idnits 2.17.1 draft-ietf-mmusic-dtls-sdp-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 17 characters in excess of 72. -- The draft header indicates that this document updates RFC7345, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC5763, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC5763, updated by this document, for RFC5378 checks: 2007-11-12) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 25, 2016) is 2982 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC5764' is mentioned on line 666, but not defined == Missing Reference: 'RFC4474' is mentioned on line 566, but not defined ** Obsolete undefined reference: RFC 4474 (Obsoleted by RFC 8224) == Missing Reference: 'RFCXXXX' is mentioned on line 815, but not defined == Missing Reference: 'ITU.T38.2010' is mentioned on line 785, but not defined == Unused Reference: 'RFC5234' is defined on line 984, but no explicit reference was found in the text ** Obsolete normative reference: RFC 4566 (Obsoleted by RFC 8866) ** Obsolete normative reference: RFC 4572 (Obsoleted by RFC 8122) ** Obsolete normative reference: RFC 5245 (Obsoleted by RFC 8445, RFC 8839) == Outdated reference: A later version (-19) exists of draft-ietf-mmusic-sdp-mux-attributes-12 == Outdated reference: A later version (-54) exists of draft-ietf-mmusic-sdp-bundle-negotiation-25 Summary: 5 errors (**), 0 flaws (~~), 8 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Holmberg 3 Internet-Draft Ericsson 4 Updates: 5763,7345 (if approved) R. Shpount 5 Intended status: Standards Track TurboBridge 6 Expires: August 28, 2016 February 25, 2016 8 Using the SDP Offer/Answer Mechanism for DTLS 9 draft-ietf-mmusic-dtls-sdp-09.txt 11 Abstract 13 This draft defines the SDP offer/answer procedures for negotiating 14 and establishing a DTLS association. The draft also defines the 15 criteria for when a new DTLS association must be established. 17 This draft defines a new SDP media-level attribute, 'dtls- 18 connection'. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on August 28, 2016. 37 Copyright Notice 39 Copyright (c) 2016 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 3. Establishing a new DTLS Association . . . . . . . . . . . . . 3 57 3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 3.2. Change of Local Transport Parameters . . . . . . . . . . 4 59 3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4 60 3.4. Multiple SDP fingerprint attributes . . . . . . . . . . . 4 61 4. SDP dtls-connection Attribute . . . . . . . . . . . . . . . . 4 62 5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 6 63 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6 64 5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 7 65 5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 7 66 5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 8 67 5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 8 68 6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 9 69 7. Transport Protocol Considerations . . . . . . . . . . . . . . 9 70 7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 9 71 8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 9 72 9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 10 73 9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 10 74 9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 10 75 9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 15 76 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 77 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 78 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 19 79 13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 19 80 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 81 14.1. Normative References . . . . . . . . . . . . . . . . . . 21 82 14.2. Informative References . . . . . . . . . . . . . . . . . 22 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 85 1. Introduction 87 [RFC5763] defines SDP Offer/Answer procedures for SRTP-DTLS. 88 [RFC7345] defines SDP Offer/Answer procedures for UDPTL-DTLS. This 89 specification defines general Offer/Answer procedures for DTLS, based 90 on the procedures in [RFC5763]. Other specifications, defining 91 specific DTLS usages, can then reference this specification, in order 92 to ensure that the DTLS aspects are common among all usages. Having 93 common procedures is essential when multiple usages share the same 94 DTLS association [I-D.ietf-mmusic-sdp-bundle-negotiation]. 96 As defined in [RFC5763], a new DTLS association MUST be established 97 when transport parameters are changed. Transport parameter change is 98 not well defined when Interactive Connectivity Establishment (ICE) 99 [RFC5245] is used. One possible way to determine a transport change 100 is based on ufrag change, but the ufrag value is changed both when 101 ICE is negotiated and when ICE restart [RFC5245] occurs. These 102 events do not always require a new DTLS association to be 103 established, but currently there is no way to explicitly indicate in 104 an SDP offer or answer whether a new DTLS association is required. 105 To solve that problem, this draft defines a new SDP attribute, 'dtls- 106 connection'. The attribute is used in SDP offers and answers to 107 explicitly indicate whether a new DTLS association is to be 108 established/re-established. The attribute can be used both with and 109 without ICE. 111 2. Conventions 113 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 114 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 115 document are to be interpreted as described in [RFC2119]. 117 3. Establishing a new DTLS Association 119 3.1. General 121 A new DTLS association MUST be established in the following cases: 123 o The DTLS roles change; 125 o The fingerprint (certificate) value changes; or 127 o The intent to establish of a new DTLS association is explicitly 128 signaled; 130 NOTE: The first two items list above are based on the procedures in 131 [RFC5763]. This draft adds the support for explicit signaling. 133 Whenever an entity determines, based on the criteria above, that a 134 new DTLS association is required, the entity MUST initiate an 135 associated SDP offer/answer transaction, following the procedures in 136 Section 5. 138 The sections below describe typical cases where a new DTLS 139 association needs to be established. 141 3.2. Change of Local Transport Parameters 143 If an endpoint modifies its local transport parameters (address and/ 144 or port), and if the modification requires a new DTLS association, 145 the endpoint MUST change its DTLS role, change its fingerprint value, 146 and/or use the SDP 'dtls-connection' attribute with a 'new' value 147 Section 4. 149 If the underlying transport explicitly prohibits a DTLS association 150 to span multiple transports, the SDP 'dtls-connection' attribute MUST 151 be set to 'new' if the transport is changed. An example of such case 152 is when DTLS is carried over SCTP, as described in [RFC6083]. 154 3.3. Change of ICE ufrag value 156 If an endpoint uses ICE, and modifies a local ufrag value, and if the 157 modification requires a new DTLS association, the endpoint MUST 158 either change its DTLS role, its fingerprint value and/or use the SDP 159 'dtls-connection' attribute with a 'new' value Section 4. 161 3.4. Multiple SDP fingerprint attributes 163 It is possible to associate multiple SDP fingerprint attribute values 164 to an 'm-' line. If any of the attribute values associated with an 165 'm-' line are removed, or if any new attribute values are added, it 166 is considered a fingerprint value change. 168 4. SDP dtls-connection Attribute 170 The SDP 'connection' attribute [RFC4145] was originally defined for 171 connection-oriented protocols, e.g. TCP and TLS. This section 172 defines a similar attribute, 'dtls-connection', to be used with DTLS. 174 Name: dtls-connection 176 Value: conn-value 178 Usage Level: media 180 Charset Dependent: no 182 Syntax: 184 conn-value = "new" / "existing" 186 Example: 188 a=dtls-connection:existing 190 A 'dtls-connection' attribute value of 'new' indicates that a new 191 DTLS association MUST be established. A 'dtls-connection' attribute 192 value of 'existing' indicates an intention to reuse an existing 193 association. 195 Unlike the SDP 'connection' attribute for TLS, there is no default 196 value defined for the 'dtls-connection' attribute. Implementations 197 that wish to use the attribute MUST explicitly include it in SDP 198 offers and answers. If an offer or answer does not contain an 199 attribute (this could happen if the offerer or answerer represents an 200 existing implementation that has not been updated to support the 201 attribute defined in this specification), other means needs to be 202 used in order for endpoints to determine whether an offer or answer 203 is associated with an event that requires the DTLS association to be 204 re-established. 206 The mux category [I-D.ietf-mmusic-sdp-mux-attributes] for the 'dtls- 207 connection' attribute is 'IDENTICAL', which means that the attribute 208 value must be identical across all media descriptions being 209 multiplexed [I-D.ietf-mmusic-sdp-bundle-negotiation]. 211 For RTP-based media, the 'dtls-connection' attribute apply to whole 212 associated media description. The attribute MUST NOT be defined per 213 source (using the SDP 'ssrc' attribute [RFC5576]). 215 The SDP Offer/Answer [RFC3264] procedures associated with the 216 attribute are defined in Section 5 218 5. SDP Offer/Answer Procedures 220 5.1. General 222 This section defines the generic SDP offer/answer procedures for 223 negotiating a DTLS association. Additional procedures (e.g. 224 regarding usage of specific SDP attributes etc) for individual DTLS 225 usages (e.g. SRTP-DTLS) are outside the scope of this specification, 226 and need to be specified in a usage specific specification. 228 NOTE: The procedures in this section are generalizations of 229 procedures first specified in SRTP-DTLS [RFC5763], with the addition 230 of usage of the SDP 'dtls-connection' attribute. That document is 231 herein revised to make use of these new procedures. 233 The procedures in this section apply to an SDP media description 234 ("m=" line) associated a DTLS-protected media/data stream. 236 In order to negotiate a DTLS association, the following SDP 237 attributes are used: 239 o The SDP 'setup' attribute, defined in [RFC4145], is used to 240 negotiate the DTLS roles; 242 o The SDP 'fingerprint' attribute, defined in [RFC4572], is used to 243 provide the fingerprint value; and 245 o The SDP 'dtls-connection' attribute, defined in this 246 specification, is used to explicitly indicate whether a new DTLS 247 association is to be established or a previous association is to 248 be used. 250 This specification does not define the usage of the SDP 'connection' 251 attribute [RFC4145] for negotiating a DTLS connection. However, the 252 attribute MAY be used if the DTLS association is used together with 253 another protocol, e.g. SCTP or TCP, for which the usage of the 254 attribute has been defined. 256 Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP 257 'setup' attribute 'holdconn' value when negotiating a DTLS 258 association. 