IETF Logo Mail Archive

Re: [rtcweb] No a=ice-lite in JSEP-04

Harald Alvestrand <harald@alvestrand.no> Thu, 03 October 2013 17:58 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1183721F8546 for <rtcweb@ietfa.amsl.com>; Thu, 3 Oct 2013 10:58:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.598
X-Spam-Level:
X-Spam-Status: No, score=-110.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g32zQroOe90i for <rtcweb@ietfa.amsl.com>; Thu, 3 Oct 2013 10:58:28 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id F128711E8133 for <rtcweb@ietf.org>; Thu, 3 Oct 2013 10:43:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 9B07739E27D for <rtcweb@ietf.org>; Thu, 3 Oct 2013 19:43:36 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nY42oCuEa1+O for <rtcweb@ietf.org>; Thu, 3 Oct 2013 19:43:35 +0200 (CEST)
Received: from [172.19.6.255] (unknown [216.239.45.95]) by eikenes.alvestrand.no (Postfix) with ESMTPSA id 9478E39E222 for <rtcweb@ietf.org>; Thu, 3 Oct 2013 19:43:34 +0200 (CEST)
Message-ID: <524DACC4.8060901@alvestrand.no>
Date: Thu, 03 Oct 2013 19:43:32 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <56C2F665D49E0341B9DF5938005ACDF811144C@DEMUMBX005.nsn-intra.net> <CALiegfn+u-LD=W1S2te6UB1+u6yd7xAbpKO_U=qUEsD-aWv6cw@mail.gmail.com> <CAOJ7v-2UHjitspwzJ_nzdDXwN_ZoVAk=86O98khhhoOdAtVhiA@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B1C4B37B8@ESESSMB209.ericsson.se> <2F515906-BEC6-4ACA-BF2B-172E6ADBDAF1@phonefromhere.com> <CALiegf=EmbKX7KPffa79eDn4zFxuZBkNFNsh-aX-iTecob7v6Q@mail.gmail.com> <54B5DF36-6BEE-4FA4-ACA1-D4912F9A49AB@nostrum.com>, <524D94E0.7020801@matthew.at>, <7594FB04B1934943A5C02806D1A2204B1C4B3AEC@ESESSMB209.ericsson.se> <7594FB04B1934943A5C02806D1A2204B1C4B3C06@ESESSMB209.ericsson.se>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B1C4B3C06@ESESSMB209.ericsson.se>
X-Enigmail-Version: 1.5.2
Content-Type: multipart/alternative; boundary="------------010000050403030206050709"
Subject: Re: [rtcweb] No a=ice-lite in JSEP-04
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Oct 2013 17:58:40 -0000

On 10/03/2013 06:48 PM, Christer Holmberg wrote:
>
> What I think we DO need to say (eventhough someone may think it's
> obvious) , in the continous consent spec, is that ICE-lite entities do
> not send cc STUN requests.
>

Hm. If correct: What are the consequences of that?

It seems to me that the entity sending cc STUN requests is the one
asking for permission (although I may have misremembered something). So
this means that if there are no cc STUN requests coming from the
ice-lite end, the ice-lite end is neither requesting permission to
contine to send, nor is it going to stop sending when the WebRTC end
tries to revoke permission.

With the security guarantees we've been trying to work in here, where
it's safe to execute Javascript because there's a limit to how much
damage you can do with it.... I reach this conclusion:

Entities that implement the WebRTC API, and allow others' Javascript to
access that API (for brevity's sake, let's call them "browsers", even
though W3C tends to call them "UAs") MUST NOT implement ice-lite. No
matter whether they have a public IP address or not; if they implement
ice-lite, they can't offer the security guarantees we want.

Entities that don't offer an API that allows third parties to start
connections from it (for brevity, "non-browsers") have to be taken over
in other ways in order to perform an attack anyway, in which case all
the WebRTC guarantees are shot - so there's no harm in allowing them to
implement ice-lite.


>  
>
> Regards,
>
>  
>
> Christer
>
>  
>
> ------------------------------------------------------------------------
> *From:* rtcweb-bounces@ietf.org [rtcweb-bounces@ietf.org] on behalf of
> Christer Holmberg [christer.holmberg@ericsson.com]
> *Sent:* Thursday, 03 October 2013 7:30 PM
> *To:* Matthew Kaufman; rtcweb@ietf.org
> *Subject:* Re: [rtcweb] No a=ice-lite in JSEP-04
>
> Hi,
>
>  
>
> Do we really need to say more than the ICE RFC already says? I think
> it explains when ICE-lite is appropriate, and when it isn't.
>
>  
>
> Regards,
>
>  
>
> Christer
>
>  
>
>  
>
> ------------------------------------------------------------------------
> *From:* rtcweb-bounces@ietf.org [rtcweb-bounces@ietf.org] on behalf of
> Matthew Kaufman [matthew@matthew.at]
> *Sent:* Thursday, 03 October 2013 7:01 PM
> *To:* rtcweb@ietf.org
> *Subject:* Re: [rtcweb] No a=ice-lite in JSEP-04
>
> On 10/3/2013 7:53 AM, Adam Roach wrote:
> > On Oct 3, 2013, at 9:31, Iñaki Baz Castillo <ibc@aliax.net> wrote:
> >
> >> If I implement my own WebRTC stack in a smartphone app, am I
> disallowed to do ICE-lite in my side??
> > I would hope so, yes. The chance that your smartphone app would have
> any hope if working if it did ice lite are as close to zero as to make
> no difference.
> >
> > The fact that implementors apparently don't see this as an obvious
> fact tells me that we need pretty strong language around this
> prohibition, and "browser" is clearly too narrow a scope.
> >
> >
>
> The spec should say that:
> 1. The prohibition on sending media prior to completing a STUN
> connectivity test is a MUST
> 2. A full ICE implementation is a SHOULD
>
> If I'm building a system with clients at one end and gateways with
> public addresses at the other, a full ICE implementation isn't required
> anywhere in order to make calls through those gateways. But keeping the
> browser from being able to spew media at something that hasn't consented
> *is* required.
>
> Matthew Kaufman
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb


-- 
Surveillance is pervasive. Go Dark.

v2.23.0 | Report a Bug | By Email