[MMUSIC] ICE SDP/JSEP peace accords
Adam Roach <adam@nostrum.com> Mon, 14 January 2019 22:53 UTC
Return-Path: <adam@nostrum.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F6DB12DDA3 for <mmusic@ietfa.amsl.com>; Mon, 14 Jan 2019 14:53:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.98
X-Spam-Level:
X-Spam-Status: No, score=-1.98 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kdN6BPSWo9bF for <mmusic@ietfa.amsl.com>; Mon, 14 Jan 2019 14:53:46 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D685012D84D for <mmusic@ietf.org>; Mon, 14 Jan 2019 14:53:46 -0800 (PST)
Received: from Svantevit.local (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id x0EMriBs053902 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO) for <mmusic@ietf.org>; Mon, 14 Jan 2019 16:53:45 -0600 (CST) (envelope-from adam@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1547506426; bh=dCEeoH6VChgouNg9FEjde3ThJKg5SrV5J1oM8v4YNPs=; h=To:From:Subject:Date; b=biDi4euyttcI8rHhmVPbZLtonf6N0B3ptcKvLWJRsgY/LoqSp/paQyHYjeRyDw7hA cg+EztHxZKXhVtjaj1yFwb3LHK8HKW4RMqfuxnwUg8SRRRxVcYe1yGg719kRpGFzg0 RlAxFA5Fz9Hc+3Pl9hn10fwgilYmk9bUZQW9r+ng=
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Svantevit.local
To: "mmusic@ietf.org" <mmusic@ietf.org>
From: Adam Roach <adam@nostrum.com>
Message-ID: <0454609c-ce69-80d4-93d8-f89bc8ba897e@nostrum.com>
Date: Mon, 14 Jan 2019 16:53:39 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/SY3IFkifeJei5l-Tc3_GMJhAxPU>
Subject: [MMUSIC] ICE SDP/JSEP peace accords
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jan 2019 22:53:50 -0000
[as an individual] Okay, so I sat down and looked at JSEP, ice-sip-sdp, and RFC 5245/RFC 6544 to try to figure out what we might be able to do here. I'll note that the issue at hand is the transport (aka <proto>) field for audio and video only. I'm going to give a summary of the issues as I understand them so that people who haven't been following along closely can come up to speed and hopefully weigh in on the topic. Before I get too far into this, I want to point out that there are some constraints on the solution that we need to keep in mind. The first, of course, is that RFC 5245 is deployed and unchangeable. The second is that JSEP is effectively an as-built description of a deployed system, and is already in the RFC Editor Queue. It's not quite as immutable as RFC 5245 (as we can see from the recent changes to make it internally consistent), but I think the chances of getting the existing (now almost six years old) deployed WebRTC ecosystem to make a protocol-visible change are approximately zero. So that leaves us with the question of what to do with ice-sip-sdp. Implementations using RFC 5245/6544 do the following: - New sent offers will contain a proto corresponding to the default candidate. - Mid-session sent offers (including the "fix-up" offer sent exclusively for the benefit of middleboxes) will contain a proto corresponding to the selected ICE candidate. - New and mid-session received offers can contain any proto corresponding to a supported AVP profile. WebRTC implementations do the following: - New sent offers always contain "UDP/TLS/RTP/SAVPF" regardless of the default candidate or the selected candidate - Mid-session sent offers always contain "UDP/TLS/RTP/SAVPF" regardless of the default candidate or the selected candidate - "fix-up" offers are not generated. - New and mid-session received offers can contain any of the eight proto types listed in JSEP [1]. These are all treated as functionally identical to "UDP/TLS/RTP/SAVPF" [2]. draft-ietf-mmusic-ice-sip-sdp currently says: - New sent offers (prior to candidate nomination) will contain a proto corresponding to the default candidate. - Mid-session offers corresponding to the nominated/selected ICE candidate. - "fix-up" offers are only generated for changed offers. (I think? Language in §3.3.4 is unclear about the timing of the "subsequent offer/answer") - New and mid-session received offers can contain any proto corresponding to a supported AVP profile. In all cases: - All sent answers always match, on a line-for-line basis, the protos in the received offer. - Handling of the receipt of an answer with mismatched protos is undefined, and deployed products probably have varying behaviors. - Handling receipt of an unrecognized proto in a new offer will (probably) result in the media section being rejected. The lack of a "fix-up" offer may cause older intermediaries that aren't prepared to deal with WebRTC some heartburn; however, neither 5245/6544 nor ice-sip-sdp call for any endpoint behavior that will result in failures. It's also clear that answers of all kinds will work just fine, as the handling is functionally identical between JSEP and ice-sip-sdp. So the issue at hand seems confined to mid-session offers, and only in those cases where the transport of either the candidate in use or the initial default candidate is TCP. This leaves five cases to analyze: A) A WebRTC endpoint sends an initial offer where the default candidate is UDP. ICE selects a TCP candidate. B) A WebRTC endpoint sends an initial offer where the only offered candidates are TCP. (This is extremely unusual, but not impossible.) C) A non-WebRTC endpoint sends an initial offer where the default candidate is