Re: [TLS] [rtcweb] Number of DTLS sessions/DTLS connections; RE: What the gateway draft should say about mux/non-mux

Christer Holmberg <> Wed, 05 August 2015 12:39 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id F23571B2E41; Wed, 5 Aug 2015 05:39:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id r6fmQIGrG47I; Wed, 5 Aug 2015 05:39:16 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 998001A89C5; Wed, 5 Aug 2015 05:39:14 -0700 (PDT)
X-AuditID: c1b4fb3a-f79356d000006281-96-55c203f0936d
Received: from (Unknown_Domain []) by (Symantec Mail Security) with SMTP id F6.E4.25217.0F302C55; Wed, 5 Aug 2015 14:39:12 +0200 (CEST)
Received: from ([]) by ([]) with mapi id 14.03.0210.002; Wed, 5 Aug 2015 14:39:12 +0200
From: Christer Holmberg <>
To: "Asveren, Tolga" <>, "Schwarz, Albrecht (Albrecht)" <>, "<>" <>
Thread-Topic: [rtcweb] Number of DTLS sessions/DTLS connections; RE: What the gateway draft should say about mux/non-mux
Thread-Index: AQHQz1VVWzrNLwNmjUSvQIGN1uVQpZ39Df+ggAAl8YCAACS3wA==
Date: Wed, 05 Aug 2015 12:39:10 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_7594FB04B1934943A5C02806D1A2204B348E9576ESESSMB209erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprKIsWRmVeSWpSXmKPExsUyM+Jvje4H5kOhBhsuaFn8af3FaLH2Xzu7 xezO90wWn853MTqweLQ+28vqsWTJTyaPS5//swcwR3HZpKTmZJalFunbJXBl9C9eyFTwaAlT xbxTG9kaGHvmMnUxcnJICJhI9P39zghhi0lcuLeeDcQWEjjKKLHmUngXIxeQvYhR4tbSJ0AN HBxsAhYS3f+0QeIiArMZJVZ/OAU2iFnAQOLvietgg4QFqiQOzrvPCmKLCFRLPDh1nR3CdpL4 0jGZGWQOi4CKxM5zfiBhXgFfiXOrVrBA7HrMIvF4zx+wIzgFEiUe71sANp8R6Ljvp9ZA7RKX uPVkPtQDAhJL9pxnhrBFJV4+/scKYStK7DzbzgxRny/x8tdSVohlghInZz5hmcAoOgvJqFlI ymYhKZsFdCqzgKbE+l36ECWKElO6H7JD2BoSrXPmsiOLL2BkX8UoWpxaXJybbmSkl1qUmVxc nJ+nl5dasokRGI8Ht/y22sF48LnjIUYBDkYlHl6FvIOhQqyJZcWVuYcYpTlYlMR5Z2zOCxUS SE8sSc1OTS1ILYovKs1JLT7EyMTBKdXA6La67PucjdlxH3fM/fHyV0nCv4smShcOqNZfenls 5gchzist1ZZBVxfFZx25krZnpV/EttxHpve5jKRPvc7UizEXntRy7UnIkxnRe63imUNv7A7J bCh8oXH1s9zUg9uVhZ6JxpxaEMzW2s0vkB7Go6gdtITfyCP/X9CVBeUl/Jd16vhfLTc+pMRS nJFoqMVcVJwIAISUnwSoAgAA
Archived-At: <>
X-Mailman-Approved-At: Tue, 11 Aug 2015 10:49:32 -0700
Cc: " (" <>
Subject: Re: [TLS] [rtcweb] Number of DTLS sessions/DTLS connections; RE: What the gateway draft should say about mux/non-mux
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 05 Aug 2015 12:39:19 -0000


I guess we could add some clarification text to the SDP-DTLS draft.



From: Asveren, Tolga []
Sent: 5. elokuuta 2015 15:27
To: Christer Holmberg; Schwarz, Albrecht (Albrecht); <>
Cc: (
Subject: RE: [rtcweb] Number of DTLS sessions/DTLS connections; RE: What the gateway draft should say about mux/non-mux

Yes, completely agree.

And I think what Albrecht proposes below is the right way of addressing the “no-rtcp-mux implementation difficulties” problem: Adding clarifications/amendments in the respective normative specification rather than disallowing a combination in a profile because it is “confusing”.
Honestly, I think the number of DTLS connections to use, when bundling/muxing is not used, is not really that hard to figure out (for somebody who actually understands the whole story) but obviously no harm of adding some clarifications. DataChannel aspects need to be crisply specified though. What is the main advantage of letting DataChannel potentially use one of the exsiting DTLS connections? Just to save some time on negotiation?


From: rtcweb [] On Behalf Of Christer Holmberg
Sent: Wednesday, August 05, 2015 4:13 AM
To: Schwarz, Albrecht (Albrecht) <<>>; <<>> <<>>
Cc:<> (<>) <<>>
Subject: Re: [rtcweb] Number of DTLS sessions/DTLS connections; RE: What the gateway draft should say about mux/non-mux


We shall not make RFC 5764 corrections in the RTCWEB specs.



From: rtcweb [] On Behalf Of Schwarz, Albrecht (Albrecht)
Sent: 5. elokuuta 2015 11:04
To: <<>>
Cc:<> (<>)
Subject: [rtcweb] Number of DTLS sessions/DTLS connections; RE: What the gateway draft should say about mux/non-mux

Roman, Bernard,
right, RFC 5764 is too vague on that aspect. Thanks for confirming the number of DTLS sessions, which is inline with our understanding.
Would appreciate if this could be somewhere fixed in an rtcweb draft due to significant side effects.
This topic is also an ongoing FAQ.

The most simple case is given by a scenario with usage of bundling plus usage of RTP/RTCP transport multiplexing, leading to a single DTLS session/DTLS connection, which could be then also shared for WebRTC data.

Both capabilities are mandated in the rtp usage draft:
=> bundling
=> RTP/RTCP transport multiplexing

Now, IF bundling is not used OR RTP/RTCP transport multiplexing is not used THEN there will be more than one DTLS session/DTLS connection (either 2 or 4 in case of audio & video).
Raising the question which DTLS connection is used for additional WebRTC data traffic? - Because
indicates the sharing option.
Would then be a 3rd (or 5th) self-contained DTLS session/DTLS connection for WebRTC data traffic?

Add explicit text to clause
about (in red), something like:

   WebRTC implementations MUST support multiplexing of DTLS and RTP over
   the same port pair, as described in the DTLS-SRTP specification
   [RFC5764], section 5.1.2<>.  All application layer protocol payloads
   over this DTLS connection are SCTP packets.

   Note 1: There will be two DTLS sessions/DTLS connections when RTP/RTCP transport multiplexing is not applied. WebRTC data traffic could still share one of these DTLS connections … (“which one?”) … or There should be then a separate, self-contained DTLS session/DTLS connection established exclusively for WebRTC data.

   Note 2: There are similar considerations in case of bundling.

   Protocol identification MUST be supplied as part of the DTLS
   handshake, as specified in [I-D.ietf-rtcweb-alpn<>].


Using (D)TLS terminology according to

From: Bernard Aboba []
Sent: Mittwoch, 5. August 2015 04:04
To: Roman Shpount
Cc: Asveren, Tolga; Christer Holmberg; Eric Rescorla; Schwarz, Albrecht (Albrecht); Rauschenbach, Uwe (Nokia - DE/Munich); <<>>
Subject: Re: [rtcweb] What the gateway draft should say about mux/non-mux

On Aug 4, 2015, at 16:33, Roman Shpount <<>> wrote:

Most of the people implement this wrong, since you need to create two DTLS sessions: one for RTP and another for RTCP. And then use different keys or possibly even encryption profiles for RTP and RTCP. I commonly see one session for RTP and keys negotiated there used for both RTP and RTCP, which is wrong.

[BA] Yes, that is only one of several common mistakes.  Unfortunately, RFC 5764 does not rule out all of these and the security documents are not crystal clear on how things must be done. It is much harder to mess up RTP/RTCP mux.  Given what I've seen so far, non-mux could become a support nightmare.