Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03
Tom Kristensen <tomkrist@cisco.com> Wed, 19 December 2012 12:39 UTC
Return-Path: <tomkrist@cisco.com>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3E3821F8A0A for <bfcpbis@ietfa.amsl.com>; Wed, 19 Dec 2012 04:39:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.799
X-Spam-Level:
X-Spam-Status: No, score=-8.799 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_17=0.6, J_CHICKENPOX_56=0.6, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ynBYTpIby3UB for <bfcpbis@ietfa.amsl.com>; Wed, 19 Dec 2012 04:39:56 -0800 (PST)
Received: from bgl-iport-2.cisco.com (bgl-iport-2.cisco.com [72.163.197.26]) by ietfa.amsl.com (Postfix) with ESMTP id 6393A21F8974 for <bfcpbis@ietf.org>; Wed, 19 Dec 2012 04:39:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10531; q=dns/txt; s=iport; t=1355920794; x=1357130394; h=message-id:date:from:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=Rac00MV8II3F70EgGjyRoL1T5Nga8P+6/G8U9lvXO1M=; b=i9CTflksjzyo0xeQ95idWLMWA0LP7cMnEsvoAKpHlPciT2noHEOjsetq DAxqTpCib6H02D7HI3Tjx8q0smTGqte2T7kpqroHencPbYgZvEK1lG2+h 26TG5pCmnyKhMsSS7Ea9I+QuolqtE2xE/3Oysm7p/6GuXxNNiF+FeFrbu c=;
X-IronPort-AV: E=Sophos;i="4.84,316,1355097600"; d="scan'208";a="22341329"
Received: from vla196-nat.cisco.com (HELO bgl-core-3.cisco.com) ([72.163.197.24]) by bgl-iport-2.cisco.com with ESMTP; 19 Dec 2012 12:39:52 +0000
Received: from [10.47.38.141] ([10.47.38.141]) by bgl-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id qBJCdo7j028438; Wed, 19 Dec 2012 12:39:51 GMT
Message-ID: <50D1B596.2040207@cisco.com>
Date: Wed, 19 Dec 2012 13:39:50 +0100
From: Tom Kristensen <tomkrist@cisco.com>
Organization: Cisco
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.15) Gecko/20101027 Fedora/3.0.10-1.fc12 Lightning/1.0b2pre Thunderbird/3.0.10
MIME-Version: 1.0
To: "Charles Eckel (eckelcu)" <eckelcu@cisco.com>
References: <5087FAE4.5010900@ericsson.com> <508FA129.1090802@cisco.com> <508FBF31.8000906@ericsson.com> <508FC5C1.4040702@cisco.com> <50968F26.9080403@ericsson.com> <92B7E61ADAC1BB4F941F943788C0882810742E@xmb-aln-x08.cisco.com> <5097B862.6050200@ericsson.com> <92B7E61ADAC1BB4F941F943788C08828107F45@xmb-aln-x08.cisco.com>
In-Reply-To: <92B7E61ADAC1BB4F941F943788C08828107F45@xmb-aln-x08.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "bfcpbis@ietf.org" <bfcpbis@ietf.org>, 'Tom Kristensen' <2mkristensen@gmail.com>, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
Subject: Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/bfcpbis>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Dec 2012 12:39:57 -0000
In the upcoming version, I've simply added an informational note at the end of Section 8. Authentication. It reads: "Informational note: How to determine which endpoint to initiate the TLS/DTLS association depends on the selected underlying transport. It was decided to keep the original semantics in [15] for TCP to retain backwards compatibility. When using UDP, the procedure above was preferred since it adheres to [13] as used for DTLS-SRTP, it does not overload offer/answer semantics, and it works for offerless INVITE in scenarios with B2BUAs." Where [15] == RFC 4582 and [13] == RFC 5763. -- Tom On 11/06/2012 12:01 AM, Charles Eckel (eckelcu) wrote: > Works for me. > > Thanks, > Charles > > >> -----Original Message----- >> From: Gonzalo Camarillo [mailto:Gonzalo.Camarillo@ericsson.com] >> Sent: Monday, November 05, 2012 8:00 AM >> To: Charles Eckel (eckelcu) >> Cc: Tom Kristensen (tomkrist); bfcpbis@ietf.org >> Subject: Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03 >> >> Hi Charles, >> >> the point is that if we have decided not to be consistent across >> transports, we need to explain why in the RFCs. So, please, add some >> text (a few sentences should be enough) explaining why (i.e., something >> along the lines of your email below). >> >> Thanks, >> >> Gonzalo >> >> On 04/11/2012 6:44 PM, Charles Eckel (eckelcu) wrote: >> >>> Hi Gonzalo, >>> >>> We discussed this at IETF 82. I remember because I presented a slide on it >>> >> :) >> >>> RFC 4582 states the following with regard to TLS: >>> >>> Which party, the client or the floor control server, acts as the TLS >>> server depends on how the underlying TCP connection