Re: [rtcweb] Review of draft-ietf-rtcweb-stun-consent-freshness
Bernard Aboba <bernard.aboba@gmail.com> Fri, 22 May 2015 04:54 UTC
Return-Path: <bernard.aboba@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E830F1A9103; Thu, 21 May 2015 21:54:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wx13Fjf8lqpv; Thu, 21 May 2015 21:54:09 -0700 (PDT)
Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6FBF1A9108; Thu, 21 May 2015 21:54:08 -0700 (PDT)
Received: by wibt6 with SMTP id t6so34767794wib.0; Thu, 21 May 2015 21:54:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=M9GK6veDWhblg37p5x5ia9EXwaC8Vcut1j/SL0joveM=; b=lLMgXzIhsUS6SU0CC6Xu5oLE48cFFQcepRElF3nK1Zn0DzWTFeTAj8t5UCeTgxk9TO 675JEzuCgUoy8CPByYqcrL5e6IJ5h8CTP4JjuBvRJB0QR3oXPJ0H7EduyW5gGrkWeuqL ewRoJhhOhQsL9HqG3qLJPirUtQ4Y3grsPYberT1FWz8uwWc1WH+PAWJ85Z9+ug9L4IU3 ETussXTZ15eKzDFHtJeYRYIe7gXdn/Gt55NsK7aMcMx55NeP6B9dwCgO0Ag12rcGKAfz NGeT2HlagtVCCnkclPzSSz1oE0L7ouPH7mBKk/lm8bmPc6CZ2qcuzxhwSCUctpYp8npq 5Zmw==
X-Received: by 10.180.96.196 with SMTP id du4mr3614917wib.77.1432270447465; Thu, 21 May 2015 21:54:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.54.16 with HTTP; Thu, 21 May 2015 21:53:47 -0700 (PDT)
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B1D82B0F3@ESESSMB209.ericsson.se>
References: <CAOW+2dsv8CVpaKoBsUvc5MGh2s3xD2J5NiXPAnFUMOhYqSmjzQ@mail.gmail.com> <CABkgnnWgpSYDjRQpk16Z0mCLietUcK1dSiNL-Y+jmFCpqan4Gg@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D82B0F3@ESESSMB209.ericsson.se>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Thu, 21 May 2015 21:53:47 -0700
Message-ID: <CAOW+2dvzE2emRPdn6_zeTZLb4+v_Urg7u50byunrccnnQ=1FpQ@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Content-Type: multipart/alternative; boundary="f46d043bdabc3e5c740516a473a1"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/Sod_0bRH_E_gv2cfvLAh7gCT41E>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [rtcweb] Review of draft-ietf-rtcweb-stun-consent-freshness
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 04:54:11 -0000
Christer said: "A while ago, we agreed that consent does not need to be maintained on candidate pairs that aren't currently used." [BA] If the specification were to say that consent is required once media is sent, then this would logically follow. That should not be seen as lost consent (i.e. if the UA wants to start sending data on the candidate pair it should not have to do ICE restart or create a new session). [BA] I agree. As long as it can obtain consent on the new pair (without having to update the ufrag/pwd), it should be fine. So, consent is lost if the UA sends consent requests, and does not receive a response. [BA] Consent is lost for that candidate pair, and that pair alone. If connectivity checks are being done on an unused candidate pair (as advocated in Justin's nombis draft), the consent mechanism does not apply until media is sent on that pair. So you can't revoke consent on a candidate pair if media isn't being sent on the pair. Perhaps that is clear in the draft, but if people have a different understanding it may need to be clarified :) [BA] I agree with your perspective, but I do think it could be made more clear in the document. On Thu, May 21, 2015 at 8:55 PM, Christer Holmberg < christer.holmberg@ericsson.com> wrote: > Hi, > > ... > > >> After consent is lost for any reason, the same ICE credentials MUST > >> NOT be used on the affected 5-tuple again. That means that a new > >> session, or an ICE restart, is needed to obtain consent to send. > >> > >> [BA] The second sentence does not follow from the first. RFC 5245 > >> enables sending of media once a successful ICE connectivity check has > been received. > >> If multiple successful candidate pairs have been identified, why > >> should failure of consent on one candidate pair require an ICE restart > >> if another operational candidate pair exists? > > > >... is needed to obtain consent to send *on that candidate pair*. > > > >There was a long discussion about this point, the conclusion of which was > "use it or lose it". This captures that >conclusion. I can't remember the > details of the discussion, but I think that it wasn't a security concern > but a >robustness one. > > A while ago, we agreed that consent does not need to be maintained on > candidate pairs that aren't currently used. That should not be seen as lost > consent (i.e. if the UA wants to start sending data on the candidate pair > it should not have to do ICE restart or create a new session). > > So, consent is lost if the UA sends consent requests, and does not receive > a response. Consent is NOT lost if the UA stops sending consent requests > (and therefor obviously will not receive a response). > > Perhaps that is clear in the draft, but if people have a different > understanding it may need to be clarified :) > > Regards, > > Christer >
- [rtcweb] Review of draft-ietf-rtcweb-stun-consent… Ted Hardie
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Ram Mohan R (rmohanr)
- [rtcweb] Review of draft-ietf-rtcweb-stun-consent… Bernard Aboba
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Emil Ivov
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Bernard Aboba
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Martin Thomson
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Bernard Aboba
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Christer Holmberg
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Bernard Aboba
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Christer Holmberg
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Martin Thomson
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Bernard Aboba
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Martin Thomson
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Emil Ivov
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Martin Thomson
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Martin Thomson
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Bernard Aboba
- Re: [rtcweb] Review of draft-ietf-rtcweb-stun-con… Martin Thomson