Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03

"Charles Eckel (eckelcu)" <eckelcu@cisco.com> Sun, 04 November 2012 23:44 UTC

Return-Path: <eckelcu@cisco.com>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B18D21F87F7 for <bfcpbis@ietfa.amsl.com>; Sun, 4 Nov 2012 15:44:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.074
X-Spam-Level:
X-Spam-Status: No, score=-9.074 tagged_above=-999 required=5 tests=[AWL=-0.275, BAYES_00=-2.599, J_CHICKENPOX_17=0.6, J_CHICKENPOX_56=0.6, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UNNNoj0LbNWo for <bfcpbis@ietfa.amsl.com>; Sun, 4 Nov 2012 15:44:24 -0800 (PST)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id C317B21F85F0 for <bfcpbis@ietf.org>; Sun, 4 Nov 2012 15:44:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7549; q=dns/txt; s=iport; t=1352072663; x=1353282263; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=RpQHTZx05iDEat3e27+eff31FzEA1Uwan1tsSk3EXHg=; b=IS6IJk/hqSinMfwbWv8HeQbESVqTNwIU2Uv+rWKEsHCh6TwBBl6bwVfG YrwlxRtkz3uj4slEqFD/3yuV97pyDCvo1Em50uL4hJYL2R9iF9S9zs6+k Sp2NvWNZpFR9KZH+FlFQOyrjfARm62+AqvXOfTHgOLht4u43+svTg9Qss 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAPb8llCtJV2Z/2dsb2JhbABDwzqBCIIeAQEBBAEBAQ8BJzQLDAQCAQgRBAEBAQoUCQcnCxQJCAIEAQ0FCAEZh2gLmUSfCYwBGoVBYQOSSYROjT2Ba4JvgWQXHg
X-IronPort-AV: E=Sophos;i="4.80,712,1344211200"; d="scan'208";a="138685804"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-5.cisco.com with ESMTP; 04 Nov 2012 23:44:23 +0000
Received: from xhc-aln-x11.cisco.com (xhc-aln-x11.cisco.com [173.36.12.85]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id qA4NiNJO024561 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 4 Nov 2012 23:44:23 GMT
Received: from xmb-aln-x08.cisco.com ([169.254.3.25]) by xhc-aln-x11.cisco.com ([173.36.12.85]) with mapi id 14.02.0318.001; Sun, 4 Nov 2012 17:44:22 -0600
From: "Charles Eckel (eckelcu)" <eckelcu@cisco.com>
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, "Tom Kristensen (tomkrist)" <tomkrist@cisco.com>
Thread-Topic: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03
Thread-Index: AQHNsfSO4+3wdAt3DEKwiaDvAG4G1ZfR9dSAgAAjzYCAAAfSgIAIJ+cAgAAZjRA=
Date: Sun, 04 Nov 2012 23:44:22 +0000
Message-ID: <92B7E61ADAC1BB4F941F943788C0882810742E@xmb-aln-x08.cisco.com>
References: <5087FAE4.5010900@ericsson.com> <508FA129.1090802@cisco.com> <508FBF31.8000906@ericsson.com> <508FC5C1.4040702@cisco.com> <50968F26.9080403@ericsson.com>
In-Reply-To: <50968F26.9080403@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.21.122.252]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19338.004
x-tm-as-result: No--62.519600-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "bfcpbis@ietf.org" <bfcpbis@ietf.org>
Subject: Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/bfcpbis>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Nov 2012 23:44:25 -0000

Hi Gonzalo,

We discussed this at IETF 82. I remember because I presented a slide on it :)

RFC 4582 states the following with regard to TLS:

   Which party, the client or the floor control server, acts as the TLS
   server depends on how the underlying TCP connection is established.
   For example, when the TCP connection is established using an SDP
   offer/answer exchange [7], the answerer (which may be the client or
   the floor control server) always acts as the TLS server.

For  DTLS, we considered the following alternatives:

1.The answerer always acts as the TLS/DTLS server, per RFC 4583 (as currently defined)
2.The BFCP server always acts as the TLS/DTLS server
3.The offerer always offers setup:actpass and the answerer answers either setup:active or setup:passive, where setup:active is RECOMMENDED (per RFC 5763)

The consensus was that (3) was the preferred option, because it adheres to RFC 5763, does not overload offer/answer semantics, and it works for offerless INVITE with B2BUAs.

Additional details are available in the alias archive:
http://www.ietf.org/mail-archive/web/bfcpbis/current/msg00007.html
and also in the meeting minutes:
http://tools.ietf.org/wg/bfcpbis/minutes?item=minutes82.html

At the time of this decision, we did not consider changing the existing guidance in RFC 4582 regarding TLS connection establishment. Doing so would introduce a backward compatibility concern.

Cheers,
Charles


> -----Original Message-----
> From: bfcpbis-bounces@ietf.org [mailto:bfcpbis-bounces@ietf.org] On
> Behalf Of Gonzalo Camarillo
> Sent: Sunday, November 04, 2012 10:52 AM
> To: Tom Kristensen (tomkrist)
> Cc: bfcpbis@ietf.org
> Subject: Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03
> 
> Hi Tom,
> 
> the way it is defined right now, how to determine which endpoint is the
> TLS or DTLS server is different in TLS (the answerer) and in DTLS
> (depends on the setup attribute). Why do you think we should not be
> consistent across both transports?
> 
> Thanks,
> 
> Gonzalo
> 
> 
> On 30/10/2012 8:19 AM, Tom Kristensen wrote:
> > Gonzalo,
> >
> > I'll add a definition of "BFCP connection" in rfc4582bis to avoid
> > confusion.
> >
> > Regarding the setup attr. I merely reflected in rfc4583bis what has been
> > part of rfc4582 for a while.
> > - Cf. http://tools.ietf.org/html/draft-ietf-bfcpbis-rfc4582bis-06#section-7
> > - Note that the setup attr. is also used in DTLS-SRTP, cf. RFC 5763.
> >
> > -- Tom
> >
> > On 10/30/2012 12:51 PM, Gonzalo Camarillo wrote:
> >> Hi Tom,
> >>
> >> thanks for your answers.
> >>
> >> With respect to the term BFCP connection, in addition to making a
> >> consistent use of it across both documents, make sure it is defined
> >> somewhere so that implementers are clear on what it means.
> >>
> >> Regarding UDP, we cannot really use the setup attribute for that. That
> >> attribute is defined for connection oriented protocols. Additionally, we
> >> need to be consistent regarding DTLS and TLS server determination.
> >> Section 8 explains how to determine the endpoint acting as the TLS
> >> server (i.e., the answerer). We cannot determine which endpoint acts as
> >> the DTLS server in a different way.
> >>
> >> Cheers,
> >>
> >> Gonzalo
> >>
> >>
> >> On 30/10/2012 11:43 AM, Tom Kristensen wrote:
> >>
> >>> On 10/24/2012 04:27 PM, Gonzalo Camarillo wrote:
> >>>
> >>>> Folks,
> >>>>
> >>>>
> >>> [...]
> >>>
> >>>> Comments on draft-ietf-bfcpbis-rfc4583bis-03
> >>>>
> >>>> Section 3 includes a discussion about how to set the port field. That
> >>>> discussion is only relevant to TCP. The new draft needs to explain that
> >>>> and add a discussion about port handling in UDP.
> >>>>
> >>>>
> >>> Good catch. Reorganizing the text and adding this for UDP:
> >>>
> >>>    "When UDP is used as transport, the port field contains the
> >>>     port to which the remote endpoint will direct BFCP messages
> >>>     regardless of the value of the 'setup' attribute."
> >>>
> >>>
> >>>> Also, the document needs to discuss what is the equivalent of
> >>>> establishing a TCP connection (i.e., it allows endpoints to start
> >>>> exchanging BFCP messages) in UDP.
> >>>>
> >>>>
> >>> The term "BFCP connection" is used in rfc4582bis/rfc4583bis
> independent
> >>> of underlying transport.
> >>>
> >>>   (For rfc4582bis: I propose we keep this common term regardless of
> >>> underlying transport and change the three occurrences of "BFCP
> >>> association" in Section 6.2 and 8.31 to "BFCP connection" as well.)
> >>>
> >>> However, we do indeed need to specify the counterpart of Section 7
> "TCP
> >>> Connection Management" for UDP as transport. Will add a sentence or
> two,
> >>> since using UDP as transport is quite straight forward. Will also need
> >>> to add a UDP description to Section 8, i.e. mandate using the 'setup'
> >>> attribute when DTLS is used.
> >>>
> >>> Added to start of Section 7, now renamed to "BFCP Connection
> >>> Management":
> >>>    "BFCP connections may use TCP or UDP as underlying transport. BFCP
> >>>     entities exchanging BFCP messages over UDP will direct the BFCP
> >>>     messages to the peer side connection address and port provided in
> >>>     the SDP 'm' line. TCP connection management is more complicated
> >>>     and is described below."
> >>> And the subsection named "TCP Connection Management" follows.
> >>>
> >>> Added this sentence at the end of Section 8:
> >>>    "Endpoints that use the offer/answer model to establish a DTLS
> >>> association MUST
> >>>     support the 'setup' attribute, as defined in RFC 4145. When
> >>>     DTLS is used with UDP, the 'setup' attribute indicates which of the
> >>> endpoints
> >>>     (client or floor control server) initiates the DTLS association
> >>> setup."
> >>>
> >>>
> >>>> Section 6 contains the following new paragraph:
> >>>>
> >>>> " Note: In [15] 'm-stream' was erroneously used in Section 9.  Although
> >>>>     the example was non-normative, it is implemented by some
> vendors.
> >>>>     Therefore, it is RECOMMENDED to support parsing and interpreting
> >>>>     'm-stream' the same way as 'mstrm' when receiving."
> >>>>
> >>>> The text should clarify (or be more explicit about) whether existing
> >>>> implementations are floor control server implementations or client
> >>>> implementations. The idea is that new implementers know clearly
> what
> >>>> exactly they need to support in order to be backwards compatible with
> >>>> those legacy implementations (whose implementers did not read RFCs
> but
> >>>> only the examples :-) ).
> >>>>
> >>>>
> >>> Yeah, what kind of developers do this kind of things? :-P
> >>>
> >>> Usage of a=floorid (and mstrm/m-stream) applies to endpoints willing
> to
> >>> act as server, will add this to the second sentence in the note:
> >>>    "[...] some vendors and occurs in cases where the endpoint is willing
> >>> to act as an server."
> >>>
> >>>
> >>>> The last paragraph of Section 8 discusses which entity behaves as the
> >>>> TLS server. Do we need a similar discussion for DTLS?
> >>>>
> >>>>
> >>> Indeed. Handled above.
> >>>
> >>> -- Tom
> >>>
> >>>
> >>
> >
> 
> _______________________________________________
> bfcpbis mailing list
> bfcpbis@ietf.org
> https://www.ietf.org/mailman/listinfo/bfcpbis