draft-ietf-mmusic-dtls-sdp-08.txt   draft-ietf-mmusic-dtls-sdp-09.txt 
Network Working Group C. Holmberg Network Working Group C. Holmberg
Internet-Draft Ericsson Internet-Draft Ericsson
Updates: 5763,7345 (if approved) R. Shpount Updates: 5763,7345 (if approved) R. Shpount
Intended status: Standards Track TurboBridge Intended status: Standards Track TurboBridge
Expires: August 24, 2016 February 21, 2016 Expires: August 28, 2016 February 25, 2016
Using the SDP Offer/Answer Mechanism for DTLS Using the SDP Offer/Answer Mechanism for DTLS
draft-ietf-mmusic-dtls-sdp-08.txt draft-ietf-mmusic-dtls-sdp-09.txt
Abstract Abstract
This draft defines the SDP offer/answer procedures for negotiating This draft defines the SDP offer/answer procedures for negotiating
and establishing a DTLS association. The draft also defines the and establishing a DTLS association. The draft also defines the
criteria for when a new DTLS association must be established. criteria for when a new DTLS association must be established.
This draft defines a new SDP media-level attribute, 'dtls- This draft defines a new SDP media-level attribute, 'dtls-
connection'. connection'.
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 24, 2016. This Internet-Draft will expire on August 28, 2016.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 13 skipping to change at page 2, line 13
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Establishing a new DTLS Association . . . . . . . . . . . . . 3 3. Establishing a new DTLS Association . . . . . . . . . . . . . 3
3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.2. Change of Local Transport Parameters . . . . . . . . . . 3 3.2. Change of Local Transport Parameters . . . . . . . . . . 4
3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4 3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4
3.4. Multiple SDP fingerprint attributes . . . . . . . . . . . 4 3.4. Multiple SDP fingerprint attributes . . . . . . . . . . . 4
4. SDP dtls-connection Attribute . . . . . . . . . . . . . . . . 4 4. SDP dtls-connection Attribute . . . . . . . . . . . . . . . . 4
5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 5 5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 6
5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 5 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6
5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 6 5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 7
5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 7 5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 7
5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 7 5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 8
5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 8 5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 8
6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 8 6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 9
7. Transport Protocol Considerations . . . . . . . . . . . . . . 9 7. Transport Protocol Considerations . . . . . . . . . . . . . . 9
7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 9 7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 9
8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 9 8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 9
9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 9 9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 10
9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 9 9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 10
9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 10 9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 10
9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 15 9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 15
10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19
13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 18 13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 19
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 21
14.1. Normative References . . . . . . . . . . . . . . . . . . 20 14.1. Normative References . . . . . . . . . . . . . . . . . . 21
14.2. Informative References . . . . . . . . . . . . . . . . . 22 14.2. Informative References . . . . . . . . . . . . . . . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
[RFC5763] defines SDP Offer/Answer procedures for SRTP-DTLS. This [RFC5763] defines SDP Offer/Answer procedures for SRTP-DTLS.
draft defines the SDP Offer/Answer [RFC3264] procedures for [RFC7345] defines SDP Offer/Answer procedures for UDPTL-DTLS. This
negotiation DTLS in general, based on the procedures in [RFC5763]. specification defines general Offer/Answer procedures for DTLS, based
on the procedures in [RFC5763]. Other specifications, defining
specific DTLS usages, can then reference this specification, in order
to ensure that the DTLS aspects are common among all usages. Having
common procedures is essential when multiple usages share the same
DTLS association [I-D.ietf-mmusic-sdp-bundle-negotiation].
As defined in [RFC5763], a new DTLS association MUST be established As defined in [RFC5763], a new DTLS association MUST be established
when transport parameters are changed. Transport parameter change is when transport parameters are changed. Transport parameter change is
not well defined when Interactive Connectivity Establishment (ICE) not well defined when Interactive Connectivity Establishment (ICE)
[RFC5245] is used. One possible way to determine a transport change [RFC5245] is used. One possible way to determine a transport change
is based on ufrag change, but the ufrag value is changed both when is based on ufrag change, but the ufrag value is changed both when
ICE is negotiated and when ICE restart [RFC5245] occurs. These ICE is negotiated and when ICE restart [RFC5245] occurs. These
events do not always require a new DTLS association to be events do not always require a new DTLS association to be
established, but currently there is no way to explicitly indicate in established, but currently there is no way to explicitly indicate in
an SDP offer or answer whether a new DTLS association is required. an SDP offer or answer whether a new DTLS association is required.
skipping to change at page 3, line 29 skipping to change at page 3, line 36
3. Establishing a new DTLS Association 3. Establishing a new DTLS Association
3.1. General 3.1. General
A new DTLS association MUST be established in the following cases: A new DTLS association MUST be established in the following cases:
o The DTLS roles change; o The DTLS roles change;
o The fingerprint (certificate) value changes; or o The fingerprint (certificate) value changes; or
o The establishment of a new DTLS association is explicitly o The intent to establish of a new DTLS association is explicitly
signaled; signaled;
NOTE: The first two items list above are based on the procedures in NOTE: The first two items list above are based on the procedures in
[RFC5763]. This draft adds the support for explicit signaling. [RFC5763]. This draft adds the support for explicit signaling.
Whenever an entity determines, based on the criteria above, that a Whenever an entity determines, based on the criteria above, that a
new DTLS association is required, the entity MUST initiate an new DTLS association is required, the entity MUST initiate an
associated SDP offer/answer transaction, following the procedures in associated SDP offer/answer transaction, following the procedures in
Section 5. Section 5.
skipping to change at page 4, line 48 skipping to change at page 5, line 23
Syntax: Syntax:
conn-value = "new" / "existing" conn-value = "new" / "existing"
Example: Example:
a=dtls-connection:existing a=dtls-connection:existing
A 'dtls-connection' attribute value of 'new' indicates that a new A 'dtls-connection' attribute value of 'new' indicates that a new
DTLS association MUST be established. A 'dtls-connection' attribute DTLS association MUST be established. A 'dtls-connection' attribute
value of 'existing' indicates that a new DTLS association MUST NOT be value of 'existing' indicates an intention to reuse an existing
established. association.
Unlike the SDP 'connection' attribute for TLS, there is no default Unlike the SDP 'connection' attribute for TLS, there is no default
value defined for the 'dtls-connection' attribute. Implementations value defined for the 'dtls-connection' attribute. Implementations
that wish to use the attribute MUST explicitly include it in SDP that wish to use the attribute MUST explicitly include it in SDP
offers and answers. If an offer or answer does not contain an offers and answers. If an offer or answer does not contain an
attribute (this could happen if the offerer or answerer represents an attribute (this could happen if the offerer or answerer represents an
existing implementation that has not been updated to support the existing implementation that has not been updated to support the
attribute defined in this specification), other means needs to be attribute defined in this specification), other means needs to be
used in order for endpoints to determine whether an offer or answer used in order for endpoints to determine whether an offer or answer
is associated with an event that requires the DTLS association to be is associated with an event that requires the DTLS association to be
skipping to change at page 6, line 15 skipping to change at page 6, line 39
o The SDP 'fingerprint' attribute, defined in [RFC4572], is used to o The SDP 'fingerprint' attribute, defined in [RFC4572], is used to
provide the fingerprint value; and provide the fingerprint value; and
o The SDP 'dtls-connection' attribute, defined in this o The SDP 'dtls-connection' attribute, defined in this
specification, is used to explicitly indicate whether a new DTLS specification, is used to explicitly indicate whether a new DTLS
association is to be established or a previous association is to association is to be established or a previous association is to
be used. be used.
This specification does not define the usage of the SDP 'connection' This specification does not define the usage of the SDP 'connection'
attribute [RFC4145] for negotiating a DTLS connection. However, the attribute [RFC4145] for negotiating a DTLS connection. However, the
attribute MAY be used if the DTLS connection is used together with attribute MAY be used if the DTLS association is used together with
another protocol, e.g. SCTP or TCP, for which the usage of the another protocol, e.g. SCTP or TCP, for which the usage of the
attribute has been defined. attribute has been defined.
Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP
'setup' attribute 'holdconn' value when negotiating a DTLS 'setup' attribute 'holdconn' value when negotiating a DTLS
association. association.
Endpoints MUST support SHA-256 for generating and verifying the Endpoints MUST support SHA-256 for generating and verifying the
fingerprint value associated with the DTLS association. The use of fingerprint value associated with the DTLS association. The use of
SHA-256 is preferred. SHA-256 is preferred.
Endpoints MUST, at a minimum, support Endpoints MUST, at a minimum, support
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward
Secrecy (PFS) cipher suites over non-PFS cipher suites. Secrecy (PFS) cipher suites over non-PFS cipher suites.
Implementations SHOULD disable TLS-level compression. Implementations SHOULD disable TLS-level compression.
The certificate received during the DTLS handshake MUST match the The certificate received during the DTLS handshake MUST match a
fingerprint received in the SDP "fingerprint" attribute. If the fingerprint received in an SDP "fingerprint" attribute. If a
fingerprint does not match the hashed certificate, then the endpoint fingerprint does not match the hashed certificate, then the endpoint
MUST tear down the media session immediately. Note that it is MUST tear down the media session immediately. Note that it is
permissible to wait until the other side's fingerprint has been permissible to wait until the other side's fingerprint has been
received before establishing the connection; however, this may have received before establishing the connection; however, this may have
undesirable latency effects. undesirable latency effects.
5.2. Generating the Initial SDP Offer 5.2. Generating the Initial SDP Offer
When the offerer sends the initial offer, and the offerer wants to When the offerer sends the initial offer, and the offerer wants to
establish a DTLS association, it MUST insert an SDP 'dtls-connection' establish a DTLS association, it MUST insert an SDP 'dtls-connection'
attribute with a 'new' value in the offer. In addition, the offerer attribute with a 'new' value in the offer. In addition, the offerer
MUST insert an SDP 'setup' attribute according to the procedures in MUST insert an SDP 'setup' attribute according to the procedures in
[RFC4145], and an SDP 'fingerprint' attribute according to the [RFC4145], and one or more SDP 'fingerprint' attributes according to
procedures in [RFC4572], in the offer. the procedures in [RFC4572], in the offer.
If the offerer inserts the SDP 'setup' attribute with an 'actpass' or If the offerer inserts the SDP 'setup' attribute with an 'actpass' or
'passive' value, the offerer MUST be prepared to receive a DTLS 'passive' value, the offerer MUST be prepared to receive a DTLS
ClientHello message (if a new DTLS association is established by the ClientHello message (if a new DTLS association is established by the
answerer) from the answerer before it receives the SDP answer. answerer) from the answerer before it receives the SDP answer.
5.3. Generating the Answer 5.3. Generating the Answer
If an answerer receives an offer that contains an SDP 'dtls- If an answerer receives an offer that contains an SDP 'dtls-
connection' attribute with a 'new' value, or if the answerer receives connection' attribute with a 'new' value, or if the answerer receives
an offer that contains an 'dtls-connection' attribute with an an offer that contains an 'dtls-connection' attribute with an
'existing' value and the answerer determines (based on the criteria 'existing' value and the answerer determines (based on the criteria
for establishing a new DTLS association) that a new DTLS association for establishing a new DTLS association) that a new DTLS association
is to be established, the answerer MUST insert a 'new' value in the is to be established, the answerer MUST insert a 'new' value in the
associated answer. In addition, the answerer MUST insert an SDP associated answer. In addition, the answerer MUST insert an SDP
'setup' attribute according to the procedures in [RFC4145], and an 'setup' attribute according to the procedures in [RFC4145], and one
SDP 'fingerprint' attribute according to the procedures in [RFC4572], or more SDP 'fingerprint' attributes according to the procedures in
in the answer. [RFC4572], in the answer.
