Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03
Tom Kristensen <tomkrist@cisco.com> Wed, 19 December 2012 12:39 UTC
Return-Path: <tomkrist@cisco.com>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3E3821F8A0A for <bfcpbis@ietfa.amsl.com>; Wed, 19 Dec 2012 04:39:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.799
X-Spam-Level:
X-Spam-Status: No, score=-8.799 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_17=0.6, J_CHICKENPOX_56=0.6, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ynBYTpIby3UB for <bfcpbis@ietfa.amsl.com>; Wed, 19 Dec 2012 04:39:56 -0800 (PST)
Received: from bgl-iport-2.cisco.com (bgl-iport-2.cisco.com [72.163.197.26]) by ietfa.amsl.com (Postfix) with ESMTP id 6393A21F8974 for <bfcpbis@ietf.org>; Wed, 19 Dec 2012 04:39:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10531; q=dns/txt; s=iport; t=1355920794; x=1357130394; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=Rac00MV8II3F70EgGjyRoL1T5Nga8P+6/G8U9lvXO1M=; b=i9CTflksjzyo0xeQ95idWLMWA0LP7cMnEsvoAKpHlPciT2noHEOjsetq DAxqTpCib6H02D7HI3Tjx8q0smTGqte2T7kpqroHencPbYgZvEK1lG2+h 26TG5pCmnyKhMsSS7Ea9I+QuolqtE2xE/3Oysm7p/6GuXxNNiF+FeFrbu c=;
X-IronPort-AV: E=Sophos;i="4.84,316,1355097600"; d="scan'208";a="22341329"
Received: from vla196-nat.cisco.com (HELO bgl-core-3.cisco.com) ([72.163.197.24]) by bgl-iport-2.cisco.com with ESMTP; 19 Dec 2012 12:39:52 +0000
Received: from [10.47.38.141] ([10.47.38.141]) by bgl-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id qBJCdo7j028438; Wed, 19 Dec 2012 12:39:51 GMT
Message-ID: <50D1B596.2040207@cisco.com>
Date: Wed, 19 Dec 2012 13:39:50 +0100
From: Tom Kristensen <tomkrist@cisco.com>
Organization: Cisco
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.15) Gecko/20101027 Fedora/3.0.10-1.fc12 Lightning/1.0b2pre Thunderbird/3.0.10
MIME-Version: 1.0
To: "Charles Eckel (eckelcu)" <eckelcu@cisco.com>
References: <5087FAE4.5010900@ericsson.com> <508FA129.1090802@cisco.com> <508FBF31.8000906@ericsson.com> <508FC5C1.4040702@cisco.com> <50968F26.9080403@ericsson.com> <92B7E61ADAC1BB4F941F943788C0882810742E@xmb-aln-x08.cisco.com> <5097B862.6050200@ericsson.com> <92B7E61ADAC1BB4F941F943788C08828107F45@xmb-aln-x08.cisco.com>
In-Reply-To: <92B7E61ADAC1BB4F941F943788C08828107F45@xmb-aln-x08.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "bfcpbis@ietf.org" <bfcpbis@ietf.org>, 'Tom Kristensen' <2mkristensen@gmail.com>, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
Subject: Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/bfcpbis>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Dec 2012 12:39:57 -0000
In the upcoming version, I've simply added an informational note at the
end of Section 8. Authentication. It reads:
"Informational note: How to determine which endpoint to initiate
the TLS/DTLS association depends on the selected underlying
transport. It was decided to keep the original semantics in [15]
for TCP to retain backwards compatibility. When using UDP, the
procedure above was preferred since it adheres to [13] as used for
DTLS-SRTP, it does not overload offer/answer semantics, and it
works for offerless INVITE in scenarios with B2BUAs."
Where [15] == RFC 4582 and [13] == RFC 5763.
-- Tom
On 11/06/2012 12:01 AM, Charles Eckel (eckelcu) wrote:
> Works for me.
>
> Thanks,
> Charles
>
>
>> -----Original Message-----
>> From: Gonzalo Camarillo [mailto:Gonzalo.Camarillo@ericsson.com]
>> Sent: Monday, November 05, 2012 8:00 AM
>> To: Charles Eckel (eckelcu)
>> Cc: Tom Kristensen (tomkrist); bfcpbis@ietf.org
>> Subject: Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03
>>
>> Hi Charles,
>>
>> the point is that if we have decided not to be consistent across
>> transports, we need to explain why in the RFCs. So, please, add some
>> text (a few sentences should be enough) explaining why (i.e., something
>> along the lines of your email below).
>>
>> Thanks,
>>
>> Gonzalo
>>
>> On 04/11/2012 6:44 PM, Charles Eckel (eckelcu) wrote:
>>
>>> Hi Gonzalo,
>>>
>>> We discussed this at IETF 82. I remember because I presented a slide on it
>>>
>> :)
>>
>>> RFC 4582 states the following with regard to TLS:
>>>
>>> Which party, the client or the floor control server, acts as the TLS
>>> server depends on how the underlying TCP connection is established.
>>> For example, when the TCP connection is established using an SDP
>>> offer/answer exchange [7], the answerer (which may be the client or
>>> the floor control server) always acts as the TLS server.
>>>
>>> For DTLS, we considered the following alternatives:
>>>
>>> 1.The answerer always acts as the TLS/DTLS server, per RFC 4583 (as
>>>
>> currently defined)
>>
>>> 2.The BFCP server always acts as the TLS/DTLS server
>>> 3.The offerer always offers setup:actpass and the answerer answers either
>>>
>> setup:active or setup:passive, where setup:active is RECOMMENDED (per
>> RFC 5763)
>>
>>> The consensus was that (3) was the preferred option, because it adheres
>>>
>> to RFC 5763, does not overload offer/answer semantics, and it works for
>> offerless INVITE with B2BUAs.
>>
>>> Additional details are available in the alias archive:
>>> http://www.ietf.org/mail-archive/web/bfcpbis/current/msg00007.html
>>> and also in the meeting minutes:
>>> http://tools.ietf.org/wg/bfcpbis/minutes?item=minutes82.html
>>>
>>> At the time of this decision, we did not consider changing the existing
>>>
>> guidance in RFC 4582 regarding TLS connection establishment. Doing so
>> would introduce a backward compatibility concern.
>>
>>> Cheers,
>>> Charles
>>>
>>>
>>>
>>>> -----Original Message-----
>>>> From: bfcpbis-bounces@ietf.org [mailto:bfcpbis-bounces@ietf.org] On
>>>> Behalf Of Gonzalo Camarillo
>>>> Sent: Sunday, November 04, 2012 10:52 AM
>>>> To: Tom Kristensen (tomkrist)
>>>> Cc: bfcpbis@ietf.org
>>>> Subject: Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03
>>>>
>>>> Hi Tom,
>>>>
>>>> the way it is defined right now, how to determine which endpoint is the
>>>> TLS or DTLS server is different in TLS (the answerer) and in DTLS
>>>> (depends on the setup attribute). Why do you think we should not be
>>>> consistent across both transports?
>>>>
>>>> Thanks,
>>>>
>>>> Gonzalo
>>>>
>>>>
>>>> On 30/10/2012 8:19 AM, Tom Kristensen wrote:
>>>>
>>>>> Gonzalo,
>>>>>
>>>>> I'll add a definition of "BFCP connection" in rfc4582bis to avoid
>>>>> confusion.
>>>>>
>>>>> Regarding the setup attr. I merely reflected in rfc4583bis what has been
>>>>> part of rfc4582 for a while.
>>>>> - Cf. http://tools.ietf.org/html/draft-ietf-bfcpbis-rfc4582bis-06#section-
>>>>>
>> 7
>>
>>>>> - Note that the setup attr. is also used in DTLS-SRTP, cf. RFC 5763.
>>>>>
>>>>> -- Tom
>>>>>
>>>>> On 10/30/2012 12:51 PM, Gonzalo Camarillo wrote:
>>>>>
>>>>>> Hi Tom,
>>>>>>
>>>>>> thanks for your answers.
>>>>>>
>>>>>> With respect to the term BFCP connection, in addition to making a
>>>>>> consistent use of it across both documents, make sure it is defined
>>>>>> somewhere so that implementers are clear on what it means.
>>>>>>
>>>>>> Regarding UDP, we cannot really use the setup attribute for that. That
>>>>>> attribute is defined for connection oriented protocols. Additionally,
>>>>>>
>> we
>>
>>>>>> need to be consistent regarding DTLS and TLS server determination.
>>>>>> Section 8 explains how to determine the endpoint acting as the TLS
>>>>>> server (i.e., the answerer). We cannot determine which endpoint acts
>>>>>>
>> as
>>
>>>>>> the DTLS server in a different way.
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Gonzalo
>>>>>>
>>>>>>
>>>>>> On 30/10/2012 11:43 AM, Tom Kristensen wrote:
>>>>>>
>>>>>>
>>>>>>> On 10/24/2012 04:27 PM, Gonzalo Camarillo wrote:
>>>>>>>
>>>>>>>
>>>>>>>> Folks,
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> [...]