260 Endpoints MUST support SHA-256 for generating and verifying the 261 fingerprint value associated with the DTLS association. The use of 262 SHA-256 is preferred. 264 Endpoints MUST, at a minimum, support 265 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support 266 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer 267 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward 268 Secrecy (PFS) cipher suites over non-PFS cipher suites. 269 Implementations SHOULD disable TLS-level compression. 271 The certificate received during the DTLS handshake MUST match a 272 fingerprint received in an SDP "fingerprint" attribute. If a 273 fingerprint does not match the hashed certificate, then the endpoint 274 MUST tear down the media session immediately. Note that it is 275 permissible to wait until the other side's fingerprint has been 276 received before establishing the connection; however, this may have 277 undesirable latency effects. 279 5.2. Generating the Initial SDP Offer 281 When the offerer sends the initial offer, and the offerer wants to 282 establish a DTLS association, it MUST insert an SDP 'dtls-connection' 283 attribute with a 'new' value in the offer. In addition, the offerer 284 MUST insert an SDP 'setup' attribute according to the procedures in 285 [RFC4145], and one or more SDP 'fingerprint' attributes according to 286 the procedures in [RFC4572], in the offer. 288 If the offerer inserts the SDP 'setup' attribute with an 'actpass' or 289 'passive' value, the offerer MUST be prepared to receive a DTLS 290 ClientHello message (if a new DTLS association is established by the 291 answerer) from the answerer before it receives the SDP answer. 293 5.3. Generating the Answer 295 If an answerer receives an offer that contains an SDP 'dtls- 296 connection' attribute with a 'new' value, or if the answerer receives 297 an offer that contains an 'dtls-connection' attribute with an 298 'existing' value and the answerer determines (based on the criteria 299 for establishing a new DTLS association) that a new DTLS association 300 is to be established, the answerer MUST insert a 'new' value in the 301 associated answer. In addition, the answerer MUST insert an SDP 302 'setup' attribute according to the procedures in [RFC4145], and one 303 or more SDP 'fingerprint' attributes according to the procedures in 304 [RFC4572], in the answer. 306 If an answerer receives an offer that contains an SDP 'dtls- 307 connection' attribute with a 'new' value, and if the answerer does 308 not accept the establishment of a new DTLS association, the answerer 309 MUST reject the "m=" lines associated with the suggested DTLS 310 association [RFC3264]. 312 If an answerer receives an offer that contains a 'dtls-connection' 313 attribute with an 'existing' value, and if the answerer determines 314 that a new DTLS association is not to be established, the answerer 315 MUST insert a 'dtls-connection' attribute with an 'existing' value in 316 the associated answer. In addition, the answerer MUST insert an SDP 317 'setup' attribute with a value that does not change the previously 318 negotiated DTLS roles, and one or more SDP 'fingerprint' attributes 319 values that do not change the previously sent fingerprints, in the 320 answer. 322 If the answerer receives an offer that does not contain an SDP 'dtls- 323 connection' attribute, the answerer MUST NOT insert a 'dtls- 324 connection' attribute in the answer. 326 If a new DTLS association is to be established, and if the answerer 327 inserts an SDP 'setup' attribute with an 'active' value in the 328 answer, the answerer MUST initiate a DTLS handshake by sending a DTLS 329 ClientHello message towards the offerer. 331 5.4. Offerer Processing of the SDP Answer 333 When an offerer receives an answer that contains an SDP 'dtls- 334 connection' attribute with a 'new' value, and if the offerer becomes 335 DTLS client (based on the value of the SDP 'setup' attribute value 336 [RFC4145]), the offerer MUST establish a DTLS association. If the 337 offerer becomes DTLS server, it MUST wait for the answerer to 338 establish the DTLS association. 340 If the answer contains an SDP 'dtls-connection' attribute with an 341 'existing' value, the offerer will continue using the previously 342 established DTLS association. It is considered an error case if the 343 answer contains a 'dtls-connection' attribute with an 'existing' 344 value, and a DTLS association does not exist. 346 An offerer needs to be able to handle error conditions that can occur 347 during an offer/answer transaction, e.g. if an answer contains an SDP 348 'dtls-connection' attribute with an 'existing' value even if no DTLS 349 association exists, or if the answer contains a new fingerprint value 350 for an existing DTLS association. If such error case occurs, the 351 offerer SHOULD terminate the associated DTLS association (if it 352 exists) and send a new offer in order to terminate each media stream 353 using the DTLS association, by setting the associated port value to 354 zero [RFC4145]. 356 5.5. Modifying the Session 358 When the offerer sends a subsequent offer, and if the offerer wants 359 to establish a new DTLS association, the offerer MUST insert an SDP 360 'dtls-connection' attribute with a 'new' value in the offer. In 361 addition, the offerer MUST insert an SDP 'setup' attribute according 362 to the procedures in [RFC4145], and one or more SDP 'fingerprint' 363 attributes according to the procedures in [RFC4572], in the offer. 365 when the offerer sends a subsequent offer, and the offerer does not 366 want to establish a new DTLS association, and if a previously 367 established DTLS association exists, the offerer MUST insert an SDP 368 'dtls-connection' attribute with an 'existing' value in the offer. 369 In addition, the offerer MUST insert an SDP 'setup' attribute with a 370 value that does not change the previously negotiated DTLS roles, and 371 one or more SDP 'fingerprint' attributes with values that do not 372 change the previously sent fingerprints, in the offer. 374 NOTE: When a new DTLS association is established, each endpoint needs 375 to be prepared to receive data on both the new and old DTLS 376 associations as long as both are alive. 378 6. ICE Considerations 380 When ICE is used, the ICE connectivity checks are performed before 381 the DTLS handshake begins. Note that if aggressive nomination mode 382 is used, multiple candidate pairs may be marked valid before ICE 383 finally converges on a single candidate pair. 385 An ICE restart [RFC5245] does not by default require a new DTLS 386 association to be established. 388 As defined in [RFC5763], each ICE candidate associated with a 389 component is treated as being part of the same DTLS association. 390 Therefore, from a DTLS perspective it is not considered a change of 391 local transport parameters when an endpoint switches between those 392 ICE candidates. 394 7. Transport Protocol Considerations 396 7.1. Transport Re-Usage 398 If DTLS is transported on top of a connection-oriented transport 399 protocol (e.g. TCP or SCTP), where all IP packets are acknowledged, 400 all DTLS packets associated with a previous DTLS association MUST be 401 acknowledged (or timed out) before a new DTLS association can be 402 established on the same transport. 404 8. SIP Considerations 406 When the Session Initiation Protocol (SIP) [RFC3261] is used as the 407 signal protocol for establishing a multimedia session, dialogs 408 [RFC3261] might be established between the caller and multiple 409 callees. This is referred to as forking. If forking occurs, 410 separate DTLS associations MUST be established between the caller and 411 each callee. 413 It is possible to send an INVITE request which does not contain an 414 SDP offer. Such INVITE request is often referred to as an 'empty 415 INVITE', or an 'offerless INVITE'. The receiving endpoint will 416 include the SDP offer in a response associated with the response. 417 When the endpoint generates such SDP offer, it MUST assign an SDP 418 'dtls-connection' attribute, with a 'new' value, to each 'm-' line 419 that describes DTLS protected media. If ICE is used, the endpoint 420 MUST allocate a new set of ICE candidates, in order to ensure that 421 two DTLS association would not be running over the same transport. 423 9. RFC Updates 425 9.1. General 427 This section updates specifications that use DTLS-protected media, in 428 order to reflect the procedures defined in this specification. 430 9.2. Update to RFC 5763 432 Update to section 5: 433 -------------------- 435 OLD TEXT: 437 5. Establishing a Secure Channel 439 The two endpoints in the exchange present their identities as part of 440 the DTLS handshake procedure using certificates. This document uses 441 certificates in the same style as described in "Connection-Oriented 442 Media Transport over the Transport Layer Security (TLS) Protocol in 443 the Session Description Protocol (SDP)" [RFC4572]. 445 If self-signed certificates are used, the content of the 446 subjectAltName attribute inside the certificate MAY use the uniform 447 resource identifier (URI) of the user. This is useful for debugging 448 purposes only and is not required to bind the certificate to one of 449 the communication endpoints. The integrity of the certificate is 450 ensured through the fingerprint attribute in the SDP. The 451 subjectAltName is not an important component of the certificate 452 verification. 454 The generation of public/private key pairs is relatively expensive. 455 Endpoints are not required to generate certificates for each session. 457 The offer/answer model, defined in [RFC3264], is used by protocols 458 like the Session Initiation Protocol (SIP) [RFC3261] to set up 459 multimedia sessions. In addition to the usual contents of an SDP 460 [RFC4566] message, each media description ("m=" line and associated 461 parameters) will also contain several attributes as specified in 462 [RFC5764], [RFC4145], and [RFC4572]. 464 When an endpoint wishes to set up a secure media session with another 465 endpoint, it sends an offer in a SIP message to the other endpoint. 466 This offer includes, as part of the SDP payload, the fingerprint of 467 the certificate that the endpoint wants to use. The endpoint SHOULD 468 send the SIP message containing the offer to the offerer's SIP proxy 469 over an integrity protected channel. The proxy SHOULD add an 470 Identity header field according to the procedures outlined in 471 [RFC4474]. The SIP message containing the offer SHOULD be sent to 472 the offerer's SIP proxy over an integrity protected channel. When 473 the far endpoint receives the SIP message, it can verify the identity 474 of the sender using the Identity header field. Since the Identity 475 header field is a digital signature across several SIP header fields, 476 in addition to the body of the SIP message, the receiver can also be 477 certain that the message has not been tampered with after the digital 478 signature was applied and added to the SIP message. 480 The far endpoint (answerer) may now establish a DTLS association with 481 the offerer. Alternately, it can indicate in its answer that the 482 offerer is to initiate the TLS association. In either case, mutual 483 DTLS certificate-based authentication will be used. After completing 484 the DTLS handshake, information about the authenticated identities, 485 including the certificates, are made available to the endpoint 486 application. The answerer is then able to verify that the offerer's 487 certificate used for authentication in the DTLS handshake can be 488 associated to the certificate fingerprint contained in the offer in 489 the SDP. At this point, the answerer may indicate to the end user 490 that the media is secured. The offerer may only tentatively accept 491 the answerer's certificate since it may not yet have the answerer's 492 certificate fingerprint. 494 When the answerer accepts the offer, it provides an answer back to 495 the offerer containing the answerer's certificate fingerprint. At 496 this point, the offerer can accept or reject the peer's certificate 497 and the offerer can indicate to the end user that the media is 498 secured. 500 Note that the entire authentication and key exchange for securing the 501 media traffic is handled in the media path through DTLS. The 502 signaling path is only used to verify the peers' certificate 503 fingerprints. 505 The offer and answer MUST conform to the following requirements. 507 o The endpoint MUST use the setup attribute defined in [RFC4145]. 508 The endpoint that is the offerer MUST use the setup attribute 509 value of setup:actpass and be prepared to receive a client_hello 510 before it receives the answer. The answerer MUST use either a 511 setup attribute value of setup:active or setup:passive. Note that 512 if the answerer uses setup:passive, then the DTLS handshake will 513 not begin until the answerer is received, which adds additional 514 latency. setup:active allows the answer and the DTLS handshake to 515 occur in parallel. Thus, setup:active is RECOMMENDED. Whichever 516 party is active MUST initiate a DTLS handshake by sending a 517 ClientHello over each flow (host/port quartet). 519 o The endpoint MUST NOT use the connection attribute defined in 520 [RFC4145]. 522 o The endpoint MUST use the certificate fingerprint attribute as 523 specified in [RFC4572]. 525 o The certificate presented during the DTLS handshake MUST match the 526 fingerprint exchanged via the signaling path in the SDP. The 527 security properties of this mechanism are described in Section 8. 529 o If the fingerprint does not match the hashed certificate, then the 530 endpoint MUST tear down the media session immediately. Note that 531 it is permissible to wait until the other side's fingerprint has 532 been received before establishing the connection; however, this 533 may have undesirable latency effects. 535 NEW TEXT: 537 5. Establishing a Secure Channel 539 The two endpoints in the exchange present their identities as part of 540 the DTLS handshake procedure using certificates. This document uses 541 certificates in the same style as described in "Connection-Oriented 542 Media Transport over the Transport Layer Security (TLS) Protocol in 543 the Session Description Protocol (SDP)" [RFC4572]. 545 If self-signed certificates are used, the content of the 546 subjectAltName attribute inside the certificate MAY use the uniform 547 resource identifier (URI) of the user. This is useful for debugging 548 purposes only and is not required to bind the certificate to one of 549 the communication endpoints. The integrity of the certificate is 550 ensured through the fingerprint attribute in the SDP. 552 The generation of public/private key pairs is relatively expensive. 553 Endpoints are not required to generate certificates for each session. 555 The offer/answer model, defined in [RFC3264], is used by protocols 556 like the Session Initiation Protocol (SIP) [RFC3261] to set up 557 multimedia sessions. 559 When an endpoint wishes to set up a secure media session with another 560 endpoint, it sends an offer in a SIP message to the other endpoint. 561 This offer includes, as part of the SDP payload, the fingerprint of 562 the certificate that the endpoint wants to use. The endpoint SHOULD 563 send the SIP message containing the offer to the offerer's SIP proxy 564 over an integrity protected channel. The proxy SHOULD add an 565 Identity header field according to the procedures outlined in 566 [RFC4474]. The SIP message containing the offer SHOULD be sent to 567 the offerer's SIP proxy over an integrity protected channel. When 568 the far endpoint receives the SIP message, it can verify the identity 569 of the sender using the Identity header field. Since the Identity 570 header field is a digital signature across several SIP header fields, 571 in addition to the body of the SIP message, the receiver can also be 572 certain that the message has not been tampered with after the digital 573 signature was applied and added to the SIP message. 575 The far endpoint (answerer) may now establish a DTLS association with 576 the offerer. Alternately, it can indicate in its answer that the 577 offerer is to initiate the DTLS association. In either case, mutual 578 DTLS certificate-based authentication will be used. After completing 579 the DTLS handshake, information about the authenticated identities, 580 including the certificates, are made available to the endpoint 581 application. The answerer is then able to verify that the offerer's 582 certificate used for authentication in the DTLS handshake can be 583 associated to the certificate fingerprint contained in the offer in 584 the SDP. At this point, the answerer may indicate to the end user 585 that the media is secured. The offerer may only tentatively accept 586 the answerer's certificate since it may not yet have the answerer's 587 certificate fingerprint. 