Re: [MMUSIC] actpass redux

Paul Kyzivat <paul.kyzivat@comcast.net> Fri, 02 June 2017 21:33 UTC

Return-Path: <paul.kyzivat@comcast.net>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 650A5126DED for <mmusic@ietfa.amsl.com>; Fri, 2 Jun 2017 14:33:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jsint4gWz6KD for <mmusic@ietfa.amsl.com>; Fri, 2 Jun 2017 14:33:42 -0700 (PDT)
Received: from resqmta-ch2-10v.sys.comcast.net (resqmta-ch2-10v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F833126D73 for <mmusic@ietf.org>; Fri, 2 Jun 2017 14:33:42 -0700 (PDT)
Received: from resomta-ch2-10v.sys.comcast.net ([69.252.207.106]) by resqmta-ch2-10v.sys.comcast.net with SMTP id GuByd2BOF61D9GuCTdZaDg; Fri, 02 Jun 2017 21:33:41 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20161114; t=1496439221; bh=jZ1STUeqSneGJm68o4EB2lWN118EH5LByPPXKlSpQ0s=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=c7T5fvF6fj+o4iJV4ToAW1GPeZRxgFALnEkT0S31RDmTFmh+OWfK91EWaXTT9kGNA J+pr8Ta4UIeH0NkF7O6/ZrNBC5wzvT23pgxu8+Ys7SFlC5mV0ccsOt5P7wJHtRdpYC uHruhKclF/HOMy0uNJ0jViEY7g+Yr7HQXOTiD5mnZsTZkF0XTh9/ssR5/U4PXfi+uO djqdf+vfWPZ0rjQhmCRnes3oKHpy3Q3SUhBOOZsC7o7biRspBhcDczM/zEN3gUQpcH 3YdfnrwTKd7C900VoL5otk9JZY+GgVTquxOLDbbCYeTgrRQuWH6FpiaRFNPfwoDOIJ slx/HQ8eo2Rfw==
Received: from [192.168.1.110] ([24.62.227.142]) by resomta-ch2-10v.sys.comcast.net with SMTP id GuCSdmgNnX2FjGuCTdDlkA; Fri, 02 Jun 2017 21:33:41 +0000
To: mmusic@ietf.org
References: <CABcZeBMd2BZgyeFnqafTVyGga4FMoK0xJkPCv0y_wvmBWsg+xg@mail.gmail.com> <CAD5OKxvwgvm3Q4HsCYsewZjRS9ty_g34n9+x87vfLW4Omcm8mw@mail.gmail.com> <CAD5OKxuNvnBgpv7BO3fv27ASu5AMugh4-LNpq1r8ga5OtqD_nw@mail.gmail.com>
From: Paul Kyzivat <paul.kyzivat@comcast.net>
Message-ID: <5bd77e3f-e90b-5de4-2d97-170c952c2ba3@comcast.net>
Date: Fri, 02 Jun 2017 17:33:40 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <CAD5OKxuNvnBgpv7BO3fv27ASu5AMugh4-LNpq1r8ga5OtqD_nw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-CMAE-Envelope: MS4wfPHwjsEmjFqXFDnDkyt+zmZ41Yj1YMcfQrNesgQbHJAp+uOiKA1BU3xtdo5QMsoSzMyAiSejfJL4F6dQIJlllxi4tJXcpFGHM/goG6Up44K0y5uWg+ae IPywqzILlcbaJTGBLR300X95DbU4j7E6E/sQPYYNyz1Ao09uLIlscR9i
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/mWq4m971eylriJ1qPLaAhtPXFQI>
Subject: Re: [MMUSIC] actpass redux
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jun 2017 21:33:44 -0000

The scope for this discussion isn't defined. Is this just for SRTP? Or 
also for SCTP? Or also for TCP and TLS?

