IETF Logo Mail Archive

Re: [rtcweb] [tram] TURN permissions for private ips

Cullen Jennings <fluffy@iii.ca> Fri, 14 August 2015 15:39 UTC

Return-Path: <fluffy@iii.ca>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9915E1ACD46 for <rtcweb@ietfa.amsl.com>; Fri, 14 Aug 2015 08:39:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IYrD0GB-5Gc9 for <rtcweb@ietfa.amsl.com>; Fri, 14 Aug 2015 08:39:41 -0700 (PDT)
Received: from smtp89.ord1c.emailsrvr.com (smtp89.ord1c.emailsrvr.com [108.166.43.89]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12EE41ACD3C for <rtcweb@ietf.org>; Fri, 14 Aug 2015 08:39:41 -0700 (PDT)
Received: from smtp12.relay.ord1c.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp12.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 4B2AE380340; Fri, 14 Aug 2015 11:39:40 -0400 (EDT)
Received: by smtp12.relay.ord1c.emailsrvr.com (Authenticated sender: fluffy-AT-iii.ca) with ESMTPSA id A5A8E3803DA; Fri, 14 Aug 2015 11:39:38 -0400 (EDT)
X-Sender-Id: fluffy@iii.ca
Received: from [172.20.10.2] ([UNAVAILABLE]. [209.52.88.8]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:465 (trex/5.4.2); Fri, 14 Aug 2015 15:39:39 GMT
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
Content-Type: text/plain; charset="utf-8"
From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <F144FF61-AAC6-4E0A-B08E-0E3F9B487F1B@vidyo.com>
Date: Fri, 14 Aug 2015 08:39:37 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <CA9F86E1-5CE6-4E08-85CA-7EB727759516@iii.ca>
References: <20150805130607.20844.70680.idtracker@ietfa.amsl.com> <CABcZeBMWVU9a1_e_47qddA04WhXG55QYzFA=dTrYgi+DuLQhKA@mail.gmail.com> <55C24293.5000603@cs.tcd.ie> <55C24C09.8020404@goodadvice.pages.de> <55C256C8.80606@jive.com> <CAOJ7v-3hyFhHiFq4eujLznXtehkUSxZati8YZ23o-RPLH=J5zg@mail.gmail.com> <F144FF61-AAC6-4E0A-B08E-0E3F9B487F1B@vidyo.com>
To: Jonathan Lennox <jonathan@vidyo.com>
X-Mailer: Apple Mail (2.2102)
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/tL999t7xolDeCWYsbv6c1Tk8frM>
Cc: mmusic <mmusic@ietf.org>, "rtcweb@ietf.org" <rtcweb@ietf.org>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [rtcweb] [tram] TURN permissions for private ips
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Aug 2015 15:39:42 -0000

> On Aug 6, 2015, at 7:14 AM, Jonathan Lennox <jonathan@vidyo.com> wrote:
> 
> 
>> On Aug 5, 2015, at 5:35 PM, Justin Uberti <juberti@google.com> wrote:
>> 
>> On Wed, Aug 5, 2015 at 11:32 AM, Simon Perreault <sperreault@jive.com> wrote:
>> Le 2015-08-05 13:46, Philipp Hancke a écrit :
>> > If a peer sends candidates with IP addresses from the private space,
>> > permissions for those are created at the TURN server. Potentially not
>> > utilising transport encryption even.
>> >
>> > I doubt those candidates ever work, so from a privacy point of view it
>> > seems that clients should not create those permissions in the first
>> > place. And ICE should probably not try to create pairs.
>> 
>> It's not up to the client to determine what addresses might not might
>> not work for a given TURN server. There are lots of weird NAT
>> configurations out there that play games with RFC1918 addresses and can
>> easily trick clients into doing the wrong thing.
>> 
>> I am somewhat sympathetic to that, but given that there is measurable downside here - extra candidate pairs that take time to check - can you supply a concrete example of where the client choosing not to pair a TURN candidate with a RFC1918 address would cause a problem?
> 
> This is really an ICE question, not a TURN question, so adding MMUSIC.
> 
> Clearly, if your TURN server is actually on the public internet, pairing RFC1918 address with its candidates won’t do any good.  However, there can be scenarios where you have a TURN server sitting in a DMZ or the like, where it can actually route to RFC 1918 addresses.  I suspect this will be relevant in the various scenarios where the TURN server is topologically equivalent to a web proxy. 
> 
> As I recall from the discussions around the development of ICE, there are actually a fair number of networks out there which have public IPv4 and RFC1918 addresses directly routable to each other. The examples I remember came about as a result of corporate mergers, where one of the pre-merger companies was using their public address space internally, and the other wasn’t.
> 

Some SPs are putting all their customers behind CGN (carrier grade NAT) and then looking at running cloud data centers where other people can rent servers (AWS style) where those servers have public IPs and at the same time they are directly routable to the all the NATed clients. That allows you to run media servers (STUN, TURN, Conferences MCU / Switches, caches etc) that have a low latency connectivity to the SP's customers endpoints. Note the customers's themselves often deploy an additional layer of residential NAT. 

So scenarios like this might be getting more common ....

v2.23.0 | Report a Bug | By Email