IETF Logo Mail Archive

Re: [rtcweb] What is consent?

Eric Rescorla <ekr@rtfm.com> Tue, 11 September 2012 16:23 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D162221F865B for <rtcweb@ietfa.amsl.com>; Tue, 11 Sep 2012 09:23:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A+2Zw4NeXBLN for <rtcweb@ietfa.amsl.com>; Tue, 11 Sep 2012 09:23:18 -0700 (PDT)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id BB36321F8535 for <rtcweb@ietf.org>; Tue, 11 Sep 2012 09:23:17 -0700 (PDT)
Received: by eekb45 with SMTP id b45so627835eek.31 for <rtcweb@ietf.org>; Tue, 11 Sep 2012 09:23:17 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:x-gm-message-state; bh=Lw0qR2VCSbPLrJJfSxNoh3McLiX43ZHadqYlirFo4tE=; b=Xd/n/+XdRG87wiBMoG55HM6THIAzKDT1gibXsxHJbiu6+TBlR0NMumBSQPjjUR6ow9 NGSefZdWyxu4Q2WyApIL0alddxxXBZOK5oNtRZxZgbEd94JUpKRy3Nmw2mikiBF65STU rK/3LXdlLkmaGn9dxoVmcgNhhmLLXJRgO9DXXDaSQ9p5Px1UFTd8n0t+npca/oabVc0k iNq08dYGw1iNwgybPjDYY8o1W0CtwkmhqH0cdFbFAVHLL3caMfY4lnZoJyOw0fUGu8VN saSkiw4jB46zQxvLvnnwf1UogJTs+7k2X2cIiox1uy8vtx6C8tPlHqzPNBTJ9CoVOy7j w/OQ==
Received: by 10.14.224.4 with SMTP id w4mr26734241eep.21.1347380596923; Tue, 11 Sep 2012 09:23:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.14.187.10 with HTTP; Tue, 11 Sep 2012 09:22:36 -0700 (PDT)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <CABkgnnUNhka8OJsiNCV5iOvU_cGyvt_y8=DN6qnud3Xr-dy1iQ@mail.gmail.com>
References: <CABkgnnXAPZ5BN=CUwYdEpHKbCLBxctqpONL==QWf_WwgrNEK_A@mail.gmail.com> <CABcZeBNnoQwJu1MYSW=6q6pkrgXSPSUtVyOsngrPP6b8GaegdQ@mail.gmail.com> <CABkgnnUNhka8OJsiNCV5iOvU_cGyvt_y8=DN6qnud3Xr-dy1iQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 11 Sep 2012 09:22:36 -0700
Message-ID: <CABcZeBNddHgHnkZ5b2N4i-np3WuY51f6WHkBdT5mHBsieLMDow@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQk/O9bwDRRDy1N9qfRQol82bosxM2C98dGf0jZsK+Hl6bE93XYLGE+ciUTRIv7kjn9Pc3wF
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] What is consent?
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Sep 2012 16:23:19 -0000

On Tue, Sep 11, 2012 at 9:09 AM, Martin Thomson
<martin.thomson@gmail.com> wrote:
> Clearly, I did miss something.  Obviously, this relates to the bit in
> ICE where it requires that the STUN backward compatibility measures
> are not used.
>
> But it didn't really answer my question.
>
> Clearly, an RFC 3489 STUN server will not pass this basic test.  That
> means that we can safely exclude servers like stunserver.org from the
> set of consenting peers.
>
> I suspect that for practical reasons we have to tolerate missing
> MESSAGE-INTEGRITY and FINGERPRINT.  That means we can at least use old
> servers to collect server reflexive addresses.  For those old servers
> it's trivial to use the absence of either parameter as an indication
> that they do not provide consent.
>
> But the question stands: for STUN servers that are 5389 compliant,
> what distinguishes the STUN server from a consenting peer?
>
> --Martin
>
> p.s. I reached my conclusion for the following reasons:
> 1. Section 7.1.3.2 of RFC 5245, which I presumed to be
> complete...which it is, sort of.
> 2. MESSAGE-INTEGRITY is only of questionable utility in the response
> if you assume that the server is ignoring requests that don't have a
> valid MESSAGE-INTEGRITY.

I'm really not following this.

Responses from the server need to *contain* the MESSAGE-INTEGRITY
field and otherwise are not taken as evidence of consent. This field can
only be generated by a server that has the ICE credentials. So, obviously,
a legacy STUN server won't generate that.

-Ekr

v2.23.0 | Report a Bug | By Email