IETF Logo Mail Archive

Re: [MMUSIC] Faster ICE by role reversal?

Dan Wing <dwing@cisco.com> Thu, 31 July 2014 07:01 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2DDB81A0377 for <mmusic@ietfa.amsl.com>; Thu, 31 Jul 2014 00:01:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8GKKvsB1ppwF for <mmusic@ietfa.amsl.com>; Thu, 31 Jul 2014 00:01:48 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07D971A036F for <mmusic@ietf.org>; Thu, 31 Jul 2014 00:01:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4689; q=dns/txt; s=iport; t=1406790108; x=1407999708; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=EIAgP3cVOVuXe/dbBFRLOp89oarZ0y9PmU365zxRFzk=; b=b+pBWic7Yw7GongUa/tZsP260IlhyoPDAJqcZEa8QVl+X7BbhlExegz8 XGNUaHPLLvImXRwoNf9AUF6NvZ8IiSkF75RUHdn+MDIzh04YEu5c9tBbn 7pYZ/l1ih7Smyu22dpXAQmsdmr7pUf0YwK5gNgF3VTA5wIvIQ/PxEY1yu A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AmQFABTp2VOtJV2Q/2dsb2JhbABZgw5SV8kogWKHSwGBBRZ3hAMBAQEBAgF5BQsLBBQuITYGE4guAwkIDbURDYcOF40fgi0Hgy+BGwWBWIknjmCCBYFSjFyGJYNpHS8BAYEDJA
X-IronPort-AV: E=Sophos;i="5.01,770,1400025600"; d="scan'208,217";a="344070661"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-5.cisco.com with ESMTP; 31 Jul 2014 07:01:47 +0000
Received: from rtp-vpn5-597.cisco.com (rtp-vpn5-597.cisco.com [10.82.234.87]) by rcdn-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id s6V71gZW014519 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Thu, 31 Jul 2014 07:01:45 GMT
Content-Type: multipart/alternative; boundary="Apple-Mail=_9B3F7D58-DB24-43B6-9621-3843241993F4"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <CABkgnnXHTC=QgjLNj8rjRpCDdCsSpSFqpwwZd=txkbWPR3_bfA@mail.gmail.com>
Date: Thu, 31 Jul 2014 00:01:49 -0700
Message-Id: <CA576EB9-6BD8-4955-A0F1-19E28502F899@cisco.com>
References: <CABkgnnVrXKz-7M_Qn7pSZBxCJTdQYPDOcEzrEbbv6eYrQs1Dhg@mail.gmail.com> <67A963F0-3667-47A7-B116-4712BA1147AD@vidyo.com> <CABkgnnV+ARP5xC-z=3AshUObUX_m3uisLY6NcsgEZVq-1drU8Q@mail.gmail.com> <DD8DA86E-3C6A-44A7-B4E1-92CC0742369D@vidyo.com> <EC1B03D0-A13C-4A3B-BA61-3BE519D111F2@cisco.com> <CABkgnnXHTC=QgjLNj8rjRpCDdCsSpSFqpwwZd=txkbWPR3_bfA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/mmusic/Y4z5iOIXaRb6m8SuQiN7dS0hXO0
Cc: Jonathan Lennox <jonathan@vidyo.com>, mmusic@ietf.org
Subject: Re: [MMUSIC] Faster ICE by role reversal?
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 07:01:50 -0000

On Jul 30, 2014, at 8:03 PM, Martin Thomson <martin.thomson@gmail.com> wrote:

> On Jul 30, 2014 7:00 PM, "Dan Wing" <dwing@cisco.com> wrote:
> > Towards the desire to remove a round trip, has there been consideration to folding the STUN messaging into the ClientHello?
> 
> Like http://tools.ietf.org/html/draft-thomson-rtcweb-ice-dtls-00 ?
> 
Sortof.  What I had in mind was sending ClientHello with a new TLS extension, let's call the extension STUN Binding Request and let's say it contains exactly the same bits as the UDP payload of an actual STUN Binding Request.  When the server receives that UDP packet (containing both a DTLS ClientHello and embedded STUN Binding Request payload), it can do its normal STUN processing against that packet.  When it decides to send its STUN Binding Response, it does the processing necessary to generate its DTLS ServerHello.  It puts them together into the DTLS ServerHello response and replies to the ServerHello.  After that, over that 5-tuple, normal ICE processing can occur (such as for the periodic consent checks).

> Yeah. It doesn't actually reduce round trips here because you still want to confirm consent before doing the whole proof-of-possession thing.
> 
We should be able to optimize the case where we are not being attacked.  When attacked, we can incur an additional round trip.
> If you don't care about the associated DoS vector (and we might not need to worry about that if you can validate the ClientHello properly), a 1 round trip handshake would be very fast.
> 
The HelloVerifyRequest mitigation described in DTLS (http://tools.ietf.org/html/rfc4347#section-4.2.1) seems adequate.

-d

v2.23.0 | Report a Bug | By Email