Re: [rtcweb] Requiring ICE for RTC calls

Matthew Kaufman <matthew.kaufman@skype.net> Tue, 27 September 2011 17:22 UTC

Message-ID: <4E8206FB.6060208@skype.net>
Date: Tue, 27 Sep 2011 10:25:15 -0700
From: Matthew Kaufman <matthew.kaufman@skype.net>
To: Roman Shpount <roman@telurix.com>
References: <CAD5OKxtNjmWBz92bRuxka7e-BUpTPgVUvr3ahJGpmZ-U5nuPbQ@mail.gmail.com> <CAD6AjGSmz5T_F+SK2EoBQm6T-iRKp7dd4j8ZAF5JKdbbyomZQA@mail.gmail.com> <CALiegfmO54HC+g9L_DYn4jtXAAbLEvS++qxKa6TNrLDREs9SeA@mail.gmail.com> <4E80984A.903@skype.net> <CALiegfmyvTb57WVooKryS-ubfcg+w5gZ+zfO1zzBLn3609AzaA@mail.gmail.com> <4E809EE6.2050702@skype.net> <CAD5OKxvUOadaU0dnB7-Ho9cZ92VY+4Owuhj7oKPCx9Jy1iwT1Q@mail.gmail.com> <C2DF2C51-B3F7-443D-A047-7E6FB03E6D20@phonefromhere.com> <CAD5OKxsy2eKx5Bc8iayYazSyyykZZTGx9UO7NEE=fxYYdouy0w@mail.gmail.com> <4E81E8AB.2080404@skype.net> <CAD5OKxukiZzhotpjhmH6y6XCRYsBWUjzYAUYX9bGy+n=D-V31g@mail.gmail.com>
In-Reply-To: <CAD5OKxukiZzhotpjhmH6y6XCRYsBWUjzYAUYX9bGy+n=D-V31g@mail.gmail.com>
Cc: Randell Jesup <randell-ietf@jesup.org>, rtcweb@ietf.org

On 9/27/11 9:30 AM, Roman Shpount wrote:
> Matthew,
>
> One possible solution would be to have a slow rate RTP start, ... I do 
> realize that the problem with this that the RTP packets can be spoofed 
> to force the web end point to transmit, but this is the best solution 
> I see so far.

You are correct that an attacker can spoof RTP packets to override this 
mechanism. Thus it is not sufficient. RTCP is also not sufficient, as 
we've been through this before: 
http://www.ietf.org/mail-archive/web/rtcweb/current/msg00500.html


>
> Independently from all of this, SRTP should be optional. It does 
> present privacy concerns, but they are no different than privacy 
> concerns over HTTP.

The difference is that knowing whether your media is using SRTP or not 
is more difficult than knowing that the content was delivered over HTTPS 
or HTTP, without significantly more browser chrome.

Matthew Kaufman
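The exchange above turns on one fact: an RTP packet carries nothing a receiver can use to prove who sent it, so a "slow-start until RTP arrives from the peer" gate is opened by anyone who forges the peer's source address, whereas an ICE connectivity check is keyed with a password the attacker does not have. The following is an added example, not code from the rtcweb thread or from either participant; it models Roman's proposal as quoted above (as I read it) and an ICE-style check side by side. The packet layouts are simplified assumptions: the "STUN response" here is type(2) | transaction-id(12) | HMAC-SHA1(20) and is not a wire-accurate RFC 5389 message, the addresses and ice-pwd are constructed sample values, and the class and function names are mine.

```python
# Added example (not from the rtcweb thread). Toy model of why a receiver-
# triggered RTP "slow start" is spoofable while an ICE-style STUN check is not.
# Assumption: simplified STUN framing = type(2) | tid(12) | HMAC-SHA1(20).
import hashlib
import hmac
import os
import struct

STUN_BINDING_RESPONSE = 0x0101


def parse_rtp_header(pkt: bytes) -> dict:
    """Parse the 12-byte RTP fixed header (RFC 3550). Every field in it
    (version, payload type, seq, timestamp, SSRC) is guessable or forgeable;
    there is no key and no MAC, so it cannot prove who sent the packet."""
    if len(pkt) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc}


def build_rtp(seq: int, ssrc: int, pt: int = 0, ts: int = 0, payload: bytes = b"") -> bytes:
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload


class NaiveRtpGatedSender:
    """Trickle until RTP arrives from the peer's address, then go full rate.
    The only 'proof' of consent is the source address in the IP header."""

    def __init__(self, peer_addr):
        self.peer_addr = peer_addr
        self.full_rate = False

    def on_packet(self, src_addr, pkt: bytes) -> None:
        try:
            parse_rtp_header(pkt)
        except ValueError:
            return
        if src_addr == self.peer_addr:  # spoofable
            self.full_rate = True


class IceConsentSender:
    """Send a check with a random 96-bit transaction id; go full rate only on a
    response whose MAC verifies under the peer's ice-pwd (learned via signalling)."""

    def __init__(self, peer_addr, peer_ice_pwd: bytes):
        self.peer_addr = peer_addr
        self.peer_ice_pwd = peer_ice_pwd
        self.pending = set()
        self.full_rate = False

    def send_check(self) -> bytes:
        tid = os.urandom(12)
        self.pending.add(tid)
        return tid  # request body omitted; only the tid matters for this model

    def on_packet(self, src_addr, pkt: bytes) -> None:
        if src_addr != self.peer_addr or len(pkt) != 34:
            return
        (msg_type,) = struct.unpack("!H", pkt[:2])
        tid, mac = pkt[2:14], pkt[14:]
        if msg_type != STUN_BINDING_RESPONSE or tid not in self.pending:
            return  # unknown or replayed transaction id
        expected = hmac.new(self.peer_ice_pwd, pkt[:14], hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expected):
            return  # wrong password: attacker cannot compute the MAC
        self.pending.discard(tid)
        self.full_rate = True


def stun_response(ice_pwd: bytes, tid: bytes) -> bytes:
    """Response as built by the honest peer (who holds ice_pwd)."""
    head = struct.pack("!H", STUN_BINDING_RESPONSE) + tid
    return head + hmac.new(ice_pwd, head, hashlib.sha1).digest()


PEER = ("192.0.2.10", 50000)           # constructed sample address
PEER_PWD = b"Ww7o3ENs0Gw1zPZ8JtpXcq2+"  # constructed sample ice-pwd
ATTACKER_GUESS = b"not-the-real-password"


def spoofed_rtp_defeats_naive_gate() -> bool:
    s = NaiveRtpGatedSender(PEER)
    # Attacker forges PEER as the source address of a well-formed RTP packet.
    s.on_packet(PEER, build_rtp(seq=1, ssrc=0xDEADBEEF))
    return s.full_rate


def spoofed_stun_fails_ice_gate() -> bool:
    s = IceConsentSender(PEER, PEER_PWD)
    tid = s.send_check()
    # Same forged source address, but no ice-pwd: MAC does not verify.
    s.on_packet(PEER, stun_response(ATTACKER_GUESS, tid))
    # A replayed response to some other transaction is rejected on the tid.
    s.on_packet(PEER, stun_response(PEER_PWD, os.urandom(12)))
    return s.full_rate


def honest_peer_passes_ice_gate() -> bool:
    s = IceConsentSender(PEER, PEER_PWD)
    tid = s.send_check()
    s.on_packet(PEER, stun_response(PEER_PWD, tid))
    return s.full_rate
```

Running the three probe functions shows the naive gate opening on the spoofed RTP packet, the ICE-style gate staying closed for both the wrong-password and the wrong-transaction-id responses, and opening only for the honest peer. The model deliberately leaves out the request direction, the ICE credential exchange in SDP and the STUN attribute encoding; the point it isolates is that a keyed MAC plus a fresh random transaction id gives the sender something RTP alone never can.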