If an answerer receives an offer that contains an SDP 'dtls- If an answerer receives an offer that contains an SDP 'dtls-
connection' attribute with a 'new' value, and if the answerer does connection' attribute with a 'new' value, and if the answerer does
not accept the establishment of a new DTLS association, the answerer not accept the establishment of a new DTLS association, the answerer
MUST reject the "m=" lines associated with the suggested DTLS MUST reject the "m=" lines associated with the suggested DTLS
association [RFC3264]. association [RFC3264].
If an answerer receives an offer that contains a 'dtls-connection' If an answerer receives an offer that contains a 'dtls-connection'
attribute with an 'existing' value, and if the answerer determines attribute with an 'existing' value, and if the answerer determines
that a new DTLS association is not to be established, the answerer that a new DTLS association is not to be established, the answerer
MUST insert a 'dtls-connection' attribute with an 'existing' value in MUST insert a 'dtls-connection' attribute with an 'existing' value in
the associated answer. In addition, the answerer MUST insert an SDP the associated answer. In addition, the answerer MUST insert an SDP
'setup' attribute with a value that does not change the previously 'setup' attribute with a value that does not change the previously
negotiated DTLS roles, and an SDP 'fingerprint' attribute with a negotiated DTLS roles, and one or more SDP 'fingerprint' attributes
value that does not change the previously sent fingerprint, in the values that do not change the previously sent fingerprints, in the
answer. answer.
If the answerer receives an offer that does not contain an SDP 'dtls- If the answerer receives an offer that does not contain an SDP 'dtls-
connection' attribute, the answerer MUST NOT insert a 'dtls- connection' attribute, the answerer MUST NOT insert a 'dtls-
connection' attribute in the answer. connection' attribute in the answer.
If a new DTLS association is to be established, and if the answerer If a new DTLS association is to be established, and if the answerer
inserts an SDP 'setup' attribute with an 'active' value in the inserts an SDP 'setup' attribute with an 'active' value in the
answer, the answerer MUST initiate a DTLS handshake by sending a DTLS answer, the answerer MUST initiate a DTLS handshake by sending a DTLS
ClientHello message towards the offerer. ClientHello message towards the offerer.
skipping to change at page 8, line 16 skipping to change at page 8, line 39
If the answer contains an SDP 'dtls-connection' attribute with an If the answer contains an SDP 'dtls-connection' attribute with an
'existing' value, the offerer will continue using the previously 'existing' value, the offerer will continue using the previously
established DTLS association. It is considered an error case if the established DTLS association. It is considered an error case if the
answer contains a 'dtls-connection' attribute with an 'existing' answer contains a 'dtls-connection' attribute with an 'existing'
value, and a DTLS association does not exist. value, and a DTLS association does not exist.
An offerer needs to be able to handle error conditions that can occur An offerer needs to be able to handle error conditions that can occur
during an offer/answer transaction, e.g. if an answer contains an SDP during an offer/answer transaction, e.g. if an answer contains an SDP
'dtls-connection' attribute with an 'existing' value even if no DTLS 'dtls-connection' attribute with an 'existing' value even if no DTLS
connection exists, or if the answer contains a new fingerprint value association exists, or if the answer contains a new fingerprint value
for an existing DTLS connection. If such error case occurs, the for an existing DTLS association. If such error case occurs, the
offerer SHOULD terminate the associated DTLS connection (if it offerer SHOULD terminate the associated DTLS association (if it
exists) and send a new offer in order to terminate each media stream exists) and send a new offer in order to terminate each media stream
using the DTLS association, by setting the associated port value to using the DTLS association, by setting the associated port value to
zero [RFC4145]. zero [RFC4145].
