IETF Logo Mail Archive

Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-10 semantics

Justin Uberti <juberti@google.com> Wed, 09 March 2016 04:35 UTC

Return-Path: <juberti@google.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFE3912DE74 for <mmusic@ietfa.amsl.com>; Tue, 8 Mar 2016 20:35:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([127.0.0.1]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZkuSyDISH1d for <mmusic@ietfa.amsl.com>; Tue, 8 Mar 2016 20:35:24 -0800 (PST)
Received: from mail-wm0-x236.google.com (mail-wm0-x236.google.com [IPv6:2a00:1450:400c:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF07012D920 for <mmusic@ietf.org>; Tue, 8 Mar 2016 20:35:23 -0800 (PST)
Received: by mail-wm0-x236.google.com with SMTP id p65so176018825wmp.1 for <mmusic@ietf.org>; Tue, 08 Mar 2016 20:35:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=32Q0jkcA9taK5o2q4ifHSYOQW//eYuOUeMvEmJkCjWs=; b=nG3mhnyGuu8RLVMrL9pChDdfxtUHImT1YuciFpP//JyRkt8Abu+orogsaeYWtjdA0A wxgCgjPyVMMX1B8xNvCvg9pFsJrXRpg+nhBI6EO+o92WLqsdRzXlWB3+dzclnzlrkm0n bU4ThV/SrXU7Twe/uw7R95TUhcztxaqhLkd7ULGBFCe4RpievAoHpaZaz8el48F1mCwb RAYEiuQGHwTRQ1LUaUJKOxs5ntpZueE0FP+CyW02+Chz14BHcApxATrlHlfjp5meDpUo gywlMq5ixnggtnGYeYMU7+PHj72fbPlOyyle3a0RotfOSi5Ts3SUMlMZb5R7rmpmYBGL qPpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=32Q0jkcA9taK5o2q4ifHSYOQW//eYuOUeMvEmJkCjWs=; b=jlxJIFkrgEeKy6gboSKr0VsJF3MFZ90UVxePB1ja2WxgevpnJ+yIPHot6RKyJ0nLz/ ir9xYTGtcK0ka/tAmP9yMLaCvLjvVCobYKzT2YvVtLdYjgBibGv2vFpv1ALkQEghEMaV O5N/WMcVTMhCMHrpw2ToaMel9YdryEGEYmTy/6XxQsoLutCbWjwUmBoxrG3I5dPWItmc XSpJ2ApZTW1wGRx1TCnWs9J4cFU1HTt8XLZettLGSxStdiuxtMHSRlzKkwqW0Wc4WddN WMuZYkT/3BZa/7csXrDUwfoknJ2GYu2yKonspb4SYcTg9uzzQa1h25VKaznXiU/RfJ3E YHPQ==
X-Gm-Message-State: AD7BkJIEcsjP3HalS9Mwl6J5x91iiagW0TsO+Uc4Vw5Ke1t+iPrA/JZ5k7Oz//R+VQseC6Kym0oHflgMWLw1W0bD
X-Received: by 10.194.184.234 with SMTP id ex10mr30956822wjc.8.1457498122280; Tue, 08 Mar 2016 20:35:22 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.148.79 with HTTP; Tue, 8 Mar 2016 20:35:02 -0800 (PST)
In-Reply-To: <CAD5OKxvL-Lc9n=L4Z5MofhnYkaxL9i5hBFU4KnG2CLG=2SjX9Q@mail.gmail.com>
References: <CABcZeBNJ6jdL7SfLaatfr28X83dVOafpi=jrM6bSJ-qpmj4RuA@mail.gmail.com> <CAD5OKxuK9wBG47d+SwBH_f8-PgMQJuxFRmMg9E4omjgqO0tNbQ@mail.gmail.com> <56D8D2E1.2030306@alum.mit.edu> <CAOJ7v-2eWFFzK_rtSkT5Q12qv5Cdug_Do1z=cAWvfJsKi0U94Q@mail.gmail.com> <56DCB31A.1010502@alum.mit.edu> <7594FB04B1934943A5C02806D1A2204B37E818F9@ESESSMB209.ericsson.se> <56DDA6B2.5080403@alum.mit.edu> <CAD5OKxts-yfXS2nxTfoqMiDO2GLWu4AF6WJdvsE_tFtewmmmCg@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B37E8B57C@ESESSMB209.ericsson.se> <56DDB1D2.6000801@alum.mit.edu> <CAD5OKxuXiPGDZtNQvfhQGD0NdmDoCZ6hAgqQnih8-_p7GD56fQ@mail.gmail.com> <56DDB8B0.5030806@alum.mit.edu> <CAD5OKxtsPiakn+N7PhVv+7f4cJ=+jOoB-M3VmrN-HguWy-sKCQ@mail.gmail.com> <CAOJ7v-3vSkHikt0_bKBsdP=GoAt5wJ5X6tOcq_4z_51jMQKT=w@mail.gmail.com> <CAD5OKxvnHARirebUC+tBACdAF=NhGJgxGJROfDt5LZ44Q-MUXA@mail.gmail.com> <D30450D0.55D7%christer.holmberg@ericsson.com> <CAD5OKxvL-Lc9n=L4Z5MofhnYkaxL9i5hBFU4KnG2CLG=2SjX9Q@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Tue, 08 Mar 2016 20:35:02 -0800
Message-ID: <CAOJ7v-2OCjGPkiU6tH0nUPk8Sa65fJOpVg3nmbuVCePWQkQC1g@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Content-Type: multipart/alternative; boundary="047d7b86cc1ed7235a052d9639a1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/jye12ciXx97JHXQP1rGIkSQAlxw>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>, Paul Kyzivat <pkyzivat@alum.mit.edu>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-10 semantics
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Mar 2016 04:35:28 -0000

I think the id should be alphanumeric, but how it is assigned can be left
to the application.


On Tue, Mar 8, 2016 at 4:59 PM, Roman Shpount <roman@telurix.com> wrote:

> I would make the dtls-association-id value random alphanumeric to keep it
> shorter.
>
> I would also make dtls-association-id optional if any of the fingerprints
> is for a newly generated self-signed certificate which will not be reused
> for any other DTLS association.
>
> Regards,
>
> _____________
> Roman Shpount
>
> On Tue, Mar 8, 2016 at 2:54 AM, Christer Holmberg <
> christer.holmberg@ericsson.com> wrote:
>
>> Hi,
>>
>> There is no need to track the “order” of DTLS associations, so I think we
>> should use random value. I am not sure we need “+” and “-“. Would a numeric
>> value be enough? The number of DTLS associations between the connected
>> endpoints is going to be very small, so we shouldn’t over-engineer it.
>>
>> Regarding the id being unique for a given fingerprint, keep in mind that
>> we now allow multiple fingerprints.
>>
>> Regards,
>>
>> Christer
>>
>> From: Roman Shpount <roman@telurix.com>
>> Date: Tuesday 8 March 2016 at 06:24
>> To: Justin Uberti <juberti@google.com>
>> Cc: "pkyzivat@alum.mit.edu" <pkyzivat@alum.mit.edu>, Christer Holmberg <
>> christer.holmberg@ericsson.com>, "mmusic@ietf.org" <mmusic@ietf.org>
>> Subject: Re: [MMUSIC] Thoughts on draft-ietf-mmusic-dtls-sdp-10 semantics
>>
>> We need to make sure dtls-association-id works in cases of 3pcc where a
>> new session can be connected to an existing session or two existing
>> sessions can be connected with each other. In all of those cases new DTLS
>> association must be established. The case of merging two existing sessions
>> especially worry me if we chose monotonically increasing IDs. Imagine two
>> sessions, each hitting IVR for an announcement, and then being connecting
>> directly with each other. If monotonically increasing from zero ID is used,
>> both sessions will have dtls-association-id=1, but clearly a new session
>> would need to be established.
>>
>> I think in general monotonically increasing IDs have a high chance of
>> collision when unrelated end points are used. Randomly assigned IDs are
>> safer in this regard.
>>
>> Another option is to state that dtls-association-id should be unique for
>> a given security certificate fingerprint. So if new certificate is created
>> for each DTLS association, then dtls-association-id can stay at value 0 or
>> be omitted. If certificate is reused a unique value should be used for each
>> new DTLS association created with this certificate. This uniqueness can be
>> achieved by using a counter associated with each self signed certificate or
>> using sufficiently large random or pseudo random (server id + time stamp +
>> per server counter would be an example of the pseudo random) value
>> associated with pre-provisioned permanent certificates.
>>
>> Does anybody else have any suggestions or concerns about
>> dtls-association-id generation scheme?
>> ______________
>> Roman Shpount
>>
>> On Mon, Mar 7, 2016 at 9:15 PM, Justin Uberti <juberti@google.com> wrote:
>>
>>> Keep in mind that this id value isn't actually sent anywhere. So it's
