IETF Logo Mail Archive

Re: [MMUSIC] DTLS-SDP and JSEP Conflicts

Eric Rescorla <ekr@rtfm.com> Thu, 07 September 2017 14:26 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E41D6132F2A for <mmusic@ietfa.amsl.com>; Thu, 7 Sep 2017 07:26:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4moGm4xl0NSe for <mmusic@ietfa.amsl.com>; Thu, 7 Sep 2017 07:26:23 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A52AA132968 for <mmusic@ietf.org>; Thu, 7 Sep 2017 07:26:23 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id s62so15491088ywg.0 for <mmusic@ietf.org>; Thu, 07 Sep 2017 07:26:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=fsXCd2PDeWwE9nUqVIBikv5T5lUuVy8rr3AoerHvAjU=; b=KqXz6uJXidEhuq3Irf4n7nZPmMDCg8lprb9L8irQFeXnw842Of8/VWDbs1MVLWmg1K uYfbwK9Sva52JQFnWlxtvuD3ci0sRapTI6tYq+nwz55uz8nV3ye7uTw/5izlCMC/6C8m yP0DNGqXb6mO8Jr5MCQjDE8JHNHUJF0ChvAvrYXmnfsNM0kqJVkmhaskoxgAor5CQFKG Pg0213G5jb5+I5QlqSaCysJrqWBmgDrcuB8YQYquD5lUYPKYjVmc5G1DcW99m+wTLFp7 6g2YrCbNIS2i9UFEuujoIhaOcKumZbiO5uhMRtpZqNCk+06sI9VIEnjo3QE3IFcAuyE/ iMMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=fsXCd2PDeWwE9nUqVIBikv5T5lUuVy8rr3AoerHvAjU=; b=MtAQYlSVGCFyQl4Ud7/yruvJRgSIVZSAzgK8ggWaw4YFIZZFPCWP/be0UBRaRyJqGn nyHKvSmLvRVTYcbjPickKzUu0UtML13DmDOkayheIkV7v/5uC/NZ/rBz0lZtge+xS0Ie ZY0AgmF7EC5Qjhl4xiTS/BEPNYmR1OucITtYFIeZ6enzTLkhkUU5TGKUhurcl6CQ6HN9 TnV3Uk41gaR1kVGyqob5ORF/7pe8KufAyD/QVXwz21H+3QHnCWXlsahHZQ6LFx8No0VA dlFXIHIHfZpP/zBrZuHiOqWk3nz/rfld/sfE8fCAX9RgBIfoatCc2gjFseiYvWzvF9E2 bn7g==
X-Gm-Message-State: AHPjjUgMPkGzMEtoXScGbUWCp4HZF1SVKykUS+VoPSZ0+BL3Zrk3SC/t sJCzIReAhqkoiEl8RUpAEhHj465X+SVr
X-Google-Smtp-Source: ADKCNb5gzv5W9f6Zf3qaIFGj5pzTbR9hoZ6+jT2oKHq/j9IuGU52MgW3eDk4TNeplyStlJ7T8xrMr/tow7r2siXnvpc=
X-Received: by 10.37.190.76 with SMTP id d12mr2266821ybm.204.1504794382715; Thu, 07 Sep 2017 07:26:22 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.218.130 with HTTP; Thu, 7 Sep 2017 07:25:42 -0700 (PDT)
In-Reply-To: <CAD5OKxufxwtEuq8a7z16wGcdxWfLOP5E439hbs2Ev=nSbK52cA@mail.gmail.com>
References: <f353ad39-4ee5-4661-8e99-7fab6e394e91@nostrum.com> <CAOW+2dtv8r7qTyNxWY8NacfEh+Ojk5ObVAXEur3D4GyMw89YaQ@mail.gmail.com> <CABcZeBOJgyva5e-ykH-RkKN=BJPrXVYLu8vZbbNBv0xscv6bOA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B562818F7@ESESSMB109.ericsson.se> <CABcZeBNv4fdFTJ+tXeBkMDqbMCEw916Txt8owFY-X7ijX0-FcA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B56282B43@ESESSMB109.ericsson.se> <CABcZeBNh9ep+tq4_wWHT6uqXZz=OS8VngrmtspPz5nJ=pZS0ow@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B562869A2@ESESSMB109.ericsson.se> <CABcZeBPj6e=rtYHr4nyqeaB58TDBEjyB0xYeJJ+P63rO0DSw+A@mail.gmail.com> <D5D30222.20F35%christer.holmberg@ericsson.com> <b5a72f26-8bae-7eb8-4d54-93dc38b0f16a@alum.mit.edu> <CABcZeBM3m6Sdou5-VE6hjtdQpzC8sEpeSH1fUzauW68NqoSiog@mail.gmail.com> <CAD5OKxviYzVHYwXzk0DDiMQ64nWYq1WnB1hYbNR0xUCwT33JiA@mail.gmail.com> <CABcZeBNHJXCzjuArsHAa_+hb0QC98ftA4-P0h2vwzMV1_ReyQg@mail.gmail.com> <CAD5OKxufxwtEuq8a7z16wGcdxWfLOP5E439hbs2Ev=nSbK52cA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 07 Sep 2017 07:25:42 -0700
Message-ID: <CABcZeBPUFpdXXkj6b6GjaDQV+X+DGPrnu+CFJ3gu1L9=5qrrpQ@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu>, mmusic WG <mmusic@ietf.org>
Content-Type: multipart/alternative; boundary="089e08230cbca4705b05589a3eee"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/Rx8Up6U9wh79gc69pNUgiCsJZZI>
Subject: Re: [MMUSIC] DTLS-SDP and JSEP Conflicts
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Sep 2017 14:26:26 -0000

On Mon, Sep 4, 2017 at 9:16 PM, Roman Shpount <roman@telurix.com> wrote:

> On Tue, Sep 5, 2017 at 12:03 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>> On Mon, Sep 4, 2017 at 8:48 PM, Roman Shpount <roman@telurix.com> wrote:
>>
>>> On Mon, Sep 4, 2017 at 10:41 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Sep 4, 2017 at 7:37 AM, Paul Kyzivat <pkyzivat@alum.mit.edu>
>>>> wrote:
>>>>
>>>>> On 9/4/17 6:14 AM, Christer Holmberg wrote:
>>>>>
>>>>> Now, based on your suggestion, if the offerer doesn¹t know whether the
>>>>>>>> answerer supports tls-id, does that mean that the only way
>>>>>>>> for the offerer to ensure that the re-offer will trigger a new DTLS
>>>>>>>> association is by modifying the fingerprint set in the offer?
>>>>>>>>
>>>>>>>
>>>>>>> That's true in any case, because we have implementations which behave
>>>>>>> that way and we can't change them.
>>>>>>>
>>>>>>
>>>>>> On GitHub you also suggested
>>>>>> (https://github.com/cdh4u/draft-dtls-sdp/issues/37) that the
>>>>>> answerer,
>>>>>> even if it supports tls-id, shall not be able to trigger a new DTLS
>>>>>> association (read: change the tls-id value). I assume that means the
>>>>>> answerer would not be able to change its fingerprint set either, or do
>>>>>> anything else that would trigger a new DTLS association?
>>>>>>
>>>>>
>>>>> Why would you want to *prevent* the answerer from triggering a new
>>>>> DTLS association???
>>>>>
>>>>
>>>> As noted previously, it's confusing and it's only possible at all in
>>>> the edge case where the offerer offers an ICE restart but not a new DTLS
>>>> association.
>>>>
>>>>
>>> The main reason new DTLS association can started by the answering party
>>> is third party call control. The new DTLS association will be required if
>>> as a result of the offer/answer exchange two new end points ends up being
>>> connected with each other by a third party call control agent. This is a
>>> fairly common scenario. If it is not supported interoperability with
>>> existing implementations will be seriously affected. Please note that in
>>> existing specification new DTLS association can already be started by the
>>> answerer changing fingerprints, transport parameters, or setup role.
>>>
>>
>> Well, as has been noted, the current specification is fairly unclear (I
>> feel comfortable saying that as one of the authors), but as a practical
>> matter, this only works if you already are doing an ICE restart. Is that
>> what is happening in this instance?
>>
>>
> Current specification is not very specific about ICE. It does allow
> answerer to start a new DTLS association even if ICE restart is not
> initiated. I am not sure how this will work in all the cases, but it
> definitely works for third party call control, which, as far as I am
> concerned, is the only useful use case of answerer triggering a new DTLS
> association. ICE restart is required in case of the new offer generated in
> response to INVITE with no SDP. Because of this, answerer can successfullu
> establish a new DTLS association by changing fingerprints.
>

Well, to recap, ICE restart can only be initiated by the offerer:
https://tools.ietf.org/rfcmarkup?doc=5245#section-9.2.2

And as we discussed in detail, there's no real way to demux without an ICE
restart, so I'm not interested in trying to preserve that case in the
situations when it happens to work. In general, the offerer can simply
offer a new tls-id if it's willing to accept a new TLS connection. I
appreciate that this will also cause a TLS association even when the
endpoints haven't changed, but this just doesn't seem like that big a deal.

If you have a specific case in mind that this causes a problem for, I'd
need to see a call-flow diagram to understand it.

-Ekr


And, since answerer is a new end point, ICE candidate pair nominated for
> transport will end up to be a new distinct 5-tuple so new and old DTLS
> associations can be easily demuxed. So, in some sense, current
> specification works almost by accident.
>
> I would really like for this to continue to work since this is being used.
>
> Regards,
> _____________
> Roman Shpount
>
>

v2.23.0 | Report a Bug | By Email