Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples
Harald Alvestrand <harald@alvestrand.no> Fri, 13 March 2015 16:47 UTC
Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F6921A88C3 for <rtcweb@ietfa.amsl.com>; Fri, 13 Mar 2015 09:47:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id acbavjr_-Xbu for <rtcweb@ietfa.amsl.com>; Fri, 13 Mar 2015 09:46:59 -0700 (PDT)
Received: from mork.alvestrand.no (mork.alvestrand.no [IPv6:2001:700:1:2::117]) by ietfa.amsl.com (Postfix) with ESMTP id 92E401A88C1 for <rtcweb@ietf.org>; Fri, 13 Mar 2015 09:46:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mork.alvestrand.no (Postfix) with ESMTP id AC3E87C42F1 for <rtcweb@ietf.org>; Fri, 13 Mar 2015 17:46:57 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at alvestrand.no
Received: from mork.alvestrand.no ([127.0.0.1]) by localhost (mork.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ozBpJfmpePLd for <rtcweb@ietf.org>; Fri, 13 Mar 2015 17:46:56 +0100 (CET)
Received: from [10.100.7.176] (255.Red-88-9-26.dynamicIP.rima-tde.net [88.9.26.255]) by mork.alvestrand.no (Postfix) with ESMTPSA id 591037C42EA for <rtcweb@ietf.org>; Fri, 13 Mar 2015 17:46:55 +0100 (CET)
Message-ID: <5503147C.3060506@alvestrand.no>
Date: Fri, 13 Mar 2015 16:46:52 +0000
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <54F74B02.1070902@jive.com> <CA5E97EE-99F8-44D8-B05B-C9EFDED1A9BB@vidyo.com> <2F467A7E-7A6C-4B1B-985A-0D9C089BE973@cisco.com> <CAOJ7v-1TjZOZ5G31vy_Gt73ADGLRay1RHVeMi=H6Q4=N1b6HLA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D7367A0@ESESSMB209.ericsson.se> <CALiegfmyp=v6thk4eLz7nL1BHh2Qj7jmC84tdG7ufg8HPXsVKA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D7369C9@ESESSMB209.ericsson.se> <CAD5OKxtCswToNzoZnnqJ5M66mjNjKJoA++WYNqN5155n+CWXsA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D736AC0@ESESSMB209.ericsson.se> <CAD5OKxs1grSqAG32mf__wtsjpo68jZmKonbd+EsJmYNsDHUbFQ@mail.gmail.com> <CAOJ7v-3YypG1s9KXOCA+Fo58SuVuUk5-thcSc0k3N2j=4ZmJoA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D737A76@ESESSMB209.ericsson.se> <CAD5OKxs+OEDp9pYrZHw237PfsNunao=PSC89dRhWiFcMwEQUXg@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D739611@ESESSMB209.ericsson.se> <CAOJ7v-3bCxVP9fNuRFp_sVBXh4msnF1=fVZrefE0jejMzY8VQQ@mail.gmail.com>
In-Reply-To: <CAOJ7v-3bCxVP9fNuRFp_sVBXh4msnF1=fVZrefE0jejMzY8VQQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------020403020107010504070804"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/Xehli6sCXHiovTu9PqDN_RdqJUg>
Subject: Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Mar 2015 16:47:01 -0000
On 03/13/2015 04:12 PM, Justin Uberti wrote: > > > On Fri, Mar 13, 2015 at 4:05 AM, Christer Holmberg > <christer.holmberg@ericsson.com > <mailto:christer.holmberg@ericsson.com>> wrote: > > Hi, > > > TLS (vs DTLS) cannot run on top of ICE since it is not a > protocol which can run on top of unreliable packet based transport > with no order guarantees. It would require a stream > > based transport to run below it in order to operate. If someone > defines TCP over ICE, that would make a good underlying stream > protocol to run below TLS. Once again, no one > > needed this so far. > > Even if we had TCP over ICE, I still don't know whether we would > be able to run TLS on top. Because, in addition to reliability, > doesn't TLS also rely on the ordering provided by TCP? We would > need to make sure the ordering is maintained if endpoints use > multiple TCP 5-tuples. > > > A few points: > - Anything we are say "runs over ICE" is going to be tunneled over UDP > or TCP, whichever ICE chooses to use as its underlying datagram > transport. So the notion of running "plain TCP" over ICE is nonsensical. > > - Assuming we do run TCP over ICE, we can certainly run TLS on top. > Since TCP is just treating the underlying ICE transport as a datagram > transport, TCP retains all of its reliability and in-order properties. > So TLS just sees that it is running over TCP, and doesn't care that it > is ICE at the lowest layer. Note that this stacking of TLS/TCP/ICE is > different from the case of running TLS over ICE-TCP, since ICE-TCP > does not guarantee reliability or ordering. > > - Harald's point about the TCP checksum is true; if we were truly > standardizing TCP-over-ICE, we would have to define an appropriate way > to compute the TCP checksum given that said checksum makes assumptions > about IP particulars. This would not be hard though. > > - Lastly, this is clearly a source of massive confusion, so I agree we > should discuss it in detail in Dallas. I would be happy to help > prepare presentation material if needed. Can we define an use case for which there is a compelling need for <whatever it is we're discussing> before spending too much meeting time on it? It's clearly very simple to define a protocol that is like TCP except that the checksum doesn't include the addresses, and where the two highest bits of the first byte aren't 00. It's not interoperable with standard TCP, it can't take advantage of TCP accelerator hardware or be detected by TCP-sensitive middle boxes (unless tweaked). But it's simple to define. It's also clearly very simple to run this protocol over ICE. But why? And is this scenario relevant for RTCWEB, which is trying to finish its current set of options?
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Paul Kyzivat
- [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Simon Perreault
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Simon Perreault
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Simon Perreault
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Eric Rescorla
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Lorenzo Miniero
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Makaraju, Maridi Raju (Raju)
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Makaraju, Maridi Raju (Raju)
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Jonathan Lennox
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Makaraju, Maridi Raju (Raju)
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Paul Kyzivat
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Bernard Aboba
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Simon Perreault
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Simon Perreault
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Paul Kyzivat
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Paul Kyzivat
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Cullen Jennings
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Justin Uberti
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Eric Rescorla
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Justin Uberti
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Harald Alvestrand
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Schwarz, Albrecht (Albrecht)
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Justin Uberti
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Harald Alvestrand
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Simon Perreault
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Justin Uberti
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Harald Alvestrand
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Justin Uberti
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Simon Perreault
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Roman Shpount
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Iñaki Baz Castillo
- Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples Christer Holmberg