Re: [rtcweb] [tram] TURN permissions for private ips

Jonathan Lennox <jonathan@vidyo.com> Thu, 06 August 2015 21:09 UTC

From: Jonathan Lennox <jonathan@vidyo.com>
To: Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [rtcweb] [tram] TURN permissions for private ips
Thread-Index: AQHQ0Im5K1zUyQsgpEy93n8RXczXUZ3/yvCA
Date: Thu, 06 Aug 2015 21:08:55 +0000
Message-ID: <A200625B-5402-41A8-9940-988AE1774123@vidyo.com>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com> <55C24293.5000603@cs.tcd.ie> <55C24C09.8020404@goodadvice.pages.de> <55C256C8.80606@jive.com> <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com> <F144FF61-AAC6-4E0A-B08E-0E3F9B487F1B@vidyo.com> <CAOJ7v-0Z4fmWjVaeiAJh=rpYPjUsk_k8_=g8CrecAZQWtRG1AQ@mail.gmail.com> <CABkgnnXubczrXpR+YHeF1+zNrNoPNMH_XdB1+pCAGZ9LQn0UXw@mail.gmail.com>
In-Reply-To: <CABkgnnXubczrXpR+YHeF1+zNrNoPNMH_XdB1+pCAGZ9LQn0UXw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/G18uQQKe6A6yETL0WR3TeJMdEeI>
Cc: mmusic <mmusic@ietf.org>, "rtcweb@ietf.org" <rtcweb@ietf.org>, "tram@ietf.org" <tram@ietf.org>

> On Aug 6, 2015, at 4:51 PM, Martin Thomson <martin.thomson@gmail.com> wrote:
> 
> On 6 August 2015 at 13:08, Justin Uberti <juberti@google.com> wrote:
>> I think that we should be able to avoid pairing candidates obtained from
>> application TURN servers with RFC 1918 addresses. The app/browser clearly
>> knows which is which.
> 
> I'm concerned here that if we let the application choose, we lose the
> defence we were looking to gain.  I think that perhaps 1918 pairing
> could be restricted to TURN servers that are configured/discovered,
> "proxy"-style.

What is the threat model/concern here?  Are you trying to save 20 ms for the connectivity check, or are you concerned that the remote candidates are visible on the wire and to the TURN server?

Obviously, local and remote candidates are always visible to an application, so this isn’t a circumstance where worrying about hostile applications is particularly relevant.

I can certainly imagine corporate WebRTC applications with an application-configured TURN server in a DMZ.  Another example might be a cloud service which wants all its traffic to come in through a single port, so it configures all applications to connect to it through a TURN port and uses RFC 1918 addresses internally.
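As an added illustration, not code from this thread or from any WebRTC stack: a candidate-pair filter that expresses the restriction discussed above, pairing a relayed candidate with an RFC 1918 remote address only when the TURN server was configured/discovered "proxy"-style. The candidate fields and the `turn_source` label are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of an ICE candidate; field names are assumptions for this
# example, not taken from any browser or TURN implementation.
@dataclass(frozen=True)
class Candidate:
    address: str
    typ: str                            # "host", "srflx" or "relay"
    turn_source: Optional[str] = None   # relay only: "application" or "proxy"

# RFC 1918 private IPv4 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def may_pair(local: Candidate, remote: Candidate) -> bool:
    """Decide whether a local/remote pair should be formed and checked."""
    if local.typ == "relay" and is_rfc1918(remote.address):
        # A private remote address reached through a TURN relay: allow it
        # only when the relay was network-provided ("proxy"-style), never
        # when the application itself supplied the TURN server.
        return local.turn_source == "proxy"
    return True

def filter_pairs(locals_: List[Candidate],
                 remotes: List[Candidate]) -> List[Tuple[Candidate, Candidate]]:
    """Return the candidate pairs that survive the policy above."""
    return [(l, r) for l in locals_ for r in remotes if may_pair(l, r)]

if __name__ == "__main__":
    # Constructed sample: the DMZ-style app-configured relay from the thread.
    app_relay = Candidate("198.51.100.10", "relay", "application")
    proxy_relay = Candidate("198.51.100.11", "relay", "proxy")
    remotes = [Candidate("10.1.2.3", "host"), Candidate("203.0.113.7", "srflx")]
    for l, r in filter_pairs([app_relay, proxy_relay], remotes):
        print(f"pair {l.address} ({l.turn_source}) -> {r.address}")
```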