idnits 2.17.1 draft-ietf-mmusic-dtls-sdp-15.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC5763, updated by this document, for RFC5378 checks: 2007-11-12) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (October 31, 2016) is 2726 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFC4474' is mentioned on line 648, but not defined ** Obsolete undefined reference: RFC 4474 (Obsoleted by RFC 8224) == Missing Reference: 'RFCXXXX' is mentioned on line 892, but not defined == Missing Reference: 'RFC5245' is mentioned on line 890, but not defined ** Obsolete undefined reference: RFC 5245 (Obsoleted by RFC 8445, RFC 8839) == Missing Reference: 'ITU.T38.2010' is mentioned on line 861, but not defined ** Obsolete normative reference: RFC 4566 (Obsoleted by RFC 8866) ** Obsolete normative reference: RFC 4572 (Obsoleted by RFC 8122) == Outdated reference: A later version (-13) exists of draft-ietf-mmusic-4572-update-07 == Outdated reference: A later version (-20) exists of draft-ietf-ice-rfc5245bis-04 == Outdated reference: A later version (-19) exists of draft-ietf-mmusic-sdp-mux-attributes-14 == Outdated reference: A later version (-54) exists of draft-ietf-mmusic-sdp-bundle-negotiation-36 Summary: 4 errors (**), 0 flaws (~~), 9 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Holmberg 3 Internet-Draft Ericsson 4 Updates: 5763,7345 (if approved) R. Shpount 5 Intended status: Standards Track TurboBridge 6 Expires: May 4, 2017 October 31, 2016 8 Using the SDP Offer/Answer Mechanism for DTLS 9 draft-ietf-mmusic-dtls-sdp-15.txt 11 Abstract 13 This document defines the SDP offer/answer procedures for negotiating 14 and establishing a DTLS association. The document also defines the 15 criteria for when a new DTLS association must be established. The 16 document updates RFC 5763 and RFC 7345, by replacing common SDP 17 offer/answer procedures with a reference to this specification. 19 This document defines a new SDP media-level attribute, 'dtls-id'. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on May 4, 2017. 38 Copyright Notice 40 Copyright (c) 2016 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Establishing a new DTLS Association . . . . . . . . . . . . . 3 58 3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3.2. Change of Local Transport Parameters . . . . . . . . . . 4 60 3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4 61 4. SDP dtls-id Attribute . . . . . . . . . . . . . . . . . . . . 4 62 5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 6 63 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6 64 5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 8 65 5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 8 66 5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 9 67 5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 10 68 6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 10 69 7. Transport Protocol Considerations . . . . . . . . . . . . . . 11 70 7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 11 71 8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 11 72 9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 12 73 9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 12 74 9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 12 75 9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 17 76 10. Security Considerations . . . . . . . . . . . . . . . . . . . 20 77 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 78 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 79 13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 20 80 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 81 14.1. Normative References . . . . . . . . . . . . . . . . . . 23 82 14.2. Informative References . . . . . . . . . . . . . . . . . 24 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 85 1. Introduction 87 [RFC5763] defines SDP Offer/Answer procedures for SRTP-DTLS. 88 [RFC7345] defines SDP offer/answer procedures for UDPTL-DTLS. This 89 specification defines general offer/answer procedures for DTLS, based 90 on the procedures in [RFC5763]. Other specifications, defining 91 specific DTLS usages, can then reference this specification, in order 92 to ensure that the DTLS aspects are common among all usages. Having 93 common procedures is essential when multiple usages share the same 94 DTLS association [I-D.ietf-mmusic-sdp-bundle-negotiation]. The 95 document updates [RFC5763] and [RFC7345], by replacing common SDP 96 offer/answer procedures with a reference to this specification. 98 As defined in [RFC5763], a new DTLS association MUST be established 99 when transport parameters are changed. Transport parameter change is 100 not well defined when Interactive Connectivity Establishment (ICE) 101 [I-D.ietf-ice-rfc5245bis] is used. One possible way to determine a 102 transport change is based on ufrag change, but the ufrag value is 103 changed both when ICE is negotiated and when ICE restart 104 [I-D.ietf-ice-rfc5245bis] occurs. These events do not always require 105 a new DTLS association to be established, but currently there is no 106 way to explicitly indicate in an SDP offer or answer whether a new 107 DTLS association is required. To solve that problem, this document 108 defines a new SDP attribute, 'dtls-id'. The 'dtls-id' attribute pair 109 in combination with 'fingerprint' attribute values from offer and 110 answer SDP uniquely identifies the DTLS association. Providing a new 111 value of 'dtls-id' attribute in SDP offer or answers can be used to 112 indicate whether a new DTLS association is to be established. 114 2. Conventions 116 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 117 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 118 document are to be interpreted as described in [RFC2119]. 120 3. Establishing a new DTLS Association 122 3.1. General 124 A new DTLS association MUST be established after a successfull SDP 125 offer/answer transaction in the following cases:: 127 o The negotiated DTLS setup roles change; or 129 o One or more fingerprint values are modified, added or removed in 130 either an SDP offer or answer; or 132 o The intent to establish a new DTLS association is explicitly 133 signaled by changing the value of the SDP 'dtls-id' attribute 134 defined in this document; 136 NOTE: The first two items list above are based on the procedures in 137 [RFC5763]. This specification adds the support for explicit 138 signaling using the SDP 'dtls-id' attribute. 140 A new DTLS association can only established as a result of the 141 successful SDP offer/answer transaction. Whenever an entity 142 determines that a new DTLS association is required, the entity MUST 143 initiate an SDP offer/answer transaction, following the procedures in 144 Section 5. 146 The sections below describe typical cases where a new DTLS 147 association needs to be established. 149 3.2. Change of Local Transport Parameters 151 If an endpoint modifies its local transport parameters (address and/ 152 or port), and if the modification requires a new DTLS association, 153 the endpoint MUST change its set of fingerprints and SDP 'dtls-id' 154 attribute so that together they represent a new unique set of values 155 Section 4. 157 If the underlying transport explicitly prohibits a DTLS association 158 to span multiple transports, and if the transport is changed, the 159 endpoint MUST change its set of fingerprints and SDP 'dtls-id' 160 attribute so that together they represent a new unique set of values 161 Section 4. An example of such case is when DTLS is carried over 162 SCTP, as described in [RFC6083]. 164 3.3. Change of ICE ufrag value 166 If an endpoint uses ICE, and modifies a local ufrag value, and if the 167 modification requires a new DTLS association, the endpoint MUST 168 change its set of fingerprints and SDP 'dtls-id' attribute so that 169 together they represent a new unique set of values Section 4. 171 4. SDP dtls-id Attribute 173 The 'dtls-id' attribute pair in combination with 'fingerprint' 174 attribute values from offer and answer SDP uniquely identifies the 175 DTLS association. 177 Name: dtls-id 179 Value: dtls-id-value 181 Usage Level: media 183 Charset Dependent: no 185 Default Value: empty value 187 Syntax: 189 dtls-id-value = 0*256 191 Example: 193 a=dtls-id:abc3dl 195 Every time end point requests to establish a new DTLS association 196 using the same set of fingerprints, a new unique value of 'dtls-id' 197 attribute is allocated. A combination of the previously used 'dtls- 198 id' attribute in combination with the same fingerprint set indicates 199 an intention to reuse the existing association. 201 The default value for the SDP 'dtls-id' attribute is an empty value. 202 Implementations that wish to use the attribute MUST explicitly 203 include it in SDP offers and answers. If an offer or answer does not 204 contain an attribute (this could happen if the offerer or answerer 205 represents an existing implementation that has not been updated to 206 support the attribute defined in this specification or an 207 implementation which allocates a new temporary certificate for each 208 association and uses change in fingerprint to indicate new 209 association), it should be treated as if 'dtls-id' attribute with an 210 empty value value were included in SDP and procedures defined in this 211 specification should be used to determine if new DTLS association 212 should be established. 214 The mux category [I-D.ietf-mmusic-sdp-mux-attributes] for the 'dtls- 215 id' attribute is 'IDENTICAL', which means that the attribute value 216 must be identical across all media descriptions being multiplexed 217 [I-D.ietf-mmusic-sdp-bundle-negotiation]. 219 For RTP-based media, the 'dtls-id' attribute apply to whole 220 associated media description. The attribute MUST NOT be defined per 221 source (using the SDP 'ssrc' attribute [RFC5576]). 223 The SDP offer/answer [RFC3264] procedures associated with the 224 attribute are defined in Section 5 226 5. SDP Offer/Answer Procedures 228 5.1. General 230 This section defines the generic SDP offer/answer procedures for 231 negotiating a DTLS association. Additional procedures (e.g., 232 regarding usage of specific SDP attributes etc) for individual DTLS 233 usages (e.g., SRTP-DTLS) are outside the scope of this specification, 234 and need to be specified in a usage specific specification. 236 NOTE: The procedures in this section are generalizations of 237 procedures first specified in SRTP-DTLS [RFC5763], with the addition 238 of usage of the SDP 'dtls-id' attribute. That document is herein 239 updated to make use of these new procedures. 241 The procedures in this section apply to an SDP media description 242 ("m=" line) associated with DTLS-protected media/data. 244 When an offerer or answerer indicates that it wants to establish a 245 new DTLS association, it needs to make sure that media packets in the 246 existing DTLS association and new DTLS association can be de- 247 multiplexed. In case of ordered transport (e.g., SCTP) this can be 248 done simply by sending packets for new DTLS association after all 249 packets for existing DTLS association have been sent. In case of 250 unordered transport, such as UDP, packets for the old DTLS 251 association can arrive after the answer SDP was received and after 252 first packets for the new DTLS association were received. The only 253 way to de-multiplex packets belonging to old and new DTLS association 254 is on the basis of transport 5-tuple. Because of this, if unordered 255 transport is used for DTLS association, new transport (3-tuple) MUST 256 be allocated by at least on the end points so that DTLS packets can 257 be de-multiplexed. 259 When an offerer needs to establish a new DTLS association, and if an 260 unordered transport (e.g., UDP) is used, the offerer MUST allocate a 261 new transport (3-tuple) for the offer in such a way that the offerer 262 can disambiguate any packets associated with the new DTLS association 263 from any packets associated with any other DTLS association. This 264 typically means using a local address and/or port, or a set of ICE 265 candidates (see Section 6), which were not recently used for any 266 other DTLS association. 268 When an answerer needs to establish a new DTLS association, if an 269 unordered transport is used, and if the offerer did not allocate a 270 new transport, the answerer MUST allocate a new transport for the 271 offer in answer a way that it can disambiguate any packets associated 272 with new DTLS association from any packets associated with any other 273 DTLS association. This typically means using a local address and/or 274 port, or a set of ICE candidates (see Section 6), which were not 275 recently used for any other DTLS association. 