589 When the answerer accepts the offer, it provides an answer back to 590 the offerer containing the answerer's certificate fingerprint. At 591 this point, the offerer can accept or reject the peer's certificate 592 and the offerer can indicate to the end user that the media is 593 secured. 595 Note that the entire authentication and key exchange for securing the 596 media traffic is handled in the media path through DTLS. The 597 signaling path is only used to verify the peers' certificate 598 fingerprints. 600 The offerer and answerer MUST follow the SDP offer/answer procedures 601 defined in [RFCXXXX]. 603 Update to section 6.6: 604 ---------------------- 606 OLD TEXT: 608 6.6. Session Modification 610 Once an answer is provided to the offerer, either endpoint MAY 611 request a session modification that MAY include an updated offer. 612 This session modification can be carried in either an INVITE or 613 UPDATE request. The peers can reuse the existing associations if 614 they are compatible (i.e., they have the same key fingerprints and 615 transport parameters), or establish a new one following the same 616 rules are for initial exchanges, tearing down the existing 617 association as soon as the offer/answer exchange is completed. Note 618 that if the active/passive status of the endpoints changes, a new 619 connection MUST be established. 621 NEW TEXT: 623 6.6. Session Modification 625 Once an answer is provided to the offerer, either endpoint MAY 626 request a session modification that MAY include an updated offer. 627 This session modification can be carried in either an INVITE or 628 UPDATE request. The peers can reuse an existing DTLS association, 629 or establish a new one, following the procedures in [RFCXXXX]. 631 Update to section 6.7.1: 632 ------------------------ 634 OLD TEXT: 636 6.7.1. ICE Interaction 638 Interactive Connectivity Establishment (ICE), as specified in 639 [RFC5245], provides a methodology of allowing participants in 640 multimedia sessions to verify mutual connectivity. When ICE is being 641 used, the ICE connectivity checks are performed before the DTLS 642 handshake begins. Note that if aggressive nomination mode is used, 643 multiple candidate pairs may be marked valid before ICE finally 644 converges on a single candidate pair. Implementations MUST treat all 645 ICE candidate pairs associated with a single component as part of the 646 same DTLS association. Thus, there will be only one DTLS handshake 647 even if there are multiple valid candidate pairs. Note that this may 648 mean adjusting the endpoint IP addresses if the selected candidate 649 pair shifts, just as if the DTLS packets were an ordinary media 650 stream. 652 Note that Simple Traversal of the UDP Protocol through NAT (STUN) 653 packets are sent directly over UDP, not over DTLS. [RFC5764] 654 describes how to demultiplex STUN packets from DTLS packets and SRTP 655 packets. 657 NEW TEXT: 659 6.7.1. ICE Interaction 661 The Interactive Connectivity Establishment (ICE) [RFC5245] 662 considerations for DTLS-protected media are described in 663 [RFCXXXX]. 665 Note that Simple Traversal of the UDP Protocol through NAT (STUN) 666 packets are sent directly over UDP, not over DTLS. [RFC5764] 667 describes how to demultiplex STUN packets from DTLS packets and SRTP 668 packets. 670 9.3. Update to RFC 7345 672 Update to section 4: 673 -------------------- 675 OLD TEXT: 677 4. SDP Offerer/Answerer Procedures 679 4.1. General 681 An endpoint (i.e., both the offerer and the answerer) MUST create an 682 SDP media description ("m=" line) for each UDPTL-over-DTLS media 683 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 684 "proto" field of the "m=" line. 686 The procedures in this section apply to an "m=" line associated with 687 a UDPTL-over-DTLS media stream. 689 In order to negotiate a UDPTL-over-DTLS media stream, the following 690 SDP attributes are used: 692 o The SDP attributes defined for UDPTL over UDP, as described in 694 [ITU.T38.2010]; and 696 o The SDP attributes, defined in [RFC4145] and [RFC4572], as 697 described in this section. 699 The endpoint MUST NOT use the SDP "connection" attribute [RFC4145]. 701 In order to negotiate the TLS roles for the UDPTL-over-DTLS transport 702 connection, the endpoint MUST use the SDP "setup" attribute 703 [RFC4145]. 705 If the endpoint supports, and is willing to use, a cipher suite with 706 an associated certificate, the endpoint MUST include an SDP 707 "fingerprint" attribute [RFC4572]. The endpoint MUST support SHA-256 708 for generating and verifying the SDP "fingerprint" attribute value. 709 The use of SHA-256 is preferred. UDPTL over DTLS, at a minimum, MUST 710 support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support 711 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer 712 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward 713 Secrecy (PFS) cipher suites over non-PFS cipher suites. 714 Implementations SHOULD disable TLS-level compression. 716 If a cipher suite with an associated certificate is selected during 717 the DTLS handshake, the certificate received during the DTLS 718 handshake MUST match the fingerprint received in the SDP 719 "fingerprint" attribute. If the fingerprint does not match the 720 hashed certificate, then the endpoint MUST tear down the media 721 session immediately. Note that it is permissible to wait until the 722 other side's fingerprint has been received before establishing the 723 connection; however, this may have undesirable latency effects. 