Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu-behave-consent-freshness-04.txt

Simon Perreault <simon.perreault@viagenie.ca> Tue, 16 July 2013 13:04 UTC

Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1F1821F9A1E; Tue, 16 Jul 2013 06:04:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y2jWGTIflMph; Tue, 16 Jul 2013 06:04:00 -0700 (PDT)
Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by ietfa.amsl.com (Postfix) with ESMTP id 60EE211E80F3; Tue, 16 Jul 2013 06:03:59 -0700 (PDT)
Received: from [IPv6:::1] (unknown [IPv6:2001:660:3001:4012:5b8:1f9e:c21b:48d7]) by jazz.viagenie.ca (Postfix) with ESMTPSA id 57898470FB; Tue, 16 Jul 2013 09:03:58 -0400 (EDT)
Message-ID: <51E544BC.6000608@viagenie.ca>
Date: Tue, 16 Jul 2013 15:03:56 +0200
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: "Muthu Arul Mozhi Perumal (mperumal)" <mperumal@cisco.com>
References: <20130715173816.18605.12504.idtracker@ietfa.amsl.com> <E721D8C6A2E1544DB2DEBC313AF54DE224198182@xmb-rcd-x02.cisco.com> <51E513BF.2040405@viagenie.ca> <E721D8C6A2E1544DB2DEBC313AF54DE224199A15@xmb-rcd-x02.cisco.com> <51E536C1.1080507@viagenie.ca> <E721D8C6A2E1544DB2DEBC313AF54DE224199D69@xmb-rcd-x02.cisco.com>
In-Reply-To: <E721D8C6A2E1544DB2DEBC313AF54DE224199D69@xmb-rcd-x02.cisco.com>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [rtcweb] [BEHAVE] FW: I-D Action: draft-muthu-behave-consent-freshness-04.txt
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2013 13:04:00 -0000

Le 2013-07-16 14:43, Muthu Arul Mozhi Perumal (mperumal) a écrit :
> |> |>    Liveness timer: If no packets have been received on the local port in
> |> |>    Tr seconds, the WebRTC browser MUST inform the JavaScript that
> |> |>    connectivity has been lost.  The JavaScript application will use this
> |> |>    notification however it desires (e.g., cease transmitting to the
> |> |>    remote peer, provide a notification to the user, etc.).
> |> |
> |> |This seems to me like it will not fulfill the goal set in the abstract:
> |> |"to ensure that a malicious JavaScript cannot use the browser as a
> |> |platform for launching attacks". If the JavaScript is free to ignore the
> |> |notification from the browser, then it has no security benefits. If you
> |> |want to reach that goal, the browser needs to forcefully stop transmitting.
> |>
> |> That goal is fulfilled by the consent checks -- the browser would stop transmitting everything on
> |that candidate pair, including liveness checks, if there is a consent failure.
> |
> |That's not what the draft says. It says that the browser "notifies" the
> |JS app. It needs to say that the browser MUST stop sending.
> 
> No. That section is about liveness check and its intention is just notify the JavaScript of a potential connectivity loss. It is when the consent check fails the browser actually stops sending everything. Does the draft need more text on the distinction between consent and liveness tests?

Ah! No, you're right, and the text is already perfectly clear about
this. No need to change. I was just confused.

> |> |>    When not actively sending traffic on a nominated candidate pair,
> |> |>    performing consent freshness does not serve any purpose from a
> |> |>    security perspective.
> |> |
> |> |I don't understand what this means. Why is the "security perspective"
> |> |important here? Aren't we concerned about keepalives?
> |>
> |> You mean one could use keepalives (Binding indications) for launching attacks, so consent freshness
> |would be required for sending them as well?
> |
> |No.
> |
> |This is a section about keepalives. I just don't understand this
> |sentence, and I don't understand why it talks about security.
> 
> Ok, let me elaborate:
> - Consent freshness is not necessary when the browser is not sending any 
>   traffic on a candidate pair.
> - If the browser is not performing consent freshness on a candidate pair 
>   for the above reason, it performs ICE keepalives (or RTP keepalives) to
>   refresh NAT bindings.
> 
> Of course, the browser could continue performing consent freshness even when it is not sending any other traffic on that candidate pair and skip ICE keepalives.

Ah, ok I understand with your explanation. It makes sense. There should
be a way to reformulate the text to make it clearer.

Thanks,
Simon