Re: [rtcweb] [tram] TURN permissions for private ips

Emil Ivov <emcho@jitsi.org> Thu, 06 August 2015 13:36 UTC

From: Emil Ivov <emcho@jitsi.org>
To: Justin Uberti <juberti@google.com>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, "tram@ietf.org" <tram@ietf.org>
Date: Thu, 06 Aug 2015 06:35:56 -0700
Subject: Re: [rtcweb] [tram] TURN permissions for private ips
Message-ID: <CAPvvaaJAyR5=Pmmwu6HhSip1LsDW0mXynfoP6Hd1jtvwVS9JLQ@mail.gmail.com>
In-Reply-To: <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com> <55C24293.5000603@cs.tcd.ie> <55C24C09.8020404@goodadvice.pages.de> <55C256C8.80606@jive.com> <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/ToKsbb66-6gQs-7wnj95--kyogQ>
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>

On Wednesday, August 5, 2015, Justin Uberti <juberti@google.com> wrote:

>
>
> On Wed, Aug 5, 2015 at 11:32 AM, Simon Perreault <sperreault@jive.com> wrote:
>
>> Le 2015-08-05 13:46, Philipp Hancke a écrit :
>> > If a peer sends candidates with IP addresses from the private space,
>> > permissions for those are created at the TURN server. Potentially not
>> > utilising transport encryption even.
>> >
>> > I doubt those candidates ever work, so from a privacy point of view it
>> > seems that clients should not create those permissions in the first
>> > place. And ICE should probably not try to create pairs.
>>
>> It's not up to the client to determine what addresses might or might
>> not work for a given TURN server. There are lots of weird NAT
>> configurations out there that play games with RFC1918 addresses and can
>> easily trick clients into doing the wrong thing.
>>
>
> I am somewhat sympathetic to that, but given that there is measurable
> downside here - extra candidate pairs that take time to check - can you
> supply a concrete example of where the client choosing not to pair a TURN
> candidate with a RFC1918 address would cause a problem?
>

Isn't it enough to just have a route on the TURN server to a 1918 network?
I don't know why someone would do this or what sort of DMZed configuration
it would be, but if they could, then I don't think clients should try to make
assumptions about the practicality of such a configuration.

It is clearly much easier for the TURN server to check whether or not it
has such a route and refuse to add the permission.

Emil


-- 
sent from my mobile
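The server-side check Emil proposes above, as an added example that is not part of this thread and not code from Jitsi, Google or any TURN implementation: a TURN server receives a CreatePermission request (RFC 5766 section 9), decodes its XOR-PEER-ADDRESS attributes, and refuses with 403 Forbidden (the error RFC 5766 section 9.2 allows for peer addresses the server does not permit) when a peer sits in an RFC 1918 or other special-use range that the relay has no route to. "Has a route" is approximated here by a configured list of locally routed networks (`routed_nets`, an assumption for the example) rather than a lookup in the host's routing table; the function and constant names are the example's own, and the peer addresses in `demo()` are constructed.

```python
"""Policy check for TURN CreatePermission requests (added example, not RFC text).

Wire formats follow RFC 5389 (STUN header, attribute TLVs, ERROR-CODE) and
RFC 5766 (CreatePermission method 0x008, XOR-PEER-ADDRESS attribute 0x0012).
"""
import ipaddress
import os
import struct

MAGIC_COOKIE = 0x2112A442
METHOD_CREATE_PERMISSION = 0x008        # RFC 5766 section 13
ATTR_XOR_PEER_ADDRESS = 0x0012          # RFC 5766 section 14.3
ATTR_ERROR_CODE = 0x0009                # RFC 5389 section 15.6
CLASS_REQUEST, CLASS_ERROR = 0b00, 0b11

# Ranges a public relay normally has no route to: RFC 1918, loopback,
# link-local, CGN space, and their IPv6 counterparts.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "100.64.0.0/10", "fc00::/7", "fe80::/10", "::1/128",
)]


def stun_type(method, cls):
    """Pack a 12-bit method and 2-bit class into the 14-bit STUN type (RFC 5389 s6)."""
    return ((method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
            | ((cls & 0x1) << 4) | ((cls & 0x2) << 7))


def stun_method(msg_type):
    """Inverse of stun_type: recover the method bits, ignoring the class bits."""
    return (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)


def xor_peer_address(ip, port, txid):
    """Encode one XOR-PEER-ADDRESS attribute (same layout as XOR-MAPPED-ADDRESS)."""
    addr = ipaddress.ip_address(ip)
    xport = port ^ (MAGIC_COOKIE >> 16)
    if addr.version == 4:
        family, key = 0x01, struct.pack("!I", MAGIC_COOKIE)
    else:  # IPv6 is XORed with magic cookie || transaction id
        family, key = 0x02, struct.pack("!I", MAGIC_COOKIE) + txid
    xaddr = bytes(a ^ b for a, b in zip(addr.packed, key))
    value = struct.pack("!BBH", 0, family, xport) + xaddr   # 8 or 20 bytes, no padding needed
    return struct.pack("!HH", ATTR_XOR_PEER_ADDRESS, len(value)) + value


def build_create_permission(peers, txid=None):
    """Client side: CreatePermission request with one XOR-PEER-ADDRESS per peer."""
    txid = txid or os.urandom(12)
    body = b"".join(xor_peer_address(ip, port, txid) for ip, port in peers)
    header = struct.pack("!HHI", stun_type(METHOD_CREATE_PERMISSION, CLASS_REQUEST),
                         len(body), MAGIC_COOKIE)
    return header + txid + body


def parse_peers(msg):
    """Return (method, txid, [(ip, port), ...]) for a STUN/TURN message."""
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not a well-formed STUN message")
    txid, peers, off = msg[8:20], [], 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        value = msg[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)        # attribute values are padded to 4 bytes
        if atype != ATTR_XOR_PEER_ADDRESS:
            continue
        _, family, xport = struct.unpack("!BBH", value[:4])
        key = struct.pack("!I", MAGIC_COOKIE) + (txid if family == 0x02 else b"")
        raw = bytes(a ^ b for a, b in zip(value[4:], key))
        peers.append((str(ipaddress.ip_address(raw)), xport ^ (MAGIC_COOKIE >> 16)))
    return stun_method(msg_type), txid, peers


def check_create_permission(msg, routed_nets=()):
    """Server side: (ok, error_code, detail). Refuses non-public peers unless the
    relay is configured with a route to that network (assumed stand-in for a
    real routing-table lookup)."""
    routed = [ipaddress.ip_network(n) for n in routed_nets]
    method, _, peers = parse_peers(msg)
    if method != METHOD_CREATE_PERMISSION:
        return False, 400, "not a CreatePermission request"
    if not peers:
        return False, 400, "CreatePermission needs at least one XOR-PEER-ADDRESS"
    for ip, port in peers:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in NON_PUBLIC) and not any(addr in n for n in routed):
            return False, 403, f"no route to {ip}:{port}; permission refused"
    return True, None, "ok"


def build_error_response(txid, code, reason):
    """CreatePermission error response carrying ERROR-CODE (class/number + reason)."""
    phrase = reason.encode()
    value = struct.pack("!HBB", 0, code // 100, code % 100) + phrase
    attr = struct.pack("!HH", ATTR_ERROR_CODE, len(value)) + value + b"\x00" * (-len(value) % 4)
    header = struct.pack("!HHI", stun_type(METHOD_CREATE_PERMISSION, CLASS_ERROR),
                         len(attr), MAGIC_COOKIE)
    return header + txid + attr


def demo():
    """Constructed request: one RFC 1918 peer plus one non-private (documentation) peer."""
    txid = os.urandom(12)
    req = build_create_permission([("192.168.1.5", 50000), ("203.0.113.7", 3478)], txid)
    ok, code, detail = check_create_permission(req)       # no private routes configured
    return ok, code, detail, (None if ok else build_error_response(txid, code, detail))


if __name__ == "__main__":
    print(demo())
```

The policy lives on the server deliberately: the client cannot tell whether a given relay can reach 10.0.0.0/8, but the relay can, and refusing the permission there also stops the private address from being written into the server's permission table at all. A deployed relay such as coturn exposes the same control as configuration (`denied-peer-ip` / `allowed-peer-ip` in turnserver.conf) rather than as code.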