IETF Logo Mail Archive

Re: [rtcweb] IP handling: Using mDNS names for host candidates

Lennart Grahl <lennart.grahl@gmail.com> Tue, 12 June 2018 16:34 UTC

Return-Path: <lennart.grahl@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90A21130EDB for <rtcweb@ietfa.amsl.com>; Tue, 12 Jun 2018 09:34:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h96dTJqkgasA for <rtcweb@ietfa.amsl.com>; Tue, 12 Jun 2018 09:34:27 -0700 (PDT)
Received: from mail-wr0-x233.google.com (mail-wr0-x233.google.com [IPv6:2a00:1450:400c:c0c::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8684D129C6B for <rtcweb@ietf.org>; Tue, 12 Jun 2018 09:34:26 -0700 (PDT)
Received: by mail-wr0-x233.google.com with SMTP id f16-v6so24781861wrm.3 for <rtcweb@ietf.org>; Tue, 12 Jun 2018 09:34:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:openpgp:autocrypt:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=b265TlYZgVwuGFn3DHbbQVwbp4SLEIOkG36nzOK16G8=; b=JbuwuXrDap+nJtAy+YTJ8x6RUGulHp6fsLwSOZASc3mcSDDCBQLJyO60wUAO8S0DK0 b0MTGA7w5LI2i5HtziS31gevQivESI/jN/Srk2ByE7flcM6H5mHlMeX6dW8YDFFE4p2+ DHGUxPK8kAeZ/NaM1/SY+XPKmizEVNE4xFu3kdbjEwxoNxSBz3R2Wnvptb8/ynFw79Jv XOSZ2JP+3ey1otMYORSjwf1NvRXcT/VAd+YgOLGY7wlKYfvptnXM4WRM/9N/3wL/oI7I hSZAeK7VEyA8Ao8v0r2qvZanrf3p9q162dOOTOzKbwBC/rxrYx73JWc0YkcdyPveHgiF OWCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=b265TlYZgVwuGFn3DHbbQVwbp4SLEIOkG36nzOK16G8=; b=IESWa16kcLOxcbqYipkx0vNTWxQq5XJZTwcHXVgGKGPaMLxrHG9A/K/B74Z1pMoeFB TnY+jtjlRvesp9Vh9sDuFRLFc7SxEhSSvJ/8WTUIybbfbdhi04GvA2p9dEsKQL4IIJH4 k19jm8Bzxs1sJ7AyH9J9clUL5TzbGIw2sOgYQAD1osqHHa1YOk+cNp4uFHmkufrBTvkJ /icwp3gy3qDnUz8lKQHKdWJSofabxazn7XzkQRYaBPg0ScPnm1Z009Jj67+UfyFqfENP ix28Yz3oHBFghbqglc9LwuO5O2senQ3Stt1C6fbnINZwuA5ClVTfKOy6bObBhHRUBa+o +/YQ==
X-Gm-Message-State: APt69E00r0F11MKBFovWni5kAR1PK59AEKkYHDgfvOk9BwggtZ2ZjD54 0dZ0/ejjkorJFNGQxsHkFt4=
X-Google-Smtp-Source: ADUXVKJpnsUadzJPPNQeLV0jWndDp+Zes2WVumlPs4uw8JNPXqkA6lO+wFQUktxzYR0IWvb13/t32Q==
X-Received: by 2002:adf:ef4f:: with SMTP id c15-v6mr824242wrp.182.1528821265105; Tue, 12 Jun 2018 09:34:25 -0700 (PDT)
Received: from ?IPv6:2003:cd:6f1f:4900:c556:a374:c7f2:7e61? (p200300CD6F1F4900C556A374C7F27E61.dip0.t-ipconnect.de. [2003:cd:6f1f:4900:c556:a374:c7f2:7e61]) by smtp.gmail.com with ESMTPSA id b190-v6sm1345160wma.24.2018.06.12.09.34.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Jun 2018 09:34:24 -0700 (PDT)
To: Justin Uberti <juberti@google.com>
Cc: RTCWeb IETF <rtcweb@ietf.org>, yfablet@apple.com
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com> <436903fe-1ec7-e595-7733-0cc2f9c3a53d@gmail.com> <CAOJ7v-0Wk2O=mE_Dtyu3h=EargHNAdQpmk9J6pLm65icLQEiCw@mail.gmail.com>
From: Lennart Grahl <lennart.grahl@gmail.com>
Openpgp: preference=signencrypt
Autocrypt: addr=lennart.grahl@gmail.com; prefer-encrypt=mutual; keydata= xsBNBFMHjy4BCADZR/nHk6jzDsEA2+dPG13NiXyBl34TtChDsZekZyO5jBgwslLgHVksQxlS 79n1lvVH0MxcI8SFifwLAAIjMfukNLGPAjEyJEQhQVpfXxkJXyZgncM2Wq+nlVCDZTiZLg/E 6jJP1zx9vB7sf5dWaB/Dt0YDHLM86EcDChQur9lrJk9K0Jiwt27Oo3B4FFfIOaVNUXgnRPbr Vw1/+O2jLg87Fsib9LP7Ghyv0Z2/VV7wJ4NLsLmIu60vcZVDYDOvcQRH4FZ76VBvlmlO+2TL 5L6yZLGgXS9GZyF3QXKAwhYqu5ouWEOUgXHch5deryjbENanimj4ntZQmF1nkxSZayk9ABEB AAHNJ0xlbm5hcnQgR3JhaGwgPGxlbm5hcnQuZ3JhaGxAZ21haWwuY29tPsLAfwQTAQIAKQUC UwePLgIbIwUJCWYBgAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEPmPvtEEgqumkk0H /2dMGPa9VmgR0kmr2inGODWuCy4WXNUxeEMfY/Hob/8Ou50os6iK35TQI9WtvvlAq23aIvoJ +1OjnqekgKmavPoQ0Uf1h2LegiQNKpDGC6/S33SLitQoQyELyJCU5Ato9lIL0AzpLvr+8UaF plWbPB4Z0GfZGBQSyp0Dmdeb00sld378m9qXHByJfHjPGiDFY+el1talbCuxS87+SvwIvM05 5m1/ceJbZDjx3trvgzbSQOHMT82/Hva7cSyVAch7mJc/lIq2Q0hjoZlD9nqS6gVJ9PQnEW8z dAXXVvBoy9DtomH18jimq+xUxeBwiFRB64gZx3Yyo1CKgULzeWaQ/qfOwE0EUwePLgEIAKP+ Dw5Ow5QuITKcI+ooXZAOBCBOitdsAGrGAEORjv1VyYU1jvjNb07UlRWmpjtaZsQoC2DwfEJy OaBphhErkOVEHCvetfBq8aJ718on4A49XwyQZeyh521BvLQUj0VY5D1iTYzgNVr4Ic39duH/ 00b489Wf9sM7TwzONJOCR5pSKUzYfGUIfQIJRc4tbzOM+bzSknLwbYAWRraOstbRjf2+V3pf 46mzv8tteLnsMm91qshFUwiBfeMNZiKAM3eid80ghlEbQo5J07FOrqK1GxqMi8LQT/oA5lpu +BB6UzGP5nQ5fip95zAq3vu+Iasz1DWj6F1HkHDEHfdtVpTAN70AEQEAAcLAZQQYAQIADwUC UwePLgIbDAUJCWYBgAAKCRD5j77RBIKrpihiCACQq7ARCPSzDrtUcq3uTdP+fMHp8YCYD4UD fdt3vcw4a5JESaknUcWi7CbQrdcLT7iIFYa3pk5I8w4n2lH29uUTWwt9boDtdYkBY5a4Rg+m Z9ndsLh0fHdZM6BXv/6gWMMdGbV5+xcV0FDcXZIlHLZIriDgeZQR3cDEa9lFWUYrI9KKmdoq ngaND7jPZaMCyvn9VDOAGBWxg49gQV/x1d+DiIyMbF9J+ya4YqaSZtu2y/H03eVCawmI6SMH UzdOo+Yqen3Udcdur0KnWMUOP3FIdjgxaPoIEKfFTBy7n8rlzrrTzyrv5Gouusxj0JHMwvuh ixK1bmVy/XYqoG0TVwBt
Message-ID: <a5f4a43e-58ad-41af-6748-9ec0bdf52b18@gmail.com>
Date: Tue, 12 Jun 2018 18:34:23 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <CAOJ7v-0Wk2O=mE_Dtyu3h=EargHNAdQpmk9J6pLm65icLQEiCw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/0LpOTujPC-kdtu4CR1lYqKVk_ZQ>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2018 16:34:36 -0000

