idnits 2.17.1 draft-ietf-mmusic-dtls-sdp-17.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC5763, updated by this document, for RFC5378 checks: 2007-11-12) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 27, 2017) is 2645 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFCXXXX' is mentioned on line 872, but not defined ** Obsolete normative reference: RFC 4566 (Obsoleted by RFC 8866) == Outdated reference: A later version (-13) exists of draft-ietf-mmusic-4572-update-12 -- Obsolete informational reference (is this intentional?): RFC 4474 (Obsoleted by RFC 8224) -- Obsolete informational reference (is this intentional?): RFC 4572 (Obsoleted by RFC 8122) -- Obsolete informational reference (is this intentional?): RFC 5245 (Obsoleted by RFC 8445, RFC 8839) == Outdated reference: A later version (-20) exists of draft-ietf-ice-rfc5245bis-08 == Outdated reference: A later version (-19) exists of draft-ietf-mmusic-sdp-mux-attributes-16 == Outdated reference: A later version (-54) exists of draft-ietf-mmusic-sdp-bundle-negotiation-36 Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Holmberg 3 Internet-Draft Ericsson 4 Updates: 5763,7345 (if approved) R. Shpount 5 Intended status: Standards Track TurboBridge 6 Expires: July 31, 2017 January 27, 2017 8 Using the SDP Offer/Answer Mechanism for DTLS 9 draft-ietf-mmusic-dtls-sdp-17.txt 11 Abstract 13 This document defines the SDP offer/answer procedures for negotiating 14 and establishing a DTLS association. The document also defines the 15 criteria for when a new DTLS association must be established. The 16 document updates RFC 5763 and RFC 7345, by replacing common SDP 17 offer/answer procedures with a reference to this specification. 19 This document defines a new SDP media-level attribute, 'dtls-id'. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on July 31, 2017. 38 Copyright Notice 40 Copyright (c) 2017 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Establishing a new DTLS Association . . . . . . . . . . . . . 3 58 3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3.2. Change of Local Transport Parameters . . . . . . . . . . 4 60 3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4 61 4. SDP dtls-id Attribute . . . . . . . . . . . . . . . . . . . . 4 62 5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 5 63 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6 64 5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 7 65 5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 8 66 5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 8 67 5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 9 68 6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 9 69 7. Transport Protocol Considerations . . . . . . . . . . . . . . 10 70 7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 10 71 8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 10 72 9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 11 74 9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 11 75 9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 16 76 10. Security Considerations . . . . . . . . . . . . . . . . . . . 19 77 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 78 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 79 13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 20 80 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 81 14.1. Normative References . . . . . . . . . . . . . . . . . . 23 82 14.2. Informative References . . . . . . . . . . . . . . . . . 24 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 85 1. Introduction 87 [RFC5763] defines SDP Offer/Answer procedures for SRTP-DTLS. 88 [RFC7345] defines SDP offer/answer procedures for UDPTL-DTLS. This 89 specification defines general offer/answer procedures for DTLS, based 90 on the procedures in [RFC5763]. Other specifications, defining 91 specific DTLS usages, can then reference this specification, in order 92 to ensure that the DTLS aspects are common among all usages. Having 93 common procedures is essential when multiple usages share the same 94 DTLS association [I-D.ietf-mmusic-sdp-bundle-negotiation]. The 95 document updates [RFC5763] and [RFC7345], by replacing common SDP 96 offer/answer procedures with a reference to this specification. 98 As defined in [RFC5763], a new DTLS association MUST be established 99 when transport parameters are changed. Transport parameter change is 100 not well defined when Interactive Connectivity Establishment (ICE) 101 [I-D.ietf-ice-rfc5245bis] is used. One possible way to determine a 102 transport change is based on ufrag change, but the ufrag value is 103 changed both when ICE is negotiated and when ICE restart 104 [I-D.ietf-ice-rfc5245bis] occurs. These events do not always require 105 a new DTLS association to be established, but currently there is no 106 way to explicitly indicate in an SDP offer or answer whether a new 107 DTLS association is required. To solve that problem, this document 108 defines a new SDP attribute, 'dtls-id'. The pair of SDP 'dtls-id' 109 attribute values (the attribute values of the offerer and the 110 answerer) uniquely identifies the DTLS association. Providing a new 111 value of 'dtls-id' attribute in an SDP offer or answers can be used 112 to indicate whether a new DTLS association is to be established. 114 2. Conventions 116 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 117 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 118 document are to be interpreted as described in [RFC2119]. 120 3. Establishing a new DTLS Association 122 3.1. General 124 A new DTLS association MUST be established after a successful SDP 125 offer/answer transaction in the following cases: 127 o The negotiated DTLS setup roles change; or 129 o One or more fingerprint values are modified, added or removed in 130 either an SDP offer or answer; or 132 o The intent to establish a new DTLS association is explicitly 133 signaled by changing the value of the SDP 'dtls-id' attribute 134 defined in this document; 136 NOTE: The first two items list above are based on the procedures in 137 [RFC5763]. This specification adds the support for explicit 138 signaling using the SDP 'dtls-id' attribute. 