RE: [Sip] draft-jennings-sip-dtls

"Christian Stredicke" <Christian.Stredicke@snom.de> Wed, 16 February 2005 22:16 UTC

Subject: RE: [Sip] draft-jennings-sip-dtls
Date: Wed, 16 Feb 2005 23:01:51 +0100
Message-ID: <B52FDDEC7CBE9D40B36FE900C9AD78B422A58A@merenge.intern.snom.de>
Thread-Topic: [Sip] draft-jennings-sip-dtls
From: Christian Stredicke <Christian.Stredicke@snom.de>
To: Francois Audet <audet@nortel.com>, Cullen Jennings <fluffy@cisco.com>, Jonathan Rosenberg <jdrosen@cisco.com>
Cc: sip@ietf.org

Today I would recommend that SIP operators avoid TCP (and that includes
TLS) because the processes are simply running out of sockets (think
about an ITSP with one million customers). The UDP/DTLS idea would make
it reasonably simple to have many more connections and have security on
top. And as far as I understood DTLS, it finally does solve the
fragmentation pain problem.

That sounds like a great thing to me. I would vote for DTLS!
 
CS
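
The "fragmentation pain" mentioned above is the reason DTLS fragments large handshake messages at the handshake layer instead of relying on IP fragmentation. The following Python is an added example, not code from the draft or from any of the posters: it fragments and reassembles DTLS handshake messages using the 12-byte handshake header that DTLS defines (RFC 4347, section 4.2.2, the specification the draft builds on), tolerating reordering and duplicate delivery, ignoring retransmissions of a completed message, and rejecting truncated, oversized or mutually inconsistent fragments. The record layer and all cryptography are omitted; the message bodies, the 2800-byte message and the 1000-byte fragment budget are constructed for the demonstration.

```python
"""Fragmentation and reassembly of DTLS handshake messages (added example).

Each fragment carries the total message length, its offset and its own
length, so a receiver can reassemble fragments arriving in any order and
reject one that contradicts the others.  Record layer and crypto omitted.
"""
import random
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# msg_type(8) length(24) message_seq(16) fragment_offset(24) fragment_length(24)
HANDSHAKE_HDR = struct.Struct("!B3sH3s3s")
HANDSHAKE_HDR_LEN = HANDSHAKE_HDR.size  # 12 bytes
MAX_MESSAGE = 64 * 1024   # assumed local cap so a forged length cannot force a huge buffer
HT_CERTIFICATE = 11       # HandshakeType value for Certificate


def _u24(n: int) -> bytes:
    if not 0 <= n < (1 << 24):
        raise ValueError("uint24 out of range")
    return n.to_bytes(3, "big")


@dataclass(frozen=True)
class Fragment:
    msg_type: int
    length: int            # length of the complete handshake message
    message_seq: int
    fragment_offset: int
    fragment_length: int
    body: bytes


def fragment_handshake(msg_type: int, message_seq: int, body: bytes, max_fragment: int) -> List[bytes]:
    """Split one handshake message into fragments with at most max_fragment body bytes.

    max_fragment is the budget left after IP, UDP and DTLS record headers;
    a zero-length message (e.g. ServerHelloDone) still yields one fragment.
    """
    if max_fragment <= 0:
        raise ValueError("max_fragment must be positive")
    total, offset, out = len(body), 0, []
    while True:
        chunk = body[offset:offset + max_fragment]
        hdr = HANDSHAKE_HDR.pack(msg_type, _u24(total), message_seq, _u24(offset), _u24(len(chunk)))
        out.append(hdr + chunk)
        offset += len(chunk)
        if offset >= total:
            return out


def parse_fragment(data: bytes) -> Fragment:
    """Parse one fragment; reject short, truncated, oversized or out-of-bounds ones."""
    if len(data) < HANDSHAKE_HDR_LEN:
        raise ValueError("short handshake header")
    msg_type, length, seq, off, flen = HANDSHAKE_HDR.unpack_from(data)
    length, off, flen = (int.from_bytes(x, "big") for x in (length, off, flen))
    if length > MAX_MESSAGE:
        raise ValueError("declared message length exceeds local limit")
    body = data[HANDSHAKE_HDR_LEN:HANDSHAKE_HDR_LEN + flen]
    if len(body) != flen:
        raise ValueError("truncated fragment")
    if off + flen > length:
        raise ValueError("fragment extends past the declared message length")
    return Fragment(msg_type, length, seq, off, flen, body)


def _covers(ranges: List[Tuple[int, int]], length: int) -> bool:
    """True when the [start, end) ranges together cover [0, length)."""
    covered = 0
    for start, end in sorted(ranges):
        if start > covered:
            return False
        covered = max(covered, end)
    return covered >= length


class Reassembler:
    """Reassembles handshake messages keyed by message_seq; duplicates and
    reordering are tolerated, inconsistent fragments raise ValueError."""

    def __init__(self) -> None:
        # message_seq -> (msg_type, length, buffer, received [start, end) ranges)
        self._pending: Dict[int, Tuple[int, int, bytearray, List[Tuple[int, int]]]] = {}
        self._done: set = set()

    def add(self, data: bytes) -> Optional[Tuple[int, bytes]]:
        f = parse_fragment(data)
        if f.message_seq in self._done:      # retransmission of a completed message
            return None
        state = self._pending.setdefault(f.message_seq, (f.msg_type, f.length, bytearray(f.length), []))
        msg_type, length, buf, ranges = state
        if f.msg_type != msg_type or f.length != length:
            raise ValueError("fragment inconsistent with earlier fragments of message_seq %d" % f.message_seq)
        buf[f.fragment_offset:f.fragment_offset + f.fragment_length] = f.body
        ranges.append((f.fragment_offset, f.fragment_offset + f.fragment_length))
        if not _covers(ranges, length):
            return None
        del self._pending[f.message_seq]
        self._done.add(f.message_seq)
        return msg_type, bytes(buf)


def demo(body_len: int = 2800, max_fragment: int = 1000, seed: int = 1) -> bool:
    """Constructed Certificate message: fragment, deliver shuffled with one
    duplicate, and check the reassembled message equals the original."""
    body = (bytes(range(256)) * (body_len // 256 + 1))[:body_len]
    frags = fragment_handshake(HT_CERTIFICATE, 2, body, max_fragment)
    delivery = frags + [frags[0]]
    random.Random(seed).shuffle(delivery)
    reassembler, result = Reassembler(), None
    for datagram in delivery:
        got = reassembler.add(datagram)
        if got is not None:
            result = got
    return result == (HT_CERTIFICATE, body)


if __name__ == "__main__":
    print("reassembly ok:", demo())
```

A real stack additionally binds each fragment to a DTLS record (epoch and 48-bit sequence number) and drives retransmission from a timer; what the example shows is only the handshake-layer bookkeeping that lets a datagram transport carry multi-kilobyte certificates without IP fragmentation.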


________________________________

From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On Behalf Of Francois Audet
Sent: Wednesday, February 16, 2005 9:47 PM
To: 'Cullen Jennings'; 'Jonathan Rosenberg'
Cc: sip@ietf.org
Subject: RE: [Sip] draft-jennings-sip-dtls

I would agree with Jonathan.

Yes, some implementations of SIP/TCP have performance issues compared to SIP/UDP, but not necessarily all of them.

Also, if we need to address the other problems of UDP transport (like fragmentation, and others), then it is not clear to me that we are saving much in the first place by using UDP/DTLS instead of TCP/TLS.

I'd like to see real data before we add yet another thing we'll have to implement...

-----Original Message-----
From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On Behalf Of Cullen Jennings
Sent: Tuesday, February 15, 2005 20:08
To: Jonathan Rosenberg
Cc: sip@ietf.org
Subject: Re: [Sip] draft-jennings-sip-dtls

Oops - I meant to put that.... There is pretty much one key thing. No one has built a single edge proxy that can terminate 100k to 1M connections to UAs using TLS. In theory it is possible, but in practice it seems hard. The argument is that this will be easier with DTLS. The issue is not the time it takes to do the crypto - session resumption deals with that nicely - it's just the issues of dealing with half a million TCP connections to one box. Of course no one has done it with DTLS either :-)

I believe the argument we made for SCTP was that adding an extension for SCTP won't increase the complexity of things that don't support SCTP.

I agree the UDP/TCP complexity made SIP more complicated and I agree that sip and sips made things more complicated. I'm not sure I buy that both TLS and TCP made things more complicated.
		
On 2/15/05 7:15 PM, "Jonathan Rosenberg" <jdrosen@cisco.com> wrote:

Cullen,

What seems missing to me from this is requirements and problem statements. What is DTLS doing for us that we don't get from TLS?

Though SIP can run over many different transport protocols, I think experience over time has shown that more choices here is not necessarily a good thing, as SIP has a fair bit of complexity as a result of dealing with the differences between UDP and TCP. As such, I don't think it's a good idea to just add more transport protocols to SIP's list of supported ones unless there is a compelling problem that it is solving.

Thanks,
Jonathan R.

Cullen Jennings wrote:

>
> Nagendra and I put together a draft on using DTLS with SIP. Until it
> shows up in the archives you can find it at
>
> http://scm.sipfoundry.org/rep/ietf-drafts/fluffy/draft-jennings-sip-dtls-00.html
>
> (there is a .txt version too)
>
>
> The abstract is:
>
>    This draft specifies how to use Datagram Transport Layer Security
>    (DTLS) as a transport for SIP.  DTLS is a new protocol for providing
>    TLS security over a datagram protocol.
>

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip