Re: [rtcweb] Nils comments [Was: WGLC for draft-ietf-rtcweb-ip-handling]

Nils Ohlmeier <nohlmeier@mozilla.com> Mon, 16 April 2018 22:44 UTC

Return-Path: <nohlmeier@mozilla.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABF6112AF83 for <rtcweb@ietfa.amsl.com>; Mon, 16 Apr 2018 15:44:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mozilla.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RkmNb9E83x52 for <rtcweb@ietfa.amsl.com>; Mon, 16 Apr 2018 15:44:34 -0700 (PDT)
Received: from mail-pl0-x232.google.com (mail-pl0-x232.google.com [IPv6:2607:f8b0:400e:c01::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD719129C51 for <rtcweb@ietf.org>; Mon, 16 Apr 2018 15:44:33 -0700 (PDT)
Received: by mail-pl0-x232.google.com with SMTP id t22-v6so2226311plo.7 for <rtcweb@ietf.org>; Mon, 16 Apr 2018 15:44:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=mA0SQrt7wqK1xtcbtZRTuRz6LWQa79VhP7yv/QS8XY4=; b=fgJtDC4KQI5AVP5VJEnlCIOvMKWfL/MJxzKtjO1g9m2EkRysvR3JsBoO8irscUnTK6 zDo60zT9HPZ+dv35lBf8dbR5i07kwO9bMddRIR4BhkSxTonGCIA2D4RmD0KutqveEWWQ m3BvDK/8TsJoN0NIo38gCxHXvDXpaF2TEhjp8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=mA0SQrt7wqK1xtcbtZRTuRz6LWQa79VhP7yv/QS8XY4=; b=XNljhlWdcgsbyaEq5epnxni7iHvMouWPA4WRyBNNRn3+77YhnJyBFvKI2Un+2oZVHi hiBPB2LkNTmO2dJmg+wcDpAPGoLsM+XHQNI99/xUrjVTA8NhiMwUIlCuXRnL3o+JWCju /coVUFvCg0ubjiqzXXVyGCD2BbR9/GnP9sRu3kooBrUzuf2/SBr52xNq4fsNuIJ9ur/8 T4ax0eEBBtldmvUcas1ITMUqxFai85K7I37Ek4yu2F8DgqTky1AXkM3xJKJuAE1Lel8K jveLGUtYwI+HbOHiZVo3v6LS8obVb/2BiV/AXFk3iRTpw3MYBo22/2BdJlvj4386H2Ca rcew==
X-Gm-Message-State: ALQs6tCv2eoljR3Bkqvgn8oK2JvVVlcayMdXQ1vJE6OyrsILDUcRJRMW BdgMOwxzc0v4jIAVrtqRs+2cQw==
X-Google-Smtp-Source: AIpwx49AwuppCs51jEFmIRAPn+7SrVV9HzT3og2SIqKKiPrjgl6+BgnrDzguv2i8KMGqjUq7WfgcVA==
X-Received: by 2002:a17:902:9898:: with SMTP id s24-v6mr17039307plp.51.1523918673407; Mon, 16 Apr 2018 15:44:33 -0700 (PDT)
Received: from ?IPv6:2601:647:4600:3f31:f852:23b2:93cc:d900? ([2601:647:4600:3f31:f852:23b2:93cc:d900]) by smtp.gmail.com with ESMTPSA id t25sm21477474pfh.184.2018.04.16.15.44.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 16 Apr 2018 15:44:32 -0700 (PDT)
From: Nils Ohlmeier <nohlmeier@mozilla.com>
Message-Id: <4ACBAB83-D717-402D-AEE6-0104BFEDC686@mozilla.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_2042A2D5-7D5B-4184-920A-6314DBD92DD2"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
Date: Mon, 16 Apr 2018 15:44:30 -0700
In-Reply-To: <296F0D20-F716-4C6C-8ABB-9FC21FC8189D@mozilla.com>
Cc: Sean Turner <sean@sn3rd.com>, RTCWeb IETF <rtcweb@ietf.org>
To: Justin Uberti <juberti@google.com>
References: <1D5B431C-801E-4F8C-8026-6BCBB72FF478@sn3rd.com> <F9EB7388-9E76-43E0-8C9B-61D3E50357F7@mozilla.com> <CAOJ7v-38kH4peZVVJU8itve2P+93eGaVdJ60MVcaRo3Xu86uTQ@mail.gmail.com> <296F0D20-F716-4C6C-8ABB-9FC21FC8189D@mozilla.com>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/TPtV9fpQdaRBph9HOwc6czUBOpk>
Subject: Re: [rtcweb] Nils comments [Was: WGLC for draft-ietf-rtcweb-ip-handling]
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Apr 2018 22:44:35 -0000


> On Apr 16, 2018, at 15:39, Nils Ohlmeier <nohlmeier@mozilla.com> wrote:
> 
> 
>> On Apr 16, 2018, at 15:28, Justin Uberti <juberti@google.com> wrote:
>> And lastly I think the discussions in the above bug reports have brought up the point that TURN relays might not be trustworthy either.
>> I’m assuming it’s only a matter of time until some evil actors provide fake TURN implementations to gather the browser’s routable IP from the TURN layer.
>> Therefore I think it would make a lot more sense to specify two different modes:
>> - Mode 4: Relay only: only TURN relay candidates are gathered.
>> - Mode 5: HTTP proxy only: all WebRTC media traffic is forced through an HTTP proxy.
>>                 If no HTTP proxy is configured no candidates are gathered.
>> I realize that the process might have gotten already too far to follow this suggestion.
>> 
>> 
>> How would relay-only help here? The web application can still learn the IP directly from the TURN servers.
> 
> At least no IP addresses from your local network are exposed on the signaling path.
> Yes if you don’t trust the TURN relay this is the same as Mode 3.
> It might make a difference if one has a TURN relay configured in his/her browser (which results in the web browser ignoring the TURN relays from the web application), which is not part of the web application.

A relay-only mode would also help if you don’t want to hand out your IP addresses to the other side of the PeerConnection, but you do trust the TURN server and web application.

Best
  Nils Ohlmeier
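The exchange above turns on what a relay-only policy actually keeps off the signaling path. The following is an added example, not code from draft-ietf-rtcweb-ip-handling, from this thread, or from any browser: it shows the application-side form of relay-only gathering (the real RTCConfiguration option `iceTransportPolicy: 'relay'`), a gate that forwards only relay candidates to the signaling server regardless of what the browser gathered, and an audit that parses ICE candidate strings and lists every address each one would disclose. The TURN URL and credentials are placeholders, the candidate lines are constructed sample input, and the demo wires the gate into a stand-in object rather than a live RTCPeerConnection.

```javascript
// Added example: application-side relay-only policy for WebRTC, plus an
// audit of which IP addresses each ICE candidate would put on the signaling
// path. Not code from draft-ietf-rtcweb-ip-handling or from any browser.

// Real RTCConfiguration option: 'relay' tells the browser to gather only
// TURN relay candidates. turn.example.net and the credentials are placeholders.
const relayOnlyConfig = {
  iceServers: [{ urls: 'turn:turn.example.net:3478', username: 'user', credential: 'secret' }],
  iceTransportPolicy: 'relay',
};

// Parse one ICE candidate string (RFC 5245 section 15.1 grammar) as found in
// RTCIceCandidate.candidate or in an SDP "a=candidate:" line.
function parseCandidate(line) {
  const body = line.trim().replace(/^a=/, '').replace(/^candidate:/, '');
  const f = body.split(/\s+/);
  if (f.length < 8 || f[6] !== 'typ') {
    throw new Error('not an ICE candidate: ' + line);
  }
  const cand = {
    foundation: f[0],
    component: Number(f[1]),
    transport: f[2].toLowerCase(),
    priority: Number(f[3]),
    address: f[4],
    port: Number(f[5]),
    type: f[7], // host | srflx | prflx | relay
    raddr: null,
    rport: null,
  };
  // Remaining tokens are key/value pairs (raddr, rport, generation, ...).
  for (let i = 8; i + 1 < f.length; i += 2) {
    if (f[i] === 'raddr') cand.raddr = f[i + 1];
    else if (f[i] === 'rport') cand.rport = Number(f[i + 1]);
  }
  return cand;
}

// Gate for the signaling channel: forward only relay candidates, independent
// of what the browser actually gathered.
function allowOnSignalingPath(line) {
  return parseCandidate(line).type === 'relay';
}

// Wire the gate into a peer connection. `send` delivers a candidate to the
// signaling server; `pc` may be a real RTCPeerConnection or a stand-in object.
function attachSignalingGate(pc, send) {
  pc.onicecandidate = (ev) => {
    if (!ev.candidate) return; // a null candidate marks the end of gathering
    if (allowOnSignalingPath(ev.candidate.candidate)) send(ev.candidate);
  };
}

// Report which addresses a set of candidates discloses on the signaling path
// and which candidates would violate a relay-only policy.
function auditCandidates(lines) {
  const disclosed = new Set();
  const violations = [];
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c.type !== 'relay') violations.push(`${c.type} candidate exposes ${c.address}`);
    disclosed.add(c.address);
    // RFC 5245: for a relay candidate raddr is the mapped (server-reflexive)
    // address, so the client's public IP still rides along in the candidate.
    // Implementations that blank the field use 0.0.0.0 or ::; treat those as absent.
    if (c.raddr && c.raddr !== '0.0.0.0' && c.raddr !== '::') disclosed.add(c.raddr);
  }
  return { disclosed: [...disclosed].sort(), violations };
}

// Constructed sample candidates (RFC 1918 and RFC 5737 addresses, not real hosts).
const SAMPLE_HOST = 'candidate:1 1 udp 2122260223 192.168.1.10 54321 typ host generation 0';
const SAMPLE_SRFLX = 'candidate:2 1 udp 1686052607 203.0.113.5 54321 typ srflx raddr 192.168.1.10 rport 54321 generation 0';
const SAMPLE_RELAY = 'candidate:3 1 udp 41885439 198.51.100.7 50000 typ relay raddr 203.0.113.5 rport 54321 generation 0';

// Mode 3 style gathering versus relay-only: what reaches the signaling path.
console.log('all candidates:', auditCandidates([SAMPLE_HOST, SAMPLE_SRFLX, SAMPLE_RELAY]));
console.log('relay only:', auditCandidates([SAMPLE_RELAY]));
```

The relay-only audit reports only the relay address and the server-reflexive address carried in `raddr`: no local-network address appears, which is the point made about the signaling path, while the public address is still visible to the web application, which is the point made about untrusted TURN servers. The gate in `attachSignalingGate` is the application's own defense and only matters when the browser configuration is not under the application's control; a browser-level relay-only mode would make it redundant.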