IETF Logo Mail Archive

Re: [rtcweb] Feedback for draft-ietf-rtcweb-mdns-ice-candidates-03

Roman Shpount <roman@telurix.com> Tue, 09 July 2019 01:01 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DAD612024F for <rtcweb@ietfa.amsl.com>; Mon, 8 Jul 2019 18:01:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.592
X-Spam-Level:
X-Spam-Status: No, score=-0.592 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, PDS_NO_HELO_DNS=1.295, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zKIEuls624DK for <rtcweb@ietfa.amsl.com>; Mon, 8 Jul 2019 18:01:12 -0700 (PDT)
Received: from mail-pg1-x530.google.com (mail-pg1-x530.google.com [IPv6:2607:f8b0:4864:20::530]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FD76120090 for <rtcweb@ietf.org>; Mon, 8 Jul 2019 18:01:12 -0700 (PDT)
Received: by mail-pg1-x530.google.com with SMTP id w10so8526693pgj.7 for <rtcweb@ietf.org>; Mon, 08 Jul 2019 18:01:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=iu9rqA6Do8Zo5ErLiIxJhcM/sVC6LCnWvxub5a3bA4w=; b=cDgHqHEEUZ2hrUYr/YBhD4ORjFU+tpcAOSxs6l3oUnnNZxImDSUTp4h0A1bNVEOi/x 5sxoN3vQwQ7jKbslFj6JqWpKfx4k7uCNI+rjh5if6DjkPUt58KEko3XRX8Wag+BQgUAE vtslN+2Bf2vB1BN2CcCx8tqnedmbUxC2zJfGjeBNVJZtyFyNO5ZEX1Ot0yhMOtsg/jGl cs2nbXnY9FzwbY2zDARygIW4+jZ033F6KAqH04IRupVfM3BV86dHVC1hyKovpod8fj+g cTmP0dexIApLCYGlVm3Vm4g0/07eoQItAE+kLbT1CS56nO3qQtde0oKSa5r/QZC8dqdC DJkA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=iu9rqA6Do8Zo5ErLiIxJhcM/sVC6LCnWvxub5a3bA4w=; b=ircd1OrxgPlwwa3dmisCR1ApjKMqvQDI1vP7ftDTVmEJCNuIJJt8UNhRjZoDel4qjW Zsppg5SZ7iN7TEdwOp+MJb+l7tKrpwFuT8XcQDYyCDYTAW1IAgCJn5hNhQnI1WhNPBCC 2Yn5K1XELfupZGP6B1gpEVRxH5xMMHixT5AmNejDiytQLjnCeU5Cl2MV0XmxDGaY0Eis A6TdFaK8fXT1FMJCB12yIgh3nZU5T8cVZcXcqcM9HuBmDeSNOufFymGChth6Clo9MB6k COB93cl4q+cVnrXe2+JZ42LbTG3eOkrZjsyC2UgVzcweYQrP8F98twHQG2Nmk3B8F1nX yohA==
X-Gm-Message-State: APjAAAV6FQT1WkdUHeSDhfkM5Sjg1CCCB5En+htbcYlhWfPH46K7AP/7 ue/SAGg7Y6EWC6htPPZs9LSqfZjDD0c=
X-Google-Smtp-Source: APXvYqzAjtJTYmJd743RQx5LuDu3KdYr4eed0qDHEI7iWCZWlD8jbWqUkYg0OMHATgcqCdJs9knXyw==
X-Received: by 2002:a17:90a:5288:: with SMTP id w8mr29505554pjh.61.1562634071563; Mon, 08 Jul 2019 18:01:11 -0700 (PDT)
Received: from mail-pl1-f181.google.com (mail-pl1-f181.google.com. [209.85.214.181]) by smtp.gmail.com with ESMTPSA id b26sm21923824pfo.129.2019.07.08.18.01.09 for <rtcweb@ietf.org> (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Mon, 08 Jul 2019 18:01:10 -0700 (PDT)
Received: by mail-pl1-f181.google.com with SMTP id a93so9157287pla.7 for <rtcweb@ietf.org>; Mon, 08 Jul 2019 18:01:09 -0700 (PDT)
X-Received: by 2002:a17:902:20c8:: with SMTP id v8mr28729231plg.284.1562634069028; Mon, 08 Jul 2019 18:01:09 -0700 (PDT)
MIME-Version: 1.0
References: <29062AF1-579F-41F2-A2A6-633E4371BF1E@mozilla.com> <CAD5OKxuCj8cbU5X+9xb5_xDC4VR6qYSuvwwNoKvSYxJHxeeN0g@mail.gmail.com> <C4EF9E8D-6A7A-40DF-82ED-0E4CB1D028EC@mozilla.com>
In-Reply-To: <C4EF9E8D-6A7A-40DF-82ED-0E4CB1D028EC@mozilla.com>
From: Roman Shpount <roman@telurix.com>
Date: Mon, 08 Jul 2019 21:00:58 -0400
X-Gmail-Original-Message-ID: <CAD5OKxvYiz15QSibbBj7sLnvnnt7G3Nx4cFtwZjd1GwBuzC9Eg@mail.gmail.com>
Message-ID: <CAD5OKxvYiz15QSibbBj7sLnvnnt7G3Nx4cFtwZjd1GwBuzC9Eg@mail.gmail.com>
To: Nils Ohlmeier <nohlmeier@mozilla.com>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009935e0058d351854"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/MeTfe0M176-27i5hobeh7qljRB0>
Subject: Re: [rtcweb] Feedback for draft-ietf-rtcweb-mdns-ice-candidates-03
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Jul 2019 01:01:16 -0000

