IETF Logo Mail Archive

Re: [MMUSIC] [rtcweb] [tram] TURN permissions for private ips

Emil Ivov <emcho@jitsi.org> Tue, 11 August 2015 13:32 UTC

Return-Path: <emcho@sip-communicator.org>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C8A31A8A87 for <mmusic@ietfa.amsl.com>; Tue, 11 Aug 2015 06:32:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b381_aILbILl for <mmusic@ietfa.amsl.com>; Tue, 11 Aug 2015 06:32:36 -0700 (PDT)
Received: from mail-ob0-f179.google.com (mail-ob0-f179.google.com [209.85.214.179]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B7FD1A8A8B for <mmusic@ietf.org>; Tue, 11 Aug 2015 06:32:34 -0700 (PDT)
Received: by obbfr1 with SMTP id fr1so111099493obb.1 for <mmusic@ietf.org>; Tue, 11 Aug 2015 06:32:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding; bh=oBog2TBuvP1PhJ8odLGCSgBFb7+sT5hGtDUVYq1FoOU=; b=Sx95DUiZ3Lh4Y8ow3qv763zhj5jwdXtLvkiH0zkt115S47injf+0C93yO/oOzsFQ5K rAMI9NTgFoWpvxWlY57bg0ZJiJwPLSA24K+Bf3zzmtjYnvqVO7Pui7ePuNfFyH8Kgvvv LRfxa4X303SiTOYOHuDrmEghCD4ZDClh9aHbcRDf+WqMkmF0ZkwtfIibUq47aAJWPA23 XdGs+AJkmodawUb0LVj0ofF9kJtulxaWrEYS385M1uSsssdf7/KYJcOGh+aSHt6pDfYM 5Ex/67O7y8+wMw2HzKUTZj0QopiKlnIjz6OZlDmKR/0Gyqspb6iuc99k5bmP3pMVl9pL 20pg==
X-Gm-Message-State: ALoCoQkYns7ykt6WmkquiLqnEKAEwFmHFoh9LA6TeMvv2UYxYRSarXwM/JtIC2AVKHr2rO2CLBsm
X-Received: by 10.182.213.227 with SMTP id nv3mr24440495obc.10.1439299953816; Tue, 11 Aug 2015 06:32:33 -0700 (PDT)
Received: from mail-ob0-f171.google.com (mail-ob0-f171.google.com. [209.85.214.171]) by smtp.gmail.com with ESMTPSA id r3sm1633589oia.22.2015.08.11.06.32.30 for <mmusic@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Aug 2015 06:32:31 -0700 (PDT)
Received: by obnw1 with SMTP id w1so147737282obn.3 for <mmusic@ietf.org>; Tue, 11 Aug 2015 06:32:30 -0700 (PDT)
X-Received: by 10.182.215.226 with SMTP id ol2mr24296811obc.56.1439299950383; Tue, 11 Aug 2015 06:32:30 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.76.83.167 with HTTP; Tue, 11 Aug 2015 06:32:10 -0700 (PDT)
In-Reply-To: <3F10035A-70A4-46AE-AB44-4499541AC7C6@cisco.com>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com> <55C24293.5000603@cs.tcd.ie> <55C24C09.8020404@goodadvice.pages.de> <55C256C8.80606@jive.com> <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com> <F144FF61-AAC6-4E0A-B08E-0E3F9B487F1B@vidyo.com> <CAOJ7v-0Z4fmWjVaeiAJh=rpYPjUsk_k8_=g8CrecAZQWtRG1AQ@mail.gmail.com> <CABkgnnXubczrXpR+YHeF1+zNrNoPNMH_XdB1+pCAGZ9LQn0UXw@mail.gmail.com> <CAOJ7v-2PaLr8XLdVxfPY=YYzeQuoj49qypUTUr=wdbmSiMZO7A@mail.gmail.com> <CAPvvaaK9xxxfmVOjE_UtX_Z6RzLe3RjR-Q=55F_Mp-9X1Li0Sg@mail.gmail.com> <3F10035A-70A4-46AE-AB44-4499541AC7C6@cisco.com>
From: Emil Ivov <emcho@jitsi.org>
Date: Tue, 11 Aug 2015 08:32:10 -0500
Message-ID: <CAPvvaaJYGQKzH+93wAUzsuSwCgNx5i5FwRKUU2aOStSd47eTiA@mail.gmail.com>
To: "Pal Martinsen (palmarti)" <palmarti@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/mmusic/lcYyIMkX6s5_xvcal86uCe3j_oY>
Cc: Jonathan Lennox <jonathan@vidyo.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>, "tram@ietf.org" <tram@ietf.org>, mmusic <mmusic@ietf.org>
Subject: Re: [MMUSIC] [rtcweb] [tram] TURN permissions for private ips
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2015 13:32:37 -0000

Hey Pal,

On Fri, Aug 7, 2015 at 2:47 AM, Pal Martinsen (palmarti)
<palmarti@cisco.com> wrote:
>
> On 07 Aug 2015, at 02:11, Emil Ivov <emcho@jitsi.org> wrote:
>
> On Thu, Aug 6, 2015 at 5:01 PM, Justin Uberti <juberti@google.com> wrote:
>
>
>
> On Thu, Aug 6, 2015 at 1:51 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
>
> On 6 August 2015 at 13:08, Justin Uberti <juberti@google.com> wrote:
>
> I think that we should be able to avoid pairing candidates obtained from
> application TURN servers with RFC 1918 addresses. The app/browser
> clearly
> knows which is which.
>
>
> I'm concerned here that if we let the application choose, we lose the
> defence we were looking to gain.  I think that perhaps 1918 pairing
> could be restricted to TURN servers that are configured/discovered,
> "proxy"-style.
>
>
>
> Sorry, that is what I was trying to say. The browser knows which turn
> servers are "proxies" vs app servers, and can apply the 1918 filtering on
> the pairings from the candidates from the app TURN server.
>
>
> I don't think Jonathan's concerns only apply to proxies though. You
> can just as well have apps developed for specific networks and there
> is no reason to prevent those from working.
>
> Agree with your enumeration of concerns as well. Also #5, they consume
> bandwidth (at least from client to TURN server), which affects maximum check
> rate in some cases.
>
>
> Why can't we address this by TURN servers simply refusing to create
> permissions for candidates they know they won't be able to reach?
>
> How do you reliably and simply do that without a connectivity check?

There are a few ways a TURN server could be smart about this (e.g.
checking the routing table for local interfaces for example, or
looking into ARP tables) but ultimately they should allow for this to
be configured.

> If the main concern is information leakage, isn’t that up to the client to
> decide what it want to reveal to the TURN server and the remote client?

I don't know that the main concern is leakage (see my previous mail).
I don't see how an application can be worried that the TURN server it
chose is going to find out that there's one of three NATed ranged
behind a certain IP. The TURN server had a 1 in 4 chance of guessing
that even without the app.

That said, I am not opposed to giving JavaScript apps a way to
explicitly signal the stack not to pair certain addresses with TURN.

I just don't want the stack to assume this.

Emil

> Guess what I am saying is that I think it is a good thing to have a “thick”
> client and relatively simple network components.
>
> .-.
> Pål-Erik
>
>
> Emil
>
> --
> https://jitsi.org
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>
>



-- 
https://jitsi.org

v2.23.0 | Report a Bug | By Email