277 In order to negotiate a DTLS association, the following SDP 278 attributes are used: 280 o The SDP 'setup' attribute, defined in [RFC4145], is used to 281 negotiate the DTLS roles; 283 o The SDP 'fingerprint' attribute, defined in [RFC4572], is used to 284 provide a fingerprint values; and 286 o The SDP 'dtls-id' attribute, defined in this specification, which, 287 if fingerprints are reused, can be assigned a new value to 288 explicitly indicate the intention to establishing a new DTLS 289 association. 291 This specification does not define the usage of the SDP 'connection' 292 attribute [RFC4145] for negotiating a DTLS connection. However, the 293 attribute MAY be used if the DTLS association is used together with 294 another protocol (e.g., SCTP or TCP) for which the usage of the 295 attribute has been defined. 297 Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP 298 'setup' attribute 'holdconn' value when negotiating a DTLS 299 association. 301 Endpoints MUST support SHA-256 for generating and verifying any 302 fingerprint value associated with the DTLS association. The use of 303 SHA-256 is preferred. 305 Endpoints MUST, at a minimum, support 306 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support 307 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer 308 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward 309 Secrecy (PFS) cipher suites over non-PFS cipher suites. 310 Implementations SHOULD disable TLS-level compression. 312 The certificate received during the DTLS handshake MUST match the 313 certificate fingerprints received in SDP 'fingerprint' attributes 314 according to procedures defined in [I-D.ietf-mmusic-4572-update]. If 315 fingerprints do not match the hashed certificate, then an endpoint 316 MUST tear down the media session immediately. Note that it is 317 permissible to wait until the other side's fingerprint has been 318 received before establishing the connection; however, this may have 319 undesirable latency effects. 321 SDP offerers and answerers might reuse certificates across multiple 322 DTLS associations, and provide identical fingerprint values for each 323 DTLS association. It MUST be ensured that the combination of the 324 fingerprint values and the SDP 'dtls-id' attribute value is unique 325 across all DTLS associations. 327 If an SDP offerer or answerer generates a new temporary self-signed 328 certificate for each new DTLS association, they can omit the SDP 329 'dtls-id' attribute. 331 5.2. Generating the Initial SDP Offer 333 When an offerer sends the initial offer, the offerer MUST insert an 334 SDP 'setup' attribute according to the procedures in [RFC4145], and 335 one or more SDP 'fingerprint' attributes according to the procedures 336 in [RFC4572] and [I-D.ietf-mmusic-4572-update]. In addition, the 337 offerer MUST insert in the offer an SDP 'dtls-id' attribute with a 338 unique value for the offer fingerprint set. If the fingerprint set 339 is not unique due the certificate reuse across multiple SDP sessions 340 or endpoints, the 'dtls-id' attribute value MUST be generated in a 341 way that guarantees uniqueness across all current DTLS association 342 established using this fingerprint set, including DTLS association 343 established by other SDP sessions or other endpoints. 345 If the offerer inserts the SDP 'setup' attribute with an 'actpass' or 346 'passive' attribute value, the offerer MUST be prepared to receive a 347 DTLS ClientHello message (if a new DTLS association is established by 348 the answerer) from the answerer before the offerer receives the SDP 349 answer. 351 5.3. Generating the Answer 353 When an answerer sends an answer, the answerer MUST insert in the 354 answer an SDP 'setup' attribute according to the procedures in 355 [RFC4145], and one or more SDP 'fingerprint' attributes according to 356 the procedures in [RFC4572] and [I-D.ietf-mmusic-4572-update]. If 357 the answerer determines, based on the criteria specified in 358 Section 3.1, that a new DTLS association is to be established, the 359 answerer MUST insert in the associated answer an SDP 'dtls-id' 360 attribute with a unique value for the answer fingerprint set. If the 361 fingerprint set is not unique due the certificate reuse across 362 multiple SDP sessions or endpoints, 'dtls-id' value MUST be generated 363 in a way that guarantees uniqueness across all current DTLS 364 association established using this fingerprint set, including DTLS 365 association established by other SDP sessions or other endpoints. 367 If the answerer receives an offer that requires establishing a new 368 DTLS association, and if the answerer does not accept the 369 establishment of a new DTLS association, the answerer MUST reject the 370 "m=" lines associated with the suggested DTLS association [RFC3264]. 372 If an answerer receives an offer that does not require to establish a 373 new DTLS association, and if the answerer determines that a new DTLS 374 association is not to be established, the answerer MUST insert an SDP 375 'dtls-id' attribute with the previously assigned value in the 376 associated answer. In addition, the answerer MUST insert an SDP 377 'setup' attribute with a value that does not change the previously 378 negotiated DTLS roles, and one or more SDP 'fingerprint' attributes 379 values that do not change the previously sent fingerprints, in the 380 answer. 382 If the answerer receives an offer that does not contain an SDP 'dtls- 383 id' attribute, the answerer MUST NOT insert a 'dtls-id' attribute in 384 the answer. 386 If a new DTLS association is to be established, and if the answerer 387 inserts an SDP 'setup' attribute with an 'active' value in the 388 answer, the answerer MUST initiate a DTLS handshake by sending a DTLS 389 ClientHello message towards the offerer. 391 5.4. Offerer Processing of the SDP Answer 393 When an offerer receives an answer that establishes a new DTLS 394 association based on criteria defined in Section 3.1, and if the 395 offerer becomes DTLS client (based on the value of the SDP 'setup' 396 attribute value [RFC4145]), the offerer MUST establish a DTLS 397 association. If the offerer becomes DTLS server, it MUST wait for 398 the answerer to establish the DTLS association. 400 If the answer does not establish a new DTLS association, the offerer 401 will continue using the previously established DTLS association. 