Re: [rtcweb] Security issue: consent refresh
Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 01 November 2011 14:34 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4310B11E80F9 for <rtcweb@ietfa.amsl.com>; Tue, 1 Nov 2011 07:34:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.566
X-Spam-Level:
X-Spam-Status: No, score=-106.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bPxaJTBzqICW for <rtcweb@ietfa.amsl.com>; Tue, 1 Nov 2011 07:34:20 -0700 (PDT)
Received: from mailgw10.se.ericsson.net (mailgw10.se.ericsson.net [193.180.251.61]) by ietfa.amsl.com (Postfix) with ESMTP id 15AB311E809C for <rtcweb@ietf.org>; Tue, 1 Nov 2011 07:34:19 -0700 (PDT)
X-AuditID: c1b4fb3d-b7c26ae0000035b9-3a-4eb0036abdb2
Received: from esessmw0197.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw10.se.ericsson.net (Symantec Mail Security) with SMTP id 60.74.13753.B6300BE4; Tue, 1 Nov 2011 15:34:19 +0100 (CET)
Received: from [127.0.0.1] (153.88.115.8) by esessmw0197.eemea.ericsson.se (153.88.115.88) with Microsoft SMTP Server id 8.3.137.0; Tue, 1 Nov 2011 15:34:18 +0100
Message-ID: <4EB00369.3020908@ericsson.com>
Date: Tue, 01 Nov 2011 15:34:17 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Bernard Aboba <bernard_aboba@hotmail.com>
References: <3FACD0E9-449A-4897-8997-F76B5A41A34E@acmepacket.com>, <4EAA7B02.4010400@ericsson.com>, <2308DE02-0E63-4CCF-8889-F2E79204C7AF@acmepacket.com> <BLU152-W43CF37AEAAABA865489C1393D60@phx.gbl>
In-Reply-To: <BLU152-W43CF37AEAAABA865489C1393D60@phx.gbl>
X-Enigmail-Version: 1.3.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: AAAAAA==
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Security issue: consent refresh
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2011 14:34:21 -0000
On 2011-10-31 14:22, Bernard Aboba wrote: >> If there is a MitM physically on the path between the Browser and the > peer, such a MitM can keep the RTP flowing even if we used RTCP, >>because it could fake RTCP. (and such a MitM can keep TCP and SCTP > going too, fwiw) > > > [BA] Agree with Hadriel that forcing an IWF to "manufacture" RTCP is a > bad idea, and that the focus should be on an off-path attacker. > > Also agree that we need "continuing consent" and can't rely on a "source > quench" approach which has proven unworkable in other > contexts. There are situations where a receiver might have "gone away" > for one reason or another, or where the receiver is being > overwhelmed, where it might not have the ability or context to tell the > sender to stop. For example, if key state has been lost, > putting out a secured "Bye" may not be possible. > If we uses ICE initially then the implementation support for ICE connectivity checks must exist in the interworking gateway. So I agree that is likely the simplest, even if that code is going to be continuously executed instead of only at startup for each session. However, we still have a pretty big issue to figure out when it comes to legacy devices and that is congestion/rate control. We are going to need it, and I really wonder if we can make exceptions to this at all. And if the legacy device don't implement even basic RTCP then this is a real issue. We added some text in the new version of WebRTC's usage of RTP document. https://datatracker.ietf.org/doc/draft-ietf-rtcweb-rtp-usage/ 8.3. Legacy Interop Limitations Congestion control interoperability with most type of legacy devices, even using an translator could be difficult. There are numerous reasons for this: No RTCP Support: There exist legacy implementations that does not even implement RTCP at all. Thus no feedback at all is provided. RTP/AVP Minimal RTCP Interval of 5s: RTP [RFC3550] under the RTP/AVP profile specifies a recommended minimal fixed interval of 5 seconds. Sending RTCP report blocks as seldom as 5 seconds makes it very difficult for a sender to use these reports and react to any congestion event. RTP/AVP Scaled Minimal Interval: If a legacy device uses the scaled minimal RTCP compound interval, the "RECOMMENDED value for the reduced minimum in seconds is 360 divided by the session bandwidth in kilobits/second" ([RFC3550], section 6.2). The minimal interval drops below a second, still several times the RTT in almost all paths in the Internet, when the session bandwidht becomes 360 kbps. A session bandwidth of 1 Mbps still has a minimal interval of 360 ms. Thus, with the exception for rather high bandwidth sessions, getting frequent enough RTCP Report Blocks to report on the order of the RTT is very difficult as long as the legacy device uses the RTP/AVP profile. RTP/AVPF Supporting Legacy Device: If a legacy device supports RTP/ AVPF, then that enables negotation of important parameters for frequent reporting, such as the "trr-int" parameter, and the possibility that the end-point supports some useful feedback format for congestion control purpose such as TMMBR [RFC5104]. It has been suggested on the RTCWEB mailing list that if interoperating with really limited legacy devices an WebRTC end-point may not send more than 64 kbps of media streams, to avoid it causing massive congestion on most paths in the Internet when communicating with a legacy node not providing sufficient feedback for effective congestion control. This warrants further discussion as there is clearly a number of link layers that don't even provide that amount of bit-rate consistently, and that assumes no competing traffic. We need to discuss if there is a reasonable way to resolve this or if this puts as strict or even stricter requirements then to support ICE. Cheers Magnus Westerlund ---------------------------------------------------------------------- Multimedia Technologies, Ericsson Research EAB/TVM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [rtcweb] Security issue: consent refresh Hadriel Kaplan
- Re: [rtcweb] Security issue: consent refresh Magnus Westerlund
- Re: [rtcweb] Security issue: consent refresh Hadriel Kaplan
- Re: [rtcweb] Security issue: consent refresh Bernard Aboba
- Re: [rtcweb] Security issue: consent refresh Magnus Westerlund
- Re: [rtcweb] Security issue: consent refresh Randell Jesup