IETF Logo Mail Archive

Re: [rtcweb] Please require user consent for data channels

Justin Uberti <juberti@google.com> Fri, 17 July 2015 23:10 UTC

Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08EF81A8BB1 for <rtcweb@ietfa.amsl.com>; Fri, 17 Jul 2015 16:10:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nx3sNpMEG3Oo for <rtcweb@ietfa.amsl.com>; Fri, 17 Jul 2015 16:10:17 -0700 (PDT)
Received: from mail-ie0-x22e.google.com (mail-ie0-x22e.google.com [IPv6:2607:f8b0:4001:c03::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 500B91A8A0E for <rtcweb@ietf.org>; Fri, 17 Jul 2015 16:10:17 -0700 (PDT)
Received: by ietj16 with SMTP id j16so86719074iet.0 for <rtcweb@ietf.org>; Fri, 17 Jul 2015 16:10:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=eqLrDKgx2Nn8QmL9ZTnP80LQjASd7dt7fem7adrF1EE=; b=YXjPDnAK5rOSX5HMkLIeJDDuUhfIlJ4ko2BHZBmDYIjIBOI0SHPpgw9MmKaXxXKBo+ LPcY5tr4m1r/QncprB6UcgEyKhhYfOPjPBExXndGxQRljrPaLkuNB7Po+JKMIfsPfDn+ W+LBxN9yI7hHlu5LlJ3sRzmKuh2TPoJRWQALA0EkV/tPx/SU3y6Y9+MbuvsZH/W7eBHy bT3nfwm6RocXdiTFFrhy5Aeo1y+kUaJ5KpYWeLJlMtkumsYWLqZ+6rmRKhnZ22tzlS+R GPorMUMLreFk6I/jLCxOik7fVfjkkv9ahUlX+BmIe39bRQh4R9JfsEkzLfg2L0jQPpVJ dZ8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=eqLrDKgx2Nn8QmL9ZTnP80LQjASd7dt7fem7adrF1EE=; b=Q04H96kkouPmKJPIUWlG5KtwBixzeKL7joVFv7gsc6+iT9kMdYXY+hm4yTaifdsMr5 jECx9b2yKxesDtiWDR++gBJagobB8G6MzmOZ4A19S5LsFTl+2mcEK5k4y7z1v9V+VqV0 m4ZLEpBpaBLEQxx+om8wIGDxHYwWD4bnleJPLqHrq7MiycpoJrlE+qepWafxN56oFobc IbRMRfNA135YFZmHPSW9HGlN1WDTRS7l9Zre5kMCquuy0dzA0ScPyclcBug1SvatgFgg c//bBVlxqEoLgwMKltHE6IStBz02tPQjz3DI34pP12P6DziL587OTc6IDjfD89cAk3WR YNAA==
X-Gm-Message-State: ALoCoQkU3tiUY5Zplx2KTaJadNP3DHkOpzZENJ4DUhN0thSdmsiWu5bPY+ZRtd4xldnU34a1FT+x
X-Received: by 10.50.102.7 with SMTP id fk7mr922363igb.49.1437174616655; Fri, 17 Jul 2015 16:10:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.32.233 with HTTP; Fri, 17 Jul 2015 16:09:56 -0700 (PDT)
In-Reply-To: <55A9860D.8030903@gmail.com>
References: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com> <CAOJ7v-0UBGtP0-atxP7X4OTj-H6Lost5o42aAS65mA6CEqcQsw@mail.gmail.com> <CA+65OsrhXHK+cRAFLCZFt+34vr8eRhj+CN3DgznUBfSwmWYggw@mail.gmail.com> <CAOJ7v-24VCW6kkn7LOLkqZzhYEU0r=nmd_F7Zns1rnyqKN6xAg@mail.gmail.com> <55A95364.2070806@gmail.com> <CAOJ7v-3t9BQabR2e4EHs4G0Sec4sU9DFC2aiSXXYrat+an+RYg@mail.gmail.com> <55A96DA3.1040907@gmail.com> <CAOJ7v-1ui7349NzK6NZNRHPbnHWZajctk4cDgMKqRZSv47EYdA@mail.gmail.com> <55A9860D.8030903@gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Fri, 17 Jul 2015 16:09:56 -0700
Message-ID: <CAOJ7v-3LGd32rnpFVW_U0s3+iVaJXsL4vt_YAo=cyp6YyOArdw@mail.gmail.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b10c87181c0df051b1a4a2c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/Bxn_rq8qjzBe7aADYo5BGWTgNEM>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jul 2015 23:10:19 -0000

