Re: [rtcweb] Summary of ICE discussion

Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 05 October 2011 08:06 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2A6021F8B51 for <rtcweb@ietfa.amsl.com>; Wed, 5 Oct 2011 01:06:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.482
X-Spam-Level:
X-Spam-Status: No, score=-106.482 tagged_above=-999 required=5 tests=[AWL=0.117, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Uskey87VRyL for <rtcweb@ietfa.amsl.com>; Wed, 5 Oct 2011 01:06:38 -0700 (PDT)
Received: from mailgw9.se.ericsson.net (mailgw9.se.ericsson.net [193.180.251.57]) by ietfa.amsl.com (Postfix) with ESMTP id E18E521F8B42 for <rtcweb@ietf.org>; Wed, 5 Oct 2011 01:06:32 -0700 (PDT)
X-AuditID: c1b4fb39-b7bfdae000005125-1a-4e8c10c3d1cc
Received: from esessmw0247.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw9.se.ericsson.net (Symantec Mail Security) with SMTP id 2D.29.20773.3C01C8E4; Wed, 5 Oct 2011 10:09:39 +0200 (CEST)
Received: from [127.0.0.1] (153.88.115.8) by esessmw0247.eemea.ericsson.se (153.88.115.94) with Microsoft SMTP Server id 8.3.137.0; Wed, 5 Oct 2011 10:09:33 +0200
Message-ID: <4E8C10BC.8090104@ericsson.com>
Date: Wed, 05 Oct 2011 10:09:32 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Bernard Aboba <bernard_aboba@hotmail.com>
References: <4E8B192E.80809@ericsson.com> <CALiegfmnxO+BrfycOmL=hptBFdcEpsLeBn=zsJTX=ivKBBumWw@mail.gmail.com> <BLU152-W139AA2913C1CFFDB50726193FB0@phx.gbl> <BLU152-W2342F5823933FA1F2B9F9C93FB0@phx.gbl> <37C37EE6-3D48-4C77-A025-3207F040572B@cisco.com> <4E8BC56E.40306@skype.net> <snt0-eas2567EB3C48B254DA9E07FC693F80@phx.gbl>
In-Reply-To: <snt0-eas2567EB3C48B254DA9E07FC693F80@phx.gbl>
X-Enigmail-Version: 1.3.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: AAAAAA==
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Summary of ICE discussion
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Oct 2011 08:06:38 -0000

Hi,

good that my summary lets us move forward.

A question on this attack. How common is it that these STUN servers use
other ports than 3478? Would a rule about that port mitigate the issue,
even if it could result in connectivity failures in cases where the NAT
external port is 3478 by chance?

In addition does these public servers use the username and password
convention from ICE? Isn't that what prevents STUN server deployed for
just determining your server reflexive candidate from actually respond
correctly to a connectivity check? As ICE do concatenate one part
generated by one peer with a part generated by the other peer I don't
see this as an issue as long as the random username fragment is
generated by the browser not the JS.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------