idnits 2.17.1 draft-ietf-mmusic-dtls-sdp-10.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** There is 1 instance of too long lines in the document, the longest one being 17 characters in excess of 72. -- The draft header indicates that this document updates RFC7345, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC5763, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC5763, updated by this document, for RFC5378 checks: 2007-11-12) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 3, 2016) is 2976 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC5764' is mentioned on line 656, but not defined == Missing Reference: 'RFC4474' is mentioned on line 557, but not defined ** Obsolete undefined reference: RFC 4474 (Obsoleted by RFC 8224) == Missing Reference: 'RFCXXXX' is mentioned on line 805, but not defined == Missing Reference: 'ITU.T38.2010' is mentioned on line 774, but not defined == Unused Reference: 'RFC5234' is defined on line 974, but no explicit reference was found in the text ** Obsolete normative reference: RFC 4566 (Obsoleted by RFC 8866) ** Obsolete normative reference: RFC 4572 (Obsoleted by RFC 8122) ** Obsolete normative reference: RFC 5245 (Obsoleted by RFC 8445, RFC 8839) == Outdated reference: A later version (-19) exists of draft-ietf-mmusic-sdp-mux-attributes-12 == Outdated reference: A later version (-54) exists of draft-ietf-mmusic-sdp-bundle-negotiation-25 Summary: 5 errors (**), 0 flaws (~~), 8 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Holmberg 3 Internet-Draft Ericsson 4 Updates: 5763,7345 (if approved) R. Shpount 5 Intended status: Standards Track TurboBridge 6 Expires: September 4, 2016 March 3, 2016 8 Using the SDP Offer/Answer Mechanism for DTLS 9 draft-ietf-mmusic-dtls-sdp-10.txt 11 Abstract 13 This draft defines the SDP offer/answer procedures for negotiating 14 and establishing a DTLS association. The draft also defines the 15 criteria for when a new DTLS association must be established. 17 This draft defines a new SDP media-level attribute, 'dtls- 18 connection'. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at http://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on September 4, 2016. 37 Copyright Notice 39 Copyright (c) 2016 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (http://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 56 3. Establishing a new DTLS Association . . . . . . . . . . . . . 3 57 3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 58 3.2. Change of Local Transport Parameters . . . . . . . . . . 3 59 3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4 60 4. SDP dtls-connection Attribute . . . . . . . . . . . . . . . . 4 61 5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 5 62 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 5 63 5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 6 64 5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 7 65 5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 7 66 5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 8 67 6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 8 68 7. Transport Protocol Considerations . . . . . . . . . . . . . . 9 69 7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 9 70 8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 9 71 9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 9 72 9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 9 73 9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 9 74 9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 15 75 10. Security Considerations . . . . . . . . . . . . . . . . . . . 18 76 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 18 77 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 18 78 13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 18 79 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 80 14.1. Normative References . . . . . . . . . . . . . . . . . . 21 81 14.2. Informative References . . . . . . . . . . . . . . . . . 22 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 84 1. Introduction 86 [RFC5763] defines SDP Offer/Answer procedures for SRTP-DTLS. 87 [RFC7345] defines SDP Offer/Answer procedures for UDPTL-DTLS. This 88 specification defines general Offer/Answer procedures for DTLS, based 89 on the procedures in [RFC5763]. Other specifications, defining 90 specific DTLS usages, can then reference this specification, in order 91 to ensure that the DTLS aspects are common among all usages. Having 92 common procedures is essential when multiple usages share the same 93 DTLS association [I-D.ietf-mmusic-sdp-bundle-negotiation]. 95 As defined in [RFC5763], a new DTLS association MUST be established 96 when transport parameters are changed. Transport parameter change is 97 not well defined when Interactive Connectivity Establishment (ICE) 98 [RFC5245] is used. One possible way to determine a transport change 99 is based on ufrag change, but the ufrag value is changed both when 100 ICE is negotiated and when ICE restart [RFC5245] occurs. These 101 events do not always require a new DTLS association to be 102 established, but currently there is no way to explicitly indicate in 103 an SDP offer or answer whether a new DTLS association is required. 104 To solve that problem, this draft defines a new SDP attribute, 'dtls- 105 connection'. The attribute is used in SDP offers and answers to 106 explicitly indicate whether a new DTLS association is to be 107 established/re-established. The attribute can be used both with and 108 without ICE. 110 2. Conventions 112 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 113 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 114 document are to be interpreted as described in [RFC2119]. 