idnits 2.17.1 draft-ietf-mmusic-dtls-sdp-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC5763, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC7315, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC5763, updated by this document, for RFC5378 checks: 2007-11-12) (Using the creation date from RFC7315, updated by this document, for RFC5378 checks: 2005-10-20) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 5, 2016) is 2975 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC5764' is mentioned on line 649, but not defined == Missing Reference: 'RFC4474' is mentioned on line 548, but not defined ** Obsolete undefined reference: RFC 4474 (Obsoleted by RFC 8224) == Missing Reference: 'RFCXXXX' is mentioned on line 796, but not defined == Missing Reference: 'ITU.T38.2010' is mentioned on line 765, but not defined == Unused Reference: 'RFC5234' is defined on line 928, but no explicit reference was found in the text ** Obsolete normative reference: RFC 4566 (Obsoleted by RFC 8866) ** Obsolete normative reference: RFC 4572 (Obsoleted by RFC 8122) ** Obsolete normative reference: RFC 5245 (Obsoleted by RFC 8445, RFC 8839) Summary: 4 errors (**), 0 flaws (~~), 6 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Holmberg 3 Internet-Draft Ericsson 4 Updates: 5763,7315 (if approved) R. Shpount 5 Intended status: Standards Track TurboBridge 6 Expires: August 8, 2016 February 5, 2016 8 Using the SDP Offer/Answer Mechanism for DTLS 9 draft-ietf-mmusic-dtls-sdp-06.txt 11 Abstract 13 This draft defines the SDP offer/answer procedures for negotiating 14 and establishing a DTLS association. The draft also defines the 15 criteria for when a new DTLS association must be established. 17 This draft defines a new SDP media-level attribute, 'dtls- 18 connection'. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on August 8, 2016. 37 Copyright Notice 39 Copyright (c) 2016 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 3. Establishing a new DTLS Association . . . . . . . . . . . . . 3 57 3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 3.2. Change of Local Transport Parameters . . . . . . . . . . 3 59 3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4 60 3.4. Multiple SDP fingerprint attributes . . . . . . . . . . . 4 61 4. SDP dtls-connection Attribute . . . . . . . . . . . . . . . . 4 62 5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 5 63 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 5 64 5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 6 65 5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 6 66 5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 7 67 5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 8 68 6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 8 69 7. Transport Protocol Considerations . . . . . . . . . . . . . . 8 70 7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 9 71 8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 9 72 9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 9 73 9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 9 74 9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 9 75 9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 14 76 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 77 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 78 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 79 13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 18 80 14. Normative References . . . . . . . . . . . . . . . . . . . . 20 81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 21 83 1. Introduction 85 [RFC5763] defines SDP Offer/Answer procedures for SRTP-DTLS. This 86 draft defines the SDP Offer/Answer [RFC3264] procedures for 87 negotiation DTLS in general, based on the procedures in [RFC5763]. 89 This draft also defines a new SDP attribute, 'dtls-connection'. The 90 attribute is used in SDP offers and answers to explicitly indicate 91 whether a new DTLS association is to be established. 93 As defined in [RFC5763], a new DTLS association MUST be established 94 when transport parameters are changed. Transport parameter change is 95 not well defined when Interactive Connectivity Establishment (ICE) 96 [RFC5245] is used. One possible way to determine a transport change 97 is based on ufrag change, but the ufrag value is changed both when 98 ICE is negotiated and when ICE restart [RFC5245] occurs. These 99 events do not always require a new DTLS association to be 100 established, but currently there is no way to explicitly indicate in 101 an SDP offer or answer whether a new DTLS association is required. 102 To solve that problem, this draft defines a new SDP attribute, 'dtls- 103 connection'. The attribute is used in SDP offers and answers to 104 explicitly indicate whether a new DTLS association is to be 105 established/re-established. The attribute can be used both with and 106 without ICE. 108 2. Conventions 110 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 111 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 112 document are to be interpreted as described in [RFC2119]. 