Re: [rtcweb] [tram] TURN permissions for private ips
Justin Uberti <juberti@google.com> Thu, 13 August 2015 23:22 UTC
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46E051ACEC1 for <rtcweb@ietfa.amsl.com>; Thu, 13 Aug 2015 16:22:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qy-R1V63cBRz for <rtcweb@ietfa.amsl.com>; Thu, 13 Aug 2015 16:22:56 -0700 (PDT)
Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77A541ACEBB for <rtcweb@ietf.org>; Thu, 13 Aug 2015 16:22:54 -0700 (PDT)
Received: by vkfi73 with SMTP id i73so24068224vkf.2 for <rtcweb@ietf.org>; Thu, 13 Aug 2015 16:22:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=9+hGRRBfb5OinAaa5UBLca7nPDvPQquRQppVQGa8STw=; b=O2bNnwaRPqiv1SbpxmPS1psYgAbAaMPbMb6yk5sULP4gV5qLIv++ZYhLchha+cq4Wv c8uveFpH4nPDhYOTD3vQX8eK8vwU3DX3T7C7OY/Rs3O7c8zyaWgTk4rAcGo5mIkD/Kgg fKcjXq5HTxNFH4jWR2hhfDZK0ptIN62xHRIYIyI9UiMB6vyusmTukKa9k4aibQA6TcXz /ghd4e1GpRd/MOB61Z+FCPVn/7VRo2L2YcCXZk9EpIuB6ZB7FdOduzBD6VUfyxBY3YrX 5cTAKeqy60AK2pNzsBRuk+1iyLPi0opnwTUf1g/TdiyCCp3bavyrGgW74rx559JTgk9Q aVGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=9+hGRRBfb5OinAaa5UBLca7nPDvPQquRQppVQGa8STw=; b=lJSq7ogvUWWLKalcygoRU7uNqPjnJ4aykxFZaoMI+qtT+N5qsCwcqJGuOkyg6yrFpQ zRe5g7OvpqU0M4QziVGW4rfFOTpvgTO2xl+MpuKmd/gOLbyyha060gyx48WzTkVdcjTH /J/wgZM+M4rTvuzaCkIniegBw8HFAD0Pf2rMwTkSKLZgi3PKEAcmCCQfCntBkMrJIIZ+ 4Q6CSBGkM+NrjkVy0DlaLp3sVOJofHw7up7DaRFzRuqi6oa4qmGr/FCRpHrbCo35BF7m 9emSdUusPAXFHcnOnh50F2duKYfjBuOSDTsrSK+ik3tzjI5d0OtC7cFPd5noFpWUk1fX ddRg==
X-Gm-Message-State: ALoCoQl5Tt7RHovO/OTcoYKsjHD2AcGltiBOl5YCXbx27TmFkcI2DyBSc3IFPxgWf/HASthS/0O/
X-Received: by 10.52.116.67 with SMTP id ju3mr50119033vdb.66.1439508173584; Thu, 13 Aug 2015 16:22:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.191.87 with HTTP; Thu, 13 Aug 2015 16:22:34 -0700 (PDT)
In-Reply-To: <CAPvvaaJYGQKzH+93wAUzsuSwCgNx5i5FwRKUU2aOStSd47eTiA@mail.gmail.com>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com> <55C24293.5000603@cs.tcd.ie> <55C24C09.8020404@goodadvice.pages.de> <55C256C8.80606@jive.com> <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com> <F144FF61-AAC6-4E0A-B08E-0E3F9B487F1B@vidyo.com> <CAOJ7v-0Z4fmWjVaeiAJh=rpYPjUsk_k8_=g8CrecAZQWtRG1AQ@mail.gmail.com> <CABkgnnXubczrXpR+YHeF1+zNrNoPNMH_XdB1+pCAGZ9LQn0UXw@mail.gmail.com> <CAOJ7v-2PaLr8XLdVxfPY=YYzeQuoj49qypUTUr=wdbmSiMZO7A@mail.gmail.com> <CAPvvaaK9xxxfmVOjE_UtX_Z6RzLe3RjR-Q=55F_Mp-9X1Li0Sg@mail.gmail.com> <3F10035A-70A4-46AE-AB44-4499541AC7C6@cisco.com> <CAPvvaaJYGQKzH+93wAUzsuSwCgNx5i5FwRKUU2aOStSd47eTiA@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Thu, 13 Aug 2015 16:22:34 -0700
Message-ID: <CAOJ7v-2=+CtkhHJ0A2K1=Ba7ALi1ni=t_o-aWZ-oOKi+zCbHwg@mail.gmail.com>
To: Emil Ivov <emcho@jitsi.org>
Content-Type: multipart/alternative; boundary="bcaec548aa5956a37e051d399d4b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/1Asb78G8AXZcT9Sx7JXw3FlJd70>
Cc: Jonathan Lennox <jonathan@vidyo.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>, mmusic <mmusic@ietf.org>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [rtcweb] [tram] TURN permissions for private ips
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2015 23:22:58 -0000
For now I think we will follow the suggestion of letting the server enforce this policy, and return 403 in the case where the target IP would be considered unreachable by the server. Chrome will also need to be updated to actually do the right thing on this 403... On Tue, Aug 11, 2015 at 6:32 AM, Emil Ivov <emcho@jitsi.org> wrote: > Hey Pal, > > On Fri, Aug 7, 2015 at 2:47 AM, Pal Martinsen (palmarti) > <palmarti@cisco.com> wrote: > > > > On 07 Aug 2015, at 02:11, Emil Ivov <emcho@jitsi.org> wrote: > > > > On Thu, Aug 6, 2015 at 5:01 PM, Justin Uberti <juberti@google.com> > wrote: > > > > > > > > On Thu, Aug 6, 2015 at 1:51 PM, Martin Thomson <martin.thomson@gmail.com > > > > wrote: > > > > > > On 6 August 2015 at 13:08, Justin Uberti <juberti@google.com> wrote: > > > > I think that we should be able to avoid pairing candidates obtained from > > application TURN servers with RFC 1918 