IETF Logo Mail Archive

Re: [Sipping] new draft on ICE for opening SIPdialogs: draft-lowekamp-sipping-ice-for-sip-00

"Bruce Lowekamp" <lowekamp@sipeerior.com> Fri, 30 November 2007 03:34 UTC

Return-path: <sipping-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ixwdw-0003sz-TZ; Thu, 29 Nov 2007 22:34:20 -0500
Received: from sipping by megatron.ietf.org with local (Exim 4.43) id 1Ixwdu-0003sP-RX for sipping-confirm+ok@megatron.ietf.org; Thu, 29 Nov 2007 22:34:18 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ixwdu-0003sE-Ho for sipping@ietf.org; Thu, 29 Nov 2007 22:34:18 -0500
Received: from nz-out-0506.google.com ([64.233.162.231]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ixwdt-0005tm-Kp for sipping@ietf.org; Thu, 29 Nov 2007 22:34:18 -0500
Received: by nz-out-0506.google.com with SMTP id n1so1691063nzf for <sipping@ietf.org>; Thu, 29 Nov 2007 19:34:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; bh=ofpKC9pSvKJLj7PoqsJ5Zf7gxFVT4gHoAk8hB3vliwM=; b=abydbD+Qk5lMNRMSDsUGhMcdXOQA3Kpo7kZNyah9YAB5bcmOJO2dnRo5vfMSlmnux/6ImS5e/NuPBuiJf1VhIv/swAVei3CCcur1qJsL9loPa87mI2RhgBnJwotaN5KPYQNDEefkn9atBGty+aWA8uKt68vPYQCYR5mNDVOPGSg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=received:message-id:date:from:sender:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references:x-google-sender-auth; b=EpHSkRXkIOQZESEO/zbieDkIo/eWtd6KU5/rKA1+r+fPdysM3edVd/dvIg11uhqHqMbLRnumpxf1X8f1MygcIcwpXKJk+swuLpxig04ltyKBgKL18o9BN7Acsbp/RQHwFy7yn+RhOdHuzyH+Pt7I4l7+g5ezBpAuS2hvNADisOk=
Received: by 10.142.221.19 with SMTP id t19mr483058wfg.1196393656598; Thu, 29 Nov 2007 19:34:16 -0800 (PST)
Received: by 10.142.132.18 with HTTP; Thu, 29 Nov 2007 19:34:16 -0800 (PST)
Message-ID: <20d2bdfb0711291934x41ff5465v98cafcb2a0e1354b@mail.gmail.com>
Date: Thu, 29 Nov 2007 22:34:16 -0500
From: Bruce Lowekamp <lowekamp@sipeerior.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>, Henning Schulzrinne <hgs@cs.columbia.edu>, Jonathan Rosenberg <jdrosen@cisco.com>
Subject: Re: [Sipping] new draft on ICE for opening SIPdialogs: draft-lowekamp-sipping-ice-for-sip-00
In-Reply-To: <CA9998CD4A020D418654FCDEF4E707DF03257BC1@esealmw113.eemea.ericsson.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
References: <20d2bdfb0711140456s462aeec8i8e46da10b537ca7c@mail.gmail.com> <473E8F26.4090308@cisco.com> <CA9998CD4A020D418654FCDEF4E707DF03257BC1@esealmw113.eemea.ericsson.se>
X-Google-Sender-Auth: 2524cd7507fa8f99
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cd3fc8e909678b38737fc606dec187f0
Cc: "David A. Bryan" <dbryan@sipeerior.com>, sipping@ietf.org
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
Errors-To: sipping-bounces@ietf.org

Thanks for all the feedback.  Sorry to take so long to reply.  I'm
going to reply to all three responses at once, inline.


On Nov 17, 2007 1:50 AM, Jonathan Rosenberg <jdrosen@cisco.com> wrote:
> Bruce,
>
> Interesting draft.
>
> My biggest concern is that in practice this would never be utilized in a
> regular SIP proxy chain since it requires every proxy along the path to
> support the mechanism. I wonder if there are intermediate solutions that
> allow path optimization along subsets of the path. Not obvious how to do
> that, but a thought.
>

I think if you had a sequence of proxies that all support this with
the tag in their header, it would be possible to do it; I would think
it should be a somewhat different mechanism where the proxies simply
collectively decide to start routing the same dialog over the direct
path.  But I am unsure how common such a long chain of proxies would
be and am concerned about the complexity of implementing it.  It would
be interesting to work out what would be involved, though.

> It was entirely unclear to me how the e2e TLS connection is
> authenticated. What certificate does each endpoint use? It seems like we
> need something like DTLS-SRTP that exchanges a fingerprint of a
> self-signed cert in the SDP routed through the proxy chain, and that is
> used to drive the e2e TLS connection.
>

I think that allowing the end-to-end encryption is a pretty
interesting use, but you're right, I completely ignored
authentication, primarily because I was hesitant to specify a
particular mechanism.  SRTP would be a great way of handling it, and
is probably the most implementable, but I didn't want to ignore
leap-of-faith or some central authority that the two endpointsb both
trust.



> Seems like a big part of the motivation here is in p2psip, to find a way
> to route the initial INVITE tunneled through the DHT, and then later on
> do ICE to optimize this out. The purported reason for this is that call
> setups are faster when the INVITE is tunneled through the DHT. That may
> be true, but I think the difference is irrelevant. In a consumer DHT,
> you'll have nodes all over the world. So each hop through the DHT can be
> pretty long, 100ms+ perhaps. If it takes log hops to get through, for
> any reasonable sized DHT this is between 10 and 20 hops. So you are
> already in the 1-2 second delay range to cross the DHT. ICE itself will
> ideally complete in a few RTT between caller and called party, and thus
> is a small percentage of the overall penalty you already paid traversing
> the DHT. Given that the mechanism in here is a big change in SIP and
> probably ONLY usfeul in the p2psip case (given the comment above on
> limited applicability because each hop needs to support it), I think we
> better understand the real delay improvements associated with it.

We should probably move this to p2psip if we get into too much detail,
but I think my thoughts on the cost are along the lines of Henning's.
If you do ICE across the DHT to open the SIP dialog, then send an
INVITE and do ICE to establish the media, you have paid the around the
overlay latency for the SIP connection, ICE for the SIP connection,
and then the direct ICE for media.  If you route the INVITE around the
overlay first, you have media flowing after the around the overlay
latency and first ICE negotiation.  So  you have media in one ICE
negotiation latency shorter time if you do the INVITE tunneled across
the overlay.  Then you can pay the cost of moving the dialog in the
background where the user doesn't perceive it.

I think there are some optimizations that can be applied to both
approaches in terms of pre-advertising candidates, but there are a lot
of open issues there, so I'd rather stick with the straightforward
approach for now.

On 11/17/07, Henning Schulzrinne <hgs@cs.columbia.edu> wrote:
> I'll also note that tunneling, without SIP ICE, one of the solutions
> mentioned in the draft, would essentially reduce the additional
> latency beyond DHT lookup to zero for the initial INVITE. Re-INVITE
> and BYE would still suffer the penalty, but they are typically less
> time-critical.
>
> I admit that I'm rather worried about the additional complexity
> implied by the approach, given the various interactions of this
> mechanism with, say, outbound. We seem to have difficulties achieving
> interoperability of basic SIP functionality, including TCP and TLS, so
> adding yet more complexity and alternate mechanisms would seem to
> require a fairly careful consideration.
>

I agree the complexity is an issue.  I think in terms of evaluating
the complexity, I'm willing to ignore the complexity of ICE because I
will assume implementors already have ICE for media.  The question is
of adding such negotiation for SIP.  I don't believe it's that
terribly complex (all the parts are already there, they just need to
be connected), and it has the virtue that the new dialog is being
created separately and the worst that will happen is that it won't be
established, so the replacement never occurs.  If it's just being
established as an optimization, nothing is lost and the UA doesn't
really have a particualr reason to notice or care.

Is the complexity that is there worth it?  The end-to-end security
scenario is, to me, one of the more convincing scenarios where it
achieves a benefit that is hard to achieve otherwise.  In terms of
removing proxies from dialogs as an optimization, I haven't done any
calculations or measurements, but I think it's an interesting question
how much load can be removed from proxies such as sip-outbound
deployments, especially in terms of offloading things such as
subscriptions that require periodic updates.


On Nov 19, 2007 2:17 AM, Christer Holmberg
<christer.holmberg@ericsson.com> wrote:
>
> Hi,
>
> Some questions.
>
> First, it is true that there may be an intermediate which doesn't need
> to be in the path once the call has been established. But, normally is a
> reason why a proxy/intermediate insert a Record-Route. Why would they do
> that if they at the same time say that it is ok to remove them from the
> call path?
>

I think the most important reason would be if the proxy is there for
NAT or firewall traversal, but not to accomplish a call-management,
policy, billing, etc roll that requires it to be on-path for the
dialogs.  I think the clearest example of this is a single
sip-outbound proxy, which is deployed solely to facilitate NAT
traversal, but really has no interest in monitoring ongoing dialogs,
just helping to establish them.

> Second, in some environments user plane resources are reserved by some
> intermediate, and/or gate type-of-functions are controlled by some
> intermediate. These resources must be available during the whole call,
> but if the resource controlling intermediates are removed from the path,
> how will they know when to release the resources? Or, do you assume a
> terminal will only once send a "normal" INVITE, resources will be
> reserved, and then they will be available "forever"?

It was important to us that we preserve the ability of a proxy to
remain in the route if it desires, although for maximum efficiency, it
seems like it's usually best to establish a direct end-to-end
connection.  I'm unsure about the "forever" aspect of this. We
deliberately left the concept of "use this new flow for future dialogs
between these two UAs" as an open issue.  That's a clear gain in
efficiency (especially for non-dialog exchanges such as MESSAGE), but
I think it would require all of the proxies on the route (not just the
record-route proxies) to agree to authorize it.


>
> Third, you seem to assume that the media path will be end-to-end from
> the beginning. But, a B2BUA may also control a media proxy. And, even if
> the B2BUA is removed from the signalling path, the media may still
> traverse it.

Sorry, certainly didn't mean to imply that.  Obviously if a b2bua
feels it needs to be on-path for media and there is no direct path, it
seems unlikely that the SIP connection could be direct.

Bruce


_______________________________________________
Sipping mailing list  https://www1.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sip@ietf.org for new developments of core SIP

v2.23.0 | Report a Bug | By Email