Hi Nils,

Using FQDN was not my decision and it is certainly not uncontroversial. As
I have mentioned, I see two possible options for address in c= line:

1. Same FQDN as in default ICE candidate
2. IPv4/IPv6 address values "0.0.0.0"/"::" and port value of "9"

The main argument for option 1, is that it should be compatible with legacy
implementations based on RFC 4566/RFC 5245. There is a question of
Verifying ICE Support (https://tools.ietf.org/html/rfc5245#section-5.1). It
is unclear what matching default candidate to a=candidate supposed to mean
when FQDN is used, but using the same literal value seemed like a safer
option.

The main argument against option 1 is that no one implemented or tested
FQDN in a=candidate before chrome implemented mDNS candidates, so default
candidate selection and verifying ICE support was not tested either. I did
see multiple implementations using FQDN in c= line. There are multiple use
cases for this which existed outside of ICE and mDNS.

The main argument for option 2 is that end points that implemented trickle
ICE support, would likely support  "0.0.0.0"/"::" and port value of "9" in
"c="/"m=" lines. This option is documented in JSEP as well, so it seems
safer for the WebRTC compatible end points.

The main argument against option 2 is that legacy endpoints which are not
WebRTC compatible will have no reason to support   "0.0.0.0"/"::" and port
value of "9"   in "c="/"m=" lines.

This being said, FQDN in a=candidate is a breaking change either way, since
nobody tested for this before mDNS. If legacy implementations do work with
it, it is mostly by accident.

I do not see how FQDN in a=candidate can be rolled out without causing some
breakage.

Finally, using FQDN in a=candidate was always broken/under-specified in RFC
5245. The following things in RFC 5245 are missing or broken:

1. ICE Support Verification procedures -- was fixed in ice-sip-sdp by
stating that FQDN on c= line must never cause the ICE verification failure

2. Default candidate selection procedures -- no guidance was provided what
address value, address family and type should be specified in the "c="
line. mDNS draft specifies using FQDN literal value and always using IN IP4
regardless of the actual address used for FQDN. As we know this is causing
breakage with Firefox and can potentially cause breakage with legacy
implementations which implemented FQDN candidate support based on RFC 5245
(unclear if such implementations exist).

