Re: [rtcweb] SIP Glare - Re: Minimal SDP negotiation mechanism

Randell Jesup <> Mon, 26 September 2011 05:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3C22221F84FD for <>; Sun, 25 Sep 2011 22:24:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.961
X-Spam-Status: No, score=-1.961 tagged_above=-999 required=5 tests=[AWL=-0.602, BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PDMJouPTVfW2 for <>; Sun, 25 Sep 2011 22:24:49 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9591D21F84FC for <>; Sun, 25 Sep 2011 22:24:49 -0700 (PDT)
Received: from ([] helo=[]) by with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <>) id 1R83j0-0004Kj-4J for; Mon, 26 Sep 2011 00:27:30 -0500
Message-ID: <>
Date: Mon, 26 Sep 2011 01:23:51 -0400
From: Randell Jesup <>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.1) Gecko/20110830 Thunderbird/6.0.1
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain -
Subject: Re: [rtcweb] SIP Glare - Re: Minimal SDP negotiation mechanism
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 26 Sep 2011 05:24:50 -0000

On 9/22/2011 4:37 PM, Cullen Jennings wrote:
> On Sep 22, 2011, at 2:04 PM, Christer Holmberg wrote:
>> If so, what is your assumption then regarding ICE? That the SIP nodes 
>> will support ICE, or that the browser will be allowed to communicate 
>> with the SIP nodes without enabling ICE? 
> I see no way of solving the security problems without having ICE or something more or less like it. Therefore, I'm working on the assumption that it will only work if the SIP side supports ICE, or is front ended by a SBC with media GW that does ICE. In the short term, there will be some devices that don't do ICE but SIP devices are increasingly having ICE added. Particularly SIP devices that are internet facing because the need for NAT traversal.
> I find requiring ICE to be a very unfortunate assumption to have to make - obviously it reduces the number of legacy voip devices WebRTC devices can talk to without an SBC but I don't see any way around this limitation. Allowing web browsers inside the firewall to send packets to an arbitrary address that is inside the firewall with no validation that address speaks RTP is not acceptable.

I agree we can't solve the security issue with permission to send with the
current threat model without ICE or some equivalent.

There is another option that may help with some of the use cases (I've mentioned
this before in the discussion on screensharing, among others).  For a number
of the use cases security is an impassible problem with the current threat model.
Those use cases generally involve replacing cases where an existing desktop
install or plugin was used (webex, screensharing, vnc, SIP softclient, Skype, etc).
Those cases all currently involve the user implicitly giving these apps total
or close to code that could do pretty much anything on the user's computer,
and are also often the "ongoing usage" authentication cases.

The only mitigating safety of the external app/plugin model is that they're typically
signed and go through the platforms software-install procedure, cert-showing, UACs, etc.

Currently people are trying to work out the HTML5 "installed" webapp security model;
if that's far enough along we may be able to piggyback off that.   I'm looking into it.

Randell Jesup