WebRTC: Is there a SFU that operates at the transport layer?

Question

I'm running a WebRTC based service and currently investigating the requirements for WebRTC conference chats with approx. 10 users. Therefore I'd like to run a Selective Forwarding Unit (SFU). I know about janus and jitsi videobridge, but am a little bit concerned about data security. Both servers operate like WebRTC endpoints, which means to me that the incoming streams are de- and encoded before they are passed to the users. Even if it happens only in memory and in a split second, it means a lack of confidentiality (which I have to take serious for legal reasons).

This leads me to my question. Are there any SFU (or multicast relay servers that could be used as SFU) that operate at the transport layer (as described in RFC 7201 chapter 2.3.1, citing RFC 5117) and only pass the SRTP encrypted streams to their recipients?

I thought about (re-) using my TURN server for this purpose, but as Oleg pointed out here the TURN specs are designed for P2P communication only. Maybe I'm just wrong with my assumptions about janus and jitsi videobridge, then I would be glad to here that as well.

Thx in advance

Greg

Answer 1

That's not currently possible, I'm afraid. Advanced SFUs may need to check metadata in the RTP stream, such as to identify a video keyframe, hence the need to access the RTP stream.

But there is hope! The IETF PERC working group has published a draft which allows for end-to-end encryption by applyuing SRTP twice, see it here.

Jitsi is working towards having the first PERC implementation: https://www.slideshare.net/alexpiwi5/perc-webrtc-e2e-media-encryption-with-sfu