idnits 2.17.1 draft-ietf-mmusic-dtls-sdp-22.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC5763, updated by this document, for RFC5378 checks: 2007-11-12) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (March 15, 2017) is 2599 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Missing Reference: 'RFCXXXX' is mentioned on line 898, but not defined ** Obsolete normative reference: RFC 4566 (Obsoleted by RFC 8866) ** Obsolete normative reference: RFC 4572 (Obsoleted by RFC 8122) == Outdated reference: A later version (-20) exists of draft-ietf-ice-rfc5245bis-08 == Outdated reference: A later version (-19) exists of draft-ietf-mmusic-sdp-mux-attributes-16 == Outdated reference: A later version (-54) exists of draft-ietf-mmusic-sdp-bundle-negotiation-36 -- Obsolete informational reference (is this intentional?): RFC 4474 (Obsoleted by RFC 8224) -- Obsolete informational reference (is this intentional?): RFC 5245 (Obsoleted by RFC 8445, RFC 8839) Summary: 2 errors (**), 0 flaws (~~), 5 warnings (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Holmberg 3 Internet-Draft Ericsson 4 Updates: 5763,7345 (if approved) R. Shpount 5 Intended status: Standards Track TurboBridge 6 Expires: September 16, 2017 March 15, 2017 8 Using the SDP Offer/Answer Mechanism for DTLS 9 draft-ietf-mmusic-dtls-sdp-22.txt 11 Abstract 13 This document defines the SDP offer/answer procedures for negotiating 14 and establishing a DTLS association. The document also defines the 15 criteria for when a new DTLS association must be established. The 16 document updates RFC 5763 and RFC 7345, by replacing common SDP 17 offer/answer procedures with a reference to this specification. 19 This document defines a new SDP media-level attribute, 'dtls-id'. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at http://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on September 16, 2017. 38 Copyright Notice 40 Copyright (c) 2017 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (http://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 3 57 3. Establishing a new DTLS Association . . . . . . . . . . . . . 3 58 3.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3.2. Change of Local Transport Parameters . . . . . . . . . . 4 60 3.3. Change of ICE ufrag value . . . . . . . . . . . . . . . . 4 61 4. SDP dtls-id Attribute . . . . . . . . . . . . . . . . . . . . 4 62 5. SDP Offer/Answer Procedures . . . . . . . . . . . . . . . . . 6 63 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6 64 5.2. Generating the Initial SDP Offer . . . . . . . . . . . . 8 65 5.3. Generating the Answer . . . . . . . . . . . . . . . . . . 8 66 5.4. Offerer Processing of the SDP Answer . . . . . . . . . . 9 67 5.5. Modifying the Session . . . . . . . . . . . . . . . . . . 9 68 6. ICE Considerations . . . . . . . . . . . . . . . . . . . . . 10 69 7. Transport Protocol Considerations . . . . . . . . . . . . . . 11 70 7.1. Transport Re-Usage . . . . . . . . . . . . . . . . . . . 11 71 8. SIP Considerations . . . . . . . . . . . . . . . . . . . . . 11 72 9. RFC Updates . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 9.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 11 74 9.2. Update to RFC 5763 . . . . . . . . . . . . . . . . . . . 11 75 9.3. Update to RFC 7345 . . . . . . . . . . . . . . . . . . . 16 76 10. Security Considerations . . . . . . . . . . . . . . . . . . . 20 77 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 78 12. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 20 79 13. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 20 80 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 81 14.1. Normative References . . . . . . . . . . . . . . . . . . 24 82 14.2. Informative References . . . . . . . . . . . . . . . . . 25 83 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26 85 1. Introduction 87 [RFC5763] defines SDP offer/answer procedures for SRTP-DTLS. 88 [RFC7345] defines SDP offer/answer procedures for UDPTL-DTLS. This 89 specification defines general offer/answer procedures for DTLS, based 90 on the procedures in [RFC5763]. Other specifications, defining 91 specific DTLS usages, can then reference this specification, in order 92 to ensure that the DTLS aspects are common among all usages. Having 93 common procedures is essential when multiple usages share the same 94 DTLS association [I-D.ietf-mmusic-sdp-bundle-negotiation]. The 95 document updates [RFC5763] and [RFC7345], by replacing common SDP 96 offer/answer procedures with a reference to this specification. 98 NOTE: Since the publication of [RFC5763], [RFC4474] has been 99 obsoleted by [I-D.ietf-stir-rfc4474bis]. The updating of the 100 references (and the associated procedures) within [RFC5763] is 101 outside the scope of this document. However, implementers of 102 [RFC5763] applications are encouraged to implement 103 [I-D.ietf-stir-rfc4474bis] instead of [RFC4474]. 105 As defined in [RFC5763], a new DTLS association MUST be established 106 when transport parameters are changed. Transport parameter change is 107 not well defined when Interactive Connectivity Establishment (ICE) 108 [I-D.ietf-ice-rfc5245bis] is used. One possible way to determine a 109 transport change is based on ufrag change, but the ufrag value is 110 changed both when ICE is negotiated and when ICE restart 111 [I-D.ietf-ice-rfc5245bis] occurs. These events do not always require 112 a new DTLS association to be established, but currently there is no 113 way to explicitly indicate in an SDP offer or answer whether a new 114 DTLS association is required. To solve that problem, this document 115 defines a new SDP attribute, 'dtls-id'. The pair of SDP 'dtls-id' 116 attribute values (the attribute values of the offerer and the 117 answerer) uniquely identifies the DTLS association. Providing a new 118 value of the 'dtls-id' attribute in an SDP offer or answers can be 119 used to indicate whether a new DTLS association is to be established. 121 2. Conventions 123 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 124 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 125 document are to be interpreted as described in [RFC2119]. 127 3. Establishing a new DTLS Association 129 3.1. General 131 A new DTLS association must be established between two endpoints 132 after a successful SDP offer/answer exchange in the following cases: 134 o The negotiated DTLS setup roles change; or 136 o One or more fingerprint values are modified, added or removed in 137 either an SDP offer or answer; or 139 o The intent to establish a new DTLS association is explicitly 140 signaled using SDP, by changing the value of the SDP 'dtls-id' 141 attribute defined in this document; 143 NOTE: The first two items above are based on the procedures in 144 [RFC5763]. This specification adds the support for explicit 145 signaling using the SDP 'dtls-id' attribute. 