Re: [MMUSIC] actpass redux
Paul Kyzivat <paul.kyzivat@comcast.net> Fri, 02 June 2017 21:33 UTC
Return-Path: <paul.kyzivat@comcast.net>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 650A5126DED for <mmusic@ietfa.amsl.com>; Fri, 2 Jun 2017 14:33:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jsint4gWz6KD for <mmusic@ietfa.amsl.com>; Fri, 2 Jun 2017 14:33:42 -0700 (PDT)
Received: from resqmta-ch2-10v.sys.comcast.net (resqmta-ch2-10v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F833126D73 for <mmusic@ietf.org>; Fri, 2 Jun 2017 14:33:42 -0700 (PDT)
Received: from resomta-ch2-10v.sys.comcast.net ([69.252.207.106]) by resqmta-ch2-10v.sys.comcast.net with SMTP id GuByd2BOF61D9GuCTdZaDg; Fri, 02 Jun 2017 21:33:41 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20161114; t=1496439221; bh=jZ1STUeqSneGJm68o4EB2lWN118EH5LByPPXKlSpQ0s=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=c7T5fvF6fj+o4iJV4ToAW1GPeZRxgFALnEkT0S31RDmTFmh+OWfK91EWaXTT9kGNA J+pr8Ta4UIeH0NkF7O6/ZrNBC5wzvT23pgxu8+Ys7SFlC5mV0ccsOt5P7wJHtRdpYC uHruhKclF/HOMy0uNJ0jViEY7g+Yr7HQXOTiD5mnZsTZkF0XTh9/ssR5/U4PXfi+uO djqdf+vfWPZ0rjQhmCRnes3oKHpy3Q3SUhBOOZsC7o7biRspBhcDczM/zEN3gUQpcH 3YdfnrwTKd7C900VoL5otk9JZY+GgVTquxOLDbbCYeTgrRQuWH6FpiaRFNPfwoDOIJ slx/HQ8eo2Rfw==
Received: from [192.168.1.110] ([24.62.227.142]) by resomta-ch2-10v.sys.comcast.net with SMTP id GuCSdmgNnX2FjGuCTdDlkA; Fri, 02 Jun 2017 21:33:41 +0000
To: mmusic@ietf.org
References: <CABcZeBMd2BZgyeFnqafTVyGga4FMoK0xJkPCv0y_wvmBWsg+xg@mail.gmail.com> <CAD5OKxvwgvm3Q4HsCYsewZjRS9ty_g34n9+x87vfLW4Omcm8mw@mail.gmail.com> <CAD5OKxuNvnBgpv7BO3fv27ASu5AMugh4-LNpq1r8ga5OtqD_nw@mail.gmail.com>
From: Paul Kyzivat <paul.kyzivat@comcast.net>
Message-ID: <5bd77e3f-e90b-5de4-2d97-170c952c2ba3@comcast.net>
Date: Fri, 02 Jun 2017 17:33:40 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <CAD5OKxuNvnBgpv7BO3fv27ASu5AMugh4-LNpq1r8ga5OtqD_nw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4wfPHwjsEmjFqXFDnDkyt+zmZ41Yj1YMcfQrNesgQbHJAp+uOiKA1BU3xtdo5QMsoSzMyAiSejfJL4F6dQIJlllxi4tJXcpFGHM/goG6Up44K0y5uWg+ae IPywqzILlcbaJTGBLR300X95DbU4j7E6E/sQPYYNyz1Ao09uLIlscR9i
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/mWq4m971eylriJ1qPLaAhtPXFQI>
Subject: Re: [MMUSIC] actpass redux
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jun 2017 21:33:44 -0000
The scope for this discussion isn't defined. Is this just for SRTP? Or also for SCTP? Or also for TCP and TLS? Thanks, Paul On 6/2/17 5:16 PM, Roman Shpount wrote: > Just to provide the historic background for this change. We have > discussed setup role in subsequent offers with Christer before IETF95 > and decided to remove the text that setup MUST be actpass in all the > offers. This removed this requirement from the initial offers as well > (even though they weren't discussed at that time). > > Now we have three options: > > 1. setup can be whatever application wants in all offers (current text) > 2. setup MUST be actpass in initial offer and whatever application wants > in subsequent (or, alternatively actpass or negotiated role in > subsequent offers). > 3. setup MUST be actpass in all the offers (back to RFC 5763) > > My top preference is that setup SHOULD be actpass in all the offers. > Second preference is 1 and hope that application will do the right thing. > > From my point of view 2 is strange, since there is no principal > difference between initial and subsequent offers, especially when 3pcc > comes into play. Any offer can end up being subsequent for one end point > and initial for another. > > I also think that RFC 5763 requirement is too strong. There are > implementations which send offers without actpass so it is already > violated. There are also legitimate scenarios where sending current role > (subsequent offers without ICE restart) or active (endpoints with basic > UDP behind NAT) makes more sense. > > Regards, > > _____________ > Roman Shpount > > On Fri, Jun 2, 2017 at 2:02 PM, Roman Shpount <roman@telurix.com > <mailto:roman@telurix.com>> wrote: > > Hi All, > > There was a discussion regarding the setup attribute value in > subsequent offers when establishing new DTLS association is not > desired. Based on that discussion it was decided that setup value > can be either currently negotiated value or actpass. There are also > UDP/DTLS without STUN NAT traversal scenarios that only work when > end point behind NAT is active. I think sending actpass in offers is > a generally safer option, but I think SHOULD here is more > appropriate then MUST. > > Please note that https://tools.ietf.org/html/rfc5763#section-5 > <https://tools.ietf.org/html/rfc5763#section-5> says: > > The endpoint MUST use the setup attribute defined in [RFC4145]. > The endpoint that is the offerer MUST use the setup attribute > value of setup:actpass and be prepared to receive a client_hello > before it receives the answer. > > > This applies not only to initial but to ALL offers. > > Finally, I can double check, but I am fairly sure there are current > implementation that violate this rule. > > Regards, > > _____________ > Roman Shpount > > On Fri, Jun 2, 2017 at 12:44 PM, Eric Rescorla <ekr@rtfm.com > <mailto:ekr@rtfm.com>> wrote: > > Hi folks, > > RFC 5763 required (and JSEP imported) that all offers include > > a=setup:actpass > > However, assuming I am reading: > https://tools.ietf.org/html/draft-ietf-mmusic-dtls-sdp-24 > <https://tools.ietf.org/html/draft-ietf-mmusic-dtls-sdp-24> > correctly, S 4.2 allows the initial offer to contain anything, > though encourages actpass: > > When an offerer sends the initial offer, the offerer MUST > insert an > SDP 'setup' attribute according to the procedures in > [RFC4145], and > one or more SDP 'fingerprint' attributes according to the > procedures > in [RFC8122]. In addition, the offerer MUST insert in the > offer an > SDP 'tls-id' attribute with a unique value. > > If the offerer inserts the SDP 'setup' attribute with an > 'actpass' or > 'passive' attribute value, the offerer MUST be prepared to > receive a > DTLS ClientHello message (if a new DTLS association is > established by > the answerer) from the answerer before the offerer receives > the SDP > answer. > > For subequent offers, it also gives flexibility but points at 4145. > > > So... > > 1. Changing the behavior for initial offers seems like it presents > a serious interop risk, because previously you could depend on > the offer being actpass. > > 2. JSEP requires actpass for all offers, so at least it's stricter. > > > What was the rationale for these changes? Feel free to point me > at the > mailing list discussion where that happened. > > -Ekr > Hi folks, > > RFC 5763 required (and JSEP imported) that all offers include > > a=setup:actpass > > However, assuming I am reading: > https://tools.ietf.org/html/draft-ietf-mmusic-dtls-sdp-24 > <https://tools.ietf.org/html/draft-ietf-mmusic-dtls-sdp-24> > correctly, S 4.2 allows the initial offer to contain anything, > though encourages actpass: > > When an offerer sends the initial offer, the offerer MUST > insert an > SDP 'setup' attribute according to the procedures in > [RFC4145], and > one or more SDP 'fingerprint' attributes according to the > procedures > in [RFC8122]. In addition, the offerer MUST insert in the > offer an > SDP 'tls-id' attribute with a unique value. > > If the offerer inserts the SDP 'setup' attribute with an > 'actpass' or > 'passive' attribute value, the offerer MUST be prepared to > receive a > DTLS ClientHello message (if a new DTLS association is > established by > the answerer) from the answerer before the offerer receives > the SDP > answer. > > For subequent offers, it also gives flexibility but points at 4145. > > > So... > > 1. Changing the behavior for initial offers seems like it presents > a serious interop risk, because previously you could depend on > the offer being actpass. > > 2. JSEP requires actpass for all offers, so at least it's stricter. > > > What was the rationale for these changes? Feel free to point me > at the > mailing list discussion where that happened. > > -Ekr > > _______________________________________________ > mmusic mailing list > mmusic@ietf.org <mailto:mmusic@ietf.org> > https://www.ietf.org/mailman/listinfo/mmusic > <https://www.ietf.org/mailman/listinfo/mmusic> > > > > > > _______________________________________________ > mmusic mailing list > mmusic@ietf.org > https://www.ietf.org/mailman/listinfo/mmusic >
- [MMUSIC] actpass redux Eric Rescorla
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Paul Kyzivat
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Christer Holmberg
- Re: [MMUSIC] actpass redux Eric Rescorla
- Re: [MMUSIC] actpass redux Cullen Jennings
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Cullen Jennings
- Re: [MMUSIC] actpass redux Paul Kyzivat
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Paul Kyzivat
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Paul Kyzivat
- Re: [MMUSIC] actpass redux Roman Shpount
- Re: [MMUSIC] actpass redux Eric Rescorla
- Re: [MMUSIC] actpass redux Christer Holmberg
- Re: [MMUSIC] actpass redux Eric Rescorla
- Re: [MMUSIC] actpass redux Christer Holmberg
- Re: [MMUSIC] actpass redux Eric Rescorla
- Re: [MMUSIC] actpass redux Christer Holmberg
- Re: [MMUSIC] actpass redux Martin Thomson
- Re: [MMUSIC] actpass redux Iñaki Baz Castillo
- Re: [MMUSIC] actpass redux Christer Holmberg
- Re: [MMUSIC] it's time to expel SDP from our lives Paul Kyzivat
- Re: [MMUSIC] actpass redux Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Bernard Aboba
- Re: [MMUSIC] it's time to expel SDP from our lives Dale R. Worley
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Christer Holmberg
- Re: [MMUSIC] it's time to expel SDP from our lives Christer Holmberg
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Christer Holmberg
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo
- Re: [MMUSIC] it's time to expel SDP from our lives Paul Kyzivat
- Re: [MMUSIC] it's time to expel SDP from our lives Iñaki Baz Castillo