[Sipping] RE: DTLS-SRTP / ICE and gating/latching policy controls

"Fischer, Kai" <kai.fischer@siemens.com> Mon, 12 November 2007 10:30 UTC

Date: Mon, 12 Nov 2007 11:30:42 +0100
Message-ID: <198A10EC585EC74687BCA414E2A5971801E47DD7@MCHP7RDA.ww002.siemens.net>
In-Reply-To: <1ECE0EB50388174790F9694F77522CCF131C83C0@zrc2hxm0.corp.nortel.com>
Thread-Topic: DTLS-SRTP / ICE and gating/latching policy controls
References: <1ECE0EB50388174790F9694F77522CCF131C83C0@zrc2hxm0.corp.nortel.com>
From: "Fischer, Kai" <kai.fischer@siemens.com>
To: Brian Stucker <bstucker@nortel.com>, Eric Rescorla <ekr@networkresonance.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Dan Wing <dwing@cisco.com>, Francois Audet <audet@nortel.com>, "Fries, Steffen" <steffen.fries@siemens.com>, Mary Barnes <mary.barnes@nortel.com>, "Elwell, John" <john.elwell@siemens.com>
Cc: sipping@ietf.org
Subject: [Sipping] RE: DTLS-SRTP / ICE and gating/latching policy controls

Hi Brian,
thanks for discussing this problem in your draft.
Reading the text, I missed some discussion of the problems and
requirements for the signaling-channel part of media-based key
management, i.e. DTLS-SRTP. draft-fischl-sipping-media-dtls-03 proposes
to transport the certificate fingerprint as an attribute in SDP to
identify the key that will be presented during the DTLS handshake.
Integrity protection of the signaling channel is achieved by RFC 4474,
i.e. a signature is formed over some SIP header fields and the complete
body. Since middle boxes acting as NAT entities manipulate the m and c
lines within SDP, a signature created on the path before the middle box
will be broken. Consequently, this leads to the requirement that the
middle box acting as outbound proxy be capable of acting as an
Authentication Service a la RFC 4474.

In Figure 4, Step 4, I think that the port in the m-line should be 50000,
since the inbound port in the relay is also 50000.

Kai

> -----Original Message-----
> From: Brian Stucker [mailto:bstucker@nortel.com] 
> Sent: Montag, 12. November 2007 07:06
> To: Eric Rescorla; Hannes Tschofenig; Dan Wing; Francois 
> Audet; Fries, Steffen; Mary Barnes; Fischer, Kai; Elwell, John
> Cc: sipping@ietf.org
> Subject: DTLS-SRTP / ICE and gating/latching policy controls
> 
> There was some discussion about this over on the SIP list, 
> but since this is going to be submitted to SIPPING I'll start 
> the discussion over here.
> 
> The draft explains a couple of mechanisms (gating/latching) 
> that can complicate establishing an end-to-end media path, 
> and hence has interactions with media path signaling 
> protocols like ICE or DTLS-SRTP. It further goes into giving 
> examples of such complications and gives a few preliminary 
> recommendations for dealing with these interactions.
> 
> If you're following the DTLS-SRTP threads, you'll want to 
> give this a look. 
> 
> http://www.ietf.org/internet-drafts/draft-sipping-stucker-media-path-middleboxes-00.txt
> 
> Regards, 
> Brian 
> 
> 
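The interaction Kai describes above, as an added example that is not part of this thread or of either draft: a UA signs its INVITE in RFC 4474 style over the selected header values plus the SDP body, a media-path middlebox then rewrites the c= address and m= port, and the original signature no longer verifies while the a=fingerprint attribute (and hence the DTLS certificate check) is untouched; re-signing by the outbound proxy acting as Authentication Service restores a verifiable Identity value. Assumptions, all constructed for illustration: the SDP offer, the SIP header values, the certificate bytes, and an HMAC-SHA256 with a per-domain secret standing in for RFC 4474's RSA-SHA1 signature with the domain certificate (RFC 4474 also canonicalises From/To before hashing, which is skipped here).

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded certificate; a real UA hashes its
# actual certificate. Only its SHA-256 matters for the a=fingerprint check.
CERT_DER = b"constructed-stand-in-for-a-DER-encoded-UA-certificate"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the certificate as colon-separated upper-case hex (SDP style)."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(cert_der).digest())


def build_sdp(cert_der: bytes, addr: str = "192.0.2.10", port: int = 49170) -> str:
    """Constructed SDP offer carrying the fingerprint of the DTLS certificate."""
    lines = [
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {addr}",
        "s=-",
        f"c=IN IP4 {addr}",
        "t=0 0",
        f"m=audio {port} UDP/TLS/RTP/SAVP 0",
        f"a=fingerprint:sha-256 {cert_fingerprint(cert_der)}",
    ]
    return "\r\n".join(lines) + "\r\n"


def identity_digest_string(headers: dict, body: str) -> str:
    """RFC 4474 digest-string: From, To, Call-ID, CSeq, Date, Contact and the
    whole body, '|'-joined. Simplified: values are used as given, without the
    From/To canonicalisation RFC 4474 prescribes."""
    fields = ["From", "To", "Call-ID", "CSeq", "Date", "Contact"]
    return "|".join(headers[f] for f in fields) + "|" + body


def sign_identity(headers: dict, body: str, domain_key: bytes) -> str:
    """Produce an Identity header value. Stand-in: HMAC-SHA256 keyed with a
    per-domain secret instead of RSA-SHA1 with the domain's certificate."""
    digest = identity_digest_string(headers, body).encode()
    return base64.b64encode(hmac.new(domain_key, digest, hashlib.sha256).digest()).decode()


def verify_identity(headers: dict, body: str, identity: str, domain_key: bytes) -> bool:
    """Verifier side: recompute over the message as received and compare."""
    return hmac.compare_digest(sign_identity(headers, body, domain_key), identity)


def nat_rewrite_sdp(sdp: str, public_addr: str, public_port: int) -> str:
    """What a media-path middlebox does: swap the private c= address and m=
    port for the relay's public ones. The a=fingerprint line is left alone."""
    sdp = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {public_addr}", sdp, flags=re.M)
    sdp = re.sub(r"^(m=audio )\d+", rf"\g<1>{public_port}", sdp, flags=re.M)
    return sdp


def fingerprint_matches(sdp: str, cert_der: bytes) -> bool:
    """The DTLS peer's check: the certificate presented in the handshake must
    hash to the value signalled in a=fingerprint."""
    m = re.search(r"^a=fingerprint:sha-256 (\S+)", sdp, re.M)
    return bool(m) and hmac.compare_digest(m.group(1).upper(), cert_fingerprint(cert_der))


def scenario() -> dict:
    """UA signs, NAT middlebox rewrites, outbound proxy re-signs as AS."""
    headers = {  # constructed header values of the INVITE
        "From": "sip:alice@example.com",
        "To": "sip:bob@example.net",
        "Call-ID": "a84b4c76e66710@pc33.example.com",
        "CSeq": "314159 INVITE",
        "Date": "Mon, 12 Nov 2007 10:30:42 GMT",
        "Contact": "sip:alice@192.0.2.10",
    }
    ua_domain_key = b"constructed-secret-of-the-originating-domain"
    proxy_domain_key = b"constructed-secret-of-the-outbound-proxy-domain"

    sdp = build_sdp(CERT_DER)
    identity = sign_identity(headers, sdp, ua_domain_key)
    results = {"ua_sig_ok_before_nat": verify_identity(headers, sdp, identity, ua_domain_key)}

    # Middlebox maps the UA's private address/port to the relay's public ones.
    nat_sdp = nat_rewrite_sdp(sdp, "198.51.100.7", 50000)
    results["ua_sig_ok_after_nat"] = verify_identity(headers, nat_sdp, identity, ua_domain_key)
    results["fingerprint_ok_after_nat"] = fingerprint_matches(nat_sdp, CERT_DER)

    # The outbound proxy, acting as RFC 4474 Authentication Service for the
    # rewritten request, signs the body it actually forwards.
    proxy_identity = sign_identity(headers, nat_sdp, proxy_domain_key)
    results["proxy_sig_ok_after_nat"] = verify_identity(headers, nat_sdp, proxy_identity, proxy_domain_key)
    return results
```

Two things the run makes visible: the fingerprint binding to the DTLS certificate survives the rewrite, because the middlebox does not touch a= lines, so what the NAT actually destroys is the signalling-integrity layer underneath it; and once the outbound proxy re-signs, the far end is trusting that proxy's domain rather than the originating UA's domain, which is the trust shift the requirement Kai states implies.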


_______________________________________________
Sipping mailing list  https://www1.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sip@ietf.org for new developments of core SIP