147 A new DTLS association can only be established as a result of the 148 successful SDP offer/answer exchange. Whenever an entity determines 149 that a new DTLS association is required, the entity MUST initiate an 150 SDP offer/answer exchange, following the procedures in Section 5. 152 The sections below describe typical cases where a new DTLS 153 association needs to be established. 155 In this document, a "new DTLS association" between two endpoints 156 refers to either an initial DTLS association (when no DTLS 157 association is currently established between the endpoints) or an 158 DTLS association replacing a previously established DTLS association. 160 3.2. Change of Local Transport Parameters 162 If an endpoint modifies its local transport parameters (address and/ 163 or port), and if the modification requires a new DTLS association, 164 the endpoint must change its local SDP 'dtls-id' attribute value (see 165 Section 4). 167 If the underlying transport prohibits a DTLS association from 168 spanning multiple transports, and if the transport is changed, the 169 endpoint must change its local SDP 'dtls-id' attribute value (see 170 Section 4). An example of such a case is when DTLS is carried over 171 SCTP, as described in [RFC6083]. 173 3.3. Change of ICE ufrag value 175 If an endpoint uses ICE, and modifies a local ufrag value, and if the 176 modification requires a new DTLS association, the endpoint MUST 177 change its local SDP 'dtls-id' attribute value (see Section 4). 179 4. SDP dtls-id Attribute 181 The pair of SDP 'dtls-id' attribute values (the attribute values of 182 the offerer and the answerer) uniquely identifies the DTLS 183 association. 185 Name: dtls-id 187 Value: dtls-id-value 189 Usage Level: media 191 Charset Dependent: no 193 Default Value: N/A 195 Syntax: 197 dtls-id-value = 20*255(dtls-id-char) 198 dtls-id-char = ALPHA / DIGIT / "+" / "/" / "-" / "_" 200 202 Example: 204 a=dtls-id:abc3de65cddef001be82 206 Every time an endpoint requests to establish a new DTLS association, 207 the endpoint MUST generate a new local 'dtls-id' attribute value. A 208 non-changed local 'dtls-id' attribute value, in combination with non- 209 changed fingerprints, indicates that the endpoint intends to reuse 210 the existing DTLS association. 212 The 'dtls-id' attribute value MUST be generated using a cryptographic 213 random function and include at least 120 bits of randomness. 215 No default value is defined for the SDP 'dtls-id' attribute. 216 Implementations that wish to use the attribute MUST explicitly 217 include it in SDP offers and answers. If an offer or answer does not 218 contain a 'dtls-id' attribute (this could happen if the offerer or 219 answerer represents an existing implementation that has not been 220 updated to support the 'dtls-id' attribute), unless there is another 221 mechanism to explicitly indicate that a new DTLS association is to be 222 established, a modification of one or more of the following 223 characteristics MUST be treated as an indication that an endpoint 224 wants to establish a new DTLS association: 226 o DTLS setup role; or 228 o fingerprint set; or 230 o local transport parameters; or 231 o ICE ufrag value 233 The mux category [I-D.ietf-mmusic-sdp-mux-attributes] for the 'dtls- 234 id' attribute is 'IDENTICAL', which means that the attribute value 235 must be identical across all media descriptions being multiplexed 236 [I-D.ietf-mmusic-sdp-bundle-negotiation]. 238 For RTP-based media, the 'dtls-id' attribute applies to the whole 239 associated media description. The attribute MUST NOT be defined per 240 source (using the SDP 'ssrc' attribute [RFC5576]). 242 The SDP offer/answer [RFC3264] procedures associated with the 243 attribute are defined in Section 5. 245 5. SDP Offer/Answer Procedures 247 5.1. General 249 This section defines the generic SDP offer/answer procedures for 250 negotiating a DTLS association. Additional procedures (e.g., 251 regarding usage of specific SDP attributes etc.) for individual DTLS 252 usages (e.g., SRTP-DTLS) are outside the scope of this specification, 253 and need to be specified in a usage specific specification. 255 NOTE: The procedures in this section are generalizations of 256 procedures first specified in SRTP-DTLS [RFC5763], with the addition 257 of usage of the SDP 'dtls-id' attribute. That document is herein 258 updated to make use of these new procedures. 260 The procedures in this section apply to an SDP media description 261 ("m=" line) associated with DTLS-protected media/data. 263 When an offerer or answerer indicates that it wants to establish a 264 new DTLS association, it needs to make sure that media packets in the 265 existing DTLS association and new DTLS association can be de- 266 multiplexed. In case of an ordered transport (e.g., SCTP) this can 267 be done simply by sending packets for the new DTLS association after 268 all packets for the existing DTLS association have been sent. In 269 case of an unordered transport, such as UDP, packets for the old DTLS 270 association can arrive after the answer SDP was received and after 271 the first packets for the new DTLS association were received. The 272 only way to de-multiplex packets belonging to the old and new DTLS 273 association is on the basis of transport 5-tuple. Because of this, 274 if an unordered transport is used for the DTLS association, a new 275 transport (3-tuple) must be allocated by at least one of the 276 endpoints so that DTLS packets can be de-multiplexed. 278 When an offerer needs to establish a new DTLS association, and if an 279 unordered transport (e.g., UDP) is used, the offerer MUST allocate a 280 new transport (3-tuple) for the offer in such a way that the offerer 281 can disambiguate any packets associated with the new DTLS association 282 from any packets associated with any other DTLS association. This 283 typically means using a local address and/or port, or a set of ICE 284 candidates (see Section 6), which were not recently used for any 285 other DTLS association. 287 When an answerer needs to establish a new DTLS association, if an 288 unordered transport is used, and if the offerer did not allocate a 289 new transport, the answerer MUST allocate a new transport for the 290 answer in such a way that it can disambiguate any packets associated 291 with the new DTLS association from any packets associated with any 292 other DTLS association. This typically means using a local address 293 and/or port, or a set of ICE candidates (see Section 6), which were 294 not recently used for any other DTLS association. 296 In order to negotiate a DTLS association, the following SDP 297 attributes are used: 299 o The SDP 'setup' attribute, defined in [RFC4145], is used to 300 negotiate the DTLS roles; 302 o The SDP 'fingerprint' attribute, defined in 303 [I-D.ietf-mmusic-4572-update], is used to provide one or more 304 fingerprint values; and 306 o The SDP 'dtls-id' attribute, defined in this specification, is 307 used to identity the DTLS association. 309 This specification does not define the usage of the SDP 'connection' 310 attribute [RFC4145] for negotiating a DTLS association. However, the 311 attribute MAY be used if the DTLS association is used together with 312 another protocol (e.g., SCTP or TCP) for which the usage of the 313 attribute has been defined. 315 Unlike for TCP and TLS connections, endpoints MUST NOT use the SDP 316 'setup' attribute 'holdconn' value when negotiating a DTLS 317 association. 319 Endpoints MUST support the cipher suites as defined in 320 [I-D.ietf-mmusic-4572-update]. 322 The certificate received during the DTLS handshake MUST match a 323 certificate fingerprints received in SDP 'fingerprint' attributes 324 according to the procedures defined in [I-D.ietf-mmusic-4572-update]. 325 If fingerprints do not match the hashed certificate, then an endpoint 326 MUST tear down the media session immediately (see 327 [I-D.ietf-mmusic-4572-update]). Note that it is permissible to wait 328 until the other side's fingerprint(s) has been received before 329 establishing the connection; however, this may have undesirable 330 latency effects. 332 SDP offerers and answerers might reuse certificates across multiple 333 DTLS associations, and provide identical fingerprint values for each 334 DTLS association. The combination of the SDP 'dtls-id' attribute 335 values of the SDP offerer and answerer identifies each individual 336 DTLS association. 338 5.2. Generating the Initial SDP Offer 340 When an offerer sends the initial offer, the offerer MUST insert an 341 SDP 'setup' attribute according to the procedures in [RFC4145], and 342 one or more SDP 'fingerprint' attributes according to the procedures 343 in [I-D.ietf-mmusic-4572-update]. In addition, the offerer MUST 344 insert in the offer an SDP 'dtls-id' attribute with a unique value. 346 If the offerer inserts the SDP 'setup' attribute with an 'actpass' or 347 'passive' attribute value, the offerer MUST be prepared to receive a 348 DTLS ClientHello message (if a new DTLS association is established by 349 the answerer) from the answerer before the offerer receives the SDP 350 answer. 352 5.3. Generating the Answer 354 When an answerer sends an answer, the answerer MUST insert in the 355 answer an SDP 'setup' attribute according to the procedures in 356 [RFC4145], and one or more SDP 'fingerprint' attributes according to 357 the procedures in [I-D.ietf-mmusic-4572-update]. If the answerer 358 determines, based on the criteria specified in Section 3.1, that a 359 new DTLS association is to be established, the answerer MUST insert 360 in the associated answer an SDP 'dtls-id' attribute with a new unique 361 value. Note that the offerer and answerer generate their own local 362 'dtls-id' attribute values, and the combination of both values 363 identify the DTLS association. 365 If the answerer receives an offer that requires establishment of a 366 new DTLS association, and if the answerer does not accept the 367 establishment of a new DTLS association, the answerer MUST reject the 368 "m=" lines associated with the suggested DTLS association [RFC3264]. 370 If an answerer receives an offer that does not require the 371 establishment of a new DTLS association, and if the answerer 372 determines that a new DTLS association is not to be established, the 373 answerer MUST insert an SDP 'dtls-id' attribute with the previously 374 assigned value in the associated answer. In addition, the answerer 375 MUST insert an SDP 'setup' attribute with a value that does not 376 change the previously negotiated DTLS roles, and one or more SDP 377 'fingerprint' attributes values that do not change the previously 378 sent fingerprint set, in the associated answer. 380 If the answerer receives an offer that does not contain an SDP 'dtls- 381 id' attribute, the answerer MUST NOT insert a 'dtls-id' attribute in 382 the answer. 384 If a new DTLS association is to be established, and if the answerer 385 inserts an SDP 'setup' attribute with an 'active' value in the 386 answer, the answerer MUST initiate a DTLS handshake by sending a DTLS 387 ClientHello message towards the offerer. 389 5.4. Offerer Processing of the SDP Answer 391 When an offerer receives an answer that establishes a new DTLS 392 association based on criteria defined in Section 3.1, and if the 393 offerer becomes DTLS client (based on the value of the SDP 'setup' 394 attribute value [RFC4145]), the offerer MUST establish a DTLS 395 association. If the offerer becomes DTLS server, it MUST wait for 396 the answerer to establish the DTLS association. 398 If the answer does not establish a new DTLS association, the offerer 399 will continue using the previously established DTLS association. 401 NOTE: A new DTLS association can be established based on changes in 402 either an SDP offer or answer. When communicating with legacy 403 endpoints, an offerer can receive an answer that includes the same 404 fingerprint set and setup role. A new DTLS association MUST still be 405 established if such an answer was received as a response to an offer 406 which requested the establishment of a new DTLS association. 408 5.5. Modifying the Session 410 When the offerer sends a subsequent offer, and if the offerer wants 411 to establish a new DTLS association, the offerer MUST insert an SDP 412 'setup' attribute according to the procedures in [RFC4145], and one 413 or more SDP 'fingerprint' attributes according to the procedures in 414 [I-D.ietf-mmusic-4572-update]. In addition, the offerer MUST insert 415 in the offer an SDP 'dtls-id' attribute with a new unique value. 417 When the offerer sends a subsequent offer, and the offerer does not 418 want to establish a new DTLS association, and if a previously 419 established DTLS association exists, the offerer MUST insert an SDP 420 'dtls-id' attribute with the previously assigned value in the offer. 