Re: [rtcweb] STUN for keep-alive - RTCP-less applications

Harald Alvestrand <harald@alvestrand.no> Sat, 24 September 2011 16:02 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED5BB21F8678 for <rtcweb@ietfa.amsl.com>; Sat, 24 Sep 2011 09:02:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.211
X-Spam-Level:
X-Spam-Status: No, score=-109.211 tagged_above=-999 required=5 tests=[AWL=1.088, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PyJH+BIsL-lk for <rtcweb@ietfa.amsl.com>; Sat, 24 Sep 2011 09:02:22 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id 0614921F85A1 for <rtcweb@ietf.org>; Sat, 24 Sep 2011 09:02:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 0B41C39E0E7; Sat, 24 Sep 2011 18:04:59 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DdUlHGccx8Zh; Sat, 24 Sep 2011 18:04:58 +0200 (CEST)
Received: from [192.168.0.14] (c213-89-141-213.bredband.comhem.se [213.89.141.213]) by eikenes.alvestrand.no (Postfix) with ESMTPS id 2F85F39E082; Sat, 24 Sep 2011 18:04:58 +0200 (CEST)
Message-ID: <4E7DFFAA.2040306@alvestrand.no>
Date: Sat, 24 Sep 2011 18:04:58 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.21) Gecko/20110831 Thunderbird/3.1.13
MIME-Version: 1.0
To: =?UTF-8?B?ScOxYWtpIEJheiBDYXN0aWxsbw==?= <ibc@aliax.net>
References: <7F2072F1E0DE894DA4B517B93C6A05852233EDB21D@ESESSCMS0356.eemea.ericsson.se> <092401cc749b$8fd64940$af82dbc0$@com> <CABcZeBPgRD6kb2gg=m9NckSa1wrzwzJS6527nYqFG34b0cjfgQ@mail.gmail.com> <4E765E4A.3050801@alvestrand.no> <7532C74D-D0D7-474D-80C7-61C07E9290AA@edvina.net> <7D7982AF-7478-4AFD-9F39-ED04A43FEF53@edvina.net> <673BCA71-B624-4DCA-B681-7012E6F9D202@acmepacket.com> <4E799E18.30000@ericsson.com> <855B9078-A81F-45D9-B12F-46CC46C15B60@acmepacket.com> <4E79D5DF.4050402@ericsson.com> <68121E70-4363-47F8-8761-23728C56D003@acmepacket.com> <9348BF4A-8674-4888-9DDC-C734FB935A28@csperkins.org> <7B9A57BB-A585-487D-9655-D835C527059B@acmepacket.com> <4E7AE83E.9090508@ericsson.com> <CALiegfmxjP5ojZeAoz6sYUkKwE7XOtTSGJAOydbX+sm23hrwjg@mail.gmail.com> <7DEACFFC-8AF3-4450-8844-FF6E187AE4D2@edvina.net> <CALiegf=5OPFjvn8WaJq_38OKuGkCed4-M0JTEKJczcCvkAj2YA@mail.gmail.com> <4E7DF923.1070308@alvestrand.no> <CALiegfn-c6EN6K880ZAJLd7r3NcxjPnqAh=W28JMY6FPLXaHeg@mail.gmail.com>
In-Reply-To: <CALiegfn-c6EN6K880ZAJLd7r3NcxjPnqAh=W28JMY6FPLXaHeg@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] STUN for keep-alive - RTCP-less applications
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2011 16:02:23 -0000

On 09/24/2011 05:54 PM, Iñaki Baz Castillo wrote:
> 2011/9/24 Harald Alvestrand<harald@alvestrand.no>;:
>> On 09/24/2011 03:37 PM, Iñaki Baz Castillo wrote:
>>> Hi. I dont mean that security decisions are taken by the final user, but
>>> by the service provider. If it is a local intranet or the users access the
>>> intranet via a secure vpn, security can be relaxed ans the site provider
>>> could determine that plain rtp is allowed.
>>>
>> Remember that in the RTCWEB context, the service provider (the provider of
>> the Javascript and the Web service) is presumed malicious.
> But the user would *always* be asked for permission before
> starting/accepting a media session, right? The same as it occurs with
> Flash applications asking for micro/webcam usage. Such prompt should
> be standarized by RTCweb and should let the user know the security
> aspects of the offer:
>
> -------------------
> The web site www.domain.org asks you for permissions to start a
> audio/[video] session using your micro and web cam.
> Audio/video communication is not required to be encripted/secured.
>
> Do you accept?
>
> [ yes ]  [ no ]
> ------------------
Are we on the same subject line?

In the context we are talking about here (RTCP-less RTP flows), the 
prompt would have to be:

-----------
The web site www.domain.org wishes to send media to some other place on 
the Internet, and to set the option that allows it to communicate 
without using congestion control being available. You have no way of 
figuring out where the packets are going, whether this will cause harm 
to you, your network or anything else between here and there.

Do you accept?

[ yes ] [ no ]
----------
(note that if we want to include the place stuff is going to in the 
prompt, the prompt has to pop up AFTER we've established the call, and 
pop up again every time the transport addres is renegotiated.)

Does this seem reasonable?

>