Re: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt

Bernard Aboba <> Tue, 20 August 2013 06:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4E28B11E81B1 for <>; Mon, 19 Aug 2013 23:02:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -102.598
X-Spam-Status: No, score=-102.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vfSOL-nBFdSV for <>; Mon, 19 Aug 2013 23:02:38 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8025E11E80E0 for <>; Mon, 19 Aug 2013 23:02:27 -0700 (PDT)
Received: from BLU169-W11 ([]) by with Microsoft SMTPSVC(6.0.3790.4675); Mon, 19 Aug 2013 23:02:26 -0700
X-TMN: [mrs7pGlzCq44Iv9maCWUBx5njascNVnv]
X-Originating-Email: []
Message-ID: <BLU169-W11E1423497EE1A503309E793430@phx.gbl>
Content-Type: multipart/alternative; boundary="_b10acb0d-b3b6-4d64-9d0f-f1447bab1147_"
From: Bernard Aboba <>
To: Dan Wing <>, Harald Alvestrand <>
Date: Mon, 19 Aug 2013 23:02:25 -0700
Importance: Normal
In-Reply-To: <>
References: <>, <>, <>
MIME-Version: 1.0
X-OriginalArrivalTime: 20 Aug 2013 06:02:26.0506 (UTC) FILETIME=[D885BAA0:01CE9D6A]
Cc: "" <>
Subject: Re: [rtcweb] I-D Action: draft-ietf-rtcweb-transports-00.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Aug 2013 06:02:44 -0000

Dan Wing said:
> Section 2.2,
>   "In order to deal with firewalls that block all UDP traffic, TURN over
>    TCP MUST be supported.  (QUESTION: What about ICE-TCP?)"
> ICE-TCP allows direct peer-to-peer communications using TCP, without a TURN server doing TCP-to-UDP interworking.  I would say the industry has less experience with ICE-TCP than with ICE or with TURN-over-TCP, and because of the less experience and because ICE-TCP is arguably an *optimization*, I would say ICE-TCP is a MAY.  It can't be a MUST-level requirement, at least by my threshold for MUST which is that interoperability is harmed or interoperability is impossible.
[BA]  While ICE-TCP will only eliminate the need for TURN over TCP in a fraction of NAT usage cases, the benefits can be substantial in the situations where it does work (and is needed).  The most popular uses of ICE-TCP so far are for things like P2P chat (e.g. MSRP), application sharing and RTP over TCP.  Given that WebRTC  could implement MSRP over the data channel, and could handle screen sharing via RTP over UDP,  the case probably needs to be made based on TURN-less conveyance of RTP over TCP (probably in a consumer scenario only, since for enterprise the TURN server would most likely be needed for firewall traversal reasons).  It's definitely not a MUST, and probably not a SHOULD either for WebRTC.  
> Most -- but not all -- of the security obtained with TURN over TLS is achieved with TURN REST (draft-uberti-behave-turn-rest and draft-uberti-rtcweb-turn-rest).  I think the working group should consider if TURN REST satisfies the requirements, or if TURN over TLS is really, really necessary.
[BA] Not sure I follow this.   TURN over TLS provides confidentiality for the relay addresses and also some firewall traversal benefits.  TURN REST is trying to solve a different problem entirely (e.g. misuse of TURN credentials).  Personally, I don't think TURN REST really minimizes the risk to the extent necessary, since time limiting the credentials alone won't necessarily stop an ingenious (and greedy) thief.  As an example, when hackers gain control of a PBX they can run up shocking bills in a very short period of time, and even if TURN charges are minimal, you'd be surprised at what Internet miscreants can do with stolen credentials within a 24 hour period.  So to my mind, TURN REST needs some additional bolstering to limit the potential financial liability, such as bandwidth limits.