IETF Logo Mail Archive

Re: [rtcweb] How to determine TLS roles?

Tim Panton <tim@phonefromhere.com> Mon, 10 February 2014 20:22 UTC

Return-Path: <tim@phonefromhere.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87DF91A0835 for <rtcweb@ietfa.amsl.com>; Mon, 10 Feb 2014 12:22:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7D3wDRA4iTAu for <rtcweb@ietfa.amsl.com>; Mon, 10 Feb 2014 12:22:30 -0800 (PST)
Received: from smtp001.apm-internet.net (smtp001-out.apm-internet.net [85.119.248.222]) by ietfa.amsl.com (Postfix) with ESMTP id 4E92A1A06F3 for <rtcweb@ietf.org>; Mon, 10 Feb 2014 12:22:30 -0800 (PST)
Received: (qmail 3981 invoked from network); 10 Feb 2014 20:22:29 -0000
X-AV-Scan: clean
X-APM-Authkey: 83769 19484
Received: from unknown (HELO zimbra003.verygoodemail.com) (85.119.248.218) by smtp001.apm-internet.net with SMTP; 10 Feb 2014 20:22:29 -0000
Received: from zimbra003.verygoodemail.com (localhost [127.0.0.1]) by zimbra003.verygoodemail.com (Postfix) with ESMTP id 6810A18A03CA; Mon, 10 Feb 2014 20:22:29 +0000 (GMT)
Received: from limit.westhawk.co.uk (limit.westhawk.co.uk [192.67.4.33]) by zimbra003.verygoodemail.com (Postfix) with ESMTPSA id 1E8C118A03C9; Mon, 10 Feb 2014 20:22:29 +0000 (GMT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
From: Tim Panton <tim@phonefromhere.com>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B1D167CF8@ESESSMB209.ericsson.se>
Date: Mon, 10 Feb 2014 20:22:09 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <1FC0C1C7-E5AB-4D4C-ABCC-8371457DCBF0@phonefromhere.com>
References: <7594FB04B1934943A5C02806D1A2204B1D1672FC@ESESSMB209.ericsson.se> <9ADA7473-1F36-4D96-A875-D2DC0762E9C2@phonefromhere.com> <7594FB04B1934943A5C02806D1A2204B1D1673C4@ESESSMB209.ericsson.se> <54B6400D-3753-4285-96DB-08EDB23BD03F@phonefromhere.com> <7594FB04B1934943A5C02806D1A2204B1D1674E9@ESESSMB209.ericsson.se>, <CABcZeBOyQeLSwYjKt7hNqn0WViHYhvLmsGecmwCWyGNgUdgSnA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D167825@ESESSMB209.ericsson.se> <8991EDBE-71F3-4456-A614-A9F4926F4955@phonefromhere.com> <7594FB04B1934943A5C02806D1A2204B1D167CF8@ESESSMB209.ericsson.se>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.1827)
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] How to determine TLS roles?
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Feb 2014 20:22:37 -0000

On 10 Feb 2014, at 20:03, Christer Holmberg <christer.holmberg@ericsson.com> wrote:

> Hi,
> 
>>>> This is defined in RFC 5763 S 5:
>>>> http://tools.ietf.org/html/rfc5763#section-5
>>>> 
>>>> Which points to:
>>>> http://tools.ietf.org/html/rfc4145
>>> 
>>> Ok. So, a few questions to for clarification:
>>> 
>>> Q1: This means that the JS App must set the setup attrbute value before passing an SDP to the browser?
>> No, peer-to-peer browser calls should 'do the right thing' - based on the initator/ice-controlling rule Both browsers set a=setup:act-pass meaning that we fall back to the old rules.
> 
> What "old rules"? :)
> 

Sorry that was unclear - As I read it, putting 
a=setup:actpass 
in the SDP indicates that the ice-controlling entity should act as DTLS client, and typically the ice-controlling entity is the initiator of the session. So it isn't a matter of O/A negotiation.

>>> Q2: If SDP O/A is not used on the wire, there needs to be another mechanism for the peers to negotiate/indicate who is "active" and who is "passive"?
>>> 
>> If you don't care, and are locally generating the SDP for a remote offer or answer, set a=setup:act-pass and the roles sort themselves out.
> 
> According to the "old rules", right? :)

Yeah, Ice controlling is the DTLS client. 

> 
>> If however you have a gateway initating a call to a browser, and it wants to do early media (it's an 800 number gateway for example) then it sets a=setup:active
>> in the SDP it sends (or you create on it's behalf).
> 
> There doesn't necessarily have to be a gateway. It may be a browser-to-browser call, using SIP and SDP O/A on the wire - meaning that the SDP setup attribute is used to determine the roles.

But there is no concept of early media on a peer-to-peer webRTC call, so there isn't any need to manage which side is the DTLS client or server.

> 
>>> Q3: If you have mulitple m- lines, all using the same DTLS association, the setup attribute value must be identical in all m- lines?
>>> 
>> 
>> Yes, I think so.
>> 
>>> Q4: The data channel (DTLS/SCTP) will have the same rule (e.g. using the setup attribute value) as DTLS/SRTP for determining the TLS role?
>> 
>> That's the way chrome seems to implement it - and presumably the way the spec is intended.
> 
> Ok.
> 
> Regards,
> 
> Christer

v2.23.0 | Report a Bug | By Email