MMUSIC Working Group G. Camarillo Internet-Draft Ericsson Expires: November 5, 2005 May 4, 2005 Session Description Protocol (SDP) Format for Binary Floor Control Protocol (BFCP) Streams draft-ietf-mmusic-sdp-bfcp-01.txt Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on November 5, 2005. Copyright Notice Copyright (C) The Internet Society (2005). Abstract This document specifies how to describe BFCP streams in SDP session descriptions. User agents using the offer/answer model to establish BFCP streams use this format in their offers and their answers. Camarillo Expires November 5, 2005 [Page 1]
Internet-Draft BFCP May 2005 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Fields in the m Line . . . . . . . . . . . . . . . . . . . . . 3 4. Floor Control Server Determination . . . . . . . . . . . . . . 4 5. The 'confid' and 'userid' SDP Attributes . . . . . . . . . . . 4 6. Association between Streams and Floors . . . . . . . . . . . . 5 7. TCP Connection Management . . . . . . . . . . . . . . . . . . 5 8. Authentication . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1 Mutual Authentication Using Certificates and TLS . . . . . 6 8.2 Client Authentication at the BFCP Level . . . . . . . . . 7 8.2.1 Generating a Shared Secret . . . . . . . . . . . . . . 7 8.2.2 The 'nonce' Attribute . . . . . . . . . . . . . . . . 8 9. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 9.1 Example Using TLS . . . . . . . . . . . . . . . . . . . . 8 9.2 Example Using the 'crypto' Attribute . . . . . . . . . . . 9 10. Security Considerations . . . . . . . . . . . . . . . . . . 10 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 10 11.1 Registration of the 'TCP/BFCP' and 'TCP/TLS/BFCP' SDP 'proto' values . . . . . . . . . . . . . . . . . . . . . . 11 11.2 Registration of the SDP 'confid' Attribute . . . . . . . . 11 11.3 Registration of the SDP 'userid' Attribute . . . . . . . . 11 11.4 Registration of the SDP 'floorid' Attribute . . . . . . . 12 11.5 Registration of the SDP 'nonce' Attribute . . . . . . . . 12 11.6 Registration of the crypto-suites for 'TCP/BFCP' . . . . . 13 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 13 13. Normative References . . . . . . . . . . . . . . . . . . . . 13 Author's Address . . . . . . . . . . . . . . . . . . . . . . . 14 Intellectual Property and Copyright Statements . . . . . . . . 15 Camarillo Expires November 5, 2005 [Page 2]
Internet-Draft BFCP May 2005 1. Introduction As discussed in the BFCP (Binary Floor Control Protocol) specification [8], a given BFCP client needs a set of data in order to establish a BFCP connection to a floor control server. These data include the transport address of the server, the conference identifier, and the user identifier. One way for clients to obtain this information consists of using an offer/answer [5] exchange. This document specifies how to encode this information in the SDP session descriptions which are part of an offer/answer exchange. User agents typically use the offer/answer model to establish a number of media streams of different types. Following this model, a BFCP connection is described as any other media stream by using an SDP 'm' line, possibly followed by a number of attributes encoded in 'a' lines. 2. Terminology In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119 [2] and indicate requirement levels for compliant implementations. 3. Fields in the m Line According to the SDP specification [11], the 'm'line format is the following: m=<media> <port> <transport> <fmt> ... The media field MUST have a value of "application". The port field is set following the rules in [7]. Depending on the value of the 'setup' attribute (disccused in Section 7), the port field contains the port the remote endpoint will initiate its TCP connection to, or is irrelevant (i.e., the endpoint will initiate the connection towards the remote endpoint) and should be set to a value of 9, which is the discard port. Since BFCP only runs on top of TCP, the port is always a TCP port. A port field value of zero has the standard SDP meaning (i.e., rejection of the media stream). We define two new values for the transport field: TCP/BFCP and TCP/ TLS/BFCP. The former is used when BFCP runs directly on top of TCP and the latter is used when BFCP runs on top of TLS, which in turn Camarillo Expires November 5, 2005 [Page 3]
Internet-Draft BFCP May 2005 runs on top of TCP. The fmt (format) list is ignored for BFCP. The fmt list of BFCP m lines SHOULD contain a single "*" character. The following is an example of an m line for a BFCP connection: m=application 20000 TCP/TLS/BFCP * 4. Floor Control Server Determination The 'confid' and the 'userid' attributes are used by a floor control server to provide a client with a conference ID and a user ID. In the context of an offer/answer exchange, the entity including these attributes is the floor control server. The most common scenario consists of a client establishing a BFCP stream with a floor control server. In this case, there is only one floor control server (the offerer or the answerer). However, there are scenarios where both the offerer and the answerer are both clients and floor control servers. For example, in a two-party session that involves an audio stream and a shared whiteboard, one party acts as the floor control server for the audio stream and the other acts as the floor control server for the shared whiteboard. In such a case, both the offerer and the answerer would include the 'confid' and the 'userid' attributes in their respective session descriptions. 5. The 'confid' and 'userid' SDP Attributes We define the 'confid' and the 'userid' SDP media-level attributes. These attributes attributes are used by a floor control server to provide a client with a conference ID and a user ID respectively. Their Augmented BNF syntax [3] is: confid-attribute = "a=confid: " conference-id conference-id = token userid-attribute = "a=userid: " user-id user-id = token The confid and the userid attributes carry the integer representation of a conference ID and a user ID respectively. Endpoints which use the offer/answer model to establish BFCP connections MUST support the confid and the userid attributes. A Camarillo Expires November 5, 2005 [Page 4]
Internet-Draft BFCP May 2005 floor control server acting as an offerer or as an answerers SHOULD include these attributes in its session descriptions. 6. Association between Streams and Floors We define the floorid SDP media-level attribute. Its Augmented BNF syntax [3] is: floor-id-attribute = "a=floorid:" token [" mstrm:" token *(SP token)] The floorid attribute is used in BFCP 'm' lines. It defines a floor identifier and, possibly, associates it with one or more media streams. The token representing the floor ID is the integer representation of the Floor ID to be used in BFCP. The token representing the media stream is a pointer to the media stream, which is identified by an SDP label attribute [9] Endpoints which use the offer/answer model to establish BFCP connections MUST support the 'floorid' and the 'label' attributes. A floor control server acting as an offerer or as an answerer SHOULD include these attributes in its session descriptions. 7. TCP Connection Management The management of the TCP connection used to transport BFCP is performed using the 'setup' and 'connection' attributes as defined in [7]. The setup attribute indicates which of the endpoints (client or floor control server) initiates the TCP connection. The 'connection' attribute handles TCP connection reestablishment. The BFCP specification [8] describes a number of situations when the TCP connection between a client and the floor control server needs to be reestablished. However, that specification does not describe the reestablishment process because this process depends on how the connection was established in the first place. BFCP entities using the offer/answer model follow the following rules. When the existing TCP connection is reseted following the rules in [8], the client SHOULD generate an offer towards the floor control server in order to reestablish the connection. If a TCP connection cannot deliver a BFCP message and times out, the entity that attempted to send the message (i.e., the one that detected the TCP timeout) SHOULD generate an offer in order to reestablish the TCP connection. Camarillo Expires November 5, 2005 [Page 5]
