[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Additional use cases? (Re: Plan for moving forward)

To: "'Lakshminath Dondeti'" <ldondeti@xxxxxxxxxxxx>, "'Eric Rescorla'" <ekr@xxxxxxxxxxxxxxxxxxxx>
Subject: RE: Additional use cases? (Re: Plan for moving forward)
From: "Dan Wing" <dwing@xxxxxxxxx>
Date: Tue, 12 Jun 2007 16:14:53 -0700
Authentication-results: sj-dkim-4; header.From=dwing@xxxxxxxxx; dkim=pass (s ig from cisco.com/sjdkim4002 verified; );
Cc: "'Jonathan Rosenberg'" <jdrosen@xxxxxxxxx>, "'Hannes Tschofenig'" <Hannes.Tschofenig@xxxxxxx>, "'Francois Audet'" <audet@xxxxxxxxxx>, <ietf-rtpsec@xxxxxxx>, "'Sam Hartman'" <hartmans-ietf@xxxxxxx>, "'Tim Polk'" <tim.polk@xxxxxxxx>, <jon.peterson@xxxxxxxxxxx>
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=3022; t=1181690095; x=1182554095; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@xxxxxxxxx; z=From:=20=22Dan=20Wing=22=20<dwing@xxxxxxxxx> |Subject:=20RE=3A=20Additional=20use=20cases?=20(Re=3A=20Plan=20for=20mov ing=20forward) |Sender:=20; bh=dR4Agu0x9t8STTHSWSE42s+BzB7I5N/lCHtc6C+4k7s=; b=Inivl7tYCAEmHXOCvCuC/SK+WxkpKTuy7wP+7YQIOM0ihfuC0T2l7H47jPm/b7VKErEyilku 3/xpl9MEqHz02lFaT2iu4lak9mxhd+Y+AQweqGuW2b1W7hoIQ62upSmr;
In-reply-to: <466F2220.4030908@xxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
Thread-index: AcetQ3RcQb+Z5MCYSkq01a+V4hW3zwAAe0Kw

> Interesting ...  I wondered about the reasoning of multiple 
> serverhellos.  Is the argument that multiple clienthellos are alright 
> since that amounts to lower overhead than multiple 
> serverhellos (if the expected response is HelloVerifyRequest, 
> then the overhead might be similar)? 

The client instantiates its state prior to sending a ClientHello,
and the server instantiates its state when it receives a ClientHello.

If a client were to send a ClientHello in an Invite, and the call
forked, and the client received a bunch of ServerHellos, it wouldn't
be doing DTLS anymore because the client would instantate new state 
for each of those ServerHellos that arrive (and complete the DTLS 
handshake with each of those).

> But that seems to optimize for the forking use case and 
> ignores other use cases.

That = the existing DTLS-SRTP specifications?

I don't see how they are optimized for forking and de-optimized
for the non-forking case.  Do you mean it's much too expensive
for the originator (who may have to deal with a bunch of forked
endpoints) than you'd like?  Or do you mean it's not efficient
over-the-wire (bandwidth?).

> Why is the ClientHello going out-of-band a problem?

In addition to the problem of forking causing multiple ServerHellos,
you'd have to prevent your DTLS implementation from sending its
ClientHello over the wire, grab its data and stick it into a
SIP header or into the SDP or wherever you were thinking it would
go.  Not hard, but not beautiful, either.

> As to why to do this: it seems to allow the use case I was 
> talking about

The use case where someone dials a number and proves their identity
using a PIN?  One thing you mentioned at the bottom of your first
email http://www.imc.org/ietf-rtpsec/mail-archive/msg00751.html is
that "priority call placement use case is similar"; however, it
isn't -- IEPREP isn't requiring someone to connect to a remote
gateway, prove their identity to that remote gateway, and someone
pull that authentication and authorization 'back' into the 
originating network.  The trouble with such an approach is how
you'd get the access to perform that connection to that remote
resource in order to initiate that authorization in the first
place -- the phone system is overloaded and the more components
of it you involve the more likely you'll find overload.

> and Dan was making a case for it too earlier 
> today.

In my email related to directionality?  That was only an idea
to avoid the SDP for directionality.

-d

> regards,
> Lakshminath
> 
> On 6/12/2007 12:46 PM, Eric Rescorla wrote:
> > At Tue, 12 Jun 2007 12:39:47 -0700,
> > Lakshminath Dondeti wrote:
> >> Right.  So, why not do it?
> > 
> > Because it involves a number of changes in the DTLS model (having
> > one message happen out of band, having one clienthello elicit
> > multiple serverhellos, etc.) and nobody has described a compelling
> > reason to do this.
> > 
> > -Ekr
> >

Follow-Ups:
- Re: Additional use cases? (Re: Plan for moving forward)
  - From: Lakshminath Dondeti

References:
- Re: Additional use cases? (Re: Plan for moving forward)
  - From: Lakshminath Dondeti

Prev by Date: Re: Additional use cases? (Re: Plan for moving forward)
Next by Date: Re: Additional use cases? (Re: Plan for moving forward)
Previous by thread: Re: Additional use cases? (Re: Plan for moving forward)
Next by thread: Re: Additional use cases? (Re: Plan for moving forward)
Index(es):
- Date
- Thread