IETF Logo Mail Archive

Re: [rtcweb] Please require user consent for data channels

Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Sat, 18 July 2015 08:37 UTC

Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B45AF1AD277 for <rtcweb@ietfa.amsl.com>; Sat, 18 Jul 2015 01:37:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_24=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XQtKXY9Vwjjg for <rtcweb@ietfa.amsl.com>; Sat, 18 Jul 2015 01:37:06 -0700 (PDT)
Received: from mail-wg0-x22a.google.com (mail-wg0-x22a.google.com [IPv6:2a00:1450:400c:c00::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 226E81AD272 for <rtcweb@ietf.org>; Sat, 18 Jul 2015 01:37:06 -0700 (PDT)
Received: by wgbcc4 with SMTP id cc4so3846027wgb.3 for <rtcweb@ietf.org>; Sat, 18 Jul 2015 01:37:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-type; bh=vdfpCWDKB34C8qI9sPfm+WSmMUhvnnY3MAz78qToXf4=; b=CSSz/ksMYBzz7J9/zeOFIBSZLzW+mHB/VY4ZmovfG4x7M0FHHWlcm6lt3SMFedSH7t PJx+omZgqVFFZMrI59Lon3fPYmG5rQcMikJHggEy9AAdZZDqlB4GwWiJWsfIBpZBAPj0 Cm7Rdfh7NxmnLYDHCVn9fzz0ZWU000OXfQqmWf++vwGloZ0X0m817kLnWMd3PKTa3yCp c7dztPua7zqu0wqlbtcAX1IQKIJzvLH9Na/A1jo33rWijcKe0dBYB9wXxTtc90H01pWY x/u4qnu+fA3ixkA0U9gNp1fzCSZlMheOf0N+0RBiN5dZ1ZOXWqj+GUqMrlcDgMSr8Diw 2Dmw==
X-Received: by 10.194.185.180 with SMTP id fd20mr35239381wjc.16.1437208624902; Sat, 18 Jul 2015 01:37:04 -0700 (PDT)
Received: from [192.168.0.193] ([95.61.111.78]) by smtp.googlemail.com with ESMTPSA id ft5sm1541047wib.4.2015.07.18.01.37.02 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 18 Jul 2015 01:37:03 -0700 (PDT)
To: Justin Uberti <juberti@google.com>
References: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com> <CAOJ7v-0UBGtP0-atxP7X4OTj-H6Lost5o42aAS65mA6CEqcQsw@mail.gmail.com> <CA+65OsrhXHK+cRAFLCZFt+34vr8eRhj+CN3DgznUBfSwmWYggw@mail.gmail.com> <CAOJ7v-24VCW6kkn7LOLkqZzhYEU0r=nmd_F7Zns1rnyqKN6xAg@mail.gmail.com> <55A95364.2070806@gmail.com> <CAOJ7v-3t9BQabR2e4EHs4G0Sec4sU9DFC2aiSXXYrat+an+RYg@mail.gmail.com> <55A96DA3.1040907@gmail.com> <CAOJ7v-1ui7349NzK6NZNRHPbnHWZajctk4cDgMKqRZSv47EYdA@mail.gmail.com> <55A9860D.8030903@gmail.com> <CAOJ7v-3LGd32rnpFVW_U0s3+iVaJXsL4vt_YAo=cyp6YyOArdw@mail.gmail.com> <55A99148.1040105@gmail.com> <CAOJ7v-1cB47793yH+-mWrdU9rNqX=+HadZpbRf3PezXspqLm1A@mail.gmail.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Message-ID: <55AA1039.7070403@gmail.com>
Date: Sat, 18 Jul 2015 10:37:13 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <CAOJ7v-1cB47793yH+-mWrdU9rNqX=+HadZpbRf3PezXspqLm1A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------090907020106050703060103"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/4ehGYhsEvp0e4VuILwTyHkjyCGA>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jul 2015 08:37:07 -0000

On 18/07/2015 2:19, Justin Uberti wrote:
>
> On Fri, Jul 17, 2015 at 4:35 PM, Sergio Garcia Murillo 
> <sergio.garcia.murillo@gmail.com 
> <mailto:sergio.garcia.murillo@gmail.com>> wrote:
>
>     On 18/07/2015 1:09, Justin Uberti wrote:
>
>     Agree, for each HOST candidate, it should send a STUN request to
>     the turn server from that IP:port. But shouldn't the VPN
>     configuration prevent the non-VPN-host-candidate STUN request to
>     be sent via the non-VPN-interface? (i.e. applying default route
>     based on dest?)
>
>
> Replying to Sergio:
>
> Typically with a VPN, the non-VPN interface is locked down so it only 
> has a single route: to the VPN server. However, split tunnel VPNs 
> allow the non-VPN interface to route to other addresses (possibly, for 
> performance reasons), so in this case, the non-VPN-host-candidate STUN 
> request will be sent successfully from the non-VPN interface.
>
> Sometimes this will be desirable: imagine someone working from home 
> who wants to connect to their corp VPN, but wants to have their video 
> conferencing traffic not go through the VPN. Sometimes this will not 
> be desirable, i.e. when the VPN is being used for privacy. This makes 
> picking a perfect default setting difficult, although we have some 
> ideas that we are exploring.

Agree, but IMHO in the case of case of split tunnels, shouldn't that 
issue be solved better if the VPN is configured with the only the routes 
to the corporate system via the VPN and leave the default route for the 
non-VPN-interface for all the other traffic?

You know that I am all for fixing connectivity issues in corp networks 
(my business depends on that!) but in this case I think the privacy of 
non-WebRTC users that has a VPN configured correctly should be more 
important than solving the issues of someone willing to do WebRTC but 
not doing enough to make it work.

Could you share the ideas in the list? As Firefox and Edge might have 
the same behavior (and issues) I think it could be interesting if we can 
get to a good common solution and add it to the security draft (if you 
have not done it already ;)

Best regards
Sergio

v2.23.0 | Report a Bug | By Email