Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples

Justin Uberti <juberti@google.com> Fri, 13 March 2015 16:12 UTC

From: Justin Uberti <juberti@google.com>
Date: Fri, 13 Mar 2015 09:12:12 -0700
Message-ID: <CAOJ7v-3bCxVP9fNuRFp_sVBXh4msnF1=fVZrefE0jejMzY8VQQ@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/7JZYbDSHcGHEPCg2VcmavrrrOzE>
Cc: Cullen Jennings <fluffy@cisco.com>, Jonathan Lennox <jonathan@vidyo.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples

On Fri, Mar 13, 2015 at 4:05 AM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:

> Hi,
>
> > TLS (vs DTLS) cannot run on top of ICE since it is not a protocol which
> > can run on top of unreliable packet based transport with no order
> > guarantees. It would require a stream based transport to run below it in
> > order to operate. If someone defines TCP over ICE, that would make a good
> > underlying stream protocol to run below TLS. Once again, no one needed
> > this so far.
>
> Even if we had TCP over ICE, I still don't know whether we would be able
> to run TLS on top. Because, in addition to reliability, doesn't TLS also
> rely on the ordering provided by TCP? We would need to make sure the
> ordering is maintained if endpoints use multiple TCP 5-tuples.
>
A few points:
- Anything we say "runs over ICE" is going to be tunneled over UDP or
TCP, whichever ICE chooses to use as its underlying datagram transport. So
the notion of running "plain TCP" over ICE is nonsensical.

- Assuming we do run TCP over ICE, we can certainly run TLS on top. Since
TCP is just treating the underlying ICE transport as a datagram transport,
TCP retains all of its reliability and in-order properties. So TLS just
sees that it is running over TCP, and doesn't care that it is ICE at the
lowest layer. Note that this stacking of TLS/TCP/ICE is different from the
case of running TLS over ICE-TCP, since ICE-TCP does not guarantee
reliability or ordering.

- Harald's point about the TCP checksum is true; if we were truly
standardizing TCP-over-ICE, we would have to define an appropriate way to
compute the TCP checksum given that said checksum makes assumptions about
IP particulars. This would not be hard though.

- Lastly, this is clearly a source of massive confusion, so I agree we
should discuss it in detail in Dallas. I would be happy to help prepare
presentation material if needed.
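To make the checksum point concrete, here is an added example (not code from the thread or any project it mentions) that computes the RFC 793 TCP checksum over the IPv4 pseudo-header. It shows that the same TCP bytes verify under one IP address pair and fail under another, which is exactly the IP-layer dependency a TCP-over-ICE definition would have to replace. Addresses, ports and payload are constructed sample values.

```python
import struct

# The RFC 793 checksum covers a pseudo-header built from IP-layer values
# (source, destination, protocol, TCP length), so it cannot be computed
# without knowing what "IP" means for the encapsulating transport.

TCP_PROTO = 6

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"                      # odd trailing byte is zero-padded
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_pseudo_header(src_ip: bytes, dst_ip: bytes, tcp_len: int) -> bytes:
    """12-byte IPv4 pseudo-header: src, dst, zero, protocol, TCP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, tcp_len)

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over pseudo-header + segment with the checksum field zeroed."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    pseudo = ipv4_pseudo_header(src_ip, dst_ip, len(segment))
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def build_segment(sport, dport, seq, ack, flags, window, payload, src_ip, dst_ip) -> bytes:
    """20-byte header (no options) + payload, checksum filled in for this IP pair."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr + payload)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload

def verify_segment(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True if the stored checksum matches the one recomputed for this IP pair."""
    (stored,) = struct.unpack("!H", segment[16:18])
    return stored == tcp_checksum(src_ip, dst_ip, segment)

# Constructed sample: one PSH|ACK segment with a small payload, checksummed for A -> B.
A, B = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
C, D = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 2])
SEG_AB = build_segment(5000, 443, 1, 1, 0x018, 65535, b"hello", A, B)

if __name__ == "__main__":
    print("valid for A->B:", verify_segment(A, B, SEG_AB))   # True
    print("valid for C->D:", verify_segment(C, D, SEG_AB))   # False: same TCP bytes, other IP pair
```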