Internet-Draft BFCP May 2005 Endpoints which use the offer/answer model to establish BFCP connections MUST support the 'setup' and the 'connection' attributes. 8. Authentication When a BFCP connection is established using the offer/answer model, it is assumed that the offerer and the answerer authenticate each other using some mechanism. Once this mutual authentication takes place, all the offerer and the answerer need to make sure is that the entity they are receiving BFCP messages from is the same as the one that generated the previous offer or answer. When SIP is used to perform an offer/answer exchange, the initial mutual authentication takes place at the SIP level. Additionally, SIP uses S/MIME to provide an integrity protected channel with optional confidentiality for the offer/answer exchange. BFCP takes advantage of this integrity protected offer/answer exchange to perform authentication. Within the offer/answer exchange, the offerer and the answerer exchange the fingerprints of their self- signed certificates. These self-signed certificates are then used to establish the TLS connection that will carry BFCP traffic between the offerer and the answerer. Of course, certificates signed by a certificate authority known to both parties can also be used. Section 8.1 describes mutual authentication using certificates and TLS, which is the RECOMMENDED mechanism to perform mutual authentication. BFCP also provides a digest mechanism based on a shared secret to provide client authentication in situations where TLS is not used for some reason. Section 8.2 describes how to set up this mechanism using an offer/answer model. Note that when mutual authentication is performed using TLS, it is not necessary to use this digest mechanism. 8.1 Mutual Authentication Using Certificates and TLS BFCP clients and floor control servers follow the rules in [10] regarding certificate choice and presentation. This implies that unless a 'fingerprint' attribute is included in the session description, the certificate provided at the TLS-level must be signed by a certificate authority known to other party. Endpoints which use the offer/answer model to establish BFCP connections MUST support the 'fingerprint' attribute and SHOULD include it in their session descriptions. When TLS is used, once the underlaying TCP connection is established, the answerer acts as the TLS server regardless of its role (passive or active) in the TCP establishment procedure. Camarillo Expires November 5, 2005 [Page 6]
Internet-Draft BFCP May 2005 8.2 Client Authentication at the BFCP Level Digest authentication in BFCP is based on a shared secret between the client and the floor control server. Section 8.2.1 describes how to set up such a secret using an encrypted offer/answer exchange. Section 8.2.2 describes how a floor control server can provide a client with an initial nonce. 8.2.1 Generating a Shared Secret This section describes how to generate a shared secret between a client and a floor control server using SDP security descriptions and the SDP 'crypto' attribute [12]. The following is the format of the 'crypto' attribute as defined in [12]: a=crypto:<tag> <crypto-suite> <key-params> [<session-params>] The use of the tag field is specified in [12]. The possible values for the crypto-suite field are defined within the context of a transport; TCP/BFCP in our case. Within the context of TCP/BFCP, we define the following value for the crypto-suite field: +-----------+-----------------+ | Value | BFCP Identifier | +-----------+-----------------+ | HMAC-SHA1 | 0 | +-----------+-----------------+ Table 1: Values for the crypto-suite field in TCP/BFCP The IANA registry for Digest Algorithms in BFCP contains references to the specifications that describe the usage of each digest algorithm (identified by its BFCP identifier) in BFCP. The key-params field SHOULD use the 'inline' key method followed by a base64-encoded [6] unguessable secret [1]. The use of the optional session-params field is for further study. The following is an example of a 'crypto' attribute: Camarillo Expires November 5, 2005 [Page 7]
Internet-Draft BFCP May 2005 a=crypto:1 HMAC-SHA1 inline:c2hhcmVkLXNlY3JldA== The use of the 'crypto' attribute in an offer/answer exchange is described in [12]. Additionally, when this attribute is used with BFCP streams, the answerer MUST use the same value in the key-params field as the one received in the offer. Endpoints MAY use other mechanisms (including out-of-band mechanisms) to generate a shared secret. However, if the mechanism described in this section is used, the session descriptions MUST be encrypted. 