Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment direction of DTLS session
"Gonzalo Salgueiro (gsalguei)" <gsalguei@cisco.com> Fri, 15 November 2013 22:56 UTC
Return-Path: <gsalguei@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C652E11E81D2 for <mmusic@ietfa.amsl.com>; Fri, 15 Nov 2013 14:56:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.699
X-Spam-Level:
X-Spam-Status: No, score=-9.699 tagged_above=-999 required=5 tests=[AWL=-0.900, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, J_CHICKENPOX_56=0.6, J_CHICKENPOX_57=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ibkQ+JZ2FcsP for <mmusic@ietfa.amsl.com>; Fri, 15 Nov 2013 14:56:47 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 81BBE11E811D for <mmusic@ietf.org>; Fri, 15 Nov 2013 14:56:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=14647; q=dns/txt; s=iport; t=1384556203; x=1385765803; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=yeHpZodFpnA73LKEizTRVEdzfQiOmCrlxIRtCJtT53k=; b=LEdSECh05gpeUl6oSWjgBorLmjLyFmoM4RvwWS1OojmKGPTpMPL/CqUg BfJy7/sxGEUDlovfb2AiaELaZk64Md4GgpodpSZ/rM71Q6/j2cT6VT4R9 /uw8ZWB7VVwRt+6zejnRd23on3c09HzuR0xtzxZrTRcTs/MUsxBygDyqt A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiAFANqlhlKtJV2b/2dsb2JhbABZgwc4U75hS4EqFnSCJQEBAQMBAQEBCVwGCwUHBAIBCBEEAQEBJwcnCxQJCAIEDgUUB4dgBg3BJQSOKIEOMwcGgxqBEQOTbEKDYpINgyiBaUE
X-IronPort-AV: E=Sophos;i="4.93,710,1378857600"; d="scan'208";a="285291125"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-1.cisco.com with ESMTP; 15 Nov 2013 22:56:42 +0000
Received: from xhc-rcd-x08.cisco.com (xhc-rcd-x08.cisco.com [173.37.183.82]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id rAFMugil022773 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 15 Nov 2013 22:56:42 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.192]) by xhc-rcd-x08.cisco.com ([173.37.183.82]) with mapi id 14.03.0123.003; Fri, 15 Nov 2013 16:56:42 -0600
From: "Gonzalo Salgueiro (gsalguei)" <gsalguei@cisco.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Thread-Topic: [MMUSIC] [mmusic-udptl-dtls-01] Establishment direction of DTLS session
Thread-Index: AQHO4N5p0XpoIfKxQUeqq6//ZRwwFpoknjaAgAKwh4A=
Date: Fri, 15 Nov 2013 22:56:41 +0000
Message-ID: <81FDCDD8-6BDD-4D64-8D22-00A750E0289F@cisco.com>
References: <786615F3A85DF44AA2A76164A71FE1AC0BA3EC@FR711WXCHMBA03.zeu.alcatel-lucent.com> <7594FB04B1934943A5C02806D1A2204B1C4A769E@ESESSMB209.ericsson.se> <786615F3A85DF44AA2A76164A71FE1AC0BC423@FR711WXCHMBA03.zeu.alcatel-lucent.com> <7594FB04B1934943A5C02806D1A2204B1C4A9A45@ESESSMB209.ericsson.se>, <786615F3A85DF44AA2A76164A71FE1AC0BD395@FR711WXCHMBA03.zeu.alcatel-lucent.com> <7594FB04B1934943A5C02806D1A2204B1C4AB001@ESESSMB209.ericsson.se> <786615F3A85DF44AA2A76164A71FE1AC0C68BB@FR711WXCHMBA03.zeu.alcatel-lucent.com>, <7594FB04B1934943A5C02806D1A2204B1C4B6352@ESESSMB209.ericsson.se> <786615F3A85DF44AA2A76164A71FE1AC107E9D@FR711WXCHMBA03.zeu.alcatel-lucent.com>, <7594FB04B1934943A5C02806D1A2204B1C518E13@ESESSMB209.ericsson.se> <786615F3A85DF44AA2A76164A71FE1AC107EFE@FR711WXCHMBA03.zeu.alcatel-lucent.com>, <52843090.4050509@alum.mit.edu> <3l87dt3gkmh42oon4n8n22he.1384408337440@email.android.com>
In-Reply-To: <3l87dt3gkmh42oon4n8n22he.1384408337440@email.android.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.82.237.78]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <41D4D2C00039A441A9066E6ADC42DAC4@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "mmusic@ietf.org" <mmusic@ietf.org>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Subject: Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment direction of DTLS session
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Nov 2013 22:56:52 -0000
TBH I didn't see a compelling reason to make the change in the first place. If it is important to Albrecht, I think this proposal is fine and seems innocuous to the proposed solution. Gonzalo On Nov 14, 2013, at 12:52 AM, Christer Holmberg <christer.holmberg@ericsson.com> wrote: > Hi, > > I guess 'SHOULD use actpass' would work. > > Regards, > > Christer > > Sent from my Sony Ericsson Xperia arc S > > Paul Kyzivat <pkyzivat@alum.mit.edu> wrote: > > > I believe that the a=setup attribute was first defined by rfc 4145, for TCP. > > There it governs who listens for an incoming connection. And the main > concern was that NATs/FWs might prevent one end or the other from > accepting incoming connections. Even so, it didn't have any normative > behavior about what should be in the offer. > > As this same attribute is used in different contexts, the implications > of using it may vary. In particular, if it is intended that either end > should be able to take either the active or passive role, then the > considerations for use may vary. > > ISTM that actpas SHOULD be used in the offer, except in cases where the > offerer has a particular preference for active or passive, and would > prefer to have the connection fail than use the other mode. > > Thanks, > Paul > > On 11/13/13 5:31 PM, Schwarz, Albrecht (Albrecht) wrote: >> Right. >> >> ------------------------------------------------------------------------ >> *Von:* Christer Holmberg [christer.holmberg@ericsson.com] >> *Gesendet:* Donnerstag, 14. November 2013 02:21 >> *An:* Schwarz, Albrecht (Albrecht) >> *Cc:* mmusic@ietf.org; LANDAIS, BRUNO (BRUNO) >> *Betreff:* VS: [mmusic-udptl-dtls-01] Establishment direction of DTLS >> session >> >> Hi Albrecht, >> >> If I understand your proposal correctly, the change would be to relax >> the rule for assigning the SDP setup attribute value in the SDP Offer. >> Instead of mandating actpass, we would also allow active and passive. >> >> Right? >> >> Regards, >> >> Christer >> >> *Lähettäjä:*Schwarz, Albrecht (Albrecht) >> [mailto:albrecht.schwarz@alcatel-lucent.com] >> *Lähetetty:* 14. marraskuuta 2013 3:11 >> *Vastaanottaja:* Christer Holmberg >> *Kopio:* mmusic@ietf.org; LANDAIS, BRUNO (BRUNO) >> *Aihe:* AW: [mmusic-udptl-dtls-01] Establishment direction of DTLS session >> >> Hello Christer, >> guess it's time to come back on this topic since the WG adopted the draft. >> >> In brief ("don't want to repeat again the thread"): >> a) problem statement: existing SDP O/A rules define a tighly coupled >> mode between the establishment direction of the SIP session and the >> establishment direction of the DTLS session, but there's not any >> reasoning for such tightly coupled behaviour. >> >> b) change proposal: >> Revise in clause 3.1 following list item >> >> o The endpoint MUST use the SDP setup attribute [RFC4145]. The >> >> offerer MUST assign the SDP setup attribute with setup:actpass >> >> value, and MUST be prepared to receive a DTLS client_hello message >> >> before it receives the SDP answer. The answerer MUST assign the >> >> SDP setup attribute with either setup:active value or >> >> setup:passive value. The answerer SHOULD assign the SDP setup >> >> attribute with the setup:active value. Whichever party is active >> >> MUST initiate a DTLS handshake by sending a ClientHello over each >> >> flow (host/port quartet). >> >> >> by >> >> o The endpoint MUST use the SDP setup attribute [RFC4145]. The >> >> offerer MUST assign the SDP setup attribute with a setup:actpass, >> setup:active or setup:passive >> >> value, and, in case of setup:actpass or setup:passive, MUST be >> prepared to receive a DTLS client_hello message >> >> before it receives the SDP answer. The answerer MUST assign the >> >> SDP setup