Re: [rtcweb] [tram] TURN permissions for private ips
Justin Uberti <juberti@google.com> Thu, 06 August 2015 20:10 UTC
Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEC581B32EC for <rtcweb@ietfa.amsl.com>; Thu, 6 Aug 2015 13:10:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jm5mvR3duNN1 for <rtcweb@ietfa.amsl.com>; Thu, 6 Aug 2015 13:10:05 -0700 (PDT)
Received: from mail-vk0-x232.google.com (mail-vk0-x232.google.com [IPv6:2607:f8b0:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D60D01A882E for <rtcweb@ietf.org>; Thu, 6 Aug 2015 13:08:43 -0700 (PDT)
Received: by vkhg129 with SMTP id g129so31009990vkh.2 for <rtcweb@ietf.org>; Thu, 06 Aug 2015 13:08:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=5JF2zEDoBMNncmCmEQZNbKUosIlo7/QbK9t7OhJdAMk=; b=jbeVQ94r7Q5Y0uqH/ecTCAOJDn3vJHcM/6Sjy3j9ZtbHlusnWGHBKKBzRjahSBMq06 Of0Dp5AuptNeDLj8U6/VPzu0xQVqd2Dm9yYO5upp9wSrFNoUqJritE21ukdoSE3oV/oj TihTktxxEOB9VrSfFL+pp2YvUtNTzKuSyEfbz6ECy6vbDtRFt3ybpcUC8y7PkoFNzKrX OlPGVRHCGQwTI5S37ImBYbJDnh5ZRga3NjIRvwiq88jaXBht3JHbrZTMpdR3dV+qO0SV OqZ27AB9R7tI6sJ3KsInUw8k83gp5Z25/0w6DBLH3sCLP8ym0EWu+tSo3p4dk16eboZ1 59DA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=5JF2zEDoBMNncmCmEQZNbKUosIlo7/QbK9t7OhJdAMk=; b=mCR1p8x8YlVGzTvvVVH5L0ZBF70pjHtbYNeDUWKF9415j6ZZ8URavwzPvLf+gkw1kX TnXVUGZDIhlU4P2M0G+Ok4EaFwlFtKUoRZa5KBAS2WK/Hq23By/mhwlJe57qxFnCvXg1 4qsFkaw2jhopVXkfJiGAWahcFxQs1qwAgwAm1aENHn5+AVbq/M59ZBEU6rt8f3aaNbBG 0n6tvko7DAkAqpb9AzS+PCoOSklC0Tsm8gIjWIr9eP9F20VOudn2fmvGVkPwy5vEkOyX 9lNe3xSiz8xuCx9cjL1ne9DLZVZF8SuRDJXMhu6lX7HUuI/KeKFL4LJR6kZNlaLhOIsh YmLg==
X-Gm-Message-State: ALoCoQmIwtbv/vy7yxorEqzaxt0yuNGeNn7U0wXTHfXtEvEUEdYFPSm/I9S0KFwYI/s7pYnUSzgg
X-Received: by 10.52.186.10 with SMTP id fg10mr4518513vdc.84.1438891722957; Thu, 06 Aug 2015 13:08:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.31.191.87 with HTTP; Thu, 6 Aug 2015 13:08:23 -0700 (PDT)
In-Reply-To: <F144FF61-AAC6-4E0A-B08E-0E3F9B487F1B@vidyo.com>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com> <55C24293.5000603@cs.tcd.ie> <55C24C09.8020404@goodadvice.pages.de> <55C256C8.80606@jive.com> <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com> <F144FF61-AAC6-4E0A-B08E-0E3F9B487F1B@vidyo.com>
From: Justin Uberti <juberti@google.com>
Date: Thu, 06 Aug 2015 13:08:23 -0700
Message-ID: <CAOJ7v-0Z4fmWjVaeiAJh=rpYPjUsk_k8_=g8CrecAZQWtRG1AQ@mail.gmail.com>
To: Jonathan Lennox <jonathan@vidyo.com>
Content-Type: multipart/alternative; boundary="bcaec54864ba04a9a9051caa16bf"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/O_LbDR7wLrFXuAv75c69TUtBcpY>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, "tram@ietf.org" <tram@ietf.org>, mmusic <mmusic@ietf.org>
Subject: Re: [rtcweb] [tram] TURN permissions for private ips
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2015 20:10:10 -0000
Agree regarding "proxy-like" border TURN servers. I think that a candidate obtained from this sort of TURN server should be paired with RFC 1918 addresses, but I think that we should be able to avoid pairing candidates obtained from application TURN servers with RFC 1918 addresses. The app/browser clearly knows which is which. On Thu, Aug 6, 2015 at 7:14 AM, Jonathan Lennox <jonathan@vidyo.com> wrote: > > On Aug 5, 2015, at 5:35 PM, Justin Uberti <juberti@google.com> wrote: > > On Wed, Aug 5, 2015 at 11:32 AM, Simon Perreault <sperreault@jive.com> > wrote: > >> Le 2015-08-05 13:46, Philipp Hancke a écrit : >> > If a peer sends candidates with IP addresses from the private space, >> > permissions for those are created at the TURN server. Potentially not >> > utilising transport