Re: [rtcweb] Security issue: consent refresh

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 01 November 2011 14:34 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4310B11E80F9 for <rtcweb@ietfa.amsl.com>; Tue, 1 Nov 2011 07:34:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.566
X-Spam-Level:
X-Spam-Status: No, score=-106.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bPxaJTBzqICW for <rtcweb@ietfa.amsl.com>; Tue, 1 Nov 2011 07:34:20 -0700 (PDT)
Received: from mailgw10.se.ericsson.net (mailgw10.se.ericsson.net [193.180.251.61]) by ietfa.amsl.com (Postfix) with ESMTP id 15AB311E809C for <rtcweb@ietf.org>; Tue, 1 Nov 2011 07:34:19 -0700 (PDT)
X-AuditID: c1b4fb3d-b7c26ae0000035b9-3a-4eb0036abdb2
Received: from esessmw0197.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw10.se.ericsson.net (Symantec Mail Security) with SMTP id 60.74.13753.B6300BE4; Tue, 1 Nov 2011 15:34:19 +0100 (CET)
Received: from [127.0.0.1] (153.88.115.8) by esessmw0197.eemea.ericsson.se (153.88.115.88) with Microsoft SMTP Server id 8.3.137.0; Tue, 1 Nov 2011 15:34:18 +0100
Message-ID: <4EB00369.3020908@ericsson.com>
Date: Tue, 1 Nov 2011 15:34:17 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Bernard Aboba <bernard_aboba@hotmail.com>
References: <3FACD0E9-449A-4897-8997-F76B5A41A34E@acmepacket.com>, <4EAA7B02.4010400@ericsson.com>, <2308DE02-0E63-4CCF-8889-F2E79204C7AF@acmepacket.com> <BLU152-W43CF37AEAAABA865489C1393D60@phx.gbl>
In-Reply-To: <BLU152-W43CF37AEAAABA865489C1393D60@phx.gbl>
X-Enigmail-Version: 1.3.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: AAAAAA==
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Security issue: consent refresh
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2011 14:34:21 -0000

On 2011-10-31 14:22, Bernard Aboba wrote:

>> If there is a MitM physically on the path between the Browser and the
> peer, such a MitM can keep the RTP flowing even if we used RTCP,
>>because it could fake RTCP. (and such a MitM can keep TCP and SCTP
> going too, fwiw)
> 
> 
> [BA] Agree with Hadriel that forcing an IWF to "manufacture" RTCP is a
> bad idea, and that the focus should be on an off-path attacker.
> 
> Also agree that we need "continuing consent" and can't rely on a "source
> quench" approach which has proven unworkable in other
> contexts. There are situations where a receiver might have "gone away"
> for one reason or another, or where the receiver is being
> overwhelmed, where it might not have the ability or context to tell the
> sender to stop.  For example, if key state has been lost,
> putting out a secured "Bye" may not be possible.
> 

If we uses ICE initially then the implementation support for ICE
connectivity checks must exist in the interworking gateway. So I agree
that is likely the simplest, even if that code is going to be
continuously executed instead of only at startup for each session.

However, we still have a pretty big issue to figure out when it comes to
legacy devices and that is congestion/rate control. We are going to need
it, and I really wonder if we can make exceptions to this at all. And if
the legacy device don't implement even basic RTCP then this is a real
issue.

We added some text in the new version of WebRTC's usage of RTP document.
https://datatracker.ietf.org/doc/draft-ietf-rtcweb-rtp-usage/

8.3.  Legacy Interop Limitations

   Congestion control interoperability with most type of legacy devices,
   even using an translator could be difficult.  There are numerous
   reasons for this:

   No RTCP Support:  There exist legacy implementations that does not
      even implement RTCP at all.  Thus no feedback at all is provided.

   RTP/AVP Minimal RTCP Interval of 5s:  RTP [RFC3550] under the RTP/AVP
      profile specifies a recommended minimal fixed interval of 5
      seconds.  Sending RTCP report blocks as seldom as 5 seconds makes
      it very difficult for a sender to use these reports and react to
      any congestion event.

   RTP/AVP Scaled Minimal Interval:  If a legacy device uses the scaled
      minimal RTCP compound interval, the "RECOMMENDED value for the
      reduced minimum in seconds is 360 divided by the session bandwidth
      in kilobits/second" ([RFC3550], section 6.2).  The minimal
      interval drops below a second, still several times the RTT in
      almost all paths in the Internet, when the session bandwidht
      becomes 360 kbps.  A session bandwidth of 1 Mbps still has a
      minimal interval of 360 ms.  Thus, with the exception for rather
      high bandwidth sessions, getting frequent enough RTCP Report
      Blocks to report on the order of the RTT is very difficult as long
      as the legacy device uses the RTP/AVP profile.

   RTP/AVPF Supporting Legacy Device:  If a legacy device supports RTP/
      AVPF, then that enables negotation of important parameters for
      frequent reporting, such as the "trr-int" parameter, and the
      possibility that the end-point supports some useful feedback
      format for congestion control purpose such as TMMBR [RFC5104].

   It has been suggested on the RTCWEB mailing list that if
   interoperating with really limited legacy devices an WebRTC end-point
   may not send more than 64 kbps of media streams, to avoid it causing
   massive congestion on most paths in the Internet when communicating
   with a legacy node not providing sufficient feedback for effective
   congestion control.  This warrants further discussion as there is
   clearly a number of link layers that don't even provide that amount
   of bit-rate consistently, and that assumes no competing traffic.

We need to discuss if there is a reasonable way to resolve this or if
this puts as strict or even stricter requirements then to support ICE.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------