draft-ietf-mmusic-dtls-sdp-22.txt   draft-ietf-mmusic-dtls-sdp-23.txt 
Network Working Group C. Holmberg Network Working Group C. Holmberg
Internet-Draft Ericsson Internet-Draft Ericsson
Updates: 5763,7345 (if approved) R. Shpount Updates: 5763,7345 (if approved) R. Shpount
Intended status: Standards Track TurboBridge Intended status: Standards Track TurboBridge
Expires: September 16, 2017 March 15, 2017 Expires: October 20, 2017 April 18, 2017
Using the SDP Offer/Answer Mechanism for DTLS Using the SDP Offer/Answer Mechanism for DTLS
draft-ietf-mmusic-dtls-sdp-22.txt draft-ietf-mmusic-dtls-sdp-23.txt
Abstract Abstract
This document defines the SDP offer/answer procedures for negotiating This document defines the SDP offer/answer procedures for negotiating
and establishing a DTLS association. The document also defines the and establishing a DTLS association. The document also defines the
criteria for when a new DTLS association must be established. The criteria for when a new DTLS association must be established. The
document updates RFC 5763 and RFC 7345, by replacing common SDP document updates RFC 5763 and RFC 7345, by replacing common SDP
offer/answer procedures with a reference to this specification. offer/answer procedures with a reference to this specification.
This document defines a new SDP media-level attribute, 'dtls-id'. This document defines a new SDP media-level attribute, 'tls-id'.
This document also defines how the 'tls-id' attribute can be used for
negotiating and establishing a TLS connection, in conjunction with
the procedures in RFC 4145 and RFC 8122.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 16, 2017. This Internet-Draft will expire on October 20, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Establishing a new DTLS Association . . . . . . . . . . . . . 3 3. Establishing a new DTLS Association . . . . . . . . . . . . . 4
3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.2. Change of Local Transport Parameters . . . . . . . . . . 4 3.2. Change of Local Transport Parameters . . . . . . . . . . 4
3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4 3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 5
4. SDP dtls-id Attribute . . . . . . . . . . . . . . . . . . . . 4 4. SDP tls-id Attribute . . . . . . . . . . . . . . . . . . . . 5
5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 6 5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 6
5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6
5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 8 5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 8
5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 8 5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 8
5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 9 5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 9
5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 9 5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 10
6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 10 6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 10
7. Transport Protocol Considerations . . . . . . . . . . . . . . 11 7. Transport Protocol Considerations . . . . . . . . . . . . . . 11
7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 11 7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 11
8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 11 8. TLS Considerations . . . . . . . . . . . . . . . . . . . . . 11
9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 11 9. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 12
9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 11 10. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 13
9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 11 10.1. General . . . . . . . . . . . . . . . . . . . . . . . . 13
9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 16 10.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 13
10. Security Considerations . . . . . . . . . . . . . . . . . . . 20 10.2.1. Update to section 5 . . . . . . . . . . . . . . . . 13
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 10.2.2. Update to section 6.6 . . . . . . . . . . . . . . . 16
12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 10.2.3. Update to section 6.7.1 . . . . . . . . . . . . . . 17
13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 20 10.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 18
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 10.3.1. Update to section 4 . . . . . . . . . . . . . . . . 18
14.1. Normative References . . . . . . . . . . . . . . . . . . 24 10.3.2. Update to section 5.2.1 . . . . . . . . . . . . . . 21
14.2. Informative References . . . . . . . . . . . . . . . . . 25 11. Security Considerations . . . . . . . . . . . . . . . . . . . 21
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22
13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 22
14. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 22
15. References . . . . . . . . . . . . . . . . . . . . . . . . . 26
15.1. Normative References . . . . . . . . . . . . . . . . . . 26
15.2. Informative References . . . . . . . . . . . . . . . . . 27
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
1. Introduction 1. Introduction
[RFC5763] defines SDP offer/answer procedures for SRTP-DTLS. [RFC5763] defines SDP offer/answer procedures for SRTP-DTLS.
[RFC7345] defines SDP offer/answer procedures for UDPTL-DTLS. This [RFC7345] defines SDP offer/answer procedures for UDPTL-DTLS. This
specification defines general offer/answer procedures for DTLS, based specification defines general offer/answer procedures for DTLS, based
on the procedures in [RFC5763]. Other specifications, defining on the procedures in [RFC5763]. Other specifications, defining
specific DTLS usages, can then reference this specification, in order specific DTLS usages, can then reference this specification, in order
to ensure that the DTLS aspects are common among all usages. Having to ensure that the DTLS aspects are common among all usages. Having
common procedures is essential when multiple usages share the same common procedures is essential when multiple usages share the same
skipping to change at page 3, line 16 skipping to change at page 3, line 29
obsoleted by [I-D.ietf-stir-rfc4474bis]. The updating of the obsoleted by [I-D.ietf-stir-rfc4474bis]. The updating of the
references (and the associated procedures) within [RFC5763] is references (and the associated procedures) within [RFC5763] is
outside the scope of this document. However, implementers of outside the scope of this document. However, implementers of
[RFC5763] applications are encouraged to implement [RFC5763] applications are encouraged to implement
[I-D.ietf-stir-rfc4474bis] instead of [RFC4474]. [I-D.ietf-stir-rfc4474bis] instead of [RFC4474].
As defined in [RFC5763], a new DTLS association MUST be established As defined in [RFC5763], a new DTLS association MUST be established
when transport parameters are changed. Transport parameter change is when transport parameters are changed. Transport parameter change is
not well defined when Interactive Connectivity Establishment (ICE) not well defined when Interactive Connectivity Establishment (ICE)
[I-D.ietf-ice-rfc5245bis] is used. One possible way to determine a [I-D.ietf-ice-rfc5245bis] is used. One possible way to determine a
transport change is based on ufrag change, but the ufrag value is transport change is based on ufrag [I-D.ietf-ice-rfc5245bis] change,
changed both when ICE is negotiated and when ICE restart but the ufrag value is changed both when ICE is negotiated and when
[I-D.ietf-ice-rfc5245bis] occurs. These events do not always require ICE restart [I-D.ietf-ice-rfc5245bis] occurs. These events do not
a new DTLS association to be established, but currently there is no always require a new DTLS association to be established, but
way to explicitly indicate in an SDP offer or answer whether a new currently there is no way to explicitly indicate in an SDP offer or
DTLS association is required. To solve that problem, this document answer whether a new DTLS association is required. To solve that
defines a new SDP attribute, 'dtls-id'. The pair of SDP 'dtls-id' problem, this document defines a new SDP attribute, 'tls-id'. The
attribute values (the attribute values of the offerer and the pair of SDP 'tls-id' attribute values (the attribute values of the
answerer) uniquely identifies the DTLS association. Providing a new offerer and the answerer) uniquely identifies the DTLS association.
value of the 'dtls-id' attribute in an SDP offer or answers can be Providing a new value of the 'tls-id' attribute in an SDP offer or
used to indicate whether a new DTLS association is to be established. answers can be used to indicate whether a new DTLS association is to
be established.
The SDP 'tls-id' attribute can also be used for negotiating a TLS
connection, using the procedures in this document in conjunction with
the procedures in [RFC5763] and [RFC8122]. The TLS specific
considerations are described in Section 8.
2. Conventions 2. Conventions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119]. document are to be interpreted as described in [RFC2119].
3. Establishing a new DTLS Association 3. Establishing a new DTLS Association
3.1. General 3.1. General
A new DTLS association must be established between two endpoints A new DTLS association must be established between two endpoints
after a successful SDP offer/answer exchange in the following cases: after a successful SDP offer/answer exchange in the following cases:
o The negotiated DTLS setup roles change; or o The negotiated DTLS setup roles change; or
o One or more fingerprint values are modified, added or removed in o One or more fingerprint values are modified, added or removed in
either an SDP offer or answer; or either an SDP offer or answer; or
o The intent to establish a new DTLS association is explicitly o The intent to establish a new DTLS association is explicitly
signaled using SDP, by changing the value of the SDP 'dtls-id' signaled using SDP, by changing the value of the SDP 'tls-id'
attribute defined in this document; attribute defined in this document;
NOTE: The first two items above are based on the procedures in NOTE: The first two items above are based on the procedures in
[RFC5763]. This specification adds the support for explicit [RFC5763]. This specification adds the support for explicit
signaling using the SDP 'dtls-id' attribute. signaling using the SDP 'tls-id' attribute.
A new DTLS association can only be established as a result of the A new DTLS association can only be established as a result of the
successful SDP offer/answer exchange. Whenever an entity determines successful SDP offer/answer exchange. Whenever an entity determines
that a new DTLS association is required, the entity MUST initiate an that a new DTLS association is required, the entity MUST initiate an
SDP offer/answer exchange, following the procedures in Section 5. SDP offer/answer exchange, following the procedures in Section 5.
The sections below describe typical cases where a new DTLS The sections below describe typical cases where a new DTLS
association needs to be established. association needs to be established.
In this document, a "new DTLS association" between two endpoints In this document, a "new DTLS association" between two endpoints
refers to either an initial DTLS association (when no DTLS refers to either an initial DTLS association (when no DTLS
association is currently established between the endpoints) or an association is currently established between the endpoints) or an
DTLS association replacing a previously established DTLS association. DTLS association replacing a previously established DTLS association.
3.2. Change of Local Transport Parameters 3.2. Change of Local Transport Parameters
If an endpoint modifies its local transport parameters (address and/ If an endpoint modifies its local transport parameters (address and/
or port), and if the modification requires a new DTLS association, or port), and if the modification requires a new DTLS association,
the endpoint must change its local SDP 'dtls-id' attribute value (see the endpoint must change its local SDP 'tls-id' attribute value (see
Section 4). Section 4).
If the underlying transport prohibits a DTLS association from If the underlying transport prohibits a DTLS association from
spanning multiple transports, and if the transport is changed, the spanning multiple transports, and if the transport is changed, the
endpoint must change its local SDP 'dtls-id' attribute value (see endpoint must change its local SDP 'tls-id' attribute value (see
Section 4). An example of such a case is when DTLS is carried over Section 4). An example of such a case is when DTLS is carried over
SCTP, as described in [RFC6083]. SCTP, as described in [RFC6083].
3.3. Change of ICE ufrag value 3.3. Change of ICE ufrag value
If an endpoint uses ICE, and modifies a local ufrag value, and if the If an endpoint uses ICE, and modifies a local ufrag value, and if the
modification requires a new DTLS association, the endpoint MUST modification requires a new DTLS association, the endpoint MUST
change its local SDP 'dtls-id' attribute value (see Section 4). change its local SDP 'tls-id' attribute value (see Section 4).
4. SDP dtls-id Attribute 4. SDP tls-id Attribute
The pair of SDP 'dtls-id' attribute values (the attribute values of The pair of SDP 'tls-id' attribute values (the attribute values of
the offerer and the answerer) uniquely identifies the DTLS the offerer and the answerer) uniquely identifies the DTLS
association. association or TLS connection.
Name: dtls-id Name: tls-id
Value: dtls-id-value Value: tls-id-value
Usage Level: media Usage Level: media
Charset Dependent: no Charset Dependent: no
Default Value: N/A Default Value: N/A
Syntax: Syntax:
dtls-id-value = 20*255(dtls-id-char) tls-id-value = 20*255(tls-id-char)
dtls-id-char = ALPHA / DIGIT / "+" / "/" / "-" / "_" tls-id-char = ALPHA / DIGIT / "+" / "/" / "-" / "_"
<ALPHA and DIGIT defined in [RFC4566]> <ALPHA and DIGIT defined in [RFC4566]>
Example: Example:
a=dtls-id:abc3de65cddef001be82 a=tls-id:abc3de65cddef001be82
Every time an endpoint requests to establish a new DTLS association, Every time an endpoint requests to establish a new DTLS association,
the endpoint MUST generate a new local 'dtls-id' attribute value. A the endpoint MUST generate a new local 'tls-id' attribute value. A
non-changed local 'dtls-id' attribute value, in combination with non- non-changed local 'tls-id' attribute value, in combination with non-
changed fingerprints, indicates that the endpoint intends to reuse changed fingerprints, indicates that the endpoint intends to reuse
the existing DTLS association. the existing DTLS association.
The 'dtls-id' attribute value MUST be generated using a cryptographic The 'tls-id' attribute value MUST be generated using a strong random
random function and include at least 120 bits of randomness. function and include at least 120 bits of randomness.
No default value is defined for the SDP 'dtls-id' attribute. No default value is defined for the SDP 'tls-id' attribute.
Implementations that wish to use the attribute MUST explicitly Implementations that wish to use the attribute MUST explicitly
include it in SDP offers and answers. If an offer or answer does not include it in SDP offers and answers. If an offer or answer does not
contain a 'dtls-id' attribute (this could happen if the offerer or contain a 'tls-id' attribute (this could happen if the offerer or
answerer represents an existing implementation that has not been answerer represents an existing implementation that has not been
updated to support the 'dtls-id' attribute), unless there is another updated to support the 'tls-id' attribute), unless there is another
mechanism to explicitly indicate that a new DTLS association is to be mechanism to explicitly indicate that a new DTLS association is to be
established, a modification of one or more of the following established, a modification of one or more of the following
characteristics MUST be treated as an indication that an endpoint characteristics MUST be treated as an indication that an endpoint
wants to establish a new DTLS association: wants to establish a new DTLS association:
o DTLS setup role; or o DTLS setup role; or
o fingerprint set; or o fingerprint set; or
o local transport parameters; or o local transport parameters; or
skipping to change at page 6, line 4 skipping to change at page 6, line 17
mechanism to explicitly indicate that a new DTLS association is to be mechanism to explicitly indicate that a new DTLS association is to be
established, a modification of one or more of the following established, a modification of one or more of the following
characteristics MUST be treated as an indication that an endpoint characteristics MUST be treated as an indication that an endpoint
wants to establish a new DTLS association: wants to establish a new DTLS association:
o DTLS setup role; or o DTLS setup role; or
o fingerprint set; or o fingerprint set; or
o local transport parameters; or o local transport parameters; or
o ICE ufrag value o ICE ufrag value
The mux category [I-D.ietf-mmusic-sdp-mux-attributes] for the 'dtls- The mux category [I-D.ietf-mmusic-sdp-mux-attributes] for the 'tls-
id' attribute is 'IDENTICAL', which means that the attribute value id' attribute is 'IDENTICAL', which means that the attribute value
must be identical across all media descriptions being multiplexed must be identical across all media descriptions being multiplexed
[I-D.ietf-mmusic-sdp-bundle-negotiation]. [I-D.ietf-mmusic-sdp-bundle-negotiation].
For RTP-based media, the 'dtls-id' attribute applies to the whole For RTP-based media, the 'tls-id' attribute applies to the whole
associated media description. The attribute MUST NOT be defined per associated media description. The attribute MUST NOT be defined per
source (using the SDP 'ssrc' attribute [RFC5576]). source (using the SDP 'ssrc' attribute [RFC5576]).
