Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-10 semantics
Paul Kyzivat <pkyzivat@alum.mit.edu> Fri, 11 March 2016 02:22 UTC
Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F0FF12DC51 for <mmusic@ietfa.amsl.com>; Thu, 10 Mar 2016 18:22:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.935
X-Spam-Level:
X-Spam-Status: No, score=-1.935 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_SOFTFAIL=0.665] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sjEQ4JKyCxuV for <mmusic@ietfa.amsl.com>; Thu, 10 Mar 2016 18:22:50 -0800 (PST)
Received: from resqmta-ch2-02v.sys.comcast.net (resqmta-ch2-02v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:34]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A61F12DB2B for <mmusic@ietf.org>; Thu, 10 Mar 2016 18:22:50 -0800 (PST)
Received: from resomta-ch2-17v.sys.comcast.net ([69.252.207.113]) by resqmta-ch2-02v.sys.comcast.net with comcast id USNJ1s0032TL4Rh01SNpmg; Fri, 11 Mar 2016 02:22:49 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([73.218.51.154]) by resomta-ch2-17v.sys.comcast.net with comcast id USNo1s00K3KdFy101SNpBt; Fri, 11 Mar 2016 02:22:49 +0000
To: Justin Uberti <juberti@google.com>, Christer Holmberg <christer.holmberg@ericsson.com>
References: <CABcZeBNJ6jdL7SfLaatfr28X83dVOafpi=jrM6bSJ-qpmj4RuA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B37E818F9@ESESSMB209.ericsson.se> <56DDA6B2.5080403@alum.mit.edu> <CAD5OKxts-yfXS2nxTfoqMiDO2GLWu4AF6WJdvsE_tFtewmmmCg@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B37E8B57C@ESESSMB209.ericsson.se> <56DDB1D2.6000801@alum.mit.edu> <CAD5OKxuXiPGDZtNQvfhQGD0NdmDoCZ6hAgqQnih8-_p7GD56fQ@mail.gmail.com> <56DDB8B0.5030806@alum.mit.edu> <CAD5OKxtsPiakn+N7PhVv+7f4cJ=+jOoB-M3VmrN-HguWy-sKCQ@mail.gmail.com> <CAOJ7v-3vSkHikt0_bKBsdP=GoAt5wJ5X6tOcq_4z_51jMQKT=w@mail.gmail.com> <CAD5OKxvnHARirebUC+tBACdAF=NhGJgxGJROfDt5LZ44Q-MUXA@mail.gmail.com> <D30450D0.55D7%christer.holmberg@ericsson.com> <CAD5OKxvL-Lc9n=L4Z5MofhnYkaxL9i5hBFU4KnG2CLG=2SjX9Q@mail.gmail.com> <CAOJ7v-2OCjGPkiU6tH0nUPk8Sa65fJOpVg3nmbuVCePWQkQC1g@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B37E9FD1C@ESESSMB209.ericsson.se> <CAOJ7v-1KGEG5njHxYo7WGtz6epjG7STdSnAYe9dnzqrbmZx-0Q@mail.gmail.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <56E22BF8.9010303@alum.mit.edu>
Date: Thu, 10 Mar 2016 21:22:48 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <CAOJ7v-1KGEG5njHxYo7WGtz6epjG7STdSnAYe9dnzqrbmZx-0Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1457662969; bh=BGJ6YNuScueWI07QfTQbf78emqZ7of5OKRI32Pe7UdI=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=q7nxaEYNaEchwiRAqzyC/IyvEP9nKAUS2ZUpz9UCxn+//LjNJiJJuT45apgNIvM1L 2CSGkDrPe8NZpOqE+196DsIbeE1Bc1oid7dmme/EBI/BuvlY0mNLmmQJkqGOO1xRsL gsmPMeSV4zQDxU3HrHZTIRAqan23OlAFKbr2/LE5MBORGjQ8IloTOP5/ZEG1fU/aLq x3Gm+fzW7eHEoiZJunseWDGEM/TRVKjidy5m/J9WAy4fa/shJcSsKTur6pTWdUexFd vBnWrqDl7MYHjx5S4TXxUfE/EyyWHXFJvnsqNWfpzzsmmP0CJJhL5ZdV47CG2+ygyF tTLcnKuncZGTQ==
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/bj3h2lE04gPyS4gSn_a9VicN6UE>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>
Subject: Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-10 semantics
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Mar 2016 02:22:53 -0000
On 3/10/16 8:55 PM, Justin Uberti wrote: > With no minimum length (well, minimum of 1). How random can a value with a length of 1 be? Thanks, Paul > On Tue, Mar 8, 2016 at 10:46 PM, Christer Holmberg > <christer.holmberg@ericsson.com <mailto:christer.holmberg@ericsson.com>> > wrote: > > So, alphanumeric it is :)____ > > __ __ > > *From:*Justin Uberti [mailto:juberti@google.com > <mailto:juberti@google.com>] > *Sent:* 09 March 2016 06:35 > *To:* Roman Shpount <roman@telurix.com <mailto:roman@telurix.com>> > *Cc:* Christer Holmberg <christer.holmberg@ericsson.com > <mailto:christer.holmberg@ericsson.com>>; Paul Kyzivat > <pkyzivat@alum.mit.edu <mailto:pkyzivat@alum.mit.edu>>; > mmusic@ietf.org <mailto:mmusic@ietf.org> > > > *Subject:* Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-10 > semantics____ > > __ __ > > I think the id should be alphanumeric, but how it is assigned can be > left to the application.____ > > __ __ > > __ __ > > On Tue, Mar 8, 2016 at 4:59 PM, Roman Shpount <roman@telurix.com > <mailto:roman@telurix.com>> wrote:____ > > I would make the dtls-association-id value random alphanumeric > to keep it shorter.____ > > __ __ > > I would also make dtls-association-id optional if any of the > fingerprints is for a newly generated self-signed certificate > which will not be reused for any other DTLS association.____ > > __ __ > > Regards,____ > > > ____ > > _____________ > Roman Shpount____ > > __ __ > > On Tue, Mar 8, 2016 at 2:54 AM, Christer Holmberg > <christer.holmberg@ericsson.com > <mailto:christer.holmberg@ericsson.com>> wrote:____ > > Hi,____ > > __ __ > > There is no need to track the “order” of DTLS associations, > so I think we should use random value. I am not sure we need > “+” and “-“. Would a numeric value be enough? The number of > DTLS associations between the connected endpoints is going > to be very small, so we shouldn’t over-engineer it.____ > > __ __ > > Regarding the id being unique for a given fingerprint, keep > in mind that we now allow multiple fingerprints.____ > > __ __ > > Regards,____ > > __ __ > > Christer____ > > __ __ > > *From: *Roman Shpount <roman@telurix.com > <mailto:roman@telurix.com>> > *Date: *Tuesday 8 March 2016 at 06:24 > *To: *Justin Uberti <juberti@google.com > <mailto:juberti@google.com>> > *Cc: *"pkyzivat@alum.mit.edu <mailto:pkyzivat@alum.mit.edu>" > <pkyzivat@alum.mit.edu <mailto:pkyzivat@alum.mit.edu>>, > Christer Holmberg <christer.holmberg@ericsson.com > <mailto:christer.holmberg@ericsson.com>>, "mmusic@ietf.org > <mailto:mmusic@ietf.org>" <mmusic@ietf.org > <mailto:mmusic@ietf.org>> > *Subject: *Re: [MMUSIC] Thoughts on > draft-ietf-mmusic-dtls-sdp-10 semantics____ > > __ __ > > We need to make sure dtls-association-id works in cases of > 3pcc where a new session can be connected to an existing > session or two existing sessions can be connected with each > other. In all of those cases new DTLS association must be > established. The case of merging two existing sessions > especially worry me if we chose monotonically increasing > IDs. Imagine two sessions, each hitting IVR for an > announcement, and then being connecting directly with each > other. If monotonically increasing from zero ID is used, > both sessions will have dtls-association-id=1, but clearly a > new session would need to be established. ____ > > __ __ > > I think in general monotonically increasing IDs have a high > chance of collision when unrelated end points are used. > Randomly assigned IDs are safer in this regard. ____ > > __ __ > > Another option is to state that dtls-association-id should > be unique for a given security certificate fingerprint. So > if new certificate is created for each DTLS association, > then dtls-association-id can stay at value 0 or be omitted. > If certificate is reused a unique value should be used for > each new DTLS association created with this certificate. > This uniqueness can be achieved by using a counter > associated with each self signed certificate or using > sufficiently large random or pseudo random (server id + time > stamp + per server counter would be an example of the pseudo > random) value associated with pre-provisioned permanent > certificates.____ > > __ __ > > Does anybody else have any suggestions or concerns about > dtls-association-id generation scheme?____ > > ______________ ____ > > Roman Shpount____ > > __ __ > > On Mon, Mar 7, 2016 at 9:15 PM, Justin Uberti > <juberti@google.com <mailto:juberti@google.com>> wrote:____ > > Keep in mind that this id value isn't actually sent > anywhere. So it's not like the ICE ufrag that needs a > certain amount of entropy. It can just as easily be a > monotonically increasing number. ____ > > __ __ > > IOW, a string with a 1-byte minimum seems right.