IETF Logo Mail Archive

Re: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer?

Roman Shpount <roman@telurix.com> Fri, 09 June 2017 14:18 UTC

Return-Path: <roman@telurix.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9752129483 for <mmusic@ietfa.amsl.com>; Fri, 9 Jun 2017 07:18:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_SPAM=0.5, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S7DLmdY5WEWR for <mmusic@ietfa.amsl.com>; Fri, 9 Jun 2017 07:18:52 -0700 (PDT)
Received: from mail-pg0-x234.google.com (mail-pg0-x234.google.com [IPv6:2607:f8b0:400e:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40B0412945F for <mmusic@ietf.org>; Fri, 9 Jun 2017 07:18:52 -0700 (PDT)
Received: by mail-pg0-x234.google.com with SMTP id f185so27116627pgc.0 for <mmusic@ietf.org>; Fri, 09 Jun 2017 07:18:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7hUthKzVEDKbt+gGN63b058O6byCk14wK33TIXw50yE=; b=bTeGmw5QmJqAYhfQuLlt/Kg08ptB/pliI09X8/wxaECrETNwQAEGN5dEV/nWPmlM3D ebzEvWQx0KrSMGziyjfXrgLp3Tkjqtb8667rtYzWh0Yco1KFMEiLumjh+yszIgmswBJF sdOcf9N6s7Lq/wo++jCqVkGGEypsQV3eez2nQxEb+XbKykxLYLqXucr5i4n/Y1RkKYuU G4pEi7TIzPdHxyzQwJP0t/u3BbVrEGDnRI8PvXVgcb3T7jlgXsv1scIeA0Z8jQrWSne5 iVfk3DpmZezi7OctSqIghcA1o+rns2HPVQx/2e0jvOY9KI7YGVDY0PC0T0ZpTXGvktgh oBEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7hUthKzVEDKbt+gGN63b058O6byCk14wK33TIXw50yE=; b=s/bgzFUqfHG9PxyDb4vplTQ5Gu6alv7XMzf2w5dScqZ/gFu/kTmZIVTR5t3La0Sc7U 04df7N/p/gfr5TyyqvvZrGllIcM7RPJS2RZx4WIvBZDrzwtPSl/NqiutF5S85oj155UJ FSnW5i18pYuaJU3joCiG0EH9PfFec9Hedjl14B4eCVj5cLuyRtSUdnt+YAyDy3WSoOrX P1X/3FJSAM3q+dV+5qSA3i+kzaDHyfk8zljE264b3p3Bzvg+JCAZwaho6JYApQouSD1T 8qSkDh58pHI6Ba244s2FqSXF9mNgng3Orlifk/be0OWZFB04Au9gjsTprITGLdFWZgv/ wsHg==
X-Gm-Message-State: AODbwcD1/oef2k5NMToJIaa/v+hLzmgRP/tIAkSvADxgtxGR2DXkZs7s 7YLywnIxR5U4x8ZR55M=
X-Received: by 10.84.130.98 with SMTP id 89mr28117894plc.222.1497017931617; Fri, 09 Jun 2017 07:18:51 -0700 (PDT)
Received: from mail-pf0-f178.google.com (mail-pf0-f178.google.com. [209.85.192.178]) by smtp.gmail.com with ESMTPSA id r73sm3713017pfk.114.2017.06.09.07.18.50 for <mmusic@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 09 Jun 2017 07:18:51 -0700 (PDT)
Received: by mail-pf0-f178.google.com with SMTP id x63so29007674pff.3 for <mmusic@ietf.org>; Fri, 09 Jun 2017 07:18:50 -0700 (PDT)
X-Received: by 10.98.223.131 with SMTP id d3mr22581051pfl.112.1497017930396; Fri, 09 Jun 2017 07:18:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.169.66 with HTTP; Fri, 9 Jun 2017 07:18:49 -0700 (PDT)
In-Reply-To: <727A5880-BAF5-44FC-8112-6FF5206AEEBC@iii.ca>
References: <D551D683.1D429%christer.holmberg@ericsson.com> <22C94242-218F-4724-AE92-E0B1E8DC2C82@nostrum.com> <21E8BA9D-E442-4DBC-8A7D-CEDFD5F54F8B@iii.ca> <CAD5OKxujAuzJt4QD6JXKHkVd4JB_nO5Th6KXjavMBww=W4644Q@mail.gmail.com> <6125EAB1-A827-4E0F-B756-78F85BB411CD@iii.ca> <CAD5OKxutcpUzh1yLA2kukmYmiHQg3+6fuXbaD0w73gzsAHEXzg@mail.gmail.com> <e80f0fbe-221e-aa9b-33bd-24d2ff50fe84@cisco.com> <6D9B0AD9-F9C9-4DF6-A2AB-D160094E5FE3@iii.ca> <CAD5OKxsZMei6FYDPWVcrjt0X6fy4h_=Odybjczpc8VpEgFSrQg@mail.gmail.com> <46506F82-3944-471C-80E9-D622EB3E1211@iii.ca> <CAD5OKxsWM0SevCiMZ9jJQn_PsEp5hhJ=0BODOm_UXa0P_1_nwQ@mail.gmail.com> <727A5880-BAF5-44FC-8112-6FF5206AEEBC@iii.ca>
From: Roman Shpount <roman@telurix.com>
Date: Fri, 09 Jun 2017 10:18:49 -0400
X-Gmail-Original-Message-ID: <CAD5OKxtFG5h65jY425SmQB-RgZ4VQZLF-ShsX_c+QtXZiO3Pxg@mail.gmail.com>
Message-ID: <CAD5OKxtFG5h65jY425SmQB-RgZ4VQZLF-ShsX_c+QtXZiO3Pxg@mail.gmail.com>
To: Cullen Jennings <fluffy@iii.ca>
Cc: mmusic <mmusic@ietf.org>, Christer Holmberg <christer.holmberg@ericsson.com>
Content-Type: multipart/alternative; boundary="f403045cc7d4f6bfec055187a501"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/BHqAIQWeAhixBLSYfnV4f5s3wTs>
Subject: Re: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer?
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Jun 2017 14:18:54 -0000

