Re: [rtcweb] Resolving RTP/SDES question in Paris

Magnus Westerlund <> Tue, 10 April 2012 09:44 UTC

Date: Tue, 10 Apr 2012 11:44:08 +0200
From: Magnus Westerlund <>
To: Roman Shpount <>

On 2012-03-29 08:20, Roman Shpount wrote:
> On Fri, Mar 23, 2012 at 2:39 PM, Harald Alvestrand wrote:
>     It seems to me that you are arguing that the scenarios in section
>     4.1 of the use cases document do not cover that specific case, and I
>     think you are right in that; the list is:
>        The following considerations are applicable to all use cases:
>        o  Clients can be on IPv4-only
>        o  Clients can be on IPv6-only
>        o  Clients can be on dual-stack
>        o  Clients can be on wideband (10s of Mbits/sec)
>        o  Clients can be on narrowband (10s to 100s of Kbits/sec)
>        o  Clients can be on variable-media-quality networks (wireless)
>        o  Clients can be on congested networks
>        o  Clients can be on firewalled networks with no UDP allowed
>        o  Clients can be on networks with cone NAT
>        o  Clients can be on networks with symmetric NAT
>     Now, there are two ways to interpret this omission:
>     - The WG did not think of that use case when the list was created
>     - The WG does not want that use case on the list because it
>     constrains the solution space too much
>     If (re)opening this issue, I think I'd find myself in the "do not
>     want that use case" camp.
> I do not recall this use case ever being discussed in the working group,
> so I would assume the current situation is due to the WG not thinking about
> this case when the list was created.


If I followed this thread, I do believe that we do have a use case
description that puts requirements on controlling how the media
traffic flows in and out of an enterprise when using WebRTC:

4.2.4.  Simple Video Communication Service, enterprise aspects

   Description

   This use-case is similar to the Simple Video Communication Service
   use-case (Section 4.2.1).

   What is added are aspects of using the service in enterprises.  ICE
   is assumed in the further description of this use-case.

   An enterprise that uses an RTCWEB based web application for
   communication desires to audit all RTCWEB based application sessions
   used from inside the company towards any external peer.  To be able
   to do this they deploy a TURN server that straddles the boundary
   between the internal network and the external.

   The firewall will block all attempts to use STUN with an external
   destination unless they go to the enterprise auditing TURN server.
   In cases where employees are using RTCWEB applications provided by an
   external service provider they still want to have the traffic stay
   inside their internal network and in addition not load the straddling
   TURN server, thus they deploy a STUN server allowing the RTCWEB
   client to determine its server reflexive address on the internal
   side, thus enabling cases where both peers are on the internal side
   to connect without the traffic leaving the internal network.  It must
   be possible to configure the browsers used in the enterprise with
   network-specific STUN and TURN servers.  This should be possible to
   achieve by autoconfiguration methods.  The RTCWEB functionality will
   need to utilize both network-specific STUN and TURN resources and
   STUN and TURN servers provisioned by the web application.

My interpretation of this and the discussion I can remember is that an
enterprise would configure the browsers for their internal computers
with a TURN server sitting on the border between the inside and outside.
That way one can at least log and audit which communication occurs
using WebRTC from the inside to the outside. The enterprise can also
choose to record media flows in the TURN server.
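The firewall rule in the quoted use case, as an added example that is not from the draft or from anyone in this thread: it recognises STUN by its RFC 5389 header (so it also separates STUN from RTP on a shared port) and applies the policy that STUN to internal hosts or to the enterprise's straddling TURN server passes, while STUN to any other external destination is blocked. The network ranges, the TURN address and the sample packets are constructed placeholders.

```python
import ipaddress
import struct

# Constructed enterprise topology (placeholder addresses, not from the thread).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ENTERPRISE_TURN = (ipaddress.ip_address("203.0.113.10"), 3478)  # straddling, auditing TURN
STUN_MAGIC_COOKIE = 0x2112A442
STUN_HEADER_LEN = 20

def is_stun(payload: bytes) -> bool:
    """RFC 5389 header: two zero bits, 14-bit type, 16-bit length (multiple of 4), magic
    cookie, 96-bit transaction id. RTP's version bits (10) fail the zero-bit check."""
    if len(payload) < STUN_HEADER_LEN:
        return False
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    return (msg_type & 0xC000 == 0 and cookie == STUN_MAGIC_COOKIE
            and msg_len % 4 == 0 and len(payload) == STUN_HEADER_LEN + msg_len)

def stun_class(payload: bytes) -> str:
    """Class bits C1 (bit 8) and C0 (bit 4) of the message type (RFC 5389 section 6)."""
    msg_type = struct.unpack("!H", payload[:2])[0]
    cls = ((msg_type >> 7) & 0x2) | ((msg_type >> 4) & 0x1)
    return ("request", "indication", "success", "error")[cls]

def classify_flow(dst: str, dport: int, payload: bytes) -> str:
    """Policy from the use case: STUN to internal hosts is allowed (internal STUN server,
    peers inside the network), STUN/TURN to the straddling TURN server is allowed and
    audited there, any other STUN to an external destination is blocked."""
    if not is_stun(payload):
        return "pass"  # not STUN; other firewall rules decide
    dst_ip = ipaddress.ip_address(dst)
    if any(dst_ip in net for net in INTERNAL_NETS):
        return "allow-internal"
    if (dst_ip, dport) == ENTERPRISE_TURN:
        return "allow-audited-turn"
    return "block-external-stun"

def stun_message(msg_type: int, attrs: bytes = b"") -> bytes:
    """Minimal STUN message with a zero transaction id, for the constructed samples."""
    return struct.pack("!HHI", msg_type, len(attrs), STUN_MAGIC_COOKIE) + bytes(12) + attrs

if __name__ == "__main__":
    samples = [  # (destination, port, payload): constructed, not captured traffic
        ("10.0.0.20", 3478, stun_message(0x0001)),        # Binding request, internal STUN
        ("203.0.113.10", 3478, stun_message(0x0003)),     # Allocate request, enterprise TURN
        ("198.51.100.7", 3478, stun_message(0x0001)),     # Binding request, external STUN
        ("198.51.100.7", 5004, b"\x80\x60" + bytes(18)),  # RTP-looking packet, not STUN
    ]
    for dst, port, pkt in samples:
        kind = stun_class(pkt) if is_stun(pkt) else "non-stun"
        print(f"{dst}:{port} {kind} -> {classify_flow(dst, port, pkt)}")
```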

This still leaves the question of whether one can get to the keys. That
will depend on the mechanism used for keying and its transport, and on
what methods have been put in place to capture such traffic.


Magnus Westerlund

Multimedia Technologies, Ericsson Research EAB/TVM
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: