IETF Logo Mail Archive

Re: [MMUSIC] [tram] [rtcweb] TURN permissions for private ips

Jonathan Lennox <jonathan@vidyo.com> Thu, 06 August 2015 14:15 UTC

Return-Path: <jonathan@vidyo.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8485F1A0368; Thu, 6 Aug 2015 07:15:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.266
X-Spam-Level:
X-Spam-Status: No, score=-2.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLXjGNd_vlBb; Thu, 6 Aug 2015 07:15:07 -0700 (PDT)
Received: from mx0b-00198e01.pphosted.com (mx0b-00198e01.pphosted.com [67.231.157.197]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 292F51A002C; Thu, 6 Aug 2015 07:15:07 -0700 (PDT)
Received: from pps.filterd (m0073110.ppops.net [127.0.0.1]) by mx0b-00198e01.pphosted.com (8.15.0.59/8.14.7) with SMTP id t76EAawV022509; Thu, 6 Aug 2015 10:15:01 -0400
Received: from mail.vidyo.com ([162.209.16.214]) by mx0b-00198e01.pphosted.com with ESMTP id 1w0h0utqxb-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Thu, 06 Aug 2015 10:15:00 -0400
Received: from 492132-EXCH1.vidyo.com ([fe80::50:56ff:fe85:4f77]) by 492133-EXCH2.vidyo.com ([fe80::50:56ff:fe85:6b62%13]) with mapi id 14.03.0195.001; Thu, 6 Aug 2015 09:14:59 -0500
From: Jonathan Lennox <jonathan@vidyo.com>
To: Justin Uberti <juberti@google.com>
Thread-Topic: [tram] [rtcweb] TURN permissions for private ips
Thread-Index: AQHQ0FCLNCYkZhS0BUWVw9lyF0GfpZ3/V78A
Date: Thu, 06 Aug 2015 14:14:59 +0000
Message-ID: <F144FF61-AAC6-4E0A-B08E-0E3F9B487F1B@vidyo.com>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com> <55C24293.5000603@cs.tcd.ie> <55C24C09.8020404@goodadvice.pages.de> <55C256C8.80606@jive.com> <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com>
In-Reply-To: <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [198.200.77.253]
Content-Type: multipart/alternative; boundary="_000_F144FF61AAC64E0AB08E0E3F9B487F1Bvidyocom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.14.151, 1.0.33, 0.0.0000 definitions=2015-08-06_08:2015-08-06,2015-08-06,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1506180000 definitions=main-1508060236
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/N1Gy1QvmJ8of0gOi-fMr6WSAuK8>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, "tram@ietf.org" <tram@ietf.org>, mmusic <mmusic@ietf.org>
Subject: Re: [MMUSIC] [tram] [rtcweb] TURN permissions for private ips
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2015 14:15:10 -0000

On Aug 5, 2015, at 5:35 PM, Justin Uberti <juberti@google.com<mailto:juberti@google.com>> wrote:

On Wed, Aug 5, 2015 at 11:32 AM, Simon Perreault <sperreault@jive.com<mailto:sperreault@jive.com>> wrote:
Le 2015-08-05 13:46, Philipp Hancke a écrit :
> If a peer sends candidates with IP addresses from the private space,
> permissions for those are created at the TURN server. Potentially not
> utilising transport encryption even.
>
> I doubt those candidates ever work, so from a privacy point of view it
> seems that clients should not create those permissions in the first
> place. And ICE should probably not try to create pairs.

It's not up to the client to determine what addresses might not might
not work for a given TURN server. There are lots of weird NAT
configurations out there that play games with RFC1918 addresses and can
easily trick clients into doing the wrong thing.

I am somewhat sympathetic to that, but given that there is measurable downside here - extra candidate pairs that take time to check - can you supply a concrete example of where the client choosing not to pair a TURN candidate with a RFC1918 address would cause a problem?

This is really an ICE question, not a TURN question, so adding MMUSIC.

Clearly, if your TURN server is actually on the public internet, pairing RFC1918 address with its candidates won’t do any good.  However, there can be scenarios where you have a TURN server sitting in a DMZ or the like, where it can actually route to RFC 1918 addresses.  I suspect this will be relevant in the various scenarios where the TURN server is topologically equivalent to a web proxy.

As I recall from the discussions around the development of ICE, there are actually a fair number of networks out there which have public IPv4 and RFC1918 addresses directly routable to each other. The examples I remember came about as a result of corporate mergers, where one of the pre-merger companies was using their public address space internally, and the other wasn’t.

v2.23.0 | Report a Bug | By Email