Re: [rtcweb] Resolving RTP/SDES question in Paris
Roman Shpount <roman@telurix.com> Fri, 23 March 2012 17:14 UTC
Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B19221F8602 for <rtcweb@ietfa.amsl.com>; Fri, 23 Mar 2012 10:14:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.805
X-Spam-Level:
X-Spam-Status: No, score=-2.805 tagged_above=-999 required=5 tests=[AWL=0.171, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sAhiVQjuxa-7 for <rtcweb@ietfa.amsl.com>; Fri, 23 Mar 2012 10:14:31 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 121F121F858B for <rtcweb@ietf.org>; Fri, 23 Mar 2012 10:14:30 -0700 (PDT)
Received: by yenm5 with SMTP id m5so3262903yen.31 for <rtcweb@ietf.org>; Fri, 23 Mar 2012 10:14:25 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=gExAO6g7+v85B5l+005RkrAP+W/nxh8lYL/l1r956ss=; b=m8vacbFPZiwUR0wKt3eQagS0IgIzuoT8X3POkizVZ9305hc5bYb+XnkLDBZPk6ScLc BM83wjJEky1ilODTzfbkb1ufBjx0EQItvKZOL41eBXf/oc7GYglw1BDELXyVfhmAdAuI HDxEyqVUavu9/0+nkoDpxQvff/CRYUhGB0bkawCz5kLhMBV+99W5p17Is2QNSrCjHQ+g M0hT5vUxnHr4seMsWCb4JnpJeV+XFCF9zmMXNiwmVxC+wglKZmEq44LLVdjkQYLB7NDt 43gk2Ox1khOtScBVaf1Q4OcOZMfzYM/ZtLqq9Zl4b9+km83G3FxHbm5UI6DYknSnkVBq lwSg==
Received: by 10.236.173.195 with SMTP id v43mr13309098yhl.40.1332522865645; Fri, 23 Mar 2012 10:14:25 -0700 (PDT)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by mx.google.com with ESMTPS id i7sm11011060ani.17.2012.03.23.10.14.23 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 23 Mar 2012 10:14:24 -0700 (PDT)
Received: by ggmi1 with SMTP id i1so3276564ggm.31 for <rtcweb@ietf.org>; Fri, 23 Mar 2012 10:14:23 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.135.40 with SMTP id pp8mr30833380pbb.13.1332522862750; Fri, 23 Mar 2012 10:14:22 -0700 (PDT)
Received: by 10.68.6.67 with HTTP; Fri, 23 Mar 2012 10:14:22 -0700 (PDT)
In-Reply-To: <13C620B3-1297-4212-B61C-5643E08E9748@acmepacket.com>
References: <4F4759DC.7060303@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com> <CALiegfnkYVEpmPV-zSL_4wOY-HiFZN-qJCQCiioaS=5NaqhLZw@mail.gmail.com> <CAD5OKxvtOAxMBx6xDnyfTnEq76oDEm6uj1xL6wGjjrtKUAHy3g@mail.gmail.com> <CABcZeBNZiotPmCfT53uEo+O0xw4xv6tXW1M_G-3A5BHuncsduA@mail.gmail.com> <CAD5OKxvYOY5JZ2mYNGiH1poUBQkyOOycePFijH5H+SxtcdqujQ@mail.gmail.com> <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com> <4F64FE98.3070605@alcatel-lucent.com> <4F685ED9.2050109@alvestrand.no> <CAD5OKxsVp7px9bHAgxgdqPMxRgppcVUDKt8JHBhyq9qqW3pAMg@mail.gmail.com> <4F68A4CC.9090306@alvestrand.no> <CAD5OKxuiApLKRASc2YuBfkM_8h8wGDPPQ3TdOYGum2yauidA5A@mail.gmail.com> <4F6AECC6.8020004@alvestrand.no> <CAD5OKxsSUeMFYXZMZVqQFWdeEB=30HJuJ=mP9GaYkksBmp1mOA@mail.gmail.com> <CABkgnnW3AyREj9T2zDzJf64Bhjdfc1K8-ebZe-V0a-tbiTYEpw@mail.gmail.com> <CAD5OKxswXun5nVhKcN2oXkTdr-wKuOB7PhbXgdGSE4RexhTd3A@mail.gmail.com> <CABkgnnUZgtgEWZvYiyxDVNsDRDNsdr30Pd38cZeR18UB1Z04mw@mail.gmail.com> <CAD5OKxuLY2hZVqmna_GmpcBdFbZiP6ybKTJ19DN4f25mabLTrg@mail.gmail.com> <CA+9kkMDFEmJVuZu_BCBvU34YbWB-0CCR7SbKt-3PF=XV0vs3JQ@mail.gmail.com> <CAD5OKxu=JPJyWWPii=t8JGKAKTqVvB5JFQJ-jBBnXmiK4xpPEQ@mail.gmail.com> <CA+9kkMALJW2H5bM9yiykfBUqWoZifkZWpve=ih+ors1u9mz=7A@mail.gmail.com> <CAD5OKxva=zm0NUwUE0mhaEOmrDYCvtn3kP701NeRbiBRKhPFJQ@mail.gmail.com> <13C620B3-1297-4212-B61C-5643E08E9748@acmepacket.com>
Date: Fri, 23 Mar 2012 13:14:22 -0400
Message-ID: <CAD5OKxt_i2eJ1hK6tR7aKUt4T+6sitfxdMaBfN-ASR6-UPRE2A@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Hadriel Kaplan <HKaplan@acmepacket.com>
Content-Type: multipart/alternative; boundary="047d7b10d17be3aa9b04bbec2761"
X-Gm-Message-State: ALoCoQkkR3eP6aDSX+mq0Vza/51PVgG1mAPycKBlIUDWKUQXineJHhkyO7+Sv13kBmZxYBJn8K/7
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2012 17:14:35 -0000
inline On Fri, Mar 23, 2012 at 12:29 AM, Hadriel Kaplan <HKaplan@acmepacket.com>wrote: > comments inline… > > On Mar 22, 2012, at 9:31 PM, Roman Shpount wrote: > > > I would say that this activity would be covered by: > > Did you mean to have a #1 before #2 below? Your email was missing a #1. > > No, I did not mean to have #1 before #2 and #3. I was quoting the exact language in the chapter definition that should cover the activity related to WebRTC specific proxy. > > 2. Define a security model that describes the security and privacy > > goals and specifies the security protocol mechanisms necessary > > to achieve those goals. > > We've got that: > http://tools.ietf.org/html/draft-ietf-rtcweb-security > http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch > > These documents do not cover scenario when organization forces all the traffic to go through HTTP proxy to enforce its communication policy. > 3. Define the solution - protocols and API requirements - for > > firewall and NAT traversal. > > We've got that, though not in one doc: > http://tools.ietf.org/html/draft-ietf-rtcweb-overview > http://tools.ietf.org/html/draft-ietf-rtcweb-use-cases-and-requirements > http://tools.ietf.org/html/draft-ietf-rtcweb-jsep > > Once again, these documents do not cover scenario when organization forces all the traffic to go through HTTP proxy. In such cases WebRTC simply will not work. At best, we can advise such organizations to deploy their own TURN server, but this allow all traffic to traverse into public internet, not just webrtc related one, which might be undesirable. > > I do consider ability to enforce the enterprise or location > communications policy on WebRTC clients to be one of the requirements for > security and privacy. > > OK, so what you're really saying is we have #2 and #3, but you don't agree > they cover the needs, and you want more added to #2 (and ultimately #3), > right? > I think we are currently missing one of the common network deployment scenarios for web browsers, where web browsers are deployed on a network non-routable to public internet with an HTTP proxy used to allow access to the web. I believe that we should add capabilities necessary to support such deployments. > > I expect that unless ability to enforce such communication policy within > enterprises or other organizations is provided, WebRTC would be simply > disabled. > > In practical terms, I expect that an organization that enforces a > communication policy disables routing to public internet and only allows > communications via a company controlled HTTP proxy. Such setup would > effectively prevent WebRTC from operations. What I am suggesting is to > provide a complimentary protocol for inspection and modification of WebRTC > SDP messages which would allow WebRTC enabled browser to control an > enterprise edge media proxy and would allow WebRTC media traffic to > traverse the enterprise firewall and to operate in such environment. > > Well... if they really can't enforce their policies, then by definition > they *should* disable it. That's a feature, not a bug. And luckily it > *can* be disabled, which is also a feature of WebRTC. > > Having said that, I don't understand why you think an organization that > has strict monitoring policies can't monitor and enforce WebRTC traffic, > both the HTTP *and* the media/data channels. They *can* do it. It's just > not "automagic", and not cheap. But that's ok - I don't think we need to > optimize the deployment complexity or cost structure for that model. > The reason is that with custom signaling protocols implementing monitoring or enforcing policies would be very hard. BTW, this is not only and not primarily about recording traffic. This can be used to force all the traffic outside of the enterprise to be DTLS-SRTP only, but still allow DES-SRTP (or RTP if WebRTC will support it) within the enterprise network. _____________ Roman Shpount
- [rtcweb] Resolving RTP/SDES question in Paris Magnus Westerlund
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Randell Jesup
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Randell Jesup
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Bernard Aboba
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ejzak, Richard P (Richard)
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Randell Jesup
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Bernard Aboba
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Cameron Byrne
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ejzak, Richard P (Richard)
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ejzak, Richard P (Richard)
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Cameron Byrne
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Lorenzo Miniero
- Re: [rtcweb] Resolving RTP/SDES question in Paris Lorenzo Miniero
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Tim Panton
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Jim Barnett
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- [rtcweb] RTP-IPSec vs SRTP-DTLS [was RE: Resolvin… Ravindran, Parthasarathi
- Re: [rtcweb] RTP-IPSec vs SRTP-DTLS [was RE: Reso… Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hutton, Andrew
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- [rtcweb] Telling the user the connection is secur… Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Bernard Aboba
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Telling the user the connection is s… Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Iñaki Baz Castillo
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Eric Rescorla
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Telling the user the connection is s… Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Jim Barnett
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Igor Faynberg
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Martin Thomson
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ted Hardie
- Re: [rtcweb] Resolving RTP/SDES question in Paris Dan Wing
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Ravindran, Parthasarathi
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hutton, Andrew
- Re: [rtcweb] Resolving RTP/SDES question in Paris Dan Wing
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Dan Wing
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Hadriel Kaplan
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Richard L. Barnes
- Re: [rtcweb] Resolving RTP/SDES question in Paris Magnus Westerlund
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount
- Re: [rtcweb] Resolving RTP/SDES question in Paris Harald Alvestrand
- Re: [rtcweb] Resolving RTP/SDES question in Paris Roman Shpount