114 3. Establishing a new DTLS Association 116 3.1. General 118 A new DTLS association MUST be established in the following cases: 120 o The DTLS roles change; 122 o The fingerprint (certificate) value changes; or 124 o The establishment of a new DTLS association is explicitly 125 signaled; 127 NOTE: The first two items list above are based on the procedures in 128 [RFC5763]. This draft adds the support for explicit signaling. 130 Whenever an entity determines, based on the criteria above, that a 131 new DTLS association is required, the entity MUST initiate an 132 associated SDP offer/answer transaction, following to the procedures 133 in Section 5. 135 The sections below describe typical cases where a new DTLS 136 association needs to be established. 138 3.2. Change of Local Transport Parameters 140 If an endpoint modifies its local transport parameters (IP address 141 and/or port), and if the modification requires a new DTLS 142 association, the endpoint MUST either change its DTLS role, its 143 fingerprint value and/or use the SDP 'dtls-connection' attribute with 144 a 'new' value Section 4. 146 3.3. Change of ICE ufrag value 148 If an endpoint uses ICE, and modifies a local ufrag value, and if the 149 modification requires a new DTLS association, the endpoint MUST 150 either change its DTLS role, its fingerprint value and/or use the SDP 151 'dtls-connection' attribute with a 'new' value Section 4. 153 3.4. Multiple SDP fingerprint attributes 155 It is possible to associate multiple SDP fingerprint attribute values 156 to an 'm-' line. If any of the attribute values associated with an 157 'm-' line are removed, or if any new attribute values are added, it 158 is considered a fingerprint value change. 160 4. SDP dtls-connection Attribute 162 The SDP 'connection' attribute [RFC4145] was originally defined for 163 connection-oriented protocols, e.g. TCP and TLS. This section 164 defines a similar attribute, 'dtls-connection', to be used with DTLS. 166 Name: dtls-connection 168 Value: conn-value 170 Usage Level: media 172 Charset Dependent: no 174 Syntax: 176 conn-value = "new" / "existing" 178 Example: 180 a=dtls-connection:existing 182 A 'dtls-connection' attribute value of 'new' indicates that a new 183 DTLS association MUST be established. A 'dtls-connection' attribute 184 value of 'existing' indicates that a new DTLS association MUST NOT be 185 established. 187 Unlike the SDP 'connection' attribute for TLS, there is no default 188 value defined for the 'dtls-connection' attribute. Implementations 189 that wish to use the attribute MUST explicitly include it in SDP 190 offers and answers. If an offer or answer does not contain an 191 attribute, other means needs to be used in order for endpoints to 192 determine whether an offer or answer is associated with an event that 193 requires the DTLS association to be re-established. 195 The SDP Offer/Answer [RFC3264] procedures associated with the 196 attribute are defined in Section 5 198 5. SDP Offer/Answer Procedures 200 5.1. General 202 This section defines the generic SDP offer/answer procedures for 203 negotiating a DTLS association. Additional procedures (e.g. 204 regarding usage of usage specific SDP attributes etc) for individual 205 DTLS usages (e.g. SRTP-DTLS) are outside the scope of this 206 specification, and needs to be specified in a usage specific 207 specification. 209 NOTE: The procedures in this section are generalizations of 210 procedures first specified in SRTP-DTLS [RFC5763], with the addition 211 of usage of the SDP 'dtls-connection' attribute. That document is 212 herein revised to make use of these new procedures. 214 The procedures in this section apply to an SDP media description 215 ("m=" line) associated a DTLS-protected media/data stream. 217 In order to negotiate a DTLS association, the following SDP 218 attributes are used: 220 o The SDP 'setup' attribute, defined in [RFC4145], is used to 221 negotiate the DTLS roles; 223 o The SDP 'fingerprint' attribute, defined in [RFC4572], is used to 224 provide the fingerprint value; and 226 o The SDP 'dtls-connection' attribute, defined in this 227 specification, is used to explicitly indicate whether a new DTLS 228 association is to be established or whether a previous association 229 is to be used. 231 Endpoints MUST NOT use the SDP 'connection' attribute [RFC4145] when 232 negotiating a DTLS association. 234 The SDP 'connection' attribute MAY be used if the usage is associated 235 with another protocol layer, e.g. SCTP or TCP, used together with 236 DTLS. 238 Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP 239 'setup' attribute 'holdconn' value when negotiating a DTLS 240 association. 242 Endpoints MUST support SHA-256 for generating and verifying the 243 fingerprint value associated with the DTLS association. The use of 244 SHA-256 is preferred. 246 Endpoints MUST, at a minimum, support 247 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support 248 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer 249 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward 250 Secrecy (PFS) cipher suites over non-PFS cipher suites. 251 Implementations SHOULD disable TLS-level compression. 253 The certificate received during the DTLS handshake MUST match the 254 fingerprint received in the SDP "fingerprint" attribute. If the 255 fingerprint does not match the hashed certificate, then the endpoint 256 MUST tear down the media session immediately. Note that it is 257 permissible to wait until the other side's fingerprint has been 258 received before establishing the connection; however, this may have 259 undesirable latency effects. 261 5.2. Generating the Initial SDP Offer 263 When the offerer sends the initial offer, and the offerer wants to 264 establish a DTLS association, it MUST insert an SDP 'dtls-connection' 265 attribute with a 'new' value in the offer. In addition, the offerer 266 MUST insert an SDP 'setup' attribute according to the procedures in 267 [RFC4145], and an SDP 'fingerprint' attribute according to the 268 procedures in [RFC4572], in the offer. 270 If the offerer inserts the SDP 'setup' attribute with an 'actpass' or 271 'passive' value, the offerer MUST be prepared to receive a DTLS 272 ClientHello message (if a new DTLS association is established by the 273 answerer) from the answerer before it receives the SDP answer. 275 5.3. Generating the Answer 277 If an answerer receives an offer that contains an SDP 'dtls- 278 connection' attribute with a 'new' value, or if the answerer receives 279 and offer that contains an 'dtls-connection' attribute with an 280 'existing' value and the answerer determines (based on the criteria 281 for establishing a new DTLS association) that a new DTLS association 282 is to be established, the answerer MUST insert a 'new' value in the 283 associated answer. In addition, the answerer MUST insert an SDP 284 'setup' attribute according to the procedures in [RFC4145], and an 285 SDP 'fingerprint' attribute according to the procedures in [RFC4572], 286 in the answer. 288 If an answerer receives an offer that contains an SDP 'dtls- 289 connection' attribute with a 'new' value, and if the answerer does 290 not accept the establishment of a new DTLS association, the answerer 291 MUST reject the "m=" lines associated with the suggested DTLS 292 association [RFC3264]. 294 If an answerer receives an offer that contains a 'dtls-connection' 295 attribute with an 'existing' value, and if the answerer determines 296 that a new DTLS association is not to be established, the answerer 297 MUST insert a 'dtls-connection' attribute with an 'existing' value in 298 the associated answer. In addition, the answerer MUST insert an SDP 299 'setup' attribute with a value that does not change the previously 300 negotiated DTLS roles, and an SDP 'fingerprint' attribute with a 301 value that does not change the previously sent fingerprint, in the 302 answer. 304 If the answerer receives an offer that does not contain an SDP 'dtls- 305 connection' attribute, the answerer MUST NOT insert a 'dtls- 306 connection' attribute in the answer. 308 If a new DTLS association is to be established, and if the answerer 309 inserts an SDP 'setup' attribute with an 'active' value in the 310 answer, the answerer MUST initiate a DTLS handshake by sending a DTLS 311 ClientHello message towards the the offerer. 313 5.4. Offerer Processing of the SDP Answer 315 When an offerer receives an answer that contains an SDP 'dtls- 316 connection' attribute with a 'new' value, and if the offerer becomes 317 DTLS client (based on the value of the SDP 'setup' attribute value 318 [RFC4145]), the offerer MUST establish a DTLS association. If the 319 offerer becomes DTLS server, it MUST wait for the answerer to 320 establish the DTLS association. 322 If the answer contains an SDP 'dtls-connection' attribute with an 323 'existing' value, the offerer will continue using the previously 324 established DTLS association. It is considered an error case if the 325 answer contains a 'dtls-connection' attribute with an 'existing' 326 value, and a DTLS association does not exist. 328 An offerer needs to be able to handle error conditions that can occur 329 during an offer/answer transaction, e.g. if an answer contains an SDP 330 'dtls-connection' attribute with an 'existing' value even if no DTLS 331 connection exists, or if the answer contains a new fingerprint value 332 for an existing DTLS connection. If such error case occurs, the 333 offerer SHOULD terminate the associated DTLS connection (if it 334 exists) and send a new offer in order to terminate each media stream 335 using the DTLS association, by setting the associated port value to 336 zero [RFC4145]. 338 5.5. Modifying the Session 340 When the offerer sends a subsequent offer, and if the offerer wants 341 to establish a new DTLS association, the offerer MUST insert an SDP 342 'dtls-connection' attribute with a 'new' value in the offer. In 343 addition, the offerer MUST insert an SDP 'setup' attribute according 344 to the procedures in [RFC4145], and an SDP 'fingerprint' attribute 345 according to the procedures in [RFC4572], in the offer. 347 when the offerer sends a subsequent offer, and the offerer does not 348 want to establish a new DTLS association, and if a previously 349 established DTLS association exists, the offerer MUST insert an SDP 350 'dtls-connection' attribute with an 'existing' value in the offer. 