IETF Logo Mail Archive

Re: [MMUSIC] Fwd: draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer?

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 01 June 2017 07:20 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C32301294F4; Thu, 1 Jun 2017 00:20:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XFMJKGVBCrKV; Thu, 1 Jun 2017 00:20:15 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C39612AF6E; Thu, 1 Jun 2017 00:20:11 -0700 (PDT)
X-AuditID: c1b4fb3a-6e3519a000004a6a-76-592fc02941b9
Received: from ESESSHC013.ericsson.se (Unknown_Domain [153.88.183.57]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id B8.44.19050.920CF295; Thu, 1 Jun 2017 09:20:09 +0200 (CEST)
Received: from ESESSMB109.ericsson.se ([169.254.9.30]) by ESESSHC013.ericsson.se ([153.88.183.57]) with mapi id 14.03.0339.000; Thu, 1 Jun 2017 09:17:55 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Cullen Jennings <fluffy@iii.ca>, Ben Campbell <ben@nostrum.com>
CC: Eric Rescorla <ekr@rtfm.com>, Roman Shpount <roman@telurix.com>, Martin Thomson <martin.thomson@gmail.com>, "mmusic-chairs@ietf.org" <mmusic-chairs@ietf.org>, mmusic <mmusic@ietf.org>
Thread-Topic: [MMUSIC] Fwd: draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer?
Thread-Index: AQHS2ldELwNcYwD50E6oSow85173oqIPrDeA
Date: Thu, 01 Jun 2017 07:17:54 +0000
Message-ID: <D5559919.1D777%christer.holmberg@ericsson.com>
References: <D551D683.1D429%christer.holmberg@ericsson.com> <22C94242-218F-4724-AE92-E0B1E8DC2C82@nostrum.com> <21E8BA9D-E442-4DBC-8A7D-CEDFD5F54F8B@iii.ca>
In-Reply-To: <21E8BA9D-E442-4DBC-8A7D-CEDFD5F54F8B@iii.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.4.170508
x-originating-ip: [153.88.183.18]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <096224745518964BB6BA81B56CA504A7@ericsson.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrDIsWRmVeSWpSXmKPExsUyM2K7pa7mAf1IgwXXLSzmd55mt1jx+hy7 xYf1Pxgtrp35x2hxfud6Joupyx+zWMy4MJXZgd1j56y77B5Llvxk8rh8/iOjx6ydT1g8Jj9u Y/a4NaUggC2KyyYlNSezLLVI3y6BK+Pi5wa2gnciFXOP5zQwHhHoYuTkkBAwkZj9eBpbFyMX h5DAEUaJ9tYWFghnEaPExQ+H2LsYOTjYBCwkuv9pgzSICDhLtG9dzw5SwyxwkFHi86VmRpCE sEC9xLrHq1lBEiICDYwSj/p+sIA0iwgYSaxslQWpYRFQkVj9vpcFxOYVsJa4PuMC1LIFjBI3 u5aADeIUsJJ4+mc7K4jNKCAm8f3UGiYQm1lAXOLWk/lMEGcLSCzZc54ZwhaVePn4HyvILlEB PYl3+z0hwooSH1/tY4RoNZB4f24+M4RtLXHuyH6okdoSyxa+Zoa4R1Di5MwnLBMYxWch2TYL SfssJO2zkLTPQtK+gJF1FaNocWpxcW66kZFealFmcnFxfp5eXmrJJkZgHB/c8ttqB+PB546H GAU4GJV4eBn260cKsSaWFVfmHmKU4GBWEuHlqwQK8aYkVlalFuXHF5XmpBYfYpTmYFES53XY dyFCSCA9sSQ1OzW1ILUIJsvEwSnVwLjhR07MjZ7Kxw/c/C4YizTPcz/WPCXoiXzxpRO1Pddy xd1T3SYJKXBuyZob1dA09w5HT/vlwgVW3Mwb8rdrfX0crnszMf3VhNdxiS1rLsWoMQRZZJ45 dcFPNWN/xwOTk2Jnyh6Uu8t8D5O9PkvCTKag5jD3yS+m/O/v8Mbr3fpw1ruo5K1XihJLcUai oRZzUXEiAKqaOZTfAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/tqWRRiB-RgzYCdeNNgH2zxzUP2Y>
Subject: Re: [MMUSIC] Fwd: draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer?
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jun 2017 07:20:17 -0000

Hi,

>No ... the draft (with the PR) does not work. The key issue is the line
>
>   However, the offerer MUST NOT
>   complete the DTLS handshake before it has received the SDP answer.
>
>This breaks the usage of DTLS-SRTP with SIP and is not needed. The
>argument that you should not send media before you know who it is going
>to is not the problem. The key issue is that some times an SIP UA  needs
>to be able to receive media before it knows who it is from. Of course the
>UA should indicate in the caller ID etc that it is does not know who it
>is from. It might be really reasonable for the UA not to send any human
>generated media before it get the the dtls-id in the offer/answer, and
>validate any identity assertions, and validates in the certificates are
>not revoked, and whatever else the UA wants to to but the spec should not
>forbid receiving information while that is all happening. And to receive
>media, it needs to complete the DTLS handshake.
>
>Let me ask, for your average call flow that uses PRACK, do we think that
>call flow would work if we said there could not be any media before the
>Answer was received ?

I am aware of systems, especially SBCs and media gating devices, that will
not accept media until the answer has been received - PRACK or no PRACK.

Having said that, I am staying neutral in this case - I just want text
that everyone can live with, so we can get the draft done...

>I'm sure the next issue is just my confusion but I was under the
>impression this would help solve the unauthenticated keying problem fro
>DTLS-SRTP. But the dtls-id in this draft never get tied to anything in
>the TLS session. Is that specified elsewhere? Do we need a ref to it ?

The original intention of the id was to be able to indicate whether a new
association is to be established.

Martin¹s draft, draft-thomson-mmusic-sdp-uks, extends the usage, but we
earlier agreed that we are not going to reference it from draft-dtls-sdp.

>One other issues ... It seems that this removes from RFC5763 the line
>
>  The SIP message containing the offer SHOULD be sent to
>   the offerer's SIP proxy over an integrity protected channel.
>
>from RFC 5763. Any reason for that? Seems like the fingerprint should
>still be integrity protected.

The text was removed based on a comment in Ben¹s AD review (14th March):

"-9.2, paragraph 5: "The SIP message containing the offer SHOULD be sent
To the offerer¹s SIP proxy over an integrity protected channel":

This seems redundant with a previous statement 2 sentences back. (Yes,
this was in the original textŠ)"


Regards,

Christer

v2.23.0 | Report a Bug | By Email