Re: [rtcweb] I-D Action: draft-ietf-rtcweb-security-00.txt

Eric Rescorla <ekr@rtfm.com> Thu, 22 September 2011 14:06 UTC

Thanks for pointing these out. I will add them to my TODO list to write up.



On Thu, Sep 22, 2011 at 5:45 AM, Magnus Westerlund
<magnus.westerlund@ericsson.com> wrote:
> Hi EKR,
>
> (As an individual)
>
> Thanks for posting the draft.
>
> I am missing a few security issues that I think should be considered.
>
> 1. The attempt to overload the links in a domain by concentrating
> traffic on the domain by choosing peer-pairs. Not that I think there is
> any real protection against this other than limit the flows to their
> "fair" share.
>
> 2. Configuring RTCP or other automatically sent traffic to high
> bit-rates. Especially under conditions where continued consent can't be
> determined.
>
> Cheers
>
> Magnus Westerlund
>
> ----------------------------------------------------------------------
> Multimedia Technologies, Ericsson Research EAB/TVM
> ----------------------------------------------------------------------
> Ericsson AB                | Phone  +46 10 7148287
> Färögatan 6                | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------
>
>