Return-Path: X-Original-To: rtcweb@ietfa.amsl.com Delivered-To: rtcweb@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F03BD1A01F6 for ; Sun, 30 Nov 2014 06:21:01 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.901 X-Spam-Level: X-Spam-Status: No, score=-3.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4-3xvm4SnoeS for ; Sun, 30 Nov 2014 06:21:00 -0800 (PST) Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0D551A0108 for ; Sun, 30 Nov 2014 06:20:59 -0800 (PST) X-AuditID: c1b4fb2d-f79fc6d000001087-0a-547b27c9a152 Received: from ESESSHC011.ericsson.se (Unknown_Domain [153.88.253.124]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 8C.48.04231.9C72B745; Sun, 30 Nov 2014 15:20:57 +0100 (CET) Received: from ESESSMB209.ericsson.se ([169.254.9.189]) by ESESSHC011.ericsson.se ([153.88.183.51]) with mapi id 14.03.0195.001; Sun, 30 Nov 2014 15:20:57 +0100 From: =?Windows-1252?Q?Stefan_H=E5kansson_LK?= To: "Makaraju, Maridi Raju (Raju)" , Christer Holmberg , Roman Shpount Thread-Topic: [rtcweb] JSEP: Why always offer actpass? Thread-Index: AdAH/G6saC/Ce4vxTgqv23nLTon8JA== Date: Sun, 30 Nov 2014 14:20:56 +0000 Message-ID: <1447FA0C20ED5147A1AA0EF02890A64B1D0E3909@ESESSMB209.ericsson.se> References: <1447FA0C20ED5147A1AA0EF02890A64B1D0D579E@ESESSMB209.ericsson.se> <1447FA0C20ED5147A1AA0EF02890A64B1D0D5A4B@ESESSMB209.ericsson.se> <1447FA0C20ED5147A1AA0EF02890A64B1D0D5FB6@ESESSMB209.ericsson.se> <1447FA0C20ED5147A1AA0EF02890A64B1D0D86B9@ESESSMB209.ericsson.se> <7594FB04B1934943A5C02806D1A2204B1D53F719@ESESSMB209.ericsson.se> <7594FB04B1934943A5C02806D1A2204B1D54BB03@ESESSMB209.ericsson.se> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [153.88.183.148] Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrNLMWRmVeSWpSXmKPExsUyM+Jvje5J9eoQgz8/NS0aNl5htZhxYSqz xdp/7ewOzB6tz/ayeixZ8pPJ49aUggDmKC6blNSczLLUIn27BK6MffvusBTMUqhom/ORvYFx n1QXIweHhICJxJ+zhl2MnECmmMSFe+vZuhi5OIQEjjBKdC34yAzhLGGUuPLsCztIA5tAsETT XzeQuIjAAkaJdysXsoN0MwuoS9xZfA7MFhYwlZh0cRkTiC0iYCax8OQERghbT+LmlwssIDaL gKrEyZU9YHFeAV+JWd+esUMse88m0d10B6yIEeik76fWMEEsEJe49WQ+E8SpAhJL9pxnhrBF JV4+/scKYStJNC55wgpRbyDx/tx8ZghbW2LZwtfMEMsEJU7OfMIygVF0FpKxs5C0zELSMgtJ ywJGllWMosWpxcW56UbGeqlFmcnFxfl5enmpJZsYgbFzcMtv3R2Mq187HmIU4GBU4uHd8KMq RIg1say4MvcQozQHi5I476Jz84KFBNITS1KzU1MLUovii0pzUosPMTJxcEo1MC5Qir6uK1Dp zrYm9JTK7+Y6NtEj8//85g/aIPXly7+khdXMH3In5XGcvRjn47jitdTtnueaapOXHfGseGFc uKI54+yEuXXHV/Da+R5xzjAIfzoviOPnrR1HPXrm6tX1eu/lKOc6ePLym5Sq9UWTaq9nnT57 1vXiXv8dKX85d77QD1I+1LD18jQlluKMREMt5qLiRAD1j3eEfgIAAA== Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/y3TUxLbLonIbjgwh65ZqP5p7ygo Cc: "rtcweb@ietf.org" Subject: Re: [rtcweb] JSEP: Why always offer actpass? X-BeenThere: rtcweb@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Real-Time Communication in WEB-browsers working group list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 30 Nov 2014 14:21:02 -0000 On 30/11/14 14:51, Makaraju, Maridi Raju (Raju) wrote:=0A= >> Hi,=0A= >>=0A= >>>> RFC 7345 (UDPTL-DTLS) says the following:=0A= >>>>=0A= >>>> "Once an offer/answer exchange has been completed, either=0A= >>>> endpoint=0A= >> MAY=0A= >>>> send a new offer in order to modify the session. The=0A= >>>> endpoints=0A= >> can=0A= >>>> reuse the existing DTLS association if the key fingerprint=0A= >>>> values=0A= >> and=0A= >>>> transport parameters indicated by each endpoint are unchanged.