IETF Logo Mail Archive

Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-channel-12.txt> (WebRTC Data Channels) to Proposed Standard

Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Sat, 11 October 2014 15:06 UTC

Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EBF81A6EFC for <rtcweb@ietfa.amsl.com>; Sat, 11 Oct 2014 08:06:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.337
X-Spam-Level:
X-Spam-Status: No, score=-2.337 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.786, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1WXXCa3kzygY for <rtcweb@ietfa.amsl.com>; Sat, 11 Oct 2014 08:06:02 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 974AC1A6EFB for <rtcweb@ietf.org>; Sat, 11 Oct 2014 08:06:02 -0700 (PDT)
Received: from [192.168.1.104] (p508F1388.dip0.t-ipconnect.de [80.143.19.136]) (Authenticated sender: macmic) by mail-n.franken.de (Postfix) with ESMTP id C2D161C0E96E9; Sat, 11 Oct 2014 17:05:59 +0200 (CEST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <1DE35922-E890-40C2-87E9-C8C12235920E@phonefromhere.com>
Date: Sat, 11 Oct 2014 17:05:58 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <E53B9B7E-37F0-495C-B1BA-DE0A48AC6D73@lurchi.franken.de>
References: <20141010004836.12666.88765.idtracker@ietfa.amsl.com> <91953101b2634ec69d14e120ea62d929@CY1PR0501MB1579.namprd05.prod.outlook.com> <CABkgnnWE7czWqi4vQRb5d50N2k95joc_Zcvw6w6g7SOjU9b+9g@mail.gmail.com> <03a3bbbc282b4e6d88d587931b46b5f8@CY1PR0501MB1579.namprd05.prod.outlook.com> <57B40110-2F21-4893-B77C-54F46D18567F@lurchi.franken.de> <1DE35922-E890-40C2-87E9-C8C12235920E@phonefromhere.com>
To: tim panton <tim@phonefromhere.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/Q-z9WVewFv0CtALSm1FD75VeMRc
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-channel-12.txt> (WebRTC Data Channels) to Proposed Standard
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Oct 2014 15:06:06 -0000

On 11 Oct 2014, at 11:59, tim panton <tim@phonefromhere.com> wrote:

> 
> On 11 Oct 2014, at 08:41, Michael Tuexen <Michael.Tuexen@lurchi.franken.de> wrote:
> 
>> On 11 Oct 2014, at 09:21, Wyss, Felix <Felix.Wyss@inin.com> wrote:
>> 
>>> I'm not looking at this in terms of MitM attacks but for topologies where we want to have back-to-back WebRTC sessions going through a legitimate middlebox.  That middlebox passes the media and data between these sessions while recording and/or performing analytics on it.  Requiring the 
>> So doesn't it terminate the DTLS connections of both peers?
> 
> Yes, it does. I think the worry is that the middle box may end up as DTLS server to both legs.
And why can't the middle box avoid this?
> That leaves both endpoints as DTLS clients. This then breaks the odd-even split and risks the endpoints allocating
> the same stream numbers.
I think "risks" is the wrong term here. I guess they will run into this almost always.

Best regards
Michael
> 
> For this to happen you have to have a middle box that offers actpass to both endpoints, agrees to passive 
> on both legs and then proceeds to terminate the DTLS but bridge the SCTP. Which only works if it also
> re-writes the signalling fingerprints ‘correctly' too.
> 
> Tim.
> 
> 
>> 
>> Best regards
>> Michael
>>> middlebox to worry about how the two endpoints might pick SCTP stream identifiers and possibly having to map or rewrite them unnecessarily complicates their implementation.  
>>> 
>>> IMHO from the perspective of the data channels, the DTLS layer should be an opaque tunnel ("bump in the stack") that passes packets between endpoints.  The DTLS role of an endpoint that emerges during connection establishment should not be relevant to the operation of the data channels.  Hence my concerns about the abstraction leak.  
>>> 
>>> Thanks,
>>> --Felix
>>> 
>>>> -----Original Message-----
>>>> From: Martin Thomson [mailto:martin.thomson@gmail.com]
>>>> Sent: Friday, October 10, 2014 16:34
>>>> To: Wyss, Felix
>>>> Cc: rtcweb@ietf.org
>>>> Subject: Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-channel-12.txt>
>>>> (WebRTC Data Channels) to Proposed Standard
>>>> 
>>>> On 10 October 2014 12:11, Wyss, Felix <Felix.Wyss@inin.com> wrote:
>>>>> I feel it would be better to explicitly require that applications are
>>>> responsible for identifier collision avoidance instead of allowing them to rely
>>>> on the DTLS roles.
>>>> 
>>>> Are you suggesting that we might want to consider the effect of a MitM
>>>> attack on the robustness of this?
>>> _______________________________________________
>>> rtcweb mailing list
>>> rtcweb@ietf.org
>>> https://www.ietf.org/mailman/listinfo/rtcweb
>>> 
>> 
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb
>

v2.23.0 | Report a Bug | By Email