IETF Logo Mail Archive

Re: [MMUSIC] DTLS-SDP and JSEP Conflicts

Adam Roach <adam@nostrum.com> Fri, 25 August 2017 22:47 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E523B1321E6 for <mmusic@ietfa.amsl.com>; Fri, 25 Aug 2017 15:47:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.879
X-Spam-Level:
X-Spam-Status: No, score=-1.879 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ee49u7Vo34KI for <mmusic@ietfa.amsl.com>; Fri, 25 Aug 2017 15:47:28 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 525DD126BFD for <mmusic@ietf.org>; Fri, 25 Aug 2017 15:47:28 -0700 (PDT)
Received: from Svantevit.roach.at (cpe-70-122-154-80.tx.res.rr.com [70.122.154.80]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id v7PMlO1t082485 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Fri, 25 Aug 2017 17:47:26 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-70-122-154-80.tx.res.rr.com [70.122.154.80] claimed to be Svantevit.roach.at
To: Roman Shpount <roman@telurix.com>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>
References: <f353ad39-4ee5-4661-8e99-7fab6e394e91@nostrum.com> <CAD5OKxu3HCThdqTjJ=jz_ZsceX0bVXW+FoRWsEB-N-nbmjEC4g@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <3be5cdc3-b191-d3be-4097-2b17d5a78b7c@nostrum.com>
Date: Fri, 25 Aug 2017 17:47:23 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <CAD5OKxu3HCThdqTjJ=jz_ZsceX0bVXW+FoRWsEB-N-nbmjEC4g@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------1461726FFBA51479F0213F6E"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/i3n8KhlcNoIFLfSqEFM4jzqww2U>
Subject: Re: [MMUSIC] DTLS-SDP and JSEP Conflicts
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Aug 2017 22:47:30 -0000

On 8/25/17 4:39 PM, Roman Shpount wrote:
>
> This is a really thorny issue which does not have a good solution. 
> Correct handling of ufrag change is one of the main reasons why tls-id 
> draft was written in the first place. Here is a little bit more 
> background on the problem:
>
> 1. If ICE restart was caused by 3pcc and resulted in connection to a 
> new device, new DTLS association is required. In some cases, 
> connection to a new device will also result in the new fingerprint 
> set. In some cases (like transfer withing the same organization which 
> uses the same pre-provisioned certificate), fingerprints will stay the 
> same and only ufrag will change. So, this means new DTLS association 
> should be established if ufrag changes due to device change.
>
> 2. If ICE restart is initiated when new network interfaces became 
> available, such as when WiFi became available on the mobile device. 
> This means that both existing candidates and new candidates can be 
> present during ICE restart. This also means, that in some situations, 
> even though ICE restart completes, the underlying transport does not 
> have to change and the same ICE candidate pair will be used after ICE 
> restart. Since this is the same ICE candidate pair, it will mean that 
> packets from old and new DTLS association can be received over the 
> same 5-tuple and they cannot be demultiplexed. This means DTLS 
> association should stay the same even if ufrag changes due to ICE 
> restart but when end points plans to re-use ICE candidates.

I hate to throw new engineering into the document at this point, but 
shouldn't it be possible to distinguish between these two circumstances 
by examining the candidates and determining whether they're completely 
new (versus having at least one in common with the existing connection)? 
This means that you won't know whether to restart DTLS until trickling 
has ended (for trickle), but you can solve that by not doing aggressive 
(or passive-aggressive) nomination -- just wait until you have all the 
candidates before you start connecting.

Does that sound like it would work?

/a

v2.23.0 | Report a Bug | By Email