IETF Logo Mail Archive

Re: [rtcweb] I-D Action: draft-ietf-rtcweb-stun-consent-freshness-08.txt - Some additional questions

Martin Thomson <martin.thomson@gmail.com> Thu, 20 November 2014 07:19 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D62ED1A009E for <rtcweb@ietfa.amsl.com>; Wed, 19 Nov 2014 23:19:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dvUKA5Ixq1ga for <rtcweb@ietfa.amsl.com>; Wed, 19 Nov 2014 23:19:21 -0800 (PST)
Received: from mail-ob0-x235.google.com (mail-ob0-x235.google.com [IPv6:2607:f8b0:4003:c01::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B82F91A0099 for <rtcweb@ietf.org>; Wed, 19 Nov 2014 23:19:21 -0800 (PST)
Received: by mail-ob0-f181.google.com with SMTP id gq1so1762391obb.40 for <rtcweb@ietf.org>; Wed, 19 Nov 2014 23:19:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2fxtnqFpH2LYEWz1er6qCExvQvZTp3N/bAhvEkLUSjw=; b=HobaEP0+j0ovSTxEW1wz9OWOs66z/EyYh8iMjZvvHj1TOp8BXM4HMVYtoO8bufxCmD 2SRd0Y/WeU0Evxy1QHC9+1uEzWE/6XXA64sN1jY94/G+rut8XCmwJsv/aaDFNB6VeTSg Avh6gayY4ub1MyR/hGgwSV+KZ2mpFqPTXbgya2txBpqb7A//OixAg6prfGt63ExZdgSg G7l8M8V7Xf3THxBi5/aL+0g5ZqfirD1hNOEuTTUKlsxasiF7Npgb6Lr2XOSyx0OGHyvY tTjAUn3NPA7JOEA9e8VmjruJoac7+NMTuRR2+qzirrb4z8Ir9ujIOmil9tHjkVyLgD0W S5fg==
MIME-Version: 1.0
X-Received: by 10.182.102.37 with SMTP id fl5mr40631003obb.24.1416467961017; Wed, 19 Nov 2014 23:19:21 -0800 (PST)
Received: by 10.202.115.4 with HTTP; Wed, 19 Nov 2014 23:19:20 -0800 (PST)
Received: by 10.202.115.4 with HTTP; Wed, 19 Nov 2014 23:19:20 -0800 (PST)
In-Reply-To: <D0936AAE.19A4C%rmohanr@cisco.com>
References: <7594FB04B1934943A5C02806D1A2204B1D4CE861@ESESSMB209.ericsson.se> <D0898477.19024%rmohanr@cisco.com> <7594FB04B1934943A5C02806D1A2204B1D525F52@ESESSMB209.ericsson.se> <D0936AAE.19A4C%rmohanr@cisco.com>
Date: Wed, 19 Nov 2014 23:19:20 -0800
Message-ID: <CABkgnnU-Cxj5CUR-BQM9o-FeOCWWdOqcViWovwBDV_sdcVTi-Q@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "Ram Mohan R (rmohanr)" <rmohanr@cisco.com>
Content-Type: multipart/alternative; boundary="089e0149d172a6fa95050845253f"
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/vX3vCFDRj4U9gjJHCRgaqQ1E9p4
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] I-D Action: draft-ietf-rtcweb-stun-consent-freshness-08.txt - Some additional questions
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2014 07:19:24 -0000

It is really hard following these threads, but it looks like this is being
over-thought.

"This document defines what it takes to obtain, maintain, and lose consent
to send. Consent to send applies to a single 5-tuple. What applications
choose to do with this information is not described in this document."

Add that to the introduction perhaps. We run the risk of expanding scope
otherwise.

As for the question of re-acquisition of consent, I think that we should
keep it simple. For this:

"After consent is lost for any reason, the same ICE credentials MUST NOT be
used on the affected 5-tuple again. That means that a new session, or an
ICE restart at least, is needed to obtain consent to send."

Better to keep the rule simple, and we don't want to leave an option open
for a packet-drop-based attack here.

And one more thing ...

On Nov 19, 2014 6:41 PM, "Ram Mohan R (rmohanr)" <rmohanr@cisco.com> wrote:
> >>>
> >>>There IS text saying:
> >>>
> >>>     "An endpoint that is not sending any application data does not
need to
> >>>     maintain consent.  However, the endpoint needs to ensure its NAT
or
> >>>     firewall mappings persist which can be done using keepalive or
other
> >>>     techniques (see Section 10 of [RFC5245] and see [RFC6263])."
> >>>
> >>>However, that seems to be more related to cases where I don't intend to
> >>>send application data to begin with.
> >>>
> >>>So, perhaps the text above can be modified, to clarify that keepalives
> >>>etc will still be sent if consent expires.

I think that we should consider akeep alive as application data, and
subject to to rules of consent.

The text should note that firewall and NAT bindings could be lost, instead.

v2.23.0 | Report a Bug | By Email