IETF Logo Mail Archive

Re: [MMUSIC] DTLS-SDP and JSEP Conflicts

Roman Shpount <roman@telurix.com> Fri, 25 August 2017 23:23 UTC

Return-Path: <roman@telurix.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7DC7132C74 for <mmusic@ietfa.amsl.com>; Fri, 25 Aug 2017 16:23:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_SORBS_SPAM=0.5, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VW5EKFDe8quA for <mmusic@ietfa.amsl.com>; Fri, 25 Aug 2017 16:23:10 -0700 (PDT)
Received: from mail-pg0-x233.google.com (mail-pg0-x233.google.com [IPv6:2607:f8b0:400e:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 979E3132C7F for <mmusic@ietf.org>; Fri, 25 Aug 2017 16:23:10 -0700 (PDT)
Received: by mail-pg0-x233.google.com with SMTP id t3so6324817pgt.0 for <mmusic@ietf.org>; Fri, 25 Aug 2017 16:23:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=7hBnHGzxw5k3/IiWqsLltiOhpLStZcgyVY62x15W0VY=; b=wCvlHWVhcyi9NFOG1Da5b8oE6UoGcsMbLjfHQQ1EoXg1oTJQwj9WWdz1tvNLfGXqdQ S/m0i6W0RFOS2Q4y1iETgOv64yJStPuA13ZKp+W0G+TAfNHGaPBmIww1A9UjSOaoYAhx ldaYTaOnJP/3CEWbTbbY2ozo1P+FrXx3cjQENORgrrGYIN4l7Ah8/RwXTcVnIm6eyBEE r0vcedDJu/b3cnkhxKorCUNwBUrRP0DAUpbDy4Z7hMpF0Jy13bL90hC45ofcwQF5ZJ0b wER2LIXBrpmHcVU9GFsMcOAVfiXG9a+35ut9HmKTw1vK2cOmrfmj5i/9PXI4SBA88glj Z7Iw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=7hBnHGzxw5k3/IiWqsLltiOhpLStZcgyVY62x15W0VY=; b=c2ZqicWxfKwc1K3yEL2OwuKU8cjLE1jHCj9H1N8zyQkXeluMZrqGJoNjFAFc4X3yrQ LW3v+t8z1PW8N4fcGSjcpwWsv6JANJ+QhNn9wLu/T7Dbas7GdUQIT586vuUcCGV24D83 cJlWuunZu0qMEmCg2sdcKrB+zp7ZEwaPaqkDVa+bAvMImgYBwL3Z5KJb6VU18gyjaBvc k9fOU4z7o3qp/pNDUZp5FiUjii1FOGfec0ctim5oPdlQ2/Jske77qkdzGQLuZinXXMbg jSdX+pLxN7h2Ca9w1XLC0T27a3FZu+SyBJO2rFQJaKYZWvli7hab+ybJGavkf8opJVL7 Se6A==
X-Gm-Message-State: AHYfb5i990AC/47QyPfXVoCk+mcj1NZD9SIeWY/h2Ry3RdGDa/I4yNvs imaN+ctRwUn9aoSnMdg=
X-Received: by 10.98.178.144 with SMTP id z16mr104830pfl.282.1503703389700; Fri, 25 Aug 2017 16:23:09 -0700 (PDT)
Received: from mail-pg0-f45.google.com (mail-pg0-f45.google.com. [74.125.83.45]) by smtp.gmail.com with ESMTPSA id u26sm13546753pfi.140.2017.08.25.16.23.08 for <mmusic@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 25 Aug 2017 16:23:09 -0700 (PDT)
Received: by mail-pg0-f45.google.com with SMTP id r133so6228852pgr.3 for <mmusic@ietf.org>; Fri, 25 Aug 2017 16:23:08 -0700 (PDT)
X-Received: by 10.99.36.134 with SMTP id k128mr78187pgk.413.1503703388689; Fri, 25 Aug 2017 16:23:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.191.8 with HTTP; Fri, 25 Aug 2017 16:23:08 -0700 (PDT)
In-Reply-To: <3be5cdc3-b191-d3be-4097-2b17d5a78b7c@nostrum.com>
References: <f353ad39-4ee5-4661-8e99-7fab6e394e91@nostrum.com> <CAD5OKxu3HCThdqTjJ=jz_ZsceX0bVXW+FoRWsEB-N-nbmjEC4g@mail.gmail.com> <3be5cdc3-b191-d3be-4097-2b17d5a78b7c@nostrum.com>
From: Roman Shpount <roman@telurix.com>
Date: Fri, 25 Aug 2017 19:23:08 -0400
X-Gmail-Original-Message-ID: <CAD5OKxtqJGYZJwiS=w1M+qRenoxqi7gDX3K6Tc-dMPXB_E3-Tw@mail.gmail.com>
Message-ID: <CAD5OKxtqJGYZJwiS=w1M+qRenoxqi7gDX3K6Tc-dMPXB_E3-Tw@mail.gmail.com>
To: Adam Roach <adam@nostrum.com>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c031c9c549ccf05579c3a36"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/uvbUAjI8Vbz66tXxpngNYG4gKyI>
Subject: Re: [MMUSIC] DTLS-SDP and JSEP Conflicts
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Aug 2017 23:23:13 -0000

On Fri, Aug 25, 2017 at 6:47 PM, Adam Roach <adam@nostrum.com> wrote:

> On 8/25/17 4:39 PM, Roman Shpount wrote:
>
>
> This is a really thorny issue which does not have a good solution. Correct
> handling of ufrag change is one of the main reasons why tls-id draft was
> written in the first place. Here is a little bit more background on the
> problem:
>
> 1. If ICE restart was caused by 3pcc and resulted in connection to a new
> device, new DTLS association is required. In some cases, connection to a
> new device will also result in the new fingerprint set. In some cases (like
> transfer withing the same organization which uses the same pre-provisioned
> certificate), fingerprints will stay the same and only ufrag will change.
> So, this means new DTLS association should be established if ufrag changes
> due to device change.
>
> 2. If ICE restart is initiated when new network interfaces became
> available, such as when WiFi became available on the mobile device. This
> means that both existing candidates and new candidates can be present
> during ICE restart. This also means, that in some situations, even though
> ICE restart completes, the underlying transport does not have to change and
> the same ICE candidate pair will be used after ICE restart. Since this is
> the same ICE candidate pair, it will mean that packets from old and new
> DTLS association can be received over the same 5-tuple and they cannot be
> demultiplexed. This means DTLS association should stay the same even if
> ufrag changes due to ICE restart but when end points plans to re-use ICE
> candidates.
>
>
> I hate to throw new engineering into the document at this point, but
> shouldn't it be possible to distinguish between these two circumstances by
> examining the candidates and determining whether they're completely new
> (versus having at least one in common with the existing connection)? This
> means that you won't know whether to restart DTLS until trickling has ended
> (for trickle), but you can solve that by not doing aggressive (or
> passive-aggressive) nomination -- just wait until you have all the
> candidates before you start connecting.
>
> Does that sound like it would work?
>

This will theoretically work, but can delay DTLS association setup in case
of tricket ICE past the point of being usable.

More importantly this is not how existing implementations work. They simply
do not start new DTLS association on ufrag change. This is for legacy
interop only, so we might as well do what legacy end points do and ignore
ufrag.

Regards,
_____________
Roman Shpount

v2.23.0 | Report a Bug | By Email