Re: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer?

Eric Rescorla <ekr@rtfm.com> Tue, 16 May 2017 13:58 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 16 May 2017 06:54:02 -0700
Message-ID: <CABcZeBN+91+kf8j599CpdiHu62QoOu4Xbkb5xhEEwSQp_LGxFw@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/KWC9BGarvK17oR0mFFQdJ-OWXIY>

On Mon, May 15, 2017 at 11:43 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:

> Hi,
>
> The pull request based on the WGLC comments from Roman S and Martin T suggests text saying that if an offerer receives ClientHello it must not send ServerHello until it has received the answer (that carries the fingerprint associated with the DTLS association).
>

I may have missed their comments, but I don't understand why you would make that rule. In neither TLS 1.2 nor 1.3 are you able to evaluate the fingerprint at this point anyway, because you don't have the cert.

It's one thing not to determine that the handshake is complete until you receive the answer, but that's different from not sending the SH. That seems silly. [0]

-Ekr

[0] I want to preemptively acknowledge that in most full-ICE cases, you won't be able to send the SH at this point anyway, but that's a distinct question.



> It has been claimed that we DO need to allow the offerer to establish the DTLS association BEFORE it has received the answer, in order to support certain early media use-cases. Until the offerer has received the answer, such media would be considered un-authenticated. Others do not want to allow it, due to security concerns.
>
> We need to find a solution to this, so any input is welcome.
>
> The pull request: https://github.com/cdh4u/draft-dtls-sdp/pull/31/files
>
> Regards,
>
> Christer
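As an added illustration of the point argued in this message (not code from the thread or from draft-dtls-sdp): a toy offerer-side state machine showing that the fingerprint check needs both the peer certificate from the DTLS handshake and the fingerprint from the SDP answer, so the ServerHello can be sent as soon as the ClientHello arrives while the association, and any early media on it, stays unauthenticated until the answer has been received and matched. The `Offerer` class and the certificate bytes are constructed for this example; the fingerprint formatting follows the RFC 8122 `a=fingerprint` convention.

```python
import hashlib

# Constructed stand-in for the DER certificate the answerer sends in the
# DTLS handshake; a real endpoint hashes the actual Certificate message.
ANSWERER_CERT = b"constructed-answerer-cert"
WRONG_CERT = b"constructed-cert-of-someone-else"


def sdp_fingerprint(cert_der: bytes) -> str:
    """Format an SDP a=fingerprint value, e.g. 'sha-256 AB:CD:...'."""
    hexdigest = hashlib.sha256(cert_der).hexdigest().upper()
    return "sha-256 " + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


class Offerer:
    """Offerer acting as DTLS server; tracks what it has and what it may do."""

    def __init__(self):
        self.answer_fingerprint = None   # arrives in the SDP answer
        self.peer_cert = None            # arrives in the DTLS Certificate message
        self.sent_server_hello = False

    def on_client_hello(self) -> bool:
        # At this point neither TLS 1.2 nor 1.3 has delivered the peer cert,
        # so the fingerprint cannot be checked yet; withholding the
        # ServerHello buys nothing. Send it and return True.
        self.sent_server_hello = True
        return self.sent_server_hello

    def on_peer_certificate(self, cert_der: bytes) -> None:
        self.peer_cert = cert_der

    def on_sdp_answer(self, fingerprint: str) -> None:
        self.answer_fingerprint = fingerprint

    def association_authenticated(self) -> bool:
        """True only once the handshake cert matches the answer's fingerprint."""
        if self.peer_cert is None or self.answer_fingerprint is None:
            return False
        return sdp_fingerprint(self.peer_cert) == self.answer_fingerprint

    def media_status(self) -> str:
        return "authenticated" if self.association_authenticated() else "unauthenticated"


def early_media_scenario(answer_fp: str) -> tuple:
    """Handshake completes before the answer; returns media status before and after it."""
    offerer = Offerer()
    offerer.on_client_hello()
    offerer.on_peer_certificate(ANSWERER_CERT)
    before = offerer.media_status()      # early media: handshake done, still unauthenticated
    offerer.on_sdp_answer(answer_fp)
    return before, offerer.media_status()
```

A mismatch between the answer's fingerprint and the handshake certificate leaves the association unauthenticated even after the answer arrives, which is the case the "security concerns" side of the thread is worried about.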