On Fri, Jul 17, 2015 at 3:47 PM, Sergio Garcia Murillo <
sergio.garcia.murillo@gmail.com> wrote:

>  On 17/07/2015 23:41, Justin Uberti wrote:
>
>
>
> On Fri, Jul 17, 2015 at 2:03 PM, Sergio Garcia Murillo <
> <sergio.garcia.murillo@gmail.com>sergio.garcia.murillo@gmail.com> wrote:
>
>>  Hi Justin,
>>
>> Thanks for pointing that out, can you point me were in RFC5245 is that
>> behavior described? I fail to find it.
>>
>> The only references I found about multihoming are about HOST candidates,
>> performing connectivity checks and priorization of candidates, but I cannot
>> find a reference on sending STUN request to the TURN/STUN server via all
>> the available interfaces in order to retrieve the server reflexive
>> candidates that is where the leak is originating. Please correct me again
>> if I am wrong.
>>
>
>  Section 2.1, paragraphs 2 and 3 talks about getting all interfaces, and
> then getting STUN and TURN candidates from said interfaces.
>
>
> That was the ones I was looking at, but my understanding of them is
> different:
>
>    If an agent is multihomed, it obtains a candidate from each IP
>    address.  Depending on the location of the PEER (the other agent in
>    the session) on the IP network relative to the agent, the agent may
>    be reachable by the peer through one or more of those IP addresses.
>    Consider, for example, an agent that has a local IP address on a
>    private net 10 network (I1), and a second connected to the public
>    Internet (I2).  A candidate from I1 will be directly reachable when
>    communicating with a peer on the same private net 10 network, while a
>    candidate from I2 will be directly reachable when communicating with
>    a peer on the public Internet.  Rather than trying to guess which IP
>    address will work prior to sending an offer, the offering agent
>    includes both candidates in its offer.
>
> Here, what I understand is that they are talking about Host ICE candidates, an then, yes, one per interface, no issue here (If my understanding of the leak problem is correct).
>
>
Agreed.

>    Next, the agent uses STUN or TURN to obtain additional candidates.
>    These come in two flavors: translated addresses on the public side of
>    a NAT (SERVER REFLEXIVE CANDIDATES) and addresses on TURN servers
>    (RELAYED CANDIDATES).  When TURN servers are utilized, both types of
>    candidates are obtained from the TURN server.  If only STUN servers
>    are utilized, only server reflexive candidates are obtained from
>    them.  The relationship of these candidates to the host candidate is
>    shown in Figure 2.  In this figure, both types of candidates are
>    discovered using TURN.  In the figure, the notation X:x means IP
>    address X and UDP port x.
>
> In this one is talking about getting server reflexive and relay candidates, but in no way I see that the stun server should be contacted by all the interfaces or overriding default routing from OS.
>
>
It is pretty clear from the diagram on page 10 that for each host candidate
X:x, the agent will gather a srflx candidate X1':x1' and relay candidate
Y:y. This is also spelled out in the text underneath the diagram:

   When the agent sends the TURN Allocate request from IP address and
   port X:x, the NAT (assuming there is one) will create a binding
   X1':x1', mapping this server reflexive candidate to the host
   candidate X:x.

Ergo, one tries to gather srflx and relay candidates for each host
candidate X:x.

v2.23.0 | Report a Bug | By Email