Re: [rtcweb] consent freshness and ICE-lite

Bernard Aboba <> Tue, 17 July 2012 06:11 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E41E911E80BD for <>; Mon, 16 Jul 2012 23:11:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -101.727
X-Spam-Status: No, score=-101.727 tagged_above=-999 required=5 tests=[AWL=-0.525, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DVqAaBhmJO9S for <>; Mon, 16 Jul 2012 23:11:44 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id C9E5811E80B7 for <>; Mon, 16 Jul 2012 23:11:43 -0700 (PDT)
Received: from BLU401-EAS427 ([]) by with Microsoft SMTPSVC(6.0.3790.4675); Mon, 16 Jul 2012 23:12:30 -0700
X-Originating-IP: []
X-Originating-Email: []
Message-ID: <BLU401-EAS427580C5793EC88085DA83093DB0@phx.gbl>
References: <> <BLU401-EAS266337B57B89CAB7E5E2D3893DB0@phx.gbl> <>
Content-Transfer-Encoding: 7bit
From: Bernard Aboba <>
Content-Type: multipart/alternative; boundary="Apple-Mail-EAD7C932-A9AD-4FBD-925F-35942A13A7E0"
In-Reply-To: <>
Date: Mon, 16 Jul 2012 23:16:44 -0700
To: "Muthu Arul Mozhi Perumal (mperumal)" <>
MIME-Version: 1.0 (1.0)
X-OriginalArrivalTime: 17 Jul 2012 06:12:30.0331 (UTC) FILETIME=[259BDCB0:01CD63E3]
Cc: "" <>
Subject: Re: [rtcweb] consent freshness and ICE-lite
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 17 Jul 2012 06:11:45 -0000

Since it's a gateway not a browser, presumably it doesn't support JavaScript.  So there is no "application"  an attacker can run on the gateway, there is just (static) gateway code.

On Jul 16, 2012, at 22:43, "Muthu Arul Mozhi Perumal (mperumal)" <> wrote:

> Right, consent is requested by the sender and granted by the receiver. While one side has granted consent for receiving on a candidate pair, the other side could have revoked it. So consent verification/freshness is unilateral.
> A gateway/browser implementing ICE-lite will only be able to grant consent to send, but will not be able to request consent. So, a malicious application can use it for sending unwanted traffic.
> Liveness determines continued connectivity on a candidate pair. Since the networks paths can be asymmetric, both ends need to perform the liveness test.
> Muthu
> From: [] On Behalf Of Bernard Aboba
> Sent: Tuesday, July 17, 2012 9:03 AM
> To: Ejzak, Richard P (Richard)
> Cc:
> Subject: Re: [rtcweb] consent freshness and ICE-lite
> Consent freshness and liveness is used to assure a browser that the recipient has authorized it to 
> send media and that it is still there. So if a gateway wants to receive, answer Binding Requests 
> sent to it.  
> If a gateway is on the public Internet, supports ICE lite and does not send a Binding Request 
> to a browser, but does implement RFC 6263, then NAT bindings can be kept alive and media 
> should still flow.  So I think this is viable.
> On Jul 16, 2012, at 18:13, "Ejzak, Richard P (Richard)" <> wrote:
> Sections 4.2, 4.4 and 5.3 of draft-ietf-rtcweb-security-arch-03.txt have text that seems to be contradictory.  In particular, 5.3 requires support of ICE-lite at server gateways but each endpoint is described as sending ICE binding requests for ICE consent verification in 4.2 (which is it?).  4.4 also requires RTCWeb implementations to perform periodic binding requests to verify consent freshness.  Is a server gateway an RTCWeb implementation subject to this requirement?  I thought that one of the reasons the WG decided to use binding requests instead of binding indications to allow bilateral consent initiated by a single endpoint (in particular, so that an RTCWeb browser could interoperate with either a server gateway implementing ICE-lite or a non-RTCWeb endpoint not implementing the RTCWeb consent freshness procedures in such a way that only the RTCWeb browser needed to send periodic binding requests to maintain bilateral consent freshness).
> Does a binding request provide unilateral or bilateral consent verification/freshness?
> Is a server gateway implementing ICE-lite required to send ICE binding requests anyway for consent verification and/or consent freshness, or is it sufficient for such an implementation to indicate its own consent by just responding to received binding requests?
> Do we care about compatibility with ICE compliant endpoints that do not use binding requests for consent freshness?
> Does a browser treat a response to a binding request the same as a received binding request for consent freshness?
> It would be helpful to have clear answers to these questions in the security architecture document.
> Thanks,
> Richard Ejzak
> _______________________________________________
> rtcweb mailing list