Re: [MMUSIC] DTLS-SRTP client/server role negotiation

Christer Holmberg <> Thu, 02 May 2013 18:09 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9F80421F8FA7 for <>; Thu, 2 May 2013 11:09:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.874
X-Spam-Status: No, score=-5.874 tagged_above=-999 required=5 tests=[AWL=-0.225, BAYES_00=-2.599, HELO_EQ_SE=0.35, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id UlElZLhfMQeG for <>; Thu, 2 May 2013 11:09:41 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D394021F8EB3 for <>; Thu, 2 May 2013 11:09:40 -0700 (PDT)
X-AuditID: c1b4fb30-b7f3a6d0000007a4-0f-5182abe3d90a
Received: from (Unknown_Domain []) by (Symantec Mail Security) with SMTP id A7.2A.01956.3EBA2815; Thu, 2 May 2013 20:09:39 +0200 (CEST)
Received: from ([]) by ([]) with mapi id 14.02.0328.009; Thu, 2 May 2013 20:09:39 +0200
From: Christer Holmberg <>
To: Francois Audet <>, Alan Johnston <>, "Schwarz, Albrecht (Albrecht)" <>
Thread-Topic: [MMUSIC] DTLS-SRTP client/server role negotiation
Date: Thu, 02 May 2013 18:09:37 +0000
Message-ID: <>
References: <> <> <> <> <> <>, <> <>, <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrHLMWRmVeSWpSXmKPExsUyM+Jvre7j1U2BBq8emljMbG1lsfjT+ovR omM1i8XU5Y9ZLFZsOMDqwOrR+mwvq8ff9x+YPHbOusvusWTJTyaPWw8msQWwRnHbJCWWlAVn pufp2yVwZyw+tZat4JRVxezlE1kaGCcbdDFyckgImEi8+HaECcIWk7hwbz1bFyMXh5DAYUaJ 02cfsoEkhAQWM0r0HrfoYuTgYBOwkOj+pw1SIyKwiFHi4vMTrCA1zAK+Eu9/TmcHsYUF7CRm zO8AGyoiYC9xtmMRG4SdJbG27yILyBwWARWJh8sLQMK8QK3LNs9hgti7k0Xi8tfLYPWcAtES 8x5cA7MZgY77fmoNE8QucYlbT+ZDHS0gsWTPeWYIW1Ti5eN/rCDzJQQUJZb3y0GU60ncmDqF DcLWlli28DUzxF5BiZMzn7BMYBSbhWTqLCQts5C0zELSsoCRZRUje25iZk56ufkmRmB0Hdzy 22AH46b7YocYpTlYlMR5k7kaA4UE0hNLUrNTUwtSi+KLSnNSiw8xMnFwggguqQZGvkWfa+LO GlwIy9HpC2SXzDjtmfXZ2P7hVsYwxsq9jw5at+TkHL17vERvRdGkbR/8lVjOB2/gMCmdsHl7 W4eTu+zq/cyyjxZb3LjAXP2db2ZlTf1qyYbqt18UPG1zDh32vTj3GG+xjOX9ORybPjw5eqNo QcTGcwZTC3a0BOYJXD69L0N+p4WvEktxRqKhFnNRcSIAcPo3ZoECAAA=
Cc: "" <>, Paul Kyzivat <>
Subject: Re: [MMUSIC] DTLS-SRTP client/server role negotiation
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 02 May 2013 18:09:46 -0000


One good reason is if both clients are behind NATs, connected to SBCs. The SBCs will typically make the clients "active", in order to make the TCP connection traverse the NAT. Hence both clients will also become TLS clients. But, TLS does not define a mechanism to handle "collisions" when both endpoints act as TLS client, which means some intermediary needs to act as TLS server towards the clients.

Now, I realize that may not be a "valid" reason in IETF, and with ICE it may not be a long-term problem :) 

But, is there a reason why it is NOT be a good idea?


From: Francois Audet []
Sent: Thursday, 02 May 2013 8:52 PM
To: Christer Holmberg; Alan Johnston; Schwarz, Albrecht (Albrecht)
Cc:; Paul Kyzivat
Subject: RE: [MMUSIC] DTLS-SRTP client/server role negotiation

You think a rule the binds TLS client role to offer/answer is *good*.... Really, why?

-----Original Message-----
From: [] On Behalf Of Christer Holmberg
Sent: 2 May, 2013 10:31
To: Alan Johnston; Schwarz, Albrecht (Albrecht)
Cc:; Paul Kyzivat
Subject: Re: [MMUSIC] DTLS-SRTP client/server role negotiation


RFC 4572 specifies that the "active" endpoint also takes the role as TLS client. At least MSRP refers to RFC 4572.