5.5. Modifying the Session 5.5. Modifying the Session
When the offerer sends a subsequent offer, and if the offerer wants When the offerer sends a subsequent offer, and if the offerer wants
to establish a new DTLS association, the offerer MUST insert an SDP to establish a new DTLS association, the offerer MUST insert an SDP
'dtls-connection' attribute with a 'new' value in the offer. In 'dtls-connection' attribute with a 'new' value in the offer. In
addition, the offerer MUST insert an SDP 'setup' attribute according addition, the offerer MUST insert an SDP 'setup' attribute according
to the procedures in [RFC4145], and an SDP 'fingerprint' attribute to the procedures in [RFC4145], and one or more SDP 'fingerprint'
according to the procedures in [RFC4572], in the offer. attributes according to the procedures in [RFC4572], in the offer.
when the offerer sends a subsequent offer, and the offerer does not when the offerer sends a subsequent offer, and the offerer does not
want to establish a new DTLS association, and if a previously want to establish a new DTLS association, and if a previously
established DTLS association exists, the offerer MUST insert an SDP established DTLS association exists, the offerer MUST insert an SDP
'dtls-connection' attribute with an 'existing' value in the offer. 'dtls-connection' attribute with an 'existing' value in the offer.
In addition, the offerer MUST insert an SDP 'setup' attribute with a In addition, the offerer MUST insert an SDP 'setup' attribute with a
value that does not change the previously negotiated DTLS roles, and value that does not change the previously negotiated DTLS roles, and
an SDP 'fingerprint' attribute with a value that does not change the one or more SDP 'fingerprint' attributes with values that do not
previously sent fingerprint, in the offer. change the previously sent fingerprints, in the offer.
NOTE: When a new DTLS association is established, each endpoint needs NOTE: When a new DTLS association is established, each endpoint needs
to be prepared to receive data on both the new and old DTLS to be prepared to receive data on both the new and old DTLS
associations as long as both are alive. associations as long as both are alive.
6. ICE Considerations 6. ICE Considerations
When ICE is used, the ICE connectivity checks are performed before When ICE is used, the ICE connectivity checks are performed before
the DTLS handshake begins. Note that if aggressive nomination mode the DTLS handshake begins. Note that if aggressive nomination mode
is used, multiple candidate pairs may be marked valid before ICE is used, multiple candidate pairs may be marked valid before ICE
skipping to change at page 12, line 30 skipping to change at page 12, line 50
the DTLS handshake procedure using certificates. This document uses the DTLS handshake procedure using certificates. This document uses
certificates in the same style as described in "Connection-Oriented certificates in the same style as described in "Connection-Oriented
Media Transport over the Transport Layer Security (TLS) Protocol in Media Transport over the Transport Layer Security (TLS) Protocol in
the Session Description Protocol (SDP)" [RFC4572]. the Session Description Protocol (SDP)" [RFC4572].
If self-signed certificates are used, the content of the If self-signed certificates are used, the content of the
subjectAltName attribute inside the certificate MAY use the uniform subjectAltName attribute inside the certificate MAY use the uniform
resource identifier (URI) of the user. This is useful for debugging resource identifier (URI) of the user. This is useful for debugging
purposes only and is not required to bind the certificate to one of purposes only and is not required to bind the certificate to one of
the communication endpoints. The integrity of the certificate is the communication endpoints. The integrity of the certificate is
ensured through the fingerprint attribute in the SDP. The ensured through the fingerprint attribute in the SDP.
subjectAltName is not an important component of the certificate
verification.
The generation of public/private key pairs is relatively expensive. The generation of public/private key pairs is relatively expensive.
Endpoints are not required to generate certificates for each session. Endpoints are not required to generate certificates for each session.
The offer/answer model, defined in [RFC3264], is used by protocols The offer/answer model, defined in [RFC3264], is used by protocols
like the Session Initiation Protocol (SIP) [RFC3261] to set up like the Session Initiation Protocol (SIP) [RFC3261] to set up
multimedia sessions. multimedia sessions.
When an endpoint wishes to set up a secure media session with another When an endpoint wishes to set up a secure media session with another
endpoint, it sends an offer in a SIP message to the other endpoint. endpoint, it sends an offer in a SIP message to the other endpoint.
skipping to change at page 13, line 11 skipping to change at page 13, line 30
the offerer's SIP proxy over an integrity protected channel. When the offerer's SIP proxy over an integrity protected channel. When
the far endpoint receives the SIP message, it can verify the identity the far endpoint receives the SIP message, it can verify the identity
of the sender using the Identity header field. Since the Identity of the sender using the Identity header field. Since the Identity
header field is a digital signature across several SIP header fields, header field is a digital signature across several SIP header fields,
in addition to the body of the SIP message, the receiver can also be in addition to the body of the SIP message, the receiver can also be
certain that the message has not been tampered with after the digital certain that the message has not been tampered with after the digital
signature was applied and added to the SIP message. signature was applied and added to the SIP message.
The far endpoint (answerer) may now establish a DTLS association with The far endpoint (answerer) may now establish a DTLS association with
the offerer. Alternately, it can indicate in its answer that the the offerer. Alternately, it can indicate in its answer that the
offerer is to initiate the TLS association. In either case, mutual offerer is to initiate the DTLS association. In either case, mutual
DTLS certificate-based authentication will be used. After completing DTLS certificate-based authentication will be used. After completing
the DTLS handshake, information about the authenticated identities, the DTLS handshake, information about the authenticated identities,
including the certificates, are made available to the endpoint including the certificates, are made available to the endpoint
application. The answerer is then able to verify that the offerer's application. The answerer is then able to verify that the offerer's
certificate used for authentication in the DTLS handshake can be certificate used for authentication in the DTLS handshake can be
associated to the certificate fingerprint contained in the offer in associated to the certificate fingerprint contained in the offer in
the SDP. At this point, the answerer may indicate to the end user the SDP. At this point, the answerer may indicate to the end user
that the media is secured. The offerer may only tentatively accept that the media is secured. The offerer may only tentatively accept
the answerer's certificate since it may not yet have the answerer's the answerer's certificate since it may not yet have the answerer's
certificate fingerprint. certificate fingerprint.
skipping to change at page 18, line 39 skipping to change at page 19, line 15
Attribute name: dtls-connection Attribute name: dtls-connection
Type of attribute: media-level Type of attribute: media-level
Subject to charset: no Subject to charset: no
Purpose: Indicate whether a new DTLS association is to be established/re-established. Purpose: Indicate whether a new DTLS association is to be established/re-established.
Appropriate Values: see Section 4 Appropriate Values: see Section 4
Contact name: Christer Holmberg Contact name: Christer Holmberg
Category: IDENTICAL Category: IDENTICAL
12. Acknowledgements 12. Acknowledgements
Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat and Jens Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat, Jens Guballa,
Guballa for providing comments and suggestions on the draft. Charles Eckel and Gonzalo Salgueiro for providing comments and
suggestions on the draft.
13. Change Log 13. Change Log
[RFC EDITOR NOTE: Please remove this section when publishing] [RFC EDITOR NOTE: Please remove this section when publishing]
Changes from draft-ietf-mmusic-sdp-dtls-08
o Offer/Answer section modified in order to allow sending of
multiple SDP 'fingerprint' attributes.
o Terminology made consistant: 'DTLS connection' replaced with 'DTLS
association'.
o Editorial changes based on comments from Paul Kyzivat.
Changes from draft-ietf-mmusic-sdp-dtls-07 Changes from draft-ietf-mmusic-sdp-dtls-07
o Reference to RFC 7315 replaced with reference to RFC 7345. o Reference to RFC 7315 replaced with reference to RFC 7345.
Changes from draft-ietf-mmusic-sdp-dtls-06 Changes from draft-ietf-mmusic-sdp-dtls-06
o Text on restrictions regarding spanning a DTLS connection over o Text on restrictions regarding spanning a DTLS association over
multiple transports added. multiple transports added.
o Mux category added to IANA Considerations. o Mux category added to IANA Considerations.
o Normative text regarding mux category and source-specific o Normative text regarding mux category and source-specific
applicability added. applicability added.
o Reference to RFC 7315 added. o Reference to RFC 7315 added.
o Clarified that offerer/answerer that has not been updated to o Clarified that offerer/answerer that has not been updated to
 End of changes. 27 change blocks. 
46 lines changed or deleted 61 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/