IETF Logo Mail Archive

Re: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer?

Roman Shpount <roman@telurix.com> Wed, 07 June 2017 22:59 UTC

Return-Path: <roman@telurix.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7317A120454 for <mmusic@ietfa.amsl.com>; Wed, 7 Jun 2017 15:59:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JVAvwBvldzJV for <mmusic@ietfa.amsl.com>; Wed, 7 Jun 2017 15:58:53 -0700 (PDT)
Received: from mail-pg0-x22a.google.com (mail-pg0-x22a.google.com [IPv6:2607:f8b0:400e:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D4DB1270B4 for <mmusic@ietf.org>; Wed, 7 Jun 2017 15:58:52 -0700 (PDT)
Received: by mail-pg0-x22a.google.com with SMTP id f185so9810811pgc.0 for <mmusic@ietf.org>; Wed, 07 Jun 2017 15:58:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3T+KuJ7GYfSyglfJXjSoSxF8Rat5BGy/cxwVSf8yR+Q=; b=m+4hFI3YthACaLiWseyzYE5tg7Js+bCv1BnIJB5cCsIScnV/NDchFvgn0b5doCFkeY GSMIP8Xrm/YzgedsTNtpxrS8sPhTF0FyHpuMscye11HjuORtFKZxYcDSuHIT+Z7SH6Az NKHLdY/LFX7X3VSyx12Cfp5FcMAaMY3AWA43cSEuH+octFqqjL9QeL0yA4uzWgjhNjDw mzaVz1P4SQ1AGYLd6bvdzk1Yj8pYt6/NAREP8n8wfVPCci+Ata2Y17RwTXHcLhk+krGx Y3BLQmdPdQBoGBJ8maY6Ny9kXzhygLL9Fc5xneUp7gMpXyjVQABuRjYvfi5gF5tNjVix ixmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3T+KuJ7GYfSyglfJXjSoSxF8Rat5BGy/cxwVSf8yR+Q=; b=qRHC1hrJEhDYu7qdCTglwABnPSiLvJGfoEZTU+HSbr+Ayhk2+RPMjKr7lf4WVx/M0w F488jM1bqK+XIS1bIAgPeRhbtCA3PbH1NfdITA//23jYMJzy+BchkCUWcxe3EOu/+ic8 tAXgasB9ZSbyZfiamLxEVfGvO/JP4A9IR1ZiYn6S3tD5mkG41S0h0XM4t7pu2EmBOWk2 jV4c4gUaGOe0aIslMIQFYL5YsbtjVdPLEiINKsbGkDP7BVe5UFPmY7ZJg4QYZRZlq2qk xkYzjcF6vPGaAAGrg2tNpoErpdFHyo16twZpSEJH+jhuQ8uCF7w/jecSWaA1Y1jIW4u1 QDYA==
X-Gm-Message-State: AODbwcBGfId70I8nfKr6PqFqz9Sb4c/SjaUIi8DzE94LUFEEE1RwRGaI ay8yNHlnXU1UEA6T
X-Received: by 10.98.209.22 with SMTP id z22mr32764268pfg.95.1496876331787; Wed, 07 Jun 2017 15:58:51 -0700 (PDT)
Received: from mail-pg0-f52.google.com (mail-pg0-f52.google.com. [74.125.83.52]) by smtp.gmail.com with ESMTPSA id c123sm5331890pfa.100.2017.06.07.15.58.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Jun 2017 15:58:50 -0700 (PDT)
Received: by mail-pg0-f52.google.com with SMTP id k71so9794428pgd.2; Wed, 07 Jun 2017 15:58:49 -0700 (PDT)
X-Received: by 10.84.217.154 with SMTP id p26mr30341103pli.295.1496876329586; Wed, 07 Jun 2017 15:58:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.169.66 with HTTP; Wed, 7 Jun 2017 15:58:49 -0700 (PDT)
In-Reply-To: <e80f0fbe-221e-aa9b-33bd-24d2ff50fe84@cisco.com>
References: <D551D683.1D429%christer.holmberg@ericsson.com> <22C94242-218F-4724-AE92-E0B1E8DC2C82@nostrum.com> <21E8BA9D-E442-4DBC-8A7D-CEDFD5F54F8B@iii.ca> <CAD5OKxujAuzJt4QD6JXKHkVd4JB_nO5Th6KXjavMBww=W4644Q@mail.gmail.com> <6125EAB1-A827-4E0F-B756-78F85BB411CD@iii.ca> <CAD5OKxutcpUzh1yLA2kukmYmiHQg3+6fuXbaD0w73gzsAHEXzg@mail.gmail.com> <e80f0fbe-221e-aa9b-33bd-24d2ff50fe84@cisco.com>
From: Roman Shpount <roman@telurix.com>
Date: Wed, 07 Jun 2017 18:58:49 -0400
X-Gmail-Original-Message-ID: <CAD5OKxvZfgrLko=GiHN87xHA7_faFXpaQdnYCnDLP2qkYPdVNw@mail.gmail.com>
Message-ID: <CAD5OKxvZfgrLko=GiHN87xHA7_faFXpaQdnYCnDLP2qkYPdVNw@mail.gmail.com>
To: Flemming Andreasen <fandreas@cisco.com>
Cc: Cullen Jennings <fluffy@iii.ca>, Ben Campbell <ben@nostrum.com>, Eric Rescorla <ekr@rtfm.com>, Martin Thomson <martin.thomson@gmail.com>, Christer Holmberg <christer.holmberg@ericsson.com>, mmusic-chairs@ietf.org, mmusic <mmusic@ietf.org>
Content-Type: multipart/alternative; boundary="f403045c5a0ce5d8a8055166ad2a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/Ys1doTm-2MczlXnyb-8svwkRumo>
Subject: Re: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer?
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jun 2017 22:59:04 -0000

