Return-Path: X-Original-To: rtcweb@ietfa.amsl.com Delivered-To: rtcweb@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A683111E81BF for ; Mon, 19 Aug 2013 23:16:18 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -110.46 X-Spam-Level: X-Spam-Status: No, score=-110.46 tagged_above=-999 required=5 tests=[AWL=0.139, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vMaUcD53guBt for ; Mon, 19 Aug 2013 23:16:13 -0700 (PDT) Received: from mtv-iport-2.cisco.com (mtv-iport-2.cisco.com [173.36.130.13]) by ietfa.amsl.com (Postfix) with ESMTP id 5B91611E80D2 for ; Mon, 19 Aug 2013 23:16:13 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3354; q=dns/txt; s=iport; t=1376979373; x=1378188973; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=MUQ/VJg5WnMKh9RTKdQhfZhYaehFHtKALJ0Dj+jS9vg=; b=cfFNke1Au+Ij+fDufX6svrKNAlmfeklZaQPCF5KZd4SC1Qfg5Dr2tWrf uN5nc6GVhd2yWAT4sUHcE2KLzW2blS5bFqMiFh5lsIhSdCmRs9u/CD2X+ Qle0ENwX0oqi4l7SubyP3IlAXXVcFimWKQq85kReqbgoP/shlRBJ5ntk/ s=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: Ag0FALsIE1KrRDoI/2dsb2JhbABZgwWsVoEvkjSBIhZ0giQBAQEDAWwKAwULC0ZXBhMbh2MDCQWrSo1kgTqBCzMHgxt3A4ktimCBb4FohimGBIUogzwcgS0 X-IronPort-AV: E=Sophos;i="4.89,918,1367971200"; d="scan'208";a="89596087" Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-2.cisco.com with ESMTP; 20 Aug 2013 06:16:11 +0000 Received: from [10.21.102.166] ([10.21.102.166]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r7K6G9hm000462; Tue, 20 Aug 2013 06:16:09 GMT Content-Type: text/plain; charset=iso-8859-1 Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\)) From: Dan Wing In-Reply-To: Date: Mon, 19 Aug 2013 23:16:09 -0700 Content-Transfer-Encoding: quoted-printable Message-Id: References: <20130819171507.30712.24757.idtracker@ietfa.amsl.com>, <52128C29.4040402@alvestrand.no>, To: Bernard Aboba X-Mailer: Apple Mail (2.1508) Cc: "rtcweb@ietf.org" Subject: Re: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt X-BeenThere: rtcweb@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Real-Time Communication in WEB-browsers working group list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 Aug 2013 06:16:18 -0000 On Aug 19, 2013, at 11:02 PM, Bernard Aboba = wrote: > Dan Wing said: >=20 > > Section 2.2, > > "In order to deal with firewalls that block all UDP traffic, TURN = over > > TCP MUST be supported. (QUESTION: What about ICE-TCP?)" > >=20 > > ICE-TCP allows direct peer-to-peer communications using TCP, without = a TURN server doing TCP-to-UDP interworking. I would say the industry = has less experience with ICE-TCP than with ICE or with TURN-over-TCP, = and because of the less experience and because ICE-TCP is arguably an = *optimization*, I would say ICE-TCP is a MAY. It can't be a MUST-level = requirement, at least by my threshold for MUST which is that = interoperability is harmed or interoperability is impossible. >=20 > [BA] While ICE-TCP will only eliminate the need for TURN over TCP in = a fraction of NAT usage cases, the benefits can be substantial in the = situations where it does work (and is needed). The most popular uses of = ICE-TCP so far are for things like P2P chat (e.g. MSRP), application = sharing and RTP over TCP. Given that WebRTC could implement MSRP over = the data channel, and could handle screen sharing via RTP over UDP, the = case probably needs to be made based on TURN-less conveyance of RTP over = TCP (probably in a consumer scenario only, since for enterprise the TURN = server would most likely be needed for firewall traversal reasons). = It's definitely not a MUST, and probably not a SHOULD either for WebRTC. = =20 >=20 > > Most -- but not all -- of the security obtained with TURN over TLS = is achieved with TURN REST (draft-uberti-behave-turn-rest and = draft-uberti-rtcweb-turn-rest). I think the working group should = consider if TURN REST satisfies the requirements, or if TURN over TLS is = really, really necessary. >=20 > [BA] Not sure I follow this. TURN over TLS provides confidentiality = for the relay addresses and also some firewall traversal benefits. TURN = REST is trying to solve a different problem entirely (e.g. misuse of = TURN credentials). =20 TURN REST solves misuse of credentials and significantly reduces ability = to do traffic analysis of the TURN client by someone sniffing between = the TURN client and TURN server (username=3D"dwing" sent plaintext = between the TURN client and TURN server). > Personally, I don't think TURN REST really minimizes the risk to the = extent necessary, since time limiting the credentials alone won't = necessarily stop an ingenious (and greedy) thief. As an example, when = hackers gain control of a PBX they can run up shocking bills in a very = short period of time, and even if TURN charges are minimal, you'd be = surprised at what Internet miscreants can do with stolen credentials = within a 24 hour period. So to my mind, TURN REST needs some additional = bolstering to limit the potential financial liability, such as bandwidth = limits.=20 I expect something like a bandwidth limit is something that can be = encoded into the TURN REST username that is coordinated between the = WebRTC server and its cooperative TURN server. It might be better to = encode that properly, rather than by overloading bits of the username. = But perhaps a more elegant solution, rather than bandwidth limits, could = be engineered. -d