116 3. Establishing a new DTLS Association 118 3.1. General 120 A new DTLS association MUST be established in the following cases: 122 o The DTLS roles change; 124 o A fingerprint (certificate) value changes; or 126 o The intent to establish of a new DTLS association is explicitly 127 signaled; 129 NOTE: The first two items list above are based on the procedures in 130 [RFC5763]. This draft adds the support for explicit signaling. 132 Whenever an entity determines, based on the criteria above, that a 133 new DTLS association is required, the entity MUST initiate an 134 associated SDP offer/answer transaction, following the procedures in 135 Section 5. 137 The sections below describe typical cases where a new DTLS 138 association needs to be established. 140 3.2. Change of Local Transport Parameters 142 If an endpoint modifies its local transport parameters (address and/ 143 or port), and if the modification requires a new DTLS association, 144 the endpoint MUST change its DTLS role, change its fingerprint value, 145 and/or use the SDP 'dtls-connection' attribute with a 'new' value 146 Section 4. 148 If the underlying transport explicitly prohibits a DTLS association 149 to span multiple transports, the SDP 'dtls-connection' attribute MUST 150 be set to 'new' if the transport is changed. An example of such case 151 is when DTLS is carried over SCTP, as described in [RFC6083]. 153 3.3. Change of ICE ufrag value 155 If an endpoint uses ICE, and modifies a local ufrag value, and if the 156 modification requires a new DTLS association, the endpoint MUST 157 either change its DTLS role, a fingerprint value and/or use the SDP 158 'dtls-connection' attribute with a 'new' value Section 4. 160 4. SDP dtls-connection Attribute 162 The SDP 'connection' attribute [RFC4145] was originally defined for 163 connection-oriented protocols, e.g. TCP and TLS. This section 164 defines a similar attribute, 'dtls-connection', to be used with DTLS. 166 Name: dtls-connection 168 Value: conn-value 170 Usage Level: media 172 Charset Dependent: no 174 Syntax: 176 conn-value = "new" / "existing" 178 Example: 180 a=dtls-connection:existing 182 A 'dtls-connection' attribute value of 'new' indicates that a new 183 DTLS association MUST be established. A 'dtls-connection' attribute 184 value of 'existing' indicates an intention to reuse an existing 185 association. 187 Unlike the SDP 'connection' attribute for TLS, there is no default 188 value defined for the 'dtls-connection' attribute. Implementations 189 that wish to use the attribute MUST explicitly include it in SDP 190 offers and answers. If an offer or answer does not contain an 191 attribute (this could happen if the offerer or answerer represents an 192 existing implementation that has not been updated to support the 193 attribute defined in this specification), other means needs to be 194 used in order for endpoints to determine whether an offer or answer 195 is associated with an event that requires the DTLS association to be 196 re-established. 198 The mux category [I-D.ietf-mmusic-sdp-mux-attributes] for the 'dtls- 199 connection' attribute is 'IDENTICAL', which means that the attribute 200 value must be identical across all media descriptions being 201 multiplexed [I-D.ietf-mmusic-sdp-bundle-negotiation]. 203 For RTP-based media, the 'dtls-connection' attribute apply to whole 204 associated media description. The attribute MUST NOT be defined per 205 source (using the SDP 'ssrc' attribute [RFC5576]). 207 The SDP Offer/Answer [RFC3264] procedures associated with the 208 attribute are defined in Section 5 210 5. SDP Offer/Answer Procedures 212 5.1. General 214 This section defines the generic SDP offer/answer procedures for 215 negotiating a DTLS association. Additional procedures (e.g. 216 regarding usage of specific SDP attributes etc) for individual DTLS 217 usages (e.g. SRTP-DTLS) are outside the scope of this specification, 218 and need to be specified in a usage specific specification. 220 NOTE: The procedures in this section are generalizations of 221 procedures first specified in SRTP-DTLS [RFC5763], with the addition 222 of usage of the SDP 'dtls-connection' attribute. That document is 223 herein revised to make use of these new procedures. 225 The procedures in this section apply to an SDP media description 226 ("m=" line) associated a DTLS-protected media/data stream. 228 In order to negotiate a DTLS association, the following SDP 229 attributes are used: 231 o The SDP 'setup' attribute, defined in [RFC4145], is used to 232 negotiate the DTLS roles; 234 o The SDP 'fingerprint' attribute, defined in [RFC4572], is used to 235 provide a fingerprint value; and 237 o The SDP 'dtls-connection' attribute, defined in this 238 specification, is used to explicitly indicate whether a new DTLS 239 association is to be established or a previous association is to 240 be used. 242 This specification does not define the usage of the SDP 'connection' 243 attribute [RFC4145] for negotiating a DTLS connection. However, the 244 attribute MAY be used if the DTLS association is used together with 245 another protocol, e.g. SCTP or TCP, for which the usage of the 246 attribute has been defined. 248 Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP 249 'setup' attribute 'holdconn' value when negotiating a DTLS 250 association. 252 Endpoints MUST support SHA-256 for generating and verifying any 253 fingerprint value associated with the DTLS association. The use of 254 SHA-256 is preferred. 