encryption even. >> > >> > I doubt those candidates ever work, so from a privacy point of view it >> > seems that clients should not create those permissions in the first >> > place. And ICE should probably not try to create pairs. >> >> It's not up to the client to determine what addresses might not might >> not work for a given TURN server. There are lots of weird NAT >> configurations out there that play games with RFC1918 addresses and can >> easily trick clients into doing the wrong thing. >> > > I am somewhat sympathetic to that, but given that there is measurable > downside here - extra candidate pairs that take time to check - can you > supply a concrete example of where the client choosing not to pair a TURN > candidate with a RFC1918 address would cause a problem? > > > This is really an ICE question, not a TURN question, so adding MMUSIC. > > Clearly, if your TURN server is actually on the public internet, pairing > RFC1918 address with its candidates won’t do any good. However, there can > be scenarios where you have a TURN server sitting in a DMZ or the like, > where it can actually route to RFC 1918 addresses. I suspect this will be > relevant in the various scenarios where the TURN server is topologically > equivalent to a web proxy. > > As I recall from the discussions around the development of ICE, there are > actually a fair number of networks out there which have public IPv4 and > RFC1918 addresses directly routable to each other. The examples I remember > came about as a result of corporate mergers, where one of the pre-merger > companies was using their public address space internally, and the other > wasn’t. > > >
- [rtcweb] Stephen Farrell's Discuss on draft-ietf-… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Eric Rescorla
- [rtcweb] TURN permissions for private ips (was: R… Philipp Hancke
- Re: [rtcweb] [tram] TURN permissions for private … Simon Perreault
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Alissa Cooper
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Simon Perreault
- Re: [rtcweb] [tram] TURN permissions for private … Eric Rescorla
- Re: [rtcweb] [tram] TURN permissions for private … Philipp Hancke
- [rtcweb] Stephen Farrell's Discuss on draft-ietf-… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Muthu Arul Mozhi Perumal
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Christer Holmberg
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Xavier Marjou
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Alissa Cooper
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Jonathan Lennox
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Martin Thomson
- Re: [rtcweb] [tram] TURN permissions for private … Jonathan Lennox
- Re: [rtcweb] [tram] TURN permissions for private … Roman Shpount
- Re: [rtcweb] [tram] TURN permissions for private … Martin Thomson
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] [tram] TURN permissions for private … Pal Martinsen (palmarti)
- Re: [rtcweb] [tram] TURN permissions for private … Emil Ivov
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Martin Thomson
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Muthu Arul Mozhi Perumal
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Ram Mohan R (rmohanr)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Ram Mohan R (rmohanr)
- Re: [rtcweb] Stephen Farrell's Discuss on draft-i… Stephen Farrell
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti
- Re: [rtcweb] [tram] TURN permissions for private … Cullen Jennings
- Re: [rtcweb] [tram] TURN permissions for private … Justin Uberti