UDP. ICE selects a TCP candidate. D) A non-WebRTC endpoint sends an initial offer where the default candidate is TCP. ICE selects a TCP candidate. E) A non-WebRTC endpoint sends an initial offer where the default candidate is TCP. ICE selects a UDP candidate. (This really shouldn't happen unless an implementation has gone bonkers.) Case A: - WebRTC endpoint sends offer for UDP/TLS/RTP/SAVPF - non-WebRTC endpoint sends answer with UDP/TLS/RTP/SAVPF - ICE runs and selects a TCP candidate - If non-WebRTC client sends a subsequent offer: - non-WebRTC endpoint sends offer for TCP/DTLS/RTP/SAVPF - WebRTC endpoint accepts this per its rules, and sends answer for TCP/DTLS/RTP/SAVPF - Absolutely no problems ensue. - If WebRTC client sends a subsequent offer: - WebRTC endpoint sends offer for UDP/TLS/RTP/SAVPF - non-WebRTC endpoint's answer will contain UDP/TLS/RTP/SAVPF. * If an implementation checks that the transport matches the in-use candidate, it might get upset about things, although nothing in ice-sip-sdp requires such a check. - The previous point notwithstanding, per ice-sip-sdp §3.4.1.1.1, this will not trigger a change in candidates or a restart of ice procedures. - If non-WebRTC client sends a subsequent offer: - non-WebRTC endpoint sends offer with TCP/DTLS/RTP/SAVPF - WebRTC endpoint sends answer with TCP/DTLS/RTP/SAVPF - Everything works fine. Case B: - WebRTC endpoint sends offer for UDP/TLS/RTP/SAVPF but only TCP candidates - This won't work with non-ICE clients. WebRTC's security design does not allow working with non-ICE clients, so this isn't an issue. - non-WebRTC endpoint sends answer with UDP/TLS/RTP/SAVPF * If the non-WebRTC implementation does some kind of complex validation that the default candidate matches the specified transport, it might get upset about things. - ICE runs and selects a TCP candidate - If non-WebRTC client sends a subsequent offer: - non-WebRTC endpoint sends offer for TCP/DTLS/RTP/SAVPF - WebRTC endpoint accepts this per its rules, and sends answer for TCP/DTLS/RTP/SAVPF - Absolutely no problems ensue. - If WebRTC client sends a subsequent offer: - WebRTC endpoint sends offer for UDP/TLS/RTP/SAVPF - non-WebRTC endpoint's answer will contain UDP/TLS/RTP/SAVPF. * If an implementation checks that the transport matches the in-use candidate, it might get upset about things, although nothing in ice-sip-sdp requires such a check. - The previous point notwithstanding, per ice-sip-sdp §3.4.1.1.1, this will not trigger a change in candidates or a restart of ice procedures. - If non-WebRTC client sends a subsequent offer: - non-WebRTC endpoint sends offer with TCP/DTLS/RTP/SAVPF - WebRTC endpoint sends answer with TCP/DTLS/RTP/SAVPF - Everything works fine. Case C: - non-WebRTC endpoint sends offer for UDP/TLS/RTP/SAVPF - WebRTC endpoint sends answer with UDP/TLS/RTP/SAVPF - ICE runs and selects a TCP candidate - If non-WebRTC client sends a subsequent offer: - non-WebRTC endpoint sends offer for TCP/DTLS/RTP/SAVPF - WebRTC endpoint accepts this per its rules, and sends answer for TCP/DTLS/RTP/SAVPF - Absolutely no problems ensue. - If WebRTC client sends a subsequent offer: - WebRTC endpoint sends offer for UDP/TLS/RTP/SAVPF - non-WebRTC endpoint's answer will contain UDP/TLS/RTP/SAVPF. * If an implementation checks that the transport matches the in-use candidate, it might get upset about things, although nothing in ice-sip-sdp requires such a check. - The previous point notwithstanding, per ice-sip-sdp §3.4.1.1.1, this will not trigger a change in candidates or a restart of ice procedures. - If non-WebRTC client sends a subsequent offer: - non-WebRTC endpoint sends offer with TCP/DTLS/RTP/SAVPF - WebRTC endpoint sends answer with TCP/DTLS/RTP/SAVPF - Everything works fine. Case D: - non-WebRTC endpoint sends offer for TCP/DTLS/RTP/SAVPF - WebRTC endpoint sends answer with TCP/DTLS/RTP/SAVPF - ICE runs and selects a TCP candidate - If non-WebRTC client sends a subsequent offer: - non-WebRTC endpoint sends offer for TCP/DTLS/RTP/SAVPF - WebRTC endpoint accepts this per its rules, and sends answer for TCP/DTLS/RTP/SAVPF - Absolutely no problems ensue. - If WebRTC client sends a subsequent offer: - WebRTC endpoint sends offer for UDP/TLS/RTP/SAVPF - non-WebRTC endpoint's answer will contain UDP/TLS/RTP/SAVPF. * If an implementation checks that the transport matches the in-use candidate, it might get upset about things, although nothing in ice-sip-sdp requires such a check. - The previous point notwithstanding, per ice-sip-sdp §3.4.1.1.1, this will not trigger a change in candidates or a restart of ice procedures. - If non-WebRTC client sends a subsequent offer: - non-WebRTC endpoint sends offer with TCP/DTLS/RTP/SAVPF - WebRTC endpoint sends answer with TCP/DTLS/RTP/SAVPF - Everything works fine. Case E: - non-WebRTC endpoint sends offer for TCP/DTLS/RTP/SAVPF - WebRTC endpoint sends answer with TCP/DTLS/RTP/SAVPF - ICE runs and selects a UDP candidate - If non-WebRTC client sends a subsequent offer: - non-WebRTC endpoint sends offer for UDP/TLS/RTP/SAVPF - WebRTC endpoint accepts this per its rules, and sends answer for UDP/TLS/RTP/SAVPF - Absolutely no problems ensue. - If WebRTC client sends a subsequent offer: - WebRTC endpoint sends offer for UDP/TLS/RTP/SAVPF - non-WebRTC endpoint's