draft-ietf-mmusic-dtls-sdp-14.txt   draft-ietf-mmusic-dtls-sdp-15.txt 
Network Working Group C. Holmberg Network Working Group C. Holmberg
Internet-Draft Ericsson Internet-Draft Ericsson
Updates: 5763,7345 (if approved) R. Shpount Updates: 5763,7345 (if approved) R. Shpount
Intended status: Standards Track TurboBridge Intended status: Standards Track TurboBridge
Expires: January 19, 2017 July 18, 2016 Expires: May 4, 2017 October 31, 2016
Using the SDP Offer/Answer Mechanism for DTLS Using the SDP Offer/Answer Mechanism for DTLS
draft-ietf-mmusic-dtls-sdp-14.txt draft-ietf-mmusic-dtls-sdp-15.txt
Abstract Abstract
This draft defines the SDP offer/answer procedures for negotiating This document defines the SDP offer/answer procedures for negotiating
and establishing a DTLS association. The draft also defines the and establishing a DTLS association. The document also defines the
criteria for when a new DTLS association must be established. The criteria for when a new DTLS association must be established. The
draft updates RFC 5763 and RFC 7345, by replacing common SDP offer/ document updates RFC 5763 and RFC 7345, by replacing common SDP
answer procedures with a reference to this specification. offer/answer procedures with a reference to this specification.
This draft defines a new SDP media-level attribute, 'dtls-id'. This document defines a new SDP media-level attribute, 'dtls-id'.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 19, 2017. This Internet-Draft will expire on May 4, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 17 skipping to change at page 2, line 17
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Establishing a new DTLS Association . . . . . . . . . . . . . 3 3. Establishing a new DTLS Association . . . . . . . . . . . . . 3
3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.2. Change of Local Transport Parameters . . . . . . . . . . 4 3.2. Change of Local Transport Parameters . . . . . . . . . . 4
3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4 3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4
4. SDP dtls-id Attribute . . . . . . . . . . . . . . . . . . . . 4 4. SDP dtls-id Attribute . . . . . . . . . . . . . . . . . . . . 4
5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 5 5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 6
5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 5 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6
5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 7 5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 8
5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 7 5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 8
5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 8 5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 9
5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 9 5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 10
6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 9 6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 10
7. Transport Protocol Considerations . . . . . . . . . . . . . . 10 7. Transport Protocol Considerations . . . . . . . . . . . . . . 11
7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 10 7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 11
8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 10 8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 11
9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 10 9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 10 9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 12
9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 11 9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 12
9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 16 9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 17
10. Security Considerations . . . . . . . . . . . . . . . . . . . 19 10. Security Considerations . . . . . . . . . . . . . . . . . . . 20
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20
13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 19 13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 20
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
14.1. Normative References . . . . . . . . . . . . . . . . . . 22 14.1. Normative References . . . . . . . . . . . . . . . . . . 23
14.2. Informative References . . . . . . . . . . . . . . . . . 23 14.2. Informative References . . . . . . . . . . . . . . . . . 24
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25
1. Introduction 1. Introduction
[RFC5763] defines SDP Offer/Answer procedures for SRTP-DTLS. [RFC5763] defines SDP Offer/Answer procedures for SRTP-DTLS.
[RFC7345] defines SDP offer/answer procedures for UDPTL-DTLS. This [RFC7345] defines SDP offer/answer procedures for UDPTL-DTLS. This
specification defines general offer/answer procedures for DTLS, based specification defines general offer/answer procedures for DTLS, based
on the procedures in [RFC5763]. Other specifications, defining on the procedures in [RFC5763]. Other specifications, defining
specific DTLS usages, can then reference this specification, in order specific DTLS usages, can then reference this specification, in order
to ensure that the DTLS aspects are common among all usages. Having to ensure that the DTLS aspects are common among all usages. Having
common procedures is essential when multiple usages share the same common procedures is essential when multiple usages share the same
DTLS association [I-D.ietf-mmusic-sdp-bundle-negotiation]. The draft DTLS association [I-D.ietf-mmusic-sdp-bundle-negotiation]. The
updates [RFC5763] and [RFC7345], by replacing common SDP offer/answer document updates [RFC5763] and [RFC7345], by replacing common SDP
procedures with a reference to this specification. offer/answer procedures with a reference to this specification.
As defined in [RFC5763], a new DTLS association MUST be established As defined in [RFC5763], a new DTLS association MUST be established
when transport parameters are changed. Transport parameter change is when transport parameters are changed. Transport parameter change is
not well defined when Interactive Connectivity Establishment (ICE) not well defined when Interactive Connectivity Establishment (ICE)
[RFC5245] is used. One possible way to determine a transport change [I-D.ietf-ice-rfc5245bis] is used. One possible way to determine a
is based on ufrag change, but the ufrag value is changed both when transport change is based on ufrag change, but the ufrag value is
ICE is negotiated and when ICE restart [RFC5245] occurs. These changed both when ICE is negotiated and when ICE restart
events do not always require a new DTLS association to be [I-D.ietf-ice-rfc5245bis] occurs. These events do not always require
established, but currently there is no way to explicitly indicate in a new DTLS association to be established, but currently there is no
an SDP offer or answer whether a new DTLS association is required. way to explicitly indicate in an SDP offer or answer whether a new
To solve that problem, this draft defines a new SDP attribute, 'dtls- DTLS association is required. To solve that problem, this document
id'. The attribute contains a unique value associated with a DTLS defines a new SDP attribute, 'dtls-id'. The 'dtls-id' attribute pair
association, and by providing a new value in SDP offers and answers in combination with 'fingerprint' attribute values from offer and
the attribute can be used to indicate whether a new DTLS association answer SDP uniquely identifies the DTLS association. Providing a new
is to be established/re-established. value of 'dtls-id' attribute in SDP offer or answers can be used to
indicate whether a new DTLS association is to be established.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Establishing a new DTLS Association 3. Establishing a new DTLS Association
3.1. General 3.1. General
A new DTLS association MUST be established in the following cases: A new DTLS association MUST be established after a successfull SDP
offer/answer transaction in the following cases::
o The DTLS roles change; o The negotiated DTLS setup roles change; or
o One or more fingerprint values are modified, added or removed; or o One or more fingerprint values are modified, added or removed in
either an SDP offer or answer; or
o The intent to establish a new DTLS association is explicitly o The intent to establish a new DTLS association is explicitly
signaled; signaled by changing the value of the SDP 'dtls-id' attribute
defined in this document;
NOTE: The first two items list above are based on the procedures in NOTE: The first two items list above are based on the procedures in
[RFC5763]. This specification adds the support for explicit [RFC5763]. This specification adds the support for explicit
signaling. signaling using the SDP 'dtls-id' attribute.
Whenever an entity determines, based on the criteria above, that a A new DTLS association can only established as a result of the
new DTLS association is required, the entity MUST initiate an successful SDP offer/answer transaction. Whenever an entity
associated SDP offer/answer transaction, following the procedures in determines that a new DTLS association is required, the entity MUST
initiate an SDP offer/answer transaction, following the procedures in
Section 5. Section 5.
The sections below describe typical cases where a new DTLS The sections below describe typical cases where a new DTLS
association needs to be established. association needs to be established.
3.2. Change of Local Transport Parameters 3.2. Change of Local Transport Parameters
If an endpoint modifies its local transport parameters (address and/ If an endpoint modifies its local transport parameters (address and/
or port), and if the modification requires a new DTLS association, or port), and if the modification requires a new DTLS association,
the endpoint MUST change its DTLS role, change its fingerprint value, the endpoint MUST change its set of fingerprints and SDP 'dtls-id'
and/or use the SDP 'dtls-id' attribute with a new value Section 4. attribute so that together they represent a new unique set of values
Section 4.
If the underlying transport explicitly prohibits a DTLS association If the underlying transport explicitly prohibits a DTLS association
to span multiple transports, and if the transport is changed, a new to span multiple transports, and if the transport is changed, the
value MUST be assigned to the the SDP 'dtls-id' attribute. An endpoint MUST change its set of fingerprints and SDP 'dtls-id'
example of such case is when DTLS is carried over SCTP, as described attribute so that together they represent a new unique set of values
in [RFC6083]. Section 4. An example of such case is when DTLS is carried over
SCTP, as described in [RFC6083].
3.3. Change of ICE ufrag value 3.3. Change of ICE ufrag value
If an endpoint uses ICE, and modifies a local ufrag value, and if the If an endpoint uses ICE, and modifies a local ufrag value, and if the
modification requires a new DTLS association, the endpoint MUST modification requires a new DTLS association, the endpoint MUST
either change its DTLS role, a fingerprint value and/or assign a new change its set of fingerprints and SDP 'dtls-id' attribute so that
value to the SDP 'dtls-id' attribute Section 4. together they represent a new unique set of values Section 4.
4. SDP dtls-id Attribute 4. SDP dtls-id Attribute
The SDP 'dtls-id' attribute contains a unique value associated with a The 'dtls-id' attribute pair in combination with 'fingerprint'
attribute values from offer and answer SDP uniquely identifies the
DTLS association. DTLS association.
Name: dtls-id Name: dtls-id
Value: conn-value Value: dtls-id-value
Usage Level: media Usage Level: media
Charset Dependent: no Charset Dependent: no
Default Value: empty value
Syntax: Syntax:
conn-value = 1*256alphanum dtls-id-value = 0*256 <alpha-numeric defined in [RFC4566]>
Example: Example:
a=dtls-id:abc3dl a=dtls-id:abc3dl
A 'dtls-id' attribute that contains a new value indicates an Every time end point requests to establish a new DTLS association
intention to establish a new DTLS association. A 'dtls-id' attribute using the same set of fingerprints, a new unique value of 'dtls-id'
that contains a previously assigned value indicates an intention to attribute is allocated. A combination of the previously used 'dtls-
reuse an existing association. id' attribute in combination with the same fingerprint set indicates
an intention to reuse the existing association.
There is no default value defined for the SDP 'dtls-id' attribute. The default value for the SDP 'dtls-id' attribute is an empty value.
Implementations that wish to use the attribute MUST explicitly Implementations that wish to use the attribute MUST explicitly
include it in SDP offers and answers. If an offer or answer does not include it in SDP offers and answers. If an offer or answer does not
contain an attribute (this could happen if the offerer or answerer contain an attribute (this could happen if the offerer or answerer
represents an existing implementation that has not been updated to represents an existing implementation that has not been updated to
support the attribute defined in this specification or an support the attribute defined in this specification or an
implementation which allocates a new temporary certificate for each implementation which allocates a new temporary certificate for each
association and uses change in fingerprint to indicate new association and uses change in fingerprint to indicate new
association), other means needs to be used in order for endpoints to association), it should be treated as if 'dtls-id' attribute with an
determine whether an offer or answer is associated with an event that empty value value were included in SDP and procedures defined in this
requires the DTLS association to be re-established. specification should be used to determine if new DTLS association
should be established.
