Re: [rtcweb] Requiring ICE for RTC calls
Cameron Byrne <cb.list6@gmail.com> Mon, 26 September 2011 15:00 UTC
From: Cameron Byrne <cb.list6@gmail.com>
To: Roman Shpount <roman@telurix.com>
Cc: Randell Jesup <randell-ietf@jesup.org>, rtcweb@ietf.org

On Sep 26, 2011 7:52 AM, "Roman Shpount" <roman@telurix.com> wrote:
>
> PSTN carriers today almost always run SBCs. At the same time I have not seen an SBC from any major US carrier with firmware newer than 2 years old. I've never seen an SBC in carrier deployment that currently supports ICE or SRTP.
>
> Bottom line, no carriers currently support ICE or SRTP. If we create the market requirements for them to support ICE and SRTP, it will take them 3-5 years to add such support. If we have anybody from SBC manufacturing companies or carriers who can provide evidence to the opposite, I would love to hear from them. In any case, it would be prudent to provide a way to use current non-ICE, non-SRTP with RTC.
> _____________
> Roman Shpount
>

I am with a mobile carrier that does FMC and we have products that use SRTP to an SBC today. I don't know about ICE, but I think your projection is clearly not true. If other carriers delay, I am glad to take their business.

Cameron

>
>
> On Mon, Sep 26, 2011 at 10:45 AM, Cameron Byrne <cb.list6@gmail.com> wrote:
>>
>>
>> On Sep 26, 2011 7:30 AM, "Roman Shpount" <roman@telurix.com> wrote:
>> >
>> > I think requiring ICE in RTC is not only unfortunate, it will make it impossible to connect to PSTN without media gateway. If we complete this specification, and phone carriers decide that there is a business case for them to support RTC clients directly, it will take them 3-5 years to implement ICE in SBC. From what I've seen major carriers run SBC firmware which is normally 2-3 years old. If we add time it takes to implement ICE in SBC, plus time it will take PSTN provider to verify and test the feature, we are easily looking into 5 year time frame.
>> >
>> > Since we need to have user confirmation to start a media call anyway, and since this is not going to be any different from what SIP clients are currently doing, it would make sense to allow a plain non-ICE, non-SRTP call.
>> >
>> > Finally, ICE specification are designed to interop with non-ICE end points. We will need to change ICE to accomplish what you are doing.
>> >
>>
>> Maybe I misunderstand you, but the PSTN carriers today and in the future will always run an SBC because that is their security policy.
>>
>> Regarding firmware, they react to market needs and timing.
>>
>> Cb
>>
>> _____________
>> > Roman Shpount
>> >
>> >
>> > On Mon, Sep 26, 2011 at 1:23 AM, Randell Jesup <randell-ietf@jesup.org> wrote:
>> >>
>> >> On 9/22/2011 4:37 PM, Cullen Jennings wrote:
>> >>>
>> >>> On Sep 22, 2011, at 2:04 PM, Christer Holmberg wrote:
>> >>>
>> >>>> If so, what is your assumption then regarding ICE? That the SIP nodes will support ICE, or that the browser will be allowed to communicate with the SIP nodes without enabling ICE?
>> >>>
>> >>> I see no way of solving the security problems without having ICE or something more or less like it. Therefore, I'm working on the assumption that it will only work if the SIP side supports ICE, or is front ended by a SBC with media GW that does ICE. In the short term, there will be some devices that don't do ICE but SIP devices are increasingly having ICE added. Particularly SIP devices that are internet facing because the need for NAT traversal.
>> >>>
>> >>> I find requiring ICE to be a very unfortunate assumption to have to make - obviously it reduces the number of legacy voip devices WebRTC devices can talk to without an SBC but I don't see any way around this limitation. Allowing web browsers inside the firewall to send packets to an arbitrary address that is inside the firewall with no validation that address speaks RTP is not acceptable.
>> >>
>> >>
>> >> I agree we can't solve the security issue with permission to send with the
>> >> current threat model without ICE or some equivalent.
>> >>
>> >> There is another option that may help with some of the use cases (I've mentioned
>> >> this before in the discussion on screensharing, among others). For a number
>> >> of the use cases security is an impassible problem with the current threat model.
>> >> Those use cases generally involve replacing cases where an existing desktop
>> >> install or plugin was used (webex, screensharing, vnc, SIP softclient, Skype, etc).
>> >> Those cases all currently involve the user implicitly giving these apps total
>> >> or close to code that could do pretty much anything on the user's computer,
>> >> and are also often the "ongoing usage" authentication cases.
>> >>
>> >> The only mitigating safety of the external app/plugin model is that they're typically
>> >> signed and go through the platforms software-install procedure, cert-showing, UACs, etc.
>> >>
>> >> Currently people are trying to work out the HTML5 "installed" webapp security model;
>> >> if that's far enough along we may be able to piggyback off that. I'm looking into it.
>> >>
>> >>
>> >> --
>> >> Randell Jesup
>> >> randell-ietf@jesup.org
>> >>
>> >> _______________________________________________
>> >> rtcweb mailing list
>> >> rtcweb@ietf.org
>> >> https://www.ietf.org/mailman/listinfo/rtcweb
>> >
>> >
>> >
>> > _______________________________________________
>> > rtcweb mailing list
>> > rtcweb@ietf.org
>> > https://www.ietf.org/mailman/listinfo/rtcweb
>> >
>
>
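
An added illustration, not part of the thread or of any participant's message: a Python sketch of the receive-consent check that the quoted argument for requiring ICE relies on. The sender releases media only after the target returns a STUN Binding success response (RFC 5389 framing) whose MESSAGE-INTEGRITY is keyed by the ICE password exchanged in signaling. The credentials and the "legacy" reply are constructed; XOR-MAPPED-ADDRESS and FINGERPRINT are omitted, and MESSAGE-INTEGRITY is assumed to be the last attribute.

```python
import hashlib
import hmac
import os
import struct

MAGIC = 0x2112A442  # STUN magic cookie (RFC 5389)
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
USERNAME, MESSAGE_INTEGRITY = 0x0006, 0x0008

def _attr(atype, value):
    pad = b"\x00" * (-len(value) % 4)  # attributes are 32-bit aligned
    return struct.pack("!HH", atype, len(value)) + value + pad

def build(msg_type, txid, attrs, password):
    """Serialize a STUN message and append MESSAGE-INTEGRITY keyed by password."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    # The length field covered by the HMAC already counts the 24-byte MI attribute.
    header = struct.pack("!HHI", msg_type, len(body) + 24, MAGIC) + txid
    mac = hmac.new(password, header + body, hashlib.sha1).digest()
    return header + body + _attr(MESSAGE_INTEGRITY, mac)

def consent_verified(response, txid, password):
    """Sender-side gate: True only for a Binding success response that echoes
    our transaction ID and carries a valid MESSAGE-INTEGRITY."""
    if len(response) < 44:  # 20-byte header + 24-byte MESSAGE-INTEGRITY
        return False
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if (msg_type, cookie) != (BINDING_SUCCESS, MAGIC) or response[8:20] != txid:
        return False
    mi = response[-24:]  # simplification: MI assumed to be the last attribute
    if length != len(response) - 20 or struct.unpack("!HH", mi[:4]) != (MESSAGE_INTEGRITY, 20):
        return False
    expected = hmac.new(password, response[:-24], hashlib.sha1).digest()
    return hmac.compare_digest(expected, mi[4:])

def demo():
    pwd = b"constructed-ice-pwd-0123456789"  # constructed; real value comes from signaling
    txid = os.urandom(12)
    request = build(BINDING_REQUEST, txid, [(USERNAME, b"peerufrag:ownufrag")], pwd)
    ice_peer = build(BINDING_SUCCESS, txid, [], pwd)            # peer that holds the password
    forged = build(BINDING_SUCCESS, txid, [], b"wrong-secret")  # reply without the password
    legacy = b"\x80\x00" + os.urandom(50)                       # constructed non-STUN reply
    return request, tuple(consent_verified(r, txid, pwd) for r in (ice_peer, forged, legacy))

if __name__ == "__main__":
    print(demo()[1])
```

A device that never took part in the signaling exchange cannot produce the keyed response, so the sender never starts a media flow toward it.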