IETF Logo Mail Archive

Re: [rtcweb] Review of draft-ietf-rtcweb-stun-consent-freshness

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Fri, 22 May 2015 05:49 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88E151A913F; Thu, 21 May 2015 22:49:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QsLrjI61Isbp; Thu, 21 May 2015 22:49:00 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E42CF1A9136; Thu, 21 May 2015 22:48:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=18568; q=dns/txt; s=iport; t=1432273740; x=1433483340; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=vJ4mNYW+SbfCr8QlrKSDXUjlj9OI3RweYgB/XtgXx3E=; b=YQsDhG05fYTQEbOo7nNbfl54B16NiHB8+5qQkMAjisYIYIRu9NinOVjb NAenI4nRNynTHGzOEKZK4JukmNplyUa7GMLKkoUas0WyPI9y/sd/2Tg99 +mpAtJkMc9lgtSUDYjrjKy6Da3Uvg2JsfH1+f2mSFjNQmk35ELbLCUfTD E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CIBQBQwl5V/49dJa1cgkVLVF4Ggxm/EzwqCYFZhXcCHIEfOBQBAQEBAQEBgQqEIgEBAQMBIwpMEAIBCBEEAQELHQMCAgIwFAkIAgQBDQUIiBwIDa5IpBkBAQEBAQEBAQEBAQEBAQEBAQEBAQEXizqEVBYbBgGCaC+BFgWSfYQ1h38+jWKEBINZI4IKHIFSb4EDIiGBAQEBAQ
X-IronPort-AV: E=Sophos;i="5.13,474,1427760000"; d="scan'208,217";a="152470647"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by alln-iport-6.cisco.com with ESMTP; 22 May 2015 05:48:58 +0000
Received: from xhc-rcd-x03.cisco.com (xhc-rcd-x03.cisco.com [173.37.183.77]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id t4M5mwTD027377 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 22 May 2015 05:48:58 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.253]) by xhc-rcd-x03.cisco.com ([173.37.183.77]) with mapi id 14.03.0195.001; Fri, 22 May 2015 00:48:57 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Bernard Aboba <bernard.aboba@gmail.com>, Christer Holmberg <christer.holmberg@ericsson.com>
Thread-Topic: [rtcweb] Review of draft-ietf-rtcweb-stun-consent-freshness
Thread-Index: AQHQk1eS1ZbgKeHyC0Cjwx+443SghJ2HY76AgABPkgCAABBlgP//u2LQ
Date: Fri, 22 May 2015 05:48:57 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A4785A0D5@xmb-rcd-x10.cisco.com>
References: <CAOW+2dsv8CVpaKoBsUvc5MGh2s3xD2J5NiXPAnFUMOhYqSmjzQ@mail.gmail.com> <CABkgnnWgpSYDjRQpk16Z0mCLietUcK1dSiNL-Y+jmFCpqan4Gg@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1D82B0F3@ESESSMB209.ericsson.se> <CAOW+2dvzE2emRPdn6_zeTZLb4+v_Urg7u50byunrccnnQ=1FpQ@mail.gmail.com>
In-Reply-To: <CAOW+2dvzE2emRPdn6_zeTZLb4+v_Urg7u50byunrccnnQ=1FpQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.37.83]
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A4785A0D5xmbrcdx10ciscoc_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/UIS6xehBOgpHuMF3ti5oc-D8kx0>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [rtcweb] Review of draft-ietf-rtcweb-stun-consent-freshness
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2015 05:49:02 -0000

It is discussed in section 4 of the draft
<snip>
   An endpoint that is not sending any application data does not need to
   maintain consent.  However, not sending any traffic could cause NAT
   or firewall mappings to expire.  Furthermore, having one peer unable
   to send is detrimental to many protocols.  Absent better information
   about the network, if an endpoint needs to ensure its NAT or firewall
   mappings do not expire, it can be done using keepalive or other
   techniques (see Section 10 of [RFC5245]<http://tools.ietf.org/html/rfc5245#section-10> and see [RFC6263<http://tools.ietf.org/html/rfc6263>]).
</snip>

-Tiru

From: rtcweb [mailto:rtcweb-bounces@ietf.org] On Behalf Of Bernard Aboba
Sent: Friday, May 22, 2015 10:24 AM
To: Christer Holmberg
Cc: rtcweb@ietf.org; The IESG
Subject: Re: [rtcweb] Review of draft-ietf-rtcweb-stun-consent-freshness

Christer said:

"A while ago, we agreed that consent does not need to be maintained on candidate pairs that aren't currently used."

[BA] If the specification were to say that consent is required once media is sent, then this would logically follow.

That should not be seen as lost consent (i.e. if the UA wants to start sending data on the candidate pair it should not have to do ICE restart or create a  new session).

[BA] I agree. As long as it can obtain consent on the new pair (without having to update the ufrag/pwd), it should be fine.

So, consent is lost if the UA sends consent requests, and does not receive a response.

[BA] Consent is lost for that candidate pair, and that pair alone.  If connectivity checks are being done on an unused candidate pair (as advocated in Justin's nombis draft), the consent mechanism does not apply until media is sent on that pair.  So you can't revoke consent on a candidate pair if media isn't being sent on the pair.

Perhaps that is clear in the draft, but if people have a different understanding it may need to be clarified :)

[BA] I agree with your perspective, but I do think it could be made more clear in the document.

On Thu, May 21, 2015 at 8:55 PM, Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> wrote:
Hi,

...

>> After consent is lost for any reason, the same ICE credentials MUST
>> NOT be used on the affected 5-tuple again. That means that a new
>> session, or an ICE restart, is needed to obtain consent to send.
>>
>> [BA] The second sentence does not follow from the first. RFC 5245
>> enables sending of media once a successful ICE connectivity check has been received.
>> If multiple successful candidate pairs have been identified, why
>> should failure of consent on one candidate pair require an ICE restart
>> if another operational candidate pair exists?
>
>... is needed to obtain consent to send *on that candidate pair*.
>
>There was a long discussion about this point, the conclusion of which was "use it or lose it".  This captures that >conclusion.  I can't remember the details of the discussion, but I think that it wasn't a security concern but a >robustness one.

A while ago, we agreed that consent does not need to be maintained on candidate pairs that aren't currently used. That should not be seen as lost consent (i.e. if the UA wants to start sending data on the candidate pair it should not have to do ICE restart or create a  new session).

So, consent is lost if the UA sends consent requests, and does not receive a response. Consent is NOT lost if the UA stops sending consent requests (and therefor obviously will not receive a response).

Perhaps that is clear in the draft, but if people have a different understanding it may need to be clarified :)

Regards,

Christer

v2.23.0 | Report a Bug | By Email