The mux category [I-D.ietf-mmusic-sdp-mux-attributes] for the 'dtls- The mux category [I-D.ietf-mmusic-sdp-mux-attributes] for the 'dtls-
id' attribute is 'IDENTICAL', which means that the attribute value id' attribute is 'IDENTICAL', which means that the attribute value
must be identical across all media descriptions being multiplexed must be identical across all media descriptions being multiplexed
[I-D.ietf-mmusic-sdp-bundle-negotiation]. [I-D.ietf-mmusic-sdp-bundle-negotiation].
For RTP-based media, the 'dtls-id' attribute apply to whole For RTP-based media, the 'dtls-id' attribute apply to whole
associated media description. The attribute MUST NOT be defined per associated media description. The attribute MUST NOT be defined per
source (using the SDP 'ssrc' attribute [RFC5576]). source (using the SDP 'ssrc' attribute [RFC5576]).
The SDP offer/answer [RFC3264] procedures associated with the The SDP offer/answer [RFC3264] procedures associated with the
attribute are defined in Section 5 attribute are defined in Section 5
5. SDP Offer/Answer Procedures 5. SDP Offer/Answer Procedures
5.1. General 5.1. General
This section defines the generic SDP offer/answer procedures for This section defines the generic SDP offer/answer procedures for
negotiating a DTLS association. Additional procedures (e.g. negotiating a DTLS association. Additional procedures (e.g.,
regarding usage of specific SDP attributes etc) for individual DTLS regarding usage of specific SDP attributes etc) for individual DTLS
usages (e.g. SRTP-DTLS) are outside the scope of this specification, usages (e.g., SRTP-DTLS) are outside the scope of this specification,
and need to be specified in a usage specific specification. and need to be specified in a usage specific specification.
NOTE: The procedures in this section are generalizations of NOTE: The procedures in this section are generalizations of
procedures first specified in SRTP-DTLS [RFC5763], with the addition procedures first specified in SRTP-DTLS [RFC5763], with the addition
of usage of the SDP 'dtls-id' attribute. That document is herein of usage of the SDP 'dtls-id' attribute. That document is herein
revised to make use of these new procedures. updated to make use of these new procedures.
The procedures in this section apply to an SDP media description The procedures in this section apply to an SDP media description
("m=" line) associated a DTLS-protected media/data. ("m=" line) associated with DTLS-protected media/data.
When an offerer or answerer indicates that it wants to establish a
new DTLS association, it needs to make sure that media packets in the
existing DTLS association and new DTLS association can be de-
multiplexed. In case of ordered transport (e.g., SCTP) this can be
done simply by sending packets for new DTLS association after all
packets for existing DTLS association have been sent. In case of
unordered transport, such as UDP, packets for the old DTLS
association can arrive after the answer SDP was received and after
first packets for the new DTLS association were received. The only
way to de-multiplex packets belonging to old and new DTLS association
is on the basis of transport 5-tuple. Because of this, if unordered
transport is used for DTLS association, new transport (3-tuple) MUST
be allocated by at least on the end points so that DTLS packets can
be de-multiplexed.
When an offerer needs to establish a new DTLS association, and if an When an offerer needs to establish a new DTLS association, and if an
unordered transport (e.g. UDP) is used, the offerer MUST allocate a unordered transport (e.g., UDP) is used, the offerer MUST allocate a
new transport for the offer in such a way that the offerer can new transport (3-tuple) for the offer in such a way that the offerer
disambiguate any packets associated with the new DTLS association can disambiguate any packets associated with the new DTLS association
from any packets associated with any other DTLS association. This from any packets associated with any other DTLS association. This
typically means using a local address and or port, or a set of ICE typically means using a local address and/or port, or a set of ICE
candidates (see Section 6), which were not recently used for any candidates (see Section 6), which were not recently used for any
other DTLS association. other DTLS association.
When an answerer needs to establish a new DTLS association, if an When an answerer needs to establish a new DTLS association, if an
unordered transport is used, and if the offerer did not allocate a unordered transport is used, and if the offerer did not allocate a
new transport, the answerer MUST allocate a new transport for the new transport, the answerer MUST allocate a new transport for the
offer in answer a way that it can disambiguate any packets associated offer in answer a way that it can disambiguate any packets associated
with new DTLS association from any packets associated with any other with new DTLS association from any packets associated with any other
DTLS association. This typically means using a local address and or DTLS association. This typically means using a local address and/or
port, or a set of ICE candidates (see Section 6), which were not port, or a set of ICE candidates (see Section 6), which were not
recently used for any other DTLS association. recently used for any other DTLS association.
In order to negotiate a DTLS association, the following SDP In order to negotiate a DTLS association, the following SDP
attributes are used: attributes are used:
o The SDP 'setup' attribute, defined in [RFC4145], is used to o The SDP 'setup' attribute, defined in [RFC4145], is used to
negotiate the DTLS roles; negotiate the DTLS roles;
o The SDP 'fingerprint' attribute, defined in [RFC4572], is used to o The SDP 'fingerprint' attribute, defined in [RFC4572], is used to
provide a fingerprint value; and provide a fingerprint values; and
o The SDP 'dtls-id' attribute, defined in this specification, o The SDP 'dtls-id' attribute, defined in this specification, which,
indicates a unique value associated with the DTLS association. if fingerprints are reused, can be assigned a new value to
The attribute value can be used to explicitly indicate the explicitly indicate the intention to establishing a new DTLS
intention of establishing a new DTLS association. association.
