Re: [rtcweb] IP handling: Using mDNS names for host candidates
Lennart Grahl <lennart.grahl@gmail.com> Tue, 12 June 2018 11:15 UTC
Return-Path: <lennart.grahl@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA443130E1C for <rtcweb@ietfa.amsl.com>; Tue, 12 Jun 2018 04:15:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d2-jE8mteTvE for <rtcweb@ietfa.amsl.com>; Tue, 12 Jun 2018 04:15:10 -0700 (PDT)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BD36130E13 for <rtcweb@ietf.org>; Tue, 12 Jun 2018 04:15:10 -0700 (PDT)
Received: by mail-wm0-x233.google.com with SMTP id v131-v6so22512982wma.1 for <rtcweb@ietf.org>; Tue, 12 Jun 2018 04:15:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:openpgp:autocrypt:cc:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=owd603Xr6Df/78kgF6TGDJaLJAoH6xQEqt3IpKYoCuI=; b=fFAe5Rhe6oZW79QDfx8tr4k7eT24/4AVmzSjDxTg/rqEbesyNpMomiWIF+TSw8Huva 71+iIitenimleIjIsmhRIuZRo0keHIbWVzzqswSjsxNBhB3WrlgViOuyzeGbFsN3iItt ZatEvj10uPmgqlH7R2XjVdoxDKfDsvUWL+VkCvgoAhzI6FiFg4MiZ/CmmCBLYf8A1Spm Ft+yAzYjtwQqbsn1q1wB4JtvofJ2zrPQrScXz/XRzdTxM4Pa1SNV9z9LlgBzYjMSbaBX OU9mQYlS/pI33JeXcCBekt4eAqwn/tZGVVd8lNE3F4cUOa8Qkw+PKv+0vaVygqJKUvhT zPtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:openpgp:autocrypt:cc :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=owd603Xr6Df/78kgF6TGDJaLJAoH6xQEqt3IpKYoCuI=; b=gvml37v1o95Z8PitADW1SwHrMZNC4okjRW/YThZi7k38skg1vaMbtDmPheMwQeSx3o OouLBahHP4H1wcSUyaxHMVGk1sg2aHp2rh45zJNZZjJ+oTtymv2B232YJoALiiVYTpc5 LpjmUKfizqtiQ5C6gjazC1w7tvUVG7TYWdGsrF8zPWDLqgbtixWoblQpZwFIGvPEIZtk PNgPbMVrQ9W1zNgWmaRpjHu3RsA44dR4uICCycbgS/JqQvKhzc24tw5kTgqU4AVOy6Ow roUY/M8depYUko6wc885Xwcw15Xoez47kmqecVXCTqMmNSvElmhe50mYjpW4MaDXuyce AD6Q==
X-Gm-Message-State: APt69E1tHDJDRY2uj8adZ1Jc79V5d9QNQtuFThMWyuQH+8BxFLp21OKg /ZpMcvVKm6iUHfd5NuNoqZU=
X-Google-Smtp-Source: ADUXVKIyeVqLSy8JmRqyj2o/8tzRFIbwERRfaVnSq8+WAUzESoHdX7nT3+IFePnO/JcBqPQmmYS57g==
X-Received: by 2002:a1c:6fce:: with SMTP id c75-v6mr1786585wmi.83.1528802108233; Tue, 12 Jun 2018 04:15:08 -0700 (PDT)
Received: from ?IPv6:2003:cd:6f1f:4900:c556:a374:c7f2:7e61? (p200300CD6F1F4900C556A374C7F27E61.dip0.t-ipconnect.de. [2003:cd:6f1f:4900:c556:a374:c7f2:7e61]) by smtp.gmail.com with ESMTPSA id b204-v6sm286227wmh.22.2018.06.12.04.15.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 12 Jun 2018 04:15:07 -0700 (PDT)
To: rtcweb@ietf.org
References: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com>
From: Lennart Grahl <lennart.grahl@gmail.com>
Openpgp: preference=signencrypt
Autocrypt: addr=lennart.grahl@gmail.com; prefer-encrypt=mutual; keydata= xsBNBFMHjy4BCADZR/nHk6jzDsEA2+dPG13NiXyBl34TtChDsZekZyO5jBgwslLgHVksQxlS 79n1lvVH0MxcI8SFifwLAAIjMfukNLGPAjEyJEQhQVpfXxkJXyZgncM2Wq+nlVCDZTiZLg/E 6jJP1zx9vB7sf5dWaB/Dt0YDHLM86EcDChQur9lrJk9K0Jiwt27Oo3B4FFfIOaVNUXgnRPbr Vw1/+O2jLg87Fsib9LP7Ghyv0Z2/VV7wJ4NLsLmIu60vcZVDYDOvcQRH4FZ76VBvlmlO+2TL 5L6yZLGgXS9GZyF3QXKAwhYqu5ouWEOUgXHch5deryjbENanimj4ntZQmF1nkxSZayk9ABEB AAHNJ0xlbm5hcnQgR3JhaGwgPGxlbm5hcnQuZ3JhaGxAZ21haWwuY29tPsLAfwQTAQIAKQUC UwePLgIbIwUJCWYBgAcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEPmPvtEEgqumkk0H /2dMGPa9VmgR0kmr2inGODWuCy4WXNUxeEMfY/Hob/8Ou50os6iK35TQI9WtvvlAq23aIvoJ +1OjnqekgKmavPoQ0Uf1h2LegiQNKpDGC6/S33SLitQoQyELyJCU5Ato9lIL0AzpLvr+8UaF plWbPB4Z0GfZGBQSyp0Dmdeb00sld378m9qXHByJfHjPGiDFY+el1talbCuxS87+SvwIvM05 5m1/ceJbZDjx3trvgzbSQOHMT82/Hva7cSyVAch7mJc/lIq2Q0hjoZlD9nqS6gVJ9PQnEW8z dAXXVvBoy9DtomH18jimq+xUxeBwiFRB64gZx3Yyo1CKgULzeWaQ/qfOwE0EUwePLgEIAKP+ Dw5Ow5QuITKcI+ooXZAOBCBOitdsAGrGAEORjv1VyYU1jvjNb07UlRWmpjtaZsQoC2DwfEJy OaBphhErkOVEHCvetfBq8aJ718on4A49XwyQZeyh521BvLQUj0VY5D1iTYzgNVr4Ic39duH/ 00b489Wf9sM7TwzONJOCR5pSKUzYfGUIfQIJRc4tbzOM+bzSknLwbYAWRraOstbRjf2+V3pf 46mzv8tteLnsMm91qshFUwiBfeMNZiKAM3eid80ghlEbQo5J07FOrqK1GxqMi8LQT/oA5lpu +BB6UzGP5nQ5fip95zAq3vu+Iasz1DWj6F1HkHDEHfdtVpTAN70AEQEAAcLAZQQYAQIADwUC UwePLgIbDAUJCWYBgAAKCRD5j77RBIKrpihiCACQq7ARCPSzDrtUcq3uTdP+fMHp8YCYD4UD fdt3vcw4a5JESaknUcWi7CbQrdcLT7iIFYa3pk5I8w4n2lH29uUTWwt9boDtdYkBY5a4Rg+m Z9ndsLh0fHdZM6BXv/6gWMMdGbV5+xcV0FDcXZIlHLZIriDgeZQR3cDEa9lFWUYrI9KKmdoq ngaND7jPZaMCyvn9VDOAGBWxg49gQV/x1d+DiIyMbF9J+ya4YqaSZtu2y/H03eVCawmI6SMH UzdOo+Yqen3Udcdur0KnWMUOP3FIdjgxaPoIEKfFTBy7n8rlzrrTzyrv5Gouusxj0JHMwvuh ixK1bmVy/XYqoG0TVwBt
Cc: Justin Uberti <juberti=40google.com@dmarc.ietf.org>, yfablet@apple.com
Message-ID: <436903fe-1ec7-e595-7733-0cc2f9c3a53d@gmail.com>
Date: Tue, 12 Jun 2018 13:15:06 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <CAOJ7v-2FQ3yfyfmFY8MT17nTFUvsNyixKuXXeT-Rq7zVQKBMnA@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-GB
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/TyEFLNd8nJw2BZ-Q2cdhhYEeLd8>
Subject: Re: [rtcweb] IP handling: Using mDNS names for host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jun 2018 11:15:17 -0000
On 12.06.2018 02:40, Justin Uberti wrote:
> The Safari team has come up with a clever approach to avoid disclosing
> private IP addresses for host candidates. As discussed in this WebKit bug
> <https://bugs.webkit.org/show_bug.cgi?id=174500>, the technique works as
> follows:
>
> 1. Register a random UUID-based mDNS name when ICE gathering starts
> 2. Replace the private IP address by a "{UUID}.local" string in each
> host candidate (and set raddr to 0.0.0.0 for other candidates)
> 3. The other party will do mDNS resolution on any candidate having a
> .local suffix, similar to how hostnames in candidates are handled in RFC
> 5245, Section 15.1.
>
> This technique is relevant to the IP handling document, as it addresses one
> of the lesser problems (private IP disclosure) from the overall problem
> statement. While I don't think this will have a large impact on the
> document, including the default mode selection, incorporating this
> technique would result in some moderate changes:
>
> - Section 5.1 would mention concealing private IPs in the default case
> as an explicit goal.
> - In Section 6, Mode 2 would change from handling out private IPs to
> handing out mDNS names.
IMHO that would create a large gap between mode 1 and 2. Instead, I
would suggest using mDNS *in addition* to mode 2 and 3. For mode 2 this
would mean that only the default private IP is being transmitted but all
other interfaces are hidden by UUID-based hostnames. For mode 3, all
private IPs are hidden by UUID-based hostnames.
> - This document would have to describe the technique or point to another
> document that describes the technique. mmusic-ice-sip-sdp, Section 4.1
> <https://tools.ietf.org/html/draft-ietf-mmusic-ice-sip-sdp-20#section-4.1>
> seems
> like a good option, as it already covers how to handle DNS names in ICE
> candidates.
Since this will be useful for ORTC as well, I would not tie that to an
SDP-specific document.
> This is a significant improvement and I think we will want to incorporate
> this suggestion. Is this something we could do as part of this WGLC, or
> should we look for another option?
I haven't seen a better solution than mDNS so far to prevent IPs from
leaking and I would appreciate having this to fix the following issues:
- Allowing browsers to use stricter modes by default without significant
drawbacks,
- establishing direct connections even in case no "consent" has been
given because the devices are in fact in the same network segment (with
the exception of mode 4), and
- use cases where gUM cannot be applied and no other way of expressing
consent has been provided (which is the status quo).
Cheers
Lennart
- Re: [rtcweb] IP handling: Using mDNS names for ho… Matthew Kaufman
- Re: [rtcweb] IP handling: Using mDNS names for ho… youenn fablet
- Re: [rtcweb] IP handling: Using mDNS names for ho… Harald Alvestrand
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… Harald Alvestrand
- Re: [rtcweb] IP handling: Using mDNS names for ho… Cullen Jennings
- Re: [rtcweb] IP handling: Using mDNS names for ho… T H Panton
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… Cullen Jennings
- Re: [rtcweb] IP handling: Using mDNS names for ho… Joseph Lorenzo Hall
- Re: [rtcweb] IP handling: Using mDNS names for ho… Lennart Grahl
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… Lennart Grahl
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… Adam Roach
- [rtcweb] IP handling: Using mDNS names for host c… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… Eric Rescorla
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… youenn fablet
- Re: [rtcweb] IP handling: Using mDNS names for ho… Eric Rescorla
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… youenn fablet
- Re: [rtcweb] IP handling: Using mDNS names for ho… westhawk
- Re: [rtcweb] IP handling: Using mDNS names for ho… westhawk
- Re: [rtcweb] IP handling: Using mDNS names for ho… youenn fablet
- Re: [rtcweb] IP handling: Using mDNS names for ho… Ted Hardie
- Re: [rtcweb] IP handling: Using mDNS names for ho… Peter Thatcher
- Re: [rtcweb] IP handling: Using mDNS names for ho… Bernard Aboba
- Re: [rtcweb] IP handling: Using mDNS names for ho… Ted Hardie
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… youenn fablet
- Re: [rtcweb] IP handling: Using mDNS names for ho… Christer Holmberg
- Re: [rtcweb] IP handling: Using mDNS names for ho… Justin Uberti
- Re: [rtcweb] IP handling: Using mDNS names for ho… Christer Holmberg