Re: [rtcweb] Requiring ICE for RTC calls

Roman Shpount <roman@telurix.com> Tue, 27 September 2011 20:49 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A4FD21F8BBB for <rtcweb@ietfa.amsl.com>; Tue, 27 Sep 2011 13:49:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.475
X-Spam-Level:
X-Spam-Status: No, score=-1.475 tagged_above=-999 required=5 tests=[AWL=-0.759, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_BL_SPAMCOP_NET=1.96, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PotV5-Ys+TwW for <rtcweb@ietfa.amsl.com>; Tue, 27 Sep 2011 13:49:36 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id B61AC21F8486 for <rtcweb@ietf.org>; Tue, 27 Sep 2011 13:49:36 -0700 (PDT)
Received: by gyd12 with SMTP id 12so6954580gyd.31 for <rtcweb@ietf.org>; Tue, 27 Sep 2011 13:52:23 -0700 (PDT)
Received: by 10.68.26.161 with SMTP id m1mr39437058pbg.82.1317156742693; Tue, 27 Sep 2011 13:52:22 -0700 (PDT)
Received: from mail-pz0-f50.google.com (mail-pz0-f50.google.com [209.85.210.50]) by mx.google.com with ESMTPS id ji3sm148851pbc.2.2011.09.27.13.52.21 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 27 Sep 2011 13:52:22 -0700 (PDT)
Received: by pzk37 with SMTP id 37so19535068pzk.9 for <rtcweb@ietf.org>; Tue, 27 Sep 2011 13:52:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.4.170 with SMTP id l10mr39110174pbl.3.1317156741274; Tue, 27 Sep 2011 13:52:21 -0700 (PDT)
Received: by 10.68.55.39 with HTTP; Tue, 27 Sep 2011 13:52:21 -0700 (PDT)
In-Reply-To: <CALiegf=E+1m6YpOSeG9bBOwmw8T7X5hp+TE+HmvuXGHzxtSdYg@mail.gmail.com>
References: <CAD5OKxtNjmWBz92bRuxka7e-BUpTPgVUvr3ahJGpmZ-U5nuPbQ@mail.gmail.com> <CAD6AjGSmz5T_F+SK2EoBQm6T-iRKp7dd4j8ZAF5JKdbbyomZQA@mail.gmail.com> <CALiegfmO54HC+g9L_DYn4jtXAAbLEvS++qxKa6TNrLDREs9SeA@mail.gmail.com> <4E80984A.903@skype.net> <CALiegfmyvTb57WVooKryS-ubfcg+w5gZ+zfO1zzBLn3609AzaA@mail.gmail.com> <4E809EE6.2050702@skype.net> <2E239D6FCD033C4BAF15F386A979BF510F1087@sonusinmail02.sonusnet.com> <BLU152-W62B7F2AC3F0D5B6E277CB993F00@phx.gbl> <CAD5OKxt=P3jg9N0weFUZLvUYQxyeXa+9YMtpc8wn7osuPQmTpg@mail.gmail.com> <CAD5OKxtVCgiFV_iAYd1w0uZZcS5+gsixOHJ0jGN=0CMdq++kdg@mail.gmail.com> <84254826-C357-4FB5-810D-C453A2D1304C@phonefromhere.com> <CAD5OKxt1mn-pcWW01a1wT0yCToaL1NL5Fjt-NJbJYmx=Ygrk6Q@mail.gmail.com> <BLU152-W641047D45C0DF6A490EEF193F00@phx.gbl> <CAD5OKxtC+7oBe5Y+EGhX7f0SneGEmW0YoM9sPSXoRFjBxq0F4A@mail.gmail.com> <69C442D8-0B6E-4EC8-814E-52CDC8DB578B@edvina.net> <CALiegf=E+1m6YpOSeG9bBOwmw8T7X5hp+TE+HmvuXGHzxtSdYg@mail.gmail.com>
Date: Tue, 27 Sep 2011 16:52:21 -0400
Message-ID: <CAD5OKxu7cq_rq7GARJ2TuZ4gVzd2fxAOwQ4bHLsc03ba3RbaLQ@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: =?ISO-8859-1?Q?I=F1aki_Baz_Castillo?= <ibc@aliax.net>
Content-Type: multipart/alternative; boundary=bcaec5215f35ad5b4004adf27377
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Requiring ICE for RTC calls
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Sep 2011 20:49:37 -0000

I would reluctantly have to agree that we should by default require ICE,
since this is the only way to work around the security problems associated
with SIP. I am not sure SRTP has to be required but if ICE is required, SRTP
is an easy requirement to satisfy (if you are putting a media proxy or an
SBC upgrade for one feature, you might as well place it for two). I still
think there should be a way to disable requiring ICE and SRTP through a
local policy, but I am not sure this should be a requirement. I guess what I
am saying that requiring ICE and SRTP should be a SHOULD and not a MUST.
_____________
Roman Shpount


On Tue, Sep 27, 2011 at 4:27 PM, Iñaki Baz Castillo <ibc@aliax.net> wrote:

> 2011/9/27 Olle E. Johansson <oej@edvina.net>et>:
> > Sometimes we need to move forward. After many years of insecure calls
> having
> > issues with traversing NATs everywhere, I think enough is enough and it's
> > time to provide a better solution.
>
> I also agree. The IETF has produced lot of security specifications for
> SIP but vendors have implemented nothing (or just a few of them).
>
> SIP is mostly deployed in islands, and each island defines its own
> security constrains (usually no security at all as the island itself
> is a secure wallen garden). Rtcweb is like a new island (a very big
> island), and it will also become the island with major number of
> malicious users and site providers. So let's add all the security
> constrains we can in order to make it secure.
>
> Legacy SIP vendors/providers/manufactures should react if they want to
> offer services on top of rtcweb.
>
> --
> Iñaki Baz Castillo
> <ibc@aliax.net>
>