is established. >>> For example, when the TCP connection is established using an SDP >>> offer/answer exchange [7], the answerer (which may be the client or >>> the floor control server) always acts as the TLS server. >>> >>> For DTLS, we considered the following alternatives: >>> >>> 1.The answerer always acts as the TLS/DTLS server, per RFC 4583 (as >>> >> currently defined) >> >>> 2.The BFCP server always acts as the TLS/DTLS server >>> 3.The offerer always offers setup:actpass and the answerer answers either >>> >> setup:active or setup:passive, where setup:active is RECOMMENDED (per >> RFC 5763) >> >>> The consensus was that (3) was the preferred option, because it adheres >>> >> to RFC 5763, does not overload offer/answer semantics, and it works for >> offerless INVITE with B2BUAs. >> >>> Additional details are available in the alias archive: >>> http://www.ietf.org/mail-archive/web/bfcpbis/current/msg00007.html >>> and also in the meeting minutes: >>> http://tools.ietf.org/wg/bfcpbis/minutes?item=minutes82.html >>> >>> At the time of this decision, we did not consider changing the existing >>> >> guidance in RFC 4582 regarding TLS connection establishment. Doing so >> would introduce a backward compatibility concern. >> >>> Cheers, >>> Charles >>> >>> >>> >>>> -----Original Message----- >>>> From: bfcpbis-bounces@ietf.org [mailto:bfcpbis-bounces@ietf.org] On >>>> Behalf Of Gonzalo Camarillo >>>> Sent: Sunday, November 04, 2012 10:52 AM >>>> To: Tom Kristensen (tomkrist) >>>> Cc: bfcpbis@ietf.org >>>> Subject: Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583bis-03 >>>> >>>> Hi Tom, >>>> >>>> the way it is defined right now, how to determine which endpoint is the >>>> TLS or DTLS server is different in TLS (the answerer) and in DTLS >>>> (depends on the setup attribute). Why do you think we should not be >>>> consistent across both transports? >>>> >>>> Thanks, >>>> >>>> Gonzalo >>>> >>>> >>>> On 30/10/2012 8:19 AM, Tom Kristensen wrote: >>>> >>>>> Gonzalo, >>>>> >>>>> I'll add a definition of "BFCP connection" in rfc4582bis to avoid >>>>> confusion. >>>>> >>>>> Regarding the setup attr. I merely reflected in rfc4583bis what has been >>>>> part of rfc4582 for a while. >>>>> - Cf. http://tools.ietf.org/html/draft-ietf-bfcpbis-rfc4582bis-06#section- >>>>> >> 7 >> >>>>> - Note that the setup attr. is also used in DTLS-SRTP, cf. RFC 5763. >>>>> >>>>> -- Tom >>>>> >>>>> On 10/30/2012 12:51 PM, Gonzalo Camarillo wrote: >>>>> >>>>>> Hi Tom, >>>>>> >>>>>> thanks for your answers. >>>>>> >>>>>> With respect to the term BFCP connection, in addition to making a >>>>>> consistent use of it across both documents, make sure it is defined >>>>>> somewhere so that implementers are clear on what it means. >>>>>> >>>>>> Regarding UDP, we cannot really use the setup attribute for that. That >>>>>> attribute is defined for connection oriented protocols. Additionally, >>>>>> >> we >> >>>>>> need to be consistent regarding DTLS and TLS server determination. >>>>>> Section 8 explains how to determine the endpoint acting as the TLS >>>>>> server (i.e., the answerer). We cannot determine which endpoint acts >>>>>> >> as >> >>>>>> the DTLS server in a different way. >>>>>> >>>>>> Cheers, >>>>>> >>>>>> Gonzalo >>>>>> >>>>>> >>>>>> On 30/10/2012 11:43 AM, Tom Kristensen wrote: >>>>>> >>>>>> >>>>>>> On 10/24/2012 04:27 PM, Gonzalo Camarillo wrote: >>>>>>> >>>>>>> >>>>>>>> Folks, >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> [...] >>>>>>> >>>>>>> >>>>>>>> Comments on draft-ietf-bfcpbis-rfc4583bis-03 >>>>>>>> >>>>>>>> Section 3 includes a discussion about how to set the port field. That >>>>>>>> discussion is only relevant to TCP. The new draft needs to explain >>>>>>>> >> that >> >>>>>>>> and add a discussion about port handling in UDP. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Good catch. Reorganizing the text and adding this for UDP: >>>>>>> >>>>>>> "When UDP is used as transport, the port field contains the >>>>>>> port to which the remote endpoint will direct BFCP messages >>>>>>> regardless of the value of the 'setup' attribute." >>>>>>> >>>>>>> >>>>>>> >>>>>>>> Also, the document needs to discuss what is the equivalent of >>>>>>>> establishing a TCP connection (i.e., it allows endpoints to start >>>>>>>> exchanging BFCP messages) in UDP. >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> The term "BFCP connection" is used in rfc4582bis/rfc4583bis >>>>>>> >>>> independent >>>> >>>>>>> of underlying transport. >>>>>>> >>>>>>> (For rfc4582bis: I propose we keep this common term regardless of >>>>>>> underlying transport and change the three occurrences of "BFCP >>>>>>> association" in Section 6.2 and 8.31 to "BFCP connection" as well.) >>>>>>> >>>>>>> However, we do indeed need to specify the counterpart of Section 7 >>>>>>> >>>> "TCP >>>> >>>>>>> Connection Management" for UDP as transport. Will add a sentence or >>>>>>> >>>> two, >>>> >>>>>>> since using UDP as transport is quite straight forward. Will also need >>>>>>> to add a UDP description to Section 8, i.e. mandate using the 'setup' >>>>>>> attribute when DTLS is used. >>>>>>> >>>>>>> Added to start of Section 7, now renamed to "BFCP Connection >>>>>>> Management": >>>>>>> "BFCP connections may use TCP or UDP as underlying transport. >>>>>>> >> BFCP >> >>>>>>> entities exchanging BFCP messages over UDP will direct the BFCP >>>>>>> messages to the peer side connection address and port provided in >>>>>>> the SDP 'm' line. TCP connection management is more complicated >>>>>>> and is described below." >>>>>>> And the subsection named "TCP Connection Management" follows. >>>>>>> >>>>>>> Added this sentence at the end of Section 8: >>>>>>> "Endpoints that use the offer/answer model to establish a DTLS >>>>>>> association MUST >>>>>>> support the 'setup' attribute, as defined in RFC 4145. When >>>>>>> DTLS is used with UDP, the 'setup' attribute indicates which of the >>>>>>> endpoints >>>>>>> (client or floor control server) initiates the DTLS association >>>>>>> setup." >>>>>>> >>>>>>> >>>>>>> >>>>>>>> Section 6 contains the following new paragraph: >>>>>>>> >>>>>>>> " Note: In [15] 'm-stream' was erroneously used in Section 9. >>>>>>>> >> Although >> >>>>>>>> the example was non-normative, it is implemented by some >>>>>>>> >>>> vendors. >>>> >>>>>>>> Therefore, it is RECOMMENDED to support parsing and interpreting >>>>>>>> 'm-stream' the same way as 'mstrm' when receiving." >>>>>>>> >>>>>>>> The text should clarify (or be more explicit about) whether existing >>>>>>>> implementations are floor control server implementations or client >>>>>>>> implementations. The idea is that new implementers know clearly >>>>>>>> >>>> what >>>> >>>>>>>> exactly they need to support in order to be backwards compatible >>>>>>>> >> with >> >>>>>>>> those legacy implementations (whose implementers did not read >>>>>>>> >> RFCs >> >>>> but >>>> >>>>>>>> only the examples :-) ). >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Yeah, what kind of developers do this kind of things? :-P >>>>>>> >>>>>>> Usage of a=floorid (and mstrm/m-stream) applies to endpoints willing >>>>>>> >>>> to >>>> >>>>>>> act as server, will add this to the second sentence in the note: >>>>>>> "[...] some vendors and occurs in cases where the endpoint is willing >>>>>>> to act as an server." >>>>>>> >>>>>>> >>>>>>> >>>>>>>> The last paragraph of Section 8 discusses which entity behaves as the >>>>>>>> TLS server. Do we need a similar discussion for DTLS? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> Indeed. Handled above. >>>>>>> >>>>>>> -- Tom >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>> >>>> _______________________________________________ >>>> bfcpbis mailing list >>>> bfcpbis@ietf.org >>>> https://www.ietf.org/mailman/listinfo/bfcpbis >>>> > >
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Gonzalo Camarillo
- [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4583b… Gonzalo Camarillo
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Tom Kristensen
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Tom Kristensen
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Gonzalo Camarillo
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Charles Eckel (eckelcu)
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Tom Kristensen
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Gonzalo Camarillo
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Charles Eckel (eckelcu)
- Re: [bfcpbis] Comments on draft-ietf-bfcpbis-rfc4… Tom Kristensen