=0A= >>>> Otherwise, following the rules for the initial offer/answer=0A= >> exchange,=0A= >>>> the endpoints can negotiate and create a new DTLS association=0A= >>>> and, once created, delete the previous DTLS association,=0A= >>>> following the same rules for the initial offer/answer exchange.=0A= >>>> Each endpoint needs to be prepared to receive data on both the=0A= >>>> new and old DTLS associations as long as both are alive."=0A= >>>>=0A= >>>> So, I guess that can be read in a way that the setup attribute=0A= >>>> as such=0A= >> does not impact previously=0A= >>>> negotiated TLS roles - unless the key fingerprint values and/or=0A= >>>> transport=0A= >> parameters are modified.=0A= >>>>=0A= >>>> The SCTP-SDP draft currently says that a subsequent offer must=0A= >>>> not change=0A= >> the previously negotiated roles. But, I guess=0A= >>>> we could say something similar as in RFC 7345.=0A= >>>=0A= >>> I have struggled with this language quite a bit from the=0A= >>> implementation=0A= >> perspective. I think we need to explicitly state=0A= >>> that endpoints MUST reuse the existing association if the key=0A= >>> fingerprint=0A= >> values and transport parameters indicated=0A= >>> by each endpoint are unchanged.=0A= >>=0A= >> We could take such general approach.=0A= >>=0A= >> However, for =91SCTP/DTLS=92 (DTLS over SCTP), I assume that the DTLS=0A= >> connection will also be re-established if the underlying SCTP=0A= >> association is re- established - even if no transport parameters=0A= >> etc are changed.=0A= >>=0A= >> Also, RFC 6083 says:=0A= >>=0A= >> =93Each DTLS connection MUST be established and terminated within the=0A= >> same SCTP association.=94=0A= >>=0A= >>=0A= >>> The way this language reads to me is that endpoints can reuse the=0A= >>> existing=0A= >> association if they want to, but they can create a new one if they=0A= >> don't. Also, when this new=0A= >>> association is created, it is unclear if old setup roles MUST be=0A= >>> preserved=0A= >> or if they MUST be selected based on the current offer/answer=0A= >> exchange. It seems the current=0A= >>> specification language is not strong or clear enough on this=0A= >>> topic.=0A= >>=0A= >> In my opinion, IF a new DTLS connection needs to be established=0A= >> (for whatever reasons), the current roles should be used.=0A= >=0A= > When ICE is NOT used, how does the offerer know that the=0A= > answerer does not change the fingerprint and/or transport parameters?=0A= > I guess it does not know. So, offerer has to be prepared for new DTLS=0A= > association by offering actpass. When ICE is used, the answerer can't=0A= > change transport parameter unless offerer does ICE restart (which=0A= > changes offerer transport parameters); Ref [1] is very clear on this=0A= > indicating "DTLS handshake procedure is repeated". However, even when=0A= > ICE is used, I do not find any restriction about answerer not=0A= > changing fingerprint. So, even without ICE restart answerer can=0A= > trigger a DTLS renegotiation by changing its fingerprint.=0A= >=0A= > To conclude all this, IMO whether ICE is used or not, sending actpass=0A= > for all new offers may be cover all possible scenarios.=0A= =0A= That is also my conclusion based on the discussion so far.=0A= =0A= I also think the JSEP draft as far as detailed out is correct, but info =0A= about how the implementation should behave for Subsequent answers is =0A= missing. Text saying that the role must be maintained (unless there is =0A= an ICE restart) should be put in there.=0A=