Re: [MMUSIC] actpass redux
Roman Shpount <roman@telurix.com> Fri, 02 June 2017 21:16 UTC
Return-Path: <roman@telurix.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC7601201FA for <mmusic@ietfa.amsl.com>; Fri, 2 Jun 2017 14:16:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HqssSl-iXfJS for <mmusic@ietfa.amsl.com>; Fri, 2 Jun 2017 14:16:16 -0700 (PDT)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 42A1412714F for <mmusic@ietf.org>; Fri, 2 Jun 2017 14:16:16 -0700 (PDT)
Received: by mail-pf0-x235.google.com with SMTP id n23so57063202pfb.2 for <mmusic@ietf.org>; Fri, 02 Jun 2017 14:16:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=xBT6iSXCR/cLIDv9Zyhfq2PazoQkQMGi7lZ/2RE9SAs=; b=TKNgHDbEUo9V0PrbqGi5IpH8gVqZxF6KekdpBhOl25+xDyh0GYWvZko1iL02vOzW6Z rgnY8tXuhQ25N9KAP6Y+x5rw8LXIVRqKVnMeg+zv/1tLOlb+0cblAS0SmnKhmjUju41T tAPq0/Ne1rgk30IX4l2Ae5sc8YLoxi3SbN/spM+jbLsPxVIp/yGpez01KmWN0K7IKT1q 4HQbHoalQwokhPwZRyVN7CTjacOYtE4zzEUnrglEzWmZdR98qQeYaY94oBas/jDjX7ce YPBrEb0kFZKDLEinLUwy1OI0o6sSN8M2MMwalUFBhOcdqvcDz+uUdZBlyvl979gFuBk+ 8AUQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=xBT6iSXCR/cLIDv9Zyhfq2PazoQkQMGi7lZ/2RE9SAs=; b=NsVpmtDzWbgX4vuFXswhLSxTMNMSu9yDPVZ4qrhwow+z+lGHfXH/Nzs0vT3YCwc8RW y6sViXqLrmUaTwVczP52ZoazQK6j5cpcjxfRd0lxQh+huQCRQzINwLkiU7+DL5tt61iV 4DfKXNxTn2uo/lGR9KE1apxzSpz8eoLJvUL9E54F6bYJ067mHyVZ7sndUHJOUxyXYhg4 e2K9KgAD4FuHBZlELF3I7jr71K1gf1yJz4ELjWBRULjX8j/nIrPw+B3qHlt7wgWWde1m R3H3ItcNZENAo83tWMObC/u+Sdbnd4kxyAHJzfWZ7wmUqtxo0MAStpApKCimhj3QNVYQ 9wIw==
X-Gm-Message-State: AODbwcB9/4LPtSql8v/icljwJkpyrEkQMXo53YVhavYY8F7nwg9PtW7F rwj9/Cksk5cqGJuxyok=
X-Received: by 10.84.216.23 with SMTP id m23mr1697733pli.268.1496438175615; Fri, 02 Jun 2017 14:16:15 -0700 (PDT)
Received: from mail-pg0-f42.google.com (mail-pg0-f42.google.com. [74.125.83.42]) by smtp.gmail.com with ESMTPSA id w2sm3242080pfb.18.2017.06.02.14.16.15 for <mmusic@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Jun 2017 14:16:15 -0700 (PDT)
Received: by mail-pg0-f42.google.com with SMTP id x64so12173282pgd.3 for <mmusic@ietf.org>; Fri, 02 Jun 2017 14:16:15 -0700 (PDT)
X-Received: by 10.99.114.66 with SMTP id c2mr9176627pgn.130.1496438174747; Fri, 02 Jun 2017 14:16:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.169.66 with HTTP; Fri, 2 Jun 2017 14:16:14 -0700 (PDT)
In-Reply-To: <CAD5OKxvwgvm3Q4HsCYsewZjRS9ty_g34n9+x87vfLW4Omcm8mw@mail.gmail.com>
References: <CABcZeBMd2BZgyeFnqafTVyGga4FMoK0xJkPCv0y_wvmBWsg+xg@mail.gmail.com> <CAD5OKxvwgvm3Q4HsCYsewZjRS9ty_g34n9+x87vfLW4Omcm8mw@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
Date: Fri, 02 Jun 2017 17:16:14 -0400
X-Gmail-Original-Message-ID: <CAD5OKxuNvnBgpv7BO3fv27ASu5AMugh4-LNpq1r8ga5OtqD_nw@mail.gmail.com>
Message-ID: <CAD5OKxuNvnBgpv7BO3fv27ASu5AMugh4-LNpq1r8ga5OtqD_nw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: mmusic WG <mmusic@ietf.org>
Content-Type: multipart/alternative; boundary="f403045c56cad596aa055100a9bd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/ZgNecKmX8nSsQmXPkIZHu_RngUo>
Subject: Re: [MMUSIC] actpass redux
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jun 2017 21:16:19 -0000
Just to provide the historic background for this change. We have discussed setup role in subsequent offers with Christer before IETF95 and decided to remove the text that setup MUST be actpass in all the offers. This removed this requirement from the initial offers as well (even though they weren't discussed at that time). Now we have three options: 1. setup can be whatever application wants in all offers (current text) 2. setup MUST be actpass in initial offer and whatever application wants in subsequent (or, alternatively actpass or negotiated role in subsequent offers). 3. setup MUST be actpass in all the offers (back to RFC 5763) My top preference is that setup SHOULD be actpass in all the offers. Second preference is 1 and hope that application will do the right thing. >From my point of view 2 is strange, since there is no principal difference between initial and subsequent offers, especially when 3pcc comes into play. Any offer can end up being subsequent for one end point and initial for another. I also think that RFC 5763 requirement is too strong. There are implementations which send offers without actpass so it is already violated. There are also legitimate scenarios where sending current role (subsequent offers without ICE restart) or active (endpoints with basic UDP behind NAT) makes more sense. Regards, _____________ Roman Shpount On Fri, Jun 2, 2017 at 2:02 PM, Roman Shpount <roman@telurix.com> wrote: > Hi All, > > There was a discussion regarding the setup attribute value in subsequent > offers when establishing new DTLS association is not desired. Based on that > discussion it was decided that setup value can be either currently > negotiated value or actpass. There are also UDP/DTLS without STUN NAT > traversal scenarios that only work when end point behind NAT is active. I > think sending actpass in offers is a generally safer option, but I think > SHOULD here is more appropriate then MUST. > > Please note that https://tools.ietf.org/html/rfc5763#section-5 says: > > The endpoint MUST use the setup attribute defined in [RFC4145]. The > endpoint that is the offerer MUST use the setup attribute value of > setup:actpass and be prepared to receive a client_hello before it receives > the answer. > > > This applies not only to initial but to ALL offers. > > Finally, I can double check, but I am fairly sure there are current > implementation that violate this rule. > > Regards, > > _____________ > Roman Shpount > > On Fri, Jun 2, 2017 at 12:44 PM, Eric Rescorla <ekr@rtfm.com> wrote: > >> Hi folks, >> >> RFC 5763 required (and JSEP imported) that all offers include >> >> a=setup:actpass >> >> However, assuming I am reading: >> https://tools.ietf.org/html/draft-ietf-mmusic-dtls-sdp-24 >> >> correctly, S 4.2 allows the initial offer to contain anything, >> though encourages actpass: >> >> When an offerer sends the initial offer, the offerer MUST insert an >> SDP 'setup' attribute according to the procedures in [RFC4145], and >> one or more SDP 'fingerprint' attributes according to the procedures >> in [RFC8122]. In addition, the offerer MUST insert in the offer an >> SDP 'tls-id' attribute with a unique value. >> >> If the offerer inserts the SDP 'setup' attribute with an 'actpass' or >> 'passive' attribute value, the offerer MUST be prepared to receive a >> DTLS ClientHello message (if a new DTLS association is established by >> the answerer) from the answerer before the offerer receives the SDP >> answer. >> >> For subequent offers, it also gives flexibility but points at 4145. >> >> >> So... >> >> 1. Changing the behavior for initial offers seems like it presents >> a serious interop risk, because previously you could depend on >> the offer being actpass. >> >> 2. JSEP requires actpass for all offers, so at least it's stricter. >> >> >> What was the rationale for these changes? Feel free to point me at the >> mailing list discussion where that happened. >> >> -Ekr >> Hi folks, >> >> RFC 5763 required (and JSEP imported) that all offers include >> >> a=setup:actpass >> >> However, assuming I am reading: >> https://tools.ietf.org/html/draft-ietf-mmusic-dtls-sdp-24 >> >> correctly, S 4.2 allows the initial offer to contain anything, >> though encourages actpass: >> >> When an offerer sends the initial offer, the offerer MUST insert an >> SDP 'setup' attribute according to the procedures in [RFC4145], and >> one or more SDP 'fingerprint' attributes according to the procedures >> in [RFC8122]. In addition, the offerer MUST insert in the offer an >> SDP 'tls-id' attribute with a unique value. >> >> If the offerer inserts the SDP 'setup' attribute with an 'actpass' or >> 'passive' attribute value, the offerer MUST be prepared to receive a >> DTLS ClientHello message (if a new DTLS association is established by >> the answerer) from the answerer before the offerer receives the SDP >> answer. >> >> For subequent offers, it also gives flexibility but points at 4145. >> >> >> So... >> >> 1. Changing the behavior for initial offers seems like it presents >> a serious interop risk, because previously you could depend on >> the offer being actpass. >> >> 2. JSEP requires actpass for all offers, so at least it's stricter. >> >> >> What was the rationale for these changes? Feel free to point me at the >> mailing list discussion where that happened. >> >> -Ekr >> >> >> _______________________________________________ >> mmusic mailing list >> mmusic@ietf.org >> https://www.ietf.org/mailman/listinfo/mmusic >> >> >
- [MMUSIC] actpass redux Eric Rescorla
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Paul Kyzivat
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Christer Holmberg
- Re: [MMUSIC] actpass redux Eric Rescorla
- Re: [MMUSIC] actpass redux Cullen Jennings
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Cullen Jennings
- Re: [MMUSIC] actpass redux Paul Kyzivat
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Paul Kyzivat
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Paul Kyzivat
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Eric Rescorla
- Re: [MMUSIC] actpass redux Christer Holmberg
- Re: [MMUSIC] actpass redux Eric Rescorla
- Re: [MMUSIC] actpass redux Christer Holmberg
- Re: [MMUSIC] actpass redux Eric Rescorla
- Re: [MMUSIC] actpass redux Christer Holmberg
- Re: [MMUSIC] actpass redux Martin Thomson
- Re: [MMUSIC] actpass redux Iñaki Baz Castillo
- Re: [MMUSIC] actpass redux Christer Holmberg
- Re: [MMUSIC] it's time to expel SDP from our lives Paul Kyzivat
- Re: [MMUSIC] actpass redux Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Bernard Aboba
- Re: [MMUSIC] it's time to expel SDP from our lives Dale R. Worley
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Christer Holmberg
- Re: [MMUSIC] it's time to expel SDP from our lives Christer Holmberg
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Christer Holmberg
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Paul Kyzivat
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo