Re: [MMUSIC] Merging ICE aggressive and regular nomination (was Re: [tram] Comment on draft-williams-peer-redirect-01: might it not converge?)

Iñaki Baz Castillo <> Sun, 03 August 2014 15:45 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 390461A0068 for <>; Sun, 3 Aug 2014 08:45:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id q84TgCw78TiE for <>; Sun, 3 Aug 2014 08:45:19 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CD8F51A0055 for <>; Sun, 3 Aug 2014 08:45:19 -0700 (PDT)
Received: by with SMTP id eu11so8581011pac.3 for <>; Sun, 03 Aug 2014 08:45:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=TT+1l9aLi15Bzn+q3Uhp2kt6T3gd9NZLi17fOWARn0g=; b=QQWoQlm/FYyPguDsxg5JDWawrgjawASij/e4cyUgQbk8OHfHaBIZWPiT7BXgn6ZWpM HPvSi4cJvNfDyZgKlVU1vthXje3wKY51Pm45CV8PY2bP0+VkkTNotAqyUtCVENxsTgeZ So7j5Mlm0PZzJGnyR/7vcWUq+rQj8gUqIzmSqqi651YS4zr/XL/VV33rCt3H/HFshenj B94fcg5TIztJ4pv1mg9ABEb9b79vWVzPSQyqBB7s64GzTKRpAboldTGrPA1UZlhu7te1 LKV2YySB1hROlamKpIbsu/OZHYa7jmXKXx8fP2x5e4Gmq6QJMVm/KyTGDG3UyI7W+MxE 05Sg==
X-Gm-Message-State: ALoCoQnd5za41i6pfHksZb4HEvN1BeF58Afm0edTsjY65KMlvjtARugHZz6fa93PGYlhx2trt9Dr
X-Received: by with SMTP id 4mr1192941pdl.147.1407080719309; Sun, 03 Aug 2014 08:45:19 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Sun, 3 Aug 2014 08:44:58 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <>
Date: Sun, 3 Aug 2014 17:44:58 +0200
Message-ID: <>
To: Martin Thomson <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Jonathan Lennox <>, mmusic <>
Subject: Re: [MMUSIC] Merging ICE aggressive and regular nomination (was Re: [tram] Comment on draft-williams-peer-redirect-01: might it not converge?)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 03 Aug 2014 15:45:21 -0000

2014-08-03 17:02 GMT+02:00 Martin Thomson <>om>:
> If we were to couple DTLS with the connectivity check, it seems like we
> would have to require some tweaks to the process in order to avoid the
> problem you describe. I think that you have identified a real problem. It
> might be that we need to exclude that transaction identifier from the
> integrity check to fix that, which is a non-trivial change. The obvious
> solution - requiring identical transaction identifiers - removes the on-push
> guarantee, at least to the extent that an attacker can modify signaling and
> spoof valid source addresses.

I don't like the idea of including an ICE Binding request into a DTLS
packet. ICE requests are supposed to "open the path" and thus STUN
packets should be the first ones. Instead, DTLS is "application data
to be carried over the open path". We must respect that.

So why not the opposite?: Add the DTLS ClientHello packet into a new
STUN attribute (may be called "DTLS_PACKET"). Issues above solved:

- STUN is processed as normal.

- The *same* DTLS HelloClient can be set into *different* ICE Binding
requests, so there is a single DTLS handshake.

- From the point of view of the sender, it is the same scenario in
which the sender sends a ICE Binding request followed by a DTLS
HelloClient, but with the guarantee that the ICE request will arrive
"first" :)

- From the point of view of the receiver, it first receives (and
validates) the ICE Binding request, then generates the ICE response
and then processes the DTLS HelloClient contained in the "DTLS_PACKET"
attribute of the Binding request. This adds very little complexity to
existing implementations.


Iñaki Baz Castillo