Re: [rtcweb] STUN for keep-alive - RTCP-less applications

Hadriel Kaplan <> Wed, 21 September 2011 08:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 72D5B21F8C0C for <>; Wed, 21 Sep 2011 01:59:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.523
X-Spam-Status: No, score=-2.523 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JcXJQ+BcYKRP for <>; Wed, 21 Sep 2011 01:59:51 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id CB14121F8BF8 for <>; Wed, 21 Sep 2011 01:59:50 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Wed, 21 Sep 2011 05:02:16 -0400
Received: from ([]) by ([]) with mapi id 14.01.0270.001; Wed, 21 Sep 2011 05:02:16 -0400
From: Hadriel Kaplan <>
To: Magnus Westerlund <>
Thread-Topic: [rtcweb] STUN for keep-alive - RTCP-less applications
Thread-Index: AQHMeD0o3MP/2iiGskyr4mcVoApBAA==
Date: Wed, 21 Sep 2011 09:02:16 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <092401cc749b$8fd64940$af82dbc0$@com> <> <> <> <2B265ADC-44C3-48CC-95A6-B90ED6E42FA7@acme> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAQAAAWE=
Cc: "<>" <>
Subject: Re: [rtcweb] STUN for keep-alive - RTCP-less applications
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 21 Sep 2011 08:59:51 -0000

On Sep 21, 2011, at 4:19 AM, Magnus Westerlund wrote:

> If I interpret this correctly, you are arguing that an RTCWEB
> implementation shall support a remote end-point that doesn't support RTCP.

Yes, although we could make that allowance/exception for audio only - in fact, G.711 only if it comes down to it.

Ultimately there is no indication in SIP/SDP that an device does not support RTCP.  So what would you have the Rtcweb browser do?  Once it starts sending media if it doesn't receive RTCP within time X then terminate the session automatically?  Would users be ok with that?

> I see congestion control for media as a MUST have due to the attack
> vector that exist in RTCWEB implementations. A Webservice that has
> sufficient amount of users visiting it can create additional
> PeerConnections beyond what is necessary for the service that is the
> front. These additional PeerConnections can be used to create traffic
> load over selected paths in the Internet by selecting a good pairs of
> peers to establish these overload streams. If there is no congestion
> control, or at least isn't reasonably fair sharing it could push large
> amount of other traffic out of the way on the paths selected by the
> attacker to be targeted.

If I understand your concern correctly, you're worried about the case of a malicious site controlling unsuspecting users as a botnet, making calls to each other and flooding the network paths between?

That can happen anyway: all ends are under control of the malicious site, so ICE will succeed... and even if the media layer starts throttling itself in a few seconds, the script can just keep creating/destroying PeerConnections, feeding new SDP to trigger port number changes, etc. And do so for video and audio and data channels concurrently or intermixed.