Re: [MMUSIC] [rtcweb] [tram] TURN permissions for private ips

Martin Thomson <martin.thomson@gmail.com> Thu, 06 August 2015 21:36 UTC

In-Reply-To: <A200625B-5402-41A8-9940-988AE1774123@vidyo.com>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com> <55C24293.5000603@cs.tcd.ie> <55C24C09.8020404@goodadvice.pages.de> <55C256C8.80606@jive.com> <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com> <F144FF61-AAC6-4E0A-B08E-0E3F9B487F1B@vidyo.com> <CAOJ7v-0Z4fmWjVaeiAJh=rpYPjUsk_k8_=g8CrecAZQWtRG1AQ@mail.gmail.com> <CABkgnnXubczrXpR+YHeF1+zNrNoPNMH_XdB1+pCAGZ9LQn0UXw@mail.gmail.com> <A200625B-5402-41A8-9940-988AE1774123@vidyo.com>
Date: Thu, 06 Aug 2015 14:36:29 -0700
Message-ID: <CABkgnnVGZAqgJeHnpoJCt5m3necLp6uuU-JBiwtJFb=7igRZwg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Jonathan Lennox <jonathan@vidyo.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/2oQHJ4a5tZXATAD_cM5-YZVZF-M>
Cc: mmusic <mmusic@ietf.org>, "rtcweb@ietf.org" <rtcweb@ietf.org>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [MMUSIC] [rtcweb] [tram] TURN permissions for private ips
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>

On 6 August 2015 at 14:08, Jonathan Lennox <jonathan@vidyo.com> wrote:
> What is the threat model/concern here?  Are you trying to save 20 ms for the connectivity check, or are you concerned that the remote candidates are visible on the wire and to the turn server?
Well, perhaps I'd missed the point of the thread, but my understanding
was that attempting to pair TURN candidates with private address
ranges had several negative characteristics:

1. they are unlikely to work
2. they expose the 1918 address to the TURN server
3. they expose the 1918 address to others (depending on whether DTLS
is used to the TURN server and how far a check toward that address
actually makes it through the network)
4. they consume a check slot

Obviously, a lot of this hinges on the first point. If there is a
reasonable chance that the pairing works, then maybe the other costs
can be borne.
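The candidate-pair pruning that the four points above argue for, written out as an added example (this is illustration code, not code from the thread, from any ICE stack, or from a TURN server). The candidate model, the `should_prune` rule and the sample addresses are assumptions: the sample uses RFC 1918 space for the private side and TEST-NET documentation ranges for the public and relayed addresses, all constructed for this example. Only pairs where the local candidate is a TURN relay and the remote address falls inside one of the three RFC 1918 blocks are dropped, so a host or server-reflexive local candidate still gets to try the private address directly.

```python
"""Drop ICE candidate pairs that would send a TURN-relayed check toward an
RFC 1918 address (added example; candidate model and prune rule are assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# The three RFC 1918 private IPv4 blocks (the "1918 address" ranges in the thread).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass(frozen=True)
class Candidate:
    """Simplified ICE candidate (assumed model): address, port and type."""
    address: str
    port: int
    typ: str  # "host", "srflx" or "relay"


def is_rfc1918(address: str) -> bool:
    """True only for IPv4 addresses inside one of the RFC 1918 blocks.
    Loopback, link-local and IPv6 ULA deliberately do not count here."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP literal at all
    return ip.version == 4 and any(ip in net for net in RFC1918)


def should_prune(local: Candidate, remote: Candidate) -> bool:
    """Assumed prune rule: a check from our relayed candidate toward a remote
    RFC 1918 address is unlikely to work, discloses that address to the TURN
    server, and occupies a check slot, so the pair is not formed."""
    return local.typ == "relay" and is_rfc1918(remote.address)


Pair = Tuple[Candidate, Candidate]


def form_pairs(local_cands: List[Candidate],
               remote_cands: List[Candidate]) -> Tuple[List[Pair], List[Pair]]:
    """Form every local/remote pair of matching IP version and split it into
    the pairs kept for the check list and the pairs pruned by should_prune."""
    kept: List[Pair] = []
    pruned: List[Pair] = []
    for local in local_cands:
        for remote in remote_cands:
            lv = ipaddress.ip_address(local.address).version
            rv = ipaddress.ip_address(remote.address).version
            if lv != rv:
                continue  # RFC 8445 only pairs candidates of the same IP family
            (pruned if should_prune(local, remote) else kept).append((local, remote))
    return kept, pruned


# Constructed sample candidates: private side uses RFC 1918 space, public and
# relayed sides use TEST-NET documentation ranges.
SAMPLE_LOCALS = [
    Candidate("192.168.1.10", 50000, "host"),
    Candidate("203.0.113.5", 50000, "srflx"),
    Candidate("198.51.100.7", 60000, "relay"),  # address allocated on the TURN server
]
SAMPLE_REMOTES = [
    Candidate("10.0.0.4", 40000, "host"),
    Candidate("203.0.113.9", 40000, "srflx"),
]


def summarize(local_cands=SAMPLE_LOCALS, remote_cands=SAMPLE_REMOTES) -> dict:
    """Return how many pairs survive and which were pruned, for inspection."""
    kept, pruned = form_pairs(local_cands, remote_cands)
    return {
        "kept": len(kept),
        "pruned": [(l.typ, r.address) for l, r in pruned],
    }


if __name__ == "__main__":
    print(summarize())
```

Whether the rule is safe to apply hinges, as the message says, on the first point: in a deployment where the TURN server can actually reach the peer's private network (the server sits inside the same enterprise, say), the pruned pair is the one that would have connected, so the filter should be a policy knob rather than hard-coded.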