IETF Logo Mail Archive

Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-channel-12.txt> (WebRTC Data Channels) to Proposed Standard

Harald Alvestrand <harald@alvestrand.no> Sun, 12 October 2014 10:18 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2D6A91A8A50 for <rtcweb@ietfa.amsl.com>; Sun, 12 Oct 2014 03:18:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.086
X-Spam-Level:
X-Spam-Status: No, score=-2.086 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_57=0.6, RP_MATCHES_RCVD=-0.786] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c7b_OIMgZIyn for <rtcweb@ietfa.amsl.com>; Sun, 12 Oct 2014 03:18:27 -0700 (PDT)
Received: from mork.alvestrand.no (mork.alvestrand.no [158.38.152.117]) by ietfa.amsl.com (Postfix) with ESMTP id 475C11A8A4D for <rtcweb@ietf.org>; Sun, 12 Oct 2014 03:18:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mork.alvestrand.no (Postfix) with ESMTP id 667B77C4026 for <rtcweb@ietf.org>; Sun, 12 Oct 2014 12:18:26 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at alvestrand.no
Received: from mork.alvestrand.no ([127.0.0.1]) by localhost (mork.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Iwfyz4lPMRQ for <rtcweb@ietf.org>; Sun, 12 Oct 2014 12:18:25 +0200 (CEST)
Received: from [172.30.42.116] (c-58f0e555.03-217-73746f1.cust.bredbandsbolaget.se [85.229.240.88]) by mork.alvestrand.no (Postfix) with ESMTPSA id 75AE17C39A0 for <rtcweb@ietf.org>; Sun, 12 Oct 2014 12:18:25 +0200 (CEST)
Message-ID: <543A5570.7060208@alvestrand.no>
Date: Sun, 12 Oct 2014 12:18:24 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <20141010004836.12666.88765.idtracker@ietfa.amsl.com> <91953101b2634ec69d14e120ea62d929@CY1PR0501MB1579.namprd05.prod.outlook.com> <CABkgnnWE7czWqi4vQRb5d50N2k95joc_Zcvw6w6g7SOjU9b+9g@mail.gmail.com> <03a3bbbc282b4e6d88d587931b46b5f8@CY1PR0501MB1579.namprd05.prod.outlook.com> <57B40110-2F21-4893-B77C-54F46D18567F@lurchi.franken.de> <1DE35922-E890-40C2-87E9-C8C12235920E@phonefromhere.com> <E53B9B7E-37F0-495C-B1BA-DE0A48AC6D73@lurchi.franken.de> <abdfd3ef58dd40028e8d5e2248b5a995@CY1PR0501MB1579.namprd05.prod.outlook.com>
In-Reply-To: <abdfd3ef58dd40028e8d5e2248b5a995@CY1PR0501MB1579.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/f63AZLMsKQegGvs9Wuayfr9tCxw
Subject: Re: [rtcweb] Last Call: <draft-ietf-rtcweb-data-channel-12.txt> (WebRTC Data Channels) to Proposed Standard
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Oct 2014 10:18:30 -0000

Given that the middle box has to:

- decrypt and encrypt all packets (because the keys are different)
- assert its own identity towards both endpoints (because otherwise DTLS
doesn't work)
- be trusted by both endpoints (otherwise it's a MITM attack by definition)
- manage SCTP congestion control independently on the two legs (because
that's how SCTP works)

I don't see the reshuffling of packets between channel numbers to be an
excessive *additional* burden.

The kind of "middle box" that "just shuffles bits" while doing something
to them or with them in addition doesn't exist in the WebRTC context.


On 10/11/2014 06:58 PM, Wyss, Felix wrote:
>>> Yes, it does. I think the worry is that the middle box may end up as DTLS server to both legs.
>> And why can't the middle box avoid this?
> How can it if it is the offerer on both legs?  From RFC#5763, section 5 (page 10): "The endpoint that is the offerer MUST use the setup attribute value of setup:actpass and be prepared to receive a client_hello before it receives the answer."
>
> The answerer thus gets to pick whether it is the client or server.  As mentioned in my original message, the answerer picking client is desirable as it can speed up the DTLS negotiation.  So almost invariably the middlebox will be DTLS server on both legs.
>
>
>>> That leaves both endpoints as DTLS clients. This then breaks the
>>> odd-even split and risks the endpoints allocating the same stream numbers.
>> I think "risks" is the wrong term here. I guess they will run into this almost always.
> Not necessarily if the endpoints draw their IDs at random.  That makes this particularly problematic as everything may appear to work fine but then fail intermittently in the field due to collisions.  
>
> --Felix
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb


-- 
Surveillance is pervasive. Go Dark.

v2.23.0 | Report a Bug | By Email