351 In addition, the offerer MUST insert an SDP 'setup' attribute with a 352 value that does not change the previously negotiated DTLS roles, and 353 an SDP 'fingerprint' attribute with a value that does not change the 354 previously sent fingerprint, in the offer. 356 NOTE: When a new DTLS association is established, each endpoint needs 357 to be prepared to receive data on both the new and old DTLS 358 associations as long as both are alive. 360 6. ICE Considerations 362 When ICE is used, the ICE connectivity checks are performed before 363 the DTLS handshake begins. Note that if aggressive nomination mode 364 is used, multiple candidate pairs may be marked valid before ICE 365 finally converges on a single candidate pair. 367 An ICE restart [RFC5245] does not by default require a new DTLS 368 association to be established. 370 As defined in [RFC5763], each ICE candidate associated with a 371 component is treated as being part of the same DTLS association. 372 Therefore, from a DTLS perspective it is not considered a change of 373 local transport parameters when an endpoint switches between those 374 ICE candidates. 376 7. Transport Protocol Considerations 377 7.1. Transport Re-Usage 379 If DTLS is transported on top of a connection-oriented transport 380 protocol (e.g. TCP or SCTP), where all IP packets are acknowledged, 381 all DTLS packets associated with a previous DTLS association MUST be 382 acknowledged (or timed out) before a new DTLS association can be 383 established on the same transport. 385 8. SIP Considerations 387 When the Session Initiation Protocol (SIP) [RFC3261] is used as the 388 signal protocol for establishing a multimedia session, dialogs 389 [RFC3261] might be established between the caller and multiple 390 callees. This is referred to as forking. If forking occurs, 391 separate DTLS associations MUST be established between the caller and 392 each callee. 394 It is possible to send an INVITE request which does not contain an 395 SDP offer. Such INVITE request is often referred to as an 'empty 396 INVITE', or an 'offerless INVITE'. The receiving endpoint will 397 include the SDP offer in a response associated with the response. 398 When the endpoint generates such SDP offer, it MUST assign an SDP 399 connection attribute, with a 'new' value, to each 'm-' line that 400 describes DTLS protected media. If ICE is used, the endpoint MUST 401 allocate a new set of ICE candidates, in order to ensure that two 402 DTLS association would not be running over the same transport. 404 9. RFC Updates 406 9.1. General 408 This section updates specifications that use DTLS-protected media, in 409 order to reflect the procedures defined in this specification. 411 9.2. Update to RFC 5763 413 Update to section 5: 414 -------------------- 416 OLD TEXT: 418 5. Establishing a Secure Channel 420 The two endpoints in the exchange present their identities as part of 421 the DTLS handshake procedure using certificates. This document uses 422 certificates in the same style as described in "Connection-Oriented 423 Media Transport over the Transport Layer Security (TLS) Protocol in 424 the Session Description Protocol (SDP)" [RFC4572]. 426 If self-signed certificates are used, the content of the 427 subjectAltName attribute inside the certificate MAY use the uniform 428 resource identifier (URI) of the user. This is useful for debugging 429 purposes only and is not required to bind the certificate to one of 430 the communication endpoints. The integrity of the certificate is 431 ensured through the fingerprint attribute in the SDP. The 432 subjectAltName is not an important component of the certificate 433 verification. 435 The generation of public/private key pairs is relatively expensive. 436 Endpoints are not required to generate certificates for each session. 438 The offer/answer model, defined in [RFC3264], is used by protocols 439 like the Session Initiation Protocol (SIP) [RFC3261] to set up 440 multimedia sessions. In addition to the usual contents of an SDP 441 [RFC4566] message, each media description ("m=" line and associated 442 parameters) will also contain several attributes as specified in 443 [RFC5764], [RFC4145], and [RFC4572]. 445 When an endpoint wishes to set up a secure media session with another 446 endpoint, it sends an offer in a SIP message to the other endpoint. 447 This offer includes, as part of the SDP payload, the fingerprint of 448 the certificate that the endpoint wants to use. The endpoint SHOULD 449 send the SIP message containing the offer to the offerer's SIP proxy 450 over an integrity protected channel. The proxy SHOULD add an 451 Identity header field according to the procedures outlined in 452 [RFC4474]. The SIP message containing the offer SHOULD be sent to 453 the offerer's SIP proxy over an integrity protected channel. When 454 the far endpoint receives the SIP message, it can verify the identity 455 of the sender using the Identity header field. Since the Identity 456 header field is a digital signature across several SIP header fields, 457 in addition to the body of the SIP message, the receiver can also be 458 certain that the message has not been tampered with after the digital 459 signature was applied and added to the SIP message. 461 The far endpoint (answerer) may now establish a DTLS association with 462 the offerer. Alternately, it can indicate in its answer that the 463 offerer is to initiate the TLS association. In either case, mutual 464 DTLS certificate-based authentication will be used. After completing 465 the DTLS handshake, information about the authenticated identities, 466 including the certificates, are made available to the endpoint 467 application. The answerer is then able to verify that the offerer's 468 certificate used for authentication in the DTLS handshake can be 469 associated to the certificate fingerprint contained in the offer in 470 the SDP. At this point, the answerer may indicate to the end user 471 that the media is secured. The offerer may only tentatively accept 472 the answerer's certificate since it may not yet have the answerer's 473 certificate fingerprint. 475 When the answerer accepts the offer, it provides an answer back to 476 the offerer containing the answerer's certificate fingerprint. At 477 this point, the offerer can accept or reject the peer's certificate 478 and the offerer can indicate to the end user that the media is 479 secured. 481 Note that the entire authentication and key exchange for securing the 482 media traffic is handled in the media path through DTLS. The 483 signaling path is only used to verify the peers' certificate 484 fingerprints. 486 The offer and answer MUST conform to the following requirements. 488 o The endpoint MUST use the setup attribute defined in [RFC4145]. 489 The endpoint that is the offerer MUST use the setup attribute 490 value of setup:actpass and be prepared to receive a client_hello 491 before it receives the answer. The answerer MUST use either a 492 setup attribute value of setup:active or setup:passive. Note that 493 if the answerer uses setup:passive, then the DTLS handshake will 494 not begin until the answerer is received, which adds additional 495 latency. setup:active allows the answer and the DTLS handshake to 496 occur in parallel. Thus, setup:active is RECOMMENDED. Whichever 497 party is active MUST initiate a DTLS handshake by sending a 498 ClientHello over each flow (host/port quartet). 500 o The endpoint MUST NOT use the connection attribute defined in 501 [RFC4145]. 503 o The endpoint MUST use the certificate fingerprint attribute as 504 specified in [RFC4572]. 506 o The certificate presented during the DTLS handshake MUST match the 507 fingerprint exchanged via the signaling path in the SDP. The 508 security properties of this mechanism are described in Section 8. 510 o If the fingerprint does not match the hashed certificate, then the 511 endpoint MUST tear down the media session immediately. Note that 512 it is permissible to wait until the other side's fingerprint has 513 been received before establishing the connection; however, this 514 may have undesirable latency effects. 516 NEW TEXT: 518 5. Establishing a Secure Channel 519 The two endpoints in the exchange present their identities as part of 520 the DTLS handshake procedure using certificates. This document uses 521 certificates in the same style as described in "Connection-Oriented 522 Media Transport over the Transport Layer Security (TLS) Protocol in 523 the Session Description Protocol (SDP)" [RFC4572]. 525 If self-signed certificates are used, the content of the 526 subjectAltName attribute inside the certificate MAY use the uniform 527 resource identifier (URI) of the user. This is useful for debugging 528 purposes only and is not required to bind the certificate to one of 529 the communication endpoints. The integrity of the certificate is 530 ensured through the fingerprint attribute in the SDP. The 531 subjectAltName is not an important component of the certificate 532 verification. 534 The generation of public/private key pairs is relatively expensive. 535 Endpoints are not required to generate certificates for each session. 537 The offer/answer model, defined in [RFC3264], is used by protocols 538 like the Session Initiation Protocol (SIP) [RFC3261] to set up 539 multimedia sessions. 541 When an endpoint wishes to set up a secure media session with another 542 endpoint, it sends an offer in a SIP message to the other endpoint. 543 This offer includes, as part of the SDP payload, the fingerprint of 544 the certificate that the endpoint wants to use. The endpoint SHOULD 545 send the SIP message containing the offer to the offerer's SIP proxy 546 over an integrity protected channel. The proxy SHOULD add an 547 Identity header field according to the procedures outlined in 548 [RFC4474]. The SIP message containing the offer SHOULD be sent to 549 the offerer's SIP proxy over an integrity protected channel. When 550 the far endpoint receives the SIP message, it can verify the identity 551 of the sender using the Identity header field. Since the Identity 552 header field is a digital signature across several SIP header fields, 553 in addition to the body of the SIP message, the receiver can also be 554 certain that the message has not been tampered with after the digital 555 signature was applied and added to the SIP message. 557 The far endpoint (answerer) may now establish a DTLS association with 558 the offerer. Alternately, it can indicate in its answer that the 559 offerer is to initiate the TLS association. In either case, mutual 560 DTLS certificate-based authentication will be used. After completing 561 the DTLS handshake, information about the authenticated identities, 562 including the certificates, are made available to the endpoint 563 application. The answerer is then able to verify that the offerer's 564 certificate used for authentication in the DTLS handshake can be 565 associated to the certificate fingerprint contained in the offer in 566 the SDP. At this point, the answerer may indicate to the end user 567 that the media is secured. The offerer may only tentatively accept 568 the answerer's certificate since it may not yet have the answerer's 569 certificate fingerprint. 571 When the answerer accepts the offer, it provides an answer back to 572 the offerer containing the answerer's certificate fingerprint. At 573 this point, the offerer can accept or reject the peer's certificate 574 and the offerer can indicate to the end user that the media is 575 secured. 577 Note that the entire authentication and key exchange for securing the 578 media traffic is handled in the media path through DTLS. The 579 signaling path is only used to verify the peers' certificate 580 fingerprints. 582 The offerer and answerer MUST follow the SDP offer/answer procedures 583 defined in [RFCXXXX]. 585 Update to section 6.6: 586 ---------------------- 588 OLD TEXT: 590 6.6. Session Modification 592 Once an answer is provided to the offerer, either endpoint MAY 593 request a session modification that MAY include an updated offer. 594 This session modification can be carried in either an INVITE or 595 UPDATE request. The peers can reuse the existing associations if 596 they are compatible (i.e., they have the same key fingerprints and 597 transport parameters), or establish a new one following the same 598 rules are for initial exchanges, tearing down the existing 599 association as soon as the offer/answer exchange is completed. Note 600 that if the active/passive status of the endpoints changes, a new 601 connection MUST be established. 603 NEW TEXT: 605 6.6. Session Modification 607 Once an answer is provided to the offerer, either endpoint MAY 608 request a session modification that MAY include an updated offer. 609 This session modification can be carried in either an INVITE or 610 UPDATE request. The peers can reuse an existing DTLS association, 611 or establish a new one, following the procedures in [RFCXXXX]. 613 Update to section 6.7.1: 615 ------------------------ 617 OLD TEXT: 619 6.7.1. ICE Interaction 621 Interactive Connectivity Establishment (ICE), as specified in 622 [RFC5245], provides a methodology of allowing participants in 623 multimedia sessions to verify mutual connectivity. When ICE is being 624 used, the ICE connectivity checks are performed before the DTLS 625 handshake begins. Note that if aggressive nomination mode is used, 626 multiple candidate pairs may be marked valid before ICE finally 627 converges on a single candidate pair. Implementations MUST treat all 628 ICE candidate pairs associated with a single component as part of the 629 same DTLS association. Thus, there will be only one DTLS handshake 630 even if there are multiple valid candidate pairs. Note that this may 631 mean adjusting the endpoint IP addresses if the selected candidate 632 pair shifts, just as if the DTLS packets were an ordinary media 633 stream. 635 Note that Simple Traversal of the UDP Protocol through NAT (STUN) 636 packets are sent directly over UDP, not over DTLS. [RFC5764] 637 describes how to demultiplex STUN packets from DTLS packets and SRTP 638 packets. 640 NEW TEXT: 642 6.7.1. ICE Interaction 644 The Interactive Connectivity Establishment (ICE) [RFC5245] 645 considerations for DTLS-protected media are described in 646 [RFCXXXX]. 648 Note that Simple Traversal of the UDP Protocol through NAT (STUN) 649 packets are sent directly over UDP, not over DTLS. [RFC5764] 650 describes how to demultiplex STUN packets from DTLS packets and SRTP 651 packets. 653 9.3. Update to RFC 7345 655 Update to section 4: 656 -------------------- 658 OLD TEXT: 660 4. SDP Offerer/Answerer Procedures 661 4.1. General 663 An endpoint (i.e., both the offerer and the answerer) MUST create an 664 SDP media description ("m=" line) for each UDPTL-over-DTLS media 665 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 666 "proto" field of the "m=" line. 668 The procedures in this section apply to an "m=" line associated with 669 a UDPTL-over-DTLS media stream. 671 In order to negotiate a UDPTL-over-DTLS media stream, the following 672 SDP attributes are used: 674 o The SDP attributes defined for UDPTL over UDP, as described in 675 [ITU.T38.2010]; and 677 o The SDP attributes, defined in [RFC4145] and [RFC4572], as 678 described in this section. 680 The endpoint MUST NOT use the SDP "connection" attribute [RFC4145]. 