AFAIR, BFCP specifies its own rule, saying that the SDP offerer always act as TLS client - ie it separates the TCP setup from TLS roles - which I think is very good.



From: [] on behalf of Alan Johnston []
Sent: Thursday, 02 May 2013 8:05 PM
To: Schwarz, Albrecht (Albrecht)
Cc:; Paul Kyzivat
Subject: Re: [MMUSIC] DTLS-SRTP client/server role negotiation

Interestingly, I have yet to see any browser use a=setup for DTLS-SRTP.  Is this attribute really needed?  How do things work if one or both browsers don't include it?

- Alan -

On Thu, May 2, 2013 at 2:15 AM, Schwarz, Albrecht (Albrecht) <<>> wrote:
The RFC situation is not really clear, even confusing concerning client/server role negotiations (in case of transport security sessions over connection-oriented IP transport protocols).

.         RFC 4145 is only about TCP, i.e., TCP client/server role assignments. Thus, the RFC 4145 introduced SDP attribute is TCP specific.

.         draft-ietf-mmusic-sctp-sdp: seems to profile the "a=setup:" attribute for SCTP path establishment directions . (?)

.         RFC 5763 uses the TCP SDP attribute for DTLS session establishment, i.e. DTLS client/server role assignments; that's actually a semantical change of this SDP element vs RFC 4145

. and DTLS is TLS based, leading to the question of role/assignments in case of TLS/TCP sessions?
I.e., the TCP client/server and also TLS client/server roles? Keeping in mind that the role assignments at IP transport layer and security session layer may principally be different!

The "a=setup" definition by RFC 4145 is unfortunate in my opinion.
Required seems to be a generic SDP specification (i.e., outside RFC 4145), which may be then tight to the concerned protocol. Sth like an explicit indication "a=setup:PROTOCOL:" or an implicit indication by adding an identifier.

The "m=" line <proto> element does not really help to reduce ambiguity (as Paul reminded again: ""Unfortunately SDP has a pretty confusing idea of "transport". The proto field identifies a whole stack of protocol layers.").

I would see following parameter values for a SDP "a=setup:PROTOCOL:" attribute extension:
L4+: TLS, DTLS, DTLS-SRTP(?, due to RFC 5764 SDP profiling .)

From:<> [<>] On Behalf Of Mo Zanaty (mzanaty)
Sent: Donnerstag, 2. Mai 2013 06:04
To: Justin Uberti
Cc: Paul Kyzivat;<>
Subject: Re: [MMUSIC] DTLS-SRTP client/server role negotiation

A simple 3PCC/B2BUA only delays offers toward one leg like RFC3725, so the other leg will answer with active or passive but not actpass.

A complex 3PCC/B2BUA delays offers toward both legs, so it must analyze and alter SDP in complex ways to generate two answers from two offers, part of which is deciding which answer should become active and which should become passive.

The flow in RFC 5245 B.11 is oversimplified. SDP can't be forwarded unaltered by a B2BUA which delays offers on both legs. Generating two answers from two offers is much more complex than simply forwarding the offers as answers.

DTLS-SRTP is actually an easy case since RFC 5763 requires offers to be actpass. TCP is harder since RFC 4145 allows offers to be active, passive, or actpass, causing more complex reinvites to resolve active/active or passive/passive conflicts.


On May 1, 2013, at 6:28 PM, "Justin Uberti" <<>> wrote:
I think Paul means the active/passive attributes in RFC 5763, but I'm still not sure about how 3rd party call control would be handled in this case, i.e. when both endpoints think they are offerers and set a=setup:actpass.

ICE has logic to determine roles in this scenario, as shows in RFC 5245, B.11.

On Wed, May 1, 2013 at 2:10 PM, Gustavo García <<>> wrote:
I saw it, but that is all about TCP client/server role and not DTLS client/server role.   Are we supposed to use the same "setup" attribute for dtls role negotiation even if it is over UDP?

I think there is no reason to tie TCP and DTLS roles, but perhaps I'm misunderstanding something.

On 01/05/2013, at 13:56, Paul Kyzivat wrote:

> On 5/1/13 2:26 PM, Gustavo García wrote:
>> RFC5764 (DTLS-SRTP) states that "Which side is the DTLS client and which side is the DTLS server must be established via some out-of-band mechanism such as SDP."
>> What is the specification on how to signal that in SDP?
>> Specifically in case of 3pcc where both endpoints are SDP offerers which one should take the client and server roles for DTLS?    Should we tie that role to ICE controlled/controlling roles or should we negotiate it in the SDP somehow?
> See RFC4145.
> _______________________________________________
> mmusic mailing list

mmusic mailing list<>

mmusic mailing list<>

mmusic mailing list<>

mmusic mailing list