256 Endpoints MUST, at a minimum, support 257 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support 258 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer 259 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward 260 Secrecy (PFS) cipher suites over non-PFS cipher suites. 261 Implementations SHOULD disable TLS-level compression. 263 The certificate received during the DTLS handshake MUST match a 264 fingerprint received in an SDP "fingerprint" attribute. If a 265 fingerprint does not match the hashed certificate, then the endpoint 266 MUST tear down the media session immediately. Note that it is 267 permissible to wait until the other side's fingerprint has been 268 received before establishing the connection; however, this may have 269 undesirable latency effects. 271 5.2. Generating the Initial SDP Offer 273 When the offerer sends the initial offer, and the offerer wants to 274 establish a DTLS association, it MUST insert an SDP 'dtls-connection' 275 attribute with a 'new' value in the offer. In addition, the offerer 276 MUST insert an SDP 'setup' attribute according to the procedures in 277 [RFC4145], and one or more SDP 'fingerprint' attributes according to 278 the procedures in [RFC4572], in the offer. 280 If the offerer inserts the SDP 'setup' attribute with an 'actpass' or 281 'passive' value, the offerer MUST be prepared to receive a DTLS 282 ClientHello message (if a new DTLS association is established by the 283 answerer) from the answerer before it receives the SDP answer. 285 5.3. Generating the Answer 287 If an answerer receives an offer that contains an SDP 'dtls- 288 connection' attribute with a 'new' value, or if the answerer receives 289 an offer that contains an 'dtls-connection' attribute with an 290 'existing' value and the answerer determines (based on the criteria 291 for establishing a new DTLS association) that a new DTLS association 292 is to be established, the answerer MUST insert a 'new' value in the 293 associated answer. In addition, the answerer MUST insert an SDP 294 'setup' attribute according to the procedures in [RFC4145], and one 295 or more SDP 'fingerprint' attributes according to the procedures in 296 [RFC4572], in the answer. 298 If an answerer receives an offer that contains an SDP 'dtls- 299 connection' attribute with a 'new' value, and if the answerer does 300 not accept the establishment of a new DTLS association, the answerer 301 MUST reject the "m=" lines associated with the suggested DTLS 302 association [RFC3264]. 304 If an answerer receives an offer that contains a 'dtls-connection' 305 attribute with an 'existing' value, and if the answerer determines 306 that a new DTLS association is not to be established, the answerer 307 MUST insert a 'dtls-connection' attribute with an 'existing' value in 308 the associated answer. In addition, the answerer MUST insert an SDP 309 'setup' attribute with a value that does not change the previously 310 negotiated DTLS roles, and one or more SDP 'fingerprint' attributes 311 values that do not change the previously sent fingerprints, in the 312 answer. 314 If the answerer receives an offer that does not contain an SDP 'dtls- 315 connection' attribute, the answerer MUST NOT insert a 'dtls- 316 connection' attribute in the answer. 318 If a new DTLS association is to be established, and if the answerer 319 inserts an SDP 'setup' attribute with an 'active' value in the 320 answer, the answerer MUST initiate a DTLS handshake by sending a DTLS 321 ClientHello message towards the offerer. 323 5.4. Offerer Processing of the SDP Answer 325 When an offerer receives an answer that contains an SDP 'dtls- 326 connection' attribute with a 'new' value, and if the offerer becomes 327 DTLS client (based on the value of the SDP 'setup' attribute value 328 [RFC4145]), the offerer MUST establish a DTLS association. If the 329 offerer becomes DTLS server, it MUST wait for the answerer to 330 establish the DTLS association. 332 If the answer contains an SDP 'dtls-connection' attribute with an 333 'existing' value, the offerer will continue using the previously 334 established DTLS association. It is considered an error case if the 335 answer contains a 'dtls-connection' attribute with an 'existing' 336 value, and a DTLS association does not exist. 338 An offerer needs to be able to handle error conditions that can occur 339 during an offer/answer transaction, e.g. if an answer contains an SDP 340 'dtls-connection' attribute with an 'existing' value even if no DTLS 341 association exists, or if the answer contains one or more new 342 fingerprint values for an existing DTLS association. If such error 343 case occurs, the offerer SHOULD terminate the associated DTLS 344 association (if it exists) and send a new offer in order to terminate 345 each media stream using the DTLS association, by setting the 346 associated port value to zero [RFC4145]. 348 5.5. Modifying the Session 350 When the offerer sends a subsequent offer, and if the offerer wants 351 to establish a new DTLS association, the offerer MUST insert an SDP 352 'dtls-connection' attribute with a 'new' value in the offer. In 353 addition, the offerer MUST insert an SDP 'setup' attribute according 354 to the procedures in [RFC4145], and one or more SDP 'fingerprint' 355 attributes according to the procedures in [RFC4572], in the offer. 357 when the offerer sends a subsequent offer, and the offerer does not 358 want to establish a new DTLS association, and if a previously 359 established DTLS association exists, the offerer MUST insert an SDP 360 'dtls-connection' attribute with an 'existing' value in the offer. 