IETF Logo Mail Archive

Re: [MMUSIC] DTLS-SDP and JSEP Conflicts

Christer Holmberg <christer.holmberg@ericsson.com> Sun, 03 September 2017 05:51 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5158126D0C for <mmusic@ietfa.amsl.com>; Sat, 2 Sep 2017 22:51:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fEHFwsnl94XQ for <mmusic@ietfa.amsl.com>; Sat, 2 Sep 2017 22:51:46 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E10AD126BFD for <mmusic@ietf.org>; Sat, 2 Sep 2017 22:51:45 -0700 (PDT)
X-AuditID: c1b4fb2d-103ff700000057a4-e0-59ab986f47c0
Received: from ESESSHC020.ericsson.se (Unknown_Domain [153.88.183.78]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 21.F6.22436.F689BA95; Sun, 3 Sep 2017 07:51:43 +0200 (CEST)
Received: from ESESSMB109.ericsson.se ([169.254.9.194]) by ESESSHC020.ericsson.se ([153.88.183.78]) with mapi id 14.03.0352.000; Sun, 3 Sep 2017 07:51:42 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: Bernard Aboba <bernard.aboba@gmail.com>, "mmusic@ietf.org" <mmusic@ietf.org>
Thread-Topic: [MMUSIC] DTLS-SDP and JSEP Conflicts
Thread-Index: AQHTHeD9eWXjhOvP60up2QfAnU62xaKbMmOAgAbGf4CAADCNsP//5vyAgACksAA=
Date: Sun, 03 Sep 2017 05:51:42 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B56282B43@ESESSMB109.ericsson.se>
References: <f353ad39-4ee5-4661-8e99-7fab6e394e91@nostrum.com> <CAOW+2dtv8r7qTyNxWY8NacfEh+Ojk5ObVAXEur3D4GyMw89YaQ@mail.gmail.com> <CABcZeBOJgyva5e-ykH-RkKN=BJPrXVYLu8vZbbNBv0xscv6bOA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B562818F7@ESESSMB109.ericsson.se> <CABcZeBNv4fdFTJ+tXeBkMDqbMCEw916Txt8owFY-X7ijX0-FcA@mail.gmail.com>
In-Reply-To: <CABcZeBNv4fdFTJ+tXeBkMDqbMCEw916Txt8owFY-X7ijX0-FcA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.150]
Content-Type: multipart/alternative; boundary="_000_7594FB04B1934943A5C02806D1A2204B56282B43ESESSMB109erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprHIsWRmVeSWpSXmKPExsUyM2K7n27+jNWRBrdnilps2Pef2WLF63Ps FlOXP2ZxYPbYOesuu8eSJT+ZPCY/bmMOYI7isklJzcksSy3St0vgyvi2aDVjwZsjTBWTz11l amBcs4epi5GTQ0LARGLr609ANheHkMARRollnT9YIJzFjBLTtl1h7mLk4GATsJDo/qcN0iAi oCDx688JFhCbWSBIoql/IQtIibCAocTp+0YQJUYSl48/AOsUEfCTePxUBCTMIqAi8eflU7C1 vAK+EqsaDzFCbLrOJLF6QT8zSIJTIFDi1aIvYOMZBcQkvp9awwSxSlzi1pP5UDcLSCzZc54Z whaVePn4HyuErSSxYvslRoj6fIn+O99YIZYJSpyc+YRlAqPILCSjZiEpm4WkbBbQ2cwCmhLr d+lDlChKTOl+yA5ha0i0zpnLjiy+gJF9FaNocWpxcW66kbFealFmcnFxfp5eXmrJJkZgrB3c 8lt3B+Pq146HGAU4GJV4eFnrVkcKsSaWFVfmHmKU4GBWEuHdNAUoxJuSWFmVWpQfX1Sak1p8 iFGag0VJnNdh34UIIYH0xJLU7NTUgtQimCwTB6dUAyPjjqDSNRfzxSrztlTwbF6kaZJW8/Gw 9PkZkU9Kjzeo7ylYrXkoLLP3zKV6TqljImwFq+pkb7wNWiNoJGuT/PbdhyWCk5zcbk+anf7x zKNdpTFfHtt2Gc93X/7K94i1+C/BrwkyClt42oW52vab2izlEtoqz5IRf+3ybxOL1Kk5EZoH kyZvvK3EUpyRaKjFXFScCAB66fYSsQIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/20iGTta8GcO4CoDH8Y_Wx3Lt4Ig>
Subject: Re: [MMUSIC] DTLS-SDP and JSEP Conflicts
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Sep 2017 05:51:50 -0000