attribute with either setup:active value or >> >> setup:passive value. The answerer SHOULD assign the SDP setup >> >> attribute with the setup:active value, in case of setup:actpass >> or setup:passive. Whichever party is active >> >> MUST initiate a DTLS handshake by sending a ClientHello over each >> >> flow (host/port quartet). >> >> >> We would limit ourselves with the existing, restrictive SDP O/A rule. >> And without any justification for such a constraint. >> >> Any comments? >> >> Regards, >> Albrecht >> >> >> ------------------------------------------------------------------------ >> >> *Von:*Christer Holmberg [christer.holmberg@ericsson.com] >> *Gesendet:* Montag, 7. Oktober 2013 13:11 >> *An:* Schwarz, Albrecht (Albrecht) >> *Cc:* mmusic@ietf.org <mailto:mmusic@ietf.org>; LANDAIS, BRUNO (BRUNO) >> *Betreff:* VS: [mmusic-udptl-dtls-01] Establishment direction of DTLS >> session >> >> Hi Albrecht, >> >> At this point, the community is making a decision about whether to start >> working on this. >> >> Once that is done, we will start looking into, and discuss, individual >> technical issues etc, and your input will be highly appreciated. >> >> Regards, >> >> Christer >> >> *Lähettäjä:*Schwarz, Albrecht (Albrecht) >> [mailto:albrecht.schwarz@alcatel-lucent.com] >> *Lähetetty:* 7. lokakuuta 2013 13:56 >> *Vastaanottaja:* Christer Holmberg >> *Kopio:* mmusic@ietf.org <mailto:mmusic@ietf.org>; LANDAIS, BRUNO (BRUNO) >> *Aihe:* RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS session >> >> Hello Christer, >> >> I may not commit to submit a problem statement in the next couple of >> weeks, just due to time reasons. >> >> At least a note (or editor’s note) should be added to draft >> mmusic-udptl-dtls in order to indicate the issue and that a solution >> proposal is still pending. >> >> Thanks, >> >> Albrecht >> >> *From:*Christer Holmberg [mailto:christer.holmberg@ericsson.com] >> *Sent:* Dienstag, 24. September 2013 16:01 >> *To:* Schwarz, Albrecht (Albrecht) >> *Cc:* mmusic@ietf.org <mailto:mmusic@ietf.org>; LANDAIS, BRUNO (BRUNO) >> *Subject:* RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS >> session >> >> Hi Albrecht, >> >> I don't think putting a note somewhere in the fax draft is going to >> solve anything. >> >> As you indicate, the issue exists in multiple documents, so it's a >> generic issues. >> >> So, my suggestion is that you put together a short draft which describes >> the problem, and how you want to change it, and then we can have a more >> generic discussion about it. The WG can then decide whether we shall fix >> something, and if so, in which specs. >> >> Regards, >> >> Christer >> >> ------------------------------------------------------------------------ >> >> *From:*Schwarz, Albrecht (Albrecht) [albrecht.schwarz@alcatel-lucent.com] >> *Sent:* Tuesday, 24 September 2013 4:22 PM >> *To:* Christer Holmberg >> *Cc:* mmusic@ietf.org <mailto:mmusic@ietf.org>; LANDAIS, BRUNO (BRUNO) >> *Subject:* RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS >> session >> >> Hello Christer, >> >> the "copy & paste" action (across at least three "RFCs") seems to be the >> root cause of the issue :-( >> >> SIP session establishment and L4 security session (DTLS, TLS) >> establishment directions should be principally decoupled because >> application specific. >> >> We got here (wrt DTLS) three (different!) applications: >> 1) Key exchange (RFC 5763) >> 2) Conference control (rfc4582bis) >> 3) Document transmission (udptl-dtls) >> >> All three applications are different in terms of number/type of >> supported network models, security models or/and communication topology. >> >> Consequently, the basic, application independent SDP O/A rules for