Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-channel-12.txt> (WebRTC Data Channels) to Proposed Standard
Randell Jesup <randell-ietf@jesup.org> Sat, 18 October 2014 18:41 UTC
Return-Path: <randell-ietf@jesup.org>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 279F81A00F9 for <rtcweb@ietfa.amsl.com>; Sat, 18 Oct 2014 11:41:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.399
X-Spam-Level: *
X-Spam-Status: No, score=1.399 tagged_above=-999 required=5 tests=[BAYES_50=0.8, J_CHICKENPOX_41=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IwxFCDuFOIUL for <rtcweb@ietfa.amsl.com>; Sat, 18 Oct 2014 11:41:11 -0700 (PDT)
Received: from relay.mailchannels.net (si-002-i53.relay.mailchannels.net [184.154.112.227]) by ietfa.amsl.com (Postfix) with ESMTP id 7B1901A00FD for <rtcweb@ietf.org>; Sat, 18 Oct 2014 11:41:10 -0700 (PDT)
X-Sender-Id: wwwh|x-authuser|randell@jesup.org
Received: from r2-chicago.webserversystems.com (ip-10-213-14-133.us-west-2.compute.internal [10.213.14.133]) by relay.mailchannels.net (Postfix) with ESMTPA id 0CD4C120148 for <rtcweb@ietf.org>; Sat, 18 Oct 2014 18:41:07 +0000 (UTC)
X-Sender-Id: wwwh|x-authuser|randell@jesup.org
Received: from r2-chicago.webserversystems.com (r2-chicago.webserversystems.com [10.251.53.86]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:2500 (trex/5.3.1); Sat, 18 Oct 2014 18:41:08 GMT
X-MC-Relay: Neutral
X-MailChannels-SenderId: wwwh|x-authuser|randell@jesup.org
X-MailChannels-Auth-Id: wwwh
X-MC-Loop-Signature: 1413657668254:1760815717
X-MC-Ingress-Time: 1413657668254
Received: from pool-71-175-4-200.phlapa.fios.verizon.net ([71.175.4.200]:56144 helo=[192.168.1.12]) by r2-chicago.webserversystems.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.82) (envelope-from <randell-ietf@jesup.org>) id 1XfYw6-0008rt-Sp for rtcweb@ietf.org; Sat, 18 Oct 2014 13:41:06 -0500
Message-ID: <5442B41D.6040307@jesup.org>
Date: Sat, 18 Oct 2014 14:40:29 -0400
From: Randell Jesup <randell-ietf@jesup.org>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <20141010004836.12666.88765.idtracker@ietfa.amsl.com> <03a3bbbc282b4e6d88d587931b46b5f8@CY1PR0501MB1579.namprd05.prod.outlook.com> <57B40110-2F21-4893-B77C-54F46D18567F@lurchi.franken.de> <1DE35922-E890-40C2-87E9-C8C12235920E@phonefromhere.com> <E53B9B7E-37F0-495C-B1BA-DE0A48AC6D73@lurchi.franken.de> <abdfd3ef58dd40028e8d5e2248b5a995@CY1PR0501MB1579.namprd05.prod.outlook.com> <543A5570.7060208@alvestrand.no> <B53499C4-6B51-4E8E-87C2-C8E5C10DBC34@lurchi.franken.de> <543A9E11.2030605@alvestrand.no> <F5C54F5E-C301-4EC7-9536-E43EA3A16863@lurchi.franken.de> <543ABE69.8030104@alvestrand.no> <99078EA5-5FE7-431F-9C70-EEA882F4C3C6@lurchi.franken.de> <E1FE4C082A89A246A11D7F32A95A17828E5DA2AC@US70UWXCHMBA02.zam.alcatel-lucent.com> <71e2b21516cb496eb4d1ad2b26e53a29@CY1PR0501MB1579.namprd05.prod.outlook.com> <543CD1CD.3000001@alvestrand.no> <5440E38F.9070809@jesup.org> <c4ff2fdcd48f4388b67f3e1ffed8edfe@CY1PR0501MB1579.namprd05.prod.outlook.com>
In-Reply-To: <c4ff2fdcd48f4388b67f3e1ffed8edfe@CY1PR0501MB1579.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AuthUser: randell@jesup.org
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/YtRfvq1Sr1KHc4Fb5-hKn3pWwaM
Subject: Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-channel-12.txt> (WebRTC Data Channels) to Proposed Standard
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Oct 2014 18:41:13 -0000
On 10/17/2014 4:00 PM, Wyss, Felix wrote: >>> I now see a tradeoff between allowing such non-mapping boxes >>> (operating below the SCTP layer but above the DTLS layer in our model) >>> and avoiding additional complexity (either extending DCEP with glare >>> resolution - something it was designed to avoid needing - or requiring >>> such boxes to not use actpass). >> I'll note that not only does it have to sit between the SCTP and DTLS layers, >> but also it has to be the offerer to both sides as well. So if we use SDP, the issues become one of ensuring the two sides always have different values. For direct calls, no problem (offerer sets mine=x, answerer sets mine=!x) For direct intermediated calls, the same (offer is just forwarded) For start-in-the-middle calls (3pcc) the middlebox sends offers to both sides, but can use complimentary values: offer->A mine=x, offer->B mine=!x (makes assumptions about how A and B will answer! & likely demands use of TURN server or media gateway) or offer->A mine=x, A->answer mine=!x, "offer"->B mine=!x, B->answer mine=x (and then the middlebox will start a renegotiation if for some reason B's answer is incompatible with