Hi,

>Yes. Indeed, that's the crux of the disagreement between JSEP and this document

So, just to clarify: in your opinion, if an endpoint receives an offer/answer WITHOUT a tls-id, but with a NEW ufrag (read: ICE restart), the new urfag will NOT trigger a new DTLS association. Right?

Regards,

Christer



On Sat, Sep 2, 2017 at 3:31 PM, Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> wrote:
Hi Ekr,

What if the remote peer does not support/include the tls-id attribute?

Regards,

Christer

From: mmusic [mailto:mmusic-bounces@ietf.org<mailto:mmusic-bounces@ietf.org>] On Behalf Of Eric Rescorla
Sent: 02 September 2017 22:36
To: Bernard Aboba <bernard.aboba@gmail.com<mailto:bernard.aboba@gmail.com>>
Cc: mmusic@ietf.org<mailto:mmusic@ietf.org>
Subject: Re: [MMUSIC] DTLS-SDP and JSEP Conflicts



On Tue, Aug 29, 2017 at 7:07 AM, Bernard Aboba <bernard.aboba@gmail.com<mailto:bernard.aboba@gmail.com>> wrote:
On Issue 1, Adam said:

"
1.      (Issue 1c) The crux of the matter: does ICE restart cause DTLS to restart? The primary rationale outlined in RFC5245 for restarting ICE is changing the destination (IP address or port) of an ongoing media stream -- which would commonly involve changing to a different physical device. While it would, in theory, be possible to transfer the TLS state associated with the connection between devices, this is rather cumbersome (and, as far as I know, not generally supported by TLS libraries). From that perspective, it is my opinion that the DTLS-SDP document is correct that an ICE restart necessitates a new DTLS connection; and I conclude that JSEP needs to change.
"

[BA] Agree that for consistency, it is best for an ICE restart to necessitate a new DTLS connection, since an ICE restart can result in connection to a different device (and the need for a new DTLS connection).

I'm not persuaded by this: the primary reason for an ICE restart is not changing devices but rather trying to deal with topology changes and/or connectivity check failures. If you actually *do* change devices, then it's also quite probably you will have a new certificate fingerprint, in which case you will get a new DTLS connection in any case. In other words, tls-id should be used to say "I want a new DTLS connection in spite of the fingerprint being the same" (what JSEP says), not "I want to keep the DTLS connection even though I am doing an ICE restart"

-Ekr


On Fri, Aug 25, 2017 at 4:30 PM, Adam Roach <adam@nostrum.com<mailto:adam@nostrum.com>> wrote:

MMUSIC --

[I will be posting a separate message to RTCWEB directing interested parties to discuss this issue on the MMUSIC mailing list]

During the IESG review of draft-ietf-mmusic-dtls-sdp, EKR identified some conflicts between the procedures in DTLS-SDP and JSEP were identified. This note is an attempt to summarize them. I have also made an initial proposal, for each conflict, regarding which document needs to change, in and which way.

Issue 1 (quoting EKR), which raises a couple of additional sub-issues:

1. Assuming I understand this document correctly, it conflicts with

the guidance in JSEP. Specifically, S 4 says:



   No default value is defined for the SDP 'tls-id' attribute.

