Re: [MMUSIC] Review of draft-saito-mmusic-sdp-ike-00
Makoto Saito <ma.saito@nttv6.jp> Mon, 12 March 2007 18:00 UTC
Return-path: <mmusic-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HQooX-0002WG-1C; Mon, 12 Mar 2007 14:00:05 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HQooV-0002WB-Bd for mmusic@ietf.org; Mon, 12 Mar 2007 14:00:03 -0400
Received: from gura.nttv6.jp ([2001:218:1:1040::2]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HQooN-00037c-MX for mmusic@ietf.org; Mon, 12 Mar 2007 14:00:03 -0400
Received: from nirvana.nttv6.jp (nirvana.nttv6.jp [IPv6:2001:218:1f01:1::2687]) by gura.nttv6.jp (NTTv6MTA) with ESMTP id E08351FE40; Tue, 13 Mar 2007 02:59:33 +0900 (JST)
Received: from [127.0.0.1] (localhost [IPv6:::1]) by nirvana.nttv6.jp (NTTv6MTA) with ESMTP id 567B8129AD7; Tue, 13 Mar 2007 02:59:33 +0900 (JST)
Message-ID: <45F59505.1090101@nttv6.jp>
Date: Tue, 13 Mar 2007 02:59:33 +0900
From: Makoto Saito <ma.saito@nttv6.jp>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: ja, en-us, en
MIME-Version: 1.0
To: Dan Wing <dwing@cisco.com>, 'EKR' <ekr@networkresonance.com>, mmusic@ietf.org
Subject: Re: [MMUSIC] Review of draft-saito-mmusic-sdp-ike-00
References: <004b01c76424$05307310$c3f0200a@amer.cisco.com>
In-Reply-To: <004b01c76424$05307310$c3f0200a@amer.cisco.com>
Content-Type: text/plain; charset="ISO-2022-JP"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -2.8 (--)
X-Scan-Signature: c54bc2f42d02429833c0ca4b8725abd7
Cc:
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Errors-To: mmusic-bounces@ietf.org
Thank you for the review. As Dan said, this draft takes advantage of a mechanism of comedia-tls and introduces the simple approach to establish VPN to some device with IPsec. Of course this idea could apply to IPsec-over-UDP, but the draft deals with the simplest case for now. -- Makoto Saito Dan Wing wrote: > > > >>-----Original Message----- >>From: EKR [mailto:ekr@networkresonance.com] >>Sent: Saturday, March 10, 2007 1:46 PM >>To: mmusic@ietf.org >>Subject: [MMUSIC] Review of draft-saito-mmusic-sdp-ike-00 >> >>$Id: draft-saito-mmusic-sdp-ike-00-rev.txt,v 1.1 2007/03/10 >>21:57:28 ekr Exp $ > > > You may recall a presentation by Makoto Saito an IETF or two back, > which did something similar (it did the IPsec key exchange in SIP, > similar to sdescriptions). At the microphone, you said the approach > wasn't reasonable. This document provides a new approach that is > similar to comedia-tls and dtls-srtp. > > >>This document describes a mechanism whereby a SIP/SDP exchange can >>be used to kick off an IPsec association. The idea seems to be >>that I have the AOR for some machine behind a NAT or a firewall >>and I want to set up an IPsec tunnel. So, I use SIP address >>resolution and then SIP to signal to it and then set up an >>IPsec SA as if it were a media connection. >> >>There's no ladder diagram, but I think it looks something like >>this: >> >> >>Alice Proxy Bob >>----------------------------------------------- >>INVITE (IP=A.B.C.D) -> >>Fingerprint=XXXX >> INVITE (IP=A.B.C.D) -> >> Fingerprint=XXXX >> >> <- 200 OK (IP=W.X.Y.X) >> Fingerprint=XXXX >> >><- 200 OK (IP=W.X.Y.X) >> Fingerprint=XXXX >> >> >><------------- IKE exchange -----------------> >> >><=============== IPsec tunnel ================> >> >> >>My first question here is what the use case for this technique >>is. When would I want to set up a VPN to a machine behind a >>NAT? > > > It's not necessarily to a machine behind the NAT, but could also > be to the NAT itself (if the NAT itself implements > draft-saito-mmusic-sdp-ike). The idea being you could be on > the road with your fancy wireless device, could "call home" > (using draft-saito-mmusic-sdp-ike), and after the IPsec tunnel > is established with your NAT (or, if you prefer, with a device > that is behind your NAT), you can then interact with every > device within your home as if you were at home ---- those > devices don't need to understand SIP or IPsec tunnels or > any of that; they just need an IP stack. > > >>That said, this draft seems to solve two problems: >> >>1. Discovery of the current IP address of a given machine. >>2. Using SIP to authenticate the certificates of the client >> and server as per comedia. >> >>So, given that there is a use case for this, (1) seems legitimate. >>(2) strikes me as not quite right, though. Under what circumstances >>are you going to set up a VPN tunnel to a machine that you've never >>talked to before? >>Surely you already have its public key or some >>way of authenticating it. I would think this would go double for >>the receiver. I'm not about to let someone set up a VPN tunnel >>to me (especially since the claimed purpose here is NAT traversal!) >>without knowing who they are. So, I'm not sure what the fingerprint >>exchange buys you. > > > For the use-case described in the draft, it's probably not > necessary. However, it's reasonable to expect there are other > use cases we haven't yet envisioned, and exchanging the fingerprint > seems valuable. > > >>Finally, my impression was that NATs weren't that great about >>passing IKE and IPsec in general. > > > They aren't, but that's what IPsec-over-UDP solves. And if > draft-saito-mmusic-sdp-ike is implemented in the NAT device > itself (rather than in a device behind the NAT), this concern > is diminished. Of course, the concern comes back if the ISP > is NATting their subscribers. > > >>Aren't you going to want to >>use ICE to establish that you have a clear channel. > > > Probably, but that's orthogonal. The main goal of this > specification is setting up IPsec using SIP. > > >>Actually, >>while we're on the topic, wouldn't ICE need to establish not >>only that UDP traffic can pass through (for IKE) but also >>whether plain IPsec can pass or whether it needs UDP wrapping >>I'm not actually sure that ICE can do that now... > > > No, ICE can't do that now, but a connectivity check would be > pretty useful to determine if you could do native IPsec or > if you needed to do IPsec-over-UDP or IPsec-over-TCP. > > -d > > >>-Ekr >> >> >> >> >>_______________________________________________ >>mmusic mailing list >>mmusic@ietf.org >>https://www1.ietf.org/mailman/listinfo/mmusic > > > _______________________________________________ > mmusic mailing list > mmusic@ietf.org > https://www1.ietf.org/mailman/listinfo/mmusic > _______________________________________________ mmusic mailing list mmusic@ietf.org https://www1.ietf.org/mailman/listinfo/mmusic