addresses. The app/browser > > clearly > > knows which is which. > > > > > > I'm concerned here that if we let the application choose, we lose the > > defence we were looking to gain. I think that perhaps 1918 pairing > > could be restricted to TURN servers that are configured/discovered, > > "proxy"-style. > > > > > > > > Sorry, that is what I was trying to say. The browser knows which turn > > servers are "proxies" vs app servers, and can apply the 1918 filtering on > > the pairings from the candidates from the app TURN server. > > > > > > I don't think Jonathan's concerns only apply to proxies though. You > > can just as well have apps developed for specific networks and there > > is no reason to prevent those from working. > > > > Agree with your enumeration of concerns as well. Also #5, they consume > > bandwidth (at least from client to TURN server), which affects maximum > check > > rate in some cases. > > > > > > Why can't we address this by TURN servers simply refusing to create > > permissions for candidates they know they won't be able to reach? > > > > How do you reliably and simply do that without a connectivity check? > > There are a few ways a TURN server could be smart about this (e.g. > checking the routing table for local interfaces for example, or > looking into ARP tables) but ultimately they should allow for this to > be configured. > > > If the main concern is information leakage, isn’t that up to the client > to > > decide what it want to reveal to the TURN server and the remote client? > > I don't know that the main concern is leakage (see my previous mail). > I don't see how an application can be worried that the TURN server it > chose is going to find out that there's one of three NATed ranged > behind a certain IP. The TURN server had a 1 in 4 chance of guessing > that even without the app. > > That said, I am not opposed to giving JavaScript apps a way to > explicitly signal the stack not to pair certain addresses with TURN. > > I just don't want the stack to assume this. > > Emil > > > Guess what I am saying is that I think it is a good thing to have a > “thick” > > client and relatively simple network components. > > > > .-. > > Pål-Erik > > > > > > Emil > > > > -- > > https://jitsi.org > > > > _______________________________________________ > > rtcweb mailing list > > rtcweb@ietf.org > > https://www.ietf.org/mailman/listinfo/rtcweb > > > > > > > > -- > https://jitsi.org >
- [rtcweb] Stephen Farrell's Discuss on draft-ietf-… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- [rtcweb] TURN permissions for private ips (was: R… Philipp Hancke
- Re: [rtcweb] [tram] TURN permissions for private … Simon Perreault
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Alissa Cooper
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Simon Perreault
- Re: [rtcweb] [tram] TURN permissions for private … Eric Rescorla
- Re: [rtcweb] [tram] TURN permissions for private … Philipp Hancke
- [rtcweb] Stephen Farrell's Discuss on draft-ietf-… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Muthu Arul Mozhi Perumal
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Xavier Marjou
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Alissa Cooper
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Jonathan Lennox
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Martin Thomson
- Re: [rtcweb] [tram] TURN permissions for private … Jonathan Lennox
- Re: [rtcweb] [tram] TURN permissions for private … Roman Shpount
- Re: [rtcweb] [tram] TURN permissions for private … Martin Thomson
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Pal Martinsen (palmarti)
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Martin Thomson
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Muthu Arul Mozhi Perumal
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Ram Mohan R (rmohanr)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Ram Mohan R (rmohanr)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Cullen Jennings
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti