IETF Logo Mail Archive

Re: [rtcweb] Comments on draft-ietf-rtcweb-security-06

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 25 February 2014 09:13 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C80B91A0657 for <rtcweb@ietfa.amsl.com>; Tue, 25 Feb 2014 01:13:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.952
X-Spam-Level:
X-Spam-Status: No, score=-1.952 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GmC_mC6KIPiQ for <rtcweb@ietfa.amsl.com>; Tue, 25 Feb 2014 01:13:55 -0800 (PST)
Received: from mailgw1.ericsson.se (mailgw1.ericsson.se [193.180.251.45]) by ietfa.amsl.com (Postfix) with ESMTP id 9B2EB1A03A4 for <rtcweb@ietf.org>; Tue, 25 Feb 2014 01:13:54 -0800 (PST)
X-AuditID: c1b4fb2d-b7f5d8e000002a7b-c0-530c5ed14db0
Received: from ESESSHC023.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw1.ericsson.se (Symantec Mail Security) with SMTP id DA.E3.10875.1DE5C035; Tue, 25 Feb 2014 10:13:53 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.89) with Microsoft SMTP Server id 14.2.347.0; Tue, 25 Feb 2014 10:13:52 +0100
Message-ID: <530C5ED0.8040808@ericsson.com>
Date: Tue, 25 Feb 2014 10:13:52 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.3.0
MIME-Version: 1.0
To: Martin Thomson <martin.thomson@gmail.com>
References: <530627C7.30906@ericsson.com> <CA+9kkMAMf2qBm4LX3ooPOW3xsBO=LEw045NWDnX3ahWBByaUQQ@mail.gmail.com> <53070996.9040707@ericsson.com> <CA+9kkMAXxx3eP2fuBU7LCtwFwgzRs7+uYpTJAoWYnEdBaTavaQ@mail.gmail.com> <CABkgnnV_SL1gxfDXHVUu1qGho5dUzx2vK4RumSnCq-FH5-zt0g@mail.gmail.com> <530B194F.4040909@ericsson.com> <CABkgnnXAphLn5uY6WmMYMGRv0j0J3LmSFBAMthcnj2oa-3T9-Q@mail.gmail.com>
In-Reply-To: <CABkgnnXAphLn5uY6WmMYMGRv0j0J3LmSFBAMthcnj2oa-3T9-Q@mail.gmail.com>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprELMWRmVeSWpSXmKPExsUyM+Jvje7FOJ5gg+UzBC2unfnHaLH2Xzu7 ReNcOwdmj52z7rJ7LFnykymAKYrLJiU1J7MstUjfLoEr40dDM3PBO6GKzv4vzA2Mi/i7GDk4 JARMJBq7ArsYOYFMMYkL99azgdhCAocYJd7dUuli5AKylzNKfJp9nh2knldAW+LmmzCQGhYB VYmjq/rZQWw2AQuJmz8awXpFBYIldh74zQhi8woISpyc+YQFxBYR0JVYdPYBWD2zgIfEtFtL WUFsYQF7iQd3nzNB7PrLJPGh+zpYM6dAoMSlF6dZIO4Ul+hpDILo1ZRo3f4bao68RPPW2cwQ N2tLNDR1sE5gFJqFZPUsJC2zkLQsYGRexciem5iZk15uuIkRGK4Ht/zW3cF46pzIIUZpDhYl cd4Pb52DhATSE0tSs1NTC1KL4otKc1KLDzEycXBKNTAG7NWO6Y+9r/VITtK6e1rO6opkq7lF WWw7xIz9PfV9LZ9cTrgceaGmyuH5UdbPet1+Ua0FZ+teTJm7YNpjy4bU29x/bH7kHU/Izb9k fGfJr3O5z8SZ+7/0NGf3tjj9n/TbL1p4k+hE+b0f9Oq+7mpIdT2V91Rhk/cShxu//li7rDzN FGz4k1eJpTgj0VCLuag4EQBjG4FZJQIAAA==
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/YwgehUhvQ81b2INgcgF8iL1FvWE
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Comments on draft-ietf-rtcweb-security-06
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2014 09:13:56 -0000

On 2014-02-24 19:58, Martin Thomson wrote:
> On 24 February 2014 02:05, Magnus Westerlund
> <magnus.westerlund@ericsson.com> wrote:
>> My position is that the above mitigation is unlikely to have significant
>> impact on this attack.
> 
> That was my sense too.
> 
>> There are two reasons I wanted this attack to be considered. First, it
>> provides a clear requirement on having congestion control as first level
>> mitigation.
> 
> Congestion control.  Check.
> 
>> Secondly, I think this could become a significant issue as data channel
>> PeerConnections can be opened without user consent. A malicious JS that
>> is sufficient well spread with a well working find and connect could
>> establish a large mesh of peer connections that could come close to
>> saturate each endpoints local access link, resulting in very heavy loads
>> on the network, even with congestion control. With congestion control
>> you can likely prevent congestion collapse, but you should be fully
>> capable of driving a network into a state of "mostly useless",
>> especially a network suffering from buffer bloat inside of the ingress
>> nodes.
> 
> So the concern is that even with congestion control, a single bad
> actor can use more than their "fair" share of network resources.
> 
> Sadly, this is already true on the web.
> 
> No harm in writing down the potential.  Are you looking for anything
> more than that?

No, I think the main thing is to have something to point at why
congestion control is a MUST. Secondly, at least make people aware that
this mechanism may give a malicious entity more potential for driving
traffic load where they want to cause it than some of the previous
mechanism, due to the ease of finding endpoint and keeping traffic more
localized than in other DDoS attacks. But, sure it will more difficult
to drive the targeted network into completely uselessness.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email