682 In order to negotiate the TLS roles for the UDPTL-over-DTLS transport 683 connection, the endpoint MUST use the SDP "setup" attribute 684 [RFC4145]. 686 If the endpoint supports, and is willing to use, a cipher suite with 687 an associated certificate, the endpoint MUST include an SDP 688 "fingerprint" attribute [RFC4572]. The endpoint MUST support SHA-256 689 for generating and verifying the SDP "fingerprint" attribute value. 690 The use of SHA-256 is preferred. UDPTL over DTLS, at a minimum, MUST 691 support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support 692 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer 693 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward 694 Secrecy (PFS) cipher suites over non-PFS cipher suites. 695 Implementations SHOULD disable TLS-level compression. 697 If a cipher suite with an associated certificate is selected during 698 the DTLS handshake, the certificate received during the DTLS 699 handshake MUST match the fingerprint received in the SDP 700 "fingerprint" attribute. If the fingerprint does not match the 701 hashed certificate, then the endpoint MUST tear down the media 702 session immediately. Note that it is permissible to wait until the 703 other side's fingerprint has been received before establishing the 704 connection; however, this may have undesirable latency effects. 706 4.2. Generating the Initial Offer 708 The offerer SHOULD assign the SDP "setup" attribute with a value of 709 "actpass", unless the offerer insists on being either the sender or 710 receiver of the DTLS ClientHello message, in which case the offerer 711 can use either a value of "active" (the offerer will be the sender of 712 ClientHello) or "passive" (the offerer will be the receiver of 713 ClientHello). The offerer MUST NOT assign an SDP "setup" attribute 714 with a "holdconn" value. 716 If the offerer assigns the SDP "setup" attribute with a value of 717 "actpass" or "passive", the offerer MUST be prepared to receive a 718 DTLS ClientHello message before it receives the SDP answer. 720 4.3. Generating the Answer 722 If the answerer accepts the offered UDPTL-over-DTLS transport 723 connection, in the associated SDP answer, the answerer MUST assign an 724 SDP "setup" attribute with a value of either "active" or "passive", 725 according to the procedures in [RFC4145]. The answerer MUST NOT 726 assign an SDP "setup" attribute with a value of "holdconn". 728 If the answerer assigns an SDP "setup" attribute with a value of 729 "active" value, the answerer MUST initiate a DTLS handshake by 730 sending a DTLS ClientHello message on the negotiated media stream, 731 towards the IP address and port of the offerer. 733 4.4. Offerer Processing of the Answer 735 When the offerer receives an SDP answer, if the offerer ends up being 736 active it MUST initiate a DTLS handshake by sending a DTLS 737 ClientHello message on the negotiated media stream, towards the IP 738 address and port of the answerer. 740 4.5. Modifying the Session 742 Once an offer/answer exchange has been completed, either endpoint MAY 743 send a new offer in order to modify the session. The endpoints can 744 reuse the existing DTLS association if the key fingerprint values and 745 transport parameters indicated by each endpoint are unchanged. 746 Otherwise, following the rules for the initial offer/answer exchange, 747 the endpoints can negotiate and create a new DTLS association and, 748 once created, delete the previous DTLS association, following the 749 same rules for the initial offer/answer exchange. Each endpoint 750 needs to be prepared to receive data on both the new and old DTLS 751 associations as long as both are alive. 753 NEW TEXT: 755 4. SDP Offerer/Answerer Procedures 756 An endpoint (i.e., both the offerer and the answerer) MUST create an 757 SDP media description ("m=" line) for each UDPTL-over-DTLS media 758 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 759 "proto" field of the "m=" line. 761 The offerer and answerer MUST follow the SDP offer/answer procedures 762 defined in [RFCXXXX] in order to negotiate the DTLS association 763 associated with the UDPTL-over-DTLS media stream. In addition, 764 the offerer and answerer MUST use the SDP attributes defined for 765 UDPTL over UDP, as defined in [ITU.T38.2010]. 767 Update to section 5.2.1: 768 ------------------------ 770 OLD TEXT: 772 5.2.1. ICE Usage 774 When Interactive Connectivity Establishment (ICE) [RFC5245] is being 775 used, the ICE connectivity checks are performed before the DTLS 776 handshake begins. Note that if aggressive nomination mode is used, 777 multiple candidate pairs may be marked valid before ICE finally 778 converges on a single candidate pair. User Agents (UAs) MUST treat 779 all ICE candidate pairs associated with a single component as part of 780 the same DTLS association. Thus, there will be only one DTLS 781 handshake even if there are multiple valid candidate pairs. Note 782 that this may mean adjusting the endpoint IP addresses if the 783 selected candidate pair shifts, just as if the DTLS packets were an 784 ordinary media stream. In the case of an ICE restart, the DTLS 785 handshake procedure is repeated, and a new DTLS association is 786 created. Once the DTLS handshake is completed and the new DTLS 787 association has been created, the previous DTLS association is 788 deleted. 