IETF Logo Mail Archive

Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment direction of DTLS session

Christer Holmberg <christer.holmberg@ericsson.com> Mon, 23 September 2013 10:03 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7A5111E8192 for <mmusic@ietfa.amsl.com>; Mon, 23 Sep 2013 03:03:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.26
X-Spam-Level:
X-Spam-Status: No, score=-3.26 tagged_above=-999 required=5 tests=[AWL=-1.861, BAYES_00=-2.599, J_CHICKENPOX_56=0.6, J_CHICKENPOX_57=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zLxxXnFX-Gdl for <mmusic@ietfa.amsl.com>; Mon, 23 Sep 2013 03:03:10 -0700 (PDT)
Received: from sesbmg20.ericsson.net (sesbmg20.ericsson.net [193.180.251.56]) by ietfa.amsl.com (Postfix) with ESMTP id F305821F8F32 for <mmusic@ietf.org>; Mon, 23 Sep 2013 02:55:24 -0700 (PDT)
X-AuditID: c1b4fb38-b7fcf8e0000062b8-0e-52400fd48973
Received: from ESESSHC011.ericsson.se (Unknown_Domain [153.88.253.125]) by sesbmg20.ericsson.net (Symantec Mail Security) with SMTP id 01.83.25272.4DF00425; Mon, 23 Sep 2013 11:54:29 +0200 (CEST)
Received: from ESESSMB209.ericsson.se ([169.254.9.146]) by ESESSHC011.ericsson.se ([153.88.183.51]) with mapi id 14.02.0328.009; Mon, 23 Sep 2013 11:54:27 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Schwarz, Albrecht (Albrecht)" <albrecht.schwarz@alcatel-lucent.com>
Thread-Topic: [mmusic-udptl-dtls-01] Establishment direction of DTLS session
Thread-Index: AQHOuD+aJtvv7cpjnkmDBowqd8pC3pnTEtBg
Date: Mon, 23 Sep 2013 09:54:26 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B1C4A9A45@ESESSMB209.ericsson.se>
References: <786615F3A85DF44AA2A76164A71FE1AC0BA3EC@FR711WXCHMBA03.zeu.alcatel-lucent.com> <7594FB04B1934943A5C02806D1A2204B1C4A769E@ESESSMB209.ericsson.se> <786615F3A85DF44AA2A76164A71FE1AC0BC423@FR711WXCHMBA03.zeu.alcatel-lucent.com>
In-Reply-To: <786615F3A85DF44AA2A76164A71FE1AC0BC423@FR711WXCHMBA03.zeu.alcatel-lucent.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.16]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrALMWRmVeSWpSXmKPExsUyM+Jvre4Xfocgg56vUhZ/Wn8xWmxdn2gx dfljFgdmj9Zne1k9liz5yRTAFMVlk5Kak1mWWqRvl8CVsev/Q/aCqcoVzxZ8ZmxgPCvTxcjJ ISFgIrGxdyIzhC0mceHeerYuRi4OIYGjjBKbNzawgiSEBJYwStyZBWRzcLAJWEh0/9MGCYsI eEjcX3CMDcRmFkiTmNC5ngnEFhbwlth/ah8bRI2PxIbeg0wgrSICRhITbueAhFkEVCW+7F/A CGLzCvhKdDw6wgix9j2jxJrbN1lAEpwC0RK3mraAzWEEuu37qTVMELvEJW49mc8EcbOAxJI9 56HuF5V4+fgfK4StKLHzbDszRL2OxILdn6Du1JZYtvA1M8RiQYmTM5+wTGAUm4Vk7CwkLbOQ tMxC0rKAkWUVI0dxanFSbrqRwSZGYKwc3PLbYgfj5b82hxilOViUxHm36J0JFBJITyxJzU5N LUgtii8qzUktPsTIxMEp1cAoHtIXK5Ruv+FlQaZ4mX3powNLZkiWd5wWZcnZyHQqkHlhvJPc fPEfesLB508KL6uIEL4sVTppT+wnmd+2Xy4ulDu/c1f42lMH/t2x5LE+5qy/QMJZeY6d95SP sxqmXPQsvDBxDc/jboU/l24LT751xyFbRMmBMdf83vKD5VwsEkk5VW86coqUWIozEg21mIuK EwEFNkSxYwIAAA==
Cc: "mmusic@ietf.org" <mmusic@ietf.org>, "LANDAIS, BRUNO (BRUNO)" <bruno.landais@alcatel-lucent.com>
Subject: Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment direction of DTLS session
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2013 10:03:39 -0000

Hi Albrecht,

I don't know what model people were focusing on when writing RFC 5763, but the RFC does say:

"The endpoint that is the offerer MUST use the setup attribute value of setup:actpass"

...which we also copied into the udptl-dtls draft.

Now, if you want to change that, and allow the Offerer to "force" the direction, I think you should start a separate thread about that. Because, it is not specific to fax, in my opinion.

Regards,

Christer 

-----Original Message-----
From: Schwarz, Albrecht (Albrecht) [mailto:albrecht.schwarz@alcatel-lucent.com] 
Sent: 23. syyskuuta 2013 12:31
To: Christer Holmberg
Cc: mmusic@ietf.org; LANDAIS, BRUNO (BRUNO)
Subject: RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS session

Hello Christer,

the decision about "DTLS session establishment direction" is ALWAYS up to the SDP ANSWERER (according present 3.1).

In order to decouple SIP session and DTLS session establishment directions, then the SDP OFFERER should also to be able to use "setup:active" and "setup:passive" (besides codepoint "setup:actpass") in my understanding.

I'm not sure whether the reference to RFC 5763 helps because I could imagine that the subject comes down to the indicated network scenarios, lets look again at:
a) T - T
b) T -GW

The existing udptl-dtls & RFC 5763 text seems to focus on model (a) only: SDP O/A between two peering, terminal located SIP UAs (there is NOT any SIP B2BUA).
But I could imagine that the SIP/SDP profiles for "T" and "GW" are not necessarily the same in case of model (b): "T" as SDP Offerer may not allowed to decide the DTLS session establishment direction, but "GW" as SDP offerer may need to enforce the DTLS session establishment direction (either way).

Regards,
Albrecht


-----Original Message-----
From: Christer Holmberg [mailto:christer.holmberg@ericsson.com] 
Sent: Donnerstag, 19. September 2013 10:02
To: Schwarz, Albrecht (Albrecht)
Cc: mmusic@ietf.org
Subject: RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS session

Hi Albrecht,

The direction of the SIP session establishment and the DTLS session establishment are NOT tightly coupled. The draft enables the Answerer to select whether it wants to act as DTLS client or DTLS server.

Section 3.1 states:

.... The
offerer MUST assign the SDP setup attribute with setup:actpass value, and MUST be prepared to receive a DTLS client_hello message before it receives the SDP answer. The answerer MUST assign the SDP setup attribute with either setup:active value or setup:passive value. The answerer SHOULD assign the SDP setup attribute with the setup:active value. Whichever party is active MUST initiate a DTLS handshake by sending a ClientHello over each flow (host/port quartet).

The same rules apply for DTLS-SRTP (see Section 5 of RFC5763). In fact, we base the procedure on that RFC.

BFCP-over-DTLS (draft-ietf-bfcpbis-rfc4582bis) also refers to the DTLS-SRTP procedures for DTLS server determination.

Regards,

Christer





-----Original Message-----
From: Schwarz, Albrecht (Albrecht) [mailto:albrecht.schwarz@alcatel-lucent.com]
Sent: 18. syyskuuta 2013 18:28
To: Christer Holmberg
Cc: mmusic@ietf.org
Subject: [mmusic-udptl-dtls-01] Establishment direction of DTLS session

The T.38 endpoint could be located in a terminal (= T.38 IAF) or in a gateway, leading to three possible scenarios of
a) T - T
b) T -GW
c) GW-GW

I'd like to scope on scenario (b) due to its asymmetry of user- and network-side located T.38 endpoints.

Christer,
I thought that the two directions of
1) SIP session establishment and
2) DTLS session establishment
should be NOT tightly coupled (as currently supposed to be in clause 3.1)?
The ietf draft should offer the flexibility in decoupling both establishment directions.

E.g., there might be the demand to limit DTLS session establishment in T-to-GW direction (and apply rather the reverse direction) due ClientHello associated security threats, resource requests in terms of memory, ...

In my opinion:
the IETF should allow the flexibility,
other SDOs could still profile/limit this capability.

Best regards,
Albrecht

PS
We had a similar discussion with TLS, there NAT traversal (NAT-T) aspects could influence TLS session establishment direction. However, I guess that NAT-T is minor for DTLS/UDP.

v2.46.0 | Report a Bug | By Email | System Status