IETF Logo Mail Archive

Re: [AVT] RFC4568 session parameter negotiation

"Dan Wing" <dwing@cisco.com> Fri, 11 April 2008 22:37 UTC

Return-Path: <avt-bounces@ietf.org>
X-Original-To: avt-archive@optimus.ietf.org
Delivered-To: ietfarch-avt-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 882563A6976; Fri, 11 Apr 2008 15:37:14 -0700 (PDT)
X-Original-To: avt@core3.amsl.com
Delivered-To: avt@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9FA6A3A6846 for <avt@core3.amsl.com>; Fri, 11 Apr 2008 15:37:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.228
X-Spam-Level:
X-Spam-Status: No, score=-5.228 tagged_above=-999 required=5 tests=[AWL=0.171, BAYES_00=-2.599, J_CHICKENPOX_12=0.6, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TQAGFSBIqhq0 for <avt@core3.amsl.com>; Fri, 11 Apr 2008 15:37:11 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id F42273A6863 for <avt@ietf.org>; Fri, 11 Apr 2008 15:37:08 -0700 (PDT)
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-6.cisco.com with ESMTP; 11 Apr 2008 15:37:33 -0700
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m3BMbXlf028668; Fri, 11 Apr 2008 15:37:33 -0700
Received: from dwingwxp01 ([10.32.240.197]) by sj-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id m3BMbWFX022173; Fri, 11 Apr 2008 22:37:32 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Mike Taylor' <mtaylor@unicoi.com>, avt@ietf.org
References: <007f01c89c04$462d8650$6600a8c0@TAYLORDELL1> <102d01c89c09$5ea7e7c0$c5f0200a@cisco.com> <009401c89c1a$cb68b9a0$6600a8c0@TAYLORDELL1>
Date: Fri, 11 Apr 2008 15:37:32 -0700
Message-ID: <010b01c89c24$a21ceee0$c5f0200a@cisco.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
In-Reply-To: <009401c89c1a$cb68b9a0$6600a8c0@TAYLORDELL1>
Thread-Index: AcicBEVb6+frajznTICSS8u9uDmWogABKLUQAAO6fiAAAhD9kA==
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5821; t=1207953453; x=1208817453; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[AVT]=20RFC4568=20session=20parameter=2 0negotiation |Sender:=20; bh=v4KOmeCOxJZ2rY/zS8pud5yiLHwwQM7IrYQ9+Da8/+s=; b=s3lp16ZJdQPFxKWIRK9vZWiw+/8Wg4+HIPiEFdHtRt88qTit/cJ5xJohEl yOGVqGqPCjFIK+cUeHa3m3c8ucKhAVnAoP7c1c4lBmALEyfTCYzEbRs0Zvb3 tFTssvumz9;
Authentication-Results: sj-dkim-2; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: Flemming Andreasen <fandreas@cisco.com>
Subject: Re: [AVT] RFC4568 session parameter negotiation
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Audio/Video Transport Working Group <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: avt-bounces@ietf.org
Errors-To: avt-bounces@ietf.org

 

> -----Original Message-----
> From: Mike Taylor [mailto:mtaylor@unicoi.com] 
> Sent: Friday, April 11, 2008 2:27 PM
> To: 'Dan Wing'; avt@ietf.org
> Subject: RE: [AVT] RFC4568 session parameter negotiation
> 
> Hi Dan, 
> 
> Thanks for the response but I think you might have misunderstood
> my concern.
> 
> > > For example, suppose one receives an SDP offer like the following:
>   > >   v=0
>   > >   o=bob@biloxi.com 52342343 9239423 IN IP4 10.248.0.251
>   > >   s=Session123
>   > >   i=A test session
>   > >   c=IN IP4 10.248.0.239
>   > >   t=0 0
>   > >   m=audio 5004 RTP/SAVP 0 8
>   > >   a=crypto:1 AES_CM_128_HMAC_SHA1_80
>   > > inline:ljsdk1ksjld32368klksDSDkddKDKFsDskdldKKd|2^20|1:4
> > >
> > > and the receiver of this offer is not willing to support SRTP
> > > encryption.
> > >
> > > Then should
> > > the offer be rejected outright and the call terminated,
> > 
> 
> > Yes; it is the "m=" line itself, which says RTP/SAVP, that 
> causes the
> > rejection.  That is not specific to RFC4568.
> 
> I think you missed the "encryption" in the "not willing to 
> support SRTP encryption".  The offer says RTP/SAVP and the
> answerer is willing to support SRTP (RTP/SAVP) but just doesn't
> want to do encryption of the RTP.  Maybe it is a legacy phone, 
> for example, and if it has to do encryption that impacts the 
> audio quality to the extent that he phone isn't really usable.
> Whatever the case may be, it doesn't want to do encryption
> but will support authentication of RTP and RTCP.

Ah.  Ok.  You are right, I had misunderstood.  Thank you for
clarifying.

> So in other words, ideally it would like the offerer to include
> UNENCRYPTED_SRTP in the offered crypto attribute but in the
> example shown above it did not.

If the phone can not receive encrypted SRTP (for whatever reason),
it needs to do the same thing it would do if it cannot receive
G.938 (that is a codec that will be invented in the year 2043) --
it needs to reject the call setup request (in SIP, probably
with a 415 response code).  I believe the problem you are 
describing is similar to my made-up G.938 codec:  you want the 
offerer to send out an incomplete offer, and have the answerer 
guess that the offerer really has additional capabilities than it
advertised in its offer -- specifically, you want an offer to
only mention encrypting SRTP, and you want the answerer to
presume the offerer has the ability to send both 
encrypted+authenticated SRTP, and also has the (silent)
ability to send unencrypted, authenticated SRTP.

This is mentioned in Section 7.1.2 of RFC4568:

  "Furthermore, all parameters (crypto-
   suite, key parameter, and mandatory session parameters) MUST be
   acceptable to the answerer in order for the offered media stream to
   be accepted."

> So then is the answerer allowed by RFC4568 to insert UNENCRYPTED_SRTP 
> into the answer even though it wasn't present in the offer?

Yes, so long as the phone can receive encrypted SRTP, it can go ahead
and send encrypted SRTP.  This is because UNENCRYPTED_SRTP is negotiated 
(Section 6.3.2 of RFC4568), and negotiated parameters can be different 
between the offerer and the answerer (Section 5.1.2):

   Furthermore, any session parameters that are negotiated MUST be
   included in the answer.  

> Or must it reject the offer under the assumption that RFC4568
> dictates that if the offerer preferred to encrypt the RTP but would
> be willing not to, then it would have made the offer with two
> crypto attributes as shown here:
> 
>    m=audio 5004 RTP/SAVP 0 8
>    a=crypto:1 AES_CM_128_HMAC_SHA1_80
>      inline:ljsdk1ksjld32368klksDSDkddKDKFsDskdldKKd|2^20|1:4
>    a=crypto:2 AES_CM_128_HMAC_SHA1_80
>      inline:ya3k283klkWWdkjwFek2932ckdejlklkelksl233|2^20|1:4
>       UNENCRYPTED_SRTP
>
> Then the answerer could choose the second attribute since it
> doesn't want to do encryption of the RTP. 

Right.  That would be the best thing to do if you want to have 
unencrypted SRTP in both directions.

> If the RFC was very
> explicit about this then I think the latter approach would be
> better since it allows a full expression of one's preferences
> and doesn't require any guesswork on the part of the answerer.

Right.  It also aligns with how offers for other things (e.g.,
codecs) works -- the offer is supposed to contain everything the
offerer is willing to support.  The answerer then picks and 
chooses from that list.

-d


> Maybe this is the intent of RFC4568 but I wanted to get 
> clarification.
> 
> Regards,
> 
> Mike Taylor
> 
> > >
> > > So then if such a parameter is not present in the offer the
> > > answerer can assume that the offerer
> > >
> > > is not willing to support it.
> > >
> > > This seems better since it forces offerers to explicitly
> > > indicate what they're willing to negotiate, but
> > >
> > > I wanted to make sure whether or not inserting a negotiated
> > > session parameter like UNENCRYPTED_SRTP
> > >
> > > into a response is valid.  I'm certainly hoping that it isn't
> > > valid since it would simplify the logic and
> > >
> > > probably greatly increase the chances of successful negotiation.
> > 
> > But it requires the answerer to understand RTP/SAVP, and to 
> understand
> > enough
> > of RFC4568 to generate an answer containing 
> UNENCRYPTED_SRTP.  That seems
> > a
> > pretty high bar.
> > 
> > 
> > draft-ietf-mmusic-sdp-capability-negotiation is the best 
> way to increase
> > the
> > chances of successful negotiation.  That draft includes 
> some examples of
> > SDP
> > offers that contain both SRTP and RTP.
> > 
> > -d
> > 
> > 
> > > Regards,
> > >
> > > Mike Taylor
> > >
> > >
> 
> 

_______________________________________________
Audio/Video Transport Working Group
avt@ietf.org
https://www.ietf.org/mailman/listinfo/avt

v2.23.0 | Report a Bug | By Email