Proposal to add support for configuring the SRTP algorithm.

[jcbeaulieu]

The SRTP configuration is done using the encoder configurations for audio, video and metadata for media 2.

Streaming specification XML changes will be made once the basic design is considered adequate.

This is a continuation of #420

[jcbeaulieu]

I've added the first draft for the updated SRTP streaming specification.

@sirzooro, I believe the only remaining issue is SRTCP.
Since we do not use SRTCP and rely on RTSP messages for the keep alive, we cannot test an SRTCP specification.

I would propose that a new proposal should be created to define SRTCP specifically.

[sirzooro]

Thanks, I have added few comments.

[kieran242]

@jcbeaulieu very comprehensive. I have provided some typo and grammar updates as suggestions.

[bsriramprasad]

"tr2" namespace is used for structures related or relevant to Media2 WSDL.

Since "SrtpSecurityAlgorithms" structure is defined in onvif.xsd itself, all references of SrtpSecurityAlgorithms should be "tt:SrtpSecurityAlgorithms" and not "tr2:SrtpSecurityAlgorithms"

In addition, Media1 structures listed below referring to dependency on Media2 structure like "tr2:SrtpSecurityAlgorithms" is incorrect and hence its even more important to refer as tt:SrtpSecurityAlgorithms

VideoEncoderConfiguration
VideoEncoderConfigurationOptions
AudioEncoderConfiguration
AudioEncoderConfigurationOption

Hence the commit suggestion to replace all text references in onvif.xsd from tr2:SrtpSecurityAlgorithms to tt:SrtpSecurityAlgorithms, all the "tt:" structures can be reused between Media1/2.

[venki5685]

@jcbeaulieu , if SRTP is considered for playback streaming also, GetReplayUri in ONVIF Replay Service needs to be extended with SRTP TCP, UDP-Unicast, UDP-multicast connection modes. GetRecordingOptions in ONVIF Recording Service should be updated with supported SRTP Crypto Policies and Recording or Track configuration needs to be updated with current SRTP Crypto Policy for GET/SET operation.

[jcbeaulieu]

TODO:
Change back RTSPS_ONLY to NONE
Venki will make a separate proposal for SRTP Playback

[venki5685]

Usually RTSPS port used for SRTP feature is different from RTSP port. Currently ONVIF GetNetworkProtocols API response returns only HTTP, HTTPS, RTSP port information, it does not return RTSPS port information. Same with ONVIF SetNetworkProtocols API for configuring port info. Can we consider extending these APIs for configuring RTSPS port info.

[Juyoung-Hanwha]

This file(url) has a rendering issue now.
https://developer.onvif.org/pub/specs/branches/video/srtp-aes-gcm/doc/Streaming.xml
This branch contents have conflicted with develop branch. It needs to have updated contents to be merged to develop.

[ocampana-videotec]

@jcbeaulieu could you please rebase this branch on top of development?

[jcbeaulieu]

@jcbeaulieu could you please rebase this branch on top of development?

Merged developement back into branch. Rebase broke the PR.

[ocampana-videotec]

There is something broken in onvif.xsd

As you can see SrtpSecurityAlgorithmsis duplicated and the wsdl checkers fail

[ocampana-videotec]

I suspect there is something else broken in onvif.xsd

If I try to load it with Visual Studio, I get this error:

If I look at the committed changes, I have the impression that the character ' has been replaced with something broken. Potentially there may be other errors and I suspect this is why the dotnet-wsdl-check is failing. @jcbeaulieu can you please check if that's the reason why it fails?

[venki5685]

@jcbeaulieu , I do observe the character ' is replaced in the new commit while reviewing the PR yesterday.

[jcbeaulieu]

I believe I have fixed the substitution issue, but we still have issues regarding the StringList

[ocampana-videotec]

@jcbeaulieu if you run git -c core.whitespace=tab-in-indent diff development you will see that there is an encoding disaster. Moreover many lines are identical to the original ones, but spaces were replaced by tabs, thus understanding what changed is really hard.

I am string trying to understand what's wrong with StringList.

[ocampana-videotec]

@jcbeaulieu I just pushed a clean up of all the symbols. It is now correctly compiled.

[ocampana-videotec]

Ok, it now looks good (at least for me). Members, please review this PR and let me know whether we can proceed by merging it.