140 A new DTLS association can only established as a result of the 141 successful SDP offer/answer transaction. Whenever an entity 142 determines that a new DTLS association is required, the entity MUST 143 initiate an SDP offer/answer transaction, following the procedures in 144 Section 5. 146 The sections below describe typical cases where a new DTLS 147 association needs to be established. 149 3.2. Change of Local Transport Parameters 151 If an endpoint modifies its local transport parameters (address and/ 152 or port), and if the modification requires a new DTLS association, 153 the endpoint MUST change its local SDP 'dtls-id' attribute value 154 Section 4. 156 If the underlying transport explicitly prohibits a DTLS association 157 to span multiple transports, and if the transport is changed, the 158 endpoint MUST change its local SDP 'dtls-id' attribute value 159 Section 4. An example of such case is when DTLS is carried over 160 SCTP, as described in [RFC6083]. 162 3.3. Change of ICE ufrag value 164 If an endpoint uses ICE, and modifies a local ufrag value, and if the 165 modification requires a new DTLS association, the endpoint MUST 166 change its local SDP 'dtls-id' attribute value Section 4. 168 4. SDP dtls-id Attribute 170 The pair of SDP 'dtls-id' attribute values (the attribute values of 171 the offerer and the answerer) uniquely identifies the DTLS 172 association. 174 Name: dtls-id 176 Value: dtls-id-value 178 Usage Level: media 180 Charset Dependent: no 182 Default Value: N/A 184 Syntax: 186 dtls-id-value = 0*256 188 Example: 190 a=dtls-id:abc3dl 192 Every time an endpoint requests to establish a new DTLS association, 193 the endpoint MUST generate a new unique local 'dtls-id' attribute 194 value. A non-changed local 'dtls-id' attribute value, in combination 195 with non-changed fingerprints, indicates that the endpoint intends to 196 reuse the existing DTLS association. 198 The mechanism to generate the unique local 'dtls-id' attribute value 199 MUST guarantee global uniqueness of the value for the lifetime of the 200 DTLS association associated with the attribute value. 202 No default value is defined for the SDP 'dtls-id' attribute. 203 Implementations that wish to use the attribute MUST explicitly 204 include it in SDP offers and answers. If an offer or answer does not 205 contain an attribute (this could happen if the offerer or answerer 206 represents an existing implementation that has not been updated to 207 support the 'dtls-id' attribute), the offer or answer MUST be treated 208 as if no 'dtls-id' attribute is included. Unless there is another 209 mechanism to explicitly indicate that a new DTLS association is to be 210 established, a modification of one or more of the following 211 characteristics MUST be treated as an indication that an endpoint 212 wants to establish a new DTLS association: 214 o DTLS setup role; or 216 o fingerprint set; or 218 o local transport parameters; or 220 o ICE ufrag value 222 The mux category [I-D.ietf-mmusic-sdp-mux-attributes] for the 'dtls- 223 id' attribute is 'IDENTICAL', which means that the attribute value 224 must be identical across all media descriptions being multiplexed 225 [I-D.ietf-mmusic-sdp-bundle-negotiation]. 227 For RTP-based media, the 'dtls-id' attribute apply to whole 228 associated media description. The attribute MUST NOT be defined per 229 source (using the SDP 'ssrc' attribute [RFC5576]). 231 The SDP offer/answer [RFC3264] procedures associated with the 232 attribute are defined in Section 5 234 5. SDP Offer/Answer Procedures 235 5.1. General 237 This section defines the generic SDP offer/answer procedures for 238 negotiating a DTLS association. Additional procedures (e.g., 239 regarding usage of specific SDP attributes etc.) for individual DTLS 240 usages (e.g., SRTP-DTLS) are outside the scope of this specification, 241 and need to be specified in a usage specific specification. 243 NOTE: The procedures in this section are generalizations of 244 procedures first specified in SRTP-DTLS [RFC5763], with the addition 245 of usage of the SDP 'dtls-id' attribute. That document is herein 246 updated to make use of these new procedures. 248 The procedures in this section apply to an SDP media description 249 ("m=" line) associated with DTLS-protected media/data. 251 When an offerer or answerer indicates that it wants to establish a 252 new DTLS association, it needs to make sure that media packets in the 253 existing DTLS association and new DTLS association can be de- 254 multiplexed. In case of ordered transport (e.g., SCTP) this can be 255 done simply by sending packets for new DTLS association after all 256 packets for existing DTLS association have been sent. In case of 257 unordered transport, such as UDP, packets for the old DTLS 258 association can arrive after the answer SDP was received and after 259 first packets for the new DTLS association were received. The only 260 way to de-multiplex packets belonging to old and new DTLS association 261 is on the basis of transport 5-tuple. Because of this, if unordered 262 transport is used for DTLS association, new transport (3-tuple) MUST 263 be allocated by at least one of the end points so that DTLS packets 264 can be de-multiplexed. 266 When an offerer needs to establish a new DTLS association, and if an 267 unordered transport (e.g., UDP) is used, the offerer MUST allocate a 268 new transport (3-tuple) for the offer in such a way that the offerer 269 can disambiguate any packets associated with the new DTLS association 270 from any packets associated with any other DTLS association. This 271 typically means using a local address and/or port, or a set of ICE 272 candidates (see Section 6), which were not recently used for any 273 other DTLS association. 275 When an answerer needs to establish a new DTLS association, if an 276 unordered transport is used, and if the offerer did not allocate a 277 new transport, the answerer MUST allocate a new transport for the 278 answer in such a way that it can disambiguate any packets associated 279 with new DTLS association from any packets associated with any other 280 DTLS association. This typically means using a local address and/or 281 port, or a set of ICE candidates (see Section 6), which were not 282 recently used for any other DTLS association. 284 In order to negotiate a DTLS association, the following SDP 285 attributes are used: 287 o The SDP 'setup' attribute, defined in [RFC4145], is used to 288 negotiate the DTLS roles; 290 o The SDP 'fingerprint' attribute, defined in 291 [I-D.ietf-mmusic-4572-update], is used to provide one or more 292 fingerprint values; and 294 o The SDP 'dtls-id' attribute, defined in this specification. 296 This specification does not define the usage of the SDP 'connection' 297 attribute [RFC4145] for negotiating a DTLS connection. However, the 298 attribute MAY be used if the DTLS association is used together with 299 another protocol (e.g., SCTP or TCP) for which the usage of the 300 attribute has been defined. 302 Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP 303 'setup' attribute 'holdconn' value when negotiating a DTLS 304 association. 306 Endpoints MUST support the cipher suites as defined in 307 [I-D.ietf-mmusic-4572-update]. 309 The certificate received during the DTLS handshake MUST match the 310 certificate fingerprints received in SDP 'fingerprint' attributes 311 according to procedures defined in [I-D.ietf-mmusic-4572-update]. If 312 fingerprints do not match the hashed certificate, then an endpoint 313 MUST tear down the media session immediately. Note that it is 314 permissible to wait until the other side's fingerprint has been 315 received before establishing the connection; however, this may have 316 undesirable latency effects. 318 SDP offerers and answerers might reuse certificates across multiple 319 DTLS associations, and provide identical fingerprint values for each 320 DTLS association. It MUST be ensured that the combination of SDP the 321 'dtls-id' attribute values of the SDP offerer and answerer is unique 322 across all DTLS associations that might be handled by the SDP offerer 323 and answerer. 325 5.2. Generating the Initial SDP Offer 327 When an offerer sends the initial offer, the offerer MUST insert an 328 SDP 'setup' attribute according to the procedures in [RFC4145], and 329 one or more SDP 'fingerprint' attributes according to the procedures 330 in [I-D.ietf-mmusic-4572-update]. In addition, the offerer MUST 331 insert in the offer an SDP 'dtls-id' attribute with a unique value. 333 If the offerer inserts the SDP 'setup' attribute with an 'actpass' or 334 'passive' attribute value, the offerer MUST be prepared to receive a 335 DTLS ClientHello message (if a new DTLS association is established by 336 the answerer) from the answerer before the offerer receives the SDP 337 answer. 339 5.3. Generating the Answer 341 When an answerer sends an answer, the answerer MUST insert in the 342 answer an SDP 'setup' attribute according to the procedures in 343 [RFC4145], and one or more SDP 'fingerprint' attributes according to 344 the procedures in [I-D.ietf-mmusic-4572-update]. If the answerer 345 determines, based on the criteria specified in Section 3.1, that a 346 new DTLS association is to be established, the answerer MUST insert 347 in the associated answer an SDP 'dtls-id' attribute with a new unique 348 value. Note that the offerer and answerer generate their own local 349 'dtls-id' attribute values, and the combination of both values 350 identify the DTLS association. 352 If the answerer receives an offer that requires establishment of a 353 new DTLS association, and if the answerer does not accept the 354 establishment of a new DTLS association, the answerer MUST reject the 355 "m=" lines associated with the suggested DTLS association [RFC3264]. 357 If an answerer receives an offer that does not require the 358 establishment of a new DTLS association, and if the answerer 359 determines that a new DTLS association is not to be established, the 360 answerer MUST insert an SDP 'dtls-id' attribute with the previously 361 assigned value in the associated answer. In addition, the answerer 362 MUST insert an SDP 'setup' attribute with a value that does not 363 change the previously negotiated DTLS roles, and one or more SDP 364 'fingerprint' attributes values that do not change the previously 365 sent fingerprint set, in the associated answer. 367 If the answerer receives an offer that does not contain an SDP 'dtls- 368 id' attribute, the answerer MUST NOT insert a 'dtls-id' attribute in 369 the answer. 371 If a new DTLS association is to be established, and if the answerer 372 inserts an SDP 'setup' attribute with an 'active' value in the 373 answer, the answerer MUST initiate a DTLS handshake by sending a DTLS 374 ClientHello message towards the offerer. 376 5.4. Offerer Processing of the SDP Answer 378 When an offerer receives an answer that establishes a new DTLS 379 association based on criteria defined in Section 3.1, and if the 380 offerer becomes DTLS client (based on the value of the SDP 'setup' 381 attribute value [RFC4145]), the offerer MUST establish a DTLS 382 association. If the offerer becomes DTLS server, it MUST wait for 383 the answerer to establish the DTLS association. 385 If the answer does not establish a new DTLS association, the offerer 386 will continue using the previously established DTLS association. 388 NOTE: A new DTLS association can be established based on changes in 389 either an SDP offer or answer. When communicating with legacy 390 endpoints, an offerer can receive an answer that includes the same 391 fingerprint set and setup role. A new DTLS association MUST still be 392 established if such an answer was received as a response to an offer 393 which requested the establishment of a new DTLS association. 395 5.5. Modifying the Session 397 When the offerer sends a subsequent offer, and if the offerer wants 398 to establish a new DTLS association, the offerer MUST insert an SDP 399 'setup' attribute according to the procedures in [RFC4145], and one 400 or more SDP 'fingerprint' attributes according to the procedures in 401 [I-D.ietf-mmusic-4572-update]. In addition, the offerer MUST insert 402 in the offer an SDP 'dtls-id' attribute with a new unique value. 404 When the offerer sends a subsequent offer, and the offerer does not 405 want to establish a new DTLS association, and if a previously 406 established DTLS association exists, the offerer MUST insert an SDP 407 'dtls-id' attribute with the previously assigned value in the offer. 