Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu-behave-consent-freshness-04.txt
"Muthu Arul Mozhi Perumal (mperumal)" <mperumal@cisco.com> Wed, 17 July 2013 08:46 UTC
Return-Path: <mperumal@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 833E021F9D87 for <rtcweb@ietfa.amsl.com>; Wed, 17 Jul 2013 01:46:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.449
X-Spam-Level:
X-Spam-Status: No, score=-10.449 tagged_above=-999 required=5 tests=[AWL=0.150, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iXXoS0ELQuTS for <rtcweb@ietfa.amsl.com>; Wed, 17 Jul 2013 01:46:08 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id EC58F21F9D2C for <rtcweb@ietf.org>; Wed, 17 Jul 2013 01:46:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6628; q=dns/txt; s=iport; t=1374050765; x=1375260365; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=l2Y4NqohyGMHgUOBnwJCREoUL6sUiIFPfvKU2c72weM=; b=UA1vGmDiogVfBJZqc5RTuoRKTsJGCjXBP65SuevWfvq9zxDsxB2JHTOV 90UjB682/lsGxZ+YWZU5Dc4LMULP2XNp81ZTFI48v85yBsZfAv7sQCadU VgE4Pa7+1JHzzIrecBeCUa1ZUnsgYeQI4E5oPglCQumm03ja6F/TqHngQ 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgkFAPBX5lGtJV2b/2dsb2JhbABagwY0T8I4gQ4WdIIjAQEBBAEBAWsLDAQCAQgRBAEBCx0HJwsUCAEIAgQOBQiICAy1MwSPPTEHBoMGbgOIb6A6gVmBOYIo
X-IronPort-AV: E=Sophos;i="4.89,683,1367971200"; d="scan'208";a="235806496"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-2.cisco.com with ESMTP; 17 Jul 2013 08:46:03 +0000
Received: from xhc-rcd-x03.cisco.com (xhc-rcd-x03.cisco.com [173.37.183.77]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r6H8k2Yf027070 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 17 Jul 2013 08:46:02 GMT
Received: from xmb-rcd-x02.cisco.com ([169.254.4.192]) by xhc-rcd-x03.cisco.com ([173.37.183.77]) with mapi id 14.02.0318.004; Wed, 17 Jul 2013 03:46:02 -0500
From: "Muthu Arul Mozhi Perumal (mperumal)" <mperumal@cisco.com>
To: "Avasarala, Ranjit (NSN - IN/Bangalore)" <ranjit.avasarala@nsn.com>
Thread-Topic: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu-behave-consent-freshness-04.txt
Thread-Index: AQHOgiT6JQEMzVPeD0imnIi9kp/qUZloXWjAgAAJRoCAAAceUIAAG3TA
Date: Wed, 17 Jul 2013 08:46:02 +0000
Message-ID: <E721D8C6A2E1544DB2DEBC313AF54DE22419BC0C@xmb-rcd-x02.cisco.com>
References: <20130715173816.18605.12504.idtracker@ietfa.amsl.com> <E721D8C6A2E1544DB2DEBC313AF54DE224198182@xmb-rcd-x02.cisco.com> <51E513BF.2040405@viagenie.ca> <E721D8C6A2E1544DB2DEBC313AF54DE224199A15@xmb-rcd-x02.cisco.com> <51E536C1.1080507@viagenie.ca> <E721D8C6A2E1544DB2DEBC313AF54DE224199D69@xmb-rcd-x02.cisco.com> <51E544BC.6000608@viagenie.ca> <E54AEADE791D51469F45E7FBB9643915090BC6@SGSIMBX001.nsn-intra.net> <E721D8C6A2E1544DB2DEBC313AF54DE22419B715@xmb-rcd-x02.cisco.com> <E54AEADE791D51469F45E7FBB9643915090BF4@SGSIMBX001.nsn-intra.net>
In-Reply-To: <E54AEADE791D51469F45E7FBB9643915090BF4@SGSIMBX001.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [72.163.208.222]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu-behave-consent-freshness-04.txt
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jul 2013 08:46:13 -0000
|If many public STUN servers and call servers that implement STUN or ICElite |functionalities, are not expected to support I should have said they have no role to play. It is similar to peer-to-peer ICE connectivity checks -- those checks don't go through public STUN or call servers at all. The difference between ICE connectivity checks and consent freshness checks is that the former is performed before session establishment and the later is performed after session establishment. |then who would have interest to support this functionality? RTCWEB browsers and browser-like platforms. |Ideally getting consent for receiving traffic or call should be part of signaling. |I do not think using STUN is appropriate. ICE already does that. You think it is inappropriate? Muthu |-----Original Message----- |From: Avasarala, Ranjit (NSN - IN/Bangalore) [mailto:ranjit.avasarala@nsn.com] |Sent: Wednesday, July 17, 2013 12:16 PM |To: Muthu Arul Mozhi Perumal (mperumal) |Cc: rtcweb@ietf.org |Subject: RE: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu-behave-consent-freshness-04.txt | |Hi Muthu | |If many public STUN servers and call servers that implement STUN or ICElite functionalities, are not |expected to support, then who would have interest to support this functionality? Ideally getting |consent for receiving traffic or call should be part of signaling. I do not think using STUN is |appropriate. | |Regards |Ranjit | | | | |-----Original Message----- |From: ext Muthu Arul Mozhi Perumal (mperumal) [mailto:mperumal@cisco.com] |Sent: Wednesday, July 17, 2013 12:07 PM |To: Avasarala, Ranjit (NSN - IN/Bangalore) |Cc: rtcweb@ietf.org; behave@ietf.org |Subject: RE: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu-behave-consent-freshness-04.txt | |Ranjit, | ||Many publicly available STUN servers or those that are part of Call servers ||may not support this. | |Public STUN servers and call servers are not expected to support this. | ||Can't there be some other neutral mechanism to query peer's consent - through ||signaling? | |No. That signaling between the JS and the web server could be anything (SIP or XMPP or proprietary or |whatever) and the browser has no control over it. | |Muthu | ||-----Original Message----- ||From: Avasarala, Ranjit (NSN - IN/Bangalore) [mailto:ranjit.avasarala@nsn.com] ||Sent: Wednesday, July 17, 2013 11:19 AM ||To: Muthu Arul Mozhi Perumal (mperumal) ||Cc: rtcweb@ietf.org; behave@ietf.org ||Subject: RE: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu-behave-consent-freshness-04.txt || ||Hi Muthu || ||Though using STUN request/response may be good for querying about consent, I feel it is overloading ||the functionality of STUN. Many publicly available STUN servers or those that are part of Call |servers ||may not support this. || ||Can't there be some other neutral mechanism to query peer's consent - through signaling? || || ||Regards ||Ranjit || || || ||-----Original Message----- ||From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf Of ext Simon Perreault ||Sent: Tuesday, July 16, 2013 6:34 PM ||To: Muthu Arul Mozhi Perumal (mperumal) ||Cc: rtcweb@ietf.org; behave@ietf.org ||Subject: Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu-behave-consent-freshness-04.txt || ||Le 2013-07-16 14:43, Muthu Arul Mozhi Perumal (mperumal) a écrit : ||> |> |> Liveness timer: If no packets have been received on the local port in ||> |> |> Tr seconds, the WebRTC browser MUST inform the JavaScript that ||> |> |> connectivity has been lost. The JavaScript application will use this ||> |> |> notification however it desires (e.g., cease transmitting to the ||> |> |> remote peer, provide a notification to the user, etc.). ||> |> | ||> |> |This seems to me like it will not fulfill the goal set in the abstract: ||> |> |"to ensure that a malicious JavaScript cannot use the browser as a ||> |> |platform for launching attacks". If the JavaScript is free to ignore the ||> |> |notification from the browser, then it has no security benefits. If you ||> |> |want to reach that goal, the browser needs to forcefully stop transmitting. ||> |> ||> |> That goal is fulfilled by the consent checks -- the browser would stop transmitting everything |on ||> |that candidate pair, including liveness checks, if there is a consent failure. ||> | ||> |That's not what the draft says. It says that the browser "notifies" the ||> |JS app. It needs to say that the browser MUST stop sending. ||> ||> No. That section is about liveness check and its intention is just notify the JavaScript of a ||potential connectivity loss. It is when the consent check fails the browser actually stops sending ||everything. Does the draft need more text on the distinction between consent and liveness tests? || ||Ah! No, you're right, and the text is already perfectly clear about ||this. No need to change. I was just confused. || ||> |> |> When not actively sending traffic on a nominated candidate pair, ||> |> |> performing consent freshness does not serve any purpose from a ||> |> |> security perspective. ||> |> | ||> |> |I don't understand what this means. Why is the "security perspective" ||> |> |important here? Aren't we concerned about keepalives? ||> |> ||> |> You mean one could use keepalives (Binding indications) for launching attacks, so consent ||freshness ||> |would be required for sending them as well? ||> | ||> |No. ||> | ||> |This is a section about keepalives. I just don't understand this ||> |sentence, and I don't understand why it talks about security. ||> ||> Ok, let me elaborate: ||> - Consent freshness is not necessary when the browser is not sending any ||> traffic on a candidate pair. ||> - If the browser is not performing consent freshness on a candidate pair ||> for the above reason, it performs ICE keepalives (or RTP keepalives) to ||> refresh NAT bindings. ||> ||> Of course, the browser could continue performing consent freshness even when it is not sending any ||other traffic on that candidate pair and skip ICE keepalives. || ||Ah, ok I understand with your explanation. It makes sense. There should ||be a way to reformulate the text to make it clearer. || ||Thanks, ||Simon ||_______________________________________________ ||rtcweb mailing list ||rtcweb@ietf.org ||https://www.ietf.org/mailman/listinfo/rtcweb
- [rtcweb] FW: I-D Action: draft-muthu-behave-conse… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Simon Perreault
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Simon Perreault
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Avasarala, Ranjit (NSN - IN/Bangalore)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Avasarala, Ranjit (NSN - IN/Bangalore)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Eric Rescorla
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Avasarala, Ranjit (NSN - IN/Bangalore)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Simon Perreault
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Eric Rescorla
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Avasarala, Ranjit (NSN - IN/Bangalore)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu… Avasarala, Ranjit (NSN - IN/Bangalore)