On 12.06.2018 17:39, Justin Uberti wrote:
> On Tue, Jun 12, 2018 at 4:15 AM Lennart Grahl <lennart.grahl@gmail.com>
> wrote:
> 
>> On 12.06.2018 02:40, Justin Uberti wrote:
>>> The Safari team has come up with a clever approach to avoid disclosing
>>> private IP addresses for host candidates. As discussed in this WebKit bug
>>> <https://bugs.webkit.org/show_bug.cgi?id=174500>, the technique works as
>>> follows:
>>>
>>>    1. Register a random UUID-based mDNS name when ICE gathering starts
>>>    2. Replace the private IP address by a "{UUID}.local" string in each
>>>    host candidate (and set raddr to 0.0.0.0 for other candidates)
>>>    3. The other party will do mDNS resolution on any candidate having a
>>>    .local suffix, similar to how hostnames in candidates are handled in
>> RFC
>>>    5245, Section 15.1.
>>>
>>> This technique is relevant to the IP handling document, as it addresses
>> one
>>> of the lesser problems (private IP disclosure) from the overall problem
>>> statement. While I don't think this will have a large impact on the
>>> document, including the default mode selection, incorporating this
>>> technique would result in some moderate changes:
>>>
>>>    - Section 5.1 would mention concealing private IPs in the default case
>>>    as an explicit goal.
>>>    - In Section 6, Mode 2 would change from handling out private IPs to
>>>    handing out mDNS names.
>>
>> IMHO that would create a large gap between mode 1 and 2. Instead, I
>> would suggest using mDNS *in addition* to mode 2 and 3. For mode 2 this
>> would mean that only the default private IP is being transmitted but all
>> other interfaces are hidden by UUID-based hostnames. For mode 3, all
>> private IPs are hidden by UUID-based hostnames.
>>
> 
> I don't see a clear benefit of doing that. If you have the mDNS hostnames,
> you don't need the private IPs.
> 
> Or, looking at it a different way, if mode 3 is as you describe, why would
> we ever use mode 2

Mode 2 with mDNS hostnames exclusively would only work when the devices
are in the same network segment. Anything that stops multicast would
require the use of a STUN server. That makes mode 2 a lot less powerful.

Whereas mode 2 as of today and with my suggestion does work without a
STUN server, even if you are not in the same network segment. Think of
IPv6 global addresses or corporate networks with several private
networks. And exposing an IP is still useful for establishing a
connection with an implementation that doesn't support mDNS (not even
resolving).

> 
>>
>>>    - This document would have to describe the technique or point to
>> another
>>>    document that describes the technique. mmusic-ice-sip-sdp, Section 4.1
>>>    <
>> https://tools.ietf.org/html/draft-ietf-mmusic-ice-sip-sdp-20#section-4.1>
>>> seems
>>>    like a good option, as it already covers how to handle DNS names in
>> ICE
>>>    candidates.
>>
>> Since this will be useful for ORTC as well, I would not tie that to an
>> SDP-specific document.
>>
> 
> ORTC already depends on this document (it explains ICE restarts, amongst
> other things), so I don't see this as an issue. The nice thing about this
> document is that it's nearing last call, but we still have time to make
> edits like the ones suggested.

Fair enough.

Cheers
Lennart

v2.23.0 | Report a Bug | By Email