408 In addition, the offerer MUST insert an SDP 'setup' attribute, and 409 one or more SDP 'fingerprint' attributes with values that do not 410 change the previously sent fingerprint set, in the offer. The value 411 of the 'setup' attribute SHOULD be set to 'actpass', in order to 412 allow the answerer to establish a new DTLS association with a 413 different role, but MAY be set to the current negotiated role 414 ('active' or 'passive'). It MUST NOT be set to a value that changes 415 the current negotiated role. 417 NOTE: When a new DTLS association is being established, each endpoint 418 needs to be prepared to receive data on both the new and old DTLS 419 associations as long as both are alive. 421 6. ICE Considerations 423 When the Interactive Connectivity Establishment (ICE) mechanism 424 [I-D.ietf-ice-rfc5245bis] is used, the ICE connectivity checks are 425 performed before the DTLS handshake begins. Note that if aggressive 426 nomination mode is used, multiple candidate pairs may be marked valid 427 before ICE finally converges on a single candidate pair. 429 NOTE: Aggressive nomination has been deprecated from ICE, but must 430 still be supported for backwards compatibility reasons. 432 When new DTLS association is established over an unordered transport, 433 in order to disambiguate any packets associated with the newly 434 established DTLS association, at least one of the endpoints MUST 435 allocate a completely new set of ICE candidates which were not 436 recently used for any other DTLS association. This means the 437 answerer cannot initiate a new DTLS association unless the offerer 438 initiated ICE restart [I-D.ietf-ice-rfc5245bis]. If the answerer 439 wants to initiate a new DTLS association, it needs to initiate an ICE 440 restart and a new offer/answer exchange on its own. However, an ICE 441 restart does not by default require a new DTLS association to be 442 established. 444 NOTE: Simple Traversal of the UDP Protocol through NAT (STUN) packets 445 are sent directly over UDP, not over DTLS. [RFC5764] describes how 446 to demultiplex STUN packets from DTLS packets and SRTP packets. 448 Each ICE candidate associated with a component is treated as being 449 part of the same DTLS association. Therefore, from a DTLS 450 perspective it is not considered a change of local transport 451 parameters when an endpoint switches between those ICE candidates. 453 7. Transport Protocol Considerations 455 7.1. Transport Re-Usage 457 If DTLS is transported on top of a connection-oriented transport 458 protocol (e.g., TCP or SCTP), where all IP packets are acknowledged, 459 all DTLS packets associated with a previous DTLS association MUST be 460 acknowledged (or timed out) before a new DTLS association can be 461 established on the same transport. 463 8. SIP Considerations 465 When the Session Initiation Protocol (SIP) [RFC3261] is used as the 466 signal protocol for establishing a multimedia session, dialogs 467 [RFC3261] might be established between the caller and multiple 468 callees. This is referred to as forking. If forking occurs, 469 separate DTLS associations MUST be established between the caller and 470 each callee. 472 It is possible to send an INVITE request which does not contain an 473 SDP offer. Such an INVITE request is often referred to as an 'empty 474 INVITE', or an 'offer-less INVITE'. The receiving endpoint will 475 include the SDP offer in a response to the request. When the 476 endpoint generates such SDP offer, if a previously established DTLS 477 association exists, the offerer SHOULD insert an SDP 'dtls-id' 478 attribute, and one or more SDP 'fingerprint' attributes, with 479 previously assigned attribute values. If a previously established 480 DTLS association did not exists, the offer SHOULD be generated based 481 on the same rules as a new offer Section 5.2. Regardless of the 482 previous existence of a DTLS association, the SDP 'setup' attribute 483 MUST be included according to the rules defined in [RFC4145] and if 484 ICE is used, ICE restart MUST be initiated. 486 9. RFC Updates 488 9.1. General 490 This section updates specifications that use DTLS-protected media, in 491 order to reflect the procedures defined in this specification. 493 9.2. Update to RFC 5763 495 Update to section 5: 496 -------------------- 498 OLD TEXT: 500 5. Establishing a Secure Channel 502 The two endpoints in the exchange present their identities as part of 503 the DTLS handshake procedure using certificates. This document uses 504 certificates in the same style as described in "Connection-Oriented 505 Media Transport over the Transport Layer Security (TLS) Protocol in 506 the Session Description Protocol (SDP)" [RFC4572]. 508 If self-signed certificates are used, the content of the 509 subjectAltName attribute inside the certificate MAY use the uniform 510 resource identifier (URI) of the user. This is useful for debugging 511 purposes only and is not required to bind the certificate to one of 512 the communication endpoints. The integrity of the certificate is 513 ensured through the fingerprint attribute in the SDP. The 514 subjectAltName is not an important component of the certificate 515 verification. 517 The generation of public/private key pairs is relatively expensive. 518 Endpoints are not required to generate certificates for each session. 520 The offer/answer model, defined in [RFC3264], is used by protocols 521 like the Session Initiation Protocol (SIP) [RFC3261] to set up 522 multimedia sessions. In addition to the usual contents of an SDP 523 [RFC4566] message, each media description ("m=" line and associated 524 parameters) will also contain several attributes as specified in 525 [RFC5764], [RFC4145], and [RFC4572]. 527 When an endpoint wishes to set up a secure media session with another 528 endpoint, it sends an offer in a SIP message to the other endpoint. 529 This offer includes, as part of the SDP payload, the fingerprint of 530 the certificate that the endpoint wants to use. The endpoint SHOULD 531 send the SIP message containing the offer to the offerer's SIP proxy 532 over an integrity protected channel. The proxy SHOULD add an 533 Identity header field according to the procedures outlined in 534 [RFC4474]. The SIP message containing the offer SHOULD be sent to 535 the offerer's SIP proxy over an integrity protected channel. When 536 the far endpoint receives the SIP message, it can verify the identity 537 of the sender using the Identity header field. Since the Identity 538 header field is a digital signature across several SIP header fields, 539 in addition to the body of the SIP message, the receiver can also be 540 certain that the message has not been tampered with after the digital 541 signature was applied and added to the SIP message. 543 The far endpoint (answerer) may now establish a DTLS association with 544 the offerer. Alternately, it can indicate in its answer that the 545 offerer is to initiate the TLS association. In either case, mutual 546 DTLS certificate-based authentication will be used. After completing 547 the DTLS handshake, information about the authenticated identities, 548 including the certificates, are made available to the endpoint 549 application. The answerer is then able to verify that the offerer's 550 certificate used for authentication in the DTLS handshake can be 551 associated to the certificate fingerprint contained in the offer in 552 the SDP. At this point, the answerer may indicate to the end user 553 that the media is secured. The offerer may only tentatively accept 554 the answerer's certificate since it may not yet have the answerer's 555 certificate fingerprint. 557 When the answerer accepts the offer, it provides an answer back to 558 the offerer containing the answerer's certificate fingerprint. At 559 this point, the offerer can accept or reject the peer's certificate 560 and the offerer can indicate to the end user that the media is 561 secured. 563 Note that the entire authentication and key exchange for securing the 564 media traffic is handled in the media path through DTLS. The 565 signaling path is only used to verify the peers' certificate 566 fingerprints. 568 The offer and answer MUST conform to the following requirements. 570 o The endpoint MUST use the setup attribute defined in [RFC4145]. 571 The endpoint that is the offerer MUST use the setup attribute 572 value of setup:actpass and be prepared to receive a client_hello 573 before it receives the answer. The answerer MUST use either a 574 setup attribute value of setup:active or setup:passive. Note that 575 if the answerer uses setup:passive, then the DTLS handshake will 576 not begin until the answerer is received, which adds additional 577 latency. setup:active allows the answer and the DTLS handshake to 578 occur in parallel. Thus, setup:active is RECOMMENDED. Whichever 579 party is active MUST initiate a DTLS handshake by sending a 580 ClientHello over each flow (host/port quartet). 582 o The endpoint MUST NOT use the connection attribute defined in 583 [RFC4145]. 585 o The endpoint MUST use the certificate fingerprint attribute as 586 specified in [RFC4572]. 588 o The certificate presented during the DTLS handshake MUST match the 589 fingerprint exchanged via the signaling path in the SDP. The 590 security properties of this mechanism are described in Section 8. 592 o If the fingerprint does not match the hashed certificate, then the 593 endpoint MUST tear down the media session immediately. Note that 594 it is permissible to wait until the other side's fingerprint has 595 been received before establishing the connection; however, this 596 may have undesirable latency effects. 598 NEW TEXT: 600 5. Establishing a Secure Channel 602 The two endpoints in the exchange present their identities as part of 603 the DTLS handshake procedure using certificates. This document uses 604 certificates in the same style as described in "Connection-Oriented 605 Media Transport over TLS in SDP" [I-D.ietf-mmusic-4572-update]. 607 If self-signed certificates are used, the content of the 608 subjectAltName attribute inside the certificate MAY use the uniform 609 resource identifier (URI) of the user. This is useful for debugging 610 purposes only and is not required to bind the certificate to one of 611 the communication endpoints. The integrity of the certificate is 612 ensured through the fingerprint attribute in the SDP. 614 The generation of public/private key pairs is relatively expensive. 615 Endpoints are not required to generate certificates for each session. 617 The offer/answer model, defined in [RFC3264], is used by protocols 618 like the Session Initiation Protocol (SIP) [RFC3261] to set up 619 multimedia sessions. 621 When an endpoint wishes to set up a secure media session with another 622 endpoint, it sends an offer in a SIP message to the other endpoint. 623 This offer includes, as part of the SDP payload, a fingerprint of 624 a certificate that the endpoint wants to use. The endpoint SHOULD 625 send the SIP message containing the offer to the offerer's SIP proxy 626 over an integrity protected channel. The proxy SHOULD add an 627 Identity header field according to the procedures outlined in 628 [RFC4474]. The SIP message containing the offer SHOULD be sent to 629 the offerer's SIP proxy over an integrity protected channel. When 630 the far endpoint receives the SIP message, it can verify the identity 631 of the sender using the Identity header field. Since the Identity 632 header field is a digital signature across several SIP header fields, 633 in addition to the body of the SIP message, the receiver can also be 634 certain that the message has not been tampered with after the digital 635 signature was applied and added to the SIP message. 637 The far endpoint (answerer) may now establish a DTLS association with 638 the offerer. Alternately, it can indicate in its answer that the 639 offerer is to initiate the DTLS association. In either case, mutual 640 DTLS certificate-based authentication will be used. After completing 641 the DTLS handshake, information about the authenticated identities, 642 including the certificates, are made available to the endpoint 643 application. The answerer is then able to verify that the offerer's 644 certificate used for authentication in the DTLS handshake can be 645 associated to the certificate fingerprint contained in the offer in 646 the SDP. At this point, the answerer may indicate to the end user 647 that the media is secured. The offerer may only tentatively accept 648 the answerer's certificate since it may not yet have the answerer's 649 certificate fingerprint. 651 When the answerer accepts the offer, it provides an answer back to 652 the offerer containing the answerer's certificate fingerprint. At 653 this point, the offerer can accept or reject the peer's certificate 654 and the offerer can indicate to the end user that the media is 655 secured. 657 Note that the entire authentication and key exchange for securing 658 the media traffic is handled in the media path through DTLS. The 659 signaling path is only used to verify the peers' certificate 660 fingerprints. 662 The offerer and answerer MUST follow the SDP offer/answer procedures 663 defined in [RFCXXXX]. 665 Update to section 6.6: 667 ---------------------- 669 OLD TEXT: 671 6.6. Session Modification 673 Once an answer is provided to the offerer, either endpoint MAY 674 request a session modification that MAY include an updated offer. 675 This session modification can be carried in either an INVITE or 676 UPDATE request. The peers can reuse the existing associations if 677 they are compatible (i.e., they have the same key fingerprints and 678 transport parameters), or establish a new one following the same 679 rules are for initial exchanges, tearing down the existing 680 association as soon as the offer/answer exchange is completed. Note 681 that if the active/passive status of the endpoints changes, a new 682 connection MUST be established. 684 NEW TEXT: 686 6.6. Session Modification 688 Once an answer is provided to the offerer, either endpoint MAY 689 request a session modification that MAY include an updated offer. 690 This session modification can be carried in either an INVITE or 691 UPDATE request. The peers can reuse an existing DTLS association, 692 or establish a new one, following the procedures in [RFCXXXX]. 694 Update to section 6.7.1: 695 ------------------------ 697 OLD TEXT: 699 6.7.1. ICE Interaction 701 Interactive Connectivity Establishment (ICE), as specified in 702 [RFC5245], provides a methodology of allowing participants in 703 multimedia sessions to verify mutual connectivity. When ICE is being 704 used, the ICE connectivity checks are performed before the DTLS 705 handshake begins. Note that if aggressive nomination mode is used, 706 multiple candidate pairs may be marked valid before ICE finally 707 converges on a single candidate pair. Implementations MUST treat all 708 ICE candidate pairs associated with a single component as part of the 709 same DTLS association. Thus, there will be only one DTLS handshake 710 even if there are multiple valid candidate pairs. Note that this may 711 mean adjusting the endpoint IP addresses if the selected candidate 712 pair shifts, just as if the DTLS packets were an ordinary media 713 stream. 715 Note that Simple Traversal of the UDP Protocol through NAT (STUN) 716 packets are sent directly over UDP, not over DTLS. [RFC5764] 717 describes how to demultiplex STUN packets from DTLS packets and SRTP 718 packets. 720 NEW TEXT: 722 6.7.1. ICE Interaction 724 The Interactive Connectivity Establishment (ICE) 725 [I-D.ietf-ice-rfc5245bis] considerations for DTLS-protected media 726 are described in [RFCXXXX]. 728 9.3. Update to RFC 7345 730 Update to section 4: 731 -------------------- 733 OLD TEXT: 735 4. SDP Offerer/Answerer Procedures 737 4.1. General 739 An endpoint (i.e., both the offerer and the answerer) MUST create an 740 SDP media description ("m=" line) for each UDPTL-over-DTLS media 741 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 742 "proto" field of the "m=" line. 744 The procedures in this section apply to an "m=" line associated with 745 a UDPTL-over-DTLS media stream. 747 In order to negotiate a UDPTL-over-DTLS media stream, the following 748 SDP attributes are used: 750 o The SDP attributes defined for UDPTL over UDP, as described in 751 [ITU.T38.2010]; and 753 o The SDP attributes, defined in [RFC4145] and [RFC4572], as 754 described in this section. 756 The endpoint MUST NOT use the SDP "connection" attribute [RFC4145]. 758 In order to negotiate the TLS roles for the UDPTL-over-DTLS transport 759 connection, the endpoint MUST use the SDP "setup" attribute 760 [RFC4145]. 762 If the endpoint supports, and is willing to use, a cipher suite with 763 an associated certificate, the endpoint MUST include an SDP 764 "fingerprint" attribute [RFC4572]. The endpoint MUST support SHA-256 765 for generating and verifying the SDP "fingerprint" attribute value. 766 The use of SHA-256 is preferred. UDPTL over DTLS, at a minimum, MUST 767 support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support 768 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer 769 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward 770 Secrecy (PFS) cipher suites over non-PFS cipher suites. 771 Implementations SHOULD disable TLS-level compression. 773 If a cipher suite with an associated certificate is selected during 774 the DTLS handshake, the certificate received during the DTLS 775 handshake MUST match the fingerprint received in the SDP 776 "fingerprint" attribute. If the fingerprint does not match the 777 hashed certificate, then the endpoint MUST tear down the media 778 session immediately. Note that it is permissible to wait until the 779 other side's fingerprint has been received before establishing the 780 connection; however, this may have undesirable latency effects. 782 4.2. Generating the Initial Offer 784 The offerer SHOULD assign the SDP "setup" attribute with a value of 785 "actpass", unless the offerer insists on being either the sender or 786 receiver of the DTLS ClientHello message, in which case the offerer 787 can use either a value of "active" (the offerer will be the sender of 788 ClientHello) or "passive" (the offerer will be the receiver of 789 ClientHello). The offerer MUST NOT assign an SDP "setup" attribute 790 with a "holdconn" value. 792 If the offerer assigns the SDP "setup" attribute with a value of 793 "actpass" or "passive", the offerer MUST be prepared to receive a 794 DTLS ClientHello message before it receives the SDP answer. 