Re: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt

"Tirumaleswar Reddy (tireddy)" <> Tue, 20 August 2013 09:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1000E11E81F4 for <>; Tue, 20 Aug 2013 02:36:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.449
X-Spam-Status: No, score=-10.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BNryh0MIxoYB for <>; Tue, 20 Aug 2013 02:36:20 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7A1C111E8128 for <>; Tue, 20 Aug 2013 02:36:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=3116; q=dns/txt; s=iport; t=1376991380; x=1378200980; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=J3VYXd3B6p+ZJDOCht6ifke4+BeEin2fKb05jQ6msLc=; b=YElF1CDBivKUfq+Y6yVwuB0XcSnHa4Wr4MQhgVJDirx6GnYEBmSyfcqa WnQBw6adFiBHW3rfzpyJnDFhgNsArlZDlKQyuoY9pzfFNcz7LcD88ZSHX cyFpZL6LYW4PHXhLDhmufOpg1Brp+cdjfZonbnGI5HE5jyK9Kx+zpoV7t A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgoFAFc4E1KtJV2a/2dsb2JhbABagwU1Ub9TgSMWdIIkAQEBAwFsCgMFCwIBCBEEAQELHQcyFAkIAgQBDQUIiAIGDKwSjx6BDTEHgxt3A4h1ixiFBJAogxyBaUE
X-IronPort-AV: E=Sophos;i="4.89,919,1367971200"; d="scan'208";a="249347659"
Received: from ([]) by with ESMTP; 20 Aug 2013 09:36:03 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id r7K9a2HG024974 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 20 Aug 2013 09:36:02 GMT
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Tue, 20 Aug 2013 04:36:01 -0500
From: "Tirumaleswar Reddy (tireddy)" <>
To: Bernard Aboba <>, "Dan Wing (dwing)" <>, Harald Alvestrand <>
Thread-Topic: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt
Thread-Index: AQHOnQACPiyyHuYBZE+f9i52g6QhP5mdXbuAgAAhmwCAAHAqgP//wRxQ
Date: Tue, 20 Aug 2013 09:36:01 +0000
Message-ID: <>
References: <>, <>, <> <BLU169-W11E1423497EE1A503309E793430@phx.gbl>
In-Reply-To: <BLU169-W11E1423497EE1A503309E793430@phx.gbl>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Aug 2013 09:36:51 -0000

From: [] On Behalf Of Bernard Aboba
Sent: Tuesday, August 20, 2013 11:32 AM
To: Dan Wing (dwing); Harald Alvestrand
Subject: Re: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt

Dan Wing said:

> Section 2.2,
> "In order to deal with firewalls that block all UDP traffic, TURN over
> TCP MUST be supported. (QUESTION: What about ICE-TCP?)"
> ICE-TCP allows direct peer-to-peer communications using TCP, without a TURN server doing TCP-to-UDP interworking. I would say the industry has less experience with ICE-TCP than with ICE or with TURN-over-TCP, and because of the less experience and because ICE-TCP is arguably an *optimization*, I would say ICE-TCP is a MAY. It can't be a MUST-level requirement, at least by my threshold for MUST which is that interoperability is harmed or interoperability is impossible.

[BA]  While ICE-TCP will only eliminate the need for TURN over TCP in a fraction of NAT usage cases, the benefits can be substantial in the situations where it does work (and is needed).  The most popular uses of ICE-TCP so far are for things like P2P chat (e.g. MSRP), application sharing and RTP over TCP.  Given that WebRTC  could implement MSRP over the data channel, and could handle screen sharing via RTP over UDP,  the case probably needs to be made based on TURN-less conveyance of RTP over TCP (probably in a consumer scenario only, since for enterprise the TURN server would most likely be needed for firewall traversal reasons).  

[TR] Firewall traversal problems in Enterprise can also be resolved by using PCP-controlled Firewall without the need for TURN server and is discussed in sections 3.1, 3.2 of draft 


It's definitely not a MUST, and probably not a SHOULD either for WebRTC.  

> Most -- but not all -- of the security obtained with TURN over TLS is achieved with TURN REST (draft-uberti-behave-turn-rest and draft-uberti-rtcweb-turn-rest). I think the working group should consider if TURN REST satisfies the requirements, or if TURN over TLS is really, really necessary.

[BA] Not sure I follow this.   TURN over TLS provides confidentiality for the relay addresses and also some firewall traversal benefits.  TURN REST is trying to solve a different problem entirely (e.g. misuse of TURN credentials).  Personally, I don't think TURN REST really minimizes the risk to the extent necessary, since time limiting the credentials alone won't necessarily stop an ingenious (and greedy) thief.  As an example, when hackers gain control of a PBX they can run up shocking bills in a very short period of time, and even if TURN charges are minimal, you'd be surprised at what Internet miscreants can do with stolen credentials within a 24 hour period.  So to my mind, TURN REST needs some additional bolstering to limit the potential financial liability, such as bandwidth limits.