On Fri, Jun 9, 2017 at 9:32 AM, Cullen Jennings <fluffy@iii.ca> wrote:

> I'd really really appreciate if you could give me a hint of it you agree
> with my original points I asked about or which ones you disagree with and
> why. The three points I am interested in are:
>
> For devices that want to minimize delay in setting up media and avoid
> media clipping, doing the TLS handshake as soon as possible is good design
> but in some cases this means the system does  the handshake before the
> identity of the fingerprint is known.
>

Doing TLS handshake as soon as possible is a good design. Doing answer
identity and integrity validation and validating certificate fingerprints
as soon as possible is a better design. I understand that doing answer and
fingerprint validation is not always possible when interfacing with legacy
SIP devices, but there is no reason to design new solutions which process
media before the answer. For instance WebRTC has no reason to support
unverified media. Because of this, I think that anything that produces
unverified media is a bad design which has no reason to exist apart for
legacy interop. Specifics on how to design session description identity and
integrity validation are clearly out of scope for this draft.

All of this being said, what I am proposing for the sake of moving this
draft forward does not contradict any of your points. Once again, what I am
proposing is:

1. Remove any recommendation regarding handling DTLS association before the
answer (leave it up to implementation)
2. Put a note that accepting DTLS association before the answer can result
in unverified media and if this media is played back to the end user, end
user SHOULD be notified that media is coming from an unverified source.
3. Add clarification that DTLS associations established before the answer
MUST be torn down when no more answers are expected and that fingerprints
in any of the received answers match the negotiated certificate (Right now
it is specified that DTLS association MUST be torn down if it does not
match the answer. This is wrong if forking is used and multiple answers are
received).


Draft does not advise that DTLS association should be established before
the answer is received (I think this is wrong), but it also does not advise
that it should not (you think it is wrong). This way implementation decides
what's best for it.

Does it contradict anything that you want to accomplish?
If it does, what needs to be changed?

Regards,
_____________
Roman Shpount

v2.23.0 | Report a Bug | By Email