Re: [rtcweb] Requiring ICE for RTC calls

Roman Shpount <roman@telurix.com> Mon, 26 September 2011 18:45 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1BA921F8E26 for <rtcweb@ietfa.amsl.com>; Mon, 26 Sep 2011 11:45:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.613
X-Spam-Level:
X-Spam-Status: No, score=-2.613 tagged_above=-999 required=5 tests=[AWL=0.363, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V-uXYtyTVZ6Z for <rtcweb@ietfa.amsl.com>; Mon, 26 Sep 2011 11:45:20 -0700 (PDT)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com [209.85.218.44]) by ietfa.amsl.com (Postfix) with ESMTP id 9706721F8E25 for <rtcweb@ietf.org>; Mon, 26 Sep 2011 11:45:20 -0700 (PDT)
Received: by yic13 with SMTP id 13so5350463yic.31 for <rtcweb@ietf.org>; Mon, 26 Sep 2011 11:48:03 -0700 (PDT)
Received: by 10.151.28.19 with SMTP id f19mr6249123ybj.151.1317062883672; Mon, 26 Sep 2011 11:48:03 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by mx.google.com with ESMTPS id o14sm59979935ank.13.2011.09.26.11.48.02 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 26 Sep 2011 11:48:03 -0700 (PDT)
Received: by yxt33 with SMTP id 33so5678886yxt.31 for <rtcweb@ietf.org>; Mon, 26 Sep 2011 11:48:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.4.170 with SMTP id l10mr31236636pbl.3.1317062882351; Mon, 26 Sep 2011 11:48:02 -0700 (PDT)
Received: by 10.68.55.39 with HTTP; Mon, 26 Sep 2011 11:48:02 -0700 (PDT)
In-Reply-To: <2E239D6FCD033C4BAF15F386A979BF510F1087@sonusinmail02.sonusnet.com>
References: <CAD5OKxtNjmWBz92bRuxka7e-BUpTPgVUvr3ahJGpmZ-U5nuPbQ@mail.gmail.com> <CAD6AjGSmz5T_F+SK2EoBQm6T-iRKp7dd4j8ZAF5JKdbbyomZQA@mail.gmail.com> <CALiegfmO54HC+g9L_DYn4jtXAAbLEvS++qxKa6TNrLDREs9SeA@mail.gmail.com> <4E80984A.903@skype.net> <CALiegfmyvTb57WVooKryS-ubfcg+w5gZ+zfO1zzBLn3609AzaA@mail.gmail.com> <4E809EE6.2050702@skype.net> <2E239D6FCD033C4BAF15F386A979BF510F1087@sonusinmail02.sonusnet.com>
Date: Mon, 26 Sep 2011 14:48:02 -0400
Message-ID: <CAD5OKxviJaGvA-0AW=sAxSYm8hL+t8Xgr+4Ma+QBL0HWmZf_6g@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Ravindran Parthasarathi <pravindran@sonusnet.com>
Content-Type: multipart/alternative; boundary=bcaec5215f353fdd0c04addc99f4
Cc: Randell Jesup <randell-ietf@jesup.org>, rtcweb@ietf.org
Subject: Re: [rtcweb] Requiring ICE for RTC calls
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2011 18:45:21 -0000

You can determine that end point is not behind symmetric NAT using older
STUN specification and list discovered IP as a default contact address in
SDP, if you are not behind NAT, you can list the relayed address of the TURN
server as the default address. If you do this, together with the offer that
lists ICE candidates, you would be able to traverse NAT and communicate with
non-ICE end points.

I think discussion in this thread is not whether ICE needs to be supported
or implemented. I would say that ICE without a doubt should be supported. It
is about changing ICE specification as it stands right now, and force the
RTC end point only to communicate with end points that respond with ICE
compliant answer and complete ICE hand shake. This is actually against the
ICE specification as it is defined in RFC 5245, where answerer actually can
refuse to support ICE but still establish a call.
_____________
Roman Shpount


On Mon, Sep 26, 2011 at 2:31 PM, Ravindran Parthasarathi <
pravindran@sonusnet.com> wrote:

> I'm sort of lean towards ICE or ICElite mechanism for NAT traversal of
> media because there is no known better mechanism. In case there is known
> better mechanism, Please list out for discussion.
>
> Thanks
> Partha
>
> >-----Original Message-----
> >From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf
> >Of Matthew Kaufman
> >Sent: Monday, September 26, 2011 9:19 PM
> >To: Iñaki Baz Castillo
> >Cc: Randell Jesup; rtcweb@ietf.org
> >Subject: Re: [rtcweb] Requiring ICE for RTC calls
> >
> >On 9/26/2011 8:29 AM, Iñaki Baz Castillo wrote:
> >> 2011/9/26 Matthew Kaufman<matthew.kaufman@skype.net>et>:
> >>> For example, an evil overlord that creates a web site for allowing
> >its
> >>> clients to attack systems behind a firewall could relax those
> >requirements
> >>> and not mandate ICE/SRTP when opening arbitrary connections to
> >systems
> >>> behind said firewall.
> >>>
> >>> The "configuration" must be retrieved by the WebRTC client *from the
> >system
> >>> it will be sending traffic to*... the best format we have for that is
> >to
> >>> send a (rate-limited) STUN connectivity check with short-term
> >credentials
> >>> and see if it is replied to properly. That's how ICE works.
> >> I understand your points and I agree. That would be the perfect
> >scenario.
> >
> >That would be the only scenario that is safe enough to ship in a
> >browser.
> >
> >> But I'm worried about the price to pay for these security constrains
> >> (no interoperability with 95% of SIP-PSTN providers within next 3-5
> >> years).
> >
> >The alternative is that you don't ship anything in the browser, because
> >the browser *cannot* become an attack vector as a result of adding this
> >feature.
> >
> >And "interoperability with SIP-PSTN providers" is only relevant if you
> >are trying to turn the browser into another phone. We have enough
> >phones. What we don't have are new real-time communication experiences
> >that can only be created within this environment.
> >
> >Matthew Kaufman
> >
> >_______________________________________________
> >rtcweb mailing list
> >rtcweb@ietf.org
> >https://www.ietf.org/mailman/listinfo/rtcweb
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>