Re: [rtcweb] I-D Action: draft-ietf-rtcweb-security-00.txt

Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 22 September 2011 12:43 UTC

Hi EKR,

(As an individual)

Thanks for posting the draft.

I am missing a few security issues that I think should be considered.

1. The attempt to overload the links in a domain by concentrating
traffic on the domain by choosing peer-pairs. Not that I think there is
any real protection against this other than limiting the flows to their
"fair" share.

2. Configuring RTCP or other automatically sent traffic to high
bit-rates. Especially under conditions where continued consent can't be
determined.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------