DTLS >> session establishment would need to support that flexibility. >> The application specific SIP/SDP profile could then still narrow down >> the required SDP O/A rules. >> >> What we got so far: SDP O/A rules in three application specific "RFCs" >> (RFC 5763, rfc4582bis, udptl-dtls), which are all tight to RFC 5773 :-( >> >> There might be two options to correct that copy & paste issue in >> "udptl-dtls" in my opinion: >> a) expand the SDP O/A rules for more flexibility >> or >> b) add a WARNING / NOTE about the inherent limitations (due to the >> assumption of a network and communication environment according RFC 5763) >> >> What do you think? >> Best regards, >> Albrecht >> >> >> -----Original Message----- >> From: Christer Holmberg [mailto:christer.holmberg@ericsson.com] >> Sent: Montag, 23. September 2013 11:54 >> To: Schwarz, Albrecht (Albrecht) >> Cc: mmusic@ietf.org <mailto:mmusic@ietf.org>; LANDAIS, BRUNO (BRUNO) >> Subject: RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS session >> >> Hi Albrecht, >> >> I don't know what model people were focusing on when writing RFC 5763, >> but the RFC does say: >> >> "The endpoint that is the offerer MUST use the setup attribute value of >> setup:actpass" >> >> ...which we also copied into the udptl-dtls draft. >> >> Now, if you want to change that, and allow the Offerer to "force" the >> direction, I think you should start a separate thread about that. >> Because, it is not specific to fax, in my opinion. >> >> Regards, >> >> Christer >> >> -----Original Message----- >> From: Schwarz, Albrecht (Albrecht) >> [mailto:albrecht.schwarz@alcatel-lucent.com] >> Sent: 23. syyskuuta 2013 12:31 >> To: Christer Holmberg >> Cc: mmusic@ietf.org <mailto:mmusic@ietf.org>; LANDAIS, BRUNO (BRUNO) >> Subject: RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS session >> >> Hello Christer, >> >> the decision about "DTLS session establishment direction" is ALWAYS up >> to the SDP ANSWERER (according present 3.1). >> >> In order to decouple SIP session and DTLS session establishment >> directions, then the SDP OFFERER should also to be able to use >> "setup:active" and "setup:passive" (besides codepoint "setup:actpass") >> in my understanding. >> >> I'm not sure whether the reference to RFC 5763 helps because I could >> imagine that the subject comes down to the indicated network scenarios, >> lets look again at: >> a) T - T >> b) T -GW >> >> The existing udptl-dtls & RFC 5763 text seems to focus on model (a) >> only: SDP O/A between two peering, terminal located SIP UAs (there is >> NOT any SIP B2BUA). >> But I could imagine that the SIP/SDP profiles for "T" and "GW" are not >> necessarily the same in case of model (b): "T" as SDP Offerer may not >> allowed to decide the DTLS session establishment direction, but "GW" as >> SDP offerer may need to enforce the DTLS session establishment direction >> (either way). >> >> Regards, >> Albrecht >> >> >> -----Original Message----- >> From: Christer Holmberg [mailto:christer.holmberg@ericsson.com] >> Sent: Donnerstag, 19. September 2013 10:02 >> To: Schwarz, Albrecht (Albrecht) >> Cc: mmusic@ietf.org <mailto:mmusic@ietf.org> >> Subject: RE: [mmusic-udptl-dtls-01] Establishment direction of DTLS session >> >> Hi Albrecht, >> >> The direction of the SIP session establishment and the DTLS session >> establishment are NOT tightly coupled. The draft enables the Answerer to >> select whether it wants to act as DTLS client or DTLS server. >> >> Section 3.1 states: >> >> .... The >> offerer MUST assign the SDP setup attribute with setup:actpass value, >> and MUST be prepared to receive a DTLS client_hello message before it >> receives the SDP answer. The answerer MUST assign the SDP setup >> attribute with either setup:active value or setup:passive value. The >> answerer SHOULD assign the SDP setup attribute with the setup:active >> value. Whichever party is active MUST initiate a DTLS handshake by >> sending a ClientHello over each flow (host/port quartet). >> >> The same rules apply for DTLS-SRTP (see Section 5 of RFC5763). In fact, >> we base the procedure on that RFC. >> >> BFCP-over-DTLS (draft-ietf-bfcpbis-rfc4582bis) also refers to the >> DTLS-SRTP procedures for DTLS server determination. >> >> Regards, >> >> Christer >> >> >> >> >> >> -----Original Message----- >> From: Schwarz, Albrecht (Albrecht) >> [mailto:albrecht.schwarz@alcatel-lucent.com] >> Sent: 18. syyskuuta 2013 18:28 >> To: Christer Holmberg >> Cc: mmusic@ietf.org <mailto:mmusic@ietf.org> >> Subject: [mmusic-udptl-dtls-01] Establishment direction of DTLS session >> >> The T.38 endpoint could be located in a terminal (= T.38 IAF) or in a >> gateway, leading to three possible scenarios of >> a) T - T >> b) T -GW >> c) GW-GW >> >> I'd like to scope on scenario (b) due to its asymmetry of user- and >> network-side located T.38 endpoints. >> >> Christer, >> I thought that the two directions of >> 1) SIP session establishment and >> 2) DTLS session establishment >> should be NOT tightly coupled (as currently supposed to be in clause 3.1)? >> The ietf draft should offer the flexibility in decoupling both >> establishment directions. >> >> E.g., there might be the demand to limit DTLS session establishment in >> T-to-GW direction (and apply rather the reverse direction) due >> ClientHello associated security threats, resource requests in terms of >> memory, ... >> >> In my opinion: >> the IETF should allow the flexibility, >> other SDOs could still profile/limit this capability. >> >> Best regards, >> Albrecht >> >> PS >> We had a similar discussion with TLS, there NAT traversal (NAT-T) >> aspects could influence TLS session establishment direction. However, I >> guess that NAT-T is minor for DTLS/UDP. >> >> >> >> _______________________________________________ >> mmusic mailing list >> mmusic@ietf.org >> https://www.ietf.org/mailman/listinfo/mmusic >> > > _______________________________________________ > mmusic mailing list > mmusic@ietf.org > https://www.ietf.org/mailman/listinfo/mmusic > _______________________________________________ > mmusic mailing list > mmusic@ietf.org > https://www.ietf.org/mailman/listinfo/mmusic
- [MMUSIC] [mmusic-udptl-dtls-01] Establishment dir… Schwarz, Albrecht (Albrecht)
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Christer Holmberg
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Schwarz, Albrecht (Albrecht)
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Christer Holmberg
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Schwarz, Albrecht (Albrecht)
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Christer Holmberg
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Schwarz, Albrecht (Albrecht)
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Christer Holmberg
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Christer Holmberg
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Schwarz, Albrecht (Albrecht)
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Schwarz, Albrecht (Albrecht)
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Paul Kyzivat
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Christer Holmberg
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Gonzalo Salgueiro (gsalguei)
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Charles Eckel (eckelcu)
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Christer Holmberg
- Re: [MMUSIC] [mmusic-udptl-dtls-01] Establishment… Charles Eckel (eckelcu)