This specification does not define the usage of the SDP 'connection' This specification does not define the usage of the SDP 'connection'
attribute [RFC4145] for negotiating a DTLS connection. However, the attribute [RFC4145] for negotiating a DTLS connection. However, the
attribute MAY be used if the DTLS association is used together with attribute MAY be used if the DTLS association is used together with
another protocol, e.g. SCTP or TCP, for which the usage of the another protocol (e.g., SCTP or TCP) for which the usage of the
attribute has been defined. attribute has been defined.
Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP
'setup' attribute 'holdconn' value when negotiating a DTLS 'setup' attribute 'holdconn' value when negotiating a DTLS
association. association.
Endpoints MUST support SHA-256 for generating and verifying any Endpoints MUST support SHA-256 for generating and verifying any
fingerprint value associated with the DTLS association. The use of fingerprint value associated with the DTLS association. The use of
SHA-256 is preferred. SHA-256 is preferred.
Endpoints MUST, at a minimum, support Endpoints MUST, at a minimum, support
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward
Secrecy (PFS) cipher suites over non-PFS cipher suites. Secrecy (PFS) cipher suites over non-PFS cipher suites.
Implementations SHOULD disable TLS-level compression. Implementations SHOULD disable TLS-level compression.
The certificate received during the DTLS handshake MUST match at The certificate received during the DTLS handshake MUST match the
least one of the certificate fingerprints received in SDP certificate fingerprints received in SDP 'fingerprint' attributes
'fingerprint' attributes. If no fingerprint matches the hashed according to procedures defined in [I-D.ietf-mmusic-4572-update]. If
certificate, then an endpoint MUST tear down the media session fingerprints do not match the hashed certificate, then an endpoint
immediately. Note that it is permissible to wait until the other MUST tear down the media session immediately. Note that it is
side's fingerprint has been received before establishing the permissible to wait until the other side's fingerprint has been
connection; however, this may have undesirable latency effects. received before establishing the connection; however, this may have
undesirable latency effects.
SDP offerers and answerers might reuse certificates across multiple SDP offerers and answerers might reuse certificates across multiple
DTLS associations, and provide identical fingerprint values for each DTLS associations, and provide identical fingerprint values for each
DTLS association. It MUST be ensured that the combination of the DTLS association. It MUST be ensured that the combination of the
fingerprint values and the SDP 'dtls-id' attribute value is unique fingerprint values and the SDP 'dtls-id' attribute value is unique
across all DTLS associations. across all DTLS associations.
If an SDP offerer or answerer generates a new temporary self-signed If an SDP offerer or answerer generates a new temporary self-signed
certificate for each new DTLS association, they can omit the SDP certificate for each new DTLS association, they can omit the SDP
'dtls-id' attribute. 'dtls-id' attribute.
5.2. Generating the Initial SDP Offer 5.2. Generating the Initial SDP Offer
When the offerer sends the initial offer, and the offerer wants to When an offerer sends the initial offer, the offerer MUST insert an
establish a DTLS association, it MUST insert an SDP 'dtls-id' SDP 'setup' attribute according to the procedures in [RFC4145], and
attribute with a new value in the offer. In addition, the offerer one or more SDP 'fingerprint' attributes according to the procedures
MUST insert an SDP 'setup' attribute according to the procedures in in [RFC4572] and [I-D.ietf-mmusic-4572-update]. In addition, the
[RFC4145], and one or more SDP 'fingerprint' attributes according to offerer MUST insert in the offer an SDP 'dtls-id' attribute with a
the procedures in [RFC4572], in the offer. unique value for the offer fingerprint set. If the fingerprint set
is not unique due the certificate reuse across multiple SDP sessions
or endpoints, the 'dtls-id' attribute value MUST be generated in a
way that guarantees uniqueness across all current DTLS association
established using this fingerprint set, including DTLS association
established by other SDP sessions or other endpoints.
If the offerer inserts the SDP 'setup' attribute with an 'actpass' or If the offerer inserts the SDP 'setup' attribute with an 'actpass' or
'passive' value, the offerer MUST be prepared to receive a DTLS 'passive' attribute value, the offerer MUST be prepared to receive a
ClientHello message (if a new DTLS association is established by the DTLS ClientHello message (if a new DTLS association is established by
answerer) from the answerer before it receives the SDP answer. the answerer) from the answerer before the offerer receives the SDP
answer.
5.3. Generating the Answer 5.3. Generating the Answer
If an answerer receives an offer that contains an SDP 'dtls-id' When an answerer sends an answer, the answerer MUST insert in the
attribute with a new value, or if the answerer receives an offer that answer an SDP 'setup' attribute according to the procedures in
contains an 'dtls-id' attribute with a previously assigned value and [RFC4145], and one or more SDP 'fingerprint' attributes according to
the answerer determines (based on the criteria for establishing a new the procedures in [RFC4572] and [I-D.ietf-mmusic-4572-update]. If
DTLS association) that a new DTLS association is to be established, the answerer determines, based on the criteria specified in
the answerer MUST insert a new value in the associated answer. In Section 3.1, that a new DTLS association is to be established, the
addition, the answerer MUST insert an SDP 'setup' attribute according answerer MUST insert in the associated answer an SDP 'dtls-id'
to the procedures in [RFC4145], and one or more SDP 'fingerprint' attribute with a unique value for the answer fingerprint set. If the
attributes according to the procedures in [RFC4572], in the answer. fingerprint set is not unique due the certificate reuse across
multiple SDP sessions or endpoints, 'dtls-id' value MUST be generated
in a way that guarantees uniqueness across all current DTLS
association established using this fingerprint set, including DTLS
association established by other SDP sessions or other endpoints.
If an answerer receives an offer that contains an SDP 'dtls-id' If the answerer receives an offer that requires establishing a new
attribute with a new value, and if the answerer does not accept the DTLS association, and if the answerer does not accept the
establishment of a new DTLS association, the answerer MUST reject the establishment of a new DTLS association, the answerer MUST reject the
"m=" lines associated with the suggested DTLS association [RFC3264]. "m=" lines associated with the suggested DTLS association [RFC3264].
If an answerer receives an offer that contains a 'dtls-id' attribute If an answerer receives an offer that does not require to establish a
with a previously assigned value, and if the answerer determines that new DTLS association, and if the answerer determines that a new DTLS
a new DTLS association is not to be established, the answerer MUST association is not to be established, the answerer MUST insert an SDP
insert a 'dtls-id' attribute with the previously assigned value in 'dtls-id' attribute with the previously assigned value in the
the associated answer. In addition, the answerer MUST insert an SDP associated answer. In addition, the answerer MUST insert an SDP
'setup' attribute with a value that does not change the previously 'setup' attribute with a value that does not change the previously
negotiated DTLS roles, and one or more SDP 'fingerprint' attributes negotiated DTLS roles, and one or more SDP 'fingerprint' attributes
values that do not change the previously sent fingerprints, in the values that do not change the previously sent fingerprints, in the
answer. answer.
If the answerer receives an offer that does not contain an SDP 'dtls- If the answerer receives an offer that does not contain an SDP 'dtls-
id' attribute, the answerer MUST NOT insert a 'dtls-id' attribute in id' attribute, the answerer MUST NOT insert a 'dtls-id' attribute in
the answer. the answer.
If a new DTLS association is to be established, and if the answerer If a new DTLS association is to be established, and if the answerer
inserts an SDP 'setup' attribute with an 'active' value in the inserts an SDP 'setup' attribute with an 'active' value in the
answer, the answerer MUST initiate a DTLS handshake by sending a DTLS answer, the answerer MUST initiate a DTLS handshake by sending a DTLS
ClientHello message towards the offerer. ClientHello message towards the offerer.
5.4. Offerer Processing of the SDP Answer 5.4. Offerer Processing of the SDP Answer
When an offerer receives an answer that contains an SDP 'dtls-id' When an offerer receives an answer that establishes a new DTLS
attribute with a new value, and if the offerer becomes DTLS client association based on criteria defined in Section 3.1, and if the
(based on the value of the SDP 'setup' attribute value [RFC4145]), offerer becomes DTLS client (based on the value of the SDP 'setup'
the offerer MUST establish a DTLS association. If the offerer attribute value [RFC4145]), the offerer MUST establish a DTLS
becomes DTLS server, it MUST wait for the answerer to establish the association. If the offerer becomes DTLS server, it MUST wait for
DTLS association. the answerer to establish the DTLS association.
If the answer contains an SDP 'dtls-id' attribute with a previously If the answer does not establish a new DTLS association, the offerer
assigned value, the offerer will continue using the previously will continue using the previously established DTLS association.
established DTLS association. It is considered an error case if the
answer contains a 'dtls-id' attribute with a previously assigned
value, and a DTLS association does not exist.
An offerer needs to be able to handle error conditions that can occur NOTE: New DTLS association can be established based on changes in
during an offer/answer transaction, e.g. if an answer contains an SDP either offer or answer SDP. When communicating with legacy end
'dtls-id' attribute with a previosuly assigned value even if no DTLS points, offerer can receive the answer that uses the same fingerprint
association exists, or if the answer contains one or more new values and negotiate the same setup roles. The new DTLS association
fingerprint values for an existing DTLS association. If such error MUST still be established if such an answer was received as a
case occurs, the offerer SHOULD terminate the associated DTLS response to an offer which requested to establish a new DTLS
association (if it exists) and send a new offer in order to terminate association.
each media stream using the DTLS association, by setting the
associated port value to zero [RFC4145].
5.5. Modifying the Session 5.5. Modifying the Session
When the offerer sends a subsequent offer, and if the offerer wants When the offerer sends a subsequent offer, and if the offerer wants
to establish a new DTLS association, the offerer MUST insert an SDP to establish a new DTLS association, the offerer MUST insert an SDP
'dtls-id' attribute with a new value in the offer. In addition, the 'setup' attribute according to the procedures in [RFC4145], and one
offerer MUST insert an SDP 'setup' attribute according to the or more SDP 'fingerprint' attributes according to the procedures in
procedures in [RFC4145], and one or more SDP 'fingerprint' attributes [RFC4572] and [I-D.ietf-mmusic-4572-update]. In addition, offerer
according to the procedures in [RFC4572], in the offer. MUST insert in the offer an SDP 'dtls-id' attribute with a new unique
value for the offer fingerprint set. If the fingerprint set is not
unique due the certificate reuse across multiple SDP sessions or
endpoints, the 'dtls-id' attribute value MUST be generated in a way
that guarantees uniqueness across all current DTLS association
established using this fingerprint set, including DTLS association
established by other SDP sessions or other endpoints.
when the offerer sends a subsequent offer, and the offerer does not When the offerer sends a subsequent offer, and the offerer does not
want to establish a new DTLS association, and if a previously want to establish a new DTLS association, and if a previously
established DTLS association exists, the offerer MUST insert an SDP established DTLS association exists, the offerer MUST insert an SDP
'dtls-id' attribute with a previously assigned value in the offer. 'dtls-id' attribute with the previously assigned value in the offer.
In addition, the offerer MUST insert an SDP 'setup' attribute with a In addition, the offerer MUST insert an SDP 'setup' attribute with a
value that does not change the previously negotiated DTLS roles, and value that does not change the previously negotiated DTLS roles, and
one or more SDP 'fingerprint' attributes with values that do not one or more SDP 'fingerprint' attributes with values that do not
change the previously sent fingerprints, in the offer. change the previously sent fingerprints, in the offer.
NOTE: When a new DTLS association is established, each endpoint needs NOTE: When a new DTLS association is being established, each endpoint
to be prepared to receive data on both the new and old DTLS needs to be prepared to receive data on both the new and old DTLS
associations as long as both are alive. associations as long as both are alive.
6. ICE Considerations 6. ICE Considerations
When ICE is used, the ICE connectivity checks are performed before When the Interactive Connectivity Establishment (ICE) mechansim
the DTLS handshake begins. Note that if aggressive nomination mode [I-D.ietf-ice-rfc5245bis] is used, the ICE connectivity checks are
is used, multiple candidate pairs may be marked valid before ICE performed before the DTLS handshake begins. Note that if aggressive
finally converges on a single candidate pair. nomination mode is used, multiple candidate pairs may be marked valid
before ICE finally converges on a single candidate pair.
NOTE: Aggressive nomination has been deprecated from ICE, but must NOTE: Aggressive nomination has been deprecated from ICE, but must
still be supported for backwards compatibility reasons. still be supported for backwards compatibility reasons.
When new DTLS association is established over an unordered transport, When new DTLS association is established over an unordered transport,
in order to disambiguate any packets associated with newly in order to disambiguate any packets associated with the newly
established DTLS association, at least one of the endpoints MUST established DTLS association, at least one of the endpoints MUST
allocate a completely new set of ICE candidates which were not allocate a completely new set of ICE candidates which were not
recently used for any other DTLS association. This means that recently used for any other DTLS association. This means the
answerer cannot initiate a new DTLS association unless the offerer answerer cannot initiate a new DTLS association unless the offerer
initiated ICE restart [RFC5245]. If the answerer wants to initiate a initiated ICE restart [I-D.ietf-ice-rfc5245bis]. If the answerer
new DTLS association, it needs to initiate an ICE restart on its own. wants to initiate a new DTLS association, it needs to initiate an ICE
However, an ICE restart does not by default require a new DTLS restart and a new offer/answer exchange on its own. However, an ICE
association to be established. restart does not by default require a new DTLS association to be
established.
NOTE: Simple Traversal of the UDP Protocol through NAT (STUN) packets NOTE: Simple Traversal of the UDP Protocol through NAT (STUN) packets
are sent directly over UDP, not over DTLS. [RFC3261] describes how are sent directly over UDP, not over DTLS. [RFC5764] describes how
to demultiplex STUN packets from DTLS packets and SRTP packets. to demultiplex STUN packets from DTLS packets and SRTP packets.
Each ICE candidate associated with a component is treated as being Each ICE candidate associated with a component is treated as being
part of the same DTLS association. Therefore, from a DTLS part of the same DTLS association. Therefore, from a DTLS
perspective it is not considered a change of local transport perspective it is not considered a change of local transport
parameters when an endpoint switches between those ICE candidates. parameters when an endpoint switches between those ICE candidates.
7. Transport Protocol Considerations 7. Transport Protocol Considerations
7.1. Transport Re-Usage 7.1. Transport Re-Usage
If DTLS is transported on top of a connection-oriented transport If DTLS is transported on top of a connection-oriented transport
protocol (e.g. TCP or SCTP), where all IP packets are acknowledged, protocol (e.g., TCP or SCTP), where all IP packets are acknowledged,
all DTLS packets associated with a previous DTLS association MUST be all DTLS packets associated with a previous DTLS association MUST be
acknowledged (or timed out) before a new DTLS association can be acknowledged (or timed out) before a new DTLS association can be
established on the same transport. established on the same transport.
8. SIP Considerations 8. SIP Considerations
When the Session Initiation Protocol (SIP) [RFC3261] is used as the When the Session Initiation Protocol (SIP) [RFC3261] is used as the
signal protocol for establishing a multimedia session, dialogs signal protocol for establishing a multimedia session, dialogs
[RFC3261] might be established between the caller and multiple [RFC3261] might be established between the caller and multiple
callees. This is referred to as forking. If forking occurs, callees. This is referred to as forking. If forking occurs,
separate DTLS associations MUST be established between the caller and separate DTLS associations MUST be established between the caller and
each callee. each callee.
It is possible to send an INVITE request which does not contain an It is possible to send an INVITE request which does not contain an
SDP offer. Such INVITE request is often referred to as an 'empty SDP offer. Such an INVITE request is often referred to as an 'empty
INVITE', or an 'offer-less INVITE'. The receiving endpoint will INVITE', or an 'offer-less INVITE'. The receiving endpoint will
include the SDP offer in a response associated with the response. include the SDP offer in a response to the request. When the
When the endpoint generates such SDP offer, if a previously endpoint generates such SDP offer, if a previously established DTLS
established DTLS association exists, the offerer SHOULD insert an SDP association exists, the offerer SHOULD insert an SDP 'dtls-id'
'dtls-id' attribute, and one or more SDP 'fingerprint' attributes, attribute, and one or more SDP 'fingerprint' attributes, with
with previously assigned attribute values. If a previously previously assigned attribute values. If a previously established
established DTLS association did not exists offer SHOULD be generated DTLS association did not exists, the offer SHOULD be generated based
based on the same rules as new offer Section 5.2. Regardless of the on the same rules as a new offer Section 5.2. Regardless of the
previous existence of DTLS association, the SDP 'setup' attribute previous existence of a DTLS association, the SDP 'setup' attribute
MUST be included according to rules defiend in [RFC4145] and if ICE MUST be included according to the rules defined in [RFC4145] and if
is used, ICE restart MUST be initiated. ICE is used, ICE restart MUST be initiated.
9. RFC Updates 9. RFC Updates
9.1. General 9.1. General
This section updates specifications that use DTLS-protected media, in This section updates specifications that use DTLS-protected media, in
order to reflect the procedures defined in this specification. order to reflect the procedures defined in this specification.
9.2. Update to RFC 5763 9.2. Update to RFC 5763
skipping to change at page 15, line 45 skipping to change at page 17, line 4
stream. stream.
Note that Simple Traversal of the UDP Protocol through NAT (STUN) Note that Simple Traversal of the UDP Protocol through NAT (STUN)
packets are sent directly over UDP, not over DTLS. [RFC5764] packets are sent directly over UDP, not over DTLS. [RFC5764]
describes how to demultiplex STUN packets from DTLS packets and SRTP describes how to demultiplex STUN packets from DTLS packets and SRTP
packets. packets.
NEW TEXT: NEW TEXT:
6.7.1. ICE Interaction 6.7.1. ICE Interaction
The Interactive Connectivity Establishment (ICE) [RFC5245] The Interactive Connectivity Establishment (ICE) [RFC5245]
considerations for DTLS-protected media are described in considerations for DTLS-protected media are described in
[RFCXXXX]. [RFCXXXX].
Note that Simple Traversal of the UDP Protocol through NAT (STUN)
packets are sent directly over UDP, not over DTLS. [RFC5764]
describes how to demultiplex STUN packets from DTLS packets and SRTP
packets.
9.3. Update to RFC 7345 9.3. Update to RFC 7345
Update to section 4: Update to section 4:
-------------------- --------------------
OLD TEXT: OLD TEXT:
4. SDP Offerer/Answerer Procedures 4. SDP Offerer/Answerer Procedures
4.1. General 4.1. General
skipping to change at page 19, line 32 skipping to change at page 20, line 32
This document updates the "Session Description Protocol Parameters" This document updates the "Session Description Protocol Parameters"
registry as specified in Section 8.2.2 of [RFC4566]. Specifically, registry as specified in Section 8.2.2 of [RFC4566]. Specifically,
it adds the SDP dtls-id attribute to the table for SDP media level it adds the SDP dtls-id attribute to the table for SDP media level
attributes. attributes.
Attribute name: dtls-id Attribute name: dtls-id
Type of attribute: media-level Type of attribute: media-level
Subject to charset: no Subject to charset: no
Purpose: Indicate whether a new DTLS association is to be Purpose: Indicate whether a new DTLS association is to be
established/re-established. established/re-established.
Appropriate Values: see Section 4 Appropriate Values: see Section 4
Contact name: Christer Holmberg Contact name: Christer Holmberg
Category: IDENTICAL Mux Category: IDENTICAL
12. Acknowledgements 12. Acknowledgements
Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat, Jens Guballa, Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat, Jens Guballa,
Charles Eckel and Gonzalo Salgueiro for providing comments and Charles Eckel and Gonzalo Salgueiro for providing comments and
suggestions on the draft. suggestions on the document.
13. Change Log 13. Change Log
[RFC EDITOR NOTE: Please remove this section when publishing] [RFC EDITOR NOTE: Please remove this section when publishing]
Changes from draft-ietf-mmusic-sdp-dtls-14
o Changes based on comments from Flemming:
o - Additional dtls-is clarifiations
o - Editorial fixes
Changes from draft-ietf-mmusic-sdp-dtls-13 Changes from draft-ietf-mmusic-sdp-dtls-13
o Text about the updated RFCs added to Abstract and Introduction o Text about the updated RFCs added to Abstract and Introduction
o Reference to RFC 5763 removed from section 6 (ICE Considerations) o Reference to RFC 5763 removed from section 6 (ICE Considerations)
o Reference to RFC 5763 removed from section 8 (SIP Considerations) o Reference to RFC 5763 removed from section 8 (SIP Considerations)
Changes from draft-ietf-mmusic-sdp-dtls-12 Changes from draft-ietf-mmusic-sdp-dtls-12
o "unreliable" changed to "unordered" o "unreliable" changed to "unordered"
Changes from draft-ietf-mmusic-sdp-dtls-11 Changes from draft-ietf-mmusic-sdp-dtls-11
skipping to change at page 23, line 20 skipping to change at page 24, line 25
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566, Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <http://www.rfc-editor.org/info/rfc4566>. July 2006, <http://www.rfc-editor.org/info/rfc4566>.