3. Candidate FQDN assignment procedures, i.e. do not assign FQDN which
resolves to more then one address

4. Candidate FQDN resolution procedures in RFC 5245 are broken. Two end
points can end up with different addresses if FQDN resolves to multiple
addresses or if DNS64, 464XLAT or some other DNS based NAT firewall is
present for one of the end points.

I think, resolution problem is not fixable unless additional information
about address family and type is added to a=candidate line which uses FQDN.
This will make a=candidate line orivude the same information as c= line,
ending up with something like:

a=candidate:2 1 udp 2129033471 alice.comany.biz 60460 typ host addrype
inipv4
a=candidate:1 1 udp 2129289471 alice.comany.biz 60454 typ host
addrype inipv6


If anybody interested I can describe the problem and solution in more
details.

Best Regards,
_____________
Roman Shpount


On Mon, Jul 8, 2019 at 7:55 PM Nils Ohlmeier <nohlmeier@mozilla.com> wrote:

> Hi Roman,
>
> I know that not being able to handle FQDN in c-lines is a bug on the
> Firefox side.
> And we are working on it to fix it:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1544770
>
> But my main question is: why does the draft right now recommend to use the
> mDNS FQDN in the c-line, rather then a fake IPv4/IPv6 address?
> I fail to see the advantage of using the FQDN and it appears to cause more
> interop issues.
>
> Best
>   Nils Ohlmeier
>
> On 4Jul, 2019, at 12:26, Roman Shpount <roman@telurix.com> wrote:
>
> Nils,
>
> When writing ice-sip-sdp we have considered two possible options when
> using FQDN in ICE candidate lines:
>
> 1. Same FQDN as in default ICE candidate
> 2. IPv4/IPv6 address values "0.0.0.0"/"::" and port value of "9"
>
> To deal with both, ice-sip-sdp specifies, that when verifying ICE support,
> both options should be accepted.
>
> Since RFC 5245 provided no guidance regarding handling FQDN in default
> candidate, both options would likely cause ICE support verification
> failures. Using FQDN in default candidate also raised the question of
> address family and address type in c= line since neither is specified in
> the ICE candidate.
>
> This being said, FQDN in c= line is allowed by RFC 4566:
>
> connection-field =    [%x63 "=" nettype SP addrtype SP
>                          connection-address CRLF]
>                          ;a connection field must be present
>                          ;in every media description or at the
>                          ;session-level
>
> ; sub-rules of 'c='
> connection-address =  multicast-address / unicast-address
> unicast-address =     IP4-address / IP6-address / FQDN / extn-addr
>
> Not being able to handle FQDN in the c= line is technically a bug.
>
> Best Regards,
> _____________
> Roman Shpount
>
>
> On Thu, Jul 4, 2019 at 1:26 AM Nils Ohlmeier <nohlmeier@mozilla.com>
> wrote:
>
>> Hello,
>>
>> I have concerns regarding the current recommendations in
>> draft-ietf-rtcweb-mdns-ice-candidates-03 regarding the handling of IP
>> addresses in the “c=“ lines.
>>
>> Section 3.1.2.3 recommends to use mDNS for the connection-address. I
>> think we should reconsider this advice as some SPD parsers handle parsing
>> failures differently depending on line type.
>> In case of Firefox a parsing failure for the connection line is treated
>> as terminal failure. Where parsing failures for a= lines are expected, as
>> these might contain unknown new features.
>>
>> Section 4.3 mentions that hostnames in ICE candidates can result in ICE
>> failures, but it does not cover backward compatibility in regards to the c=
>> line.
>>
>> My recommendation is to change the draft so that it recommends to always
>> use a fixed value, for example IP6 ::1 in all c= lines, if mDNS is in use.
>> Obviously it could also be recommended to use an IP4 address instead. The
>> important point is only to use the same IP consistently in all c= lines and
>> across all instances.
>> I think the advantage of this is better backwards compatibility, and it
>> will not reveal any more details about the user agent compared to using
>> mDNS names in c= lines.
>>
>> Best regards
>>   Nils Ohlmeier
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb
>>
>
>

v2.23.0 | Report a Bug | By Email