796 4.3. Generating the Answer 798 If the answerer accepts the offered UDPTL-over-DTLS transport 799 connection, in the associated SDP answer, the answerer MUST assign an 800 SDP "setup" attribute with a value of either "active" or "passive", 801 according to the procedures in [RFC4145]. The answerer MUST NOT 802 assign an SDP "setup" attribute with a value of "holdconn". 804 If the answerer assigns an SDP "setup" attribute with a value of 805 "active" value, the answerer MUST initiate a DTLS handshake by 806 sending a DTLS ClientHello message on the negotiated media stream, 807 towards the IP address and port of the offerer. 809 4.4. Offerer Processing of the Answer 810 When the offerer receives an SDP answer, if the offerer ends up being 811 active it MUST initiate a DTLS handshake by sending a DTLS 812 ClientHello message on the negotiated media stream, towards the IP 813 address and port of the answerer. 815 4.5. Modifying the Session 817 Once an offer/answer exchange has been completed, either endpoint MAY 818 send a new offer in order to modify the session. The endpoints can 819 reuse the existing DTLS association if the key fingerprint values and 820 transport parameters indicated by each endpoint are unchanged. 821 Otherwise, following the rules for the initial offer/answer exchange, 822 the endpoints can negotiate and create a new DTLS association and, 823 once created, delete the previous DTLS association, following the 824 same rules for the initial offer/answer exchange. Each endpoint 825 needs to be prepared to receive data on both the new and old DTLS 826 associations as long as both are alive. 828 NEW TEXT: 830 4. SDP Offerer/Answerer Procedures 832 An endpoint (i.e., both the offerer and the answerer) MUST create an 833 SDP media description ("m=" line) for each UDPTL-over-DTLS media 834 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 835 "proto" field of the "m=" line. 837 The offerer and answerer MUST follow the SDP offer/answer procedures 838 defined in [RFCXXXX] in order to negotiate the DTLS association 839 associated with the UDPTL-over-DTLS media stream. In addition, 840 the offerer and answerer MUST use the SDP attributes defined for 841 UDPTL over UDP, as defined in [ITU.T38.2010]. 843 Update to section 5.2.1: 844 ------------------------ 846 OLD TEXT: 848 5.2.1. ICE Usage 850 When Interactive Connectivity Establishment (ICE) [RFC5245] is being 851 used, the ICE connectivity checks are performed before the DTLS 852 handshake begins. Note that if aggressive nomination mode is used, 853 multiple candidate pairs may be marked valid before ICE finally 854 converges on a single candidate pair. User Agents (UAs) MUST treat 855 all ICE candidate pairs associated with a single component as part 856 of the same DTLS association. Thus, there will be only one DTLS 857 handshake even if there are multiple valid candidate pairs. Note 858 that this may mean adjusting the endpoint IP addresses if the 859 selected candidate pair shifts, just as if the DTLS packets were an 860 ordinary media stream. In the case of an ICE restart, the DTLS 861 handshake procedure is repeated, and a new DTLS association is 862 created. Once the DTLS handshake is completed and the new DTLS 863 association has been created, the previous DTLS association is 864 deleted. 866 NEW TEXT: 868 5.2.1. ICE Usage 870 The Interactive Connectivity Establishment (ICE) 871 [I-D.ietf-ice-rfc5245bis] considerations for DTLS-protected media 872 are described in [RFCXXXX]. 874 10. Security Considerations 876 This specification does not modify the security considerations 877 associated with DTLS, or the SDP offer/answer mechanism. In addition 878 to the introduction of the SDP 'dtls-id' attribute, the specification 879 simply clarifies the procedures for negotiating and establishing a 880 DTLS association. 882 11. IANA Considerations 884 This document updates the "Session Description Protocol Parameters" 885 registry as specified in Section 8.2.2 of [RFC4566]. Specifically, 886 it adds the SDP 'dtls-id' attribute to the table for SDP media level 887 attributes. 889 Attribute name: dtls-id 890 Type of attribute: media-level 891 Subject to charset: no 892 Purpose: Indicates whether a new DTLS association is to be 893 established/re-established. 894 Appropriate Values: see Section 4 895 Contact name: Christer Holmberg 896 Mux Category: IDENTICAL 898 12. Acknowledgements 900 Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat, Jens Guballa, 901 Charles Eckel and Gonzalo Salgueiro for providing comments and 902 suggestions on the document. 904 13. Change Log 906 [RFC EDITOR NOTE: Please remove this section when publishing] 908 Changes from draft-ietf-mmusic-sdp-dtls-16 910 o Editorial changes based on 2nd WGLC comments from Christian Groves 911 and Nevenka Biondic. 913 Changes from draft-ietf-mmusic-sdp-dtls-15 915 o dtls-id attribute value made globally unique 917 Changes from draft-ietf-mmusic-sdp-dtls-14 919 o Changes based on comments from Flemming: 921 o - Additional dtls-is clarifiations 923 o - Editorial fixes 925 Changes from draft-ietf-mmusic-sdp-dtls-13 927 o Text about the updated RFCs added to Abstract and Introduction 929 o Reference to RFC 5763 removed from section 6 (ICE Considerations) 931 o Reference to RFC 5763 removed from section 8 (SIP Considerations) 933 Changes from draft-ietf-mmusic-sdp-dtls-12 935 o "unreliable" changed to "unordered" 937 Changes from draft-ietf-mmusic-sdp-dtls-11 939 o Attribute name changed to dtls-id 941 o Additional text based on comments from Roman Shpount. 943 Changes from draft-ietf-mmusic-sdp-dtls-10 945 o Modified document to use dtls-id instead of dtls-connection 946 o Changes are based on comments from Eric Rescorla, Justin Uberti, 947 and Paul Kyzivat. 949 Changes from draft-ietf-mmusic-sdp-dtls-08 951 o Offer/Answer section modified in order to allow sending of 952 multiple SDP 'fingerprint' attributes. 954 o Terminology made consistent: 'DTLS connection' replaced with 'DTLS 955 association'. 957 o Editorial changes based on comments from Paul Kyzivat. 959 Changes from draft-ietf-mmusic-sdp-dtls-07 961 o Reference to RFC 7315 replaced with reference to RFC 7345. 963 Changes from draft-ietf-mmusic-sdp-dtls-06 965 o Text on restrictions regarding spanning a DTLS association over 966 multiple transports added. 968 o Mux category added to IANA Considerations. 