[RFC4572] Lennox, J., "Connection-Oriented Media Transport over the [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the
Transport Layer Security (TLS) Protocol in the Session Transport Layer Security (TLS) Protocol in the Session
Description Protocol (SDP)", RFC 4572, Description Protocol (SDP)", RFC 4572,
DOI 10.17487/RFC4572, July 2006, DOI 10.17487/RFC4572, July 2006,
<http://www.rfc-editor.org/info/rfc4572>. <http://www.rfc-editor.org/info/rfc4572>.
[RFC5245] Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Protocol for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols", RFC 5245,
DOI 10.17487/RFC5245, April 2010,
<http://www.rfc-editor.org/info/rfc5245>.
[RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
for Establishing a Secure Real-time Transport Protocol for Establishing a Secure Real-time Transport Protocol
(SRTP) Security Context Using Datagram Transport Layer (SRTP) Security Context Using Datagram Transport Layer
Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
2010, <http://www.rfc-editor.org/info/rfc5763>. 2010, <http://www.rfc-editor.org/info/rfc5763>.
[RFC7345] Holmberg, C., Sedlacek, I., and G. Salgueiro, "UDP [RFC7345] Holmberg, C., Sedlacek, I., and G. Salgueiro, "UDP
Transport Layer (UDPTL) over Datagram Transport Layer Transport Layer (UDPTL) over Datagram Transport Layer
Security (DTLS)", RFC 7345, DOI 10.17487/RFC7345, August Security (DTLS)", RFC 7345, DOI 10.17487/RFC7345, August
2014, <http://www.rfc-editor.org/info/rfc7345>. 2014, <http://www.rfc-editor.org/info/rfc7345>.
[I-D.ietf-mmusic-4572-update]
Holmberg, C., "SDP Fingerprint Attribute Usage
Clarifications", draft-ietf-mmusic-4572-update-07 (work in
progress), September 2016.
14.2. Informative References 14.2. Informative References
[RFC5576] Lennox, J., Ott, J., and T. Schierl, "Source-Specific [RFC5576] Lennox, J., Ott, J., and T. Schierl, "Source-Specific
Media Attributes in the Session Description Protocol Media Attributes in the Session Description Protocol
(SDP)", RFC 5576, DOI 10.17487/RFC5576, June 2009, (SDP)", RFC 5576, DOI 10.17487/RFC5576, June 2009,
<http://www.rfc-editor.org/info/rfc5576>. <http://www.rfc-editor.org/info/rfc5576>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764,
DOI 10.17487/RFC5764, May 2010,
<http://www.rfc-editor.org/info/rfc5764>.
[RFC6083] Tuexen, M., Seggelmann, R., and E. Rescorla, "Datagram [RFC6083] Tuexen, M., Seggelmann, R., and E. Rescorla, "Datagram
Transport Layer Security (DTLS) for Stream Control Transport Layer Security (DTLS) for Stream Control
Transmission Protocol (SCTP)", RFC 6083, Transmission Protocol (SCTP)", RFC 6083,
DOI 10.17487/RFC6083, January 2011, DOI 10.17487/RFC6083, January 2011,
<http://www.rfc-editor.org/info/rfc6083>. <http://www.rfc-editor.org/info/rfc6083>.
[I-D.ietf-ice-rfc5245bis]
Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive
Connectivity Establishment (ICE): A Protocol for Network
Address Translator (NAT) Traversal", draft-ietf-ice-
rfc5245bis-04 (work in progress), June 2016.
[I-D.ietf-mmusic-sdp-mux-attributes] [I-D.ietf-mmusic-sdp-mux-attributes]
Nandakumar, S., "A Framework for SDP Attributes when Nandakumar, S., "A Framework for SDP Attributes when
Multiplexing", draft-ietf-mmusic-sdp-mux-attributes-13 Multiplexing", draft-ietf-mmusic-sdp-mux-attributes-14
(work in progress), June 2016. (work in progress), September 2016.
[I-D.ietf-mmusic-sdp-bundle-negotiation] [I-D.ietf-mmusic-sdp-bundle-negotiation]
Holmberg, C., Alvestrand, H., and C. Jennings, Holmberg, C., Alvestrand, H., and C. Jennings,
"Negotiating Media Multiplexing Using the Session "Negotiating Media Multiplexing Using the Session
Description Protocol (SDP)", draft-ietf-mmusic-sdp-bundle- Description Protocol (SDP)", draft-ietf-mmusic-sdp-bundle-
negotiation-31 (work in progress), June 2016. negotiation-36 (work in progress), October 2016.
Authors' Addresses Authors' Addresses
Christer Holmberg Christer Holmberg
Ericsson Ericsson
Hirsalantie 11 Hirsalantie 11
Jorvas 02420 Jorvas 02420
Finland Finland
Email: christer.holmberg@ericsson.com Email: christer.holmberg@ericsson.com
 End of changes. 69 change blocks. 
187 lines changed or deleted 242 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/