answer will contain UDP/TLS/RTP/SAVPF. - Everything works fine. - If non-WebRTC client sends a subsequent offer: - non-WebRTC endpoint sends offer with UDP/TLS/RTP/SAVPF - WebRTC endpoint sends answer with UDP/TLS/RTP/SAVPF - Everything works fine. While the WebRTC and non-WebRTC implementations can be distinguished from each other in each of these cases, no incompatabilities arise. The only places where there is *any* potential for problems are highlighted above with an "*" instead of a "-". All such cases involve a non-WebRTC implementation deciding to validate peer behavior that has no bearing on its own operation. While Postel's Law would hopefully counsel implementors away from such behavior, it seems that we can head off this behavior completely by explicitly instructing implementations not to treat these situations as failures of any kind ("Implementations MUST NOT treat a mismatch between the transport in an m= line and the default or selected candidate as an error, and MUST NOT alter ICE state in reaction to such a mismatch"). I think that gets us to 100% compatibility between JSEP and ice-sip-sdp -- and, except for busybody implementations checking compliance where they should not be -- it doesn't require any changes in anyone's code. This does leave the kind of fiddly protocol-nerd issue that JSEP says to do one thing where ice-sip-sdp says to do another. I think this difference is best handled by a note in ice-sip-sdp along the lines of: "Note that implementations of [RFC-jsep] will indicate a transport of 'UDP/TLS/RTP/SAVPF' regardless of whether the default and/or selected ICE candidate is UDP or TCP. While this is functionally compatible with this specification, future users of ICE in conjunction with SDP Offer/Answer procedures are expected to use the procedures specified in this document." As far as I can tell, this gets us past the current impasse with the addition of two sentences to ice-sip-sdp, neither of which has any real practical effect on implementations. I know that there are parts of this proposal that will disappoint people who want JSEP to change to match ice-sip-sdp, and parts that will disappoint people who want ice-sip-sdp to change to match JSEP; but I think that this is the most practical fix, and the only one I can imagine that doesn't imply the need for large-scale software updates to comply with the final published protocols (taking careful note that any such changes would almost certainly never happen). /a ____ [1] RTP/AVP, RTP/AVPF, RTP/SAVP, RTP/SAVPF, TCP/DTLS/RTP/SAVP, TCP/DTLS/RTP/SAVPF, UDP/TLS/RTP/SAVP, and UDP/TLS/RTP/SAVPF. This is a list of the currently registered proto values that carry RTP over either UDP or TCP, minus the new protos defined in RFC 7850 (users of those values are presumably aware of the nuanced meanings of each value) and minus "TCP/RTP/AVP", which is unencrypted, and whose use with encryption-related attributes is inherently ambiguous, unlike the other "SAVP(F)" protos in this list. [2] WebRTC's permissive list is a practical hack in response to existing deployed implementations that say one thing but mean another. This can lead to kind of strange failures -- mostly due to differing notions of media encryption -- but that's a carefully-considered and already-litigated option that impacts only WebRTC.
- [MMUSIC] ICE SDP/JSEP peace accords Adam Roach
- Re: [MMUSIC] ICE SDP/JSEP peace accords Roman Shpount
- Re: [MMUSIC] ICE SDP/JSEP peace accords Adam Roach
- Re: [MMUSIC] ICE SDP/JSEP peace accords Roman Shpount
- Re: [MMUSIC] ICE SDP/JSEP peace accords Christer Holmberg
- [MMUSIC] Please Read and Comment: Re: ICE SDP/JSE… Flemming Andreasen
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Christer Holmberg
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Roman Shpount
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Adam Roach
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Roman Shpount
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Christer Holmberg
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Adam Roach
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Adam Roach
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Roman Shpount
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Adam Roach
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Roman Shpount
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Adam Roach
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Christer Holmberg
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Roman Shpount
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Christer Holmberg
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Flemming Andreasen
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Christer Holmberg
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Roman Shpount
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Suhas Nandakumar
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Roman Shpount
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Adam Roach
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Suhas Nandakumar
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Roman Shpount
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Christer Holmberg
- Re: [MMUSIC] Please Read and Comment: Re: ICE SDP… Roman Shpount