UDP Transport Layer (UDPTL) over Datagram Transport Layer Security (DTLS)
draft-ietf-mmusic-udptl-dtls-10

Document history

Date Rev. By Action
2014-08-19
10 (System) RFC Editor state changed to AUTH48-DONE from AUTH48
2014-08-01
10 (System) RFC Editor state changed to AUTH48 from RFC-EDITOR
2014-07-30
10 (System) RFC Editor state changed to RFC-EDITOR from EDIT
2014-06-24
10 Gunter Van de Velde Closed request for Last Call review by OPSDIR with state 'No Response'
2014-06-24
10 Amy Vezza IESG state changed to RFC Ed Queue from Approved-announcement sent
2014-06-24
10 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2014-06-23
10 (System) RFC Editor state changed to EDIT
2014-06-23
10 (System) Announcement was received by RFC Editor
2014-06-23
10 (System) IANA Action state changed to Waiting on RFC Editor from Waiting on Authors
2014-06-23
10 (System) IANA Action state changed to Waiting on Authors from In Progress
2014-06-23
10 (System) IANA Action state changed to In Progress
2014-06-23
10 Amy Vezza IESG state changed to Approved-announcement sent from Approved-announcement to be sent
2014-06-23
10 Amy Vezza IESG has approved the document
2014-06-23
10 Amy Vezza Closed "Approve" ballot
2014-06-23
10 Amy Vezza Ballot approval text was generated
2014-06-23
10 Amy Vezza IESG state changed to Approved-announcement to be sent from IESG Evaluation::AD Followup
2014-06-20
10 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-10.txt
2014-06-19
09 Tero Kivinen Closed request for Last Call review by SECDIR with state 'No Response'
2014-06-16
09 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-09.txt
2014-06-14
08 Stephen Farrell [Ballot comment]

Thanks for adding the crypto alg detail.
2014-06-14
08 Stephen Farrell [Ballot Position Update] Position for Stephen Farrell has been changed to No Objection from Discuss
2014-06-14
08 (System) Sub state has been changed to AD Followup from Revised ID Needed
2014-06-14
08 Christer Holmberg IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed
2014-06-14
08 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-08.txt
2014-06-12
07 Kathleen Moriarty [Ballot comment]
Thank you very much for the updated introduction.  This helps a lot to clarify the purpose of the work.
2014-06-12
07 Kathleen Moriarty [Ballot Position Update] Position for Kathleen Moriarty has been changed to No Objection from Discuss
2014-06-12
07 Cindy Morgan IESG state changed to IESG Evaluation::Revised I-D Needed from Waiting for AD Go-Ahead
2014-06-12
07 Stephen Farrell
[Ballot discuss]


Apologies for the brief review, (I'm a bit short of time;-)
but I have the following questions:

(1) Don't you need to mandate sha-256 as MTI for the rfc4572 fingerprint ?

(2) What DTLS ciphersuites are MTI?

(MTI = mandatory to implement, just in case:-)
2014-06-12
07 Stephen Farrell [Ballot Position Update] New position, Discuss, has been recorded for Stephen Farrell
2014-06-12
07 Benoît Claise [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise
2014-06-12
07 Barry Leiba
[Ballot comment]
UPDATE:
I asked Dave Crocker for a review, as he chaired the fax working group, way back when.  One comment that he made, which I agree with and want to pass on, is this:

<< When the technical details of a reference are so fundamental to a new specification, I prefer the citation to it to be as precise as possible, to save the reader from having to do searching.  Hence I suggest that the initial reference to UDPTL should explicitly cite "Section 9" of the t38.2010 doc. >>

-----

Christer has responded to all my earlier comments; I leave the responses here for the record.  Thanks!

-- Section 4.2 --

  The offerer SHOULD assign the SDP "setup" attribute with a value of
  "actpass".  Alternatively, the offerer MAY assign the SDP "setup"
  attribute with a value of "active" or "passive".  The offerer MUST
  NOT assign an SDP "setup" attribute with a "holdconn" value.

Standard SHOULD/MAY problem: MAY is not an alternative to SHOULD; MAY is entirely optional.

In order to resolve this, let me first ask *why* the offerer SHOULD set "setup" to "actpass", under what conditions might the offerer need to use "active" or "passive" instead, and what are the consequences of doing that?

-------------------------

RESPONSE:
Setting the value to "actpass" allows the terminating endpoint to determine the TLS role, i.e., which endpoint will send ClientHello.

"active" or "passive" is used if the offerer, for whatever reason, insists on being either the sender (TLS client) or receiver (TLS server) of the ClientHello.

In order to solve the SHOULD/MAY problem, I suggest the following modified text:

        The offerer SHOULD assign the SDP "setup" attribute with a value of
        "actpass", unless it insists on being either the sender or receiver of the
        DTLS ClientHello message, in which case it can use either a value of
        "active" (sender of ClientHello) or "passive" (receiver of ClientHello).

---------------------------------------------------

-- Section 5.2.2 --

  The UA MUST demultiplex packets arriving on the IP address and port
  associated with the DTLS association, e.g. as follows:

I'm not sure what the "e.g. as follows" is saying.  Are the two bullets meant to be one example of how one might demultiplex the packets, and there are also other ways one might do it?  Are the two bullets a suggested way, or just an example?  Or is there some other sense that I'm not seeing?

-------------------------

RESPONSE:
The idea is to mandate support of the mechanism described in the document, but to not prevent usage of alternative future mechanisms.

I agree that the current text is a little confusing, so I suggest the following modified text:

        "The UA MUST support the following mechanism for
        demultiplexing packets arriving on the IP address and
        port associated with the DTLS association:"

        o  If the value of the first byte of the packet is 0 or 1, then the
        packet is STUN.
        o  If the value of the first byte of the packet is between 20 and 63
        (inclusive), the packet is DTLS."

---------------------------------------------------

Very, very small, tiny point, which you can completely ignore if you like: "SHALL" and "MUST" mean exactly the same thing, and I always find it preferable to use one or the other, consistently.  You mostly use "MUST", but in Sections 3, 5.1, and 5.2.2 you have one instance each of "SHALL".  I mildly, mildly suggest that you change those three to "MUST", to be consistent.

-------------------------

RESPONSE:
I agree with you, and I am happy to replace SHALL with MUST.

---------------------------------------------------

-- Section 4.4 --

  When the offerer receives an SDP answer and, if the offerer ends up
  being active it MUST initiate a DTLS handshake by sending a DTLS
  ClientHello message on the negotiated media stream, towards the IP
  address and port of the answerer.

That reads oddly to me, mostly, I think, because of the "and, if" bit.  Maybe you just need to delete the comma and the "if".  Alternatively, you could delete "and".

-------------------------

RESPONSE:
I suggest to remove "and".

        "When the offerer receives an SDP answer, if the offerer ends up
        being active it MUST initiate a DTLS handshake by sending a DTLS
        ClientHello message on the negotiated media stream, towards the IP
        address and port of the answerer."

---------------------------------------------------

-- Section 5.3 --

  After the DTLS handshake caused by rekeying has completed, because of
  possible packet reordering on the wire, packets protected by the
  previous set of keys can arrive.

That sentence seems awkward because things come in an odd order -- kind of backward.  May I suggest this?:

NEW
  During rekeying, packets protected by the previous set of keys can
  arrive after the DTLS handshake caused by rekeying has completed,
  because packets can be reordered on the wire.
END

-------------------------

RESPONSE:
Looks good. I'll update as suggested.

---------------------------------------------------

-- Section 6 --

  The standard DTLS strategy for authenticating the communicating
  parties is to give the server (and optionally the client) a PKIX
  [RFC5280] certificate.  The client then verifies the certificate and
  checks that the name in the certificate matches the server's domain
  name.  This works because there are a relatively small number of
  servers with well-defined names; a situation that does not usually
  occur in the VoIP context.

I don't follow the last sentence.  I don't understand why there are relatively few servers that have well defined names.  I don't see why that's important with respect to how authentication by cert validation works.  And I don't get how this relates to VoIP.  Can you explain, please?

-------------------------

RESPONSE:
We borrowed the text from RFC 5763.

However, I agree that the VoIP text is confusing, and suggest the following modified text:

        "The standard DTLS strategy for authenticating the communicating
        parties is to give the server (and optionally the client) a PKIX
        [RFC5280] certificate.  The client then verifies the certificate and
        checks that the name in the certificate matches the server's domain
        name.  This works because there are a relatively small number of
        servers and the cost for issuing and deploying PKIX certificates can
        be justified. Issuing and deploying PKIX certificates to all clients is
        not realistic in most deployment scenarios."

---------------------------------------------------
2014-06-12
07 Barry Leiba Ballot comment text updated for Barry Leiba
2014-06-11
07 Joel Jaeggli [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli
2014-06-11
07 Richard Barnes [Ballot Position Update] New position, No Objection, has been recorded for Richard Barnes
2014-06-11
07 Adrian Farrel [Ballot Position Update] New position, No Objection, has been recorded for Adrian Farrel
2014-06-11
07 Kathleen Moriarty
[Ballot discuss]
Thanks to Pete for raising questions on the introduction.  From the discussion so far, I think this will be easy to resolve, but would like to make sure that happens for clarity in the document, so I am using this Discuss as a placeholder for that.

From Pete's comment, the introduction is not clear as to why this solution is needed.  When you dig deeper, (and it takes a bit of researching), you can see that a solution is needed for secure IP transport.  I'd like to see the introduction expanded to better explain the problem and existing gap.  The transition to IP from telephony protocols (T.30) makes sense as a major motivation.  An issue that comes up for someone new to this is that the T.30 document explains the solution as an application layer approach that applies to any protocol, so there must be a gap here that the experts are aware of and can explain. 
With the current text on existing solutions, the reader has to know a lot more to understand T.38 RTP and UDPTL.  The listed solutions talk about T.30 and RTP, so unless the reader knows they are competing solutions (doesn't say that in the introduction, just puts them both in the T.38 document for reference), they won't know why this doesn't fit the bill.

If you start searching around, RFC4612 section 3 must have been written before UDPTL took off and gained the market share.  I am including all of this so you might see where someone new to this work would need additional information in the introduction to better set the understanding for the reader.

I had suspected when I read it yesterday that the main reason was that traditional faxing is going away and integration with applications is needed for how people work, but that is not said anywhere.  Regulatory requirements also drive this with the need for transport encryption (no need to name the many ones as they will change and evolve).
2014-06-11
07 Kathleen Moriarty [Ballot Position Update] New position, Discuss, has been recorded for Kathleen Moriarty
2014-06-11
07 Martin Stiemerling [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling
2014-06-10
07 Pete Resnick
[Ballot comment]
I will simply ask this as a question; I have no intention of DISCUSSing it. If the SEC ADs are interested, they are in a much better position to DISCUSS:

Given that there's confidentiality/integrity protection available at the application layer, I was left to wonder why 3GPP wanted to do it at the transport layer. I'm worried that the reason they want to do this is in order to more easily *violate* confidentiality: Doing it at the transport layer means that intermediaries can peek at the contents of the FAX, whereas doing it at the application layer prevents everybody but the end users from being able to peek. Is that what's going on here? If so, and if this is considered a reasonable thing to want to do, that should probably be called out as a potential vulnerability in the security considerations (or perhaps a new privacy considerations) section.

Sorry for thinking nefarious thoughts, but I've got to ask.
2014-06-10
07 Pete Resnick [Ballot Position Update] New position, No Objection, has been recorded for Pete Resnick
2014-06-10
07 Alia Atlas [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas
2014-06-10
07 Jari Arkko [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko
2014-06-10
07 (System) IESG state changed to Waiting for AD Go-Ahead from In Last Call
2014-06-09
07 Spencer Dawkins [Ballot comment]
Thank you for producing this document. If I was more familiar with the details, I'd have balloted "yes".
2014-06-09
07 Spencer Dawkins [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins
2014-06-09
07 Brian Haberman [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman
2014-06-09
07 Barry Leiba
[Ballot comment]
Christer has responded to all my comments; I leave the responses here for the record.  Thanks!

-- Section 4.2 --

  The offerer SHOULD assign the SDP "setup" attribute with a value of
  "actpass".  Alternatively, the offerer MAY assign the SDP "setup"
  attribute with a value of "active" or "passive".  The offerer MUST
  NOT assign an SDP "setup" attribute with a "holdconn" value.

Standard SHOULD/MAY problem: MAY is not an alternative to SHOULD; MAY is entirely optional.

In order to resolve this, let me first ask *why* the offerer SHOULD set "setup" to "actpass", under what conditions might the offerer need to use "active" or "passive" instead, and what are the consequences of doing that?

-------------------------

RESPONSE:
Setting the value to "actpass" allows the terminating endpoint to determine the TLS role, i.e., which endpoint will send ClientHello.

"active" or "passive" is used if the offerer, for whatever reason, insists on being either the sender (TLS client) or receiver (TLS server) of the ClientHello.

In order to solve the SHOULD/MAY problem, I suggest the following modified text:

        The offerer SHOULD assign the SDP "setup" attribute with a value of
        "actpass", unless it insists on being either the sender or receiver of the
        DTLS ClientHello message, in which case it can use either a value of
        "active" (sender of ClientHello) or "passive" (receiver of ClientHello).

---------------------------------------------------

-- Section 5.2.2 --

  The UA MUST demultiplex packets arriving on the IP address and port
  associated with the DTLS association, e.g. as follows:

I'm not sure what the "e.g. as follows" is saying.  Are the two bullets meant to be one example of how one might demultiplex the packets, and there are also other ways one might do it?  Are the two bullets a suggested way, or just an example?  Or is there some other sense that I'm not seeing?

-------------------------

RESPONSE:
The idea is to mandate support of the mechanism described in the document, but to not prevent usage of alternative future mechanisms.

I agree that the current text is a little confusing, so I suggest the following modified text:

        "The UA MUST support the following mechanism for
        demultiplexing packets arriving on the IP address and
        port associated with the DTLS association:"

        o  If the value of the first byte of the packet is 0 or 1, then the
        packet is STUN.
        o  If the value of the first byte of the packet is between 20 and 63
        (inclusive), the packet is DTLS."

---------------------------------------------------

Very, very small, tiny point, which you can completely ignore if you like: "SHALL" and "MUST" mean exactly the same thing, and I always find it preferable to use one or the other, consistently.  You mostly use "MUST", but in Sections 3, 5.1, and 5.2.2 you have one instance each of "SHALL".  I mildly, mildly suggest that you change those three to "MUST", to be consistent.

-------------------------

RESPONSE:
I agree with you, and I am happy to replace SHALL with MUST.

---------------------------------------------------

-- Section 4.4 --

  When the offerer receives an SDP answer and, if the offerer ends up
  being active it MUST initiate a DTLS handshake by sending a DTLS
  ClientHello message on the negotiated media stream, towards the IP
  address and port of the answerer.

That reads oddly to me, mostly, I think, because of the "and, if" bit.  Maybe you just need to delete the comma and the "if".  Alternatively, you could delete "and".

-------------------------

RESPONSE:
I suggest to remove "and".

        "When the offerer receives an SDP answer, if the offerer ends up
        being active it MUST initiate a DTLS handshake by sending a DTLS
        ClientHello message on the negotiated media stream, towards the IP
        address and port of the answerer."

---------------------------------------------------

-- Section 5.3 --

  After the DTLS handshake caused by rekeying has completed, because of
  possible packet reordering on the wire, packets protected by the
  previous set of keys can arrive.

That sentence seems awkward because things come in an odd order -- kind of backward.  May I suggest this?:

NEW
  During rekeying, packets protected by the previous set of keys can
  arrive after the DTLS handshake caused by rekeying has completed,
  because packets can be reordered on the wire.
END

-------------------------

RESPONSE:
Looks good. I'll update as suggested.

---------------------------------------------------

-- Section 6 --

  The standard DTLS strategy for authenticating the communicating
  parties is to give the server (and optionally the client) a PKIX
  [RFC5280] certificate.  The client then verifies the certificate and
  checks that the name in the certificate matches the server's domain
  name.  This works because there are a relatively small number of
  servers with well-defined names; a situation that does not usually
  occur in the VoIP context.

I don't follow the last sentence.  I don't understand why there are relatively few servers that have well defined names.  I don't see why that's important with respect to how authentication by cert validation works.  And I don't get how this relates to VoIP.  Can you explain, please?

-------------------------

RESPONSE:
We borrowed the text from RFC 5763.

However, I agree that the VoIP text is confusing, and suggest the following modified text:

        "The standard DTLS strategy for authenticating the communicating
        parties is to give the server (and optionally the client) a PKIX
        [RFC5280] certificate.  The client then verifies the certificate and
        checks that the name in the certificate matches the server's domain
        name.  This works because there are a relatively small number of
        servers and the cost for issuing and deploying PKIX certificates can
        be justified. Issuing and deploying PKIX certificates to all clients is
        not realistic in most deployment scenarios."

---------------------------------------------------
2014-06-09
07 Barry Leiba [Ballot Position Update] Position for Barry Leiba has been changed to No Objection from Discuss
2014-06-06
07 Barry Leiba
[Ballot discuss]
I have two small things I'd like to discuss, which should be easy to sort out:

-- Section 4.2 --

  The offerer SHOULD assign the SDP "setup" attribute with a value of
  "actpass".  Alternatively, the offerer MAY assign the SDP "setup"
  attribute with a value of "active" or "passive".  The offerer MUST
  NOT assign an SDP "setup" attribute with a "holdconn" value.

Standard SHOULD/MAY problem: MAY is not an alternative to SHOULD; MAY is entirely optional.

In order to resolve this, let me first ask *why* the offerer SHOULD set "setup" to "actpass", under what conditions might the offerer need to use "active" or "passive" instead, and what are the consequences of doing that?

-- Section 5.2.2 --

  The UA MUST demultiplex packets arriving on the IP address and port
  associated with the DTLS association, e.g. as follows:

I'm not sure what the "e.g. as follows" is saying.  Are the two bullets meant to be one example of how one might demultiplex the packets, and there are also other ways one might do it?  Are the two bullets a suggested way, or just an example?  Or is there some other sense that I'm not seeing?  (And what if the first byte of the packet is between 2 and 19?)
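
An added example, not part of the ballot text or of the draft: a receiver-side demultiplexer for the Section 5.2.2 first-byte rule quoted in the responses on this page (0 or 1 is STUN, 20 to 63 inclusive is DTLS), which also shows what happens to a first byte of 2 to 19. Dropping unclassified or malformed datagrams, the STUN and DTLS header sanity checks, the function names and the sample packets are assumptions of this example.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442   # fixed field in the STUN header (RFC 5389)
STUN_HEADER_LEN = 20
DTLS_HEADER_LEN = 13             # type(1) version(2) epoch(2) seq(6) length(2)
DTLS_VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}


def classify_first_byte(packet: bytes) -> str:
    """Apply only the first-byte rule quoted on this page."""
    if not packet:
        return "unknown"
    first = packet[0]
    if first in (0, 1):
        return "stun"
    if 20 <= first <= 63:
        return "dtls"
    # Covers 2..19 and 64..255: the quoted rule assigns these to neither protocol.
    return "unknown"


def looks_like_stun(packet: bytes) -> bool:
    """Sanity-check the STUN header so a stray 0x00/0x01 byte is not accepted."""
    if len(packet) < STUN_HEADER_LEN:
        return False
    _msg_type, length, cookie = struct.unpack("!HHI", packet[:8])
    return (cookie == STUN_MAGIC_COOKIE
            and length % 4 == 0
            and STUN_HEADER_LEN + length == len(packet))


def parse_dtls_record_header(packet: bytes):
    """Return the DTLS record header fields, or None if the header is implausible."""
    if len(packet) < DTLS_HEADER_LEN:
        return None
    ctype, version, epoch, seq_hi, seq_lo, length = struct.unpack(
        "!BHHHIH", packet[:DTLS_HEADER_LEN])
    if version not in DTLS_VERSIONS:
        return None
    # One datagram may carry several records, so the first record may be shorter
    # than the datagram but must never claim more bytes than were received.
    if length > len(packet) - DTLS_HEADER_LEN:
        return None
    return {
        "content_type": ctype,
        "version": DTLS_VERSIONS[version],
        # The epoch changes when new keys come into use, so a record that was
        # reordered across a rekeying handshake still shows the older epoch.
        "epoch": epoch,
        "seq": (seq_hi << 32) | seq_lo,
        "length": length,
    }


def demux(packet: bytes):
    """Return (kind, detail) where kind is 'stun', 'dtls' or 'drop'."""
    kind = classify_first_byte(packet)
    if kind == "stun":
        if looks_like_stun(packet):
            return ("stun", None)
        return ("drop", "malformed STUN header")
    if kind == "dtls":
        header = parse_dtls_record_header(packet)
        if header is not None:
            return ("dtls", header)
        return ("drop", "malformed DTLS record header")
    # Assumption of this example: anything the rule does not classify is dropped.
    return ("drop", "first byte outside 0-1 and 20-63")


# Constructed sample datagrams (not captured traffic).
STUN_SAMPLE = struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + bytes(12)
DTLS_HANDSHAKE_SAMPLE = struct.pack("!BHHHIH", 22, 0xFEFD, 0, 0, 0, 4) + bytes(4)
DTLS_APPDATA_SAMPLE = struct.pack("!BHHHIH", 23, 0xFEFD, 1, 0, 5, 3) + b"abc"
GAP_SAMPLE = b"\x05" + bytes(15)          # first byte in the 2..19 gap
TRUNCATED_DTLS_SAMPLE = b"\x16\xfe\xfd"   # DTLS-looking first byte, header cut short

if __name__ == "__main__":
    for name, pkt in [("stun", STUN_SAMPLE),
                      ("dtls handshake", DTLS_HANDSHAKE_SAMPLE),
                      ("dtls app data", DTLS_APPDATA_SAMPLE),
                      ("gap byte", GAP_SAMPLE),
                      ("truncated dtls", TRUNCATED_DTLS_SAMPLE)]:
        print(name, "->", demux(pkt))
```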
2014-06-06
07 Barry Leiba
[Ballot comment]
Very, very small, tiny point, which you can completely ignore if you like: "SHALL" and "MUST" mean exactly the same thing, and I always find it preferable to use one or the other, consistently.  You mostly use "MUST", but in Sections 3, 5.1, and 5.2.2 you have one instance each of "SHALL".  I mildly, mildly suggest that you change those three to "MUST", to be consistent.

-- Section 4.4 --

  When the offerer receives an SDP answer and, if the offerer ends up
  being active it MUST initiate a DTLS handshake by sending a DTLS
  ClientHello message on the negotiated media stream, towards the IP
  address and port of the answerer.

That reads oddly to me, mostly, I think, because of the "and, if" bit.  Maybe you just need to delete the comma and the "if".  Alternatively, you could delete "and".

-- Section 5.3 --

  After the DTLS handshake caused by rekeying has completed, because of
  possible packet reordering on the wire, packets protected by the
  previous set of keys can arrive.

That sentence seems awkward because things come in an odd order -- kind of backward.  May I suggest this?:

NEW
  During rekeying, packets protected by the previous set of keys can
  arrive after the DTLS handshake caused by rekeying has completed,
  because packets can be reordered on the wire.
END

-- Section 6 --

  The standard DTLS strategy for authenticating the communicating
  parties is to give the server (and optionally the client) a PKIX
  [RFC5280] certificate.  The client then verifies the certificate and
  checks that the name in the certificate matches the server's domain
  name.  This works because there are a relatively small number of
  servers with well-defined names; a situation that does not usually
  occur in the VoIP context.

I don't follow the last sentence.  I don't understand why there are relatively few servers that have well defined names.  I don't see why that's important with respect to how authentication by cert validation works.  And I don't get how this relates to VoIP.  Can you explain, please?
2014-06-06
07 Barry Leiba [Ballot Position Update] New position, Discuss, has been recorded for Barry Leiba
2014-06-03
07 Alissa Cooper Placed on agenda for telechat - 2014-06-12
2014-06-03
07 Scott Brim Request for Last Call review by GENART Completed: Ready. Reviewer: Scott Brim.
2014-06-02
07 (System) IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed
2014-06-02
07 Amanda Baber
IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-mmusic-udptl-dtls-07.  Authors should review the comments and/or questions below.  Please report any inaccuracies and respond to any questions as soon as possible.

IANA's reviewer has the following comments/questions:

IANA understands that, upon approval of this document, there is a single action which IANA must complete.

In the proto subregistry of the Session Description Protocol (SDP) Parameters registry at

http://www.iana.org/assignments/sdp-parameters/

a single new value is to be added as follows:

Type: proto
SDP Name: UDP/TLS/UDPTL
Reference: [ RFC-to-be ]

IANA understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.
2014-06-02
07 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Juergen Quittek
2014-06-02
07 Gunter Van de Velde Request for Last Call review by OPSDIR is assigned to Juergen Quittek
2014-05-30
07 Tero Kivinen Request for Last Call review by SECDIR is assigned to Dorothy Gellert
2014-05-30
07 Tero Kivinen Request for Last Call review by SECDIR is assigned to Dorothy Gellert
2014-05-28
07 Jean Mahoney Request for Last Call review by GENART is assigned to Scott Brim
2014-05-28
07 Jean Mahoney Request for Last Call review by GENART is assigned to Scott Brim
2014-05-27
07 Amy Vezza IANA Review state changed to IANA - Review Needed
2014-05-27
07 Amy Vezza
The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (UDP Transport Layer (UDPTL) over Datagram Transport Layer Security (DTLS)) to Proposed Standard


The IESG has received a request from the Multiparty Multimedia Session
Control WG (mmusic) to consider the following document:
- 'UDP Transport Layer (UDPTL) over Datagram Transport Layer Security
  (DTLS)'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2014-06-10. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document specifies how the UDP Transport Layer (UDPTL) protocol,
  the predominant transport protocol for T.38 fax, can be transported
  over the Datagram Transport Layer Security (DTLS) protocol, how the
  usage of UDPTL over DTLS is indicated in the Session Description
  Protocol (SDP), and how UDPTL over DTLS is negotiated in a session
  established using the Session Initiation Protocol (SIP).




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-mmusic-udptl-dtls/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-mmusic-udptl-dtls/ballot/


No IPR declarations have been submitted directly on this I-D.


2014-05-27
07 Amy Vezza IESG state changed to In Last Call from Last Call Requested
2014-05-27
07 Alissa Cooper Last call was requested
2014-05-27
07 Alissa Cooper Last call announcement was generated
2014-05-27
07 Alissa Cooper IESG state changed to Last Call Requested from AD Evaluation
2014-05-27
07 Alissa Cooper Ballot has been issued
2014-05-27
07 Alissa Cooper Ballot approval text was generated
2014-05-27
07 Alissa Cooper [Ballot Position Update] New position, Yes, has been recorded for Alissa Cooper
2014-05-27
07 Alissa Cooper Created "Approve" ballot
2014-05-27
07 Alissa Cooper Ballot writeup was changed
2014-05-27
07 Alissa Cooper Ballot writeup was changed
2014-05-27
07 Alissa Cooper Ballot writeup was generated
2014-05-27
07 Alissa Cooper IESG state changed to AD Evaluation from Publication Requested
2014-04-28
07 Flemming Andreasen
As required by RFC 4858, this is the current template for the Document
Shepherd Write-Up.

Changes are expected over time. This version is dated 24 February 2012.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

Proposed Standard. The Intended Status is shown as "Standards Track" on the front page.  The document defines a new transport protocol for SDP, and per RFC 4566, this should be done by a Standards Track RFC.


(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary

  Relevant content can frequently be found in the abstract
  and/or introduction of the document. If not, this may be
  an indication that there are deficiencies in the abstract
  or introduction.


The document specifies how the UDP Transport Layer (UDPTL) protocol,
the predominant transport protocol for T.38 fax, can be transported
over the Datagram Transport Layer Security (DTLS) protocol, how the
usage of UDPTL over DTLS is indicated in the Session Description
Protocol (SDP), and how UDPTL over DTLS is negotiated in a session
established using the Session Initiation Protocol (SIP).


Working Group Summary

  Was there anything in WG process that is worth noting? For
  example, was there controversy about particular points or
  were there decisions where the consensus was particularly
  rough?


There has been no controversy on the document. On the contrary in fact with both quick WG interest and adoption as well as review and finalization.


Document Quality

  Are there existing implementations of the protocol? Have a
  significant number of vendors indicated their plan to
  implement the specification? Are there any reviewers that
  merit special mention as having done a thorough review,
  e.g., one that resulted in important changes or a
  conclusion that the document had no substantive issues? If
  there was a MIB Doctor, Media Type or other expert review,
  what was its course (briefly)? In the case of a Media Type
  review, on what date was the request posted?

There are no known implementations of the protocol; however, it has been adopted by 3GPP. There are no new Media Types, MIBs, etc. and hence no special reviews.



Personnel

  Who is the Document Shepherd? Who is the Responsible Area
  Director?


Flemming Andreasen is the Document Shepherd.
Alissa Cooper is the Responsible AD.




(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

The Document Shepherd has reviewed the last 3 versions of the document in detail. The document is considered of good quality at this point.


(4) Does the Document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed? 

No such concerns.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

No such review is needed.


(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

No specific concerns or issues.

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed? If not, explain why.

There are no IPR disclosures for the document and all 3 document authors have confirmed they are not aware of any IPR.


(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

No IPR disclosure.


(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

Several people have indicated support for the document and several people have reviewed it.



(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

No threats of appeal or discontent.


(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

The document has been checked and no nits found.


(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

Does not apply.


(13) Have all references within this document been identified as
either normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

There are no such references.


(15) Are there downward normative references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

No.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

No change to existing RFCs.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

The IANA considerations have been reviewed for consistency and compliance with the requirements in SDP (RFC 4566).


(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

There are no new registries.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.


There is no formal language in the document.

2014-04-28
07 Flemming Andreasen State Change Notice email list changed to mmusic-chairs@tools.ietf.org, draft-ietf-mmusic-udptl-dtls@tools.ietf.org
2014-04-28
07 Flemming Andreasen Responsible AD changed to Alissa Cooper
2014-04-28
07 Flemming Andreasen IETF WG state changed to Submitted to IESG for Publication from WG Consensus: Waiting for Write-Up
2014-04-28
07 Flemming Andreasen IESG state changed to Publication Requested
2014-04-28
07 Flemming Andreasen IESG process started in state Publication Requested
2014-04-28
07 Flemming Andreasen Intended Status changed to Proposed Standard from None
2014-04-28
07 Flemming Andreasen Changed document writeup
2014-04-21
07 Flemming Andreasen IETF WG state changed to WG Consensus: Waiting for Write-Up from WG Document
2014-04-16
07 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-07.txt
2014-03-25
06 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-06.txt
2014-02-13
05 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-05.txt
2014-02-01
04 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-04.txt
2014-01-17
03 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-03.txt
2013-12-13
02 Flemming Andreasen Document shepherd changed to Flemming Andreasen
2013-12-05
02 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-02.txt
2013-11-21
01 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-01.txt
2013-11-07
00 Ari Keränen Set of documents this document replaces changed to draft-holmberg-mmusic-udptl-dtls, draft-holmberg-dispatch-udptl-dtls from None
2013-10-18
00 Christer Holmberg New version available: draft-ietf-mmusic-udptl-dtls-00.txt