>>> not like the ICE ufrag that needs a certain amount of entropy. It can just
>>> as easily be a monotonically increasing number.
>>>
>>> IOW, a string with a 1-byte minimum seems right.
>>>
>>> On Mon, Mar 7, 2016 at 10:26 AM, Roman Shpount <roman@telurix.com>
>>> wrote:
>>>
>>>>
>>>> On Mon, Mar 7, 2016 at 12:21 PM, Paul Kyzivat <pkyzivat@alum.mit.edu>
>>>> wrote:
>>>>
>>>>> On 3/7/16 12:12 PM, Roman Shpount wrote:
>>>>>
>>>>>> On Mon, Mar 7, 2016 at 11:52 AM, Paul Kyzivat <pkyzivat@alum.mit.edu
>>>>>> <mailto:pkyzivat@alum.mit.edu>> wrote:
>>>>>>
>>>>>>     On 3/7/16 11:26 AM, Christer Holmberg wrote:
>>>>>>
>>>>>>         I suggest dtls-association-id. In my opinion there is no
>>>>>> longer
>>>>>>         the same
>>>>>>         need to be aligned with the name of the connection attribute.
>>>>>>
>>>>>>
>>>>>>     This seems plausible. But I want to reserve judgement until the
>>>>>>     detailed semantics of the attribute are worked out:
>>>>>>
>>>>>> I wanted to model this attribute on ICE ufrag
>>>>>>
>>>>>>     - is it numeric, or a token?
>>>>>>
>>>>>>
>>>>>> I was thinking something like this:
>>>>>> dtls-association-id-attr = "dtls-association-id" ":"
>>>>>> dtls-association-id
>>>>>>
>>>>>> dtls-association-id = 4*256dtls-association-id-char
>>>>>>
>>>>>> dtls-association-id-char = ALPHA / DIGIT / "+" / "/"
>>>>>>
>>>>>
>>>>> Why this in particular? Is it your intent to reuse values that were
>>>>> generated for another purpose? Or to reuse code that is also used for
>>>>> another purpose?
>>>>
>>>>
>>>> This is reusing the definition (and generation code) from ice-ufrag
>>>> attribute (https://tools.ietf.org/html/rfc5245#section-15.4).
>>>>
>>>>     - any rules for how the value chosen?
>>>>>>
>>>>>>
>>>>>> The dtls-association-id attributes MUST be chosen randomly when new
>>>>>> DTLS
>>>>>> association is requested.  The dtls-association-id attribute MUST
>>>>>> contain at least 24 bits of randomness.  This means that
>>>>>> the dtls-association-id  attribute will be at least 4 characters
>>>>>> long since the grammar for this attribute allows for 6 bits of
>>>>>> randomness per character.  The attribute MAY be longer than 4
>>>>>> characters, respectively, of course, up to 256 characters.  The upper
>>>>>> limit allows for buffer sizing in implementations.  Its large upper
>>>>>> limit allows for increased amounts of randomness to be added over
>>>>>> time.
>>>>>>
>>>>>
>>>>> What is the reason for using random values, rather than some well
>>>>> defined sequence of values? (Where the sequence might start with a random
>>>>> value, or perhaps every sequence would start with 0.)
>>>>>
>>>>
>>>> We are dealing with multiple end points which can be reconnected in
>>>> more or less random order. Each end point needs to detect when it is
>>>> talking to a new end point or to a new DTLS association. This is why I
>>>> picked a random value. Once again, if this works for ICE, should work for
>>>> DTLS just as well.
>>>>
>>>> Let me know if you have a better idea for ID generation.
>>>>
>>>> Regards,
>>>> _____________
>>>> Roman Shpount
>>>>
>>>>
>>>
>>>
>>
>

v2.23.0 | Report a Bug | By Email