IETF Logo Mail Archive

Re: [MMUSIC] DTLS-SDP and JSEP Conflicts

Roman Shpount <roman@telurix.com> Fri, 25 August 2017 21:39 UTC

Return-Path: <roman@telurix.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADFEB132C6C for <mmusic@ietfa.amsl.com>; Fri, 25 Aug 2017 14:39:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_SPAM=0.5, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jMT8FRwZps_I for <mmusic@ietfa.amsl.com>; Fri, 25 Aug 2017 14:39:26 -0700 (PDT)
Received: from mail-pg0-x22d.google.com (mail-pg0-x22d.google.com [IPv6:2607:f8b0:400e:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07A4213280C for <mmusic@ietf.org>; Fri, 25 Aug 2017 14:39:25 -0700 (PDT)
Received: by mail-pg0-x22d.google.com with SMTP id r133so5260334pgr.3 for <mmusic@ietf.org>; Fri, 25 Aug 2017 14:39:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jiePJZOOoIjmUeuRiLJWUKolRq6kuMVlcyBsZ+kz8LQ=; b=XmeLxnILvq1Li4Om6IRriCdfvQ0iTWt25i/gm2ncW/BH3YIY66wBVcz59TNA72eOkP ibOakfXxtvOEoI2YM8EJU1pwT9az6Jdycghf7i+4G1sb3gz4RsvxThdfvhEq9RSNL+yB oX6LghYIGlstKh17+fA4buGiwvWhf4n+457APRXgiy0EKKJcrP+Y4Ma3TWVukTXb1NI+ pAcjfQA2NJZsO1MIPdUvA1qJ/qli046cs+pU8/UK8az9HTIOCKCH+o9F6zTrrLlHTCGF J7Zv/gpEOoU/QBVeEOb7r9OwA9HqrCsWitPYW7O+WnTiStCanJ01KfnJfb2NO6kbLHKL fBFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jiePJZOOoIjmUeuRiLJWUKolRq6kuMVlcyBsZ+kz8LQ=; b=mSQNdoWiOsfAIEC+IxSGKDCD8uMlTBCmhtzX7UIO5wuJWPsfYaYkoDyGvo1uPJzIv9 GMBp9BS9cwA8UDSm5HcsTwCw7avWzGck/CXmR0o6cj/2cvjmKAnQpFSGOgMrd3Jt/Qdm aT8Dv3ObVf9Qd5LHroynXlyHxlGJTCKV0gkUvpI5pWlzNXdVIbwp8r2ETKWF8BA7yJL5 V2g8N6v4HREoVg4ytFsnAiPY52iaQrRvZ9rRKRJvXM1QqnFBZul3WYq1JeFeJfISiqIX 70/7nsUD4ZR0zaZ2K4r9iCGx2U4Bh37+dYdNNg8JV828EEpsj0P9i/wtcDyEAz5NCEzt mzBQ==
X-Gm-Message-State: AHYfb5hy5rRlqh+UZlT61bGyXTlrU4Bil8irXv+oRxHbNQf69/UXt+Nk W/GM9cOmfAt1YDZk4Iw=
X-Received: by 10.99.119.196 with SMTP id s187mr11051736pgc.57.1503697165241; Fri, 25 Aug 2017 14:39:25 -0700 (PDT)
Received: from mail-pg0-f52.google.com (mail-pg0-f52.google.com. [74.125.83.52]) by smtp.gmail.com with ESMTPSA id p17sm15244089pfj.176.2017.08.25.14.39.24 for <mmusic@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 25 Aug 2017 14:39:24 -0700 (PDT)
Received: by mail-pg0-f52.google.com with SMTP id t3so5345601pgt.0 for <mmusic@ietf.org>; Fri, 25 Aug 2017 14:39:24 -0700 (PDT)
X-Received: by 10.84.140.3 with SMTP id 3mr12429876pls.374.1503697164363; Fri, 25 Aug 2017 14:39:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.191.8 with HTTP; Fri, 25 Aug 2017 14:39:23 -0700 (PDT)
In-Reply-To: <f353ad39-4ee5-4661-8e99-7fab6e394e91@nostrum.com>
References: <f353ad39-4ee5-4661-8e99-7fab6e394e91@nostrum.com>
From: Roman Shpount <roman@telurix.com>
Date: Fri, 25 Aug 2017 17:39:23 -0400
X-Gmail-Original-Message-ID: <CAD5OKxu3HCThdqTjJ=jz_ZsceX0bVXW+FoRWsEB-N-nbmjEC4g@mail.gmail.com>
Message-ID: <CAD5OKxu3HCThdqTjJ=jz_ZsceX0bVXW+FoRWsEB-N-nbmjEC4g@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1194da54ee2605579ac74c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/2bYbnnIR666dcux9LWLcAB8nF5U>
Subject: Re: [MMUSIC] DTLS-SDP and JSEP Conflicts
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Aug 2017 21:39:28 -0000

On Fri, Aug 25, 2017 at 4:30 PM, Adam Roach <adam@nostrum.com> wrote:

>
>    1. (Issue 1c) The crux of the matter: does ICE restart cause DTLS to
>    restart? The primary rationale outlined in RFC5245 for restarting ICE is
>    changing the destination (IP address or port) of an ongoing media stream --
>    which would commonly involve changing to a different physical device. While
>    it would, in theory, be possible to transfer the TLS state associated with
>    the connection between devices, this is rather cumbersome (and, as far as I
>    know, not generally supported by TLS libraries). From that perspective, it
>    is my opinion that the DTLS-SDP document is correct that an ICE restart
>    necessitates a new DTLS connection; and I conclude that JSEP needs to
>    change.
>
>
> This is a really thorny issue which does not have a good solution. Correct
handling of ufrag change is one of the main reasons why tls-id draft was
written in the first place. Here is a little bit more background on the
problem:

1. If ICE restart was caused by 3pcc and resulted in connection to a new
device, new DTLS association is required. In some cases, connection to a
new device will also result in the new fingerprint set. In some cases (like
transfer withing the same organization which uses the same pre-provisioned
certificate), fingerprints will stay the same and only ufrag will change.
So, this means new DTLS association should be established if ufrag changes
due to device change.

2. If ICE restart is initiated when new network interfaces became
available, such as when WiFi became available on the mobile device. This
means that both existing candidates and new candidates can be present
during ICE restart. This also means, that in some situations, even though
ICE restart completes, the underlying transport does not have to change and
the same ICE candidate pair will be used after ICE restart. Since this is
the same ICE candidate pair, it will mean that packets from old and new
DTLS association can be received over the same 5-tuple and they cannot be
demultiplexed. This means DTLS association should stay the same even if
ufrag changes due to ICE restart but when end points plans to re-use ICE
candidates.

So, we have two situations which both will result in some interop problems
regardless of which decision we will make. Taking into account that most of
existing ICE with DTLS implementations use ephemeral certificates, 3pcc
will likely result in change of both ufrag and fingerprints. Because of
this, I think not establishing new DTLS association on ufrag change is a
safer option. Which means JSEP text is probably a safer option, especially
where WebRTC is concerned.

This being said, going forward tls-id should be used to make sure this is
resolved in unambiguous manner.

Regards,
_____________
Roman Shpount

v2.23.0 | Report a Bug | By Email