Return-Path: X-Original-To: rtcweb@ietfa.amsl.com Delivered-To: rtcweb@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1000E11E81F4 for ; Tue, 20 Aug 2013 02:36:30 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -10.449 X-Spam-Level: X-Spam-Status: No, score=-10.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BNryh0MIxoYB for ; Tue, 20 Aug 2013 02:36:20 -0700 (PDT) Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) by ietfa.amsl.com (Postfix) with ESMTP id 7A1C111E8128 for ; Tue, 20 Aug 2013 02:36:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3116; q=dns/txt; s=iport; t=1376991380; x=1378200980; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=J3VYXd3B6p+ZJDOCht6ifke4+BeEin2fKb05jQ6msLc=; b=YElF1CDBivKUfq+Y6yVwuB0XcSnHa4Wr4MQhgVJDirx6GnYEBmSyfcqa WnQBw6adFiBHW3rfzpyJnDFhgNsArlZDlKQyuoY9pzfFNcz7LcD88ZSHX cyFpZL6LYW4PHXhLDhmufOpg1Brp+cdjfZonbnGI5HE5jyK9Kx+zpoV7t A=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgoFAFc4E1KtJV2a/2dsb2JhbABagwU1Ub9TgSMWdIIkAQEBAwFsCgMFCwIBCBEEAQELHQcyFAkIAgQBDQUIiAIGDKwSjx6BDTEHgxt3A4h1ixiFBJAogxyBaUE X-IronPort-AV: E=Sophos;i="4.89,919,1367971200"; d="scan'208";a="249347659" Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by rcdn-iport-7.cisco.com with ESMTP; 20 Aug 2013 09:36:03 +0000 Received: from xhc-rcd-x15.cisco.com (xhc-rcd-x15.cisco.com [173.37.183.89]) by rcdn-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r7K9a2HG024974 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 20 Aug 2013 09:36:02 GMT Received: from xmb-rcd-x10.cisco.com ([169.254.15.8]) by xhc-rcd-x15.cisco.com ([173.37.183.89]) with mapi id 14.02.0318.004; Tue, 20 Aug 2013 04:36:01 -0500 From: "Tirumaleswar Reddy (tireddy)" To: Bernard Aboba , "Dan Wing (dwing)" , Harald Alvestrand Thread-Topic: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt Thread-Index: AQHOnQACPiyyHuYBZE+f9i52g6QhP5mdXbuAgAAhmwCAAHAqgP//wRxQ Date: Tue, 20 Aug 2013 09:36:01 +0000 Message-ID: <913383AAA69FF945B8F946018B75898A1902EBFA@xmb-rcd-x10.cisco.com> References: <20130819171507.30712.24757.idtracker@ietfa.amsl.com>, <52128C29.4040402@alvestrand.no>, In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [173.39.66.217] Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: "rtcweb@ietf.org" Subject: Re: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt X-BeenThere: rtcweb@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Real-Time Communication in WEB-browsers working group list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2013 09:36:51 -0000 From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf Of= Bernard Aboba Sent: Tuesday, August 20, 2013 11:32 AM To: Dan Wing (dwing); Harald Alvestrand Cc: rtcweb@ietf.org Subject: Re: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt Dan Wing said: > Section 2.2, > "In order to deal with firewalls that block all UDP traffic, TURN over > TCP MUST be supported. (QUESTION: What about ICE-TCP?)" >=20 > ICE-TCP allows direct peer-to-peer communications using TCP, without a TU= RN server doing TCP-to-UDP interworking. I would say the industry has less = experience with ICE-TCP than with ICE or with TURN-over-TCP, and because of= the less experience and because ICE-TCP is arguably an *optimization*, I w= ould say ICE-TCP is a MAY. It can't be a MUST-level requirement, at least b= y my threshold for MUST which is that interoperability is harmed or interop= erability is impossible. [BA] =A0While ICE-TCP will only eliminate the need for TURN over TCP in a f= raction of NAT usage cases, the benefits can be substantial in the situatio= ns where it does work (and is needed). =A0The most popular uses of ICE-TCP = so far are for things like P2P chat (e.g. MSRP), application sharing and RT= P over TCP. =A0Given that WebRTC =A0could implement MSRP over the data chan= nel, and could handle screen sharing via RTP over UDP, =A0the case probably= needs to be made based on TURN-less conveyance of RTP over TCP (probably i= n a consumer scenario only, since for enterprise the TURN server would most= likely be needed for firewall traversal reasons). =A0 [TR] Firewall traversal problems in Enterprise can also be resolved by usin= g PCP-controlled Firewall without the need for TURN server and is discussed= in sections 3.1, 3.2 of draft http://tools.ietf.org/html/draft-penno-rtcwe= b-pcp-00=20 --Tiru. It's definitely not a MUST, and probably not a SHOULD either for WebRTC. = =A0 > Most -- but not all -- of the security obtained with TURN over TLS is ach= ieved with TURN REST (draft-uberti-behave-turn-rest and draft-uberti-rtcweb= -turn-rest). I think the working group should consider if TURN REST satisfi= es the requirements, or if TURN over TLS is really, really necessary. [BA] Not sure I follow this. =A0 TURN over TLS provides confidentiality for= the relay addresses and also some firewall traversal benefits. =A0TURN RES= T is trying to solve a different problem entirely (e.g. misuse of TURN cred= entials). =A0Personally, I don't think TURN REST really minimizes the risk = to the extent necessary, since time limiting the credentials alone won't ne= cessarily stop an ingenious (and greedy) thief. =A0As an example, when hack= ers gain control of a PBX they can run up shocking bills in a very short pe= riod of time, and even if TURN charges are minimal, you'd be surprised at w= hat Internet miscreants can do with stolen credentials within a 24 hour per= iod. =A0So to my mind, TURN REST needs some additional bolstering to limit = the potential financial liability, such as bandwidth limits.=A0