The SDP offer/answer [RFC3264] procedures associated with the The SDP offer/answer [RFC3264] procedures associated with the
attribute are defined in Section 5. attribute are defined in Section 5.
5. SDP Offer/Answer Procedures 5. SDP Offer/Answer Procedures
5.1. General 5.1. General
This section defines the generic SDP offer/answer procedures for This section defines the generic SDP offer/answer procedures for
negotiating a DTLS association. Additional procedures (e.g., negotiating a DTLS association. Additional procedures (e.g.,
regarding usage of specific SDP attributes etc.) for individual DTLS regarding usage of specific SDP attributes etc.) for individual DTLS
usages (e.g., SRTP-DTLS) are outside the scope of this specification, usages (e.g., SRTP-DTLS) are outside the scope of this specification,
and need to be specified in a usage specific specification. and need to be specified in a usage specific specification.
NOTE: The procedures in this section are generalizations of NOTE: The procedures in this section are generalizations of
procedures first specified in SRTP-DTLS [RFC5763], with the addition procedures first specified in SRTP-DTLS [RFC5763], with the addition
of usage of the SDP 'dtls-id' attribute. That document is herein of usage of the SDP 'tls-id' attribute. That document is herein
updated to make use of these new procedures. updated to make use of these new procedures.
The procedures in this section apply to an SDP media description The procedures in this section apply to an SDP media description
("m=" line) associated with DTLS-protected media/data. ("m=" line) associated with DTLS-protected media/data.
When an offerer or answerer indicates that it wants to establish a When an offerer or answerer indicates that it wants to establish a
new DTLS association, it needs to make sure that media packets in the new DTLS association, it needs to make sure that media packets
existing DTLS association and new DTLS association can be de- associated with any previously established DTLS association and the
multiplexed. In case of an ordered transport (e.g., SCTP) this can new DTLS association can be de-multiplexed. In case of an ordered
be done simply by sending packets for the new DTLS association after transport (e.g., SCTP) this can be done simply by sending packets for
all packets for the existing DTLS association have been sent. In the new DTLS association after all packets associated with a
case of an unordered transport, such as UDP, packets for the old DTLS previously established DTLS association has been sent. In case of an
association can arrive after the answer SDP was received and after unordered transport, such as UDP, packets associated with a
the first packets for the new DTLS association were received. The previously established DTLS association can arrive after the answer
only way to de-multiplex packets belonging to the old and new DTLS SDP was received and after the first packets associated with the new
association is on the basis of transport 5-tuple. Because of this, DTLS association were received. The only way to de-multiplex packets
if an unordered transport is used for the DTLS association, a new associated with with a previously established DTLS association and
transport (3-tuple) must be allocated by at least one of the the new DTLS association is on the basis of transport 5-tuple.
endpoints so that DTLS packets can be de-multiplexed. Because of this, if an unordered transport is used for the DTLS
association, a new transport (3-tuple) must be allocated by at least
one of the endpoints so that DTLS packets can be de-multiplexed.
When an offerer needs to establish a new DTLS association, and if an When an offerer needs to establish a new DTLS association, and if an
unordered transport (e.g., UDP) is used, the offerer MUST allocate a unordered transport (e.g., UDP) is used, the offerer MUST allocate a
new transport (3-tuple) for the offer in such a way that the offerer new transport (3-tuple) for the offer in such a way that the offerer
can disambiguate any packets associated with the new DTLS association can disambiguate any packets associated with the new DTLS association
from any packets associated with any other DTLS association. This from any packets associated with any other DTLS association. This
typically means using a local address and/or port, or a set of ICE typically means using a local address and/or port, or a set of ICE
candidates (see Section 6), which were not recently used for any candidates (see Section 6), which were not recently used for any
other DTLS association. other DTLS association.
skipping to change at page 7, line 29 skipping to change at page 7, line 43
other DTLS association. This typically means using a local address other DTLS association. This typically means using a local address
and/or port, or a set of ICE candidates (see Section 6), which were and/or port, or a set of ICE candidates (see Section 6), which were
not recently used for any other DTLS association. not recently used for any other DTLS association.
In order to negotiate a DTLS association, the following SDP In order to negotiate a DTLS association, the following SDP
attributes are used: attributes are used:
o The SDP 'setup' attribute, defined in [RFC4145], is used to o The SDP 'setup' attribute, defined in [RFC4145], is used to
negotiate the DTLS roles; negotiate the DTLS roles;
o The SDP 'fingerprint' attribute, defined in o The SDP 'fingerprint' attribute, defined in [RFC8122], is used to
[I-D.ietf-mmusic-4572-update], is used to provide one or more provide one or more fingerprint values; and
fingerprint values; and
o The SDP 'dtls-id' attribute, defined in this specification, is o The SDP 'tls-id' attribute, defined in this specification, is used
used to identity the DTLS association. to identity the DTLS association.
This specification does not define the usage of the SDP 'connection' This specification does not define the usage of the SDP 'connection'
attribute [RFC4145] for negotiating a DTLS association. However, the attribute [RFC4145] for negotiating a DTLS association. However, the
attribute MAY be used if the DTLS association is used together with attribute MAY be used if the DTLS association is used together with
another protocol (e.g., SCTP or TCP) for which the usage of the another protocol (e.g., SCTP or TCP) for which the usage of the
attribute has been defined. attribute has been defined.
Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP
'setup' attribute 'holdconn' value when negotiating a DTLS 'setup' attribute 'holdconn' value when negotiating a DTLS
association. association.
Endpoints MUST support the cipher suites as defined in Endpoints MUST support the cipher suites as defined in [RFC8122].
[I-D.ietf-mmusic-4572-update].
The certificate received during the DTLS handshake MUST match a The certificate received during the DTLS handshake MUST match a
certificate fingerprints received in SDP 'fingerprint' attributes certificate fingerprint received in SDP 'fingerprint' attributes
according to the procedures defined in [I-D.ietf-mmusic-4572-update]. according to the procedures defined in [RFC8122]. If fingerprints do
If fingerprints do not match the hashed certificate, then an endpoint not match the hashed certificate, then an endpoint MUST tear down the
MUST tear down the media session immediately (see media session immediately (see [RFC8122]). Note that it is
[I-D.ietf-mmusic-4572-update]). Note that it is permissible to wait permissible to wait until the other side's fingerprint(s) has been
until the other side's fingerprint(s) has been received before received before establishing the connection; however, this may have
establishing the connection; however, this may have undesirable undesirable latency effects.
latency effects.
SDP offerers and answerers might reuse certificates across multiple SDP offerers and answerers might reuse certificates across multiple
DTLS associations, and provide identical fingerprint values for each DTLS associations, and provide identical fingerprint values for each
DTLS association. The combination of the SDP 'dtls-id' attribute DTLS association. The combination of the SDP 'tls-id' attribute
values of the SDP offerer and answerer identifies each individual values of the SDP offerer and answerer identifies each individual
DTLS association. DTLS association.
5.2. Generating the Initial SDP Offer 5.2. Generating the Initial SDP Offer
When an offerer sends the initial offer, the offerer MUST insert an When an offerer sends the initial offer, the offerer MUST insert an
SDP 'setup' attribute according to the procedures in [RFC4145], and SDP 'setup' attribute according to the procedures in [RFC4145], and
one or more SDP 'fingerprint' attributes according to the procedures one or more SDP 'fingerprint' attributes according to the procedures
in [I-D.ietf-mmusic-4572-update]. In addition, the offerer MUST in [RFC8122]. In addition, the offerer MUST insert in the offer an
insert in the offer an SDP 'dtls-id' attribute with a unique value. SDP 'tls-id' attribute with a unique value.
If the offerer inserts the SDP 'setup' attribute with an 'actpass' or If the offerer inserts the SDP 'setup' attribute with an 'actpass' or
'passive' attribute value, the offerer MUST be prepared to receive a 'passive' attribute value, the offerer MUST be prepared to receive a
DTLS ClientHello message (if a new DTLS association is established by DTLS ClientHello message (if a new DTLS association is established by
the answerer) from the answerer before the offerer receives the SDP the answerer) from the answerer before the offerer receives the SDP
answer. answer.
5.3. Generating the Answer 5.3. Generating the Answer
When an answerer sends an answer, the answerer MUST insert in the When an answerer sends an answer, the answerer MUST insert in the
answer an SDP 'setup' attribute according to the procedures in answer an SDP 'setup' attribute according to the procedures in
[RFC4145], and one or more SDP 'fingerprint' attributes according to [RFC4145], and one or more SDP 'fingerprint' attributes according to
the procedures in [I-D.ietf-mmusic-4572-update]. If the answerer the procedures in [RFC8122]. If the answerer determines, based on
determines, based on the criteria specified in Section 3.1, that a the criteria specified in Section 3.1, that a new DTLS association is
new DTLS association is to be established, the answerer MUST insert to be established, the answerer MUST insert in the associated answer
in the associated answer an SDP 'dtls-id' attribute with a new unique an SDP 'tls-id' attribute with a new unique value. Note that the
value. Note that the offerer and answerer generate their own local offerer and answerer generate their own local 'tls-id' attribute
'dtls-id' attribute values, and the combination of both values values, and the combination of both values identify the DTLS
identify the DTLS association. association.
If the answerer receives an offer that requires establishment of a If the answerer receives an offer that requires establishment of a
new DTLS association, and if the answerer does not accept the new DTLS association, and if the answerer does not accept the
establishment of a new DTLS association, the answerer MUST reject the establishment of a new DTLS association, the answerer MUST reject the
"m=" lines associated with the suggested DTLS association [RFC3264]. "m=" lines associated with the suggested DTLS association [RFC3264].
If an answerer receives an offer that does not require the If an answerer receives an offer that does not require the
establishment of a new DTLS association, and if the answerer establishment of a new DTLS association, and if the answerer
determines that a new DTLS association is not to be established, the determines that a new DTLS association is not to be established, the
answerer MUST insert an SDP 'dtls-id' attribute with the previously answerer MUST insert an SDP 'tls-id' attribute with the previously
assigned value in the associated answer. In addition, the answerer assigned value in the associated answer. In addition, the answerer
MUST insert an SDP 'setup' attribute with a value that does not MUST insert an SDP 'setup' attribute with a value that does not
change the previously negotiated DTLS roles, and one or more SDP change the previously negotiated DTLS roles, and one or more SDP
'fingerprint' attributes values that do not change the previously 'fingerprint' attributes values that do not change the previously
sent fingerprint set, in the associated answer. sent fingerprint set, in the associated answer.
If the answerer receives an offer that does not contain an SDP 'dtls- If the answerer receives an offer that does not contain an SDP 'tls-
id' attribute, the answerer MUST NOT insert a 'dtls-id' attribute in id' attribute, the answerer MUST NOT insert a 'tls-id' attribute in
the answer. the answer.
If a new DTLS association is to be established, and if the answerer If a new DTLS association is to be established, and if the answerer
inserts an SDP 'setup' attribute with an 'active' value in the inserts an SDP 'setup' attribute with an 'active' value in the
answer, the answerer MUST initiate a DTLS handshake by sending a DTLS answer, the answerer MUST initiate a DTLS handshake by sending a DTLS
ClientHello message towards the offerer. ClientHello message towards the offerer.
5.4. Offerer Processing of the SDP Answer 5.4. Offerer Processing of the SDP Answer
When an offerer receives an answer that establishes a new DTLS When an offerer receives an answer that establishes a new DTLS
association based on criteria defined in Section 3.1, and if the association based on criteria defined in Section 3.1, and if the
offerer becomes DTLS client (based on the value of the SDP 'setup' offerer becomes DTLS client (based on the value of the SDP 'setup'
attribute value [RFC4145]), the offerer MUST establish a DTLS attribute value [RFC4145]), the offerer MUST establish a DTLS
association. If the offerer becomes DTLS server, it MUST wait for association. If the offerer becomes DTLS server, it MUST wait for
the answerer to establish the DTLS association. the answerer to establish the DTLS association.
If the answer does not establish a new DTLS association, the offerer If the offerer indiciated a desire to reuse an existing DTLS
will continue using the previously established DTLS association. association and the answerer does not request the establishment of a
new DTLS assocation, the offerer will continue to use the previously
established DTLS association.
NOTE: A new DTLS association can be established based on changes in NOTE: A new DTLS association can be established based on changes in
either an SDP offer or answer. When communicating with legacy either an SDP offer or answer. When communicating with legacy
endpoints, an offerer can receive an answer that includes the same endpoints, an offerer can receive an answer that includes the same
fingerprint set and setup role. A new DTLS association MUST still be fingerprint set and setup role. A new DTLS association MUST still be
established if such an answer was received as a response to an offer established if such an answer was received as a response to an offer
which requested the establishment of a new DTLS association. which requested the establishment of a new DTLS association.
5.5. Modifying the Session 5.5. Modifying the Session
When the offerer sends a subsequent offer, and if the offerer wants When the offerer sends a subsequent offer, and if the offerer wants
to establish a new DTLS association, the offerer MUST insert an SDP to establish a new DTLS association, the offerer MUST insert an SDP
'setup' attribute according to the procedures in [RFC4145], and one 'setup' attribute according to the procedures in [RFC4145], and one
or more SDP 'fingerprint' attributes according to the procedures in or more SDP 'fingerprint' attributes according to the procedures in
[I-D.ietf-mmusic-4572-update]. In addition, the offerer MUST insert [RFC8122]. In addition, the offerer MUST insert in the offer an SDP
in the offer an SDP 'dtls-id' attribute with a new unique value. 'tls-id' attribute with a new unique value.
When the offerer sends a subsequent offer, and the offerer does not When the offerer sends a subsequent offer, and the offerer does not
want to establish a new DTLS association, and if a previously want to establish a new DTLS association, and if a previously
established DTLS association exists, the offerer MUST insert an SDP established DTLS association exists, the offerer MUST insert an SDP
'dtls-id' attribute with the previously assigned value in the offer. 'tls-id' attribute with the previously assigned value in the offer.
In addition, the offerer MUST insert an SDP 'setup' attribute, and In addition, the offerer MUST insert an SDP 'setup' attribute, and
one or more SDP 'fingerprint' attributes with values that do not one or more SDP 'fingerprint' attributes with values that do not
change the previously sent fingerprint set, in the offer. The value change the previously sent fingerprint set, in the offer. The value
of the 'setup' attribute SHOULD be set to 'actpass', in order to of the 'setup' attribute SHOULD be set to 'actpass', in order to
allow the answerer to establish a new DTLS association with a allow the answerer to establish a new DTLS association with a
different role, but MAY be set to the current negotiated role different role, but MAY be set to the current negotiated role
('active' or 'passive'). It MUST NOT be set to a value that changes ('active' or 'passive'). It MUST NOT be set to a value that changes
the current negotiated role. the current negotiated role.
NOTE: When a new DTLS association is being established, each endpoint NOTE: When a new DTLS association is being established, each endpoint
skipping to change at page 11, line 15 skipping to change at page 11, line 26
7. Transport Protocol Considerations 7. Transport Protocol Considerations
7.1. Transport Re-Usage 7.1. Transport Re-Usage
If DTLS is transported on top of a connection-oriented transport If DTLS is transported on top of a connection-oriented transport
protocol (e.g., TCP or SCTP), where all IP packets are acknowledged, protocol (e.g., TCP or SCTP), where all IP packets are acknowledged,
all DTLS packets associated with a previous DTLS association MUST be all DTLS packets associated with a previous DTLS association MUST be
acknowledged (or timed out) before a new DTLS association can be acknowledged (or timed out) before a new DTLS association can be
established on the same instance of that transport (5-tuple). established on the same instance of that transport (5-tuple).
8. SIP Considerations 8. TLS Considerations
The procedures in this document can also be used for negotiating and
establishing aTLS connection, with the restriction described below.
As specified in [RFC4145], the SDP 'connection' attribute is used to
indicate whether to establish a new TLS connection. An offerer and
answerer MUST ensure that the 'connection' attribute value and the
'tls-id' attribute value does not cause a conflict regarding whether
a new TLS connection is to be established or not.
NOTE: Even though the SDP 'connection' attribute can be used to
indicate whether a new TLS connection is to be established, the
unique combination of SDP 'tls-id' attribute values can be used to
identity a TLS connection. The unique value can be used e.g., within
TLS protocol extensions to differentiate between mulitple TLS
connections and correlate those connections with specific offer/
answer exchanges.
If an offerer or answerer inserts an SDP 'connection' attribute with
a 'new' value in the offer/answer, the offerer/answerer MUST also
insert an SDP 'tls-id' attribute with a new unique value.
If an offerer or answerer inserts an SDP 'connection' attribute with
a 'existing' value in the offer/answer, and if a previously
established TLS connection exists, the offerer/answerer MUST also
insert an SDP 'tls-id' attribute with the previously assigned value
in the offer/answer.
If an offerer or answerer receives an offer/answer with conflicting
attribute values, the offerer/answerer MUST process the offer/answer
as misformed.
An endpoint must not make assumptions regarding the support of the
SDP 'tls-id' attribute by the peer. Therefore, to avoid ambiguity,
both offerers and answerers MUST always use the 'connection'
attribute in conjunction with the 'tls-id' attribute.
NOTE: As defined in [RFC4145], if the SDP 'connection' attribute is
not explicitly present, the implicit default value is 'new'.
The SDP example below is based on the example in section 3.4 of
[RFC3261], with the addition of the SDP 'tls-id' attribute.
m=image 54111 TCP/TLS t38
c=IN IP4 192.0.2.2
a=tls-id:abc3de65cddef001be82
a=setup:passive
a=connection:new
a=fingerprint:SHA-256 \
12:DF:3E:5D:49:6B:19:E5:7C:AB:4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF: \
3E:5D:49:6B:19:E5:7C:AB:4A:AD
a=fingerprint:SHA-1 \
4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB
9. SIP Considerations
When the Session Initiation Protocol (SIP) [RFC3261] is used as the When the Session Initiation Protocol (SIP) [RFC3261] is used as the
signal protocol for establishing a multimedia session, dialogs signal protocol for establishing a multimedia session, dialogs
[RFC3261] might be established between the caller and multiple [RFC3261] might be established between the caller and multiple
callees. This is referred to as forking. If forking occurs, callees. This is referred to as forking. If forking occurs,
separate DTLS associations will be established between the caller and separate DTLS associations will be established between the caller and
each callee. each callee.
It is possible to send an INVITE request which does not contain an It is possible to send an INVITE request which does not contain an
SDP offer. Such an INVITE request is often referred to as an 'empty SDP offer. Such an INVITE request is often referred to as an 'empty
INVITE', or an 'offer-less INVITE'. The receiving endpoint will INVITE', or an 'offer-less INVITE'. The receiving endpoint will
include the SDP offer in a response to the request. When the include the SDP offer in a response to the request. When the
endpoint generates such SDP offer, if a previously established DTLS endpoint generates such SDP offer, if a previously established DTLS
association exists, the offerer MUST insert an SDP 'dtls-id' association exists, the offerer MUST insert an SDP 'tls-id'
attribute, and one or more SDP 'fingerprint' attributes, with attribute, and one or more SDP 'fingerprint' attributes, with
previously assigned attribute values. If a previously established previously assigned attribute values. If a previously established
DTLS association did not exist, the offer MUST be generated based on DTLS association did not exist, the offer MUST be generated based on
the same rules as a new offer (see Section 5.2). Regardless of the the same rules as a new offer (see Section 5.2). Regardless of the
previous existence of a DTLS association, the SDP 'setup' attribute previous existence of a DTLS association, the SDP 'setup' attribute
MUST be included according to the rules defined in [RFC4145] and if MUST be included according to the rules defined in [RFC4145] and if
ICE is used, ICE restart MUST be initiated. ICE is used, ICE restart MUST be initiated.
9. RFC Updates 10. RFC Updates
9.1. General 10.1. General
This section updates specifications that use DTLS-protected media, in This section updates specifications that use DTLS-protected media, in
order to reflect the procedures defined in this specification. order to reflect the procedures defined in this specification.
9.2. Update to RFC 5763 10.2. Update to RFC 5763
Update to section 5: 10.2.1. Update to section 5
OLD TEXT: OLD TEXT:
5. Establishing a Secure Channel 5. Establishing a Secure Channel
The two endpoints in the exchange present their identities as part of The two endpoints in the exchange present their identities as part of
the DTLS handshake procedure using certificates. This document uses the DTLS handshake procedure using certificates. This document uses
certificates in the same style as described in "Connection-Oriented certificates in the same style as described in "Connection-Oriented
Media Transport over the Transport Layer Security (TLS) Protocol in Media Transport over the Transport Layer Security (TLS) Protocol in
the Session Description Protocol (SDP)" [RFC4572]. the Session Description Protocol (SDP)" [RFC4572].
skipping to change at page 15, line 26 skipping to change at page 16, line 46
secured. secured.
Note that the entire authentication and key exchange for securing Note that the entire authentication and key exchange for securing
the media traffic is handled in the media path through DTLS. The the media traffic is handled in the media path through DTLS. The
signaling path is only used to verify the peers' certificate signaling path is only used to verify the peers' certificate
fingerprints. fingerprints.
The offerer and answerer MUST follow the SDP offer/answer procedures The offerer and answerer MUST follow the SDP offer/answer procedures
defined in [RFCXXXX]. defined in [RFCXXXX].
[RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number 10.2.2. Update to section 6.6
of this document.] OLD TEXT:
Update to section 6.6:
OLD TEXT:
6.6. Session Modification
Once an answer is provided to the offerer, either endpoint MAY
request a session modification that MAY include an updated offer.
This session modification can be carried in either an INVITE or
UPDATE request. The peers can reuse the existing associations if
they are compatible (i.e., they have the same key fingerprints and
transport parameters), or establish a new one following the same
rules are for initial exchanges, tearing down the existing
association as soon as the offer/answer exchange is completed. Note
that if the active/passive status of the endpoints changes, a new
connection MUST be established.
NEW TEXT: 6.6. Session Modification
6.6. Session Modification Once an answer is provided to the offerer, either endpoint MAY
request a session modification that MAY include an updated offer.
This session modification can be carried in either an INVITE or
UPDATE request. The peers can reuse the existing associations if
they are compatible (i.e., they have the same key fingerprints and
transport parameters), or establish a new one following the same
rules are for initial exchanges, tearing down the existing
association as soon as the offer/answer exchange is completed. Note
that if the active/passive status of the endpoints changes, a new
connection MUST be established.
Once an answer is provided to the offerer, either endpoint MAY NEW TEXT:
request a session modification that MAY include an updated offer.
This session modification can be carried in either an INVITE or
UPDATE request. The peers can reuse an existing DTLS association,
or establish a new one, following the procedures in [RFCXXXX].
[RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number 6.6. Session Modification
of this document.]
Update to section 6.7.1: Once an answer is provided to the offerer, either endpoint MAY
request a session modification that MAY include an updated offer.
This session modification can be carried in either an INVITE or
UPDATE request. The peers can reuse an existing DTLS association,
or establish a new one, following the procedures in [RFCXXXX].
10.2.3. Update to section 6.7.1
OLD TEXT: OLD TEXT:
6.7.1. ICE Interaction 6.7.1. ICE Interaction
Interactive Connectivity Establishment (ICE), as specified in Interactive Connectivity Establishment (ICE), as specified in
[RFC5245], provides a methodology of allowing participants in [RFC5245], provides a methodology of allowing participants in
multimedia sessions to verify mutual connectivity. When ICE is being multimedia sessions to verify mutual connectivity. When ICE is being
used, the ICE connectivity checks are performed before the DTLS used, the ICE connectivity checks are performed before the DTLS
handshake begins. Note that if aggressive nomination mode is used, handshake begins. Note that if aggressive nomination mode is used,
multiple candidate pairs may be marked valid before ICE finally multiple candidate pairs may be marked valid before ICE finally
skipping to change at page 16, line 46 skipping to change at page 18, line 35
packets. packets.
NEW TEXT: NEW TEXT:
6.7.1. ICE Interaction 6.7.1. ICE Interaction
The Interactive Connectivity Establishment (ICE) The Interactive Connectivity Establishment (ICE)
[I-D.ietf-ice-rfc5245bis] considerations for DTLS-protected media [I-D.ietf-ice-rfc5245bis] considerations for DTLS-protected media
are described in [RFCXXXX]. are described in [RFCXXXX].
9.3. Update to RFC 7345 10.3. Update to RFC 7345
[RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number
of this document.]
Update to section 4: 10.3.1. Update to section 4
OLD TEXT: OLD TEXT:
4. SDP Offerer/Answerer Procedures 4. SDP Offerer/Answerer Procedures
4.1. General 4.1. General
An endpoint (i.e., both the offerer and the answerer) MUST create an An endpoint (i.e., both the offerer and the answerer) MUST create an
SDP media description ("m=" line) for each UDPTL-over-DTLS media SDP media description ("m=" line) for each UDPTL-over-DTLS media
stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the
skipping to change at page 19, line 22 skipping to change at page 21, line 7
SDP media description ("m=" line) for each UDPTL-over-DTLS media SDP media description ("m=" line) for each UDPTL-over-DTLS media
stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the
"proto" field of the "m=" line. "proto" field of the "m=" line.
The offerer and answerer MUST follow the SDP offer/answer procedures The offerer and answerer MUST follow the SDP offer/answer procedures
defined in [RFCXXXX] in order to negotiate the DTLS association defined in [RFCXXXX] in order to negotiate the DTLS association
associated with the UDPTL-over-DTLS media stream. In addition, associated with the UDPTL-over-DTLS media stream. In addition,
the offerer and answerer MUST use the SDP attributes defined for the offerer and answerer MUST use the SDP attributes defined for
UDPTL over UDP, as defined in [ITU.T38.2010]. UDPTL over UDP, as defined in [ITU.T38.2010].
[RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number 10.3.2. Update to section 5.2.1
of this document.]
Update to section 5.2.1:
OLD TEXT: OLD TEXT:
5.2.1. ICE Usage 5.2.1. ICE Usage
When Interactive Connectivity Establishment (ICE) [RFC5245] is being When Interactive Connectivity Establishment (ICE) [RFC5245] is being
used, the ICE connectivity checks are performed before the DTLS used, the ICE connectivity checks are performed before the DTLS
handshake begins. Note that if aggressive nomination mode is used, handshake begins. Note that if aggressive nomination mode is used,
multiple candidate pairs may be marked valid before ICE finally multiple candidate pairs may be marked valid before ICE finally
converges on a single candidate pair. User Agents (UAs) MUST treat converges on a single candidate pair. User Agents (UAs) MUST treat
all ICE candidate pairs associated with a single component as part all ICE candidate pairs associated with a single component as part
of the same DTLS association. Thus, there will be only one DTLS of the same DTLS association. Thus, there will be only one DTLS
handshake even if there are multiple valid candidate pairs. Note handshake even if there are multiple valid candidate pairs. Note
that this may mean adjusting the endpoint IP addresses if the that this may mean adjusting the endpoint IP addresses if the
selected candidate pair shifts, just as if the DTLS packets were an selected candidate pair shifts, just as if the DTLS packets were an
ordinary media stream. In the case of an ICE restart, the DTLS ordinary media stream. In the case of an ICE restart, the DTLS
handshake procedure is repeated, and a new DTLS association is handshake procedure is repeated, and a new DTLS association is
created. Once the DTLS handshake is completed and the new DTLS created. Once the DTLS handshake is completed and the new DTLS
association has been created, the previous DTLS association is association has been created, the previous DTLS association is
deleted. deleted.
NEW TEXT: NEW TEXT:
5.2.1. ICE Usage 5.2.1. ICE Usage
The Interactive Connectivity Establishment (ICE) The Interactive Connectivity Establishment (ICE)
[I-D.ietf-ice-rfc5245bis] considerations for DTLS-protected media [I-D.ietf-ice-rfc5245bis] considerations for DTLS-protected media
are described in [RFCXXXX]. are described in [RFCXXXX].
[RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number [RFC EDITOR NOTE: Througout the document, please replace RFCXXXX
of this document.] with the RFC number of this document.]
10. Security Considerations 11. Security Considerations
This specification does not modify the security considerations This specification does not modify the security considerations
associated with DTLS, or the SDP offer/answer mechanism. In addition associated with DTLS, or the SDP offer/answer mechanism. In addition
to the introduction of the SDP 'dtls-id' attribute, the specification to the introduction of the SDP 'tls-id' attribute, the specification
simply clarifies the procedures for negotiating and establishing a simply clarifies the procedures for negotiating and establishing a
DTLS association. DTLS association.
11. IANA Considerations 12. IANA Considerations
This document updates the "Session Description Protocol Parameters" This document updates the "Session Description Protocol Parameters"
registry as specified in Section 8.2.2 of [RFC4566]. Specifically, registry as specified in Section 8.2.2 of [RFC4566]. Specifically,
it adds the SDP 'dtls-id' attribute to the table for SDP media level it adds the SDP 'tls-id' attribute to the table for SDP media level
attributes. attributes.
Attribute name: dtls-id Attribute name: tls-id
Type of attribute: media-level Type of attribute: media-level
Subject to charset: no Subject to charset: no
Purpose: Indicates whether a new DTLS association is to be Purpose: Indicates whether a new DTLS association or TLS connection
established/re-established. is to be established/re-established.
Appropriate Values: see Section 4 Appropriate Values: see Section 4
Contact name: Christer Holmberg Contact name: Christer Holmberg
Mux Category: IDENTICAL Mux Category: IDENTICAL
12. Acknowledgements 13. Acknowledgements
Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat, Jens Guballa, Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat, Jens Guballa,
Charles Eckel, Gonzalo Salgueiro and Paul Jones for providing Charles Eckel, Gonzalo Salgueiro and Paul Jones for providing
comments and suggestions on the document. Ben Campbell performed an comments and suggestions on the document. Ben Campbell performed an
AD review. AD review.
13. Change Log 14. Change Log
[RFC EDITOR NOTE: Please remove this section when publishing] [RFC EDITOR NOTE: Please remove this section when publishing]
Changes from draft-ietf-mmusic-sdp-dtls-22
o Support for TLS added.
o Editorial changes based on sec-dir review by Rich Salz.
o Editorial changes based on gen-art review by Paul Kyzivat.
o Editorial changes based on ops-dir review by Carlos Pignataro.
Changes from draft-ietf-mmusic-sdp-dtls-21 Changes from draft-ietf-mmusic-sdp-dtls-21
o Changes based on AD review by Ben Campbell. o Changes based on AD review by Ben Campbell.
o (https://www.ietf.org/mail-archive/web/mmusic/current/ o (https://www.ietf.org/mail-archive/web/mmusic/current/
msg17707.html) msg17707.html)
Changes from draft-ietf-mmusic-sdp-dtls-20 Changes from draft-ietf-mmusic-sdp-dtls-20
o Change to length and randomness of tls-id attribute value.
o Change to length and randomness of dtls-id attribute value.
Changes from draft-ietf-mmusic-sdp-dtls-19 Changes from draft-ietf-mmusic-sdp-dtls-19
o Change based on comment from Roman. o Change based on comment from Roman.
Changes from draft-ietf-mmusic-sdp-dtls-18 Changes from draft-ietf-mmusic-sdp-dtls-18
o Changes based on comments from Flemming. o Changes based on comments from Flemming.
o - Change in dtls-id value definition. o - Change in tls-id value definition.
o - Editorial fixes. o - Editorial fixes.
Changes from draft-ietf-mmusic-sdp-dtls-17 Changes from draft-ietf-mmusic-sdp-dtls-17
o Reference fix. o Reference fix.
Changes from draft-ietf-mmusic-sdp-dtls-16 Changes from draft-ietf-mmusic-sdp-dtls-16
o Editorial changes based on 2nd WGLC comments from Christian Groves o Editorial changes based on 2nd WGLC comments from Christian Groves
and Nevenka Biondic. and Nevenka Biondic.
Changes from draft-ietf-mmusic-sdp-dtls-15 Changes from draft-ietf-mmusic-sdp-dtls-15
o dtls-id attribute value made globally unique o tls-id attribute value made globally unique
Changes from draft-ietf-mmusic-sdp-dtls-14 Changes from draft-ietf-mmusic-sdp-dtls-14
o Changes based on comments from Flemming: o Changes based on comments from Flemming:
o - Additional dtls-is clarifiations o - Additional dtls-is clarifiations
o - Editorial fixes o - Editorial fixes
Changes from draft-ietf-mmusic-sdp-dtls-13 Changes from draft-ietf-mmusic-sdp-dtls-13
skipping to change at page 22, line 4 skipping to change at page 23, line 44
o - Additional dtls-is clarifiations o - Additional dtls-is clarifiations
o - Editorial fixes o - Editorial fixes
Changes from draft-ietf-mmusic-sdp-dtls-13 Changes from draft-ietf-mmusic-sdp-dtls-13
o Text about the updated RFCs added to Abstract and Introduction o Text about the updated RFCs added to Abstract and Introduction
o Reference to RFC 5763 removed from section 6 (ICE Considerations) o Reference to RFC 5763 removed from section 6 (ICE Considerations)
o Reference to RFC 5763 removed from section 8 (SIP Considerations) o Reference to RFC 5763 removed from section 8 (SIP Considerations)
Changes from draft-ietf-mmusic-sdp-dtls-12 Changes from draft-ietf-mmusic-sdp-dtls-12
o "unreliable" changed to "unordered" o "unreliable" changed to "unordered"
Changes from draft-ietf-mmusic-sdp-dtls-11 Changes from draft-ietf-mmusic-sdp-dtls-11
o Attribute name changed to tls-id
o Attribute name changed to dtls-id
o Additional text based on comments from Roman Shpount. o Additional text based on comments from Roman Shpount.
Changes from draft-ietf-mmusic-sdp-dtls-10 Changes from draft-ietf-mmusic-sdp-dtls-10
o Modified document to use dtls-id instead of dtls-connection o Modified document to use tls-id instead of dtls-connection
o Changes are based on comments from Eric Rescorla, Justin Uberti, o Changes are based on comments from Eric Rescorla, Justin Uberti,
and Paul Kyzivat. and Paul Kyzivat.
Changes from draft-ietf-mmusic-sdp-dtls-08 Changes from draft-ietf-mmusic-sdp-dtls-08
o Offer/Answer section modified in order to allow sending of o Offer/Answer section modified in order to allow sending of
multiple SDP 'fingerprint' attributes. multiple SDP 'fingerprint' attributes.
o Terminology made consistent: 'DTLS connection' replaced with 'DTLS o Terminology made consistent: 'DTLS connection' replaced with 'DTLS
skipping to change at page 22, line 50 skipping to change at page 24, line 42
multiple transports added. multiple transports added.
o Mux category added to IANA Considerations. o Mux category added to IANA Considerations.
o Normative text regarding mux category and source-specific o Normative text regarding mux category and source-specific
applicability added. applicability added.
o Reference to RFC 7315 added. o Reference to RFC 7315 added.
o Clarified that offerer/answerer that has not been updated to o Clarified that offerer/answerer that has not been updated to
support this specification will not include the dtls-id attribute support this specification will not include the tls-id attribute
in offers and answers. in offers and answers.
o Editorial corrections based on WGLC comments from Charles Eckel. o Editorial corrections based on WGLC comments from Charles Eckel.
Changes from draft-ietf-mmusic-sdp-dtls-05 Changes from draft-ietf-mmusic-sdp-dtls-05
o Text on handling offer/answer error conditions added. o Text on handling offer/answer error conditions added.
Changes from draft-ietf-mmusic-sdp-dtls-04 Changes from draft-ietf-mmusic-sdp-dtls-04
o Editorial nits fixed based on comments from Paul Kyzivat: o Editorial nits fixed based on comments from Paul Kyzivat:
Changes from draft-ietf-mmusic-sdp-dtls-03 Changes from draft-ietf-mmusic-sdp-dtls-03
o Changes based on comments from Paul Kyzivat: o Changes based on comments from Paul Kyzivat:
o - Modification of dtls-id attribute section. o - Modification of tls-id attribute section.
o - Removal of IANA considerations subsection. o - Removal of IANA considerations subsection.
o - Making note into normative text in o/a section. o - Making note into normative text in o/a section.
o Changes based on comments from Martin Thompson: o Changes based on comments from Martin Thompson:
o - Abbreviations section removed. o - Abbreviations section removed.
o - Clarify that a new DTLS association requires a new o/a o - Clarify that a new DTLS association requires a new o/a
transaction. transaction.
Changes from draft-ietf-mmusic-sdp-dtls-02 Changes from draft-ietf-mmusic-sdp-dtls-02
o - Updated RFCs added to boilerplate. o - Updated RFCs added to boilerplate.
Changes from draft-ietf-mmusic-sdp-dtls-01 Changes from draft-ietf-mmusic-sdp-dtls-01
o - Annex regarding 'dtls-id-id' attribute removed. o - Annex regarding 'tls-id-id' attribute removed.
o - Additional SDP offer/answer procedures, related to certificates, o - Additional SDP offer/answer procedures, related to certificates,
added. added.
o - Updates to RFC 5763 and RFC 7345 added. o - Updates to RFC 5763 and RFC 7345 added.
o - Transport protocol considerations added. o - Transport protocol considerations added.
Changes from draft-ietf-mmusic-sdp-dtls-00 Changes from draft-ietf-mmusic-sdp-dtls-00
o - SDP 'connection' attribute replaced with new 'dtls-id' o - SDP 'connection' attribute replaced with new 'tls-id' attribute.
attribute.
o - IANA Considerations added. o - IANA Considerations added.
o - E-mail regarding 'dtls-id-id' attribute added as Annex. o - E-mail regarding 'tls-id-id' attribute added as Annex.
Changes from draft-holmberg-mmusic-sdp-dtls-01 Changes from draft-holmberg-mmusic-sdp-dtls-01
o - draft-ietf-mmusic version of draft submitted. o - draft-ietf-mmusic version of draft submitted.
o - Draft file name change (sdp-dtls -> dtls-sdp) due to collision o - Draft file name change (sdp-dtls -> dtls-sdp) due to collision
with another expired draft. with another expired draft.
o - Clarify that if ufrag in offer is unchanged, it must be o - Clarify that if ufrag in offer is unchanged, it must be
unchanged in associated answer. unchanged in associated answer.
o - SIP Considerations section added. o - SIP Considerations section added.
o - Section about multiple SDP fingerprint attributes added. o - Section about multiple SDP fingerprint attributes added.
Changes from draft-holmberg-mmusic-sdp-dtls-00 Changes from draft-holmberg-mmusic-sdp-dtls-00
o - Editorial changes and clarifications. o - Editorial changes and clarifications.
14. References 15. References
14.1. Normative References 15.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
skipping to change at page 25, line 5 skipping to change at page 26, line 45
[RFC4145] Yon, D. and G. Camarillo, "TCP-Based Media Transport in [RFC4145] Yon, D. and G. Camarillo, "TCP-Based Media Transport in
the Session Description Protocol (SDP)", RFC 4145, the Session Description Protocol (SDP)", RFC 4145,
DOI 10.17487/RFC4145, September 2005, DOI 10.17487/RFC4145, September 2005,
<http://www.rfc-editor.org/info/rfc4145>. <http://www.rfc-editor.org/info/rfc4145>.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566, Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <http://www.rfc-editor.org/info/rfc4566>. July 2006, <http://www.rfc-editor.org/info/rfc4566>.
[RFC4572] Lennox, J., "Connection-Oriented Media Transport over the
Transport Layer Security (TLS) Protocol in the Session
Description Protocol (SDP)", RFC 4572,
DOI 10.17487/RFC4572, July 2006,
<http://www.rfc-editor.org/info/rfc4572>.
[RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework
for Establishing a Secure Real-time Transport Protocol for Establishing a Secure Real-time Transport Protocol
(SRTP) Security Context Using Datagram Transport Layer (SRTP) Security Context Using Datagram Transport Layer
Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May
2010, <http://www.rfc-editor.org/info/rfc5763>. 2010, <http://www.rfc-editor.org/info/rfc5763>.
[RFC7345] Holmberg, C., Sedlacek, I., and G. Salgueiro, "UDP [RFC7345] Holmberg, C., Sedlacek, I., and G. Salgueiro, "UDP
Transport Layer (UDPTL) over Datagram Transport Layer Transport Layer (UDPTL) over Datagram Transport Layer
Security (DTLS)", RFC 7345, DOI 10.17487/RFC7345, August Security (DTLS)", RFC 7345, DOI 10.17487/RFC7345, August
2014, <http://www.rfc-editor.org/info/rfc7345>. 2014, <http://www.rfc-editor.org/info/rfc7345>.
[RFC8122] Lennox, J. and C. Holmberg, "Connection-Oriented Media
Transport over the Transport Layer Security (TLS) Protocol
in the Session Description Protocol (SDP)", RFC 8122,
DOI 10.17487/RFC8122, March 2017,
<http://www.rfc-editor.org/info/rfc8122>.
[I-D.ietf-ice-rfc5245bis] [I-D.ietf-ice-rfc5245bis]
Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive
Connectivity Establishment (ICE): A Protocol for Network Connectivity Establishment (ICE): A Protocol for Network
Address Translator (NAT) Traversal", draft-ietf-ice- Address Translator (NAT) Traversal", draft-ietf-ice-
rfc5245bis-08 (work in progress), December 2016. rfc5245bis-08 (work in progress), December 2016.
[I-D.ietf-mmusic-4572-update]
Lennox, J. and C. Holmberg, "Connection-Oriented Media
Transport over TLS in SDP", draft-ietf-mmusic-
4572-update-13 (work in progress), February 2017.
[I-D.ietf-mmusic-sdp-mux-attributes] [I-D.ietf-mmusic-sdp-mux-attributes]
Nandakumar, S., "A Framework for SDP Attributes when Nandakumar, S., "A Framework for SDP Attributes when
Multiplexing", draft-ietf-mmusic-sdp-mux-attributes-16 Multiplexing", draft-ietf-mmusic-sdp-mux-attributes-16
(work in progress), December 2016. (work in progress), December 2016.
[I-D.ietf-mmusic-sdp-bundle-negotiation] [I-D.ietf-mmusic-sdp-bundle-negotiation]
Holmberg, C., Alvestrand, H., and C. Jennings, Holmberg, C., Alvestrand, H., and C. Jennings,
"Negotiating Media Multiplexing Using the Session "Negotiating Media Multiplexing Using the Session
Description Protocol (SDP)", draft-ietf-mmusic-sdp-bundle- Description Protocol (SDP)", draft-ietf-mmusic-sdp-bundle-
negotiation-36 (work in progress), October 2016. negotiation-38 (work in progress), April 2017.
14.2. Informative References 15.2. Informative References
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for [RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474, Initiation Protocol (SIP)", RFC 4474,
DOI 10.17487/RFC4474, August 2006, DOI 10.17487/RFC4474, August 2006,
<http://www.rfc-editor.org/info/rfc4474>. <http://www.rfc-editor.org/info/rfc4474>.
[RFC4572] Lennox, J., "Connection-Oriented Media Transport over the
Transport Layer Security (TLS) Protocol in the Session
Description Protocol (SDP)", RFC 4572,
DOI 10.17487/RFC4572, July 2006,
<http://www.rfc-editor.org/info/rfc4572>.
[RFC5245] Rosenberg, J., "Interactive Connectivity Establishment [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Protocol for Network Address Translator (NAT) (ICE): A Protocol for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols", RFC 5245, Traversal for Offer/Answer Protocols", RFC 5245,
DOI 10.17487/RFC5245, April 2010, DOI 10.17487/RFC5245, April 2010,
<http://www.rfc-editor.org/info/rfc5245>. <http://www.rfc-editor.org/info/rfc5245>.
[RFC5576] Lennox, J., Ott, J., and T. Schierl, "Source-Specific [RFC5576] Lennox, J., Ott, J., and T. Schierl, "Source-Specific
Media Attributes in the Session Description Protocol Media Attributes in the Session Description Protocol
(SDP)", RFC 5576, DOI 10.17487/RFC5576, June 2009, (SDP)", RFC 5576, DOI 10.17487/RFC5576, June 2009,
<http://www.rfc-editor.org/info/rfc5576>. <http://www.rfc-editor.org/info/rfc5576>.
 End of changes. 96 change blocks. 
214 lines changed or deleted 282 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/