Re: [rtcweb] SIP MUST NOT be used in browser?[was RE: Remote recording - RTC-Web client acting as SIPREC session recording client]

Matthew Kaufman <matthew.kaufman@skype.net> Tue, 06 September 2011 21:14 UTC


On 9/6/11 12:02 PM, Ravindran Parthasarathi wrote:
> Matthew,
>
> <snip>
>> And there's some security reasons that I'd rather you tunnel it over
>> HTTP rather than opening up your ability to send UDP packets to port
>> 5060.
>> SIP runs on TCP and TLS ports too.
> </snip>
> In case one port opening (80) will not create security issue but how
> opening two ports (80 & 5060) will cause security issue? Could you
> please explain the security reason between port 80 for HTTP and 5060 for
> SIP?

There has been a whole lot of work regarding what browsers do and don't 
do over HTTP. (Think: cross site access, what headers can be controlled 
from script, etc.) We would be forced to reinvent all of this for a 
reduced-functionality SIP in order to get the same protections. (Should 
a browser that runs JavaScript loaded from www.evil.com be able to send 
SIP INVITE to addresses inside your firewall?)

And there is a whole lot of infrastructure that allows organizations to 
safely allow HTTP to pass in and out of their infrastructure.
>
> Please read inline for further comments.
>
> Thanks
> Partha
>
>> -----Original Message-----
>> From: Olle E. Johansson [mailto:oej@edvina.net]
>> Sent: Wednesday, September 07, 2011 12:17 AM
>> To: Matthew Kaufman
>> Cc: Ravindran Parthasarathi; rtcweb@ietf.org
>> Subject: Re: [rtcweb] SIP MUST NOT be used in browser?[was RE: Remote
>> recording - RTC-Web client acting as SIPREC session recording client]
>>
>>
>> On 6 Sep 2011 at 20:40, Matthew Kaufman wrote:
>>
>>> On 9/6/11 11:36 AM, Ravindran Parthasarathi wrote:
>>>> Matthew,
>>>>
>>>> Even in case of SIP, there is no need of standardization in case it
>>>> is within single webserver(skype). SIP supports x-header or proprietary
>>>> header to extend the way you want it for providing innovative
>>>> functionality.
>>> Not if SIP is baked in to the browser it doesn't. If the browser
>>> implements a SIP phone in native code, I have no way of adding
>>> "x-header" or anything else. I live with the functionality provided
>>> by the browser.
>> That's an implementation detail. One can easily add an API call to add
>> headers on the outbound INVITE.
> [Partha] My understanding is same as Olle. JavaScript API MUST provide
> the mechanism to add proprietary SIP headers or else I agree with you
> that solution is useless.

Not nearly sufficient as I stated before. The problem is the semantics 
of all the existing SIP messages and headers, not whether or not you can 
add more.

Matthew Kaufman
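
An added illustration, not part of the original message and not any browser's actual code: a simplified model of the HTTP-side checks the reply refers to (cross-site access, which headers script may set), the kind of policy a browser-native SIP stack would have to reproduce. Function and field names are hypothetical, the header and port lists are subsets of those in the Fetch standard, and the sample requests are constructed.

```javascript
// Simplified model of checks a browser applies to script-initiated HTTP.
// Added example: names are hypothetical, lists are subsets of the Fetch standard.
const FORBIDDEN = new Set(["accept-charset", "accept-encoding", "connection",
  "content-length", "cookie", "date", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via"]);
const BLOCKED_PORTS = new Set([25, 5060, 5061]); // subset of Fetch "bad ports"
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded",
  "multipart/form-data", "text/plain"]);

// Headers that script is never allowed to set; the browser owns them.
function isForbidden(name) {
  const n = name.toLowerCase();
  return FORBIDDEN.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

// Headers a cross-origin request may carry without asking the server first.
function isSafelisted(name, value) {
  const n = name.toLowerCase();
  if (SAFE_HEADERS.has(n)) return true;
  if (n !== "content-type") return false;
  return SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

// Decide what happens to a request made by script loaded from pageOrigin.
function evaluateScriptRequest(pageOrigin, req) {
  const target = new URL(req.url);
  const crossOrigin = target.origin !== new URL(pageOrigin).origin;
  const portBlocked = BLOCKED_PORTS.has(Number(target.port));
  const dropped = [], sent = {};
  for (const [name, value] of Object.entries(req.headers || {})) {
    if (isForbidden(name)) dropped.push(name); else sent[name] = value;
  }
  const method = (req.method || "GET").toUpperCase();
  // Anything beyond a "simple" request must be approved by the target server.
  const needsPreflight = crossOrigin && (!SAFE_METHODS.has(method) ||
    Object.entries(sent).some(([n, v]) => !isSafelisted(n, v)));
  return { crossOrigin, portBlocked, dropped, sent, needsPreflight };
}

// Constructed sample: script from www.evil.com targeting an internal host.
const sample = evaluateScriptRequest("https://www.evil.com", {
  url: "http://10.0.0.5/admin", method: "PUT",
  headers: { Host: "intranet", Via: "x", "X-Custom": "1" } });
console.log(sample);
```
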