Re: [rtcweb] draft-schwartz-rtcweb-return

"Cullen Jennings (fluffy)" <fluffy@cisco.com> Wed, 08 April 2015 00:58 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/7iGzlpnPN7yeT-yXgAoqOfEnBrI>

> On Mar 26, 2015, at 9:20 AM, Cullen Jennings <fluffy@cisco.com> wrote:
> 
> I'd like to point out that the combination of ietf-tram-turn-server-discovery and draft-schwartz-rtcweb-return allow any network you are connected to more or less MITM your media and do things like rate limit it, generate analytics on who you are talking to, force your traffic through an intermediary that is in a different legal jurisdiction and so on.

We discussed this after the meeting and came up with a way to resolve this concern. Benjamin has added some text to the -06 that specifically addresses this issue:

http://www.ietf.org/rfcdiff?url1=draft-schwartz-rtcweb-return-05&url2=draft-schwartz-rtcweb-return-06

This completely deals with the issue I raised, and with that change I support adopting this as a WG document.

After adoption, I think the WG should consider if any text is needed around the issue of TURN credentials. (If you run TURN with no credentials and an attacker can spoof the IP address in UDP packets, you can end up with the TURN servers in a nasty forwarding loop that allows a huge amplification factor for an attacker trying to DoS the TURN servers. This is still possible with authentication, but then you know who to blame. When TURN was first done, this was one of the reasons TURN requires auth and STUN does not.) However, I believe this issue can be solved and should not block adopting the draft.

Cullen
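The "you know who to blame" property Cullen refers to comes from TURN's long-term credential mechanism (RFC 5389 MESSAGE-INTEGRITY over each Allocate request), which binds every relay allocation to an authenticated username. The following is an added illustration, not code from the draft or from anyone on this thread: a minimal STUN/TURN Allocate builder and the server-side integrity check that rejects anonymous or forged allocations. The username, realm, nonce and password are constructed sample values, and the password is assumed to be plain ASCII (no SASLprep).

```python
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003          # TURN Allocate method, request class
ATTR_USERNAME, ATTR_REALM, ATTR_NONCE = 0x0006, 0x0014, 0x0015
ATTR_MESSAGE_INTEGRITY = 0x0008    # 20-byte HMAC-SHA1, always last here

def _attr(atype, value):
    # STUN attributes are TLV, padded to a 4-byte boundary
    pad = (4 - len(value) % 4) % 4
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * pad

def long_term_key(username, realm, password):
    # RFC 5389 long-term credential key: MD5(username ":" realm ":" password)
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def build_allocate(username, realm, nonce, key, txid=None):
    """Client side: an Allocate request carrying credentials and MESSAGE-INTEGRITY."""
    txid = txid or os.urandom(12)
    attrs = (_attr(ATTR_USERNAME, username.encode()) + _attr(ATTR_REALM, realm.encode())
             + _attr(ATTR_NONCE, nonce.encode()))
    # The HMAC covers the header with its length field already including the 24-byte MI attribute
    header = struct.pack("!HHI", ALLOCATE_REQUEST, len(attrs) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(key, header + attrs, hashlib.sha1).digest()
    return header + attrs + _attr(ATTR_MESSAGE_INTEGRITY, mac)

def parse_attrs(msg):
    attrs, off = [], 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        attrs.append((atype, msg[off + 4:off + 4 + alen], off))
        off += 4 + alen + (4 - alen % 4) % 4
    return attrs

def verify_allocate(msg, credentials):
    """Server side: return the authenticated username, or None if the Allocate must be refused (401)."""
    if len(msg) < 20 or struct.unpack("!H", msg[:2])[0] != ALLOCATE_REQUEST:
        return None
    attrs = parse_attrs(msg)
    fields = {t: v for t, v, _ in attrs}
    mi = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_INTEGRITY]
    if not mi or ATTR_USERNAME not in fields or ATTR_REALM not in fields:
        return None                      # anonymous Allocate: nobody to hold accountable
    mac, mi_off = mi[0]
    username, realm = fields[ATTR_USERNAME].decode(), fields[ATTR_REALM].decode()
    password = credentials.get(username)
    if password is None:
        return None
    # Recompute over everything before MESSAGE-INTEGRITY with the length field adjusted to end at it
    covered = struct.pack("!HH", ALLOCATE_REQUEST, mi_off + 4) + msg[4:mi_off]
    expected = hmac.new(long_term_key(username, realm, password), covered, hashlib.sha1).digest()
    return username if hmac.compare_digest(mac, expected) else None
```

A real server would additionally check NONCE freshness and respond 401/438 with a new nonce; relayed bytes can then be accounted per returned username.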