On Sep 27, 2009, at 2:10 PM, Eric Rescorla wrote:
No, this doesn't sound right. The idea here is that ICE provides a fast connectivity check and then you only establish TLS/DTLS connections over the single channel that ICE successfully establishes. If you do things the other way (TLS first, then ICE), then you end up trying to establish a zillion independent (D)TLS connections (which would be really slow even if it worked, which it won't) and then running ICE, which is pointless since you can't establish a (D)TLS connection unless you have two-way connectivity.
This is literally a few lines of code I have to change to run non-encrypted ICE. This isn't very clear in the draft because the MUSTs pertaining to DTLS and TLS seem to overlap the ICE implementation. This resolves the topic since RFC 5389 and DTLS aren't used in conjunction in the draft.
Thanks for the clarification on that, Julian
-Ekr
_______________________________________________
P2PSIP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/p2psip
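The ordering Ekr argues for above (ICE connectivity checks first, then a single (D)TLS session on the pair that passed) is easy to model. The following is an added example, not code from the thread, the draft or any P2PSIP implementation: the STUN Binding request/response is encoded and parsed in the real RFC 5389 wire format (magic cookie, 96-bit transaction ID, XOR-MAPPED-ADDRESS), but the network, the candidate addresses and the DTLS handshake are constructed stand-ins that only count attempts and succeed only over a pair with two-way reachability. Running both orderings over the same candidates shows why the reversed order is wasteful: it pays a handshake on every candidate pair instead of one.

```python
"""Model of ICE-then-DTLS versus DTLS-then-ICE over a set of candidate pairs.

STUN encoding follows RFC 5389; the network and the DTLS handshake are
simulated (assumptions for this example, not a real transport).
"""
import ipaddress
import os
import struct
from itertools import product

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """RFC 5389 header: type, attribute length (0), magic cookie, 96-bit transaction ID."""
    assert len(txid) == 12
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def parse_binding_request(msg: bytes):
    """Return the transaction ID of a well-formed Binding request, else None."""
    if len(msg) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_REQUEST or cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        return None
    return msg[8:20]


def build_binding_success(txid: bytes, ip: str, port: int) -> bytes:
    """Binding success response carrying XOR-MAPPED-ADDRESS (IPv4 only here)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)  # reserved, family, X-Port, X-Address
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def parse_binding_success(msg: bytes, expected_txid: bytes):
    """Return (ip, port) from XOR-MAPPED-ADDRESS if msg answers our transaction, else None."""
    if len(msg) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or msg[8:20] != expected_txid:
        return None
    if len(msg) != 20 + length:
        return None
    body = msg[20:]
    while len(body) >= 4:
        atype, alen = struct.unpack("!HH", body[:4])
        value = body[4:4 + alen]
        if len(value) != alen:
            return None
        if atype == XOR_MAPPED_ADDRESS and alen == 8:
            _, family, xport, xaddr = struct.unpack("!BBHI", value)
            if family != 0x01:
                return None
            return (str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16))
        body = body[4 + ((alen + 3) & ~3):]  # attributes are padded to 4 bytes
    return None


class SimulatedNetwork:
    """Constructed stand-in for the network: only pairs in `reachable` deliver two-way traffic."""

    def __init__(self, reachable):
        self.reachable = set(reachable)
        self.dtls_handshakes = 0

    def stun_check(self, local, remote):
        """One ICE connectivity check: send a Binding request, expect a matching success."""
        txid = os.urandom(12)
        req = build_binding_request(txid)
        if (local, remote) not in self.reachable:
            return None  # request or response lost: no two-way path
        seen_txid = parse_binding_request(req)
        resp = build_binding_success(seen_txid, local[0], local[1])  # responder reflects the source
        return parse_binding_success(resp, txid)

    def dtls_handshake(self, local, remote):
        """Simulated (D)TLS handshake: counted, and it can only complete over a two-way path."""
        self.dtls_handshakes += 1
        return (local, remote) in self.reachable


def ice_then_dtls(net, local_cands, remote_cands):
    """Check pairs with STUN first; run exactly one DTLS handshake on the selected pair."""
    for local, remote in product(local_cands, remote_cands):
        if net.stun_check(local, remote) is not None:
            return (local, remote) if net.dtls_handshake(local, remote) else None
    return None


def dtls_then_ice(net, local_cands, remote_cands):
    """Reversed order: a DTLS handshake is attempted on every pair before any pair is known to work."""
    selected = None
    for local, remote in product(local_cands, remote_cands):
        if net.dtls_handshake(local, remote) and selected is None:
            selected = (local, remote)
    return selected


# Constructed candidates: a host and a server-reflexive address per side; only the public pair works.
LOCAL = [("10.0.0.5", 5000), ("203.0.113.7", 5000)]
REMOTE = [("192.168.1.9", 6000), ("198.51.100.3", 6000)]
REACHABLE = {(("203.0.113.7", 5000), ("198.51.100.3", 6000))}


def compare():
    """Return (selected pair, handshakes) for each ordering over the same candidate set."""
    a = SimulatedNetwork(REACHABLE)
    sel_a = ice_then_dtls(a, LOCAL, REMOTE)
    b = SimulatedNetwork(REACHABLE)
    sel_b = dtls_then_ice(b, LOCAL, REMOTE)
    return sel_a, a.dtls_handshakes, sel_b, b.dtls_handshakes


if __name__ == "__main__":
    print(compare())
```

Both orderings end on the same pair, but the ICE-first path spends one (D)TLS handshake while the reversed path spends one per candidate pair (four here, and N×M in general), most of them doomed because the path has no two-way connectivity, which is the cost Ekr is pointing at.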
