IETF Logo Mail Archive

Re: [rtcweb] Please require user consent for data channels

Justin Uberti <juberti@google.com> Sat, 18 July 2015 00:20 UTC

Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40E471A0BE8 for <rtcweb@ietfa.amsl.com>; Fri, 17 Jul 2015 17:20:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.788
X-Spam-Level:
X-Spam-Status: No, score=-0.788 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_24=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PrPAZdi06DHG for <rtcweb@ietfa.amsl.com>; Fri, 17 Jul 2015 17:19:58 -0700 (PDT)
Received: from mail-ie0-x232.google.com (mail-ie0-x232.google.com [IPv6:2607:f8b0:4001:c03::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BFAF21A0AC8 for <rtcweb@ietf.org>; Fri, 17 Jul 2015 17:19:58 -0700 (PDT)
Received: by iebmu5 with SMTP id mu5so87013104ieb.1 for <rtcweb@ietf.org>; Fri, 17 Jul 2015 17:19:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=WEaWtq8Yr4zrYFuHAbAlidR7y3W0MTqwOWKsuu3b1So=; b=IZA+mEdZVALQqa19QhHqbOy05pSkXecIV+RycWp/cnxBzCp1QHwm2OYS4oMbQ3ULdo joOGdOdK+fyyNpSjlomkv4eECc2odSRshyYwCaU3KqNfu12EosfVkYyH8WRekvvVi9PN HLPZWDUHyL6hxX2oSKtEONYriz0hfc1nliMa5OagX8th60r/kPYAfS6T7b71X5Uec7gc EdCoEQZ5w2Ire32ekp+qS9TYjcaKjgMXgCBhcWRo70SIYMA/TrqfWiLJ+quc+Rrrynkr gKwxUlFx/W5QUgRwPXmkecWzHxjDfRnqbNd3+fY6yih9TahFAgR6OEtR2+eW6vrJIBMg gVxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=WEaWtq8Yr4zrYFuHAbAlidR7y3W0MTqwOWKsuu3b1So=; b=RIhCAU7yOXx5sAqEvOVly67UKe45Ik324S0ZXsfiRPa3nDfpcIbrbcyRJRIsq7aPI2 ZPdQoqx4Hp6OEwcRsg6w3oKnFD8vlhDaUjCkbGKbORoIZUcOq9Y7/HS/DsWuhIy3G5FI MaX59Usj8XjwigqPKqmPRpfN1ARba2Ol09Qoo3SSRGWCfHQrLiFcp/QLryffdqFgMGTX K3ssicz+/rxyuPxPWWy3z+2tro4esZFRmJxRj19Dr4RyGHhXDuTCFFK9CcX/YH1RtJot WGsiJUkn92MOjdHBSzxMyPdrQpgENMVhTeQE9F8ZeUcI7yYbbC+5ZILDNPvRhm9OJ7LN JcdQ==
X-Gm-Message-State: ALoCoQnmBSLPKyqQNAb6yZqNwLS+lFz3uERq4tWv6dntB5TuuajwYKDY/uUwLFzgth8RPIzPlZWW
X-Received: by 10.50.7.104 with SMTP id i8mr193729iga.50.1437178798065; Fri, 17 Jul 2015 17:19:58 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.32.233 with HTTP; Fri, 17 Jul 2015 17:19:38 -0700 (PDT)
In-Reply-To: <55A99148.1040105@gmail.com>
References: <CA+65OspMD_PVjk0BXh7t4LtjmFDcDatoeNjFQOO_OVtC-Br+OA@mail.gmail.com> <CAOJ7v-0UBGtP0-atxP7X4OTj-H6Lost5o42aAS65mA6CEqcQsw@mail.gmail.com> <CA+65OsrhXHK+cRAFLCZFt+34vr8eRhj+CN3DgznUBfSwmWYggw@mail.gmail.com> <CAOJ7v-24VCW6kkn7LOLkqZzhYEU0r=nmd_F7Zns1rnyqKN6xAg@mail.gmail.com> <55A95364.2070806@gmail.com> <CAOJ7v-3t9BQabR2e4EHs4G0Sec4sU9DFC2aiSXXYrat+an+RYg@mail.gmail.com> <55A96DA3.1040907@gmail.com> <CAOJ7v-1ui7349NzK6NZNRHPbnHWZajctk4cDgMKqRZSv47EYdA@mail.gmail.com> <55A9860D.8030903@gmail.com> <CAOJ7v-3LGd32rnpFVW_U0s3+iVaJXsL4vt_YAo=cyp6YyOArdw@mail.gmail.com> <55A99148.1040105@gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Fri, 17 Jul 2015 17:19:38 -0700
Message-ID: <CAOJ7v-1cB47793yH+-mWrdU9rNqX=+HadZpbRf3PezXspqLm1A@mail.gmail.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Content-Type: multipart/alternative; boundary="089e01183ebcbcf6d0051b1b431a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/aHVEf8d0T13r2pThpmld2gxgRsk>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Please require user consent for data channels
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Jul 2015 00:20:00 -0000

On Fri, Jul 17, 2015 at 4:35 PM, Sergio Garcia Murillo <
sergio.garcia.murillo@gmail.com> wrote:

> On 18/07/2015 1:09, Justin Uberti wrote:
>
>>     Next, the agent uses STUN or TURN to obtain additional candidates.
>>     These come in two flavors: translated addresses on the public side of
>>     a NAT (SERVER REFLEXIVE CANDIDATES) and addresses on TURN servers
>>     (RELAYED CANDIDATES).  When TURN servers are utilized, both types of
>>     candidates are obtained from the TURN server.  If only STUN servers
>>     are utilized, only server reflexive candidates are obtained from
>>     them.  The relationship of these candidates to the host candidate is
>>     shown in Figure 2.  In this figure, both types of candidates are
>>     discovered using TURN.  In the figure, the notation X:x means IP
>>     address X and UDP port x.
>>
>> In this one is talking about getting server reflexive and relay
>> candidates, but in no way I see that the stun server should be contacted by
>> all the interfaces or overriding default routing from OS.
>>
>> It is pretty clear from the diagram on page 10 that for each host
>> candidate X:x, the agent will gather a srflx candidate X1':x1' and relay
>> candidate Y:y. This is also spelled out in the text underneath the diagram:
>>
>>    When the agent sends the TURN Allocate request from IP address and
>>    port X:x, the NAT (assuming there is one) will create a binding
>>    X1':x1', mapping this server reflexive candidate to the host
>>    candidate X:x.
>>
>> Ergo, one tries to gather srflx and relay candidates for each host
>> candidate X:x.
>>
>
> Agree, for each HOST candidate, it should send a STUN request to the turn
> server from that IP:port. But shouldn't the VPN configuration prevent the
> non-VPN-host-candidate STUN request to be sent via the non-VPN-interface?
> (i.e. applying default route based on dest?)
>

Replying to Sergio:

Typically with a VPN, the non-VPN interface is locked down so it only has a
single route: to the VPN server. However, split tunnel VPNs allow the
non-VPN interface to route to other addresses (possibly, for performance
reasons), so in this case, the non-VPN-host-candidate STUN request will be
sent successfully from the non-VPN interface.

Sometimes this will be desirable: imagine someone working from home who
wants to connect to their corp VPN, but wants to have their video
conferencing traffic not go through the VPN. Sometimes this will not be
desirable, i.e. when the VPN is being used for privacy. This makes picking
a perfect default setting difficult, although we have some ideas that we
are exploring.

v2.23.0 | Report a Bug | By Email