361 In addition, the offerer MUST insert an SDP 'setup' attribute with a 362 value that does not change the previously negotiated DTLS roles, and 363 one or more SDP 'fingerprint' attributes with values that do not 364 change the previously sent fingerprints, in the offer. 366 NOTE: When a new DTLS association is established, each endpoint needs 367 to be prepared to receive data on both the new and old DTLS 368 associations as long as both are alive. 370 6. ICE Considerations 372 When ICE is used, the ICE connectivity checks are performed before 373 the DTLS handshake begins. Note that if aggressive nomination mode 374 is used, multiple candidate pairs may be marked valid before ICE 375 finally converges on a single candidate pair. 377 An ICE restart [RFC5245] does not by default require a new DTLS 378 association to be established. 380 As defined in [RFC5763], each ICE candidate associated with a 381 component is treated as being part of the same DTLS association. 382 Therefore, from a DTLS perspective it is not considered a change of 383 local transport parameters when an endpoint switches between those 384 ICE candidates. 386 7. Transport Protocol Considerations 388 7.1. Transport Re-Usage 390 If DTLS is transported on top of a connection-oriented transport 391 protocol (e.g. TCP or SCTP), where all IP packets are acknowledged, 392 all DTLS packets associated with a previous DTLS association MUST be 393 acknowledged (or timed out) before a new DTLS association can be 394 established on the same transport. 396 8. SIP Considerations 398 When the Session Initiation Protocol (SIP) [RFC3261] is used as the 399 signal protocol for establishing a multimedia session, dialogs 400 [RFC3261] might be established between the caller and multiple 401 callees. This is referred to as forking. If forking occurs, 402 separate DTLS associations MUST be established between the caller and 403 each callee. 405 It is possible to send an INVITE request which does not contain an 406 SDP offer. Such INVITE request is often referred to as an 'empty 407 INVITE', or an 'offerless INVITE'. The receiving endpoint will 408 include the SDP offer in a response associated with the response. 409 When the endpoint generates such SDP offer, it MUST assign an SDP 410 'dtls-connection' attribute, with a 'new' value, to each 'm-' line 411 that describes DTLS protected media. If ICE is used, the endpoint 412 MUST allocate a new set of ICE candidates, in order to ensure that 413 two DTLS association would not be running over the same transport. 415 9. RFC Updates 417 9.1. General 419 This section updates specifications that use DTLS-protected media, in 420 order to reflect the procedures defined in this specification. 422 9.2. Update to RFC 5763 424 Update to section 5: 425 -------------------- 426 OLD TEXT: 428 5. Establishing a Secure Channel 430 The two endpoints in the exchange present their identities as part of 431 the DTLS handshake procedure using certificates. This document uses 432 certificates in the same style as described in "Connection-Oriented 433 Media Transport over the Transport Layer Security (TLS) Protocol in 434 the Session Description Protocol (SDP)" [RFC4572]. 436 If self-signed certificates are used, the content of the 437 subjectAltName attribute inside the certificate MAY use the uniform 438 resource identifier (URI) of the user. This is useful for debugging 439 purposes only and is not required to bind the certificate to one of 440 the communication endpoints. The integrity of the certificate is 441 ensured through the fingerprint attribute in the SDP. The 442 subjectAltName is not an important component of the certificate 443 verification. 445 The generation of public/private key pairs is relatively expensive. 446 Endpoints are not required to generate certificates for each session. 448 The offer/answer model, defined in [RFC3264], is used by protocols 449 like the Session Initiation Protocol (SIP) [RFC3261] to set up 450 multimedia sessions. In addition to the usual contents of an SDP 451 [RFC4566] message, each media description ("m=" line and associated 452 parameters) will also contain several attributes as specified in 453 [RFC5764], [RFC4145], and [RFC4572]. 455 When an endpoint wishes to set up a secure media session with another 456 endpoint, it sends an offer in a SIP message to the other endpoint. 457 This offer includes, as part of the SDP payload, the fingerprint of 458 the certificate that the endpoint wants to use. The endpoint SHOULD 459 send the SIP message containing the offer to the offerer's SIP proxy 460 over an integrity protected channel. The proxy SHOULD add an 461 Identity header field according to the procedures outlined in 462 [RFC4474]. The SIP message containing the offer SHOULD be sent to 463 the offerer's SIP proxy over an integrity protected channel. When 464 the far endpoint receives the SIP message, it can verify the identity 465 of the sender using the Identity header field. Since the Identity 466 header field is a digital signature across several SIP header fields, 467 in addition to the body of the SIP message, the receiver can also be 468 certain that the message has not been tampered with after the digital 469 signature was applied and added to the SIP message. 471 The far endpoint (answerer) may now establish a DTLS association with 472 the offerer. Alternately, it can indicate in its answer that the 473 offerer is to initiate the TLS association. In either case, mutual 474 DTLS certificate-based authentication will be used. After completing 475 the DTLS handshake, information about the authenticated identities, 476 including the certificates, are made available to the endpoint 477 application. The answerer is then able to verify that the offerer's 478 certificate used for authentication in the DTLS handshake can be 479 associated to the certificate fingerprint contained in the offer in 480 the SDP. At this point, the answerer may indicate to the end user 481 that the media is secured. The offerer may only tentatively accept 482 the answerer's certificate since it may not yet have the answerer's 483 certificate fingerprint. 485 When the answerer accepts the offer, it provides an answer back to 486 the offerer containing the answerer's certificate fingerprint. At 487 this point, the offerer can accept or reject the peer's certificate 488 and the offerer can indicate to the end user that the media is 489 secured. 491 Note that the entire authentication and key exchange for securing the 492 media traffic is handled in the media path through DTLS. The 493 signaling path is only used to verify the peers' certificate 494 fingerprints. 496 The offer and answer MUST conform to the following requirements. 498 o The endpoint MUST use the setup attribute defined in [RFC4145]. 499 The endpoint that is the offerer MUST use the setup attribute 500 value of setup:actpass and be prepared to receive a client_hello 501 before it receives the answer. The answerer MUST use either a 502 setup attribute value of setup:active or setup:passive. Note that 503 if the answerer uses setup:passive, then the DTLS handshake will 504 not begin until the answerer is received, which adds additional 505 latency. setup:active allows the answer and the DTLS handshake to 506 occur in parallel. Thus, setup:active is RECOMMENDED. Whichever 507 party is active MUST initiate a DTLS handshake by sending a 508 ClientHello over each flow (host/port quartet). 510 o The endpoint MUST NOT use the connection attribute defined in 511 [RFC4145]. 513 o The endpoint MUST use the certificate fingerprint attribute as 514 specified in [RFC4572]. 516 o The certificate presented during the DTLS handshake MUST match the 517 fingerprint exchanged via the signaling path in the SDP. The 518 security properties of this mechanism are described in Section 8. 520 o If the fingerprint does not match the hashed certificate, then the 521 endpoint MUST tear down the media session immediately. Note that 522 it is permissible to wait until the other side's fingerprint has 523 been received before establishing the connection; however, this 524 may have undesirable latency effects. 526 NEW TEXT: 528 5. Establishing a Secure Channel 530 The two endpoints in the exchange present their identities as part of 531 the DTLS handshake procedure using certificates. This document uses 532 certificates in the same style as described in "Connection-Oriented 533 Media Transport over the Transport Layer Security (TLS) Protocol in 534 the Session Description Protocol (SDP)" [RFC4572]. 536 If self-signed certificates are used, the content of the 537 subjectAltName attribute inside the certificate MAY use the uniform 538 resource identifier (URI) of the user. This is useful for debugging 539 purposes only and is not required to bind the certificate to one of 540 the communication endpoints. The integrity of the certificate is 541 ensured through the fingerprint attribute in the SDP. 543 The generation of public/private key pairs is relatively expensive. 544 Endpoints are not required to generate certificates for each session. 546 The offer/answer model, defined in [RFC3264], is used by protocols 547 like the Session Initiation Protocol (SIP) [RFC3261] to set up 548 multimedia sessions. 550 When an endpoint wishes to set up a secure media session with another 551 endpoint, it sends an offer in a SIP message to the other endpoint. 552 This offer includes, as part of the SDP payload, a fingerprint of 553 a certificate that the endpoint wants to use. The endpoint SHOULD 554 send the SIP message containing the offer to the offerer's SIP proxy 555 over an integrity protected channel. The proxy SHOULD add an 556 Identity header field according to the procedures outlined in 557 [RFC4474]. The SIP message containing the offer SHOULD be sent to 558 the offerer's SIP proxy over an integrity protected channel. When 559 the far endpoint receives the SIP message, it can verify the identity 560 of the sender using the Identity header field. Since the Identity 561 header field is a digital signature across several SIP header fields, 562 in addition to the body of the SIP message, the receiver can also be 563 certain that the message has not been tampered with after the digital 564 signature was applied and added to the SIP message. 566 The far endpoint (answerer) may now establish a DTLS association with 567 the offerer. Alternately, it can indicate in its answer that the 568 offerer is to initiate the DTLS association. In either case, mutual 569 DTLS certificate-based authentication will be used. After completing 570 the DTLS handshake, information about the authenticated identities, 571 including the certificates, are made available to the endpoint 572 application. The answerer is then able to verify that the offerer's 573 certificate used for authentication in the DTLS handshake can be 574 associated to the certificate fingerprint contained in the offer in 575 the SDP. At this point, the answerer may indicate to the end user 576 that the media is secured. The offerer may only tentatively accept 577 the answerer's certificate since it may not yet have the answerer's 578 certificate fingerprint. 