As a way forward on this issue, I am proposing the following:

1. Remove any recommendation regarding handling DTLS association before the
answer (leave it up to implementation)
2. Put a note that accepting DTLS association before the answer can result
in unverified media and if this media is played back to the end user, end
user SHOULD be notified that media is coming from an unverified source.
3. Add clarification that DTLS associations established before the answer
MUST be torn down when no more answers are expected and that fingerprints
in any of the received answers match the negotiated certificate (Right now
it is specified that DTLS association MUST be torn down if it does not
match the answer. This is wrong if forking is used and multiple answers are
received).

Does anyone opposes this?

Regards,

_____________
Roman Shpount

On Wed, Jun 7, 2017 at 5:52 PM, Flemming Andreasen <fandreas@cisco.com>
wrote:

> Can we get some specific text proposals from the people that seem to care
> about what we end up with here ?
>
> Thanks
>
> -- Flemming (as MMUSIC co-chair)
>
>
>
> On 6/5/17 12:58 PM, Roman Shpount wrote:
>
> On Mon, Jun 5, 2017 at 10:03 AM, Cullen Jennings <fluffy@iii.ca> wrote:
>
>>
>> > On May 31, 2017, at 4:51 PM, Roman Shpount <roman@telurix.com> wrote:
>> >
>> > 1. Starting DTLS handshake until the corresponded answer is received is
>> NOT RECOMMENDED since it can result in unauthenticated media. If
>> unauthenticated media is played to the end user, in cases such as early
>> media in SIP calls, this should be indicated to the end user.
>>
>> No. Doing the handshake as quickly as possible is recommend - it's what
>> you do with the media before you know who you are talking to that is the
>> issue you are concerned with. And knowing who you are talking often
>> involves much more than checking the fingerprint. So I don't agree this is
>> not recommended.
>>
>
> There are also implementation issues with getting media and not playing
> it. End point will still need to either buffer or somehow process the
> received packets so that playback can be started when the answer is
> received. If handshake is delayed until answer is received, none of this is
> an issue, so implementation is simpler.
>
> More importantly, I do not think new systems should be built without ICE.
> I understand there are legacy implementations which use symmetric UDP for
> media. In such cases it is allowed to complete handshake. Such solutions
> are legacy and building new systems like this are not recommended. It is
> recommended that new systems should implement full ICE, consent to send,
> and do not complete DTLS handshake before an answer SDP is received.
>
> Regards,
> _____________
> Roman Shpount
>
>
>
>

v2.23.0 | Report a Bug | By Email