MMUSIC
Internet Engineering Task Force (IETF)                          A. Begen
Internet-Draft
Request for Comments: 7197                                         Cisco
Intended status:
Category: Standards Track                                         Y. Cai
Expires: June 6, 2014
ISSN: 2070-1721                                                Microsoft
                                                                   H. Ou
                                                                   Cisco
                                                        December 3, 2013

   Delayed
                                                              April 2014

    Duplication Delay Attribute in the Session Description Protocol
                draft-ietf-mmusic-delayed-duplication-03

Abstract

   A straightforward approach to provide protection against packet
   losses due to network outages with a longest duration of T time units
   is to duplicate the original packets and send each copy separated in
   time by at least T time units.  This approach is commonly referred to
   as Time-shifted Redundancy, Temporal Redundancy "time-shifted redundancy", "temporal redundancy", or simply Delayed
   Duplication.
   "delayed duplication".  This document defines an attribute to
   indicate the presence of temporally redundant media streams and the
   duplication delay in the Session Description Protocol.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents an Internet Standards Track document.

   This document is a product of the Internet Engineering Task Force
   (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list  It represents the consensus of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid the IETF community.  It has
   received public review and has been approved for a maximum publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   Internet Standards is available in Section 2 of RFC 5741.

   Information about the current status of six months this document, any errata,
   and how to provide feedback on it may be updated, replaced, or obsoleted by other documents obtained at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 6, 2014.
   http://www.rfc-editor.org/info/rfc7197.

Copyright Notice

   Copyright (c) 2013 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2 ....................................................2
   2. Requirements Notation . . . . . . . . . . . . . . . . . . . .   4 ...........................................4
   3. The 'duplication-delay' Attribute . . . . . . . . . . . . . .   4 ...............................5
   4. SDP Examples  . . . . . . . . . . . . . . . . . . . . . . . .   5 ....................................................6
   5. Security Considerations . . . . . . . . . . . . . . . . . . .   7 .........................................7
   6. IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8 .............................................8
      6.1. Registration of SDP Attributes  . . . . . . . . . . . . .   8 .............................9
   7. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9 ................................................9
   8. References  . . . . . . . . . . . . . . . . . . . . . . . . .   9 ......................................................9
      8.1. Normative References  . . . . . . . . . . . . . . . . . .   9 .......................................9
      8.2. Informative References  . . . . . . . . . . . . . . . . .   9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  10 ....................................10

1.  Introduction

   Inside an IP network, packet delivery may be interrupted due to
   failure of a physical link, interface interface, or device failure. device.  To reduce the
   impact of such interruptions, some networks are built in a resilient
   manner, allowing for multiple alternative paths between two
   endpoints.  However, if there is no resiliency in the network or the
   failure happens in a non-resilient part of the network, a temporary
   outage will occur (i.e., packets will get dropped) lasting dropped).  The outage will
   last until network reconvergence takes place (i.e., until
   connectivity is restored restored) around the failure (which is called network
   reconvergence). failure.  Typically, network
   reconvergence takes between tens and hundreds of milliseconds milliseconds,
   depending on the size and features of the network.

   There are a number of network-reconvergence technologies available
   today
   today, such as IP Fast Convergence, MPLS Traffic Engineering Fast
   Reroute
   Reroute, and Multicast Only Fast Reroute.  These technologies can be
   augmented by different types of application-layer loss-repair methods
   such as Forward Error Correction (FEC), retransmission, temporal
   redundancy
   redundancy, and spatial redundancy to minimize (and sometimes totally
   eliminate) the impact of outages.  Each combination has its distinct
   requirements in terms of bandwidth consumption and results in a
   different network complexity.  Thus, a network operator has to
   carefully consider what combination to deploy for different parts of
   a network (e.g., core vs. edge).  A detailed overview of network-
   convergence technologies and loss-repair methods is provided in
   [IC2011].

   One of the loss-repair methods is temporal redundancy, also known as
   delayed duplication.  A media sender using this method transmits an
   original source packet and transmits its duplicate after a certain
   delay following the original transmission.  If a network outage hits
   the original transmission, the expectation is that the second
   transmission arrives at the receiver (with a high probability).
   Alternatively, the second transmission may be hit by an outage and so
   gets dropped, and the original transmission completes successfully.
   On the receiver side,
   Also, both transmissions can also arrive and on the receiver side; in that
   case, the receiver (or the node that does the duplicate suppression)
   needs to identify the duplicate packets and discard them
   appropriately, thereby producing a duplicate-free stream.

