Re: [rtcweb] UDP transport problem

Randell Jesup <> Fri, 14 February 2014 10:20 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id AC7E91A01FB for <>; Fri, 14 Feb 2014 02:20:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Mt5JxWQmo_22 for <>; Fri, 14 Feb 2014 02:20:54 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 659B61A01C3 for <>; Fri, 14 Feb 2014 02:20:54 -0800 (PST)
Received: from [] (port=52638 helo=[]) by with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.82) (envelope-from <>) id 1WEFt6-000ECl-HX for; Fri, 14 Feb 2014 04:20:52 -0600
Message-ID: <>
Date: Fri, 14 Feb 2014 02:20:54 -0800
From: Randell Jesup <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Thunderbird/27.0
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Get-Message-Sender-Via: authenticated_id:
Subject: Re: [rtcweb] UDP transport problem
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 14 Feb 2014 10:20:57 -0000

On 2/12/2014 10:06 PM, Cb B wrote:
> For about a year now, i have been very concerned about IPv4 UDP.  It
> has been increasingly associated with DDoS traffic [1], to the point
> that the protocol's reputation is akin to IPv4 PING in 2003 (widely
> blocked).  The material point here is that IPv4 UDP is being
> indiscriminately blocked and policed in access networks.  This is not
> something access networks are wantonly electing to do. This decision
> is made in the heat of the moment to restore service to customers and
> networks who are overrun with attack traffic [2].  And it is not
> simply DNS, NTP, and chargen for simple filtering.
> My suggestion is that draft-ietf-rtcweb-transports be updated to
> include SCTP as a transport type option.  I understand that SCTP is
> not supported on Windows (tm) and most NATs.

Side note: it would be ironic to end up using 

> In general, we may find
> that TURN / TRAM is a required local trust anchor in access networks,
> just as local ISP-administered SMTP servers in access networks are
> frequently required relay points since access networks block SMTP. [3]

I certainly understand the reason for concern; but the idea that UDP 
would become limited to TURN-mediated is frightening and depressing (and 
whose TURN and how does the ISP know it's TURN-mediated unless it's an 

One significant piece of the value proposition of WebRTC is that through 
use of ICE (and TURN) it will usually bypass the need for relays, 
significantly improving media quality (delay), dramatically cutting the 
cost of operation for services, easing deployment, and avoiding a number 
of levels of control/ability-to-block/etc.

It's especially depressing in that we put significant effort into 
reducing the likelihood that WebRTC could be used for DDoS attacks.

I will note that blocking UDP (or massively-rate-limiting it) will have 
all sorts of nasty effects on all forms of VoIP.  TCP-entrained VoIP can 
evade that, but at a serious cost to call quality.  Surely the operators 
know this.

> This UDP concern is not an issue for IPv6, since IPv6 is not, as of
> yet, been associated with these massive attacks.  And when i say
> massive, i mean massive [4].  And because of the scale and risk,
> access networks are simply clamping IPv4 UDP throughput and moving on
> and not looking back.

Can the DNS amplification attack be used to hit any ports other than 
53?  Can clamps be limited to port 53

> I  understand predicting the demise of UDP is not a popular opinion in
> the IETF.  But as a network operator, and stakeholder in the internet
> / ietf / webrtc, i am hoping to share this information so that you all
> can make well informed protocol decisions.

Thank you

Randell Jesup