From my understanding, in a one-to-many scenario, each RTP packet is encrypted separately for each outgoing WebRTC stream. Theoretically, we could encrypt once and then send the same encrypted packet to each stream, saving some CPU load for encryption. Would such a configuration be feasible? Sorry if this is a stupid question, I’m not too knowledgeable regarding DTLS and SRTP.
From my understanding, SRTP encryption is always required, meaning that each connection to the SFU will have its own encryption. For broadcasting, a TURN server pool by region should do the job. Hope it helps.
My idea was along the lines of going with the same cipher suite for each consumer, with the same symmetric key for SRTP, then encrypting the RTP payload data once, and then you could just send the same packet to everyone, of course changing the SSRC and seqnum in the SRTP header as needed (afaik the header is not encrypted). After some more research, it doesn’t seem like such a configuration would be possible with the cipher suites available in DTLS, which then actually provides the encryption key for SRTP to use. But I might be wrong there.
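As an added illustration (not code from anyone in this thread): in RFC 3711 the AES-CM keystream is derived from the session salt, the SSRC and the packet index (ROC and sequence number), so a payload encrypted once under one SSRC does not decrypt for a receiver that sees a rewritten SSRC, even when both share the same session key. The key, salt and function names below are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// Constructed key and salt (not real keys); DTLS-SRTP derives these per peer connection.
var sessionKey = []byte("0123456789abcdef") // 128-bit AES-CM key
var sessionSalt = [14]byte{0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18, 0x29, 0x3a, 0x4b, 0x5c, 0x6d, 0x7e}

// srtpIV builds the AES-CM IV of RFC 3711 section 4.1.1:
// IV = (k_s * 2^16) XOR (SSRC * 2^64) XOR (i * 2^16), with i = ROC*2^16 + SEQ.
func srtpIV(salt [14]byte, ssrc, roc uint32, seq uint16) [16]byte {
	var iv, ssrcPart, idxPart [16]byte
	copy(iv[0:14], salt[:])                                                 // k_s << 16
	binary.BigEndian.PutUint32(ssrcPart[4:8], ssrc)                         // SSRC << 64
	binary.BigEndian.PutUint64(idxPart[6:14], uint64(roc)<<16|uint64(seq)) // i << 16
	for k := range iv {
		iv[k] ^= ssrcPart[k] ^ idxPart[k]
	}
	return iv
}

// aesCM applies the per-packet keystream; encrypt and decrypt are the same XOR.
func aesCM(ssrc, roc uint32, seq uint16, data []byte) []byte {
	block, _ := aes.NewCipher(sessionKey) // key length is fixed at 16 bytes above
	iv := srtpIV(sessionSalt, ssrc, roc, seq)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv[:]).XORKeyStream(out, data)
	return out
}

// reusedPayloadDecrypts models the shortcut from the post: encrypt once under txSSRC,
// forward with the header SSRC rewritten to rxSSRC, and check whether the receiver recovers it.
func reusedPayloadDecrypts(txSSRC, rxSSRC, roc uint32, seq uint16, payload []byte) bool {
	ciphertext := aesCM(txSSRC, roc, seq, payload)
	recovered := aesCM(rxSSRC, roc, seq, ciphertext) // receiver keys on the SSRC it sees
	return bytes.Equal(recovered, payload)
}

func main() {
	payload := []byte("constructed opus frame")
	fmt.Println("same SSRC:", reusedPayloadDecrypts(0x11111111, 0x11111111, 0, 7, payload))      // true
	fmt.Println("rewritten SSRC:", reusedPayloadDecrypts(0x11111111, 0x22222222, 0, 7, payload)) // false
}
```

The same dependency holds for the sequence number through the packet index, and the SRTP authentication tag additionally covers the RTP header, so a rewritten header fails integrity checking as well.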
It’s bad practice to share/re-use keys; regular routing won’t show problems, but if someone man-in-the-middle attacked and knew all keys were the same, they’d be able to hijack the stream and send it along without server disruption.
Keeping it unique is the best policy in case of these BGP infiltrations.
Can’t assist past this, but practice bulletproofing your system first and foremost.