A's response). May require some careful ICE candidate handling to avoid TURN. Note: I hate this sort of setup in SDP; it almost guarantees issues when you don't have tightly-coupled endpoints and thus know how they'll respond to the SDP. Note that in SIP-land-style you'd generally (always?) do it this way to avoid re-negotiation and avoid the tight coupling: offer->A with no SDP; A->"answer" (really createOffer()), offer->B, B->answer, answer->A (In SIP this would be OFFER->A (null SDP), A->200 OK(offer-SDP), OFFER->B(offer-SDP), B->200 OK (answer-SDP), ACK->A (answer-SDP), ACK->B (null) Note here that both sides agree who offered and answered, unlike the above, AND I believe that DTLS role use would work. > This is a problem even if the middlebox is the answerer on one side and the offerer on the other (relay). As offerer it cannot control what role it will play without violating RFC#5763. As Indicated in my response to Harald from the 15th, I do not believe allowing the offerer to offer anything but actpass to be a desirable approach. Per above, if it's simply asking the application for an offer, then forwarding it, there's no issue: the offer is a true offer, you never have to "convert" an SDP offer into an answer or vice versa, and the offer will be actpass and roles will be consistent (assuming the middlebox isn't trying to intercept/sniff the decrypted DataChannel data). So, if the middle box uses sip-style "empty offers" (ask the app to make an offer), then I think there are no issues with DTLS role. If it tries to avoid the 3-way handshake style, or work with apps that don't understand it then there'd be an issue (but in webrtc signaling isn't specified, so the middlebox MUST be designed to be compatible with the signaling used by the apps). Also, if the middlebox acts as an "answerer-in-the-middle", DTLS roles should work: A->middlebox offer, B->middlebox offer, middlebox->A answer, middlebox->B answer (where the answers are derived from the offer on the other side). This again requires that the two Offers be safely transformable by the middlebox into answers without a renegotiation. The middlebox would select the roles in the answers to be complimentary. >> While certainly there are some use-cases for that, it's by no means the common case. >> WebRTC applications designed to work with such a midpoint may need to fall back on >> "external" negotiation, perhaps running a short sequence at opening time to >> decide who will get even and odd (assuming that both sides actually open >> channels dynamically). >> It means you may not be able to drop such a middlebox (and have it initiate >> offers to both sides) without a cooperative application (or one known to >> have a compatible usage patter) - but likely you need some level of known >> compatibility anyways, or more likely the entity deploying the middlebox also >> deploys or chooses the application - especially as we've explicitly said that >> signaling protocols and transmission (i.e. sending the offer, etc) is explicitly >> not defined by the WG, so the middlebox, in order to generate the offers to >> both sides >> *must* be in bed somehow with the applications - at least to where they all >> agree on signaling. > Well, then why not leave the ID generation and conflict resolution completely up to the application? That takes the DTLS role hack out of the picture too. Of course, leaving it to the application how it determines the ID risks that poorly written applications just pick it at random or some other criteria and don't worry about collisions ("well, it worked in my tests"). As per above, an application can *always* do that, it never has to use the DTLS-role-reliant allocations. Webrtc doesn't specify the signaling side; any middlebox must agree with the apps on signaling, and thus you can put requirements on how that interaction works. Inserting a middlebox into existing application channels that were not designed for a middlebox at most requires you to allow the application to be told to generate an offer, OR for the application to use it's own generation/conflict resolution. What is not possible is to insert a middlebox between arbitrary WebRTC apps that are not designed with that in mind, AND to try to initiate calls from the "middle" (without the SDP solution). However, initiation from the middle in that way is fraught with other issues and need to renegotiate after the first pass anyways. >>> I agree that the DTLS hack is ugly. But glare resolution is ugly too. >> Quite so. We had glare resolution in earlier versions. It sucked and caused >> lots of problems, especially with 0-rtt opens. >> >> While DTLS role isn't wonderful, neither was anything else proposed. >> Offerer/answerer status has the same problem. > Even the offerer/answerer role would be better than the DTLS role. At least that would work in the case where the middlebox relays the offer and answer. I think that's still too limiting as I'd rather allow the middlebox to be offerer on both sides, but I'll take it over the DTLS hack any day :-) I disagree that role won't work if the middlebox is just forwarding offers and answers - that's what every WebRTC signaling server is doing today. However, as I think you implied, you're also terminating DTLS but forwarding SCTP (and media). This a) implies packet-relay; b) implicit decryption of all media at the server (NOTE this is a security/privacy/MITM issue). Still, if A->middlebox (offer) is actpass, and middlebox->B (offer) is actpass (and they would be), then B chooses the role, and then when forwarding the answer to A the middlebox can choose the same role B did. So I still don't see a problem here.... Also, assuming some bits of my analysis are incorrect, or there are edge cases we care about we don't handle (the non-SIP-like start-in-middle case), then (and only then) as a working group, we need to decide if this is a usecase we support. Obviously B2BUA's (which this more-or-less is) are always possible, at varying levels of ease. The question (partly) is should the protocol be designed to ease the use of a B2BUA with datachannels *assuming* it doesn't work per above. >> An SDP parameter would >> allow a middlebox to specify to the endpoints compatible (complementary) >> values; however from a DataChannels perspective, this is almost the same as >> external negotiation if the middlebox and applications are 'matched'. > If in-band negotiation and collision resolution is not an option, adding an SDP attribute would be my second choice. If it's not present, use offerer/answerer role. If we *cannot* safely use DTLS role for middlebox cases, and care, then we should allow SDP to override the DTLS role (not use the SDP offer state as the base). If an offerer doesn't specify even/odd in the SDP, but the answer does specify, then the offerer must use the SDP of the answerer to select even/odd (i.e. SDP overrides role). -- Randell Jesup -- rjesup a t mozilla d o t com
- [rtcweb] Last Call: <draft-ietf-rtcweb-data-chann… The IESG
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Wyss, Felix
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Martin Thomson
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Wyss, Felix
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Michael Tuexen
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… tim panton
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Michael Tuexen
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Wyss, Felix
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Michael Tuexen
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Michael Tuexen
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Harald Alvestrand
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Makaraju, Maridi Raju (Raju)
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Michael Tuexen
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Wyss, Felix
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Harald Alvestrand
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Michael Tuexen
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Harald Alvestrand
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Michael Tuexen
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Makaraju, Maridi Raju (Raju)
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Wyss, Felix
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Makaraju, Maridi Raju (Raju)
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Peter Thatcher
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Harald Alvestrand
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Wyss, Felix
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Randell Jesup
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Wyss, Felix
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Randell Jesup
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Wyss, Felix
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… tim panton
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Wyss, Felix
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Randell Jesup
- Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-c… Wyss, Felix