580 When the answerer accepts the offer, it provides an answer back to 581 the offerer containing the answerer's certificate fingerprint. At 582 this point, the offerer can accept or reject the peer's certificate 583 and the offerer can indicate to the end user that the media is 584 secured. 586 Note that the entire authentication and key exchange for securing the 587 media traffic is handled in the media path through DTLS. The 588 signaling path is only used to verify the peers' certificate 589 fingerprints. 591 The offerer and answerer MUST follow the SDP offer/answer procedures 592 defined in [RFCXXXX]. 594 Update to section 6.6: 595 ---------------------- 597 OLD TEXT: 599 6.6. Session Modification 601 Once an answer is provided to the offerer, either endpoint MAY 602 request a session modification that MAY include an updated offer. 603 This session modification can be carried in either an INVITE or 604 UPDATE request. The peers can reuse the existing associations if 605 they are compatible (i.e., they have the same key fingerprints and 606 transport parameters), or establish a new one following the same 607 rules are for initial exchanges, tearing down the existing 608 association as soon as the offer/answer exchange is completed. Note 609 that if the active/passive status of the endpoints changes, a new 610 connection MUST be established. 612 NEW TEXT: 614 6.6. Session Modification 615 Once an answer is provided to the offerer, either endpoint MAY 616 request a session modification that MAY include an updated offer. 617 This session modification can be carried in either an INVITE or 618 UPDATE request. The peers can reuse an existing DTLS association, 619 or establish a new one, following the procedures in [RFCXXXX]. 621 Update to section 6.7.1: 622 ------------------------ 624 OLD TEXT: 626 6.7.1. ICE Interaction 628 Interactive Connectivity Establishment (ICE), as specified in 629 [RFC5245], provides a methodology of allowing participants in 630 multimedia sessions to verify mutual connectivity. When ICE is being 631 used, the ICE connectivity checks are performed before the DTLS 632 handshake begins. Note that if aggressive nomination mode is used, 633 multiple candidate pairs may be marked valid before ICE finally 634 converges on a single candidate pair. Implementations MUST treat all 635 ICE candidate pairs associated with a single component as part of the 636 same DTLS association. Thus, there will be only one DTLS handshake 637 even if there are multiple valid candidate pairs. Note that this may 638 mean adjusting the endpoint IP addresses if the selected candidate 639 pair shifts, just as if the DTLS packets were an ordinary media 640 stream. 642 Note that Simple Traversal of the UDP Protocol through NAT (STUN) 643 packets are sent directly over UDP, not over DTLS. [RFC5764] 644 describes how to demultiplex STUN packets from DTLS packets and SRTP 645 packets. 647 NEW TEXT: 649 6.7.1. ICE Interaction 651 The Interactive Connectivity Establishment (ICE) [RFC5245] 652 considerations for DTLS-protected media are described in 653 [RFCXXXX]. 655 Note that Simple Traversal of the UDP Protocol through NAT (STUN) 656 packets are sent directly over UDP, not over DTLS. [RFC5764] 657 describes how to demultiplex STUN packets from DTLS packets and SRTP 658 packets. 660 9.3. Update to RFC 7345 662 Update to section 4: 663 -------------------- 665 OLD TEXT: 667 4. SDP Offerer/Answerer Procedures 669 4.1. General 671 An endpoint (i.e., both the offerer and the answerer) MUST create an 672 SDP media description ("m=" line) for each UDPTL-over-DTLS media 673 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 674 "proto" field of the "m=" line. 676 The procedures in this section apply to an "m=" line associated with 677 a UDPTL-over-DTLS media stream. 679 In order to negotiate a UDPTL-over-DTLS media stream, the following 680 SDP attributes are used: 682 o The SDP attributes defined for UDPTL over UDP, as described in 683 [ITU.T38.2010]; and 685 o The SDP attributes, defined in [RFC4145] and [RFC4572], as 686 described in this section. 688 The endpoint MUST NOT use the SDP "connection" attribute [RFC4145]. 690 In order to negotiate the TLS roles for the UDPTL-over-DTLS transport 691 connection, the endpoint MUST use the SDP "setup" attribute 692 [RFC4145]. 694 If the endpoint supports, and is willing to use, a cipher suite with 695 an associated certificate, the endpoint MUST include an SDP 696 "fingerprint" attribute [RFC4572]. The endpoint MUST support SHA-256 697 for generating and verifying the SDP "fingerprint" attribute value. 698 The use of SHA-256 is preferred. UDPTL over DTLS, at a minimum, MUST 699 support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support 700 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer 701 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward 702 Secrecy (PFS) cipher suites over non-PFS cipher suites. 703 Implementations SHOULD disable TLS-level compression. 705 If a cipher suite with an associated certificate is selected during 706 the DTLS handshake, the certificate received during the DTLS 707 handshake MUST match the fingerprint received in the SDP 708 "fingerprint" attribute. If the fingerprint does not match the 709 hashed certificate, then the endpoint MUST tear down the media 710 session immediately. Note that it is permissible to wait until the 711 other side's fingerprint has been received before establishing the 712 connection; however, this may have undesirable latency effects. 