403 NOTE: New DTLS association can be established based on changes in 404 either offer or answer SDP. When communicating with legacy end 405 points, offerer can receive the answer that uses the same fingerprint 406 values and negotiate the same setup roles. The new DTLS association 407 MUST still be established if such an answer was received as a 408 response to an offer which requested to establish a new DTLS 409 association. 411 5.5. Modifying the Session 413 When the offerer sends a subsequent offer, and if the offerer wants 414 to establish a new DTLS association, the offerer MUST insert an SDP 415 'setup' attribute according to the procedures in [RFC4145], and one 416 or more SDP 'fingerprint' attributes according to the procedures in 417 [RFC4572] and [I-D.ietf-mmusic-4572-update]. In addition, offerer 418 MUST insert in the offer an SDP 'dtls-id' attribute with a new unique 419 value for the offer fingerprint set. If the fingerprint set is not 420 unique due the certificate reuse across multiple SDP sessions or 421 endpoints, the 'dtls-id' attribute value MUST be generated in a way 422 that guarantees uniqueness across all current DTLS association 423 established using this fingerprint set, including DTLS association 424 established by other SDP sessions or other endpoints. 426 When the offerer sends a subsequent offer, and the offerer does not 427 want to establish a new DTLS association, and if a previously 428 established DTLS association exists, the offerer MUST insert an SDP 429 'dtls-id' attribute with the previously assigned value in the offer. 430 In addition, the offerer MUST insert an SDP 'setup' attribute with a 431 value that does not change the previously negotiated DTLS roles, and 432 one or more SDP 'fingerprint' attributes with values that do not 433 change the previously sent fingerprints, in the offer. 435 NOTE: When a new DTLS association is being established, each endpoint 436 needs to be prepared to receive data on both the new and old DTLS 437 associations as long as both are alive. 439 6. ICE Considerations 441 When the Interactive Connectivity Establishment (ICE) mechansim 442 [I-D.ietf-ice-rfc5245bis] is used, the ICE connectivity checks are 443 performed before the DTLS handshake begins. Note that if aggressive 444 nomination mode is used, multiple candidate pairs may be marked valid 445 before ICE finally converges on a single candidate pair. 447 NOTE: Aggressive nomination has been deprecated from ICE, but must 448 still be supported for backwards compatibility reasons. 450 When new DTLS association is established over an unordered transport, 451 in order to disambiguate any packets associated with the newly 452 established DTLS association, at least one of the endpoints MUST 453 allocate a completely new set of ICE candidates which were not 454 recently used for any other DTLS association. This means the 455 answerer cannot initiate a new DTLS association unless the offerer 456 initiated ICE restart [I-D.ietf-ice-rfc5245bis]. If the answerer 457 wants to initiate a new DTLS association, it needs to initiate an ICE 458 restart and a new offer/answer exchange on its own. However, an ICE 459 restart does not by default require a new DTLS association to be 460 established. 462 NOTE: Simple Traversal of the UDP Protocol through NAT (STUN) packets 463 are sent directly over UDP, not over DTLS. [RFC5764] describes how 464 to demultiplex STUN packets from DTLS packets and SRTP packets. 466 Each ICE candidate associated with a component is treated as being 467 part of the same DTLS association. Therefore, from a DTLS 468 perspective it is not considered a change of local transport 469 parameters when an endpoint switches between those ICE candidates. 471 7. Transport Protocol Considerations 473 7.1. Transport Re-Usage 475 If DTLS is transported on top of a connection-oriented transport 476 protocol (e.g., TCP or SCTP), where all IP packets are acknowledged, 477 all DTLS packets associated with a previous DTLS association MUST be 478 acknowledged (or timed out) before a new DTLS association can be 479 established on the same transport. 481 8. SIP Considerations 483 When the Session Initiation Protocol (SIP) [RFC3261] is used as the 484 signal protocol for establishing a multimedia session, dialogs 485 [RFC3261] might be established between the caller and multiple 486 callees. This is referred to as forking. If forking occurs, 487 separate DTLS associations MUST be established between the caller and 488 each callee. 490 It is possible to send an INVITE request which does not contain an 491 SDP offer. Such an INVITE request is often referred to as an 'empty 492 INVITE', or an 'offer-less INVITE'. The receiving endpoint will 493 include the SDP offer in a response to the request. When the 494 endpoint generates such SDP offer, if a previously established DTLS 495 association exists, the offerer SHOULD insert an SDP 'dtls-id' 496 attribute, and one or more SDP 'fingerprint' attributes, with 497 previously assigned attribute values. If a previously established 498 DTLS association did not exists, the offer SHOULD be generated based 499 on the same rules as a new offer Section 5.2. Regardless of the 500 previous existence of a DTLS association, the SDP 'setup' attribute 501 MUST be included according to the rules defined in [RFC4145] and if 502 ICE is used, ICE restart MUST be initiated. 504 9. RFC Updates 506 9.1. General 508 This section updates specifications that use DTLS-protected media, in 509 order to reflect the procedures defined in this specification. 511 9.2. Update to RFC 5763 513 Update to section 5: 514 -------------------- 516 OLD TEXT: 518 5. Establishing a Secure Channel 520 The two endpoints in the exchange present their identities as part of 521 the DTLS handshake procedure using certificates. This document uses 522 certificates in the same style as described in "Connection-Oriented 523 Media Transport over the Transport Layer Security (TLS) Protocol in 524 the Session Description Protocol (SDP)" [RFC4572]. 526 If self-signed certificates are used, the content of the 527 subjectAltName attribute inside the certificate MAY use the uniform 528 resource identifier (URI) of the user. This is useful for debugging 529 purposes only and is not required to bind the certificate to one of 530 the communication endpoints. The integrity of the certificate is 531 ensured through the fingerprint attribute in the SDP. The 532 subjectAltName is not an important component of the certificate 533 verification. 535 The generation of public/private key pairs is relatively expensive. 536 Endpoints are not required to generate certificates for each session. 538 The offer/answer model, defined in [RFC3264], is used by protocols 539 like the Session Initiation Protocol (SIP) [RFC3261] to set up 540 multimedia sessions. In addition to the usual contents of an SDP 541 [RFC4566] message, each media description ("m=" line and associated 542 parameters) will also contain several attributes as specified in 543 [RFC5764], [RFC4145], and [RFC4572]. 545 When an endpoint wishes to set up a secure media session with another 546 endpoint, it sends an offer in a SIP message to the other endpoint. 547 This offer includes, as part of the SDP payload, the fingerprint of 548 the certificate that the endpoint wants to use. The endpoint SHOULD 549 send the SIP message containing the offer to the offerer's SIP proxy 550 over an integrity protected channel. The proxy SHOULD add an 551 Identity header field according to the procedures outlined in 552 [RFC4474]. The SIP message containing the offer SHOULD be sent to 553 the offerer's SIP proxy over an integrity protected channel. When 554 the far endpoint receives the SIP message, it can verify the identity 555 of the sender using the Identity header field. Since the Identity 556 header field is a digital signature across several SIP header fields, 557 in addition to the body of the SIP message, the receiver can also be 558 certain that the message has not been tampered with after the digital 559 signature was applied and added to the SIP message. 561 The far endpoint (answerer) may now establish a DTLS association with 562 the offerer. Alternately, it can indicate in its answer that the 563 offerer is to initiate the TLS association. In either case, mutual 564 DTLS certificate-based authentication will be used. After completing 565 the DTLS handshake, information about the authenticated identities, 566 including the certificates, are made available to the endpoint 567 application. The answerer is then able to verify that the offerer's 568 certificate used for authentication in the DTLS handshake can be 569 associated to the certificate fingerprint contained in the offer in 570 the SDP. At this point, the answerer may indicate to the end user 571 that the media is secured. The offerer may only tentatively accept 572 the answerer's certificate since it may not yet have the answerer's 573 certificate fingerprint. 575 When the answerer accepts the offer, it provides an answer back to 576 the offerer containing the answerer's certificate fingerprint. At 577 this point, the offerer can accept or reject the peer's certificate 578 and the offerer can indicate to the end user that the media is 579 secured. 581 Note that the entire authentication and key exchange for securing the 582 media traffic is handled in the media path through DTLS. The 583 signaling path is only used to verify the peers' certificate 584 fingerprints. 586 The offer and answer MUST conform to the following requirements. 588 o The endpoint MUST use the setup attribute defined in [RFC4145]. 589 The endpoint that is the offerer MUST use the setup attribute 590 value of setup:actpass and be prepared to receive a client_hello 591 before it receives the answer. The answerer MUST use either a 592 setup attribute value of setup:active or setup:passive. Note that 593 if the answerer uses setup:passive, then the DTLS handshake will 594 not begin until the answerer is received, which adds additional 595 latency. setup:active allows the answer and the DTLS handshake to 596 occur in parallel. Thus, setup:active is RECOMMENDED. Whichever 597 party is active MUST initiate a DTLS handshake by sending a 598 ClientHello over each flow (host/port quartet). 600 o The endpoint MUST NOT use the connection attribute defined in 601 [RFC4145]. 603 o The endpoint MUST use the certificate fingerprint attribute as 604 specified in [RFC4572]. 606 o The certificate presented during the DTLS handshake MUST match the 607 fingerprint exchanged via the signaling path in the SDP. The 608 security properties of this mechanism are described in Section 8. 610 o If the fingerprint does not match the hashed certificate, then the 611 endpoint MUST tear down the media session immediately. Note that 612 it is permissible to wait until the other side's fingerprint has 613 been received before establishing the connection; however, this 614 may have undesirable latency effects. 616 NEW TEXT: 618 5. Establishing a Secure Channel 620 The two endpoints in the exchange present their identities as part of 621 the DTLS handshake procedure using certificates. This document uses 622 certificates in the same style as described in "Connection-Oriented 623 Media Transport over the Transport Layer Security (TLS) Protocol in 624 the Session Description Protocol (SDP)" [RFC4572]. 626 If self-signed certificates are used, the content of the 627 subjectAltName attribute inside the certificate MAY use the uniform 628 resource identifier (URI) of the user. This is useful for debugging 629 purposes only and is not required to bind the certificate to one of 630 the communication endpoints. The integrity of the certificate is 631 ensured through the fingerprint attribute in the SDP. 633 The generation of public/private key pairs is relatively expensive. 634 Endpoints are not required to generate certificates for each session. 636 The offer/answer model, defined in [RFC3264], is used by protocols 637 like the Session Initiation Protocol (SIP) [RFC3261] to set up 638 multimedia sessions. 640 When an endpoint wishes to set up a secure media session with another 641 endpoint, it sends an offer in a SIP message to the other endpoint. 