IETF Logo Mail Archive

Re: [rtcweb] Resolving RTP/SDES question in Paris

Iñaki Baz Castillo <ibc@aliax.net> Fri, 16 March 2012 22:55 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A64021F85D6 for <rtcweb@ietfa.amsl.com>; Fri, 16 Mar 2012 15:55:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level:
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[AWL=0.066, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uKaRPoBZExXG for <rtcweb@ietfa.amsl.com>; Fri, 16 Mar 2012 15:55:21 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 6118421F85D5 for <rtcweb@ietf.org>; Fri, 16 Mar 2012 15:55:21 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so255797vbb.31 for <rtcweb@ietf.org>; Fri, 16 Mar 2012 15:55:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=rRcTcK+CedU1Q7dlPS1JHDhL3eZ1g9Ab3fgsLXtKHxg=; b=alwNhLocMP4BjL54al5EzijfGMyV7mcjy5oa/MvkI5XcrR9o7QjY7jfOz4duVOVYT/ c2+qYhhp1dQ8IPFEA6NLnrOp8pMFrEdmvGshb7QOCrzrtZp622MdmuFgFzBVTabbHLCg JEk6qZGjh7vn50NwViM/rjhNj59P8AfsiXua3Qfvm5kijkf2IMmtZAOd+i8jX8Dpi7Wr WXGFeKJxv+rLaQehxRxLsvSO52dSfHOe4UZC52OZ9fqvxH+raCiT4NpsQ6mJ6z1Mk+At q0NdwEXdtUP3aUU28tU0RfqhwM62vvV/Nf3DAn1f3sHYB9h5aJJw8YVlW+vlFIhyXAG6 1XHQ==
Received: by 10.220.151.77 with SMTP id b13mr1139848vcw.44.1331938520555; Fri, 16 Mar 2012 15:55:20 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.165.162 with HTTP; Fri, 16 Mar 2012 15:55:00 -0700 (PDT)
In-Reply-To: <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com>
References: <4F4759DC.7060303@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
Date: Fri, 16 Mar 2012 23:55:00 +0100
Message-ID: <CALiegfnkYVEpmPV-zSL_4wOY-HiFZN-qJCQCiioaS=5NaqhLZw@mail.gmail.com>
To: "Ravindran, Parthasarathi" <pravindran@sonusnet.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQmGow/lfQoKUgAoKp/HlxlKpKxUH/rbbqMiExZ1r+VhI5VIZhDFJZfgqsSNDuh2UjjMRnJk
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Mar 2012 22:55:22 -0000

2012/3/16 Ravindran, Parthasarathi <pravindran@sonusnet.com>:
> As I mentioned in earlier mail thread (http://www.ietf.org/mail-archive/web/rtcweb/current/msg03148.html), RTP has to be supported by RTCWeb client with local user consent.

Well, that's your opinnion, not a MUST (or not yet).



> To clarify why RTP is not harmful in some usage, VPN access of intranet RTCWeb client in public internet usecase is as follows:
>
> Usecase details: Enterprise employee Alice access enterprise (HTTP & WebRTC compliant) intranet with VPN connection using Airport WiFi internet connection, Alice will have the mechanism to call another employee Bob in the same enterprise using WebRTC session and the session between Alice and bob will be plain RTP in VPN network.
>
> Security aspect: Here, accessing (HTTP) intranet browsing today is safe even though Alice is using Airport Wifi internet connection as he has VPN connection (IPSec) and no dependency on HTTPS. In the same way, WebRTC mechanism should not mandate for SRTP-DTLS in media and MUST allow RTP.  The local user consent (configuration) is required to restrict this usage by Dr Evil website.


To clarify why RTP *is* harmful in *common* usages:

Usecase details: An user in an airport using an open WiFi connection
and accesing to a social web page implementing WebRTC for calls
between web users and between web users and PSTN numbers. And not, the
user does not use a VPN to connect to a social web. The user calls to
a PSTN number (since the contact he wants to call to is not currently
online in the web). The call is established with a SIP PSTN gateway
which does not implement SRTP but just RTP.

Security aspect: Plain RTP is negotiated so anyone in the airport can
spoof the media. A good reason to state "WebRTC mechanism MUST mandate
for SRTP and MUST NOT allow plain RTP, since the security aspect
depends on the service provider (and there are tons of irresponsible
service providers out there in Internet).



> The local user consent (configuration) is required to restrict this usage by Dr Evil website.

Giving the security responsability to end users as a configurable
option is not a good idea. The world would be much better if the
browsers would not allow plain HTTP, but it's not possible to change
the WWW requeriments and mandate HTTPS given the ammount of plain HTTP
deployments. In contrast, WebRTC does not exist yet so *now* is the
moment to mandate security.


Regards.



-- 
Iñaki Baz Castillo
<ibc@aliax.net>

v2.23.0 | Report a Bug | By Email