[venki5685]

@ocampana-videotec , @jcbeaulieu , I reviewed the latest changes in this branch, it looks good. Small change required is, media2 wsdl->GetAudioDecoderConfigurationOptions list SecureStreamingProtocolAlgorithms parameter, but at the same time no provision to get/set the crypto policy via GetAudioDecoderConfigurations, SetAudioDecoderConfiguration since these APIs are not updated with SecureStreamingProtocolAlgorithm parameter.

As per last VEWG telco i.e Feb 5th 2026, current Genetec SRTP prototype did not cover Audio Back Channel for SRTP and plan to raise different PR for audio back channel, then it is better to exclude SecureStreamingProtocolAlgorithms parameter GetAudioDecoderConfigurationOptions API. It is suggestion from my side.

[bsriramprasad]

there are still lot of comments open on the PR, Would it be better if they are addressed, they should be marked as 'resolved' and if not addressed or will not be addressed state a reason for 'wontfix'?

[jcbeaulieu]

there are still lot of comments open on the PR, Would it be better if they are addressed, they should be marked as 'resolved' and if not addressed or will not be addressed state a reason for 'wontfix'?

I dont see a way to resolve most of the comments.

I see that cappentz has posted two new resolvable comments. I'll check them shortly

[bsriramprasad]

This seems to be a requirement added from client perspective, but usually technical specs with 'shall' requirements are written from device perspective and hence I suggest below

The device shall not accept or ignore the change of encryption algorithm after the stream has been started. (ONVIF specification)

Not sure if device has to reject such a request from client, any existing error messages cover for this?

[sujithhanwha]

Plugfest test between Hanwha and Genetec is complete.

[kieran242]

@jcbeaulieu I am happy to approve this PR. I only found two minor spelling mistakes and supplied them as suggestions to update. They are not blocking updates and thus the approval.

[kieran242]

Suggested change

<para>The Metadata payload is an XML document with root node <literal>tt:MetaDataStream</literal>. There is no limitation on the size of the XML document. If GZIP compression is used, the payload starts with a GZIP header according to RFC 1952 followed by the compressed data. A marker bit signals the end of the compressed data. When a synchronization point (see section "Synchronization Points" of the ONVIF Media Service Specification) is requested for the stream, the previous XML document shall be closed and a new one started. It is RECOMMENDED to start new XML documents after 1 second, at the longest. The RTP timestamp of the Metadata stream has no specific meaning. The Metadata stream multiplexes Metadata from different sources. This specification defines placeholders for the Scene Description of the Video Analytics, the PTZ Status of the PTZ controller and the Notifications of the Event Configuration. A device can select which of these parts should be multiplexed into the Metadata during the Media Configuration (see seciont "Metadata Configuration" of the ONVIF Media Service Specification). Each part can appear multiple times in arbitrary order within the document. A Metadata connection can be bi-directional using the backchannel mechanism (see Section <xref linkend="_Ref231788974" />). </para>

<para>The Metadata payload is an XML document with root node <literal>tt:MetaDataStream</literal>. There is no limitation on the size of the XML document. If GZIP compression is used, the payload starts with a GZIP header according to RFC 1952 followed by the compressed data. A marker bit signals the end of the compressed data. When a synchronization point (see section "Synchronization Points" of the ONVIF Media Service Specification) is requested for the stream, the previous XML document shall be closed and a new one started. It is RECOMMENDED to start new XML documents after 1 second, at the longest. The RTP timestamp of the Metadata stream has no specific meaning. The Metadata stream multiplexes Metadata from different sources. This specification defines placeholders for the Scene Description of the Video Analytics, the PTZ Status of the PTZ controller and the Notifications of the Event Configuration. A device can select which of these parts should be multiplexed into the Metadata during the Media Configuration (see section "Metadata Configuration" of the ONVIF Media Service Specification). Each part can appear multiple times in arbitrary order within the document. A Metadata connection can be bi-directional using the backchannel mechanism (see Section <xref linkend="_Ref231788974" />). </para>

[kieran242]

Suggested change

<para>When the client sends the describle command to server, the server generates the response information and the track to be sent in one session will be chosen. According to [RFC 5888], the fields "group" and "mid" are provided in the sdp information. The attribute "group" represents that the following "mid" stream can be sent in one session. To clearly notify the client which URL uses for setup, we use the attribute "control" with absolute path. </para>

<para>When the client sends the describe command to server, the server generates the response information and the track to be sent in one session will be chosen. According to [RFC 5888], the fields "group" and "mid" are provided in the sdp information. The attribute "group" represents that the following "mid" stream can be sent in one session. To clearly notify the client which URL uses for setup, we use the attribute "control" with absolute path. </para>