Re: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer? - Updated PR
Christer Holmberg <christer.holmberg@ericsson.com> Wed, 14 June 2017 10:06 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 950D2129B64 for <mmusic@ietfa.amsl.com>; Wed, 14 Jun 2017 03:06:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PJvpkjMYIola for <mmusic@ietfa.amsl.com>; Wed, 14 Jun 2017 03:06:15 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8D391271FD for <mmusic@ietf.org>; Wed, 14 Jun 2017 03:06:14 -0700 (PDT)
X-AuditID: c1b4fb25-545149a0000046b1-32-59410a948164
Received: from ESESSHC007.ericsson.se (Unknown_Domain [153.88.183.39]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id F3.47.18097.49A01495; Wed, 14 Jun 2017 12:06:13 +0200 (CEST)
Received: from ESESSMB109.ericsson.se ([169.254.9.30]) by ESESSHC007.ericsson.se ([153.88.183.39]) with mapi id 14.03.0339.000; Wed, 14 Jun 2017 12:06:11 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Roman Shpount <roman@telurix.com>, Cullen Jennings <fluffy@iii.ca>, Eric Rescorla <ekr@rtfm.com>
CC: mmusic <mmusic@ietf.org>
Thread-Topic: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer? - Updated PR
Thread-Index: AQHS5PXYBF/b9T08mE6k5iisEptUBA==
Date: Wed, 14 Jun 2017 10:06:10 +0000
Message-ID: <D566E5B3.1E4C4%christer.holmberg@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.4.170508
x-originating-ip: [153.88.183.16]
Content-Type: multipart/alternative; boundary="_000_D566E5B31E4C4christerholmbergericssoncom_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrGIsWRmVeSWpSXmKPExsUyM2K7uu5ULsdIgz1rWS1WvD7HbvFh/Q9G i6nLH7NYzLgwldmBxWPJkp9MHpfPf2T0mPy4jdnj1pSCAJYoLpuU1JzMstQifbsEroymO53M BYvDKtrWnmVvYDzn0cXIySEhYCLRMO85axcjF4eQwBFGiUOHdzFCOIsZJXYsO8jSxcjBwSZg IdH9TxukQUQgQ+Lzg8lMIDazgIzEjLONYLawQDujxOclQSC9IgIdQPbLyYwgvSICehIz15aB 1LAIqEpM6HjHCmLzClhL3J/dB9bLKCAm8f3UGqiZ4hK3nsxngjhOQGLJnvPMELaoxMvH/1hB RooCjXy33xMirCix82w7M0RrgsSa5gZGiPGCEidnPmGZwCg8C8nUWUjKZiEpg4gbSLw/N58Z wtaWWLbwNZStL7Hxy1lGCNtaov3qcSZkNQsYOVYxihanFiflphsZ66UWZSYXF+fn6eWllmxi BMbewS2/VXcwXn7jeIhRgINRiYd3zUaHSCHWxLLiytxDjBIczEoivBLngUK8KYmVValF+fFF pTmpxYcYpTlYlMR5HfddiBASSE8sSc1OTS1ILYLJMnFwSjUwmt3vPVLjtMDsKM+uhSqTFsvF xi9fypIZ7f7q+t7kWdO3iR9vXD2p3aFnr1OGVkvKg8NJ8qbRUvvTcu/55nzkKJZZNjPZI3Tf oS360WW8/jrezP8Wfk7/YjQ96sPR8HPXCz7PuBDxhetwYlHS4eW/p02VfeEW0+e+O7F70Uqe o8Lsm82YS07+VmIpzkg01GIuKk4EAKSnMkm5AgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/rNSNS9OtP0rSyOodDZisSovLTdg>
Subject: Re: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer? - Updated PR
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 10:06:17 -0000
Hi, I have updated the PR. I hope it addresses the opinions of everyone: * It removes any text regarding handling of DTLS associations before the answer. * It adds a note saying any data received is to be considered coming from an unverified source, but that the processing of the data is outside the scope of the document * It adds text to the SIP considerations, saying that the offerer should wait for all SDP answers until it declares a possible fingerprint mismatch. https://github.com/cdh4u/draft-dtls-sdp/pull/31 Note that this PR does not address the actpass issue – any changes associated with that issue will be in a separate PR. Regards, Christer From: Roman Shpount <roman@telurix.com<mailto:roman@telurix.com>> Date: Friday 9 June 2017 at 17:18 To: Cullen Jennings <fluffy@iii.ca<mailto:fluffy@iii.ca>> Cc: "mmusic@ietf.org<mailto:mmusic@ietf.org>" <mmusic@ietf.org<mailto:mmusic@ietf.org>>, Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> Subject: Re: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer? On Fri, Jun 9, 2017 at 9:32 AM, Cullen Jennings <fluffy@iii.ca<mailto:fluffy@iii.ca>> wrote: I'd really really appreciate if you could give me a hint of it you agree with my original points I asked about or which ones you disagree with and why. The three points I am interested in are: For devices that want to minimize delay in setting up media and avoid media clipping, doing the TLS handshake as soon as possible is good design but in some cases this means the system does the handshake before the identity of the fingerprint is known. Doing TLS handshake as soon as possible is a good design. Doing answer identity and integrity validation and validating certificate fingerprints as soon as possible is a better design. I understand that doing answer and fingerprint validation is not always possible when interfacing with legacy SIP devices, but there is no reason to design new solutions which process media before the answer. For instance WebRTC has no reason to support unverified media. Because of this, I think that anything that produces unverified media is a bad design which has no reason to exist apart for legacy interop. Specifics on how to design session description identity and integrity validation are clearly out of scope for this draft. All of this being said, what I am proposing for the sake of moving this draft forward does not contradict any of your points. Once again, what I am proposing is: 1. Remove any recommendation regarding handling DTLS association before the answer (leave it up to implementation) 2. Put a note that accepting DTLS association before the answer can result in unverified media and if this media is played back to the end user, end user SHOULD be notified that media is coming from an unverified source. 3. Add clarification that DTLS associations established before the answer MUST be torn down when no more answers are expected and that fingerprints in any of the received answers match the negotiated certificate (Right now it is specified that DTLS association MUST be torn down if it does not match the answer. This is wrong if forking is used and multiple answers are received). Draft does not advise that DTLS association should be established before the answer is received (I think this is wrong), but it also does not advise that it should not (you think it is wrong). This way implementation decides what's best for it. Does it contradict anything that you want to accomplish? If it does, what needs to be changed? Regards, _____________ Roman Shpount
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg