IETF Logo Mail Archive

[AVT] RE: [MMUSIC] Symmetry breaking for DTLS-SRTP

"Elwell, John" <john.elwell@siemens.com> Wed, 24 October 2007 19:16 UTC

Return-path: <avt-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iklib-0007I9-RZ; Wed, 24 Oct 2007 15:16:41 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Iklia-0007Fw-Bu; Wed, 24 Oct 2007 15:16:40 -0400
Received: from mailgate.siemenscomms.co.uk ([195.171.110.225] helo=bemg01.siemenscomms.co.uk) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1IkliZ-00070L-JE; Wed, 24 Oct 2007 15:16:40 -0400
Received: from GBNTHT12009MSX.gb002.siemens.net ([137.223.219.235]) by siemenscomms.co.uk (PMDF V6.0-24 #40642) with ESMTP id <0JQF00B3MK74H7@siemenscomms.co.uk>; Wed, 24 Oct 2007 20:16:16 +0100 (BST)
Date: Wed, 24 Oct 2007 20:16:37 +0100
From: "Elwell, John" <john.elwell@siemens.com>
In-reply-to: <20071024165908.CDB1B33C28@delta.rtfm.com>
To: Eric Rescorla <ekr@networkresonance.com>, avt@ietf.org, mmusic@ietf.org
Message-id: <0D5F89FAC29E2C41B98A6A762007F5D037D5E4@GBNTHT12009MSX.gb002.siemens.net>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
Thread-Topic: [MMUSIC] Symmetry breaking for DTLS-SRTP
Thread-Index: AcgWYYUSDnaoYlqJS0+cdjPoIgDg1QADmipA
Content-class: urn:content-classes:message
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
References: <20071024165908.CDB1B33C28@delta.rtfm.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 6d95a152022472c7d6cdf886a0424dc6
Cc:
Subject: [AVT] RE: [MMUSIC] Symmetry breaking for DTLS-SRTP
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Audio/Video Transport Working Group <avt.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
Errors-To: avt-bounces@ietf.org

Ekr,

I don't have a problem with the solution, but I am doubtful whether it
is a problem we need to solve. The case illustrated is based on the
assumption that offer and answer are symmetrical, in the sense that an
offer can be reused as an answer (and vice versa). In this case the
offer from A becomes an answer to B and vice versa. There are two
extensions to SDP that I am aware of that break this, and therefore any
controller that misuses SDP in this way will screw things up. One
example is the key management extension when used to carry MIKEY,
because a MIKEY request (which always goes in the offer) is very
different in syntax and semantics from a MIKEY response (which always
goes in the answer). Of course, this will not apply when using DTLS-SRTP
as the means of key management. The second example is the SDP capability
negotiation draft, which certainly will be applicable with DTLS-SRTP.

I am not aware of how the particular flow shown would arise. It is not
documented in RFC 3725 (3PCC). It has similarities to flow II in RFC
3725, which the RFC does not recommend. The other 3PCC flows in RFC 3725
do not mix up offers and answers in this way.

I also questioned the need for the solution in ICE, but as it came
virtually for free, it was not worth arguing about.

If we continue this discussion, I would suggest we stick to the MMUSIC
list rather than AVT.

John

> -----Original Message-----
> From: Eric Rescorla [mailto:ekr@networkresonance.com] 
> Sent: 24 October 2007 17:59
> To: avt@ietf.org; mmusic@ietf.org
> Subject: [MMUSIC] Symmetry breaking for DTLS-SRTP
> 
> TLS (and by extension) DTLS-SRTP requires unambiguity about which side
> is to be the client and which is the server. This isn't an issue of
> credentials--DTLS-SRTP assumes that each side can take either
> role--it's just that TLS requires that one side initiate the
> handshake. My original intention had been to make this conditional on
> which side was the offerer and which was the answerer, but JDR pointed
> out in ORD that there are cases involving 3PCC where it's not
> unambiguous which is which.
> 
> Here's the paradigmatic case, transcribed from a phone call with
> JDR (so any errors are my fault):
> 
> 
> Alice                        Controller                        Bob
> ------------------------------------------------------------------
> INVITE + Offer ->
>                               INVITE ->
>                                                      <- OK + Offer
>                       <- OK + Answer                              
>                               ACK + Answer ->
> ACK ->
> 
> Because the controller sends an INVITE with no offer, Bob is the
> offererer, and of course Alice is. So, you can't use offerer
> or answerer to break symmetry. 
> 
> This same problem occurs with ICE, which uses a random tiebreaker
> value in the ICE messages to determine which side should take
> which role (controlling vs. controlled). This works because
> in ICE both sides are trying to transmit so they quickly 
> detect conflicts. Unfortunately, in DTLS-SRTP, the server just
> waits so if the rule we adopt allows both sides to think they
> are the server then we get deadlock. The above exchange 
> shows how both sides can be offerer so clearly we can't have
> offerer=server, but it seems that we could make a new exchange
> where both sides are answerer in which case we can't have
> offerer=client. JDR tells me that we don't have an actual
> use case like this yet but I would not want to count on that
> unless we're very sure.
> 
> We could use exactly the trick that ICE uses but that requires
> modifying DTLS to make the server send messages unprompted.
> I don't think that's necessary here because we can break
> the tie in the SDP where we announce the DTLS-SRTP capability
> (however that's done).
> 
> The basic principle is this:
> 1. Each side generates a random tiebreaker value T.
> 2. In the SDP offer/answer, he indicates whether he wishes
>    to be the TLS client or server (if you're the offerer
>    you SHOULD ask to be the server since that's faster, 
>    and vice versa).
> 3. If each side sees a consistent view (one client, one 
>    server) then that is what is used.
> 4. If the views are inconsistent, then the side with the
>    higher T is be the client.
> 
> This is basically the same algorithm as used with ICE, just
> moving the tiebreaker into the SDP.
> 
> Does anyone see a problem with this?
> 
> -Ekr
> 
> 
> 
> 
> 
> 
> _______________________________________________
> mmusic mailing list
> mmusic@ietf.org
> https://www1.ietf.org/mailman/listinfo/mmusic
> 

_______________________________________________
Audio/Video Transport Working Group
avt@ietf.org
https://www1.ietf.org/mailman/listinfo/avt

v2.30.2 | Report a Bug | By Email | System Status