970 o Normative text regarding mux category and source-specific 971 applicability added. 973 o Reference to RFC 7315 added. 975 o Clarified that offerer/answerer that has not been updated to 976 support this specification will not include the dtls-id attribute 977 in offers and answers. 979 o Editorial corrections based on WGLC comments from Charles Eckel. 981 Changes from draft-ietf-mmusic-sdp-dtls-05 983 o Text on handling offer/answer error conditions added. 985 Changes from draft-ietf-mmusic-sdp-dtls-04 987 o Editorial nits fixed based on comments from Paul Kyzivat: 989 Changes from draft-ietf-mmusic-sdp-dtls-03 991 o Changes based on comments from Paul Kyzivat: 993 o - Modification of dtls-id attribute section. 995 o - Removal of IANA considerations subsection. 997 o - Making note into normative text in o/a section. 999 o Changes based on comments from Martin Thompson: 1001 o - Abbreviations section removed. 1003 o - Clarify that a new DTLS association requires a new o/a 1004 transaction. 1006 Changes from draft-ietf-mmusic-sdp-dtls-02 1008 o - Updated RFCs added to boilerplate. 1010 Changes from draft-ietf-mmusic-sdp-dtls-01 1012 o - Annex regarding 'dtls-id-id' attribute removed. 1014 o - Additional SDP offer/answer procedures, related to certificates, 1015 added. 1017 o - Updates to RFC 5763 and RFC 7345 added. 1019 o - Transport protocol considerations added. 1021 Changes from draft-ietf-mmusic-sdp-dtls-00 1023 o - SDP 'connection' attribute replaced with new 'dtls-id' 1024 attribute. 1026 o - IANA Considerations added. 1028 o - E-mail regarding 'dtls-id-id' attribute added as Annex. 1030 Changes from draft-holmberg-mmusic-sdp-dtls-01 1032 o - draft-ietf-mmusic version of draft submitted. 1034 o - Draft file name change (sdp-dtls -> dtls-sdp) due to collision 1035 with another expired draft. 1037 o - Clarify that if ufrag in offer is unchanged, it must be 1038 unchanged in associated answer. 1040 o - SIP Considerations section added. 1042 o - Section about multiple SDP fingerprint attributes added. 1044 Changes from draft-holmberg-mmusic-sdp-dtls-00 1046 o - Editorial changes and clarifications. 1048 14. References 1050 14.1. Normative References 1052 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1053 Requirement Levels", BCP 14, RFC 2119, 1054 DOI 10.17487/RFC2119, March 1997, 1055 . 1057 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 1058 A., Peterson, J., Sparks, R., Handley, M., and E. 1059 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 1060 DOI 10.17487/RFC3261, June 2002, 1061 . 1063 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 1064 with Session Description Protocol (SDP)", RFC 3264, 1065 DOI 10.17487/RFC3264, June 2002, 1066 . 1068 [RFC4145] Yon, D. and G. Camarillo, "TCP-Based Media Transport in 1069 the Session Description Protocol (SDP)", RFC 4145, 1070 DOI 10.17487/RFC4145, September 2005, 1071 . 1073 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 1074 Description Protocol", RFC 4566, DOI 10.17487/RFC4566, 1075 July 2006, . 1077 [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework 1078 for Establishing a Secure Real-time Transport Protocol 1079 (SRTP) Security Context Using Datagram Transport Layer 1080 Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 1081 2010, . 1083 [RFC7345] Holmberg, C., Sedlacek, I., and G. Salgueiro, "UDP 1084 Transport Layer (UDPTL) over Datagram Transport Layer 1085 Security (DTLS)", RFC 7345, DOI 10.17487/RFC7345, August 1086 2014, . 1088 [I-D.ietf-mmusic-4572-update] 1089 Lennox, J. and C. Holmberg, "Connection-Oriented Media 1090 Transport over TLS in SDP", draft-ietf-mmusic- 1091 4572-update-12 (work in progress), January 2017. 1093 14.2. Informative References 1095 [RFC4474] Peterson, J. and C. Jennings, "Enhancements for 1096 Authenticated Identity Management in the Session 1097 Initiation Protocol (SIP)", RFC 4474, 1098 DOI 10.17487/RFC4474, August 2006, 1099 . 1101 [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the 1102 Transport Layer Security (TLS) Protocol in the Session 1103 Description Protocol (SDP)", RFC 4572, 1104 DOI 10.17487/RFC4572, July 2006, 1105 . 1107 [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment 1108 (ICE): A Protocol for Network Address Translator (NAT) 1109 Traversal for Offer/Answer Protocols", RFC 5245, 1110 DOI 10.17487/RFC5245, April 2010, 1111 . 1113 [RFC5576] Lennox, J., Ott, J., and T. Schierl, "Source-Specific 1114 Media Attributes in the Session Description Protocol 1115 (SDP)", RFC 5576, DOI 10.17487/RFC5576, June 2009, 1116 . 1118 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 1119 Security (DTLS) Extension to Establish Keys for the Secure 1120 Real-time Transport Protocol (SRTP)", RFC 5764, 1121 DOI 10.17487/RFC5764, May 2010, 1122 . 1124 [RFC6083] Tuexen, M., Seggelmann, R., and E. Rescorla, "Datagram 1125 Transport Layer Security (DTLS) for Stream Control 1126 Transmission Protocol (SCTP)", RFC 6083, 1127 DOI 10.17487/RFC6083, January 2011, 1128 . 1130 [I-D.ietf-ice-rfc5245bis] 1131 Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive 1132 Connectivity Establishment (ICE): A Protocol for Network 1133 Address Translator (NAT) Traversal", draft-ietf-ice- 1134 rfc5245bis-08 (work in progress), December 2016. 1136 [I-D.ietf-mmusic-sdp-mux-attributes] 1137 Nandakumar, S., "A Framework for SDP Attributes when 1138 Multiplexing", draft-ietf-mmusic-sdp-mux-attributes-16 1139 (work in progress), December 2016. 1141 [I-D.ietf-mmusic-sdp-bundle-negotiation] 1142 Holmberg, C., Alvestrand, H., and C. Jennings, 1143 "Negotiating Media Multiplexing Using the Session 1144 Description Protocol (SDP)", draft-ietf-mmusic-sdp-bundle- 1145 negotiation-36 (work in progress), October 2016. 1147 [ITU.T38.2010] 1148 International Telecommunications Union, "Procedures for 1149 real-time Group 3 facsimile communication over IP 1150 networks", ITU-T Recommendation T.38, September 2010. 1152 Authors' Addresses 1154 Christer Holmberg 1155 Ericsson 1156 Hirsalantie 11 1157 Jorvas 02420 1158 Finland 1160 Email: christer.holmberg@ericsson.com 1162 Roman Shpount 1163 TurboBridge 1164 4905 Del Ray Avenue, Suite 300 1165 Bethesda, MD 20814 1166 USA 1168 Phone: +1 (240) 292-6632 1169 Email: rshpount@turbobridge.com