IETF Logo Mail Archive

Re: [MMUSIC] [rtcweb] [tram] TURN permissions for private ips

Justin Uberti <juberti@google.com> Fri, 14 August 2015 20:41 UTC

Return-Path: <juberti@google.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A33C41A897A for <mmusic@ietfa.amsl.com>; Fri, 14 Aug 2015 13:41:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JZi4p1CERb6Y for <mmusic@ietfa.amsl.com>; Fri, 14 Aug 2015 13:41:23 -0700 (PDT)
Received: from mail-vk0-x235.google.com (mail-vk0-x235.google.com [IPv6:2607:f8b0:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 899F51A896D for <mmusic@ietf.org>; Fri, 14 Aug 2015 13:41:21 -0700 (PDT)
Received: by vkbf67 with SMTP id f67so34058103vkb.3 for <mmusic@ietf.org>; Fri, 14 Aug 2015 13:41:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=5TEPXqy91DSOyt8m+GDlYRXKvLYN3rdin7uuqqIiOX0=; b=ZoyStcHF9dE9TnPxgoIdaxCQHgGwjzApozWHoKdJ6zWg54WGYiDNi1jXiSnQeTRtrR fFjZZK1+jAMaBtB+U7mh24mc4fX09y641Aalwmca595wQCvDqFzB2/trCIjXRL4crFDI F3XMFcd1MTbcjeShPrnkqIzkmKJX+MHZzelPhz9IgMK3MgEPqowP68atK4/TrsJtt38s Y/uSGe3rqBqO0cA2L0xJlrmPdss48gEtmW6I2eak70UcbX3hzZXu4zAy3nCpTt62SNnx qH8vJ5AdMV4Qz0BvY5TGV1J7oFl3VdbaY/jyHuvmzjOs19bMfOBYlA7FHCx+rHd7veUq Prog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=5TEPXqy91DSOyt8m+GDlYRXKvLYN3rdin7uuqqIiOX0=; b=BgOFwKYOpt/QMnGg2RGvKblQ2xgjsElARmPNX5hEvNNM2OT7nYjIq2wCVV2rgEvz9H X6jeWEjPliKGZDOKc1ld6D+hjyLmMCVxvJqpqP2bMxx2fkh5M/jKsnQyAj93HziU7qYh +EaCFXeLN8hAbAK9bzZXh/wMAxK4+mbkEp9HW8J06CiAKdMfRvsBt84GoX1YgnYVji+S jRRHDuyOQu03xeM3pVeQ8zQWQBzD0op68KlV3nT2/QTzh95T4IGCiZWGOHni4JkGhNXE aPcYxLGCR1hy7oAwCU0wMEMApv548QEbCRjgh26tF8+Vi2S0GXD4cDH5//U+Oo0L6bdN iLNw==
X-Gm-Message-State: ALoCoQl9s5CiqGdCpreNFcipfGb7eqFPtc9qVmd+16gh6Wt2BzMU53ZMmPnV7BO6SWWNvD+cxGfK
X-Received: by 10.52.186.72 with SMTP id fi8mr56186482vdc.19.1439584880597; Fri, 14 Aug 2015 13:41:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.191.87 with HTTP; Fri, 14 Aug 2015 13:41:00 -0700 (PDT)
In-Reply-To: <CA9F86E1-5CE6-4E08-85CA-7EB727759516@iii.ca>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com> <55C24293.5000603@cs.tcd.ie> <55C24C09.8020404@goodadvice.pages.de> <55C256C8.80606@jive.com> <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com> <F144FF61-AAC6-4E0A-B08E-0E3F9B487F1B@vidyo.com> <CA9F86E1-5CE6-4E08-85CA-7EB727759516@iii.ca>
From: Justin Uberti <juberti@google.com>
Date: Fri, 14 Aug 2015 13:41:00 -0700
Message-ID: <CAOJ7v-2U__orcQN45Vb2qHjnEj5ZUkZRddi2jxEA7VKD4k14Bw@mail.gmail.com>
To: Cullen Jennings <fluffy@iii.ca>
Content-Type: multipart/alternative; boundary="bcaec548a8216eea60051d4b7941"
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/OSkIJLBgG0vCxm5s2hvlEoBh0AA>
Cc: Jonathan Lennox <jonathan@vidyo.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>, "tram@ietf.org" <tram@ietf.org>, mmusic <mmusic@ietf.org>
Subject: Re: [MMUSIC] [rtcweb] [tram] TURN permissions for private ips
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 20:41:24 -0000

Makes sense, although not sure that the apps will want to disclose the
private IPs of the media servers to endpoints.

Overall I think enough arguments have been made that it is safer for the
server to enforce this policy than clients, since the TURN server should be
more aware of the application topology.



On Fri, Aug 14, 2015 at 8:39 AM, Cullen Jennings <fluffy@iii.ca> wrote:

>
> > On Aug 6, 2015, at 7:14 AM, Jonathan Lennox <jonathan@vidyo.com> wrote:
> >
> >
> >> On Aug 5, 2015, at 5:35 PM, Justin Uberti <juberti@google.com> wrote:
> >>
> >> On Wed, Aug 5, 2015 at 11:32 AM, Simon Perreault <sperreault@jive.com>
> wrote:
> >> Le 2015-08-05 13:46, Philipp Hancke a écrit :
> >> > If a peer sends candidates with IP addresses from the private space,
> >> > permissions for those are created at the TURN server. Potentially not
> >> > utilising transport encryption even.
> >> >
> >> > I doubt those candidates ever work, so from a privacy point of view it
> >> > seems that clients should not create those permissions in the first
> >> > place. And ICE should probably not try to create pairs.
> >>
> >> It's not up to the client to determine what addresses might not might
> >> not work for a given TURN server. There are lots of weird NAT
> >> configurations out there that play games with RFC1918 addresses and can
> >> easily trick clients into doing the wrong thing.
> >>
> >> I am somewhat sympathetic to that, but given that there is measurable
> downside here - extra candidate pairs that take time to check - can you
> supply a concrete example of where the client choosing not to pair a TURN
> candidate with a RFC1918 address would cause a problem?
> >
> > This is really an ICE question, not a TURN question, so adding MMUSIC.
> >
> > Clearly, if your TURN server is actually on the public internet, pairing
> RFC1918 address with its candidates won’t do any good.  However, there can
> be scenarios where you have a TURN server sitting in a DMZ or the like,
> where it can actually route to RFC 1918 addresses.  I suspect this will be
> relevant in the various scenarios where the TURN server is topologically
> equivalent to a web proxy.
> >
> > As I recall from the discussions around the development of ICE, there
> are actually a fair number of networks out there which have public IPv4 and
> RFC1918 addresses directly routable to each other. The examples I remember
> came about as a result of corporate mergers, where one of the pre-merger
> companies was using their public address space internally, and the other
> wasn’t.
> >
>
> Some SPs are putting all their customers behind CGN (carrier grade NAT)
> and then looking at running cloud data centers where other people can rent
> servers (AWS style) where those servers have public IPs and at the same
> time they are directly routable to the all the NATed clients. That allows
> you to run media servers (STUN, TURN, Conferences MCU / Switches, caches
> etc) that have a low latency connectivity to the SP's customers endpoints.
> Note the customers's themselves often deploy an additional layer of
> residential NAT.
>
> So scenarios like this might be getting more common ....
>
>
>
>
>

v2.23.0 | Report a Bug | By Email