Re: [rtcweb] [tram] TURN permissions for private ips

Justin Uberti <juberti@google.com> Wed, 05 August 2015 21:36 UTC

In-Reply-To: <55C256C8.80606@jive.com>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com> <55C24293.5000603@cs.tcd.ie> <55C24C09.8020404@goodadvice.pages.de> <55C256C8.80606@jive.com>
From: Justin Uberti <juberti@google.com>
Date: Wed, 05 Aug 2015 14:35:52 -0700
Message-ID: <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com>
To: Simon Perreault <sperreault@jive.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/aEoyEnLNQVYefbJKb7IArszc3UM>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, "tram@ietf.org" <tram@ietf.org>

On Wed, Aug 5, 2015 at 11:32 AM, Simon Perreault <sperreault@jive.com>
wrote:

> On 2015-08-05 13:46, Philipp Hancke wrote:
> > If a peer sends candidates with IP addresses from the private space,
> > permissions for those are created at the TURN server. Potentially not
> > utilising transport encryption even.
> >
> > I doubt those candidates ever work, so from a privacy point of view it
> > seems that clients should not create those permissions in the first
> > place. And ICE should probably not try to create pairs.
>
> It's not up to the client to determine what addresses might or might
> not work for a given TURN server. There are lots of weird NAT
> configurations out there that play games with RFC1918 addresses and can
> easily trick clients into doing the wrong thing.
>

I am somewhat sympathetic to that, but given that there is measurable
downside here - extra candidate pairs that take time to check - can you
supply a concrete example of where the client choosing not to pair a TURN
candidate with an RFC1918 address would cause a problem?
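The mechanism under discussion, worked through as an added example (this is not code from any participant in the thread, nor from any browser's ICE stack): an ICE agent pairing its local relayed candidate with each remote candidate must ask the TURN server for a permission for that remote candidate's IP (RFC 5766 CreatePermission), so the TURN server learns every peer address that gets paired, RFC1918 ones included. The code parses SDP `candidate:` attribute lines, lists which peer addresses would be named in CreatePermission requests, and shows the effect of the policy Philipp proposes (skip pairs whose remote address is non-routable) as an opt-in flag, since Simon's objection is that the client cannot always know such an address is unreachable. Assumed for illustration: a single local relay candidate, UDP only, the constructed candidate lines below, and the hypothetical function and flag names.

```python
"""Which peer addresses an ICE agent hands to its TURN server via
CreatePermission, and which of those are RFC1918 / non-routable.

Added illustration for the thread above; not the code of any browser or
TURN library.  Candidate syntax follows the SDP 'candidate:' attribute
(RFC 5245 section 15.1).  Function names and the skip_non_routable
policy flag are assumptions made for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Candidate:
    foundation: str
    component: int
    transport: str
    priority: int
    address: str
    port: int
    typ: str


def parse_candidate(line: str) -> Candidate:
    """Parse one SDP candidate attribute; the 'a=' prefix is optional."""
    if line.startswith("a="):
        line = line[2:]
    if not line.startswith("candidate:"):
        raise ValueError(f"not a candidate attribute: {line!r}")
    fields = line[len("candidate:"):].split()
    # foundation component transport priority address port "typ" type [extensions...]
    if len(fields) < 8 or fields[6] != "typ":
        raise ValueError(f"malformed candidate: {line!r}")
    return Candidate(
        foundation=fields[0],
        component=int(fields[1]),
        transport=fields[2].lower(),
        priority=int(fields[3]),
        address=fields[4],
        port=int(fields[5]),
        typ=fields[7],
    )


# Address space a TURN server on the public Internet cannot reach on the
# peer's behalf.  Listed explicitly rather than via ipaddress.is_private so the
# result does not depend on the Python version's notion of "private".
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "127.0.0.0/8", "::1/128", "0.0.0.0/8", "::/128",   # loopback / unspecified
    "fc00::/7",                                        # RFC 4193 ULA
)]


def is_non_routable(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in NON_ROUTABLE)


def permission_targets(local_relay: Candidate, remote: list[Candidate],
                       skip_non_routable: bool = False) -> list[Candidate]:
    """Remote candidates the agent would name in CreatePermission when pairing
    them with local_relay.  A permission covers a peer IP (any port), so remote
    candidates sharing an address collapse to one entry.  With
    skip_non_routable=True the agent does not form pairs for private or
    link-local peers, the behaviour debated in the thread."""
    relay_version = ipaddress.ip_address(local_relay.address).version
    seen: set[str] = set()
    out: list[Candidate] = []
    for c in remote:
        # Only candidates of the same component and transport are paired (ICE).
        if c.component != local_relay.component or c.transport != local_relay.transport:
            continue
        if ipaddress.ip_address(c.address).version != relay_version:
            continue
        if skip_non_routable and is_non_routable(c.address):
            continue
        if c.address in seen:
            continue
        seen.add(c.address)
        out.append(c)
    return out


def leaked_private_addresses(local_relay: Candidate, remote: list[Candidate]) -> list[str]:
    """Peer addresses from non-routable space that the TURN server would learn."""
    return [c.address for c in permission_targets(local_relay, remote)
            if is_non_routable(c.address)]


# Constructed sample: our relayed candidate on the TURN server, and a peer's
# candidate list as it might arrive in signaling.  Addresses are documentation
# ranges (RFC 5737) standing in for public ones.
LOCAL_RELAY = parse_candidate(
    "candidate:1 1 udp 16777215 203.0.113.7 55555 typ relay raddr 198.51.100.2 rport 40000")
REMOTE = [parse_candidate(l) for l in (
    "candidate:1 1 udp 2122260223 192.168.1.10 50000 typ host",
    "candidate:2 1 udp 2122194687 10.0.0.5 50001 typ host",
    "candidate:3 1 udp 1686052607 198.51.100.20 50002 typ srflx raddr 192.168.1.10 rport 50000",
    "candidate:4 1 udp 2122260223 fe80::1 50003 typ host",                 # IPv6: never paired with an IPv4 relay
    "candidate:5 1 tcp 1518280447 192.168.1.10 9 typ host tcptype active",  # transport mismatch
    "candidate:6 2 udp 2122260222 192.168.1.10 50004 typ host",             # RTCP component
)]

if __name__ == "__main__":
    print("CreatePermission peers:", [c.address for c in permission_targets(LOCAL_RELAY, REMOTE)])
    print("of which non-routable:", leaked_private_addresses(LOCAL_RELAY, REMOTE))
    print("with skip policy:", [c.address for c in permission_targets(LOCAL_RELAY, REMOTE, True)])
```

Note that the srflx candidate's `raddr` field already exposes the same private address in the signaling path; the thread's concern is the separate copy sent to the TURN server, possibly over an unencrypted TURN transport, for pairs that in most deployments can never complete.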