IETF Logo Mail Archive

Re: [rtcweb] Please require user consent for data channels

Iñaki Baz Castillo <ibc@aliax.net> Mon, 20 July 2015 13:13 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01B5D1A8782 for <rtcweb@ietfa.amsl.com>; Mon, 20 Jul 2015 06:13:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.677
X-Spam-Level:
X-Spam-Status: No, score=-1.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uzWu3imzAmoH for <rtcweb@ietfa.amsl.com>; Mon, 20 Jul 2015 06:13:25 -0700 (PDT)
Received: from mail-yk0-f177.google.com (mail-yk0-f177.google.com [209.85.160.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DB3C1A8778 for <rtcweb@ietf.org>; Mon, 20 Jul 2015 06:13:25 -0700 (PDT)
Received: by ykdu72 with SMTP id u72so138001041ykd.2 for <rtcweb@ietf.org>; Mon, 20 Jul 2015 06:13:24 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=0omYgNFt49VLOdkyVhNq0jTn0H+9kGbaWY9Z6+5CNtg=; b=AxVtyFfrxx7D4ALlXgnBqOc4AV+Ld+2AG1lLZo+uEfWOx9loUlPNdfqs2cDptEwcce P9+bJZx+UF00L8x5XmX6r2Vmm8T8ChMIQGqYxEnhRYEta0I9coDdCFQLZnXDY6I4zPao cPQ5Oon3vpGN0jclb8gVouShedfXYm1KKexdIF9ZMy6A0680RFKdQ6tA69lIshavSUI0 RR/4GMHepEk7eseKIykCfj85HSX0f3nic2fGw4ZFAs8FlDo0JX1mKErCoVjer+XRa1CI bqLKi5GC+tyAapcgX+jx04+g0kn05Ip1EUjrw0FzHFk8aIswH8JUz7xoSkNuvrp0DHTz msRg==
X-Gm-Message-State: ALoCoQl3Go/0YF3pE6qT359cSxzD6I2G5XMjhoSq7MZEEWKp0MP6lc1tfiJ/xdJyIbfhngkUZcei
X-Received: by 10.129.79.4 with SMTP id d4mr28552217ywb.15.1437398004828; Mon, 20 Jul 2015 06:13:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.37.215.206 with HTTP; Mon, 20 Jul 2015 06:13:05 -0700 (PDT)
In-Reply-To: <55ACEA74.8050300@jive.com>
References: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com> <CA+65OsrhXHK+cRAFLCZFt+34vr8eRhj+CN3DgznUBfSwmWYggw@mail.gmail.com> <CAOJ7v-24VCW6kkn7LOLkqZzhYEU0r=nmd_F7Zns1rnyqKN6xAg@mail.gmail.com> <55A95364.2070806@gmail.com> <CAOJ7v-3t9BQabR2e4EHs4G0Sec4sU9DFC2aiSXXYrat+an+RYg@mail.gmail.com> <55A96DA3.1040907@gmail.com> <CAOJ7v-1ui7349NzK6NZNRHPbnHWZajctk4cDgMKqRZSv47EYdA@mail.gmail.com> <55A9860D.8030903@gmail.com> <CAOJ7v-3LGd32rnpFVW_U0s3+iVaJXsL4vt_YAo=cyp6YyOArdw@mail.gmail.com> <CALiegfmiS18Jux-kCgOhTKKiyGtMertj6xCegpFrox5NOf9EJg@mail.gmail.com> <CABkgnnW0Tmjqz823vKiF84_u6HasBJC7ERMYCO2HL_NPj5saTA@mail.gmail.com> <CALiegfkpbLy1QXxr-RRF0oOpVv1sWsFeab=vvC4iT4DnPtjKQw@mail.gmail.com> <CABkgnnVWcuhX2NjZgx87L+Uo6df6rEBWW73cxbaX3mu_VfHmCA@mail.gmail.com> <CALiegfkQWAn-jMrjhcDPA3rtowOPVk-S8z3c-jvjpNmjtf=3hA@mail.gmail.com> <CABkgnnWERM4oxozNCSvRf1o0Wm-d9Bjw=9B+xh_NJ+h6GfBJ6Q@mail.gmail.com> <7F818FAC-5559-4074-B1FC-EB9516A98FB7@phonefromhere.com> <55ACEA74.8050300@jive.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
Date: Mon, 20 Jul 2015 15:13:05 +0200
Message-ID: <CALiegfm6PG4cEJdWtYMOcfgLn5Z7Knf1TxoYvNDVrt4sEdQZAA@mail.gmail.com>
To: Simon Perreault <sperreault@jive.com>
Content-Type: multipart/alternative; boundary="001a114dcd807abd1c051b4e4d79"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/-6cGmRQ9BlOAO_nrYad3EtAsNt4>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 13:13:27 -0000

2015-07-20 14:32 GMT+02:00 Simon Perreault <sperreault@jive.com>:

> Le 2015-07-20 14:26, Tim Panton a écrit :
> > Gulp. Whilst I mostly see the logic - it is wholly unexpected behaviour
> > to the average sys admin.
> > Certainly not what I expected.
>
> I don't know how you can expect ICE to work otherwise.
>

It would just work. The STUN/TURN server should be reachable using the OS
configured routes, isn't it?

Please, don't argument that "otherwise it would not work" because that is
not true at all.



>
> > It strikes me that binding to all interfaces might well give a vector
> > for attackers to map out a company’s internal networks.
>
> You are sending your IP address(es) as payload so that your peer may
> connect to them.


The fact that the client announces its (probably) private VPN addresses to
the remote peer does not mean that it also reveals the associated public
reflexive IP. That just happens if the client performs STUN procedures over
that interface, which is exactly the issue being discussed (at least right
now).



> We've been doing this in various protocols for ages.
> Just take FTP for example, where data and signalling are separate. How
> is any of this different?
>

The FTP client does not override the OS routes but instead contacts both
the FTP signaling address and the FTP data address using the OS configured
routes (rather than forcing local interfaces to reach them). So yes, it is
fully different IMHO.



>
> > It also may restrict the user’s ability to manipulate which medium is
> used.
> > E.g. I’m at home and my chromebook pixel (or firefox tablet) is on wifi,
> > but I’ve left LTE enabled.
> > I (or the OS) is configured to prefer wifi wen available - but it
> > happens that for a specific peer LTE completes first.
> > So now my video call goes over LTE without my say-so and with no hint
> > this is happening  - costing me real
> > money. My only option is to completely disable LTE when I get home  (and
> > lose SMS too) ?
>
> That is a valid concern, and the answer to it is MIF.


Sorry, what does MIF stand for?



-- 
Iñaki Baz Castillo
<ibc@aliax.net>

v2.23.0 | Report a Bug | By Email