Re: [rtcweb] Requiring ICE for RTC calls

Matthew Kaufman <matthew.kaufman@skype.net> Mon, 26 September 2011 15:19 UTC

Return-Path: <matthew.kaufman@skype.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B80A821F8D74 for <rtcweb@ietfa.amsl.com>; Mon, 26 Sep 2011 08:19:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.186
X-Spam-Level:
X-Spam-Status: No, score=-5.186 tagged_above=-999 required=5 tests=[AWL=1.113, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hp5RocecAhmG for <rtcweb@ietfa.amsl.com>; Mon, 26 Sep 2011 08:19:07 -0700 (PDT)
Received: from mx.skype.net (mx.skype.net [78.141.177.88]) by ietfa.amsl.com (Postfix) with ESMTP id 5A9D121F8C53 for <rtcweb@ietf.org>; Mon, 26 Sep 2011 08:19:07 -0700 (PDT)
Received: from mx.skype.net (localhost [127.0.0.1]) by mx.skype.net (Postfix) with ESMTP id 3EE6016F3; Mon, 26 Sep 2011 17:21:49 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=skype.net; h=message-id :date:from:mime-version:to:cc:subject:references:in-reply-to :content-type:content-transfer-encoding; s=mx; bh=WgieShguyaQMdk MtXU/UQeTve1M=; b=LgcLYo1LiW4W1wN2K/EONtDAglkZC+PdM07QvCsyZYE5q7 3DYKJ6HrDvfk4Rj01XwC6SBZl/fRiZI8MrHhPPaDb4wOzZTsmRaXmQ5j9F492oFY rKF3pswLoy3J9cFeOsiqzTf0+ZtDoSX4zd7dx99kAabzwXeuczGF/q9tzu0ZY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=skype.net; h=message-id:date:from :mime-version:to:cc:subject:references:in-reply-to:content-type: content-transfer-encoding; q=dns; s=mx; b=Nm4wPImSeLl2Cd0vGMUUcu 3hzMsociMCl4cjBW7RknCXlNeuBX6DbMCJYT0WkDt/X8dgfy5oDyy5L8fh0zW/Na z3u7DZhXMiPBIyQ+0wFjElUa7laxmvRtEXdHuOK6Kb8vYpqKq2cB9iJHja98gmF9 PrN7RAZrPaLYIhlEQoo04=
Received: from zimbra.skype.net (zimbra.skype.net [78.141.177.82]) by mx.skype.net (Postfix) with ESMTP id 3D2DF7F8; Mon, 26 Sep 2011 17:21:49 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by zimbra.skype.net (Postfix) with ESMTP id B65441672683; Mon, 26 Sep 2011 17:21:48 +0200 (CEST)
X-Virus-Scanned: amavisd-new at lu2-zimbra.skype.net
Received: from zimbra.skype.net ([127.0.0.1]) by localhost (zimbra.skype.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TLTLWxFtCFae; Mon, 26 Sep 2011 17:21:48 +0200 (CEST)
Received: from [10.10.155.2] (unknown [198.202.199.254]) by zimbra.skype.net (Postfix) with ESMTPSA id 270CF1672682; Mon, 26 Sep 2011 17:21:46 +0200 (CEST)
Message-ID: <4E80984A.903@skype.net>
Date: Mon, 26 Sep 2011 08:20:42 -0700
From: Matthew Kaufman <matthew.kaufman@skype.net>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2
MIME-Version: 1.0
To: =?UTF-8?B?ScOxYWtpIEJheiBDYXN0aWxsbw==?= <ibc@aliax.net>
References: <CAD5OKxtNjmWBz92bRuxka7e-BUpTPgVUvr3ahJGpmZ-U5nuPbQ@mail.gmail.com> <CAD6AjGSmz5T_F+SK2EoBQm6T-iRKp7dd4j8ZAF5JKdbbyomZQA@mail.gmail.com> <CALiegfmO54HC+g9L_DYn4jtXAAbLEvS++qxKa6TNrLDREs9SeA@mail.gmail.com>
In-Reply-To: <CALiegfmO54HC+g9L_DYn4jtXAAbLEvS++qxKa6TNrLDREs9SeA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Cc: Randell Jesup <randell-ietf@jesup.org>, rtcweb@ietf.org
Subject: Re: [rtcweb] Requiring ICE for RTC calls
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Sep 2011 15:19:08 -0000

On 9/26/2011 8:15 AM, Iñaki Baz Castillo wrote:
> 2011/9/26 Cameron Byrne<cb.list6@gmail.com>om>:
>> Maybe I misundersatnd you, but the PSTN carriers today and in the future
>> will always run an SBC because that is their security policy.
> Hi. Please let's forget "SBC" and let's go to a simpler case: a PSTN
> provider that speeak SIP and RTP with clients and SIP/SS7/ISUP with
> other PSTN operators. The signaling and media conversion is done in
> PSTN gateways. Most of them, for sure, don't implement ICE neither
> SRTP.
>
> Anyhow, concerning this subject, I already proposed something in other
> thread: why couldn't the provider (the web site) tell their WebRTC
> clients wheter they shoud or not accept media sessions without ICE
> and/or SRTP?

Because that doesn't meet the security requirements.
>
> For example, a telco operator that creates a web site for allow its
> clients making PSTN calls from the web, could relax those requirements
> and don't mandate ICE/SRTP. In the other side, a social network web
> site which just allows calls between web users could mandate them.
> Such configuration could be retrieved by the WebRTC client via HTTP or
> WebSocket by standarizing a document format.

For example, an evil overlord that creates a web site for allowing its 
clients to attack systems behind a firewall could relax those 
requirements and not mandate ICE/SRTP when opening arbitrary connections 
to systems behind said firewall.

The "configuration" must be retrieved by the WebRTC client *from the 
system it will be sending traffic to*... the best format we have for 
that is to send a (rate-limited) STUN connectivity check with short-term 
credentials and see if it is replied to properly. That's how ICE works.

Matthew Kaufman