725 4.2. Generating the Initial Offer 727 The offerer SHOULD assign the SDP "setup" attribute with a value of 728 "actpass", unless the offerer insists on being either the sender or 729 receiver of the DTLS ClientHello message, in which case the offerer 730 can use either a value of "active" (the offerer will be the sender of 731 ClientHello) or "passive" (the offerer will be the receiver of 732 ClientHello). The offerer MUST NOT assign an SDP "setup" attribute 733 with a "holdconn" value. 735 If the offerer assigns the SDP "setup" attribute with a value of 736 "actpass" or "passive", the offerer MUST be prepared to receive a 737 DTLS ClientHello message before it receives the SDP answer. 739 4.3. Generating the Answer 741 If the answerer accepts the offered UDPTL-over-DTLS transport 742 connection, in the associated SDP answer, the answerer MUST assign an 743 SDP "setup" attribute with a value of either "active" or "passive", 744 according to the procedures in [RFC4145]. The answerer MUST NOT 745 assign an SDP "setup" attribute with a value of "holdconn". 747 If the answerer assigns an SDP "setup" attribute with a value of 748 "active" value, the answerer MUST initiate a DTLS handshake by 749 sending a DTLS ClientHello message on the negotiated media stream, 750 towards the IP address and port of the offerer. 752 4.4. Offerer Processing of the Answer 754 When the offerer receives an SDP answer, if the offerer ends up being 755 active it MUST initiate a DTLS handshake by sending a DTLS 756 ClientHello message on the negotiated media stream, towards the IP 757 address and port of the answerer. 759 4.5. Modifying the Session 761 Once an offer/answer exchange has been completed, either endpoint MAY 762 send a new offer in order to modify the session. The endpoints can 763 reuse the existing DTLS association if the key fingerprint values and 764 transport parameters indicated by each endpoint are unchanged. 765 Otherwise, following the rules for the initial offer/answer exchange, 766 the endpoints can negotiate and create a new DTLS association and, 767 once created, delete the previous DTLS association, following the 768 same rules for the initial offer/answer exchange. Each endpoint 769 needs to be prepared to receive data on both the new and old DTLS 770 associations as long as both are alive. 772 NEW TEXT: 774 4. SDP Offerer/Answerer Procedures 776 An endpoint (i.e., both the offerer and the answerer) MUST create an 777 SDP media description ("m=" line) for each UDPTL-over-DTLS media 778 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 779 "proto" field of the "m=" line. 781 The offerer and answerer MUST follow the SDP offer/answer procedures 782 defined in [RFCXXXX] in order to negotiate the DTLS association 783 associated with the UDPTL-over-DTLS media stream. In addition, 784 the offerer and answerer MUST use the SDP attributes defined for 785 UDPTL over UDP, as defined in [ITU.T38.2010]. 787 Update to section 5.2.1: 788 ------------------------ 789 OLD TEXT: 791 5.2.1. ICE Usage 793 When Interactive Connectivity Establishment (ICE) [RFC5245] is being 794 used, the ICE connectivity checks are performed before the DTLS 795 handshake begins. Note that if aggressive nomination mode is used, 796 multiple candidate pairs may be marked valid before ICE finally 797 converges on a single candidate pair. User Agents (UAs) MUST treat 798 all ICE candidate pairs associated with a single component as part of 799 the same DTLS association. Thus, there will be only one DTLS 800 handshake even if there are multiple valid candidate pairs. Note 801 that this may mean adjusting the endpoint IP addresses if the 802 selected candidate pair shifts, just as if the DTLS packets were an 803 ordinary media stream. In the case of an ICE restart, the DTLS 804 handshake procedure is repeated, and a new DTLS association is 805 created. Once the DTLS handshake is completed and the new DTLS 806 association has been created, the previous DTLS association is 807 deleted. 809 NEW TEXT: 811 5.2.1. ICE Usage 813 The Interactive Connectivity Establishment (ICE) [RFC5245] 814 considerations for DTLS-protected media are described in 815 [RFCXXXX]. 817 10. Security Considerations 819 This specification does not modify the security considerations 820 associated with DTLS, or the SDP offer/answer mechanism. In addition 821 to the introduction of the SDP 'dtls-connection' attribute, the 822 specification simply clarifies the procedures for negotiating and 823 establishing a DTLS association. 825 11. IANA Considerations 827 This document updates the "Session Description Protocol Parameters" 828 registry as specified in Section 8.2.2 of [RFC4566]. Specifically, 829 it adds the SDP dtls-connection attribute to the table for SDP media 830 level attributes. 832 Attribute name: dtls-connection 833 Type of attribute: media-level 834 Subject to charset: no 835 Purpose: Indicate whether a new DTLS association is to be established/re-established. 836 Appropriate Values: see Section 4 837 Contact name: Christer Holmberg 838 Category: IDENTICAL 840 12. Acknowledgements 842 Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat, Jens Guballa, 843 Charles Eckel and Gonzalo Salgueiro for providing comments and 844 suggestions on the draft. 846 13. Change Log 848 [RFC EDITOR NOTE: Please remove this section when publishing] 850 Changes from draft-ietf-mmusic-sdp-dtls-08 852 o Offer/Answer section modified in order to allow sending of 853 multiple SDP 'fingerprint' attributes. 855 o Terminology made consistant: 'DTLS connection' replaced with 'DTLS 856 association'. 858 o Editorial changes based on comments from Paul Kyzivat. 860 Changes from draft-ietf-mmusic-sdp-dtls-07 862 o Reference to RFC 7315 replaced with reference to RFC 7345. 864 Changes from draft-ietf-mmusic-sdp-dtls-06 866 o Text on restrictions regarding spanning a DTLS association over 867 multiple transports added. 869 o Mux category added to IANA Considerations. 871 o Normative text regarding mux category and source-specific 872 applicability added. 874 o Reference to RFC 7315 added. 876 o Clarified that offerer/answerer that has not been updated to 877 support this specification will not include the dtls-connection 878 attribute in offers and answers. 880 o Editorial corrections based on WGLC comments from Charles Eckel. 882 Changes from draft-ietf-mmusic-sdp-dtls-05 884 o Text on handling offer/answer error conditions added. 886 Changes from draft-ietf-mmusic-sdp-dtls-04 888 o Editorial nits fixed based on comments from Paul Kyzivat: 890 Changes from draft-ietf-mmusic-sdp-dtls-03 892 o Changes based on comments from Paul Kyzivat: 894 o - Modification of dtls-connection attribute section. 896 o - Removal of IANA considerations subsection. 898 o - Making note into normative text in o/a section. 900 o Changes based on comments from Martin Thompson: 902 o - Abbreviations section removed. 904 o - Clarify that a new DTLS association requires a new o/a 905 transaction. 907 Changes from draft-ietf-mmusic-sdp-dtls-02 909 o - Updated RFCs added to boilerplate. 911 Changes from draft-ietf-mmusic-sdp-dtls-01 913 o - Annex regarding 'dtls-connection-id' attribute removed. 915 o - Additional SDP offer/answer procedures, related to certificates, 916 added. 918 o - Updates to RFC 5763 and RFC 7345 added. 920 o - Transport protocol considerations added. 922 Changes from draft-ietf-mmusic-sdp-dtls-00 924 o - SDP 'connection' attribute replaced with new 'dtls-connection' 925 attribute. 927 o - IANA Considerations added. 929 o - E-mail regarding 'dtls-connection-id' attribute added as Annex. 931 Changes from draft-holmberg-mmusic-sdp-dtls-01 933 o - draft-ietf-mmusic version of draft submitted. 935 o - Draft file name change (sdp-dtls -> dtls-sdp) due to collision 936 with another expired draft. 938 o - Clarify that if ufrag in offer is unchanged, it must be 939 unchanged in associated answer. 941 o - SIP Considerations section added. 943 o - Section about multiple SDP fingerprint attributes added. 945 Changes from draft-holmberg-mmusic-sdp-dtls-00 947 o - Editorial changes and clarifications. 949 14. References 951 14.1. Normative References 953 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 954 Requirement Levels", BCP 14, RFC 2119, 955 DOI 10.17487/RFC2119, March 1997, 956 . 958 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 959 A., Peterson, J., Sparks, R., Handley, M., and E. 960 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 961 DOI 10.17487/RFC3261, June 2002, 962 . 964 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 965 with Session Description Protocol (SDP)", RFC 3264, 966 DOI 10.17487/RFC3264, June 2002, 967 . 969 [RFC4145] Yon, D. and G. Camarillo, "TCP-Based Media Transport in 970 the Session Description Protocol (SDP)", RFC 4145, 971 DOI 10.17487/RFC4145, September 2005, 972 . 974 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 975 Description Protocol", RFC 4566, DOI 10.17487/RFC4566, 976 July 2006, . 978 [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the 979 Transport Layer Security (TLS) Protocol in the Session 980 Description Protocol (SDP)", RFC 4572, 981 DOI 10.17487/RFC4572, July 2006, 982 . 984 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 985 Specifications: ABNF", STD 68, RFC 5234, 986 DOI 10.17487/RFC5234, January 2008, 987 . 989 [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment 990 (ICE): A Protocol for Network Address Translator (NAT) 991 Traversal for Offer/Answer Protocols", RFC 5245, 992 DOI 10.17487/RFC5245, April 2010, 993 . 995 [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework 996 for Establishing a Secure Real-time Transport Protocol 997 (SRTP) Security Context Using Datagram Transport Layer 998 Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 999 2010, . 1001 [RFC7345] Holmberg, C., Sedlacek, I., and G. Salgueiro, "UDP 1002 Transport Layer (UDPTL) over Datagram Transport Layer 1003 Security (DTLS)", RFC 7345, DOI 10.17487/RFC7345, August 1004 2014, . 1006 14.2. Informative References 1008 [RFC5576] Lennox, J., Ott, J., and T. Schierl, "Source-Specific 1009 Media Attributes in the Session Description Protocol 1010 (SDP)", RFC 5576, DOI 10.17487/RFC5576, June 2009, 1011 . 1013 [RFC6083] Tuexen, M., Seggelmann, R., and E. Rescorla, "Datagram 1014 Transport Layer Security (DTLS) for Stream Control 1015 Transmission Protocol (SCTP)", RFC 6083, 1016 DOI 10.17487/RFC6083, January 2011, 1017 . 1019 [I-D.ietf-mmusic-sdp-mux-attributes] 1020 Nandakumar, S., "A Framework for SDP Attributes when 1021 Multiplexing", draft-ietf-mmusic-sdp-mux-attributes-12 1022 (work in progress), January 2016. 1024 [I-D.ietf-mmusic-sdp-bundle-negotiation] 1025 Holmberg, C., Alvestrand, H., and C. Jennings, 1026 "Negotiating Media Multiplexing Using the Session 1027 Description Protocol (SDP)", draft-ietf-mmusic-sdp-bundle- 1028 negotiation-25 (work in progress), January 2016. 1030 Authors' Addresses 1032 Christer Holmberg 1033 Ericsson 1034 Hirsalantie 11 1035 Jorvas 02420 1036 Finland 1038 Email: christer.holmberg@ericsson.com 1040 Roman Shpount 1041 TurboBridge 1042 4905 Del Ray Avenue, Suite 300 1043 Bethesda, MD 20814 1044 USA 1046 Phone: +1 (240) 292-6632 1047 Email: rshpount@turbobridge.com