	Thanks,
	Paul

On 6/2/17 5:16 PM, Roman Shpount wrote:
> Just to provide the historic background for this change. We have 
> discussed setup role in subsequent offers with Christer before IETF95 
> and decided to remove the text that setup MUST be actpass in all the 
> offers. This removed this requirement from the initial offers as well 
> (even though they weren't discussed at that time).
> 
> Now we have three options:
> 
> 1. setup can be whatever application wants in all offers (current text)
> 2. setup MUST be actpass in initial offer and whatever application wants 
> in subsequent (or, alternatively actpass or negotiated role in 
> subsequent offers).
> 3. setup MUST be actpass in all the offers (back to RFC 5763)
> 
> My top preference is that setup SHOULD be actpass in all the offers. 
> Second preference is 1 and hope that application will do the right thing.
> 
>  From my point of view 2 is strange, since there is no principal 
> difference between initial and subsequent offers, especially when 3pcc 
> comes into play. Any offer can end up being subsequent for one end point 
> and initial for another.
> 
> I also think that RFC 5763 requirement is too strong. There are 
> implementations which send offers without actpass so it is already 
> violated. There are also legitimate scenarios where sending current role 
> (subsequent offers without ICE restart) or active (endpoints with basic 
> UDP behind NAT) makes more sense.
> 
> Regards,
> 
> _____________
> Roman Shpount
> 
> On Fri, Jun 2, 2017 at 2:02 PM, Roman Shpount <roman@telurix.com 
> <mailto:roman@telurix.com>> wrote:
> 
>     Hi All,
> 
>     There was a discussion regarding the setup attribute value in
>     subsequent offers when establishing new DTLS association is not
>     desired. Based on that discussion it was decided that setup value
>     can be either currently negotiated value or actpass. There are also
>     UDP/DTLS without STUN NAT traversal scenarios that only work when
>     end point behind NAT is active. I think sending actpass in offers is
>     a generally safer option, but I think SHOULD here is more
>     appropriate then MUST.
> 
>     Please note that https://tools.ietf.org/html/rfc5763#section-5
>     <https://tools.ietf.org/html/rfc5763#section-5> says:
> 
>         The endpoint MUST use the setup attribute defined in [RFC4145].
>         The endpoint that is the offerer MUST use the setup attribute
>         value of setup:actpass and be prepared to receive a client_hello
>         before it receives the answer.
> 
> 
>     This applies not only to initial but to ALL offers.
> 
>     Finally, I can double check, but I am fairly sure there are current
>     implementation that violate this rule.
> 
>     Regards,
> 
>     _____________
>     Roman Shpount
> 
>     On Fri, Jun 2, 2017 at 12:44 PM, Eric Rescorla <ekr@rtfm.com
>     <mailto:ekr@rtfm.com>> wrote:
> 
>         Hi folks,
> 
>         RFC 5763 required (and JSEP imported) that all offers include
> 
>            a=setup:actpass
> 
>         However, assuming I am reading:
>         https://tools.ietf.org/html/draft-ietf-mmusic-dtls-sdp-24
>         <https://tools.ietf.org/html/draft-ietf-mmusic-dtls-sdp-24>
>         correctly, S 4.2 allows the initial offer to contain anything,
>         though encourages actpass:
> 
>             When an offerer sends the initial offer, the offerer MUST
>         insert an
>             SDP 'setup' attribute according to the procedures in
>         [RFC4145], and
>             one or more SDP 'fingerprint' attributes according to the
>         procedures
>             in [RFC8122].  In addition, the offerer MUST insert in the
>         offer an
>             SDP 'tls-id' attribute with a unique value.
> 
>             If the offerer inserts the SDP 'setup' attribute with an
>         'actpass' or
>             'passive' attribute value, the offerer MUST be prepared to
>         receive a
>             DTLS ClientHello message (if a new DTLS association is
>         established by
>             the answerer) from the answerer before the offerer receives
>         the SDP
>             answer.
> 
>         For subequent offers, it also gives flexibility but points at 4145.
> 
> 
>         So...
> 
>         1. Changing the behavior for initial offers seems like it presents
>         a serious interop risk, because previously you could depend on
>         the offer being actpass.
> 
>         2. JSEP requires actpass for all offers, so at least it's stricter.
> 
> 
>         What was the rationale for these changes? Feel free to point me
>         at the
>         mailing list discussion where that happened.
> 
>         -Ekr
>           Hi folks,
> 
>         RFC 5763 required (and JSEP imported) that all offers include
> 
>            a=setup:actpass
> 
>         However, assuming I am reading:
>         https://tools.ietf.org/html/draft-ietf-mmusic-dtls-sdp-24
>         <https://tools.ietf.org/html/draft-ietf-mmusic-dtls-sdp-24>
>         correctly, S 4.2 allows the initial offer to contain anything,
>         though encourages actpass:
> 
>             When an offerer sends the initial offer, the offerer MUST
>         insert an
>             SDP 'setup' attribute according to the procedures in
>         [RFC4145], and
>             one or more SDP 'fingerprint' attributes according to the
>         procedures
>             in [RFC8122].  In addition, the offerer MUST insert in the
>         offer an
>             SDP 'tls-id' attribute with a unique value.
> 
>             If the offerer inserts the SDP 'setup' attribute with an
>         'actpass' or
>             'passive' attribute value, the offerer MUST be prepared to
>         receive a
>             DTLS ClientHello message (if a new DTLS association is
>         established by
>             the answerer) from the answerer before the offerer receives
>         the SDP
>             answer.
> 
>         For subequent offers, it also gives flexibility but points at 4145.
> 
> 
>         So...
> 
>         1. Changing the behavior for initial offers seems like it presents
>         a serious interop risk, because previously you could depend on
>         the offer being actpass.
> 
>         2. JSEP requires actpass for all offers, so at least it's stricter.
> 
> 
>         What was the rationale for these changes? Feel free to point me
>         at the
>         mailing list discussion where that happened.
> 
>         -Ekr
> 
>         _______________________________________________
>         mmusic mailing list
>         mmusic@ietf.org <mailto:mmusic@ietf.org>
>         https://www.ietf.org/mailman/listinfo/mmusic
>         <https://www.ietf.org/mailman/listinfo/mmusic>
> 
> 
> 
> 
> 
> _______________________________________________
> mmusic mailing list
> mmusic@ietf.org
> https://www.ietf.org/mailman/listinfo/mmusic
>