642 This offer includes, as part of the SDP payload, a fingerprint of 643 a certificate that the endpoint wants to use. The endpoint SHOULD 644 send the SIP message containing the offer to the offerer's SIP proxy 645 over an integrity protected channel. The proxy SHOULD add an 646 Identity header field according to the procedures outlined in 648 [RFC4474]. The SIP message containing the offer SHOULD be sent to 649 the offerer's SIP proxy over an integrity protected channel. When 650 the far endpoint receives the SIP message, it can verify the identity 651 of the sender using the Identity header field. Since the Identity 652 header field is a digital signature across several SIP header fields, 653 in addition to the body of the SIP message, the receiver can also be 654 certain that the message has not been tampered with after the digital 655 signature was applied and added to the SIP message. 657 The far endpoint (answerer) may now establish a DTLS association with 658 the offerer. Alternately, it can indicate in its answer that the 659 offerer is to initiate the DTLS association. In either case, mutual 660 DTLS certificate-based authentication will be used. After completing 661 the DTLS handshake, information about the authenticated identities, 662 including the certificates, are made available to the endpoint 663 application. The answerer is then able to verify that the offerer's 664 certificate used for authentication in the DTLS handshake can be 665 associated to the certificate fingerprint contained in the offer in 666 the SDP. At this point, the answerer may indicate to the end user 667 that the media is secured. The offerer may only tentatively accept 668 the answerer's certificate since it may not yet have the answerer's 669 certificate fingerprint. 671 When the answerer accepts the offer, it provides an answer back to 672 the offerer containing the answerer's certificate fingerprint. At 673 this point, the offerer can accept or reject the peer's certificate 674 and the offerer can indicate to the end user that the media is 675 secured. 677 Note that the entire authentication and key exchange for securing the 678 media traffic is handled in the media path through DTLS. The 679 signaling path is only used to verify the peers' certificate 680 fingerprints. 682 The offerer and answerer MUST follow the SDP offer/answer procedures 683 defined in [RFCXXXX]. 685 Update to section 6.6: 686 ---------------------- 688 OLD TEXT: 690 6.6. Session Modification 692 Once an answer is provided to the offerer, either endpoint MAY 693 request a session modification that MAY include an updated offer. 694 This session modification can be carried in either an INVITE or 695 UPDATE request. The peers can reuse the existing associations if 696 they are compatible (i.e., they have the same key fingerprints and 697 transport parameters), or establish a new one following the same 698 rules are for initial exchanges, tearing down the existing 699 association as soon as the offer/answer exchange is completed. Note 700 that if the active/passive status of the endpoints changes, a new 701 connection MUST be established. 703 NEW TEXT: 705 6.6. Session Modification 707 Once an answer is provided to the offerer, either endpoint MAY 708 request a session modification that MAY include an updated offer. 709 This session modification can be carried in either an INVITE or 710 UPDATE request. The peers can reuse an existing DTLS association, 711 or establish a new one, following the procedures in [RFCXXXX]. 713 Update to section 6.7.1: 714 ------------------------ 716 OLD TEXT: 718 6.7.1. ICE Interaction 720 Interactive Connectivity Establishment (ICE), as specified in 721 [RFC5245], provides a methodology of allowing participants in 722 multimedia sessions to verify mutual connectivity. When ICE is being 723 used, the ICE connectivity checks are performed before the DTLS 724 handshake begins. Note that if aggressive nomination mode is used, 725 multiple candidate pairs may be marked valid before ICE finally 726 converges on a single candidate pair. Implementations MUST treat all 727 ICE candidate pairs associated with a single component as part of the 728 same DTLS association. Thus, there will be only one DTLS handshake 729 even if there are multiple valid candidate pairs. Note that this may 730 mean adjusting the endpoint IP addresses if the selected candidate 731 pair shifts, just as if the DTLS packets were an ordinary media 732 stream. 734 Note that Simple Traversal of the UDP Protocol through NAT (STUN) 735 packets are sent directly over UDP, not over DTLS. [RFC5764] 736 describes how to demultiplex STUN packets from DTLS packets and SRTP 737 packets. 739 NEW TEXT: 741 6.7.1. ICE Interaction 742 The Interactive Connectivity Establishment (ICE) [RFC5245] 743 considerations for DTLS-protected media are described in 744 [RFCXXXX]. 746 9.3. Update to RFC 7345 748 Update to section 4: 749 -------------------- 751 OLD TEXT: 753 4. SDP Offerer/Answerer Procedures 755 4.1. General 757 An endpoint (i.e., both the offerer and the answerer) MUST create an 758 SDP media description ("m=" line) for each UDPTL-over-DTLS media 759 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 760 "proto" field of the "m=" line. 762 The procedures in this section apply to an "m=" line associated with 763 a UDPTL-over-DTLS media stream. 765 In order to negotiate a UDPTL-over-DTLS media stream, the following 766 SDP attributes are used: 768 o The SDP attributes defined for UDPTL over UDP, as described in 769 [ITU.T38.2010]; and 771 o The SDP attributes, defined in [RFC4145] and [RFC4572], as 772 described in this section. 774 The endpoint MUST NOT use the SDP "connection" attribute [RFC4145]. 776 In order to negotiate the TLS roles for the UDPTL-over-DTLS transport 777 connection, the endpoint MUST use the SDP "setup" attribute 778 [RFC4145]. 780 If the endpoint supports, and is willing to use, a cipher suite with 781 an associated certificate, the endpoint MUST include an SDP 782 "fingerprint" attribute [RFC4572]. The endpoint MUST support SHA-256 783 for generating and verifying the SDP "fingerprint" attribute value. 784 The use of SHA-256 is preferred. UDPTL over DTLS, at a minimum, MUST 785 support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support 786 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer 787 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward 788 Secrecy (PFS) cipher suites over non-PFS cipher suites. 790 Implementations SHOULD disable TLS-level compression. 792 If a cipher suite with an associated certificate is selected during 793 the DTLS handshake, the certificate received during the DTLS 794 handshake MUST match the fingerprint received in the SDP 795 "fingerprint" attribute. If the fingerprint does not match the 796 hashed certificate, then the endpoint MUST tear down the media 797 session immediately. Note that it is permissible to wait until the 798 other side's fingerprint has been received before establishing the 799 connection; however, this may have undesirable latency effects. 801 4.2. Generating the Initial Offer 803 The offerer SHOULD assign the SDP "setup" attribute with a value of 804 "actpass", unless the offerer insists on being either the sender or 805 receiver of the DTLS ClientHello message, in which case the offerer 806 can use either a value of "active" (the offerer will be the sender of 807 ClientHello) or "passive" (the offerer will be the receiver of 808 ClientHello). The offerer MUST NOT assign an SDP "setup" attribute 809 with a "holdconn" value. 811 If the offerer assigns the SDP "setup" attribute with a value of 812 "actpass" or "passive", the offerer MUST be prepared to receive a 813 DTLS ClientHello message before it receives the SDP answer. 815 4.3. Generating the Answer 817 If the answerer accepts the offered UDPTL-over-DTLS transport 818 connection, in the associated SDP answer, the answerer MUST assign an 819 SDP "setup" attribute with a value of either "active" or "passive", 820 according to the procedures in [RFC4145]. The answerer MUST NOT 821 assign an SDP "setup" attribute with a value of "holdconn". 823 If the answerer assigns an SDP "setup" attribute with a value of 824 "active" value, the answerer MUST initiate a DTLS handshake by 825 sending a DTLS ClientHello message on the negotiated media stream, 826 towards the IP address and port of the offerer. 828 4.4. Offerer Processing of the Answer 830 When the offerer receives an SDP answer, if the offerer ends up being 831 active it MUST initiate a DTLS handshake by sending a DTLS 832 ClientHello message on the negotiated media stream, towards the IP 833 address and port of the answerer. 835 4.5. Modifying the Session 837 Once an offer/answer exchange has been completed, either endpoint MAY 838 send a new offer in order to modify the session. The endpoints can 839 reuse the existing DTLS association if the key fingerprint values and 840 transport parameters indicated by each endpoint are unchanged. 841 Otherwise, following the rules for the initial offer/answer exchange, 842 the endpoints can negotiate and create a new DTLS association and, 843 once created, delete the previous DTLS association, following the 844 same rules for the initial offer/answer exchange. Each endpoint 845 needs to be prepared to receive data on both the new and old DTLS 846 associations as long as both are alive. 848 NEW TEXT: 850 4. SDP Offerer/Answerer Procedures 852 An endpoint (i.e., both the offerer and the answerer) MUST create an 853 SDP media description ("m=" line) for each UDPTL-over-DTLS media 854 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 855 "proto" field of the "m=" line. 857 The offerer and answerer MUST follow the SDP offer/answer procedures 858 defined in [RFCXXXX] in order to negotiate the DTLS association 859 associated with the UDPTL-over-DTLS media stream. In addition, 860 the offerer and answerer MUST use the SDP attributes defined for 861 UDPTL over UDP, as defined in [ITU.T38.2010]. 863 Update to section 5.2.1: 864 ------------------------ 866 OLD TEXT: 868 5.2.1. ICE Usage 870 When Interactive Connectivity Establishment (ICE) [RFC5245] is being 871 used, the ICE connectivity checks are performed before the DTLS 872 handshake begins. Note that if aggressive nomination mode is used, 873 multiple candidate pairs may be marked valid before ICE finally 874 converges on a single candidate pair. User Agents (UAs) MUST treat 875 all ICE candidate pairs associated with a single component as part of 876 the same DTLS association. Thus, there will be only one DTLS 877 handshake even if there are multiple valid candidate pairs. Note 878 that this may mean adjusting the endpoint IP addresses if the 879 selected candidate pair shifts, just as if the DTLS packets were an 880 ordinary media stream. In the case of an ICE restart, the DTLS 881 handshake procedure is repeated, and a new DTLS association is 882 created. Once the DTLS handshake is completed and the new DTLS 883 association has been created, the previous DTLS association is 884 deleted. 886 NEW TEXT: 888 5.2.1. ICE Usage 890 The Interactive Connectivity Establishment (ICE) [RFC5245] 891 considerations for DTLS-protected media are described in 892 [RFCXXXX]. 894 10. Security Considerations 896 This specification does not modify the security considerations 897 associated with DTLS, or the SDP offer/answer mechanism. In addition 898 to the introduction of the SDP 'dtls-id' attribute, the specification 899 simply clarifies the procedures for negotiating and establishing a 900 DTLS association. 902 11. IANA Considerations 904 This document updates the "Session Description Protocol Parameters" 905 registry as specified in Section 8.2.2 of [RFC4566]. Specifically, 906 it adds the SDP dtls-id attribute to the table for SDP media level 907 attributes. 909 Attribute name: dtls-id 910 Type of attribute: media-level 911 Subject to charset: no 912 Purpose: Indicate whether a new DTLS association is to be 913 established/re-established. 914 Appropriate Values: see Section 4 915 Contact name: Christer Holmberg 916 Mux Category: IDENTICAL 918 12. Acknowledgements 920 Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat, Jens Guballa, 921 Charles Eckel and Gonzalo Salgueiro for providing comments and 922 suggestions on the document. 924 13. Change Log 926 [RFC EDITOR NOTE: Please remove this section when publishing] 928 Changes from draft-ietf-mmusic-sdp-dtls-14 930 o Changes based on comments from Flemming: 932 o - Additional dtls-is clarifiations 934 o - Editorial fixes 936 Changes from draft-ietf-mmusic-sdp-dtls-13 938 o Text about the updated RFCs added to Abstract and Introduction 940 o Reference to RFC 5763 removed from section 6 (ICE Considerations) 942 o Reference to RFC 5763 removed from section 8 (SIP Considerations) 944 Changes from draft-ietf-mmusic-sdp-dtls-12 946 o "unreliable" changed to "unordered" 948 Changes from draft-ietf-mmusic-sdp-dtls-11 950 o Attribute name changed to dtls-id 952 o Additional text based on comments from Roman Shpount. 