Re: [rtcweb] Requiring ICE for RTC calls

Eric Rescorla <ekr@rtfm.com> Tue, 27 September 2011 18:57 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38EDE21F8CED for <rtcweb@ietfa.amsl.com>; Tue, 27 Sep 2011 11:57:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.9
X-Spam-Level:
X-Spam-Status: No, score=-102.9 tagged_above=-999 required=5 tests=[AWL=0.076, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id soZmXY1+G2rV for <rtcweb@ietfa.amsl.com>; Tue, 27 Sep 2011 11:56:59 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by ietfa.amsl.com (Postfix) with ESMTP id D9C2421F8CF4 for <rtcweb@ietf.org>; Tue, 27 Sep 2011 11:56:58 -0700 (PDT)
Received: by wyh21 with SMTP id 21so6059749wyh.31 for <rtcweb@ietf.org>; Tue, 27 Sep 2011 11:59:44 -0700 (PDT)
Received: by 10.227.201.133 with SMTP id fa5mr8097706wbb.91.1317149984352; Tue, 27 Sep 2011 11:59:44 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.227.196.83 with HTTP; Tue, 27 Sep 2011 11:59:04 -0700 (PDT)
In-Reply-To: <2E239D6FCD033C4BAF15F386A979BF510F1120@sonusinmail02.sonusnet.com>
References: <CAD5OKxtNjmWBz92bRuxka7e-BUpTPgVUvr3ahJGpmZ-U5nuPbQ@mail.gmail.com> <CAD6AjGSmz5T_F+SK2EoBQm6T-iRKp7dd4j8ZAF5JKdbbyomZQA@mail.gmail.com> <CALiegfmO54HC+g9L_DYn4jtXAAbLEvS++qxKa6TNrLDREs9SeA@mail.gmail.com> <4E80984A.903@skype.net> <CALiegfmyvTb57WVooKryS-ubfcg+w5gZ+zfO1zzBLn3609AzaA@mail.gmail.com> <4E809EE6.2050702@skype.net> <2E239D6FCD033C4BAF15F386A979BF510F1087@sonusinmail02.sonusnet.com> <BLU152-W62B7F2AC3F0D5B6E277CB993F00@phx.gbl> <CAD5OKxt=P3jg9N0weFUZLvUYQxyeXa+9YMtpc8wn7osuPQmTpg@mail.gmail.com> <CAD5OKxtVCgiFV_iAYd1w0uZZcS5+gsixOHJ0jGN=0CMdq++kdg@mail.gmail.com> <CAOJ7v-3PrnNyesL+x-mto9Q9djjiJ13QZHXCiGfY1mv3nubrqQ@mail.gmail.com> <CAD5OKxsKTHCuBQdUnGQtGfF7NmZZExLe9Q9B9cNR=483neuHPQ@mail.gmail.com> <CAOJ7v-1rzdmviAnGknVZmrU_TDNoC3NmWd1g6iyx0WzZ4xB3Pw@mail.gmail.com> <4E820825.9090101@skype.net> <CAD5OKxvmKi3Py0gNcTdREdfS07hA-=f6L+u8KKVgSWztMft9kQ@mail.gmail.com> <2E239D6FCD033C4BAF15F386A979BF510F1120@sonusinmail02.sonusnet.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 27 Sep 2011 11:59:04 -0700
Message-ID: <CABcZeBMi6bs9XLeDEjgANa4V2s-6niH6B+bheVu_e3aFz1LJEQ@mail.gmail.com>
To: Ravindran Parthasarathi <pravindran@sonusnet.com>
Content-Type: multipart/alternative; boundary=0015174c40aaeeebb704adf0e052
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Requiring ICE for RTC calls
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2011 18:57:00 -0000

On Tue, Sep 27, 2011 at 11:55 AM, Ravindran Parthasarathi <
pravindran@sonusnet.com> wrote:

>  Hi Roman,****
>
> ** **
>
> RTCWeb application within Enterprise looks the reasonable argument for not
> mandating ICE & SRTP in RTCWeb browser  because Enterprise shall be
> visualized as single reachable private network with no NAT & SRTP
> requirement. ICE & SRTP are overhead within Enterprise.****
>
>
Setting aside the question of whether SRTP is useful within an enterprise,
remember that ICE is being used here for consent verification as well
as NAT traversal. Consent verification is more important, not less,
when the user's machine is in an enterprise environment, because
failure to verify consent can result in firewall traversal by the attacker.

-Ekr


>
In case I understand you correctly, RTCWeb API should provide the mechanism
> to include ICE & SRTP on the need basis.****
>
> ** **
>
> Thanks****
>
> Partha****
>
> ** **
>
>  ****
>
> ** **
>
> *From:* rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] *On
> Behalf Of *Roman Shpount
> *Sent:* Wednesday, September 28, 2011 12:08 AM
> *To:* Matthew Kaufman
> *Cc:* rtcweb@ietf.org
>
> *Subject:* Re: [rtcweb] Requiring ICE for RTC calls****
>
>  ** **
>
> What about intranet applications that would want to locally call existing
> IP phones within the same enterprise? Should we force them to go through a
> media gateway as well or should we allow to overwrite this using a policy?
>
>
> As far as SRTP is concerned, once again we should at least provide a local
> policy. Otherwise it would be a real problem to test and debug this.
> _____________
> Roman Shpount
>
> ****
>
>  On Tue, Sep 27, 2011 at 1:30 PM, Matthew Kaufman <
> matthew.kaufman@skype.net> wrote:****
>
> On 9/27/11 10:01 AM, Justin Uberti wrote:****
>
> Neither Google Voice nor Skype (both fairly popular services) send raw RTP
> directly from the client to a PSTN terminator. ****
>
> ** **
>
> True.****
>
> ** **
>
> I can't speak for Skype, but Google Voice uses a media gateway for the
> quality-related reasons I mentioned earlier.****
>
> ** **
>
> I can't speak for Skype either, but this is a good guess.****
>
> ** **
>
>
> Since these large-scale services can deploy media gateways, it's clear that
> this is not a significant impediment.****
>
> ** **
>
> Agree. I'm not at all sure what the argument is that we need
> existing-PSTN-gateway-compatible RTP (without SRTP or ICE). If there is
> demand, these gateways will be upgraded to support RTCWeb. If there is not,
> service providers can run intermediate gateways.
>
> Matthew Kaufman****
>
> ** **
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>
>