8.2.2 The 'nonce' Attribute We define the SDP media-level 'nonce' attribute. Its Augmented BNF syntax [3] is: nonce-attribute = "a=nonce: " nonce-value nonce-value = token The 'nonce' attribute carries the integer representation of the nonce to be used by the client in its next BFCP message (typically the first message from the client) towards the floor control server. This is an optimization so that the client does not need to generate an initial BFCP message only to have it rejected by the floor control server with an Error response containing a nonce. Endpoints which use the offer/answer model to establish BFCP connections SHOULD support the 'nonce' attribute. A floor control server acting as an offerer or as an answerers MAY include this attribute in its session descriptions. 9. Examples For the purpose of brevity, the main portion of the session description is omitted in the examples, which only show 'm' lines and their attributes. 9.1 Example Using TLS The following is an example of an offer sent by a conference server to a client. Camarillo Expires November 5, 2005 [Page 8]
Internet-Draft BFCP May 2005 m=application 20000 TCP/TLS/BFCP * a=setup:passive a=connection:new a=fingerprint:SHA-1 \ 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB a=confid:4321 a=userid:1234 a=floorid:1 m-stream:10 a=floorid:2 m-stream:11 m=audio 20000 RTP/AVP 0 a=label:10 m=video 30000 RTP/AVP 31 a=label:11 Note that due to RFC formatting conventions, this document splits SDP across lines whose content would exceed 72 characters. A backslash character marks where this line folding has taken place. This backslash and its trailing CRLF and whitespace would not appear in actual SDP content. The following is the answer returned by the user. m=application 9 TCP/TLS/BFCP * a=setup:active a=connection:new m=audio 25000 RTP/AVP 0 m=video 35000 RTP/AVP 31 9.2 Example Using the 'crypto' Attribute The following is an example of an offer sent by a conference server to a client. In this case, TLS is not used to perform mutual authentication. The 'crypto' attribute is used to generate a shared secret between the client and the floor control server. Camarillo Expires November 5, 2005 [Page 9]
Internet-Draft BFCP May 2005 m=application 20000 TCP/BFCP * a=setup:passive a=connection:new a=crypto:1 HMAC-SHA1 inline:c2hhcmVkLXNlY3JldA== a=nonce:5736 a=confid:4321 a=userid:1234 a=floorid:1 m-stream:10 a=floorid:2 m-stream:11 m=audio 20000 RTP/AVP 0 a=label:10 m=video 30000 RTP/AVP 31 a=label:11 The following is the answer returned by the participant. m=application 9 TCP/BFCP * a=setup:active a=connection:new a=crypto:1 HMAC-SHA1 inline:c2hhcmVkLXNlY3JldA== m=audio 25000 RTP/AVP 0 m=video 35000 RTP/AVP 31 10. Security Considerations The BFCP [8], SDP [11], and the offer/answer [5] specifications discuss security issues related to BFCP, SDP, and the offer/answer respectively. In addition, [7] and [10] discuss security issues related to the establishment of TCP and TLS connections using an offer/answer model. An issue which is discussed in the previous specifications and is of particular importance for this specification relates to the usage of the SDP 'crypto' attribute to generate shared secrets. When the 'crypto' attribute is used, the session description carrying it must be encrypted, as specified in Section 8.2.1. Otherwise, an attacker could get access to the shared secret and impersonate the client. For session descriptions carried in SIP [4], S/MIME is the natural choice to provide such end-to-end encryption. Other applications MAY use different encryption mechanisms. 11. IANA Considerations The following sections instruct the IANA to perform a set of actions. Camarillo Expires November 5, 2005 [Page 10]
Internet-Draft BFCP May 2005 11.1 Registration of the 'TCP/BFCP' and 'TCP/TLS/BFCP' SDP 'proto' values This section instructs the IANA to register the following two new values for the SDP 'proto' field under the Session Description Protocol (SDP) Parameters registry: +--------------+-----------+ | Value | Reference | +--------------+-----------+ | TCP/BFCP | RFCxxxx | | TCP/TLS/BFCP | RFCxxxx | +--------------+-----------+ Table 2: Values for the SDP 'proto' field [Note to the RFC editor: please, replace RFCxxxx with the RFC number that this document will be assigned.] 11.2 Registration of the SDP 'confid' Attribute This section instructs the IANA to register the following SDP att- field under the Session Description Protocol (SDP) Parameters registry: Contact name: Gonzalo.Camarillo@ericsson.com Attribute name: confid Type of attribute Media level Subject to charset: No Purpose of attribute: The 'confid' attribute carries the integer representation of a Conference ID. Allowed attribute values: A token 11.3 Registration of the SDP 'userid' Attribute This section instructs the IANA to register the following SDP att- field under the Session Description Protocol (SDP) Parameters registry: Camarillo Expires November 5, 2005 [Page 11]
Internet-Draft BFCP May 2005 Contact name: Gonzalo.Camarillo@ericsson.com Attribute name: userid Type of attribute Media level Subject to charset: No Purpose of attribute: The 'userid' attribute carries the integer representation of a User ID. Allowed attribute values: A token 11.4 Registration of the SDP 'floorid' Attribute This section instructs the IANA to register the following SDP att- field under the Session Description Protocol (SDP) Parameters registry: Contact name: Gonzalo.Camarillo@ericsson.com Attribute name: floorid Type of attribute Media level Subject to charset: No Purpose of attribute: The 'floorid' attribute associates a floor with one or more media streams. Allowed attribute values: Tokens 11.5 Registration of the SDP 'nonce' Attribute This section instructs the IANA to register the following SDP att- field under the Session Description Protocol (SDP) Parameters registry: Contact name: Gonzalo.Camarillo@ericsson.com Attribute name: nonce Type of attribute Media level Camarillo Expires November 5, 2005 [Page 12]
Internet-Draft BFCP May 2005 Subject to charset: No Purpose of attribute: The 'nonce' attribute carried a nonce to be used in the media stream (e.g., in the BFCP connection). Allowed attribute values: A token 11.6 Registration of the crypto-suites for 'TCP/BFCP' This section instructs the IANA to register the 'TCP/BFCP' media transport under the SDP Security Description registry. The key methods supported is "inline". The reference for the SDP security description for 'TCP/BFCP' is this document. The following crypto-suite needs to be registered under the 'TCP/ BFCP' transport: +-----------+-----------------+ | Value | BFCP Identifier | +-----------+-----------------+ | HMAC-SHA1 | 0 | +-----------+-----------------+ Table 3: Values for the crypto-suite field in TCP/BFCP The IANA registry for Digest Algorithms in BFCP contains references to the specifications that describe the usage of each digest algorithm (identified by its BFCP identifier) in BFCP. At this point, there are no session parameters defined for the 'TCP/ BFCP' media transport. Consequently, the IANA does not need to create a session parameter subregistry under 'TCP/BFCP'. 12. Acknowledgments Joerg Ott, Keith Drage, Alan Johnston, and Eric Rescorla provided useful ideas for this document. 13. Normative References [1] Eastlake, D., Crocker, S., and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994. [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [3] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997. Camarillo Expires November 5, 2005 [Page 13]
Internet-Draft BFCP May 2005 [4] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [5] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model with Session Description Protocol (SDP)", RFC 3264, June 2002. [6] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 3548, July 2003. [7] Yon, D., "Connection-Oriented Media Transport in the Session Description Protocol (SDP)", draft-ietf-mmusic-sdp-comedia-10 (work in progress), November 2004. [8] Camarillo, G., "The Binary Floor Control Protocol (BFCP)", draft-ietf-xcon-bfcp-03 (work in progress), January 2005. [9] Levin, O. and G. Camarillo, "The SDP (Session Description Protocol) Label Attribute", draft-levin-mmmusic-sdp-media-label-00 (work in progress), July 2004. [10] Lennox, J., "Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)", draft-ietf-mmusic-comedia-tls-02 (work in progress), October 2004. [11] Handley, M., "SDP: Session Description Protocol", draft-ietf-mmusic-sdp-new-24 (work in progress), February 2005. [12] Andreasen, F., Baugher, M., and D. Wing, "Session Description Protocol Security Descriptions for Media Streams", draft-ietf-mmusic-sdescriptions-09 (work in progress), February 2005. Author's Address Gonzalo Camarillo Ericsson Hirsalantie 11 Jorvas 02420 Finland Email: Gonzalo.Camarillo@ericsson.com Camarillo Expires November 5, 2005 [Page 14]
Internet-Draft BFCP May 2005 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2005). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Camarillo Expires November 5, 2005 [Page 15]
