Re: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer?
Eric Rescorla <ekr@rtfm.com> Thu, 08 June 2017 05:16 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15E0A127868 for <mmusic@ietfa.amsl.com>; Wed, 7 Jun 2017 22:16:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xi52nXyiCzE7 for <mmusic@ietfa.amsl.com>; Wed, 7 Jun 2017 22:16:38 -0700 (PDT)
Received: from mail-yb0-x231.google.com (mail-yb0-x231.google.com [IPv6:2607:f8b0:4002:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B9CED127444 for <mmusic@ietf.org>; Wed, 7 Jun 2017 22:16:38 -0700 (PDT)
Received: by mail-yb0-x231.google.com with SMTP id f192so7265092yba.2 for <mmusic@ietf.org>; Wed, 07 Jun 2017 22:16:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=4Ng4TvEs37IkUUoPCnc9U36yCoTN1qc0zaeAyL4JQTE=; b=HZ3NleyNkFhtpNQ+iQcmVAaIrQc5xw9Ns1Lnm2DfQ9xMvloPFLVkyhUaYxcVHiL6DT MilxbPkep1fpmMHQmG9BdFPmdHZxdVAhCL/GgB7/TftR5GBogQj1ssiqH9SYwbv+xn9e yS2JLq3mkUL8Nps2INHJ44ikqi48f8JqyuT0+cEPyRG1pY2KMGd4tfEZUZV0bA9RkPwC kmUhrF27ARHXE45fcPDo7yml9xrToxILJ/7+XLoJtgh6hyax1t9f1DDMFoPP19RvECik 2rDeRwSW0yR7fuWVrB1HTD9hab2T1XN5Vvl379VdQ79C1d+6oddR1vzq1hLSVm08xic1 v/nA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=4Ng4TvEs37IkUUoPCnc9U36yCoTN1qc0zaeAyL4JQTE=; b=f253W3XJN0kDTzPA+uOyui0Ign6k3zwTGg/5pXJrMkWdIxD1EabDMpWpieQoBEooHW aOwQUTjE9wo7oF5JFzEkun4iMASP63HhsRa9tnBEDkEukEKx3yOkvJun4w5VnrmSBsQV tT6oK7I5upRiUszfe05Q0KvLcTd9B7e+xA1PvJ/8/0g6zImdXJsFjL7nIV9YE04lcl4S 3m9wfvZ804YXyrvyW38ba719KZ2mJeugRCoG9jQJ1Hr2LVPTnQRMx4dIMmIZwufMksc/ aodVB52MR2667sf3egOpnfNJ41e13au5TzeP+LDs8PRng8FjcIvTlf7NJ8LSPR9GcnZb aEpg==
X-Gm-Message-State: AODbwcBiTWzpcADDRyysmdWtY4A4WnMc9IUS1kPEpv1eC4KIOugdpvuP a7LX8j0QJ1YagMQ8OVh0WHN71T0tHn5W
X-Received: by 10.37.44.72 with SMTP id s69mr9295962ybs.89.1496898997981; Wed, 07 Jun 2017 22:16:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.4 with HTTP; Wed, 7 Jun 2017 22:15:57 -0700 (PDT)
In-Reply-To: <CAD5OKxvZfgrLko=GiHN87xHA7_faFXpaQdnYCnDLP2qkYPdVNw@mail.gmail.com>
References: <D551D683.1D429%christer.holmberg@ericsson.com> <22C94242-218F-4724-AE92-E0B1E8DC2C82@nostrum.com> <21E8BA9D-E442-4DBC-8A7D-CEDFD5F54F8B@iii.ca> <CAD5OKxujAuzJt4QD6JXKHkVd4JB_nO5Th6KXjavMBww=W4644Q@mail.gmail.com> <6125EAB1-A827-4E0F-B756-78F85BB411CD@iii.ca> <CAD5OKxutcpUzh1yLA2kukmYmiHQg3+6fuXbaD0w73gzsAHEXzg@mail.gmail.com> <e80f0fbe-221e-aa9b-33bd-24d2ff50fe84@cisco.com> <CAD5OKxvZfgrLko=GiHN87xHA7_faFXpaQdnYCnDLP2qkYPdVNw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 08 Jun 2017 07:15:57 +0200
Message-ID: <CABcZeBOOD5J4mxZyiaMyO-xm2Da=suqwR8==3UaHym=Pm6zOJA@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Cc: Flemming Andreasen <fandreas@cisco.com>, Cullen Jennings <fluffy@iii.ca>, Ben Campbell <ben@nostrum.com>, Martin Thomson <martin.thomson@gmail.com>, Christer Holmberg <christer.holmberg@ericsson.com>, mmusic-chairs@ietf.org, mmusic <mmusic@ietf.org>
Content-Type: multipart/alternative; boundary="001a11432ade0a948b05516bf5c4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/vMpn5Y92XWkxFAaDDgQ00VRrunQ>
Subject: Re: [MMUSIC] draft-dtls-sdp: Allow offerer to establish DTLS association before it has received the SDP answer?
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Jun 2017 05:16:41 -0000
i can live with that. -Ekr On Thu, Jun 8, 2017 at 12:58 AM, Roman Shpount <roman@telurix.com> wrote: > As a way forward on this issue, I am proposing the following: > > 1. Remove any recommendation regarding handling DTLS association before > the answer (leave it up to implementation) > 2. Put a note that accepting DTLS association before the answer can result > in unverified media and if this media is played back to the end user, end > user SHOULD be notified that media is coming from an unverified source. > 3. Add clarification that DTLS associations established before the answer > MUST be torn down when no more answers are expected and that fingerprints > in any of the received answers match the negotiated certificate (Right now > it is specified that DTLS association MUST be torn down if it does not > match the answer. This is wrong if forking is used and multiple answers are > received). > > Does anyone opposes this? > > Regards, > > _____________ > Roman Shpount > > On Wed, Jun 7, 2017 at 5:52 PM, Flemming Andreasen <fandreas@cisco.com> > wrote: > >> Can we get some specific text proposals from the people that seem to care >> about what we end up with here ? >> >> Thanks >> >> -- Flemming (as MMUSIC co-chair) >> >> >> >> On 6/5/17 12:58 PM, Roman Shpount wrote: >> >> On Mon, Jun 5, 2017 at 10:03 AM, Cullen Jennings <fluffy@iii.ca> wrote: >> >>> >>> > On May 31, 2017, at 4:51 PM, Roman Shpount <roman@telurix.com> wrote: >>> > >>> > 1. Starting DTLS handshake until the corresponded answer is received >>> is NOT RECOMMENDED since it can result in unauthenticated media. If >>> unauthenticated media is played to the end user, in cases such as early >>> media in SIP calls, this should be indicated to the end user. >>> >>> No. Doing the handshake as quickly as possible is recommend - it's what >>> you do with the media before you know who you are talking to that is the >>> issue you are concerned with. And knowing who you are talking often >>> involves much more than checking the fingerprint. So I don't agree this is >>> not recommended. >>> >> >> There are also implementation issues with getting media and not playing >> it. End point will still need to either buffer or somehow process the >> received packets so that playback can be started when the answer is >> received. If handshake is delayed until answer is received, none of this is >> an issue, so implementation is simpler. >> >> More importantly, I do not think new systems should be built without ICE. >> I understand there are legacy implementations which use symmetric UDP for >> media. In such cases it is allowed to complete handshake. Such solutions >> are legacy and building new systems like this are not recommended. It is >> recommended that new systems should implement full ICE, consent to send, >> and do not complete DTLS handshake before an answer SDP is received. >> >> Regards, >> _____________ >> Roman Shpount >> >> >> >> >
- [MMUSIC] draft-dtls-sdp: Allow offerer to establi… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Eric Rescorla
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Roman Shpount
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Eric Rescorla
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Martin Thomson
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Cullen Jennings
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Martin Thomson
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Martin Thomson
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Eric Rescorla
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Martin Thomson
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg
- [MMUSIC] Fwd: draft-dtls-sdp: Allow offerer to es… Ben Campbell
- Re: [MMUSIC] Fwd: draft-dtls-sdp: Allow offerer t… Cullen Jennings
- Re: [MMUSIC] Fwd: draft-dtls-sdp: Allow offerer t… Roman Shpount
- Re: [MMUSIC] Fwd: draft-dtls-sdp: Allow offerer t… Christer Holmberg
- Re: [MMUSIC] Fwd: draft-dtls-sdp: Allow offerer t… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Cullen Jennings
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Roman Shpount
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Flemming Andreasen
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Roman Shpount
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Eric Rescorla
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Cullen Jennings
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Roman Shpount
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Paul Kyzivat
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Roman Shpount
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Cullen Jennings
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Roman Shpount
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Cullen Jennings
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Roman Shpount
- Re: [MMUSIC] draft-dtls-sdp: Allow offerer to est… Christer Holmberg