IETF Logo Mail Archive

Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-10 semantics

Justin Uberti <juberti@google.com> Fri, 11 March 2016 02:03 UTC

Return-Path: <juberti@google.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8E3012DC41 for <mmusic@ietfa.amsl.com>; Thu, 10 Mar 2016 18:03:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h4PlpsczgRYt for <mmusic@ietfa.amsl.com>; Thu, 10 Mar 2016 18:03:43 -0800 (PST)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E39C012DF9E for <mmusic@ietf.org>; Thu, 10 Mar 2016 17:55:41 -0800 (PST)
Received: by mail-wm0-x22e.google.com with SMTP id l68so10574325wml.0 for <mmusic@ietf.org>; Thu, 10 Mar 2016 17:55:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3q01PB0a8LYs7ipP6O6eCHKjOsEaBMRbzUqjVNBgaTQ=; b=TgwV1Hqa9d6bau/hK11+iNVqGj2+REn3cjmRw1Plu+jtzwVeZBKyDswrX3eDuIsLVP axuaHxb0JKZJwV3A97Dz5Q1x/k/dl1toRjgDb3h2xPWJzDUCsDCYs4lHZmneum1Fl5jG y/zlN6OpIQL94N4Wo4nfqNxTF6L+mGs9TN87IUyH15Wt5h7HvN4kCOnaHOZVHq2QPDRA vdcTEO4JneQQNJztDWIf7vb4VlbdmtkGRSu5Lkx0Er5LAygRShF5MbYwZ7TfGJgn3m/y kHLw0t2IyWznXtRq2wlTvwt2GlLF0fzj5qUCax0LSNujhZpEmCRhrmGUSSoVEe0RU93J bm/g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3q01PB0a8LYs7ipP6O6eCHKjOsEaBMRbzUqjVNBgaTQ=; b=Cv6+dadEeIpLMBYWhmiTcN8wulH85sr6+8U4o5j2eemy+fp8uHSIlbpjTSjkf1BfFi wJ9BwWQf38K/Dae4rB2mfOvOW8UZuSH5gmk0iwoHc3f/jD4L9fky3sixMgaLwF5HUhto /H4ycGoByoXiGQvFFgo7M6MCMfpejA8IRZYB64rQ64xGtJgnXdhEYT8ZguDsNWp7ysEi lQeewLJP7jcTs/Nkkjg/s1oVrMspKhEO5550QJ3oFslEssFMsgXt43zy27LyyT/9dn7i dO8LnUOs1TZXZQdbBqhRwKHdnI/fWHvqRaf2M+aG6xBV1kmjh6B67Lt7uRwlUChvOCtR Q81g==
X-Gm-Message-State: AD7BkJI6sciR67XsgoGseQtqZVgQDJlBwNUJJvopK3oUL3cvW2dWSPZgOXytmJqAvl7Ri/K8uaTSiL2o+cupJ/Ev
X-Received: by 10.28.16.9 with SMTP id 9mr24410wmq.44.1457661340250; Thu, 10 Mar 2016 17:55:40 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.148.79 with HTTP; Thu, 10 Mar 2016 17:55:20 -0800 (PST)
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B37E9FD1C@ESESSMB209.ericsson.se>
References: <CABcZeBNJ6jdL7SfLaatfr28X83dVOafpi=jrM6bSJ-qpmj4RuA@mail.gmail.com> <CAD5OKxuK9wBG47d+SwBH_f8-PgMQJuxFRmMg9E4omjgqO0tNbQ@mail.gmail.com> <56D8D2E1.2030306@alum.mit.edu> <CAOJ7v-2eWFFzK_rtSkT5Q12qv5Cdug_Do1z=cAWvfJsKi0U94Q@mail.gmail.com> <56DCB31A.1010502@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E818F9@ESESSMB209.ericsson.se> <56DDA6B2.5080403@alum.mit.edu> <CAD5OKxts-yfXS2nxTfoqMiDO2GLWu4AF6WJdvsE_tFtewmmmCg@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B37E8B57C@ESESSMB209.ericsson.se> <56DDB1D2.6000801@alum.mit.edu> <CAD5OKxuXiPGDZtNQvfhQGD0NdmDoCZ6hAgqQnih8-_p7GD56fQ@mail.gmail.com> <56DDB8B0.5030806@alum.mit.edu> <CAD5OKxtsPiakn+N7PhVv+7f4cJ=+jOoB-M3VmrN-HguWy-sKCQ@mail.gmail.com> <CAOJ7v-3vSkHikt0_bKBsdP=GoAt5wJ5X6tOcq_4z_51jMQKT=w@mail.gmail.com> <CAD5OKxvnHARirebUC+tBACdAF=NhGJgxGJROfDt5LZ44Q-MUXA@mail.gmail.com> <D30450D0.55D7%christer.holmberg@ericsson.com> <CAD5OKxvL-Lc9n=L4Z5MofhnYkaxL9i5hBFU4KnG2CLG=2SjX9Q@mail.gmail.com> <CAOJ7v-2OCjGPkiU6tH0nUPk8Sa65fJOpVg3nmbuVCePWQkQC1g@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B37E9FD1C@ESESSMB209.ericsson.se>
From: Justin Uberti <juberti@google.com>
Date: Thu, 10 Mar 2016 17:55:20 -0800
Message-ID: <CAOJ7v-1KGEG5njHxYo7WGtz6epjG7STdSnAYe9dnzqrbmZx-0Q@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Content-Type: multipart/alternative; boundary="001a1146ea8e63b675052dbc3a99"
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/-rSze6N_g6YSxQulBdx8emY-MUU>
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu>, "mmusic@ietf.org" <mmusic@ietf.org>
Subject: Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-10 semantics
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2016 02:03:46 -0000

With no minimum length (well, minimum of 1).

On Tue, Mar 8, 2016 at 10:46 PM, Christer Holmberg <
christer.holmberg@ericsson.com> wrote:

> So, alphanumeric it is :)
>
>
>
> *From:* Justin Uberti [mailto:juberti@google.com]
> *Sent:* 09 March 2016 06:35
> *To:* Roman Shpount <roman@telurix.com>
> *Cc:* Christer Holmberg <christer.holmberg@ericsson.com>; Paul Kyzivat <
> pkyzivat@alum.mit.edu>; mmusic@ietf.org
>
> *Subject:* Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-10
> semantics
>
>
>
> I think the id should be alphanumeric, but how it is assigned can be left
> to the application.
>
>
>
>
>
> On Tue, Mar 8, 2016 at 4:59 PM, Roman Shpount <roman@telurix.com> wrote:
>
> I would make the dtls-association-id value random alphanumeric to keep it
> shorter.
>
>
>
> I would also make dtls-association-id optional if any of the fingerprints
> is for a newly generated self-signed certificate which will not be reused
> for any other DTLS association.
>
>
>
> Regards,
>
>
> _____________
> Roman Shpount
>
>
>
> On Tue, Mar 8, 2016 at 2:54 AM, Christer Holmberg <
> christer.holmberg@ericsson.com> wrote:
>
> Hi,
>
>
>
> There is no need to track the “order” of DTLS associations, so I think we
> should use random value. I am not sure we need “+” and “-“. Would a numeric
> value be enough? The number of DTLS associations between the connected
> endpoints is going to be very small, so we shouldn’t over-engineer it.
>
>
>
> Regarding the id being unique for a given fingerprint, keep in mind that
> we now allow multiple fingerprints.
>
>
>
> Regards,
>
>
>
> Christer
>
>
>
> *From: *Roman Shpount <roman@telurix.com>
> *Date: *Tuesday 8 March 2016 at 06:24
> *To: *Justin Uberti <juberti@google.com>
> *Cc: *"pkyzivat@alum.mit.edu" <pkyzivat@alum.mit.edu>, Christer Holmberg <
> christer.holmberg@ericsson.com>, "mmusic@ietf.org" <mmusic@ietf.org>
> *Subject: *Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-10
> semantics
>
>
>
> We need to make sure dtls-association-id works in cases of 3pcc where a
> new session can be connected to an existing session or two existing
> sessions can be connected with each other. In all of those cases new DTLS
> association must be established. The case of merging two existing sessions
> especially worry me if we chose monotonically increasing IDs. Imagine two
> sessions, each hitting IVR for an announcement, and then being connecting
> directly with each other. If monotonically increasing from zero ID is used,
> both sessions will have dtls-association-id=1, but clearly a new session
> would need to be established.
>
>
>
> I think in general monotonically increasing IDs have a high chance of
> collision when unrelated end points are used. Randomly assigned IDs are
> safer in this regard.
>
>
>
> Another option is to state that dtls-association-id should be unique for a
> given security certificate fingerprint. So if new certificate is created
> for each DTLS association, then dtls-association-id can stay at value 0 or
> be omitted. If certificate is reused a unique value should be used for each
> new DTLS association created with this certificate. This uniqueness can be
> achieved by using a counter associated with each self signed certificate or
> using sufficiently large random or pseudo random (server id + time stamp +
> per server counter would be an example of the pseudo random) value
> associated with pre-provisioned permanent certificates.
>
>
>
> Does anybody else have any suggestions or concerns about
> dtls-association-id generation scheme?
>
> ______________
>
> Roman Shpount
>
>
>
> On Mon, Mar 7, 2016 at 9:15 PM, Justin Uberti <juberti@google.com> wrote:
>
> Keep in mind that this id value isn't actually sent anywhere. So it's not
> like the ICE ufrag that needs a certain amount of entropy. It can just as
> easily be a monotonically increasing number.
>
>
>
> IOW, a string with a 1-byte minimum seems right.
>
>
>
> On Mon, Mar 7, 2016 at 10:26 AM, Roman Shpount <roman@telurix.com> wrote:
>
>
>
> On Mon, Mar 7, 2016 at 12:21 PM, Paul Kyzivat <pkyzivat@alum.mit.edu>
> wrote:
>
> On 3/7/16 12:12 PM, Roman Shpount wrote:
>
> On Mon, Mar 7, 2016 at 11:52 AM, Paul Kyzivat <pkyzivat@alum.mit.edu
> <mailto:pkyzivat@alum.mit.edu>> wrote:
>
>     On 3/7/16 11:26 AM, Christer Holmberg wrote:
>
>         I suggest dtls-association-id. In my opinion there is no longer
>         the same
>         need to be aligned with the name of the connection attribute.
>
>
>     This seems plausible. But I want to reserve judgement until the
>     detailed semantics of the attribute are worked out:
>
> I wanted to model this attribute on ICE ufrag
>
>     - is it numeric, or a token?
>
>
> I was thinking something like this:
> dtls-association-id-attr = "dtls-association-id" ":" dtls-association-id
>
> dtls-association-id = 4*256dtls-association-id-char
>
> dtls-association-id-char = ALPHA / DIGIT / "+" / "/"
>
>
> Why this in particular? Is it your intent to reuse values that were
> generated for another purpose? Or to reuse code that is also used for
> another purpose?
>
>
>
> This is reusing the definition (and generation code) from ice-ufrag
> attribute (https://tools.ietf.org/html/rfc5245#section-15.4).
>
>
>
>     - any rules for how the value chosen?
>
>
> The dtls-association-id attributes MUST be chosen randomly when new DTLS
> association is requested.  The dtls-association-id attribute MUST
> contain at least 24 bits of randomness.  This means that
> the dtls-association-id  attribute will be at least 4 characters
> long since the grammar for this attribute allows for 6 bits of
> randomness per character.  The attribute MAY be longer than 4
> characters, respectively, of course, up to 256 characters.  The upper
> limit allows for buffer sizing in implementations.  Its large upper
> limit allows for increased amounts of randomness to be added over time.
>
>
> What is the reason for using random values, rather than some well defined
> sequence of values? (Where the sequence might start with a random value, or
> perhaps every sequence would start with 0.)
>
>
>
> We are dealing with multiple end points which can be reconnected in more
> or less random order. Each end point needs to detect when it is talking to
> a new end point or to a new DTLS association. This is why I picked a random
> value. Once again, if this works for ICE, should work for DTLS just as well.
>
>
>
> Let me know if you have a better idea for ID generation.
>
>
>
> Regards,
>
> _____________
> Roman Shpount
>
>
>
>
>
>
>
>
>
>
>

v2.23.0 | Report a Bug | By Email