421 In addition, the offerer MUST insert an SDP 'setup' attribute, and 422 one or more SDP 'fingerprint' attributes with values that do not 423 change the previously sent fingerprint set, in the offer. The value 424 of the 'setup' attribute SHOULD be set to 'actpass', in order to 425 allow the answerer to establish a new DTLS association with a 426 different role, but MAY be set to the current negotiated role 427 ('active' or 'passive'). It MUST NOT be set to a value that changes 428 the current negotiated role. 430 NOTE: When a new DTLS association is being established, each endpoint 431 needs to be prepared to receive data on both the new and old DTLS 432 associations as long as both are alive. 434 6. ICE Considerations 436 When the Interactive Connectivity Establishment (ICE) mechanism 437 [I-D.ietf-ice-rfc5245bis] is used, the ICE connectivity checks are 438 performed before the DTLS handshake begins. Note that if aggressive 439 nomination mode is used, multiple candidate pairs may be marked valid 440 before ICE finally converges on a single candidate pair. 442 NOTE: Aggressive nomination has been deprecated from ICE, but must 443 still be supported for backwards compatibility reasons 444 [I-D.ietf-ice-rfc5245bis]. 446 When a new DTLS association is established over an unordered 447 transport, in order to disambiguate any packets associated with the 448 newly established DTLS association, at least one of the endpoints 449 MUST allocate a completely new set of ICE candidates which were not 450 recently used for any other DTLS association. This means the 451 answerer cannot initiate a new DTLS association unless the offerer 452 initiated ICE restart [I-D.ietf-ice-rfc5245bis]. If the answerer 453 wants to initiate a new DTLS association, it needs to initiate an ICE 454 restart and a new offer/answer exchange on its own. However, an ICE 455 restart does not by default require a new DTLS association to be 456 established. 458 NOTE: Simple Traversal of the UDP Protocol through NAT (STUN) packets 459 are sent directly over UDP, not over DTLS. [RFC5764] describes how 460 to demultiplex STUN packets from DTLS packets and SRTP packets. 462 Each ICE candidate associated with a component is treated as being 463 part of the same DTLS association. Therefore, from a DTLS 464 perspective it is not considered a change of local transport 465 parameters when an endpoint switches between those ICE candidates. 467 7. Transport Protocol Considerations 469 7.1. Transport Re-Usage 471 If DTLS is transported on top of a connection-oriented transport 472 protocol (e.g., TCP or SCTP), where all IP packets are acknowledged, 473 all DTLS packets associated with a previous DTLS association MUST be 474 acknowledged (or timed out) before a new DTLS association can be 475 established on the same instance of that transport (5-tuple). 477 8. SIP Considerations 479 When the Session Initiation Protocol (SIP) [RFC3261] is used as the 480 signal protocol for establishing a multimedia session, dialogs 481 [RFC3261] might be established between the caller and multiple 482 callees. This is referred to as forking. If forking occurs, 483 separate DTLS associations will be established between the caller and 484 each callee. 486 It is possible to send an INVITE request which does not contain an 487 SDP offer. Such an INVITE request is often referred to as an 'empty 488 INVITE', or an 'offer-less INVITE'. The receiving endpoint will 489 include the SDP offer in a response to the request. When the 490 endpoint generates such SDP offer, if a previously established DTLS 491 association exists, the offerer MUST insert an SDP 'dtls-id' 492 attribute, and one or more SDP 'fingerprint' attributes, with 493 previously assigned attribute values. If a previously established 494 DTLS association did not exist, the offer MUST be generated based on 495 the same rules as a new offer (see Section 5.2). Regardless of the 496 previous existence of a DTLS association, the SDP 'setup' attribute 497 MUST be included according to the rules defined in [RFC4145] and if 498 ICE is used, ICE restart MUST be initiated. 500 9. RFC Updates 502 9.1. General 504 This section updates specifications that use DTLS-protected media, in 505 order to reflect the procedures defined in this specification. 507 9.2. Update to RFC 5763 509 Update to section 5: 510 -------------------- 512 OLD TEXT: 514 5. Establishing a Secure Channel 516 The two endpoints in the exchange present their identities as part of 517 the DTLS handshake procedure using certificates. This document uses 518 certificates in the same style as described in "Connection-Oriented 519 Media Transport over the Transport Layer Security (TLS) Protocol in 520 the Session Description Protocol (SDP)" [RFC4572]. 522 If self-signed certificates are used, the content of the 523 subjectAltName attribute inside the certificate MAY use the uniform 524 resource identifier (URI) of the user. This is useful for debugging 525 purposes only and is not required to bind the certificate to one of 526 the communication endpoints. The integrity of the certificate is 527 ensured through the fingerprint attribute in the SDP. The 528 subjectAltName is not an important component of the certificate 529 verification. 531 The generation of public/private key pairs is relatively expensive. 532 Endpoints are not required to generate certificates for each session. 534 The offer/answer model, defined in [RFC3264], is used by protocols 535 like the Session Initiation Protocol (SIP) [RFC3261] to set up 536 multimedia sessions. In addition to the usual contents of an SDP 537 [RFC4566] message, each media description ("m=" line and associated 538 parameters) will also contain several attributes as specified in 539 [RFC5764], [RFC4145], and [RFC4572]. 541 When an endpoint wishes to set up a secure media session with another 542 endpoint, it sends an offer in a SIP message to the other endpoint. 543 This offer includes, as part of the SDP payload, the fingerprint of 544 the certificate that the endpoint wants to use. The endpoint SHOULD 545 send the SIP message containing the offer to the offerer's SIP proxy 546 over an integrity protected channel. The proxy SHOULD add an 547 Identity header field according to the procedures outlined in 548 [RFC4474]. The SIP message containing the offer SHOULD be sent to 549 the offerer's SIP proxy over an integrity protected channel. When 550 the far endpoint receives the SIP message, it can verify the identity 551 of the sender using the Identity header field. Since the Identity 552 header field is a digital signature across several SIP header fields, 553 in addition to the body of the SIP message, the receiver can also be 554 certain that the message has not been tampered with after the digital 555 signature was applied and added to the SIP message. 