Re: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt

Dan Wing <dwing@cisco.com> Tue, 20 August 2013 06:16 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A683111E81BF for <rtcweb@ietfa.amsl.com>; Mon, 19 Aug 2013 23:16:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.46
X-Spam-Level:
X-Spam-Status: No, score=-110.46 tagged_above=-999 required=5 tests=[AWL=0.139, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vMaUcD53guBt for <rtcweb@ietfa.amsl.com>; Mon, 19 Aug 2013 23:16:13 -0700 (PDT)
Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id 5B91611E80D2 for <rtcweb@ietf.org>; Mon, 19 Aug 2013 23:16:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3354; q=dns/txt; s=iport; t=1376979373; x=1378188973; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=MUQ/VJg5WnMKh9RTKdQhfZhYaehFHtKALJ0Dj+jS9vg=; b=cfFNke1Au+Ij+fDufX6svrKNAlmfeklZaQPCF5KZd4SC1Qfg5Dr2tWrf uN5nc6GVhd2yWAT4sUHcE2KLzW2blS5bFqMiFh5lsIhSdCmRs9u/CD2X+ Qle0ENwX0oqi4l7SubyP3IlAXXVcFimWKQq85kReqbgoP/shlRBJ5ntk/ s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag0FALsIE1KrRDoI/2dsb2JhbABZgwWsVoEvkjSBIhZ0giQBAQEDAWwKAwULC0ZXBhMbh2MDCQWrSo1kgTqBCzMHgxt3A4ktimCBb4FohimGBIUogzwcgS0
X-IronPort-AV: E=Sophos;i="4.89,918,1367971200"; d="scan'208";a="89596087"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-2.cisco.com with ESMTP; 20 Aug 2013 06:16:11 +0000
Received: from [10.21.102.166] ([10.21.102.166]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r7K6G9hm000462; Tue, 20 Aug 2013 06:16:09 GMT
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <BLU169-W11E1423497EE1A503309E793430@phx.gbl>
Date: Mon, 19 Aug 2013 23:16:09 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <A156A84B-0824-4826-8544-980916965E91@cisco.com>
References: <20130819171507.30712.24757.idtracker@ietfa.amsl.com>, <52128C29.4040402@alvestrand.no>, <EAF548B7-09BE-4C64-AC44-4EE02EFC96F7@cisco.com> <BLU169-W11E1423497EE1A503309E793430@phx.gbl>
To: Bernard Aboba <bernard_aboba@hotmail.com>
X-Mailer: Apple Mail (2.1508)
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2013 06:16:18 -0000

On Aug 19, 2013, at 11:02 PM, Bernard Aboba <bernard_aboba@hotmail.com> wrote:

> Dan Wing said:
> 
> > Section 2.2,
> > "In order to deal with firewalls that block all UDP traffic, TURN over
> > TCP MUST be supported. (QUESTION: What about ICE-TCP?)"
> > 
> > ICE-TCP allows direct peer-to-peer communications using TCP, without a TURN server doing TCP-to-UDP interworking. I would say the industry has less experience with ICE-TCP than with ICE or with TURN-over-TCP, and because of the less experience and because ICE-TCP is arguably an *optimization*, I would say ICE-TCP is a MAY. It can't be a MUST-level requirement, at least by my threshold for MUST which is that interoperability is harmed or interoperability is impossible.
> 
> [BA]  While ICE-TCP will only eliminate the need for TURN over TCP in a fraction of NAT usage cases, the benefits can be substantial in the situations where it does work (and is needed).  The most popular uses of ICE-TCP so far are for things like P2P chat (e.g. MSRP), application sharing and RTP over TCP.  Given that WebRTC  could implement MSRP over the data channel, and could handle screen sharing via RTP over UDP,  the case probably needs to be made based on TURN-less conveyance of RTP over TCP (probably in a consumer scenario only, since for enterprise the TURN server would most likely be needed for firewall traversal reasons).  It's definitely not a MUST, and probably not a SHOULD either for WebRTC.  
> 
> > Most -- but not all -- of the security obtained with TURN over TLS is achieved with TURN REST (draft-uberti-behave-turn-rest and draft-uberti-rtcweb-turn-rest). I think the working group should consider if TURN REST satisfies the requirements, or if TURN over TLS is really, really necessary.
> 
> [BA] Not sure I follow this.   TURN over TLS provides confidentiality for the relay addresses and also some firewall traversal benefits.  TURN REST is trying to solve a different problem entirely (e.g. misuse of TURN credentials).  

TURN REST solves misuse of credentials and significantly reduces ability to do traffic analysis of the TURN client by someone sniffing between the TURN client and TURN server (username="dwing" sent plaintext between the TURN client and TURN server).

> Personally, I don't think TURN REST really minimizes the risk to the extent necessary, since time limiting the credentials alone won't necessarily stop an ingenious (and greedy) thief.  As an example, when hackers gain control of a PBX they can run up shocking bills in a very short period of time, and even if TURN charges are minimal, you'd be surprised at what Internet miscreants can do with stolen credentials within a 24 hour period.  So to my mind, TURN REST needs some additional bolstering to limit the potential financial liability, such as bandwidth limits. 

I expect something like a bandwidth limit is something that can be encoded into the TURN REST username that is coordinated between the WebRTC server and its cooperative TURN server.  It might be better to encode that properly, rather than by overloading bits of the username.  But perhaps a more elegant solution, rather than bandwidth limits, could be engineered.

-d