[Docs] [txt|pdf] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 RFC 5898

MMUSIC Working Group                                        F. Andreasen
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                            G. Camarillo
Expires: September 5, 2010                                      Ericsson
                                                                 D. Oran
                                                                 D. Wing
                                                           Cisco Systems
                                                           March 4, 2010


Connectivity Preconditions for Session Description Protocol (SDP) Media
                                Streams
              draft-ietf-mmusic-connectivity-precon-07.txt

Abstract

   This document defines a new connectivity precondition for the Session
   Description Protocol (SDP) precondition framework.  A connectivity
   precondition can be used to delay session establishment or
   modification until media stream connectivity has been successfully
   verified.  The method of verification may vary depending on the type
   of transport used for the media.  For unreliable datagram transports
   such as UDP, verification involves probing the stream with data or
   control packets.  For reliable connection-oriented transports such as
   TCP, verification can be achieved simply by successful connection
   establishment or by probing the connection with data or control
   packets, depending on the situation.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.



Andreasen, et al.       Expires September 5, 2010               [Page 1]


Internet-Draft          Connectivity Precondition             March 2010


   This Internet-Draft will expire on September 5, 2010.

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License.

   This document may contain material from IETF Documents or IETF
   Contributions published or made publicly available before November
   10, 2008.  The person(s) controlling the copyright in some of this
   material may not have granted the IETF Trust the right to allow
   modifications of such material outside the IETF Standards Process.
   Without obtaining an adequate license from the person(s) controlling
   the copyright in such materials, this document may not be modified
   outside the IETF Standards Process, and derivative works of it may
   not be created outside the IETF Standards Process, except to format
   it for publication as an RFC or to translate it into languages other
   than English.























Andreasen, et al.       Expires September 5, 2010               [Page 2]


Internet-Draft          Connectivity Precondition             March 2010


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  4
   3.  Connectivity Precondition Definition . . . . . . . . . . . . .  4
     3.1.  Syntax . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     3.2.  Operational Semantics  . . . . . . . . . . . . . . . . . .  5
     3.3.  Status Type  . . . . . . . . . . . . . . . . . . . . . . .  5
     3.4.  Direction Tag  . . . . . . . . . . . . . . . . . . . . . .  5
     3.5.  Precondition Strength  . . . . . . . . . . . . . . . . . .  6
   4.  Verifying Connectivity . . . . . . . . . . . . . . . . . . . .  7
     4.1.  Media Stream to Dialog Correlation . . . . . . . . . . . .  7
     4.2.  Explicit Connectivity Verification Mechanisms  . . . . . .  8
     4.3.  Verifying Connectivity for Connection-Oriented
           Transports . . . . . . . . . . . . . . . . . . . . . . . .  9
   5.  Connectivity and Other Precondition Types  . . . . . . . . . . 10
   6.  Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . . 15
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 16
   9.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
     9.1.  Normative References . . . . . . . . . . . . . . . . . . . 16
     9.2.  Informative References . . . . . . . . . . . . . . . . . . 17
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17




























Andreasen, et al.       Expires September 5, 2010               [Page 3]


Internet-Draft          Connectivity Precondition             March 2010


1.  Introduction

   The concept of a Session Description Protocol (SDP) [RFC4566]
   precondition in the Session Initiation Protocol (SIP) [RFC3261] is
   defined in RFC 3312 [RFC3312] (updated by RFC 4032 [RFC4032]).  A
   precondition is a condition that has to be satisfied for a given
   media stream in order for session establishment or modification to
   proceed.  When the precondition is not met, session progress is
   delayed until the precondition is satisfied or the session
   establishment fails.  For example, RFC 3312 [RFC3312] defines the
   Quality of Service precondition, which is used to ensure availability
   of network resources prior to establishing a session (i.e., prior to
   starting alerting the callee).

   SIP sessions are typically established in order to setup one or more
   media streams.  Even though a media stream may be negotiated
   successfully through an SDP offer-answer exchange, the actual media
   stream itself may fail.  For example, when there is one or more
   Network Address Translators (NATs) or firewalls in the media path,
   the media stream may not be received by the far end.  In cases where
   the media is carried over a connection-oriented transport such as TCP
   [RFC0793], the connection-establishment procedures may fail.  The
   connectivity precondition defined in this document ensures that
   session progress is delayed until media stream connectivity has been
   verified.

   The connectivity precondition type defined in this document follows
   the guidelines provided in RFC 4032 [RFC4032] to extend the SIP
   preconditions framework.


2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].


3.  Connectivity Precondition Definition

3.1.  Syntax

   The connectivity precondition type is defined by the string "conn"
   and hence we modify the grammar found in RFC 3312 [RFC3312] and RFC
   5027 [RFC5027] as follows:






Andreasen, et al.       Expires September 5, 2010               [Page 4]


Internet-Draft          Connectivity Precondition             March 2010


      precondition-type = "conn" / "sec" / "qos" / token

   This precondition tag is registered with the IANA in Section 8.

3.2.  Operational Semantics

   According to RFC 4032 [RFC4032], documents defining new precondition
   types need to describe the behavior of UAs (User Agents) from the
   moment session establishment is suspended due to a set of
   preconditions, until it is resumed when these preconditions are met.
   An entity that wishes to delay session establishment or modification
   until media stream connectivity has been established uses this
   precondition-type in an offer.  When a mandatory connectivity
   precondition is received in an offer, session establishment or
   modification is delayed until the connectivity precondition has been
   met (i.e., until media stream connectivity has been established in
   the desired direction or directions).  The delay of session
   establishment defined here implies that alerting of the called party
   does not occur until the precondition has been satisfied.

   Packets may be both sent and received on the media streams in
   question.  However, such packets SHOULD be limited to packets that
   are necessary to verify connectivity between the two endpoints
   involved on the media stream.  That is, the underlying media stream
   SHOULD NOT be cut through.  For example, ICE connectivity checks
   [I-D.ietf-mmusic-ice] and TCP SYN and ACK packets can be exchanged on
   media streams that support them as a way of verifying connectivity.

   Some media streams are described by a single 'm' line but,
   nevertheless, involve multiple addresses.  For example, RFC 5109
   [RFC5109] specifies how to send FEC (Forward Error Correction)
   information as a separate stream (the address for the FEC stream is
   provided in an 'a=fmtp' line).  When a media stream consists of
   multiple destination addresses, connectivity to all of them MUST be
   verified in order for the precondition to be met.

3.3.  Status Type

   RFC 3312 [RFC3312] defines support for two kinds of status types,
   namely segmented and end-to-end.  The connectivity precondition-type
   defined here MUST be used with the end-to-end status type; use of the
   segmented status type is undefined.

3.4.  Direction Tag

   The direction attributes defined in RFC 3312 [RFC3312] are
   interpreted as follows:




Andreasen, et al.       Expires September 5, 2010               [Page 5]


Internet-Draft          Connectivity Precondition             March 2010


   o  send: the party that generated the session description is sending
      packets on the media stream to the other party, and the other
      party has received at least one of those packets.  That is, there
      is connectivity in the forward (sending) direction.

   o  recv: the other party is sending packets on the media stream to
      the party that generated the session description, and this party
      has received at least one of those packets.  That is, there is
      connectivity in the backwards (receiving) direction.

   o  sendrecv: both the send and recv conditions hold.

   Note that a "send" connectivity precondition from the offerer's point
   of view corresponds to a "recv" connectivity precondition from the
   answerer's point of view, and vice versa.  If media stream
   connectivity in both directions is required before session
   establishment or modification continues, the desired status needs to
   be set to "sendrecv".

3.5.  Precondition Strength

   Connectivity preconditions may have a strength-tag of either
   "mandatory" or "optional".

   When a mandatory connectivity precondition is offered and the
   answerer cannot satisfy the connectivity precondition (e.g., because
   the offer does not include parameters that enable connectivity to be
   verified without media cut through) the offer MUST be rejected as
   described in RFC 3312 [RFC3312].

   When an optional connectivity precondition is offered, the answerer
   MUST generate its answer SDP as soon as possible.  Since session
   progress is not delayed in this case, it is not known whether the
   associated media streams will have connectivity.  If the answerer
   wants to delay session progress until connectivity has been verified,
   the answerer MUST increase the strength of the connectivity
   precondition by using a strength-tag of "mandatory" in the answer.

   Note that use of a "mandatory" precondition requires the presence of
   a SIP "Require" header with the option tag "precondition".  Any SIP
   UA that does not support a mandatory precondition will reject such
   requests.  To get around this issue, an optional connectivity
   precondition and the SIP "Supported" header with the option tag
   "precondition" can be used instead.

   Offers with connectivity preconditions in re-INVITEs or UPDATEs
   follow the rules given in Section 6 of RFC 3312 [RFC3312].  That is:




Andreasen, et al.       Expires September 5, 2010               [Page 6]


Internet-Draft          Connectivity Precondition             March 2010


      "Both user agents SHOULD continue using the old session parameters
      until all the mandatory preconditions are met.  At that moment,
      the user agents can begin using the new session parameters."


4.  Verifying Connectivity

   Media stream connectivity is ascertained by use of a connectivity
   verification mechanism between the media endpoints.  A connectivity
   verification mechanism may be an explicit mechanism, such as ICE
   [I-D.ietf-mmusic-ice] or ICE TCP [I-D.ietf-mmusic-ice-tcp], or it may
   be an implicit mechanism, such as TCP.  Explicit mechanisms provide
   specifications for when connectivity between two endpoints using an
   offer/answer exchange is ascertained, whereas implicit mechanisms do
   not.  The verification mechanism is negotiated as part of the normal
   offer/answer exchange, however it is not identified explicitly.  More
   than one mechanism may be negotiated, but the offerer and answerer
   need not use the same.  The following rules guide which connectivity
   verification mechanism to use:


   1.  if an explicit connectivity verification mechanism (e.g., ICE) is
       negotiated, the precondition is met when the mechanism verifies
       connectivity successfully, otherwise

   2.  if a connection-oriented transport (e.g., TCP) is negotiated, the
       precondition is met when the connection is established, otherwise

   3.  if an implicit verification mechanism is provided by the
       transport itself or the media stream data using the transport,
       the precondition is met when the mechanism verifies connectivity
       successfully, otherwise

   4.  connectivity cannot be verified reliably and the connectivity
       precondition will never be satisfied if requested.

   This document does not mandate any particular connectivity
   verification mechanism; however, in the following, we provide
   additional considerations for verification mechanisms.

4.1.  Media Stream to Dialog Correlation

   SIP and SDP do not provide any inherent capabilities for associating
   an incoming media stream packet with a particular dialog.  Thus, when
   an offerer is trying to ascertain connectivity, and an incoming media
   stream packet is received, the offerer may not know which dialog had
   its "recv" connectivity verified.  Explicit connectivity verification
   mechanisms therefore typically provide a means to correlate the media



Andreasen, et al.       Expires September 5, 2010               [Page 7]


Internet-Draft          Connectivity Precondition             March 2010


   stream, whose connectivity is being verified, with a particular SIP
   dialog.  However, some connectivity verification mechanisms may not
   provide such a correlation.  In the absence of a dialog-to-media-
   stream correlation mechanism (e.g., ICE), a UAS (User Agent Server)
   MUST NOT require the offerer to confirm a connectivity precondition.

4.2.  Explicit Connectivity Verification Mechanisms

   Explicit connectivity verification mechanisms typically use probe
   traffic with some sort of feedback to inform the sender whether
   reception was successful.  Below we provide two examples of such
   mechanisms, and how they are used with connectivity preconditions:

   Interactive Connectivity Establishment (ICE) [I-D.ietf-mmusic-ice]
   provides one or more candidate addresses in signaling between the
   offerer and the answerer and then uses STUN Binding Requests to
   determine which pairs of candidate addresses have connectivity.  Each
   STUN Binding Request contains a password which is communicated in the
   SDP as well; this enables correlation between STUN Binding Requests
   and candidate addresses for a particular media stream.  It also
   provides correlation with a particular SIP dialog.

   ICE implementations may be either Full or Lite (see
   [I-D.ietf-mmusic-ice]).  Full implementations generate and respond to
   STUN Binding Requests, whereas Lite implementations only respond to
   them.  With ICE, one side is a controlling agent, and the other side
   is a controlled agent.  A Full implementation can take on either
   role, whereas a Lite implementation can only be a controlled agent.
   The controlling agent decides which valid candidate to use and
   informs the controlled agent of it by identifying the pair as the
   nominated pair.  This leads to the following connectivity
   precondition rules:


   o  A Full implementation ascertains both "send" and "recv"
      connectivity when it operates as a STUN client and has sent a STUN
      Binding Request that resulted in a successful check for all the
      components of the media stream (as defined further in ICE).

   o  A Full or a Lite implementation ascertains "recv" connectivity
      when it operates as a STUN server and has received a STUN Binding
      Request that resulted in a successful response for all the
      components of the media stream (as defined further in ICE).

   o  A Lite implementation ascertains "send" and "recv" connectivity
      when the controlling agent has informed it of the nominated pair
      for all the components of the media stream.




Andreasen, et al.       Expires September 5, 2010               [Page 8]


Internet-Draft          Connectivity Precondition             March 2010


   A simpler and slightly more delay-prone alternative to the above
   rules is for all ICE implementations to ascertain "send" and "recv"
   connectivity for a media stream when the ICE state for that media
   stream has moved to Completed.

   Note that there is never a need for the answerer to request
   confirmation of the connectivity precondition when using ICE: the
   answerer can determine the status locally.  Also note, that when ICE
   is used to verify connectivity preconditions, the precondition is not
   satisfied until connectivity has been verified for all the component
   transport addresses used by the media stream.  For example, with an
   RTP-based media stream where RTCP is not suppressed, connectivity
   MUST be ascertained for both RTP and RTCP; this is a tightening of
   the general operational semantics provided in Section 3.2, which is
   imposed by ICE.  Finally, it should be noted, that although
   connectivity has been ascertained, a new offer/answer exchange may be
   required before media can flow (per ICE).

   The above are merely examples of explicit connectivity verification
   mechanisms.  Other techniques can be used as well.  It is however
   RECOMMENDED that ICE be supported by entities that support
   connectivity preconditions.  Use of ICE has the benefit of working
   for all media streams (not just RTP) as well as facilitate NAT and
   firewall traversal, which may otherwise interfere with connectivity.
   Furthermore, the ICE recommendation provides a baseline to ensure
   that all entities that require probe traffic to support the
   connectivity preconditions have a common way of ascertaining
   connectivity.

4.3.  Verifying Connectivity for Connection-Oriented Transports

   Connection-oriented transport protocols generally provide an implicit
   connectivity verification mechanism.  Connection establishment
   involves sending traffic in both directions thereby verifying
   connectivity at the transport protocol level.  When a three-way (or
   more) handshake for connection establishment succeeds, bi-directional
   communication is confirmed and both the "send" and "recv"
   preconditions are satisfied whether requested or not.  In the case of
   TCP for example, once the TCP three-way handshake has completed (SYN,
   SYN-ACK, ACK), the TCP connection is established and data can be sent
   and received by either party (i.e., both a send and a receive
   connectivity precondition has been satisfied).  SCTP [RFC4960]
   connections have similar semantics as TCP and SHOULD be treated the
   same.

   When a connection-oriented transport is part of an offer, it may be
   passive, active, or active/passive [RFC4145].  When it is passive,
   the offerer expects the answerer to initiate the connection



Andreasen, et al.       Expires September 5, 2010               [Page 9]


Internet-Draft          Connectivity Precondition             March 2010


   establishment, and when it is active, the offerer wants to initiate
   the connection establishment.  When it is active/passive, the
   answerer decides.  As noted earlier, lack of a media-stream-to-dialog
   correlation mechanism can make it difficult to guarantee with whom
   connectivity has been ascertained.  When the offerer takes on the
   passive role, the offerer will not necessarily know which SIP dialog
   originated an incoming connection request.  If the offerer instead is
   active, this problem is avoided.


5.  Connectivity and Other Precondition Types

   The role of a connectivity precondition is to ascertain media stream
   connectivity before establishing or modifying a session.  The
   underlying intent is for the two parties to be able to exchange media
   packets successfully.  Connectivity by itself however may not fully
   satisfy this.  Quality of Service for example may be required for the
   media stream; this can be addressed by use of the "qos" precondition
   defined in RFC 3312 [RFC3312].  Similarly, successful security
   parameter negotiation may be another prerequisite; this can be
   addressed by use of the "sec" precondition defined in RFC 5027
   [RFC5027].


6.  Examples

   The first example uses the connectivity precondition with TCP in the
   context of a session involving a wireless access medium.  Both UAs
   use a radio access network that does not allow them to send any data
   (not even a TCP SYN) until a radio bearer has been setup for the
   connection.  Figure 1 shows the message flow of this example (the
   required PRACK transaction has been omitted for clarity):



















Andreasen, et al.       Expires September 5, 2010              [Page 10]


Internet-Draft          Connectivity Precondition             March 2010


               A                                    B
               |  INVITE                            |
               |  a=curr:conn e2e none              |
               |  a=des:conn mandatory e2e sendrecv |
               |  a=setup:holdconn                  |
               |----------------------------------->|
               |                                    |
               |  183 Session Progress              |
               |  a=curr:conn e2e none              |
               |  a=des:conn mandatory e2e sendrecv |
               |  a=setup:holdconn                  |
               |<-----------------------------------|
               |                                    |
               |  UPDATE                            |
               |  a=curr:conn e2e none              |
               |  a=des:conn mandatory e2e sendrecv |
     A's radio |  a=setup:actpass                   |
     bearer is +----------------------------------->|
     up        |                                    |
               |  200 OK                            |
               |  a=curr:conn e2e none              |
               |  a=des:conn mandatory e2e sendrecv |
               |  a=setup:active                    |
               |<-----------------------------------|
               |                                    |
               |                                    |
               |                                    |
               |                                    | B's radio
               |<---TCP Connection Establishment--->+ bearer is up
               |                                    | B sends TCP SYN
               |                                    |
               |                                    |
               |  180 Ringing                       | TCP connection
               |<-----------------------------------+ is up
               |                                    | B alerts the user
               |                                    |

          Figure 1: Message flow with two types of preconditions

   A sends an INVITE requesting connection-establishment preconditions.
   The setup attribute in the offer is set to holdconn [RFC4145] because
   A cannot send or receive any data before setting up a radio bearer
   for the connection.

   B agrees to use the connectivity precondition by sending a 183
   (Session Progress) response.  The setup attribute in the answer is
   also set to holdconn because B, like A, cannot send or receive any
   data before setting up a radio bearer for the connection.



Andreasen, et al.       Expires September 5, 2010              [Page 11]


Internet-Draft          Connectivity Precondition             March 2010


   When A's radio bearer is ready, A sends an UPDATE to B with a setup
   attribute with a value of actpass.  This attribute indicates that A
   can perform an active or a passive TCP open.  A is letting B choose
   which endpoint will initiate the connection.

   Since B's radio bearer is not ready yet, B chooses to be the one
   initiating the connection and indicates so with a setup attribute
   with a value of active.  At a later point, when B's radio bearer is
   ready, B initiates the TCP connection towards A.

   Once the TCP connection is established successfully, B knows the
   "sendrecv" precondition is satisfied, and B proceeds with the session
   (i.e., alerts the Callee), and sends a 180 (Ringing) response.

   The second example shows a basic SIP session establishment using SDP
   connectivity preconditions and ICE (the required PRACK transaction
   and some SDP details have been omitted for clarity).  The message
   flow for this scenario is shown in Figure 2 below.


                  A                                            B

                  |                                            |
                  |-------------(1) INVITE SDP1--------------->|
                  |                                            |
                  |<------(2) 183 Session Progress SDP2--------|
                  |                                            |
                  |<~~~~~ Connectivity check to A ~~~~~~~~~~~~~|
                  |~~~~~ Connectivity to A OK ~~~~~~~~~~~~~~~~>|
                  |                                            |
                  |~~~~~ Connectivity check to B ~~~~~~~~~~~~~>|
                  |<~~~~ Connectivity to B OK ~~~~~~~~~~~~~~~~~|
                  |                                            |
                  |-------------(3) UPDATE SDP3--------------->|
                  |                                            |
                  |<--------(4) 200 OK (UPDATE) SDP4-----------|
                  |                                            |
                  |<-------------(5) 180 Ringing---------------|
                  |                                            |
                  |                                            |

     Figure 2: Connectivity precondition with ICE Connectivity Checks

   SDP1: A includes a mandatory end-to-end connectivity precondition
   with a desired status of "sendrecv"; this will ensure media stream
   connectivity in both directions before continuing with the session
   setup.  Since media stream connectivity in either direction is
   unknown at this point, the current status is set to "none".  A's



Andreasen, et al.       Expires September 5, 2010              [Page 12]


Internet-Draft          Connectivity Precondition             March 2010


   local status table (see [RFC3312]) for the connectivity precondition
   is as follows:


       Direction |  Current | Desired Strength |  Confirm
      -----------+----------+------------------+----------
         send    |    no    |   mandatory      |    no
         recv    |    no    |   mandatory      |    no

   and the resulting offer SDP is:


   a=ice-pwd:asd88fgpdd777uzjYhagZg
   a=ice-ufrag:8hhY
   m=audio 20000 RTP/AVP 0
   c=IN IP4 192.0.2.1
   a=curr:conn e2e none
   a=des:conn mandatory e2e sendrecv
   a=candidate:1 1 UDP 2130706431 192.0.2.1 20000 typ host

   SDP2: When B receives the offer, B sees the mandatory sendrecv
   connectivity precondition.  B can ascertain connectivity to A ("send"
   from B's point of view) by use of the ICE connectivity check, however
   B wants A to inform it about connectivity in the other direction
   ("recv" from B's point of view).  B's local status table therefore
   looks as follows:


       Direction |  Current | Desired Strength |  Confirm
      -----------+----------+------------------+----------
         send    |    no    |   mandatory      |    no
         recv    |    no    |   mandatory      |    no

   Since B wants to ask A for confirmation about the "recv" (from B's
   point of view) connectivity precondition, the resulting answer SDP
   becomes:















Andreasen, et al.       Expires September 5, 2010              [Page 13]


Internet-Draft          Connectivity Precondition             March 2010


     a=ice-pwd:qrCA8800133321zF9AIj98
     a=ice-ufrag:H92p
     m=audio 30000 RTP/AVP 0
     c=IN IP4 192.0.2.4
     a=curr:conn e2e none
     a=des:conn mandatory e2e sendrecv
     a=conf:conn e2e recv
     a=candidate:1 1 UDP 2130706431 192.0.2.4 30000 typ host

   Meanwhile, B performs a successful send connectivity check to A by
   sending an ICE connectivity check packet to A and receiving the
   corresponding response.  B's local status table is updated as
   follows:


       Direction |  Current | Desired Strength |  Confirm
      -----------+----------+------------------+----------
         send    |    yes   |   mandatory      |    no
         recv    |    no    |   mandatory      |    no

   Since the "recv" connectivity precondition (from B's point of view)
   is still not satisfied, session establishment remains suspended.

   SDP3: When A receives the answer SDP, A notes that confirmation was
   requested for B's "recv" connectivity precondition, which is the
   "send" precondition from A's point of view.  A performs a successful
   send connectivity check to B by sending an ICE connectivity check to
   B and receiving the corresponding response.  A's local status table
   becomes:


       Direction |  Current | Desired Strength |  Confirm
      -----------+----------+------------------+----------
         send    |    yes   |   mandatory      |    yes
         recv    |    no    |   mandatory      |    no

   Since B asked for confirmation about the "send" connectivity (from
   A's point of view), A now sends an UPDATE (5) to B to confirm the
   connectivity from A to B:












Andreasen, et al.       Expires September 5, 2010              [Page 14]


Internet-Draft          Connectivity Precondition             March 2010


     a=ice-pwd:asd88fgpdd777uzjYhagZg
     a=ice-ufrag:8hhY
     m=audio 20000 RTP/AVP 0
     c=IN IP4 192.0.2.1
     a=curr:conn e2e send
     a=des:conn mandatory e2e sendrecv
     a=candidate:1 1 UDP 2130706431 192.0.2.1 20000 typ host

   B has both send and recv connectivity confirmed at this point and the
   session can continue.


7.  Security Considerations

   General security considerations for preconditions are discussed in
   RFC 3312 [RFC3312] and RFC 4032 [RFC4032].  As discussed in RFC 4032
   [RFC4032], it is strongly RECOMMENDED that integrity protection be
   applied to the SDP session descriptions.  S/MIME [RFC3853]
   protection, as described in RFC 3261 [RFC3261].  When the user agent
   provides identity services (rather than the proxy server), the SIP
   identity mechanism specified in RFC 4474 [RFC4474] provides an
   alternative end-to-end integrity protection.  Additionally, the
   following security issues relate specifically to connectivity
   preconditions.

   Connectivity preconditions rely on mechanisms beyond SDP such as TCP
   [RFC0793] connection establishment, or ICE connectivity checks
   [I-D.ietf-mmusic-ice] to establish and verify connectivity between an
   offerer and an answerer.  An attacker that prevents those mechanisms
   from succeeding (e.g., by keeping ICE connectivity checks from
   arriving to their destination) can prevent media sessions from being
   established.  While this attack relates to connectivity
   preconditions, it is actually an attack against the connection
   establishment mechanisms used by the endpoints.  This attack can be
   performed in the presence or in the absence of connectivity
   preconditions.  In their presence, the whole session setup will be
   disrupted.  In their absence, only the establishment of the
   particular stream under attack will be disrupted.  This specification
   does not provide any mechanism against attackers able to block
   traffic between the endpoints involved in the session because such an
   attacker will always be able to launch DoS (Denial of Service)
   attacks.

   Instead of blocking the connectivity checks, the attacker can
   generate forged connectivity checks that would cause the endpoints to
   assume that there was connectivity when there was actually no
   connectivity.  This attack would result in a poor user's experience
   because the session would be established without all the media



Andreasen, et al.       Expires September 5, 2010              [Page 15]


Internet-Draft          Connectivity Precondition             March 2010


   streams being ready.  The same attack can be used, regardless of
   whether or not connectivity preconditions are used, to attempt to
   hijack a connection.  The forged connectivity checks would trick the
   endpoints into sending media to the wrong direction.  To prevent
   these attacks, it is RECOMMENDED that the mechanisms used to check
   connectivity are adequately secured by message authentication and
   integrity protection.  For example, Section 2.5 of
   [I-D.ietf-mmusic-ice] discusses how message integrity and data origin
   authentication are implemented in ICE connectivity checks.


8.  IANA Considerations

   IANA is hereby requested to register a new precondition type under
   the Precondition Types used with SIP subregistry, which is located
   under the Session Initiation Protocol (SIP) Parameters registry.


   Precondition-Type  Description                          Reference
   -----------------  -----------------------------------  ---------
   conn               Connectivity precondition            [RFCxxxx]

   [Note to the RFC Editor: replace RFCxxxx with the number assigned to
   this RFC.]


9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
              A., Peterson, J., Sparks, R., Handley, M., and E.
              Schooler, "SIP: Session Initiation Protocol", RFC 3261,
              June 2002.

   [RFC3312]  Camarillo, G., Marshall, W., and J. Rosenberg,
              "Integration of Resource Management and Session Initiation
              Protocol (SIP)", RFC 3312, October 2002.

   [RFC3853]  Peterson, J., "S/MIME Advanced Encryption Standard (AES)
              Requirement for the Session Initiation Protocol (SIP)",
              RFC 3853, July 2004.

   [RFC4032]  Camarillo, G. and P. Kyzivat, "Update to the Session
              Initiation Protocol (SIP) Preconditions Framework",



Andreasen, et al.       Expires September 5, 2010              [Page 16]


Internet-Draft          Connectivity Precondition             March 2010


              RFC 4032, March 2005.

   [RFC4474]  Peterson, J. and C. Jennings, "Enhancements for
              Authenticated Identity Management in the Session
              Initiation Protocol (SIP)", RFC 4474, August 2006.

   [RFC4566]  Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
              Description Protocol", RFC 4566, July 2006.

   [RFC5027]  Andreasen, F. and D. Wing, "Security Preconditions for
              Session Description Protocol (SDP) Media Streams",
              RFC 5027, October 2007.

   [I-D.ietf-mmusic-ice]
              Rosenberg, J., "Interactive Connectivity Establishment
              (ICE): A Protocol for Network Address Translator (NAT)
              Traversal for Offer/Answer Protocols",
              draft-ietf-mmusic-ice-19 (work in progress), October 2007.

9.2.  Informative References

   [RFC0793]  Postel, J., "Transmission Control Protocol", STD 7,
              RFC 793, September 1981.

   [RFC4145]  Yon, D. and G. Camarillo, "TCP-Based Media Transport in
              the Session Description Protocol (SDP)", RFC 4145,
              September 2005.

   [RFC4960]  Stewart, R., "Stream Control Transmission Protocol",
              RFC 4960, September 2007.

   [RFC5109]  Li, A., "RTP Payload Format for Generic Forward Error
              Correction", RFC 5109, December 2007.

   [I-D.ietf-mmusic-ice-tcp]
              Perreault, S. and J. Rosenberg, "TCP Candidates with
              Interactive Connectivity Establishment (ICE)",
              draft-ietf-mmusic-ice-tcp-08 (work in progress),
              October 2009.












Andreasen, et al.       Expires September 5, 2010              [Page 17]


Internet-Draft          Connectivity Precondition             March 2010


Authors' Addresses

   Flemming Andreasen
   Cisco Systems, Inc.
   499 Thornall Street, 8th Floor
   Edison, NJ  08837
   USA

   Email: fandreas@cisco.com


   Gonzalo Camarillo
   Ericsson
   Hirsalantie 11
   Jorvas  02420
   Finland

   Email: Gonzalo.Camarillo@ericsson.com


   David Oran
   Cisco Systems, Inc.
   7 Ladyslipper Lane
   Acton, MA  01720
   USA

   Email: oran@cisco.com


   Dan Wing
   Cisco Systems, Inc.
   170 West Tasman Drive
   San Jose, CA  95134
   USA

   Email: dwing@cisco.com















Andreasen, et al.       Expires September 5, 2010              [Page 18]


Html markup produced by rfcmarkup 1.123, available from https://tools.ietf.org/tools/rfcmarkup/