IETF Logo Mail Archive

Re: [rtcweb] WGLC for draft-ietf-rtcweb-ip-handling

Cullen Jennings <fluffy@iii.ca> Tue, 27 March 2018 18:18 UTC

Return-Path: <fluffy@iii.ca>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 410E712D77C for <rtcweb@ietfa.amsl.com>; Tue, 27 Mar 2018 11:18:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8-NB0zE-Iqdq for <rtcweb@ietfa.amsl.com>; Tue, 27 Mar 2018 11:18:22 -0700 (PDT)
Received: from smtp65.iad3a.emailsrvr.com (smtp65.iad3a.emailsrvr.com [173.203.187.65]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4083612778E for <rtcweb@ietf.org>; Tue, 27 Mar 2018 11:18:22 -0700 (PDT)
Received: from smtp33.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]) by smtp33.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id AE9DF5819; Tue, 27 Mar 2018 14:18:15 -0400 (EDT)
X-Auth-ID: fluffy@iii.ca
Received: by smtp33.relay.iad3a.emailsrvr.com (Authenticated sender: fluffy-AT-iii.ca) with ESMTPSA id 44BA157FF; Tue, 27 Mar 2018 14:18:15 -0400 (EDT)
X-Sender-Id: fluffy@iii.ca
Received: from [10.1.3.91] (S0106004268479ae3.cg.shawcable.net [70.77.44.153]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:587 (trex/5.7.12); Tue, 27 Mar 2018 14:18:15 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_B8CE01B8-052A-4E95-A2AB-E99D85818E11"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <CA+9kkMDuFuBDkxFfrSFwXFMRNH_FqUKxmTRz6VjCeZLLc3XRCw@mail.gmail.com>
Date: Tue, 27 Mar 2018 12:18:13 -0600
Cc: RTCWeb IETF <rtcweb@ietf.org>
Message-Id: <6595CE27-B2FD-4F3A-B0ED-9992C49E1A4B@iii.ca>
References: <1D5B431C-801E-4F8C-8026-6BCBB72FF478@sn3rd.com> <8C7113E7-1D06-4FF4-BDD8-9F40E9C94D86@iii.ca> <CA+9kkMDuFuBDkxFfrSFwXFMRNH_FqUKxmTRz6VjCeZLLc3XRCw@mail.gmail.com>
To: Ted Hardie <ted.ietf@gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/fk483uwS5dGy5v6_qJXJstsZK-U>
Subject: Re: [rtcweb] WGLC for draft-ietf-rtcweb-ip-handling
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Mar 2018 18:18:25 -0000


> On Mar 27, 2018, at 11:35 AM, Ted Hardie <ted.ietf@gmail.com> wrote:
> 
> Question as chair:
> 
> On Tue, Mar 27, 2018 at 9:57 AM, Cullen Jennings <fluffy@iii.ca <mailto:fluffy@iii.ca>> wrote:
> 
> There are several people who's opinion I deeply respect that have looked at this problem in detail. They somewhat agree the above is a problem, but they argue it is better than any alternative design. I disagree with this.The root of the problem we are trying to solve with this draft is that some VPNs are configured to send some packets over the VPN while at the same time some other packets are not sent over the VPN. If you use a VPN configured like this to try and hide your location, WebRTC can end up sending packets not over the VPN and that can reveal your location. I think the right solution to this problem is to acknowledge this is a VPN problem, not a WebRTC problem. If you are using a VPN to hide your location, do not allow that VPN to send packets outside the VPN. I will note most VPNs support this.
> 
> 
> The document's current description of this problem is:
> 
>        If the client is multihomed, additional public IP addresses for
>        the client can be learned.  In particular, if the client tries to
>        hide its physical location through a Virtual Private Network
>        (VPN), and the VPN and local OS support routing over multiple
>        interfaces (a "split-tunnel" VPN), WebRTC will discover not only
>        the public address for the VPN, but also the ISP public address
>        over which the VPN is running.
> Would adding a statement such as "Users desiring maximum privacy should avoid split-tunnel configurations when they are in control of that configuration" help?  
> 
> Ted

I think proposal along those lines had been rejected in the past by WG. The problem is we get in arguments about if it should say something like your suggestions or something more like “Users desiring location privacy must not use split-tunnel VPN configurations with WebRTC”. As you know, this is not a case of just noticing something new in WGLC, this problem and argument has been considered by the WG and I think Stephen and I are in the rough. 

I do appreciate you trying to find some middle ground here

v2.23.0 | Report a Bug | By Email