Re: [rtcweb] [tram] TURN permissions for private ips

Justin Uberti <juberti@google.com> Fri, 07 August 2015 00:01 UTC

In-Reply-To: <CABkgnnXubczrXpR+YHeF1+zNrNoPNMH_XdB1+pCAGZ9LQn0UXw@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Thu, 06 Aug 2015 17:01:03 -0700
Message-ID: <CAOJ7v-2PaLr8XLdVxfPY=YYzeQuoj49qypUTUr=wdbmSiMZO7A@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/xdG3AM9bA0abMEe_ZTIQXBL60VM>
Cc: Jonathan Lennox <jonathan@vidyo.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>, "tram@ietf.org" <tram@ietf.org>, mmusic <mmusic@ietf.org>
Subject: Re: [rtcweb] [tram] TURN permissions for private ips

On Thu, Aug 6, 2015 at 1:51 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 6 August 2015 at 13:08, Justin Uberti <juberti@google.com> wrote:
> > I think that we should be able to avoid pairing candidates obtained from
> > application TURN servers with RFC 1918 addresses. The app/browser clearly
> > knows which is which.
>
> I'm concerned here that if we let the application choose, we lose the
> defence we were looking to gain.  I think that perhaps 1918 pairing
> could be restricted to TURN servers that are configured/discovered,
> "proxy"-style.
>

Sorry, that is what I was trying to say. The browser knows which TURN
servers are "proxies" vs app servers, and can apply the 1918 filtering on
the pairings from the candidates from the app TURN server.

Agree with your enumeration of concerns as well. Also #5, they consume
bandwidth (at least from client to TURN server), which affects maximum
check rate in some cases.
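As an added illustration of the pairing policy the two messages converge on (example code written for this page, not code from the thread, from any browser, or from a TURN implementation), the Python below keeps a local relay candidate obtained from an application-supplied TURN server from ever being paired with a remote RFC 1918 address, while relay candidates from browser-configured ("proxy"-style) TURN servers are left alone. The `Candidate` type, the `turn_origin` tag, the sample candidates and the fail-closed handling of non-literal addresses are assumptions made here, not details from the thread.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three RFC 1918 private IPv4 blocks (the "1918 addresses" of the thread).
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Candidate:           # hypothetical minimal ICE candidate
    ip: str
    kind: str                           # "host", "srflx" or "relay"
    turn_origin: Optional[str] = None   # relay only: "proxy" (browser-configured or
                                        # discovered TURN) or "app" (supplied by the web app)


def is_rfc1918(addr: str) -> Optional[bool]:
    """True/False for an IP literal inside/outside RFC 1918 space; None if not a literal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def may_pair(local: Candidate, remote: Candidate) -> Tuple[bool, str]:
    """Policy: a local relay from an app-supplied TURN server is never paired with a
    remote RFC 1918 address, so that server is never asked for a permission towards a
    private network. Non-literal remote addresses fail closed (assumption, not from
    the thread). Proxy-style TURN relays and all non-relay candidates pair as usual."""
    if local.kind == "relay" and local.turn_origin == "app":
        private = is_rfc1918(remote.ip)
        if private is None:
            return False, f"remote {remote.ip!r} is not an IP literal; refusing app-TURN pairing"
        if private:
            return False, f"remote {remote.ip} is RFC 1918; app-TURN relay may not pair with it"
    return True, "ok"


def form_check_list(locals_: List[Candidate], remotes: List[Candidate]):
    """Candidate pairs that pass the policy (priority ordering omitted for brevity)."""
    return [(l, r) for l in locals_ for r in remotes if may_pair(l, r)[0]]


# Constructed sample candidates (documentation ranges plus RFC 1918 space); not from the thread.
LOCAL = [Candidate("192.168.1.20", "host"), Candidate("203.0.113.7", "srflx"),
         Candidate("198.51.100.40", "relay", "proxy"),   # relay via browser-configured proxy TURN
         Candidate("198.51.100.41", "relay", "app")]     # relay via app-supplied TURN server
REMOTE = [Candidate("10.0.0.8", "host"), Candidate("192.0.2.9", "srflx")]

if __name__ == "__main__":
    for l, r in form_check_list(LOCAL, REMOTE):
        print(f"{l.kind:5} {l.ip:14} -> {r.kind:5} {r.ip}")
```

Of the eight possible pairs in the sample, only the app-TURN relay paired with the remote 10.0.0.8 host candidate is dropped; the proxy-TURN relay still pairs with it.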