Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment direction of DTLS session

["Schwarz, Albrecht (Albrecht)" <albrecht.schwarz@alcatel-lucent.com>]

Hello Christer,

the "copy & paste" action (across at least three "RFCs") seems to be the root cause of the issue :-(

SIP session establishment and L4 security session (DTLS, TLS) establishment directions should be principally decoupled because application specific.

We got here (wrt DTLS) three (different!) applications:
1) Key exchange (RFC 5763)
2) Conference control (rfc4582bis)
3) Document transmission (udptl-dtls)

All three applications are different in terms of number/type of supported network models, security models or/and communication topology.

Consequently, the basic, application independent SDP O/A rules for DTLS session establishment would need to support that flexibility.
The application specific SIP/SDP profile could then still narrow down the required SDP O/A rules.

What we got so far: SDP O/A rules in three application specific "RFCs" (RFC 5763, rfc4582bis, udptl-dtls), which are all tight to RFC 5773 :-(

There might be two options to correct that copy & paste issue in "udptl-dtls" in my opinion:
a) expand the SDP O/A rules for more flexibility
or
b) add a WARNING / NOTE about the inherent limitations (due to the assumption of a network and communication environment according RFC 5763)

What do you think?
Best regards,
Albrecht


-----Original Message-----
From: Christer Holmberg [mailto:christer.holmberg@ericsson.com] 
Sent: Montag, 23. September 2013 11:54
To: Schwarz, Albrecht (Albrecht)
Cc: mmusic@ietf.org; LANDAIS, BRUNO (BRUNO)
Subject: RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS session

Hi Albrecht,

I don't know what model people were focusing on when writing RFC 5763, but the RFC does say:

"The endpoint that is the offerer MUST use the setup attribute value of setup:actpass"

...which we also copied into the udptl-dtls draft.

Now, if you want to change that, and allow the Offerer to "force" the direction, I think you should start a separate thread about that. Because, it is not specific to fax, in my opinion.

Regards,

Christer 

-----Original Message-----
From: Schwarz, Albrecht (Albrecht) [mailto:albrecht.schwarz@alcatel-lucent.com] 
Sent: 23. syyskuuta 2013 12:31
To: Christer Holmberg
Cc: mmusic@ietf.org; LANDAIS, BRUNO (BRUNO)
Subject: RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS session

Hello Christer,

the decision about "DTLS session establishment direction" is ALWAYS up to the SDP ANSWERER (according present 3.1).

In order to decouple SIP session and DTLS session establishment directions, then the SDP OFFERER should also to be able to use "setup:active" and "setup:passive" (besides codepoint "setup:actpass") in my understanding.

I'm not sure whether the reference to RFC 5763 helps because I could imagine that the subject comes down to the indicated network scenarios, lets look again at:
a) T - T
b) T -GW

The existing udptl-dtls & RFC 5763 text seems to focus on model (a) only: SDP O/A between two peering, terminal located SIP UAs (there is NOT any SIP B2BUA).
But I could imagine that the SIP/SDP profiles for "T" and "GW" are not necessarily the same in case of model (b): "T" as SDP Offerer may not allowed to decide the DTLS session establishment direction, but "GW" as SDP offerer may need to enforce the DTLS session establishment direction (either way).

Regards,
Albrecht


-----Original Message-----
From: Christer Holmberg [mailto:christer.holmberg@ericsson.com] 
Sent: Donnerstag, 19. September 2013 10:02
To: Schwarz, Albrecht (Albrecht)
Cc: mmusic@ietf.org
Subject: RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS session

Hi Albrecht,

The direction of the SIP session establishment and the DTLS session establishment are NOT tightly coupled. The draft enables the Answerer to select whether it wants to act as DTLS client or DTLS server.

Section 3.1 states:

.... The
offerer MUST assign the SDP setup attribute with setup:actpass value, and MUST be prepared to receive a DTLS client_hello message before it receives the SDP answer. The answerer MUST assign the SDP setup attribute with either setup:active value or setup:passive value. The answerer SHOULD assign the SDP setup attribute with the setup:active value. Whichever party is active MUST initiate a DTLS handshake by sending a ClientHello over each flow (host/port quartet).

The same rules apply for DTLS-SRTP (see Section 5 of RFC5763). In fact, we base the procedure on that RFC.

BFCP-over-DTLS (draft-ietf-bfcpbis-rfc4582bis) also refers to the DTLS-SRTP procedures for DTLS server determination.

Regards,

Christer





-----Original Message-----
From: Schwarz, Albrecht (Albrecht) [mailto:albrecht.schwarz@alcatel-lucent.com]
Sent: 18. syyskuuta 2013 18:28
To: Christer Holmberg
Cc: mmusic@ietf.org
Subject: [mmusic-udptl-dtls-01] Establishment direction of DTLS session

The T.38 endpoint could be located in a terminal (= T.38 IAF) or in a gateway, leading to three possible scenarios of
a) T - T
b) T -GW
c) GW-GW

I'd like to scope on scenario (b) due to its asymmetry of user- and network-side located T.38 endpoints.

Christer,
I thought that the two directions of
1) SIP session establishment and
2) DTLS session establishment
should be NOT tightly coupled (as currently supposed to be in clause 3.1)?
The ietf draft should offer the flexibility in decoupling both establishment directions.

E.g., there might be the demand to limit DTLS session establishment in T-to-GW direction (and apply rather the reverse direction) due ClientHello associated security threats, resource requests in terms of memory, ...

In my opinion:
the IETF should allow the flexibility,
other SDOs could still profile/limit this capability.

Best regards,
Albrecht

PS
We had a similar discussion with TLS, there NAT traversal (NAT-T) aspects could influence TLS session establishment direction. However, I guess that NAT-T is minor for DTLS/UDP.