   Delayed duplication can be used in a variety of multimedia
   applications where there is sufficient bandwidth for the duplicated
   traffic and the application can tolerate the introduced delay.
   However, it must be used with care care, since it might easily result in a
   new series of denial-of-service attacks.  Delayed duplication is
   harmful in cases where the primary cause of packet loss is
   congestion, rather than a network outage due to a temporary link or
   network element failure.  Duplication should only be used by
   endpoints that want to protect against network failures; protection
   against congestion must be achieved through other means means, as
   duplication will only make congestion only worse.

   One particular use case for delayed duplication is to improve the
   reliability of real-time video feeds inside a core IP network where
   bandwidth is plentiful and maximum reliability (preferably zero loss)
   is desired [IC2011].  Compared to other redundancy approaches such as
   FEC [RFC6363] and redundant data encoding (e.g., [RFC2198]), delayed
   duplication is easy to implement implement, since it does not require any
   special type of encoding or decoding.

   For duplicate suppression, the receiver has to be able to identify
   the identical packets.  This is straightforward for media packets
   that carry one or more unique identifiers such as the sequence number
   field in the RTP header [RFC3550].  In non-RTP applications, the
   receiver can use unique sequence numbers if available or other
   alternative approaches to compare the incoming packets and discard
   the duplicate ones.

   This specification introduces a new Session Description Protocol
   (SDP) [RFC4566] attribute for applications/services using the delayed
   duplication method to indicate the relative delay for each additional
   duplication.  The attribute is used with the Duplication Grouping
   Semantics duplication grouping
   semantics defined in [I-D.ietf-mmusic-duplication-grouping]. [RFC7104].

   This specification does not explain how to select the duplication
   delay that a sender should use, which use; the selection technique depends on
   the underlying network and the reconvergence technologies used inside this
   such a network.  This specification does not explain how the receiver
   should suppress the duplicate packets and merge the incoming streams
   to produce a loss-free and duplication-free output stream (a process
   commonly called stream merging), "stream merging"), either.  An application or a
   transport service that will use the delayed duplication method must
   determine its own rules about stream merging.

   In practice, more than two redundant streams are unlikely to be used used,
   since the additional delay and increased overhead are not easily
   justified.  However, we define the new attribute in a general way so
   that it could be used with more than two redundant streams (i.e.,
   multiple duplications), if needed.  While the primary focus in this
   specification is the RTP-based transport, the new attribute is
   applicable to both RTP and non-RTP streams.  Protocol issues and
   details on duplicating RTP streams are presented in
   [I-D.ietf-avtext-rtp-duplication]. [RFC7198].

2.  Requirements Notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

3.  The 'duplication-delay' Attribute

   The following ABNF [RFC5234] syntax formally describes the
   'duplication-delay' attribute:

      delaying-attribute     = "a=duplication-delay:" periods CRLF
      periods                = period *( SP period)
      period                 = 1*DIGIT ; in milliseconds

        Figure 1:

             ABNF syntax Syntax for the 'duplication-delay' attribute Attribute

   The 'duplication-delay' attribute is defined as both a media-level
   and session-level attribute.  It specifies the relative delay with
   respect to the previous transmission of each duplication in
   milliseconds (ms) at the time of transmission.  The following rules
   apply:

   o  If used as a media-level attribute, it MUST be used with the
      'ssrc-group' attribute and "DUP" grouping semantics as defined in
      [I-D.ietf-mmusic-duplication-grouping].
      [RFC7104].  When used as a media-
      level media-level attribute, the relative
      delay value(s) it specifies SHALL apply to every Synchronization
      Source (SSRC)-based duplication grouping in the same media
      description.  In other words, one cannot specify different
      duplication delay values to for different duplication groups in the
      same media description.

   o  If used as a session-level attribute, it MUST be used with 'group'
      attribute and "DUP" grouping semantics as defined in
      [I-D.ietf-mmusic-duplication-grouping]. [RFC7104].
      When used as a session-
      level session-level attribute, the relative delay
      value(s) it specifies SHALL apply to every duplication grouping in
      the same SDP description.  In other words, one cannot specify
      different duplication delay values to for different duplication
      groups in the same SDP description.  If one needs to specify
      different duplication delay values for different duplication
      groups, then one MUST use different SDP descriptions for each or
      MUST use the 'duplication-
      delay' 'duplication-delay' attribute at the media level.  In
      that case, the 'duplication-
      delay' 'duplication-delay' attribute MUST NOT be used at
      the session level.

   o  For offer/answer model considerations, refer to
      [I-D.ietf-mmusic-duplication-grouping]. [RFC7104].

4.  SDP Examples

   In the first example below, the multicast stream consists of two RTP
   streams, each duplicated once, resulting in two sets of two-stream
   groups.  The same duplication delay of 100 ms is applied to each
   grouping.  The first set's streams have SSRCs of 1000 and 1010 1010, and
   the second set's streams have SSRCs of 1020 and 1030.

      v=0
      o=ali 1122334455 1122334466 IN IP4 dup.example.com
      s=Delayed Duplication
      t=0 0
      m=video 30000 RTP/AVP 100 101
      c=IN IP4 233.252.0.1/127
      a=source-filter:incl IN IP4 233.252.0.1 198.51.100.1
      a=rtpmap:100 MP2T/90000
      a=ssrc:1000 cname:ch1a@example.com
      a=ssrc:1010 cname:ch1a@example.com
      a=ssrc-group:DUP 1000 1010
      a=rtpmap:101 MP2T/90000
      a=ssrc:1020 cname:ch1b@example.com
      a=ssrc:1030 cname:ch1b@example.com
      a=ssrc-group:DUP 1020 1030
      a=duplication-delay:100
      a=mid:Ch1

   Note that in actual use, SSRC values, which are random 32-bit
   numbers, could be much larger than the ones shown in this example.

   In the second example below, the multicast stream is duplicated
   twice.  50 ms after the original transmission, the first duplicate is
   transmitted
   transmitted, and 100 ms after that, the second duplicate is
   transmitted.  In other words, the same packet is transmitted three
   times over a period of 150 ms.

      v=0
      o=ali 1122334455 1122334466 IN IP4 dup.example.com
      s=Delayed Duplication
      t=0 0
      m=video 30000 RTP/AVP 100
      c=IN IP4 233.252.0.1/127
      a=source-filter:incl IN IP4 233.252.0.1 198.51.100.1
      a=rtpmap:100 MP2T/90000
      a=ssrc:1000 cname:ch1c@example.com
      a=ssrc:1010 cname:ch1c@example.com
      a=ssrc:1020 cname:ch1c@example.com
      a=ssrc-group:DUP 1000 1010 1020
      a=duplication-delay:50 100
      a=mid:Ch1

   In the third example below, the multicast UDP stream is duplicated
   with a duplication delay of 50 ms.  Redundant streams are sent in
   separate source-specific multicast (SSM) sessions sessions, so the receiving
   host has to join both SSM sessions if it wants to receive both
   streams.

      v=0
      o=ali 1122334455 1122334466 IN IP4 dup.example.com
      s=Delayed Duplication
      t=0 0
      a=group:DUP S1a S1b
      a=duplication-delay:50
      m=audio 30000 udp mp4
      c=IN IP4 233.252.0.1/127
      a=source-filter:incl IN IP4 233.252.0.1 198.51.100.1
      a=mid:S1a
      m=audio 40000 udp mp4
      c=IN IP4 233.252.0.2/127
      a=source-filter:incl IN IP4 233.252.0.2 198.51.100.1
      a=mid:S1b

5.  Security Considerations

   The 'duplication-delay' attribute is not believed to introduce any
   significant security risk to multimedia applications.  A malevolent
   third party could use this attribute to misguide the receiver(s)
   about the duplication delays and/or the number of redundant streams.
   For example, if the malevolent third party increases the value of the
   duplication delay, the receiver(s) will unnecessarily incur a longer
   delay
   delay, since they will have to wait for the entire period.  Or, if
   the duplication delay is reduced by the malevolent third party, the
   receiver(s) might not wait long enough for the duplicated
   transmission and incur unnecessary packet losses.  However, these
   require intercepting and rewriting the packets carrying the SDP
   description; and if an interceptor can do that, many more attacks are
   also possible.

   In order to avoid attacks of this sort, the SDP description needs to
   be integrity protected and provided with source authentication.  This
   can, for example, be achieved on an end-to-end basis using S/MIME
   [RFC5652] [RFC5751] when SDP is used in a signaling packet using MIME
   types (application/sdp).  Alternatively, HTTPS [RFC2818] or the
   authentication method in the Session Announcement Protocol (SAP)
   [RFC2974] could be used as well.

   Another security risk is due to possible software misconfiguration or
   a software bug where a large number of duplicates could be
   unwillingly signaled in the 'duplication-delay' attribute.
   Similarly, an attacker can use this attribute to start a denial-of-
   service attack by signaling and sending too many duplicated streams.
   In applications where this attribute is to be used, it is a good
   practice to put a hard limit both on both the number of duplicate streams
   and the total delay introduced due to duplication duplication, regardless of what
   the SDP description specifies.

   Since this mechanism causes duplication of media packets, if those
   packets are also cryptographically protected, protected (e.g., encrypted) then
   such duplication could act as an accelerator if any million-message Million Message
   [RFC3218] or similar Lucky13 attack such as Lucky 13 [Lucky13] exists against
   the security mechanism that is in use.  Such acceleration could turn
   an otherwise infeasible attack into one that is practical, practical; however,
   assuming that the amount of duplication is small and that such weak
   or broken security mechanisms should really not be used, the overall
   security impact of the duplication should be minimal.  If  If, however, a bad-actor
   bad actor were in control of the SDP but did not have access to the
   keying material used for media, then such a bad actor could
   potentially use the SDP to cause the media handling to use a weak or
   broken mechanism with a lot of duplication, in which case the
   duplication could be significant.  Deployments where the SDP is
   controlled by an actor who should not have access to the media keying-material keying
   material should therefore be cautious in their use of this
   duplication mechanism.

   If this mechanism were used in conjunction with SDES a source description
   (SDES) and if the key being used for media protection is derived from
   a human-memorable or otherwise dictionary-attackable secret, then the
   duplication done here could allow for a more efficient dictionary
   attack against the media.  The right countermeasure is to use proper keying, or
   keying or, if using
   SDES an SDES, to ensure that the keys used are not
   dictionary-attackable.

6.  IANA Considerations

   The following contact information shall be used for all registrations the registration
   in this document:

      Ali Begen
      abegen@cisco.com

   Note to the RFC Editor: In the following, replace "XXXX" with the
   number of this document prior to publication as an RFC.

6.1.  Registration of SDP Attributes

   This document registers a new attribute name in SDP.

      SDP Attribute ("att-field"):

         Attribute name:     duplication-delay
         Long form:          Duplication delay for temporally redundant
                             streams
         Type of name:       att-field
         Type of attribute:  Media or session level
         Subject to charset: No
         Purpose:            Specifies the relative duplication delay(s)
                             for redundant stream(s)
         Reference:          [RFCXXXX]          [RFC7197]
         Values:             See [RFCXXXX] [RFC7197]

7.  Acknowledgements

   Authors

   The authors would like to thank Colin Perkins and Perkins, Paul Kyzivat Kyzivat, and
   Stephen Farrell for their suggestions and reviews.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC4566]  Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
              Description Protocol", RFC 4566, July 2006.

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, July 2003.

   [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

   [I-D.ietf-mmusic-duplication-grouping]

   [RFC7104]  Begen, A., Cai, Y., and H. Ou, "Duplication Grouping
              Semantics in the Session Description Protocol", draft-
              ietf-mmusic-duplication-grouping-04 (work in progress),
              November 2013. RFC 7104,
              January 2014.

8.2.  Informative References

   [RFC6363]  Watson, M., Begen, A., and V. Roca, "Forward Error
              Correction (FEC) Framework", RFC 6363, October 2011.

   [RFC2198]  Perkins, C., Kouvelas, I., Hodson, O., Hardman, V.,
              Handley, M., Bolot, J., Vega-Garcia, A., and S. Fosse-
              Parisis, "RTP Payload for Redundant Audio Data", RFC 2198,
              September 1997.

   [I-D.ietf-avtext-rtp-duplication]

   [RFC7198]  Begen, A. and C. Perkins, "Duplicating RTP Streams",
              draft-ietf-avtext-rtp-duplication-04 (work in progress),
              October 2013.
              RFC 7198, April 2014.

   [IC2011]   Evans, J., Begen, A., Greengrass, J., and C. Filsfils,
              "Toward Lossless Video Transport, Transport", IEEE Internet
              Computing,
              vol. 15/6, Vol. 15, No. 6, pp. 48-57", 48-57, November 2011.

   [RFC5652]  Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
              RFC 5652, September 2009.

   [RFC5751]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
              Mail Extensions (S/MIME) Version 3.2 Message
              Specification", RFC 5751, January 2010.

   [RFC2818]  Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.

   [RFC2974]  Handley, M., Perkins, C., and E. Whelan, "Session
              Announcement Protocol", RFC 2974, October 2000.

   [RFC3218]  Rescorla, E., "Preventing the Million Message Attack on
              Cryptographic Message Syntax", RFC 3218, January 2002.

   [Lucky13]  AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking
              the TLS and DTLS Record Protocols", IEEE Symposium on
              Security and Privacy, May 2013,
              <http://ieeexplore.ieee.org/
              xpl/articleDetails.jsp?tp=&arnumber=6547131
              &queryText%3DLucky+Thirteen>.

Authors' Addresses

   Ali Begen
   Cisco
   181 Bay Street
   Toronto, ON  M5J 2T3
   Canada

   Email:

   EMail: abegen@cisco.com

   Yiqun Cai
   Microsoft
   1065 La Avenida
   Mountain View, CA  94043
   USA

   Email:

   EMail: yiqunc@microsoft.com

   Heidi Ou
   Cisco
   170 W. Tasman Dr.
   San Jose, CA  95134
   USA

   Email:

   EMail: hou@cisco.com