   Implementations that wish to use the attribute MUST explicitly

   include it in SDP offers and answers.  If an offer or answer does not

   contain a 'tls-id' attribute (this could happen if the offerer or

   answerer represents an existing implementation that has not been

   updated to support the 'tls-id' attribute), unless there is another

   mechanism to explicitly indicate that a new DTLS association is to be

   established, a modification of one or more of the following

   characteristics MUST be treated as an indication that an endpoint

   wants to establish a new DTLS association:



   o  DTLS setup role; or



   o  fingerprint set; or



   o  local transport parameters; or



   o  ICE ufrag value



This seems to say that if there is no tls-id attribute, then an ICE restart

(which necessitates a ufrag change) requires a DTLS restart. JSEP isn't

incredibly clear on this point, but 5.7.3 seems to say that tls-id

need not be present:



      *  tls-id value, which MUST be set according to

         [I-D.ietf-mmusic-dtls-sdp], Section 5.  If this is a re-offer

         and the tls-id value is different from that presently in use,

         the DTLS connection is not being continued and the remote

         description MUST be part of an ICE restart, together with new

         ufrag and password values.  If this is an answer, the tls-id

         value, if present, MUST be the same as in the offer.



I believe that the first sentence is in error, as we clearly

can't have JSEP implementations requiring that tls-id be present.



   ...



   o  If the remote DTLS fingerprint has been changed or the tls-id has

      changed, tear down the DTLS connection.  This includes the case

      when the PeerConnection state is "have-remote-pranswer".  If a

      DTLS connection needs to be torn down but the answer does not

      indicate an ICE restart or, in the case of "have-remote-pranswer",

      new ICE credentials, an error MUST be generated.  If an ICE

      restart is performed without a change in tls-id or fingerprint,

      then the same DTLS connection is continued over the new ICE

      channel.



I think the best interpretation of this is that if tls-id is not present

(and hence unchanged) then ICE restart does not cause DTLS restart.

This is also my memory of the consensus in RTCWEB. In any case, these

two documents clearly must match.



My observations/recommendations:

  1.  (Issue 1a) EKR is correct that the first sentence of the bullet from JSEP needs to be removed so as to enable interoperation with non-JSEP implementations.
  2.  (Issue 1b) Additionally the final sentence of that bullet ("If this is an answer, the tls-id value, if present, MUST be the same as in the offer") conflicts with the definition of tls-id ("the offerer and answerer generate their own local 'tls-id' attribute values, and the combination of both values identify the DTLS association"). In this case, the DTLS-SDP document would appear to be correct (the fact that the two parties choose different IDs is integral to the mechanism's design), so JSEP needs to change.
  3.  (Issue 1c) The crux of the matter: does ICE restart cause DTLS to restart? The primary rationale outlined in RFC5245 for restarting ICE is changing the destination (IP address or port) of an ongoing media stream -- which would commonly involve changing to a different physical device. While it would, in theory, be possible to transfer the TLS state associated with the connection between devices, this is rather cumbersome (and, as far as I know, not generally supported by TLS libraries). From that perspective, it is my opinion that the DTLS-SDP document is correct that an ICE restart necessitates a new DTLS connection; and I conclude that JSEP needs to change.



Issue 2 (quoting EKR):

2. S 4 says:



   The mux category [I-D.ietf-mmusic-sdp-mux-attributes] for the 'tls-

   id' attribute is 'IDENTICAL', which means that the attribute value

   must be identical across all media descriptions being multiplexed

   [I-D.ietf-mmusic-sdp-bundle-negotiation].



This is not actually what JSEP requires:



   different categories.  To avoid unnecessary duplication when

   bundling, attributes of category IDENTICAL or TRANSPORT MUST NOT be

   repeated in bundled m= sections, repeating the guidance from

   [I-D.ietf-mmusic-sdp-bundle-negotiation], Section 8.1.  This includes



I suspect this is old text.

(Issue 2) JSEP is aligned with draft-ietf-mmusic-sdp-bundle-negotiation-38, while DTLS-SDP does not. This is a largely aesthetic decision (although the JSEP/BUNDLE approach does save a tiny handful of bytes), but I think changing one document (DTLS-SDP) makes more sense than changing two. (I suspect the BUNDLE formulation more closely tracks consensus anyway).



/a

_______________________________________________
mmusic mailing list
mmusic@ietf.org<mailto:mmusic@ietf.org>
https://www.ietf.org/mailman/listinfo/mmusic


_______________________________________________
mmusic mailing list
mmusic@ietf.org<mailto:mmusic@ietf.org>
https://www.ietf.org/mailman/listinfo/mmusic

v2.23.0 | Report a Bug | By Email