____ > > __ __ > > On Mon, Mar 7, 2016 at 10:26 AM, Roman Shpount > <roman@telurix.com <mailto:roman@telurix.com>> wrote:____ > > __ __ > > On Mon, Mar 7, 2016 at 12:21 PM, Paul Kyzivat > <pkyzivat@alum.mit.edu > <mailto:pkyzivat@alum.mit.edu>> wrote:____ > > On 3/7/16 12:12 PM, Roman Shpount wrote:____ > > On Mon, Mar 7, 2016 at 11:52 AM, Paul > Kyzivat <pkyzivat@alum.mit.edu > <mailto:pkyzivat@alum.mit.edu> > <mailto:pkyzivat@alum.mit.edu > <mailto:pkyzivat@alum.mit.edu>>> wrote: > > On 3/7/16 11:26 AM, Christer Holmberg > wrote: > > I suggest dtls-association-id. In > my opinion there is no longer > the same > need to be aligned with the name of > the connection attribute. > > > This seems plausible. But I want to > reserve judgement until the > detailed semantics of the attribute are > worked out: > > I wanted to model this attribute on ICE ufrag > > - is it numeric, or a token? > > > I was thinking something like this: > dtls-association-id-attr = > "dtls-association-id" ":" dtls-association-id > > dtls-association-id = > 4*256dtls-association-id-char > > dtls-association-id-char = ALPHA / DIGIT / > "+" / "/"____ > > > Why this in particular? Is it your intent to > reuse values that were generated for another > purpose? Or to reuse code that is also used for > another purpose?____ > > __ __ > > This is reusing the definition (and generation code) > from ice-ufrag attribute > (https://tools.ietf.org/html/rfc5245#section-15.4). ____ > > __ __ > > - any rules for how the value chosen? > > > The dtls-association-id attributes MUST be > chosen randomly when new DTLS > association is requested. The > dtls-association-id attribute MUST > contain at least 24 bits of randomness. > This means that > the dtls-association-id attribute will be > at least 4 characters > long since the grammar for this attribute > allows for 6 bits of > randomness per character. The attribute MAY > be longer than 4 > characters, respectively, of course, up to > 256 characters. The upper > limit allows for buffer sizing in > implementations. Its large upper > limit allows for increased amounts of > randomness to be added over time.____ > > > What is the reason for using random values, > rather than some well defined sequence of > values? (Where the sequence might start with a > random value, or perhaps every sequence would > start with 0.)____ > > __ __ > > We are dealing with multiple end points which can be > reconnected in more or less random order. Each end > point needs to detect when it is talking to a new > end point or to a new DTLS association. This is why > I picked a random value. Once again, if this works > for ICE, should work for DTLS just as well.____ > > __ __ > > Let me know if you have a better idea for ID > generation.____ > > __ __ > > Regards,____ > > _____________ > Roman Shpount____ > > ____ > > __ __ > > __ __ > > __ __ > > __ __ > >
- [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-1… Eric Rescorla
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Ted Hardie
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Ted Hardie
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Roman Shpount
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Eric Rescorla
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Paul Kyzivat
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Eric Rescorla
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Justin Uberti
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Paul Kyzivat
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Paul Kyzivat
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Christer Holmberg
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Paul Kyzivat
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Roman Shpount
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Christer Holmberg
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Paul Kyzivat
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Paul Kyzivat
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Roman Shpount
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Roman Shpount
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Justin Uberti
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Roman Shpount
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Christer Holmberg
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Roman Shpount
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Justin Uberti
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Christer Holmberg
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Justin Uberti
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Paul Kyzivat
- Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-s… Roman Shpount