Re: [rtcweb] CNAMEs and multiple peer connections

Justin Uberti <juberti@google.com> Thu, 20 March 2014 00:23 UTC

In-Reply-To: <5326CE9F.6060008@ericsson.com>
From: Justin Uberti <juberti@google.com>
Date: Wed, 19 Mar 2014 17:23:09 -0700
Message-ID: <CAOJ7v-1SBQUWQd4eorKL2VTacZXoQ6UGYv24KSmZM8-hhGz8tA@mail.gmail.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/KJa9IqZ9PnVfiP7uEKHXJ64F530
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] CNAMEs and multiple peer connections

Good point. So CNAME is perhaps the most important in terms of linkability,
but DTLS certificate and also IPv6 address may allow linkage by some
network elements.


On Mon, Mar 17, 2014 at 3:29 AM, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:

> On 2014-03-14 17:44, Justin Uberti wrote:
>
> >
> > At an implementation level, one could imagine at least 3 policies for
> > generating CNAMEs:
> > a) per-session (i.e. per-PeerConnection)
> > b) per-page (i.e. shared between all PCs on a page)
> > c) per-page, persistent (i.e. shared between all PCs on a page,
> > including across page loads)
> >
> > While we seem to agree that a) is the right solution for CNAMEs, it is
> > worth pointing out that we (Chrome) are currently doing c) for DTLS
> > certificates, to avoid performance problems with cert generation at page
> > load. Ergo, this linkability concern already exists, and I don't think
> > it is easy to solve it in the default case. There have been some
> > proposals to allow generation/storage of unique certs to prevent this
> > linkability, but this will require app input.
> >
> > Ergo, we might want to match the DTLS behavior (i.e. generate unique
> > CNAMEs only when the certs are unique), to ensure we treat linkability
> > consistently.
>
> Actually, the DTLS cert and the CNAME are not equivalent when it
> comes to visibility scope. The DTLS cert is shown only to the DTLS peer, i.e.
> the address at the other end of a peer connection. The CNAME, in the case of
> SFM or RTP mixer based (using CSRC lists) types of RTP middleboxes, can
> result in the CNAME being forwarded to all participants in the same
> multi-party conference.
>
> Cheers
>
> Magnus Westerlund
>
> ----------------------------------------------------------------------
> Services, Media and Network features, Ericsson Research EAB/TXM
> ----------------------------------------------------------------------
> Ericsson AB                 | Phone  +46 10 7148287
> Färögatan 6                 | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------
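As an added illustration of the linkability argument in the quoted text (this is not code from the thread, from Chrome, or from any browser), the three CNAME policies a), b) and c) modelled in Python: a browser hands out CNAMEs under one policy across two page loads with two PeerConnections each, and an observer in the position Magnus describes (a middlebox that relays every session's CNAME to the whole conference) checks which sessions it can tie together. The CNAME format (96 random bits, base64-encoded) is an assumption taken from RFC 7022, which the thread itself does not cite; the origin URL is a constructed placeholder.

```python
import base64
import enum
import itertools
import os


class CnamePolicy(enum.Enum):
    PER_SESSION = "a"          # fresh CNAME for every PeerConnection
    PER_PAGE = "b"             # one CNAME shared by all PCs in one page load
    PER_PAGE_PERSISTENT = "c"  # one CNAME per origin, kept across page loads


def random_cname() -> str:
    # 96 random bits, base64-encoded (assumption: RFC 7022's suggested form).
    return base64.b64encode(os.urandom(12)).decode()


class Browser:
    """Hypothetical browser that issues RTCP CNAMEs under one of the policies."""

    def __init__(self, policy: CnamePolicy):
        self.policy = policy
        self._per_origin = {}    # origin -> CNAME, survives page loads (policy c)
        self._per_load = {}      # (origin, page_load) -> CNAME (policy b)

    def new_peer_connection(self, origin: str, page_load: int) -> str:
        if self.policy is CnamePolicy.PER_SESSION:
            return random_cname()
        if self.policy is CnamePolicy.PER_PAGE:
            return self._per_load.setdefault((origin, page_load), random_cname())
        return self._per_origin.setdefault(origin, random_cname())


def linkable_sessions(observed):
    """observed: (session_id, cname) pairs seen by a conference middlebox.
    Returns the session-id pairs it can link because they share a CNAME."""
    by_cname = {}
    for sid, cname in observed:
        by_cname.setdefault(cname, []).append(sid)
    return {pair for ids in by_cname.values()
            for pair in itertools.combinations(ids, 2)}


def simulate(policy: CnamePolicy):
    """Two page loads of one origin, two PeerConnections per load, all of
    them visible to the same SFU/mixer-style observer."""
    browser = Browser(policy)
    observed = []
    for load in (1, 2):
        for pc in (1, 2):
            cname = browser.new_peer_connection("https://example.invalid", load)
            observed.append((f"load{load}-pc{pc}", cname))
    return linkable_sessions(observed)
```

Under policy a) the observer links nothing, under b) only the two sessions of the same page load, and under c) every session of that origin, including across page loads; a DTLS certificate reused the same way is only visible to the direct peer, so its scope is narrower than what this observer sees.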