IETF Logo Mail Archive

Re: [MMUSIC] DTLS-SDP and JSEP Conflicts

Roman Shpount <roman@telurix.com> Thu, 07 September 2017 18:10 UTC

Return-Path: <roman@telurix.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B3A913292F for <mmusic@ietfa.amsl.com>; Thu, 7 Sep 2017 11:10:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bJv0pxL2HRd4 for <mmusic@ietfa.amsl.com>; Thu, 7 Sep 2017 11:10:52 -0700 (PDT)
Received: from mail-pg0-x22f.google.com (mail-pg0-x22f.google.com [IPv6:2607:f8b0:400e:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA390132D40 for <mmusic@ietf.org>; Thu, 7 Sep 2017 11:10:50 -0700 (PDT)
Received: by mail-pg0-x22f.google.com with SMTP id q68so842490pgq.1 for <mmusic@ietf.org>; Thu, 07 Sep 2017 11:10:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=HgOTA4J5HymbrWgASVY1RRfJMRYGfPHezcNMkmahzNY=; b=PvLZBZNHQ6coSWFZkLJBSmW/NKw6tyDwYVxRYBW1UgWs6ON/RCoot8fAcnpmgBNc3T onzgYbWM6nppXyGP4vu999pMfJYj2X2KWORVuiMtbB0aRETGL7OMJ/Q+U3gax8WQtBID zUFfYLnVfYNPS57cVc6wbcCwHNl1tFCSgcWTwfQJz/4l1nJgUsmGFkBx0/Gz+PZU0Fq0 ESZ/hK4RF8cy68ngDS309a479ZWDwzLgTaAB2IBZOH8/vRuQHyrIU3FdnuNXnUjCj1/M 46qWhGP6agHNWVi0Qm4lFFbtgSdh5e9MKk9dySZ0ZfvKQ4XBxvwO6HJClvgKBE9Df6Df G9tQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=HgOTA4J5HymbrWgASVY1RRfJMRYGfPHezcNMkmahzNY=; b=swj351Gp2nodd5S40y61rkWf54cdKiBqU5acEotkmyRTp2uhjmvGm/djQNsgKsd4tk Ez69Yif2vLt12QghCx+p/tbvJRbYwIp4jcN4W55vtu+NMRkP86jYWKi3srtKm9o1G+MG nkpkv1z3qdKtEF9PN4Oaghc6ce4/gR1JH1kVpEKMmD8gtYsCxDONdAeqAha9AYiVo+FG PLxDJQT+8y7li688MtsDKwP72zTrXLeeH2fuTDAS58mgvrojsHlWAXPUlm43Mn0OXvHR 6zyzzDPZQTaiC7OcvATsj8Eqpib6MOvhbGUcez0vyG6rXBhWf46d93ejPoXxapNWCMVp PU4g==
X-Gm-Message-State: AHPjjUi5euU3kV1FATyKGmZQ98aTSmbmMhKQjviUOHBkbewh2HdixNs1 dD5sU8wEX7YTFJ+YYDc=
X-Received: by 10.98.220.66 with SMTP id t63mr218578pfg.328.1504807850208; Thu, 07 Sep 2017 11:10:50 -0700 (PDT)
Received: from mail-pg0-f45.google.com (mail-pg0-f45.google.com. [74.125.83.45]) by smtp.gmail.com with ESMTPSA id 62sm371537pfu.4.2017.09.07.11.10.49 for <mmusic@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 07 Sep 2017 11:10:49 -0700 (PDT)
Received: by mail-pg0-f45.google.com with SMTP id v66so804369pgb.5 for <mmusic@ietf.org>; Thu, 07 Sep 2017 11:10:49 -0700 (PDT)
X-Google-Smtp-Source: ADKCNb49LnbS2CpfKgw7lsIBK6d468LWpBdvyriZfFFLQx8xXxeZxe0Tv/mfwAlBbyva3kgKIx3bri1yA6Xb54sfV/U=
X-Received: by 10.84.238.135 with SMTP id v7mr224664plk.276.1504807849041; Thu, 07 Sep 2017 11:10:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.191.8 with HTTP; Thu, 7 Sep 2017 11:10:48 -0700 (PDT)
In-Reply-To: <CABcZeBPUFpdXXkj6b6GjaDQV+X+DGPrnu+CFJ3gu1L9=5qrrpQ@mail.gmail.com>
References: <f353ad39-4ee5-4661-8e99-7fab6e394e91@nostrum.com> <CAOW+2dtv8r7qTyNxWY8NacfEh+Ojk5ObVAXEur3D4GyMw89YaQ@mail.gmail.com> <CABcZeBOJgyva5e-ykH-RkKN=BJPrXVYLu8vZbbNBv0xscv6bOA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B562818F7@ESESSMB109.ericsson.se> <CABcZeBNv4fdFTJ+tXeBkMDqbMCEw916Txt8owFY-X7ijX0-FcA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B56282B43@ESESSMB109.ericsson.se> <CABcZeBNh9ep+tq4_wWHT6uqXZz=OS8VngrmtspPz5nJ=pZS0ow@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B562869A2@ESESSMB109.ericsson.se> <CABcZeBPj6e=rtYHr4nyqeaB58TDBEjyB0xYeJJ+P63rO0DSw+A@mail.gmail.com> <D5D30222.20F35%christer.holmberg@ericsson.com> <b5a72f26-8bae-7eb8-4d54-93dc38b0f16a@alum.mit.edu> <CABcZeBM3m6Sdou5-VE6hjtdQpzC8sEpeSH1fUzauW68NqoSiog@mail.gmail.com> <CAD5OKxviYzVHYwXzk0DDiMQ64nWYq1WnB1hYbNR0xUCwT33JiA@mail.gmail.com> <CABcZeBNHJXCzjuArsHAa_+hb0QC98ftA4-P0h2vwzMV1_ReyQg@mail.gmail.com> <CAD5OKxufxwtEuq8a7z16wGcdxWfLOP5E439hbs2Ev=nSbK52cA@mail.gmail.com> <CABcZeBPUFpdXXkj6b6GjaDQV+X+DGPrnu+CFJ3gu1L9=5qrrpQ@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
Date: Thu, 07 Sep 2017 14:10:48 -0400
X-Gmail-Original-Message-ID: <CAD5OKxvdC6Eb-eZzd-jd+5-UfRVph2qfJpQKsr3nP-qvcgoaoQ@mail.gmail.com>
Message-ID: <CAD5OKxvdC6Eb-eZzd-jd+5-UfRVph2qfJpQKsr3nP-qvcgoaoQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu>, mmusic WG <mmusic@ietf.org>
Content-Type: multipart/alternative; boundary="f403045fdf884c249305589d610b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/Lbxr4FFpTasEJQHKqsPjEPOeH2Q>
Subject: Re: [MMUSIC] DTLS-SDP and JSEP Conflicts
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2017 18:10:55 -0000

On Thu, Sep 7, 2017 at 10:25 AM, Eric Rescorla <ekr@rtfm.com> wrote:

>
> Well, to recap, ICE restart can only be initiated by the offerer:
> https://tools.ietf.org/rfcmarkup?doc=5245#section-9.2.2
>
> And as we discussed in detail, there's no real way to demux without an ICE
> restart, so I'm not interested in trying to preserve that case in the
> situations when it happens to work. In general, the offerer can simply
> offer a new tls-id if it's willing to accept a new TLS connection. I
> appreciate that this will also cause a TLS association even when the
> endpoints haven't changed, but this just doesn't seem like that big a deal.
>
> If you have a specific case in mind that this causes a problem for, I'd
> need to see a call-flow diagram to understand it.
>
>
There are two specific scenarios that concern me:

1. Third Party Call Control

a. End point A is connected to end point B through third party call control
agent 3PCC
b. 3PCC sends a request for a new offer to A (using SIP INVITE with no SDP
body).
c. End point A sends an offer with ICE restart (required in response to
INVITE with no SDP) and existing tls-id
d. 3PCC agent sends this offer as a new call offer to end point C
e. This is a new offer for C, so it sends an answer with a new tls-id to
3PCC
f. 3PCC sends an answer to end point A
g. Since A got an answer with a new tls-id, a new DTLS association is
established between A and C

This also has an optional case, when end point C is legacy and it does not
send back tls-id attribute, but does send new fingerprint values. I would
prefer that new implementations were allowed for the same scenario using
tls-id.

Note that in step d, 3PCC can also send the  re-offer back to B, which will
result in existing DTLS association reuse. This is very common when session
timers are implemented by 3PCC agents.

2. Connection Recovery

a. End point is connected to a service (like conference service) which is
comprised from multiple redundant media servers behind a single signaling
proxy
b. End point detects a network connectivity disruption via keep-alive
timeout
c. End point initiates connection recovery process by generating an offer
with ICE restart and existing DTLS association (and media settings) and
sends it to the signaling proxy
d. If the network connectivity is restored to the same media server via a
different network path, for instance due to client address change, existing
DTLS association and media are re-used
e. If connectivity failure was due to media server failure, connectivity is
restored but to a different media server. New DTLS  association and media
connection is established in this case.

Please note that case d is much less common then case e.

In both cases it is possible to make things work by forcing new tls-id
value in the offer. This will result in extra DTLS association, local ICE
candidate allocations (which are required if new DTLS association is
requested via new tls-id), and new media setup. All of those things will
waste resources and more importantly will increase connection setup time.

Regards,
_____________
Roman Shpount

v2.23.0 | Report a Bug | By Email