>>>>>>>
>>>>>>>
>>>>>>>> Comments on draft-ietf-bfcpbis-rfc4583bis-03
>>>>>>>>
>>>>>>>> Section 3 includes a discussion about how to set the port field. That
>>>>>>>> discussion is only relevant to TCP. The new draft needs to explain
>>>>>>>>
>> that
>>
>>>>>>>> and add a discussion about port handling in UDP.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Good catch. Reorganizing the text and adding this for UDP:
>>>>>>>
>>>>>>> "When UDP is used as transport, the port field contains the
>>>>>>> port to which the remote endpoint will direct BFCP messages
>>>>>>> regardless of the value of the 'setup' attribute."
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Also, the document needs to discuss what is the equivalent of
>>>>>>>> establishing a TCP connection (i.e., it allows endpoints to start
>>>>>>>> exchanging BFCP messages) in UDP.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> The term "BFCP connection" is used in rfc4582bis/rfc4583bis
>>>>>>>
>>>> independent
>>>>
>>>>>>> of underlying transport.
>>>>>>>
>>>>>>> (For rfc4582bis: I propose we keep this common term regardless of
>>>>>>> underlying transport and change the three occurrences of "BFCP
>>>>>>> association" in Section 6.2 and 8.31 to "BFCP connection" as well.)
>>>>>>>
>>>>>>> However, we do indeed need to specify the counterpart of Section 7
>>>>>>>
>>>> "TCP
>>>>
>>>>>>> Connection Management" for UDP as transport. Will add a sentence or
>>>>>>>
>>>> two,
>>>>
>>>>>>> since using UDP as transport is quite straight forward. Will also need
>>>>>>> to add a UDP description to Section 8, i.e. mandate using the 'setup'
>>>>>>> attribute when DTLS is used.
>>>>>>>
>>>>>>> Added to start of Section 7, now renamed to "BFCP Connection
>>>>>>> Management":
>>>>>>> "BFCP connections may use TCP or UDP as underlying transport.
>>>>>>>
>> BFCP
>>
>>>>>>> entities exchanging BFCP messages over UDP will direct the BFCP
>>>>>>> messages to the peer side connection address and port provided in
>>>>>>> the SDP 'm' line. TCP connection management is more complicated
>>>>>>> and is described below."
>>>>>>> And the subsection named "TCP Connection Management" follows.
>>>>>>>
>>>>>>> Added this sentence at the end of Section 8:
>>>>>>> "Endpoints that use the offer/answer model to establish a DTLS
>>>>>>> association MUST
>>>>>>> support the 'setup' attribute, as defined in RFC 4145. When
>>>>>>> DTLS is used with UDP, the 'setup' attribute indicates which of the
>>>>>>> endpoints
>>>>>>> (client or floor control server) initiates the DTLS association
>>>>>>> setup."
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> Section 6 contains the following new paragraph:
>>>>>>>>
>>>>>>>> " Note: In [15] 'm-stream' was erroneously used in Section 9.
>>>>>>>>
>> Although
>>
>>>>>>>> the example was non-normative, it is implemented by some
>>>>>>>>
>>>> vendors.
>>>>
>>>>>>>> Therefore, it is RECOMMENDED to support parsing and interpreting
>>>>>>>> 'm-stream' the same way as 'mstrm' when receiving."
>>>>>>>>
>>>>>>>> The text should clarify (or be more explicit about) whether existing
>>>>>>>> implementations are floor control server implementations or client
>>>>>>>> implementations. The idea is that new implementers know clearly
>>>>>>>>
>>>> what
>>>>
>>>>>>>> exactly they need to support in order to be backwards compatible
>>>>>>>>
>> with
>>
>>>>>>>> those legacy implementations (whose implementers did not read
>>>>>>>>
>> RFCs
>>
>>>> but
>>>>
>>>>>>>> only the examples :-) ).
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Yeah, what kind of developers do this kind of things? :-P
>>>>>>>
>>>>>>> Usage of a=floorid (and mstrm/m-stream) applies to endpoints willing
>>>>>>>
>>>> to
>>>>
>>>>>>> act as server, will add this to the second sentence in the note:
>>>>>>> "[...] some vendors and occurs in cases where the endpoint is willing
>>>>>>> to act as an server."
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> The last paragraph of Section 8 discusses which entity behaves as the
>>>>>>>> TLS server. Do we need a similar discussion for DTLS?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> Indeed. Handled above.
>>>>>>>
>>>>>>> -- Tom
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>> _______________________________________________
>>>> bfcpbis mailing list
>>>> bfcpbis@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/bfcpbis
>>>>
>
>
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Gonzalo Camarillo
- [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583b… Gonzalo Camarillo
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Tom Kristensen
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Tom Kristensen
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Gonzalo Camarillo
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Charles Eckel (eckelcu)
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Tom Kristensen
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Gonzalo Camarillo
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Charles Eckel (eckelcu)
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Tom Kristensen