Re: [rtcweb] draft-jesup-rtcweb-data-00 posted

[Eric Rescorla <ekr@rtfm.com>]

On Tue, Oct 25, 2011 at 1:02 AM, Hadriel Kaplan <HKaplan@acmepacket.com> wrote:
>
> Hi Randell,
> What do you think about the following additional requirements:
>
> Req. 7: Data streams MUST provide fragmentation at a layer above UDP, such that IP-layer fragmentation does not occur no matter how large a message/buffer the Javascript application passes down to the Browser to be sent out.
>
> Req. 8: The data stream transport protocol MUST NOT encode IP addresses inside its protocol fields; doing so reveals potentially private information, and leads to failure if the address is depended upon.

I don't really understand what this means. In general, the peer has
access to your IP address
information from ICE.


> Req. 9: The data stream protocol SHOULD support unbounded-length "messages" (i.e., a virtual socket stream) at the application layer, for such things as image-file-transfer; or else it MUST support at least a maximum application-layer message size of 4GB.
>
> Req. 10: The data stream packet format/encoding MUST be such that it is impossible for a malicious Javascript to generate an application message crafted such that it could be interpreted as a native protocol over UDP - such as UPnP, RTP, SNMP, STUN, etc.

I'm not sure this is really an issue the way you raise it. It's clear
that you shouldn't be able to
generate messages that appear to be STUN or RTP but that's necessary
for demux to work
right. However, given that the other side has consented, I don't see
that confusion with
other protocols being an issue. The kind of intercepting proxies that
we found for
HTTP don't seem to be a feature of the UDP environment.

-Ekr