954 Changes from draft-ietf-mmusic-sdp-dtls-10 956 o Modified document to use dtls-id instead of dtls-connection 958 o Changes are based on comments from Eric Rescorla, Justin Uberti, 959 and Paul Kyzivat. 961 Changes from draft-ietf-mmusic-sdp-dtls-08 963 o Offer/Answer section modified in order to allow sending of 964 multiple SDP 'fingerprint' attributes. 966 o Terminology made consistent: 'DTLS connection' replaced with 'DTLS 967 association'. 969 o Editorial changes based on comments from Paul Kyzivat. 971 Changes from draft-ietf-mmusic-sdp-dtls-07 973 o Reference to RFC 7315 replaced with reference to RFC 7345. 975 Changes from draft-ietf-mmusic-sdp-dtls-06 977 o Text on restrictions regarding spanning a DTLS association over 978 multiple transports added. 980 o Mux category added to IANA Considerations. 982 o Normative text regarding mux category and source-specific 983 applicability added. 985 o Reference to RFC 7315 added. 987 o Clarified that offerer/answerer that has not been updated to 988 support this specification will not include the dtls-id attribute 989 in offers and answers. 991 o Editorial corrections based on WGLC comments from Charles Eckel. 993 Changes from draft-ietf-mmusic-sdp-dtls-05 995 o Text on handling offer/answer error conditions added. 997 Changes from draft-ietf-mmusic-sdp-dtls-04 999 o Editorial nits fixed based on comments from Paul Kyzivat: 1001 Changes from draft-ietf-mmusic-sdp-dtls-03 1003 o Changes based on comments from Paul Kyzivat: 1005 o - Modification of dtls-id attribute section. 1007 o - Removal of IANA considerations subsection. 1009 o - Making note into normative text in o/a section. 1011 o Changes based on comments from Martin Thompson: 1013 o - Abbreviations section removed. 1015 o - Clarify that a new DTLS association requires a new o/a 1016 transaction. 1018 Changes from draft-ietf-mmusic-sdp-dtls-02 1020 o - Updated RFCs added to boilerplate. 1022 Changes from draft-ietf-mmusic-sdp-dtls-01 1024 o - Annex regarding 'dtls-id-id' attribute removed. 1026 o - Additional SDP offer/answer procedures, related to certificates, 1027 added. 1029 o - Updates to RFC 5763 and RFC 7345 added. 1031 o - Transport protocol considerations added. 1033 Changes from draft-ietf-mmusic-sdp-dtls-00 1035 o - SDP 'connection' attribute replaced with new 'dtls-id' 1036 attribute. 1038 o - IANA Considerations added. 1040 o - E-mail regarding 'dtls-id-id' attribute added as Annex. 1042 Changes from draft-holmberg-mmusic-sdp-dtls-01 1044 o - draft-ietf-mmusic version of draft submitted. 1046 o - Draft file name change (sdp-dtls -> dtls-sdp) due to collision 1047 with another expired draft. 1049 o - Clarify that if ufrag in offer is unchanged, it must be 1050 unchanged in associated answer. 1052 o - SIP Considerations section added. 1054 o - Section about multiple SDP fingerprint attributes added. 1056 Changes from draft-holmberg-mmusic-sdp-dtls-00 1058 o - Editorial changes and clarifications. 1060 14. References 1062 14.1. Normative References 1064 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1065 Requirement Levels", BCP 14, RFC 2119, 1066 DOI 10.17487/RFC2119, March 1997, 1067 . 1069 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 1070 A., Peterson, J., Sparks, R., Handley, M., and E. 1071 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 1072 DOI 10.17487/RFC3261, June 2002, 1073 . 1075 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 1076 with Session Description Protocol (SDP)", RFC 3264, 1077 DOI 10.17487/RFC3264, June 2002, 1078 . 1080 [RFC4145] Yon, D. and G. Camarillo, "TCP-Based Media Transport in 1081 the Session Description Protocol (SDP)", RFC 4145, 1082 DOI 10.17487/RFC4145, September 2005, 1083 . 1085 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 1086 Description Protocol", RFC 4566, DOI 10.17487/RFC4566, 1087 July 2006, . 1089 [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the 1090 Transport Layer Security (TLS) Protocol in the Session 1091 Description Protocol (SDP)", RFC 4572, 1092 DOI 10.17487/RFC4572, July 2006, 1093 . 1095 [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework 1096 for Establishing a Secure Real-time Transport Protocol 1097 (SRTP) Security Context Using Datagram Transport Layer 1098 Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 1099 2010, . 1101 [RFC7345] Holmberg, C., Sedlacek, I., and G. Salgueiro, "UDP 1102 Transport Layer (UDPTL) over Datagram Transport Layer 1103 Security (DTLS)", RFC 7345, DOI 10.17487/RFC7345, August 1104 2014, . 1106 [I-D.ietf-mmusic-4572-update] 1107 Holmberg, C., "SDP Fingerprint Attribute Usage 1108 Clarifications", draft-ietf-mmusic-4572-update-07 (work in 1109 progress), September 2016. 1111 14.2. Informative References 1113 [RFC5576] Lennox, J., Ott, J., and T. Schierl, "Source-Specific 1114 Media Attributes in the Session Description Protocol 1115 (SDP)", RFC 5576, DOI 10.17487/RFC5576, June 2009, 1116 . 1118 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 1119 Security (DTLS) Extension to Establish Keys for the Secure 1120 Real-time Transport Protocol (SRTP)", RFC 5764, 1121 DOI 10.17487/RFC5764, May 2010, 1122 . 1124 [RFC6083] Tuexen, M., Seggelmann, R., and E. Rescorla, "Datagram 1125 Transport Layer Security (DTLS) for Stream Control 1126 Transmission Protocol (SCTP)", RFC 6083, 1127 DOI 10.17487/RFC6083, January 2011, 1128 . 1130 [I-D.ietf-ice-rfc5245bis] 1131 Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive 1132 Connectivity Establishment (ICE): A Protocol for Network 1133 Address Translator (NAT) Traversal", draft-ietf-ice- 1134 rfc5245bis-04 (work in progress), June 2016. 1136 [I-D.ietf-mmusic-sdp-mux-attributes] 1137 Nandakumar, S., "A Framework for SDP Attributes when 1138 Multiplexing", draft-ietf-mmusic-sdp-mux-attributes-14 1139 (work in progress), September 2016. 1141 [I-D.ietf-mmusic-sdp-bundle-negotiation] 1142 Holmberg, C., Alvestrand, H., and C. Jennings, 1143 "Negotiating Media Multiplexing Using the Session 1144 Description Protocol (SDP)", draft-ietf-mmusic-sdp-bundle- 1145 negotiation-36 (work in progress), October 2016. 1147 Authors' Addresses 1149 Christer Holmberg 1150 Ericsson 1151 Hirsalantie 11 1152 Jorvas 02420 1153 Finland 1155 Email: christer.holmberg@ericsson.com 1157 Roman Shpount 1158 TurboBridge 1159 4905 Del Ray Avenue, Suite 300 1160 Bethesda, MD 20814 1161 USA 1163 Phone: +1 (240) 292-6632 1164 Email: rshpount@turbobridge.com