557 The far endpoint (answerer) may now establish a DTLS association with 558 the offerer. Alternately, it can indicate in its answer that the 559 offerer is to initiate the TLS association. In either case, mutual 560 DTLS certificate-based authentication will be used. After completing 561 the DTLS handshake, information about the authenticated identities, 562 including the certificates, are made available to the endpoint 563 application. The answerer is then able to verify that the offerer's 564 certificate used for authentication in the DTLS handshake can be 565 associated to the certificate fingerprint contained in the offer in 566 the SDP. At this point, the answerer may indicate to the end user 567 that the media is secured. The offerer may only tentatively accept 568 the answerer's certificate since it may not yet have the answerer's 569 certificate fingerprint. 571 When the answerer accepts the offer, it provides an answer back to 572 the offerer containing the answerer's certificate fingerprint. At 573 this point, the offerer can accept or reject the peer's certificate 574 and the offerer can indicate to the end user that the media is 575 secured. 577 Note that the entire authentication and key exchange for securing the 578 media traffic is handled in the media path through DTLS. The 579 signaling path is only used to verify the peers' certificate 580 fingerprints. 582 The offer and answer MUST conform to the following requirements. 584 o The endpoint MUST use the setup attribute defined in [RFC4145]. 585 The endpoint that is the offerer MUST use the setup attribute 586 value of setup:actpass and be prepared to receive a client_hello 587 before it receives the answer. The answerer MUST use either a 588 setup attribute value of setup:active or setup:passive. Note that 589 if the answerer uses setup:passive, then the DTLS handshake will 590 not begin until the answerer is received, which adds additional 591 latency. setup:active allows the answer and the DTLS handshake to 592 occur in parallel. Thus, setup:active is RECOMMENDED. Whichever 593 party is active MUST initiate a DTLS handshake by sending a 594 ClientHello over each flow (host/port quartet). 596 o The endpoint MUST NOT use the connection attribute defined in 597 [RFC4145]. 599 o The endpoint MUST use the certificate fingerprint attribute as 600 specified in [RFC4572]. 602 o The certificate presented during the DTLS handshake MUST match the 603 fingerprint exchanged via the signaling path in the SDP. The 604 security properties of this mechanism are described in Section 8. 606 o If the fingerprint does not match the hashed certificate, then the 607 endpoint MUST tear down the media session immediately. Note that 608 it is permissible to wait until the other side's fingerprint has 609 been received before establishing the connection; however, this 610 may have undesirable latency effects. 612 NEW TEXT: 614 5. Establishing a Secure Channel 616 The two endpoints in the exchange present their identities as part of 617 the DTLS handshake procedure using certificates. This document uses 618 certificates in the same style as described in "Connection-Oriented 619 Media Transport over the Transport Layer Security (TLS) Protocol in 620 the Session Description Protocol (SDP)" [RFC4572]. 622 If self-signed certificates are used, the content of the 623 subjectAltName attribute inside the certificate MAY use the uniform 624 resource identifier (URI) of the user. This is useful for debugging 625 purposes only and is not required to bind the certificate to one of 626 the communication endpoints. The integrity of the certificate is 627 ensured through the fingerprint attribute in the SDP. 629 The generation of public/private key pairs is relatively expensive. 630 Endpoints are not required to generate certificates for each session. 632 The offer/answer model, defined in [RFC3264], is used by protocols 633 like the Session Initiation Protocol (SIP) [RFC3261] to set up 634 multimedia sessions. 636 When an endpoint wishes to set up a secure media session with another 637 endpoint, it sends an offer in a SIP message to the other endpoint. 638 This offer includes, as part of the SDP payload, a fingerprint of 639 a certificate that the endpoint wants to use. The endpoint SHOULD 640 send the SIP message containing the offer to the offerer's SIP proxy 641 over an integrity protected channel. The proxy SHOULD add an 642 Identity header field according to the procedures outlined in 643 [RFC4474]. When the far endpoint receives the SIP message, it can 644 verify the identity of the sender using the Identity header field. 645 Since the Identity header field is a digital signature across several 646 SIP header fields, in addition to the body of the SIP message, the 647 receiver can also be certain that the message has not been tampered 648 with after the digital signature was applied and added to the SIP 649 message. 651 The far endpoint (answerer) may now establish a DTLS association with 652 the offerer. Alternately, it can indicate in its answer that the 653 offerer is to initiate the DTLS association. In either case, mutual 654 DTLS certificate-based authentication will be used. After completing 655 the DTLS handshake, information about the authenticated identities, 656 including the certificates, are made available to the endpoint 657 application. The answerer is then able to verify that the offerer's 658 certificate used for authentication in the DTLS handshake can be 659 associated to a certificate fingerprint contained in the offer in 660 the SDP. At this point, the answerer may indicate to the end user 661 that the media is secured. The offerer may only tentatively accept 662 the answerer's certificate since it may not yet have the answerer's 663 certificate fingerprint. 665 When the answerer accepts the offer, it provides an answer back to 666 the offerer containing the answerer's certificate fingerprint. At 667 this point, the offerer can accept or reject the peer's certificate 668 and the offerer can indicate to the end user that the media is 669 secured. 671 Note that the entire authentication and key exchange for securing 672 the media traffic is handled in the media path through DTLS. The 673 signaling path is only used to verify the peers' certificate 674 fingerprints. 676 The offerer and answerer MUST follow the SDP offer/answer procedures 677 defined in [RFCXXXX]. 679 [RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number 680 of this document.] 682 Update to section 6.6: 683 ---------------------- 685 OLD TEXT: 687 6.6. Session Modification 689 Once an answer is provided to the offerer, either endpoint MAY 690 request a session modification that MAY include an updated offer. 691 This session modification can be carried in either an INVITE or 692 UPDATE request. The peers can reuse the existing associations if 693 they are compatible (i.e., they have the same key fingerprints and 694 transport parameters), or establish a new one following the same 695 rules are for initial exchanges, tearing down the existing 696 association as soon as the offer/answer exchange is completed. Note 697 that if the active/passive status of the endpoints changes, a new 698 connection MUST be established. 700 NEW TEXT: 702 6.6. Session Modification 704 Once an answer is provided to the offerer, either endpoint MAY 705 request a session modification that MAY include an updated offer. 706 This session modification can be carried in either an INVITE or 707 UPDATE request. The peers can reuse an existing DTLS association, 708 or establish a new one, following the procedures in [RFCXXXX]. 710 [RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number 711 of this document.] 713 Update to section 6.7.1: 714 ------------------------ 716 OLD TEXT: 718 6.7.1. ICE Interaction 720 Interactive Connectivity Establishment (ICE), as specified in 721 [RFC5245], provides a methodology of allowing participants in 722 multimedia sessions to verify mutual connectivity. When ICE is being 723 used, the ICE connectivity checks are performed before the DTLS 724 handshake begins. Note that if aggressive nomination mode is used, 725 multiple candidate pairs may be marked valid before ICE finally 726 converges on a single candidate pair. Implementations MUST treat all 727 ICE candidate pairs associated with a single component as part of the 728 same DTLS association. Thus, there will be only one DTLS handshake 729 even if there are multiple valid candidate pairs. Note that this may 730 mean adjusting the endpoint IP addresses if the selected candidate 731 pair shifts, just as if the DTLS packets were an ordinary media 732 stream. 734 Note that Simple Traversal of the UDP Protocol through NAT (STUN) 735 packets are sent directly over UDP, not over DTLS. [RFC5764] 736 describes how to demultiplex STUN packets from DTLS packets and SRTP 737 packets. 739 NEW TEXT: 741 6.7.1. ICE Interaction 743 The Interactive Connectivity Establishment (ICE) 744 [I-D.ietf-ice-rfc5245bis] considerations for DTLS-protected media 745 are described in [RFCXXXX]. 747 9.3. Update to RFC 7345 749 [RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number 750 of this document.] 752 Update to section 4: 753 -------------------- 755 OLD TEXT: 757 4. SDP Offerer/Answerer Procedures 759 4.1. General 761 An endpoint (i.e., both the offerer and the answerer) MUST create an 762 SDP media description ("m=" line) for each UDPTL-over-DTLS media 763 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 764 "proto" field of the "m=" line. 766 The procedures in this section apply to an "m=" line associated with 767 a UDPTL-over-DTLS media stream. 769 In order to negotiate a UDPTL-over-DTLS media stream, the following 770 SDP attributes are used: 772 o The SDP attributes defined for UDPTL over UDP, as described in 773 [ITU.T38.2010]; and 775 o The SDP attributes, defined in [RFC4145] and [RFC4572], as 776 described in this section. 778 The endpoint MUST NOT use the SDP "connection" attribute [RFC4145]. 780 In order to negotiate the TLS roles for the UDPTL-over-DTLS transport 781 connection, the endpoint MUST use the SDP "setup" attribute 782 [RFC4145]. 784 If the endpoint supports, and is willing to use, a cipher suite with 785 an associated certificate, the endpoint MUST include an SDP 786 "fingerprint" attribute [RFC4572]. The endpoint MUST support SHA-256 787 for generating and verifying the SDP "fingerprint" attribute value. 788 The use of SHA-256 is preferred. UDPTL over DTLS, at a minimum, MUST 789 support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support 790 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. UDPTL over DTLS MUST prefer 791 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and any other Perfect Forward 792 Secrecy (PFS) cipher suites over non-PFS cipher suites. 793 Implementations SHOULD disable TLS-level compression. 795 If a cipher suite with an associated certificate is selected during 796 the DTLS handshake, the certificate received during the DTLS 797 handshake MUST match the fingerprint received in the SDP 798 "fingerprint" attribute. If the fingerprint does not match the 799 hashed certificate, then the endpoint MUST tear down the media 800 session immediately. Note that it is permissible to wait until the 801 other side's fingerprint has been received before establishing the 802 connection; however, this may have undesirable latency effects. 804 4.2. Generating the Initial Offer 806 The offerer SHOULD assign the SDP "setup" attribute with a value of 807 "actpass", unless the offerer insists on being either the sender or 808 receiver of the DTLS ClientHello message, in which case the offerer 809 can use either a value of "active" (the offerer will be the sender of 810 ClientHello) or "passive" (the offerer will be the receiver of 811 ClientHello). The offerer MUST NOT assign an SDP "setup" attribute 812 with a "holdconn" value. 814 If the offerer assigns the SDP "setup" attribute with a value of 815 "actpass" or "passive", the offerer MUST be prepared to receive a 816 DTLS ClientHello message before it receives the SDP answer. 818 4.3. Generating the Answer 820 If the answerer accepts the offered UDPTL-over-DTLS transport 821 connection, in the associated SDP answer, the answerer MUST assign an 822 SDP "setup" attribute with a value of either "active" or "passive", 823 according to the procedures in [RFC4145]. The answerer MUST NOT 824 assign an SDP "setup" attribute with a value of "holdconn". 826 If the answerer assigns an SDP "setup" attribute with a value of 827 "active" value, the answerer MUST initiate a DTLS handshake by 828 sending a DTLS ClientHello message on the negotiated media stream, 829 towards the IP address and port of the offerer. 831 4.4. Offerer Processing of the Answer 833 When the offerer receives an SDP answer, if the offerer ends up being 834 active it MUST initiate a DTLS handshake by sending a DTLS 835 ClientHello message on the negotiated media stream, towards the IP 836 address and port of the answerer. 838 4.5. Modifying the Session 840 Once an offer/answer exchange has been completed, either endpoint MAY 841 send a new offer in order to modify the session. The endpoints can 842 reuse the existing DTLS association if the key fingerprint values and 843 transport parameters indicated by each endpoint are unchanged. 844 Otherwise, following the rules for the initial offer/answer exchange, 845 the endpoints can negotiate and create a new DTLS association and, 846 once created, delete the previous DTLS association, following the 847 same rules for the initial offer/answer exchange. Each endpoint 848 needs to be prepared to receive data on both the new and old DTLS 849 associations as long as both are alive. 851 NEW TEXT: 853 4. SDP Offerer/Answerer Procedures 855 An endpoint (i.e., both the offerer and the answerer) MUST create an 856 SDP media description ("m=" line) for each UDPTL-over-DTLS media 857 stream and MUST assign a UDP/TLS/UDPTL value (see Table 1) to the 858 "proto" field of the "m=" line. 860 The offerer and answerer MUST follow the SDP offer/answer procedures 861 defined in [RFCXXXX] in order to negotiate the DTLS association 862 associated with the UDPTL-over-DTLS media stream. In addition, 863 the offerer and answerer MUST use the SDP attributes defined for 864 UDPTL over UDP, as defined in [ITU.T38.2010]. 866 [RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number 867 of this document.] 869 Update to section 5.2.1: 870 ------------------------ 872 OLD TEXT: 874 5.2.1. ICE Usage 876 When Interactive Connectivity Establishment (ICE) [RFC5245] is being 877 used, the ICE connectivity checks are performed before the DTLS 878 handshake begins. Note that if aggressive nomination mode is used, 879 multiple candidate pairs may be marked valid before ICE finally 880 converges on a single candidate pair. User Agents (UAs) MUST treat 881 all ICE candidate pairs associated with a single component as part 882 of the same DTLS association. Thus, there will be only one DTLS 883 handshake even if there are multiple valid candidate pairs. Note 884 that this may mean adjusting the endpoint IP addresses if the 885 selected candidate pair shifts, just as if the DTLS packets were an 886 ordinary media stream. In the case of an ICE restart, the DTLS 887 handshake procedure is repeated, and a new DTLS association is 888 created. Once the DTLS handshake is completed and the new DTLS 889 association has been created, the previous DTLS association is 890 deleted. 892 NEW TEXT: 894 5.2.1. ICE Usage 896 The Interactive Connectivity Establishment (ICE) 897 [I-D.ietf-ice-rfc5245bis] considerations for DTLS-protected media 898 are described in [RFCXXXX]. 900 [RFC EDITOR NOTE: Please replace RFCXXXX with the RFC number 901 of this document.] 903 10. Security Considerations 905 This specification does not modify the security considerations 906 associated with DTLS, or the SDP offer/answer mechanism. In addition 907 to the introduction of the SDP 'dtls-id' attribute, the specification 908 simply clarifies the procedures for negotiating and establishing a 909 DTLS association. 911 11. IANA Considerations 913 This document updates the "Session Description Protocol Parameters" 914 registry as specified in Section 8.2.2 of [RFC4566]. Specifically, 915 it adds the SDP 'dtls-id' attribute to the table for SDP media level 916 attributes. 918 Attribute name: dtls-id 919 Type of attribute: media-level 920 Subject to charset: no 921 Purpose: Indicates whether a new DTLS association is to be 922 established/re-established. 923 Appropriate Values: see Section 4 924 Contact name: Christer Holmberg 925 Mux Category: IDENTICAL 927 12. Acknowledgements 929 Thanks to Justin Uberti, Martin Thomson, Paul Kyzivat, Jens Guballa, 930 Charles Eckel, Gonzalo Salgueiro and Paul Jones for providing 931 comments and suggestions on the document. Ben Campbell performed an 932 AD review. 934 13. Change Log 936 [RFC EDITOR NOTE: Please remove this section when publishing] 938 Changes from draft-ietf-mmusic-sdp-dtls-21 939 o Changes based on AD review by Ben Campbell. 941 o (https://www.ietf.org/mail-archive/web/mmusic/current/ 942 msg17707.html) 944 Changes from draft-ietf-mmusic-sdp-dtls-20 946 o Change to length and randomness of dtls-id attribute value. 948 Changes from draft-ietf-mmusic-sdp-dtls-19 950 o Change based on comment from Roman. 952 Changes from draft-ietf-mmusic-sdp-dtls-18 954 o Changes based on comments from Flemming. 956 o - Change in dtls-id value definition. 958 o - Editorial fixes. 960 Changes from draft-ietf-mmusic-sdp-dtls-17 962 o Reference fix. 964 Changes from draft-ietf-mmusic-sdp-dtls-16 966 o Editorial changes based on 2nd WGLC comments from Christian Groves 967 and Nevenka Biondic. 969 Changes from draft-ietf-mmusic-sdp-dtls-15 971 o dtls-id attribute value made globally unique 973 Changes from draft-ietf-mmusic-sdp-dtls-14 975 o Changes based on comments from Flemming: 977 o - Additional dtls-is clarifiations 979 o - Editorial fixes 981 Changes from draft-ietf-mmusic-sdp-dtls-13 983 o Text about the updated RFCs added to Abstract and Introduction 985 o Reference to RFC 5763 removed from section 6 (ICE Considerations) 986 o Reference to RFC 5763 removed from section 8 (SIP Considerations) 988 Changes from draft-ietf-mmusic-sdp-dtls-12 990 o "unreliable" changed to "unordered" 992 Changes from draft-ietf-mmusic-sdp-dtls-11 994 o Attribute name changed to dtls-id 996 o Additional text based on comments from Roman Shpount. 998 Changes from draft-ietf-mmusic-sdp-dtls-10 1000 o Modified document to use dtls-id instead of dtls-connection 1002 o Changes are based on comments from Eric Rescorla, Justin Uberti, 1003 and Paul Kyzivat. 1005 Changes from draft-ietf-mmusic-sdp-dtls-08 1007 o Offer/Answer section modified in order to allow sending of 1008 multiple SDP 'fingerprint' attributes. 1010 o Terminology made consistent: 'DTLS connection' replaced with 'DTLS 1011 association'. 1013 o Editorial changes based on comments from Paul Kyzivat. 1015 Changes from draft-ietf-mmusic-sdp-dtls-07 1017 o Reference to RFC 7315 replaced with reference to RFC 7345. 1019 Changes from draft-ietf-mmusic-sdp-dtls-06 1021 o Text on restrictions regarding spanning a DTLS association over 1022 multiple transports added. 1024 o Mux category added to IANA Considerations. 1026 o Normative text regarding mux category and source-specific 1027 applicability added. 1029 o Reference to RFC 7315 added. 1031 o Clarified that offerer/answerer that has not been updated to 1032 support this specification will not include the dtls-id attribute 1033 in offers and answers. 1035 o Editorial corrections based on WGLC comments from Charles Eckel. 1037 Changes from draft-ietf-mmusic-sdp-dtls-05 1039 o Text on handling offer/answer error conditions added. 1041 Changes from draft-ietf-mmusic-sdp-dtls-04 1043 o Editorial nits fixed based on comments from Paul Kyzivat: 1045 Changes from draft-ietf-mmusic-sdp-dtls-03 1047 o Changes based on comments from Paul Kyzivat: 1049 o - Modification of dtls-id attribute section. 1051 o - Removal of IANA considerations subsection. 1053 o - Making note into normative text in o/a section. 1055 o Changes based on comments from Martin Thompson: 1057 o - Abbreviations section removed. 1059 o - Clarify that a new DTLS association requires a new o/a 1060 transaction. 1062 Changes from draft-ietf-mmusic-sdp-dtls-02 1064 o - Updated RFCs added to boilerplate. 1066 Changes from draft-ietf-mmusic-sdp-dtls-01 1068 o - Annex regarding 'dtls-id-id' attribute removed. 1070 o - Additional SDP offer/answer procedures, related to certificates, 1071 added. 1073 o - Updates to RFC 5763 and RFC 7345 added. 1075 o - Transport protocol considerations added. 1077 Changes from draft-ietf-mmusic-sdp-dtls-00 1079 o - SDP 'connection' attribute replaced with new 'dtls-id' 1080 attribute. 1082 o - IANA Considerations added. 1084 o - E-mail regarding 'dtls-id-id' attribute added as Annex. 1086 Changes from draft-holmberg-mmusic-sdp-dtls-01 1088 o - draft-ietf-mmusic version of draft submitted. 1090 o - Draft file name change (sdp-dtls -> dtls-sdp) due to collision 1091 with another expired draft. 1093 o - Clarify that if ufrag in offer is unchanged, it must be 1094 unchanged in associated answer. 1096 o - SIP Considerations section added. 1098 o - Section about multiple SDP fingerprint attributes added. 1100 Changes from draft-holmberg-mmusic-sdp-dtls-00 1102 o - Editorial changes and clarifications. 1104 14. References 1106 14.1. Normative References 1108 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1109 Requirement Levels", BCP 14, RFC 2119, 1110 DOI 10.17487/RFC2119, March 1997, 1111 . 1113 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 1114 A., Peterson, J., Sparks, R., Handley, M., and E. 1115 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 1116 DOI 10.17487/RFC3261, June 2002, 1117 . 1119 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 1120 with Session Description Protocol (SDP)", RFC 3264, 1121 DOI 10.17487/RFC3264, June 2002, 1122 . 1124 [RFC4145] Yon, D. and G. Camarillo, "TCP-Based Media Transport in 1125 the Session Description Protocol (SDP)", RFC 4145, 1126 DOI 10.17487/RFC4145, September 2005, 1127 . 1129 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 1130 Description Protocol", RFC 4566, DOI 10.17487/RFC4566, 1131 July 2006, . 1133 [RFC4572] Lennox, J., "Connection-Oriented Media Transport over the 1134 Transport Layer Security (TLS) Protocol in the Session 1135 Description Protocol (SDP)", RFC 4572, 1136 DOI 10.17487/RFC4572, July 2006, 1137 . 1139 [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework 1140 for Establishing a Secure Real-time Transport Protocol 1141 (SRTP) Security Context Using Datagram Transport Layer 1142 Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 1143 2010, . 1145 [RFC7345] Holmberg, C., Sedlacek, I., and G. Salgueiro, "UDP 1146 Transport Layer (UDPTL) over Datagram Transport Layer 1147 Security (DTLS)", RFC 7345, DOI 10.17487/RFC7345, August 1148 2014, . 1150 [I-D.ietf-ice-rfc5245bis] 1151 Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive 1152 Connectivity Establishment (ICE): A Protocol for Network 1153 Address Translator (NAT) Traversal", draft-ietf-ice- 1154 rfc5245bis-08 (work in progress), December 2016. 1156 [I-D.ietf-mmusic-4572-update] 1157 Lennox, J. and C. Holmberg, "Connection-Oriented Media 1158 Transport over TLS in SDP", draft-ietf-mmusic- 1159 4572-update-13 (work in progress), February 2017. 1161 [I-D.ietf-mmusic-sdp-mux-attributes] 1162 Nandakumar, S., "A Framework for SDP Attributes when 1163 Multiplexing", draft-ietf-mmusic-sdp-mux-attributes-16 1164 (work in progress), December 2016. 1166 [I-D.ietf-mmusic-sdp-bundle-negotiation] 1167 Holmberg, C., Alvestrand, H., and C. Jennings, 1168 "Negotiating Media Multiplexing Using the Session 1169 Description Protocol (SDP)", draft-ietf-mmusic-sdp-bundle- 1170 negotiation-36 (work in progress), October 2016. 1172 14.2. Informative References 1174 [RFC4474] Peterson, J. and C. Jennings, "Enhancements for 1175 Authenticated Identity Management in the Session 1176 Initiation Protocol (SIP)", RFC 4474, 1177 DOI 10.17487/RFC4474, August 2006, 1178 . 1180 [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment 1181 (ICE): A Protocol for Network Address Translator (NAT) 1182 Traversal for Offer/Answer Protocols", RFC 5245, 1183 DOI 10.17487/RFC5245, April 2010, 1184 . 1186 [RFC5576] Lennox, J., Ott, J., and T. Schierl, "Source-Specific 1187 Media Attributes in the Session Description Protocol 1188 (SDP)", RFC 5576, DOI 10.17487/RFC5576, June 2009, 1189 . 1191 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 1192 Security (DTLS) Extension to Establish Keys for the Secure 1193 Real-time Transport Protocol (SRTP)", RFC 5764, 1194 DOI 10.17487/RFC5764, May 2010, 1195 . 1197 [RFC6083] Tuexen, M., Seggelmann, R., and E. Rescorla, "Datagram 1198 Transport Layer Security (DTLS) for Stream Control 1199 Transmission Protocol (SCTP)", RFC 6083, 1200 DOI 10.17487/RFC6083, January 2011, 1201 . 1203 [I-D.ietf-stir-rfc4474bis] 1204 Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, 1205 "Authenticated Identity Management in the Session 1206 Initiation Protocol (SIP)", draft-ietf-stir-rfc4474bis-16 1207 (work in progress), February 2017. 1209 [ITU.T38.2010] 1210 International Telecommunications Union, "Procedures for 1211 real-time Group 3 facsimile communication over IP 1212 networks", ITU-T Recommendation T.38, September 2010. 1214 Authors' Addresses 1216 Christer Holmberg 1217 Ericsson 1218 Hirsalantie 11 1219 Jorvas 02420 1220 Finland 1222 Email: christer.holmberg@ericsson.com 1223 Roman Shpount 1224 TurboBridge 1225 4905 Del Ray Avenue, Suite 300 1226 Bethesda, MD 20814 1227 USA 1229 Phone: +1 (240) 292-6632 1230 Email: rshpount@turbobridge.com