714 4.2. Generating the Initial Offer 716 The offerer SHOULD assign the SDP "setup" attribute with a value of 717 "actpass", unless the offerer insists on being either the sender or 718 receiver of the DTLS ClientHello message, in which case the offerer 719 can use either a value of "active" (the offerer will be the sender of 720 ClientHello) or "passive" (the offerer will be the receiver of 721 ClientHello). The offerer MUST NOT assign an SDP "setup" attribute 722 with a "holdconn" value. 724 If the offerer assigns the SDP "setup" attribute with a value of 725 "actpass" or "passive", the offerer MUST be prepared to receive a 726 DTLS ClientHello message before it receives the SDP answer. 728 4.3. Generating the Answer 730 If the answerer accepts the offered UDPTL-over-DTLS transport 731 connection, in the associated SDP answer, the answerer MUST assign an 732 SDP "setup" attribute with a value of either "active" or "passive", 733 according to the procedures in [RFC4145]. The answerer MUST NOT 734 assign an SDP "setup" attribute with a value of "holdconn". 736 If the answerer assigns an SDP "setup" attribute with a value of 737 "active" value, the answerer MUST initiate a DTLS handshake by 738 sending a DTLS ClientHello message on the negotiated media stream, 739 towards the IP address and port of the offerer. 741 4.4. Offerer Processing of the Answer 743 When the offerer receives an SDP answer, if the offerer ends up being 744 active it MUST initiate a DTLS handshake by sending a DTLS 745 ClientHello message on the negotiated media stream, towards the IP 746 address and port of the answerer. 748 4.5. Modifying the Session 750 Once an offer/answer exchange has been completed, either endpoint MAY 751 send a new offer in order to modify the session. The endpoints can 752 reuse the existing DTLS association if the key fingerprint values and 753 transport parameters indicated by each endpoint are unchanged. 754 Otherwise, following the rules for the initial offer/answer exchange, 755 the endpoints can negotiate and create a new DTLS association and, 756 once created, delete the previous DTLS association, following the 757 same rules for the initial offer/answer exchange. Each endpoint 758 needs to be prepared to receive data on both the new and old DTLS 759 associations as long as both are alive. 761 NEW TEXT: 763 4. SDP Offerer/Answerer Procedures 765 An endpoint (i.e., both the offerer and the answerer) MUST create an 766 SDP media description ("m=" line) for each UDPTL-over-DTLS media 767 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 768 "proto" field of the "m=" line. 770 The offerer and answerer MUST follow the SDP offer/answer procedures 771 defined in [RFCXXXX] in order to negotiate the DTLS association 772 associated with the UDPTL-over-DTLS media stream. In addition, 773 the offerer and answerer MUST use the SDP attributes defined for 774 UDPTL over UDP, as defined in [ITU.T38.2010]. 776 Update to section 5.2.1: 777 ------------------------ 779 OLD TEXT: 781 5.2.1. ICE Usage 783 When Interactive Connectivity Establishment (ICE) [RFC5245] is being 784 used, the ICE connectivity checks are performed before the DTLS 785 handshake begins. Note that if aggressive nomination mode is used, 786 multiple candidate pairs may be marked valid before ICE finally 787 converges on a single candidate pair. User Agents (UAs) MUST treat 788 all ICE candidate pairs associated with a single component as part of 789 the same DTLS association. Thus, there will be only one DTLS 790 handshake even if there are multiple valid candidate pairs. Note 791 that this may mean adjusting the endpoint IP addresses if the 792 selected candidate pair shifts, just as if the DTLS packets were an 793 ordinary media stream. In the case of an ICE restart, the DTLS 794 handshake procedure is repeated, and a new DTLS association is 795 created. Once the DTLS handshake is completed and the new DTLS 796 association has been created, the previous DTLS association is 797 deleted. 799 NEW TEXT: 801 5.2.1. ICE Usage 803 The Interactive Connectivity Establishment (ICE) [RFC5245] 804 considerations for DTLS-protected media are described in 805 [RFCXXXX]. 807 10. Security Considerations 809 This specification does not modify the security considerations 810 associated with DTLS, or the SDP offer/answer mechanism. In addition 811 to the introduction of the SDP 'dtls-connection' attribute, the 812 specification simply clarifies the procedures for negotiating and 813 establishing a DTLS association. 815 11. IANA Considerations 817 This document updates the "Session Description Protocol Parameters" 818 registry as specified in Section 8.2.2 of [RFC4566]. Specifically, 819 it adds the SDP dtls-connection attribute to the table for SDP media 820 level attributes. 822 Attribute name: dtls-connection 823 Type of attribute: media-level 824 Subject to charset: no 825 Purpose: Indicate whether a new DTLS association is to be established/re-established. 826 Appropriate Values: see Section 4 827 Contact name: Christer Holmberg 828 Category: IDENTICAL 830 12. Acknowledgements 832 Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat, Jens Guballa, 833 Charles Eckel and Gonzalo Salgueiro for providing comments and 834 suggestions on the draft. 836 13. Change Log 838 [RFC EDITOR NOTE: Please remove this section when publishing] 840 Changes from draft-ietf-mmusic-sdp-dtls-08 842 o Offer/Answer section modified in order to allow sending of 843 multiple SDP 'fingerprint' attributes. 845 o Terminology made consistent: 'DTLS connection' replaced with 'DTLS 846 association'. 848 o Editorial changes based on comments from Paul Kyzivat. 850 Changes from draft-ietf-mmusic-sdp-dtls-07 852 o Reference to RFC 7315 replaced with reference to RFC 7345. 854 Changes from draft-ietf-mmusic-sdp-dtls-06 856 o Text on restrictions regarding spanning a DTLS association over 857 multiple transports added. 859 o Mux category added to IANA Considerations. 861 o Normative text regarding mux category and source-specific 862 applicability added. 864 o Reference to RFC 7315 added. 866 o Clarified that offerer/answerer that has not been updated to 867 support this specification will not include the dtls-connection 868 attribute in offers and answers. 870 o Editorial corrections based on WGLC comments from Charles Eckel. 872 Changes from draft-ietf-mmusic-sdp-dtls-05 874 o Text on handling offer/answer error conditions added. 876 Changes from draft-ietf-mmusic-sdp-dtls-04 878 o Editorial nits fixed based on comments from Paul Kyzivat: 880 Changes from draft-ietf-mmusic-sdp-dtls-03 882 o Changes based on comments from Paul Kyzivat: 884 o - Modification of dtls-connection attribute section. 886 o - Removal of IANA considerations subsection. 888 o - Making note into normative text in o/a section. 890 o Changes based on comments from Martin Thompson: 892 o - Abbreviations section removed. 894 o - Clarify that a new DTLS association requires a new o/a 895 transaction. 897 Changes from draft-ietf-mmusic-sdp-dtls-02 899 o - Updated RFCs added to boilerplate. 901 Changes from draft-ietf-mmusic-sdp-dtls-01 903 o - Annex regarding 'dtls-connection-id' attribute removed. 905 o - Additional SDP offer/answer procedures, related to certificates, 906 added. 908 o - Updates to RFC 5763 and RFC 7345 added. 910 o - Transport protocol considerations added. 912 Changes from draft-ietf-mmusic-sdp-dtls-00 914 o - SDP 'connection' attribute replaced with new 'dtls-connection' 915 attribute. 917 o - IANA Considerations added. 919 o - E-mail regarding 'dtls-connection-id' attribute added as Annex. 921 Changes from draft-holmberg-mmusic-sdp-dtls-01 923 o - draft-ietf-mmusic version of draft submitted. 925 o - Draft file name change (sdp-dtls -> dtls-sdp) due to collision 926 with another expired draft. 928 o - Clarify that if ufrag in offer is unchanged, it must be 929 unchanged in associated answer. 931 o - SIP Considerations section added. 933 o - Section about multiple SDP fingerprint attributes added. 935 Changes from draft-holmberg-mmusic-sdp-dtls-00 937 o - Editorial changes and clarifications. 939 14. References 941 14.1. Normative References 943 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 944 Requirement Levels", BCP 14, RFC 2119, 945 DOI 10.17487/RFC2119, March 1997, 946 . 948 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 949 A., Peterson, J., Sparks, R., Handley, M., and E. 950 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 951 DOI 10.17487/RFC3261, June 2002, 952 . 954 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 955 with Session Description Protocol (SDP)", RFC 3264, 956 DOI 10.17487/RFC3264, June 2002, 957 . 959 [RFC4145] Yon, D. and G. Camarillo, "TCP-Based Media Transport in 960 the Session Description Protocol (SDP)", RFC 4145, 961 DOI 10.17487/RFC4145, September 2005, 962 . 964 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 965 Description Protocol", RFC 4566, DOI 10.17487/RFC4566, 966 July 2006, . 968 [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the 969 Transport Layer Security (TLS) Protocol in the Session 970 Description Protocol (SDP)", RFC 4572, 971 DOI 10.17487/RFC4572, July 2006, 972 . 974 [RFC5234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax 975 Specifications: ABNF", STD 68, RFC 5234, 976 DOI 10.17487/RFC5234, January 2008, 977 . 979 [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment 980 (ICE): A Protocol for Network Address Translator (NAT) 981 Traversal for Offer/Answer Protocols", RFC 5245, 982 DOI 10.17487/RFC5245, April 2010, 983 . 985 [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework 986 for Establishing a Secure Real-time Transport Protocol 987 (SRTP) Security Context Using Datagram Transport Layer 988 Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 989 2010, . 991 [RFC7345] Holmberg, C., Sedlacek, I., and G. Salgueiro, "UDP 992 Transport Layer (UDPTL) over Datagram Transport Layer 993 Security (DTLS)", RFC 7345, DOI 10.17487/RFC7345, August 994 2014, . 996 14.2. Informative References 998 [RFC5576] Lennox, J., Ott, J., and T. Schierl, "Source-Specific 999 Media Attributes in the Session Description Protocol 1000 (SDP)", RFC 5576, DOI 10.17487/RFC5576, June 2009, 1001 . 1003 [RFC6083] Tuexen, M., Seggelmann, R., and E. Rescorla, "Datagram 1004 Transport Layer Security (DTLS) for Stream Control 1005 Transmission Protocol (SCTP)", RFC 6083, 1006 DOI 10.17487/RFC6083, January 2011, 1007 . 1009 [I-D.ietf-mmusic-sdp-mux-attributes] 1010 Nandakumar, S., "A Framework for SDP Attributes when 1011 Multiplexing", draft-ietf-mmusic-sdp-mux-attributes-12 1012 (work in progress), January 2016. 1014 [I-D.ietf-mmusic-sdp-bundle-negotiation] 1015 Holmberg, C., Alvestrand, H., and C. Jennings, 1016 "Negotiating Media Multiplexing Using the Session 1017 Description Protocol (SDP)", draft-ietf-mmusic-sdp-bundle- 1018 negotiation-25 (work in progress), January 2016. 1020 Authors' Addresses 1022 Christer Holmberg 1023 Ericsson 1024 Hirsalantie 11 1025 Jorvas 02420 1026 Finland 1028 Email: christer.holmberg@ericsson.com 1029 Roman Shpount 1030 TurboBridge 1031 4905 Del Ray Avenue, Suite 300 1032 Bethesda, MD 20814 1033 USA 1035 Phone: +1 (240) 292-6632 1036 Email: rshpount@turbobridge.com