790 NEW TEXT: 792 5.2.1. ICE Usage 794 The Interactive Connectivity Establishment (ICE) [RFC5245] 795 considerations for DTLS-protected media are described in 796 [RFCXXXX]. 798 10. Security Considerations 800 This specification does not modify the security considerations 801 associated with DTLS, or the SDP offer/answer mechanism. In addition 802 to the introduction of the SDP 'dtls-connection' attribute, the 803 specification simply clarifies the procedures for negotiating and 804 establishing a DTLS association. 806 11. IANA Considerations 808 This document updates the "Session Description Protocol Parameters" 809 registry as specified in Section 8.2.2 of [RFC4566]. Specifically, 810 it adds the SDP dtls-connection attribute to the table for SDP media 811 level attributes. 813 Attribute name: dtls-connection 814 Type of attribute: media-level 815 Subject to charset: no 816 Purpose: TBD 817 Appropriate Values: see Section X 818 Contact name: Christer Holmberg 820 12. Acknowledgements 822 Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat and Jens 823 Guballa for providing comments and suggestions on the draft. 825 13. Change Log 827 [RFC EDITOR NOTE: Please remove this section when publishing] 829 Changes from draft-ietf-mmusic-sdp-dtls-05 831 o Text on handling offer/answer error conditions added. 833 Changes from draft-ietf-mmusic-sdp-dtls-04 835 o Editorial nits fixed based on comments from Paul Kyzivat: 837 Changes from draft-ietf-mmusic-sdp-dtls-03 839 o Changes based on comments from Paul Kyzivat: 841 o - Modification of dtls-connection attribute section. 843 o - Removal of IANA considerations subsection. 845 o - Making note into normative text in o/a section. 847 o Changes based on comments from Martin Thompson: 849 o - Abbreviations section removed. 851 o - Clarify that a new DTLS association requires a new o/a 852 transaction. 854 Changes from draft-ietf-mmusic-sdp-dtls-02 856 o - Updated RFCs added to boilerplate. 858 Changes from draft-ietf-mmusic-sdp-dtls-01 860 o - Annex regarding 'dtls-connection-id' attribute removed. 862 o - Additional SDP offer/answer procedures, related to certificates, 863 added. 865 o - Updates to RFC 5763 and RFC 7345 added. 867 o - Transport protocol considerations added. 869 Changes from draft-ietf-mmusic-sdp-dtls-00 871 o - SDP 'connection' attribute replaced with new 'dtls-connection' 872 attribute. 874 o - IANA Considerations added. 876 o - E-mail regarding 'dtls-connection-id' attribute added as Annex. 878 Changes from draft-holmberg-mmusic-sdp-dtls-01 880 o - draft-ietf-mmusic version of draft submitted. 882 o - Draft file name change (sdp-dtls -> dtls-sdp) due to collision 883 with another expired draft. 885 o - Clarify that if ufrag in offer is unchanged, it must be 886 unchanged in associated answer. 888 o - SIP Considerations section added. 890 o - Section about multiple SDP fingerprint attributes added. 892 Changes from draft-holmberg-mmusic-sdp-dtls-00 893 o - Editorial changes and clarifications. 895 14. Normative References 897 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 898 Requirement Levels", BCP 14, RFC 2119, 899 DOI 10.17487/RFC2119, March 1997, 900 . 902 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 903 A., Peterson, J., Sparks, R., Handley, M., and E. 904 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 905 DOI 10.17487/RFC3261, June 2002, 906 . 908 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 909 with Session Description Protocol (SDP)", RFC 3264, 910 DOI 10.17487/RFC3264, June 2002, 911 . 913 [RFC4145] Yon, D. and G. Camarillo, "TCP-Based Media Transport in 914 the Session Description Protocol (SDP)", RFC 4145, 915 DOI 10.17487/RFC4145, September 2005, 916 . 918 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 919 Description Protocol", RFC 4566, DOI 10.17487/RFC4566, 920 July 2006, . 922 [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the 923 Transport Layer Security (TLS) Protocol in the Session 924 Description Protocol (SDP)", RFC 4572, 925 DOI 10.17487/RFC4572, July 2006, 926 . 928 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 929 Specifications: ABNF", STD 68, RFC 5234, 930 DOI 10.17487/RFC5234, January 2008, 931 . 933 [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment 934 (ICE): A Protocol for Network Address Translator (NAT) 935 Traversal for Offer/Answer Protocols", RFC 5245, 936 DOI 10.17487/RFC5245, April 2010, 937 . 939 [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework 940 for Establishing a Secure Real-time Transport Protocol 941 (SRTP) Security Context Using Datagram Transport Layer 942 Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 943 2010, . 945 Authors' Addresses 947 Christer Holmberg 948 Ericsson 949 Hirsalantie 11 950 Jorvas 02420 951 Finland 953 Email: christer.holmberg@ericsson.com 955 Roman Shpount 956 TurboBridge 957 4905 Del Ray Avenue, Suite 300 958 Bethesda, MD 20814 959 USA 961 Phone: +1 (240) 292-6632 962 Email: rshpount@turbobridge.com