Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 04 March 2015 19:54 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 692291A88A4 for <rtcweb@ietfa.amsl.com>; Wed, 4 Mar 2015 11:54:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QMSSjEOs1RjU for <rtcweb@ietfa.amsl.com>; Wed, 4 Mar 2015 11:54:07 -0800 (PST)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12B7D1A8762 for <rtcweb@ietf.org>; Wed, 4 Mar 2015 11:54:06 -0800 (PST)
X-AuditID: c1b4fb25-f79446d000003f3f-56-54f762dc5ba1
Received: from ESESSHC004.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id A9.06.16191.CD267F45; Wed, 4 Mar 2015 20:54:04 +0100 (CET)
Received: from ESESSMB209.ericsson.se ([169.254.9.214]) by ESESSHC004.ericsson.se ([153.88.183.30]) with mapi id 14.03.0210.002; Wed, 4 Mar 2015 20:54:04 +0100
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Simon Perreault <sperreault@jive.com>, Roman Shpount <roman@telurix.com>
Thread-Topic: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples
Thread-Index: AQHQVqbHfYSbCv5RRE+VguSZdJaU4Z0MmygAgAACNQCAAB9EuA==
Date: Wed, 04 Mar 2015 19:54:04 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B1D726AD8@ESESSMB209.ericsson.se>
References: <54F74B02.1070902@jive.com> <CAD5OKxs8JYG3-Vvndi59ZrdPE7UTj22ozD4tcWTHgzWrHv=q7Q@mail.gmail.com>, <54F756B2.60408@jive.com>
In-Reply-To: <54F756B2.60408@jive.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_7594FB04B1934943A5C02806D1A2204B1D726AD8ESESSMB209erics_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/oF4UNzRn5W4L6QkLYUnWiSYGwiY>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2015 19:54:09 -0000

Hi,

Didn't we last week agree that, if the underlying transport changes, the DTLS connection MUST be re-established?

Jumping from one candidate to another is a transport change, isn't it?

Regards,

Christer

Sent from my Windows Phone
________________________________
From: Simon Perreault<mailto:sperreault@jive.com>
Sent: 04/03/2015 21:02
To: Roman Shpount<mailto:roman@telurix.com>
Cc: rtcweb@ietf.org<mailto:rtcweb@ietf.org>
Subject: Re: [rtcweb] DTLS, DTLS-SRTP, and 5-tuples

On 2015-03-04 13:54, Roman Shpount wrote:
> This is not correct. An endpoint can have multiple flows with different
> keying material or different DTLS sessions on the same local ICE 3-tuple
> due to forking. A more correct implementation would be to associate
> multiple 5-tuples with the same logical transport stream based on ICE
> connectivity checks, using the ICE ufrag to identify which logical stream to
> associate with each 5-tuple.

Agreed.

> There is also another interesting consequence of this -- an endpoint
> should not reuse the same ICE candidate IP/port with a different ufrag
> during a session update offer/answer exchange. Otherwise you might end up
> with an ambiguous association between the logical streams and keying
> material or DTLS session.

Right. And wait MSL seconds before reusing a candidate to let the pipes
drain.

> All of this probably needs to be defined somewhere and I am not aware
> which RFC or draft defines this at this time.

I guess for DTLS/DTLS-SRTP the obvious target would be -security...

Simon

_______________________________________________
rtcweb mailing list
rtcweb@ietf.org
https://www.ietf.org/mailman/listinfo/rtcweb
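As an added example (not from the thread and not any rtcweb implementation's code), a small Python model of the demultiplexing the thread describes: 5-tuples are bound to logical streams by the ufrag pair carried in ICE connectivity checks, forked answers on the same local 3-tuple land in separate streams with separate DTLS state, a candidate cannot be rebound to a different ufrag while the old binding is live, and a released candidate is not reused until MSL seconds have passed. The 5-tuple layout, the MSL value of 120 s and the `dtls_session` slot are assumptions.

```python
import time

MSL = 120.0  # seconds; assumption: TCP maximum segment lifetime from RFC 793

class AmbiguousAssociation(Exception):
    pass

class CandidateNotDrained(Exception):
    pass

class LogicalStream:
    """One logical transport: (local ufrag, remote ufrag), its 5-tuples, its DTLS state."""
    def __init__(self, local_ufrag, remote_ufrag):
        self.key = (local_ufrag, remote_ufrag)
        self.five_tuples = set()
        self.dtls_session = None  # hypothetical handle, set once the DTLS handshake completes

class IceDemux:
    # 5-tuple layout assumed here: (proto, local_ip, local_port, remote_ip, remote_port)
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.streams = {}          # (local_ufrag, remote_ufrag) -> LogicalStream
        self.by_tuple = {}         # 5-tuple -> stream key
        self.candidate_ufrag = {}  # local (ip, port) -> local ufrag it is currently bound to
        self.released_at = {}      # local (ip, port) -> time the binding was released

    def bind_candidate(self, local_addr, local_ufrag):
        """Offer/answer binds a local candidate to a ufrag; refuse ambiguous or undrained reuse."""
        bound = self.candidate_ufrag.get(local_addr)
        if bound is not None and bound != local_ufrag:
            raise AmbiguousAssociation(f"{local_addr} is still bound to ufrag {bound}")
        released = self.released_at.get(local_addr)
        if released is not None and self.clock() - released < MSL:
            raise CandidateNotDrained(f"{local_addr} was released less than MSL ago")
        self.candidate_ufrag[local_addr] = local_ufrag

    def release_candidate(self, local_addr):
        """A session update dropped this candidate: start the MSL drain timer."""
        self.candidate_ufrag.pop(local_addr, None)
        self.released_at[local_addr] = self.clock()

    def on_connectivity_check(self, five_tuple, username):
        """STUN Binding request seen on a 5-tuple; USERNAME is 'local-ufrag:remote-ufrag'."""
        local_ufrag, remote_ufrag = username.split(":", 1)
        if self.candidate_ufrag.get(five_tuple[1:3]) != local_ufrag:
            return None  # ufrag does not match this candidate's binding: drop the check
        key = (local_ufrag, remote_ufrag)
        stream = self.streams.setdefault(key, LogicalStream(*key))
        stream.five_tuples.add(five_tuple)
        self.by_tuple[five_tuple] = key
        return stream

    def stream_for_packet(self, five_tuple):
        """Route an incoming DTLS/SRTP packet by its 5-tuple; None if no check bound it yet."""
        key = self.by_tuple.get(five_tuple)
        return self.streams.get(key) if key else None
```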