idnits 2.17.1 draft-ietf-rtcweb-ip-handling-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 1 instance of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 1, 2018) is 2219 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 4941 (Obsoleted by RFC 8981) -- Obsolete informational reference (is this intentional?): RFC 5245 (Obsoleted by RFC 8445, RFC 8839) -- Obsolete informational reference (is this intentional?): RFC 5389 (Obsoleted by RFC 8489) -- Obsolete informational reference (is this intentional?): RFC 5766 (Obsoleted by RFC 8656) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) Summary: 0 errors (**), 0 flaws (~~), 3 warnings (==), 7 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Uberti 3 Internet-Draft Google 4 Intended status: Standards Track G. Shieh 5 Expires: September 2, 2018 Facebook 6 March 1, 2018 8 WebRTC IP Address Handling Requirements 9 draft-ietf-rtcweb-ip-handling-06 11 Abstract 13 This document provides information and requirements for how IP 14 addresses should be handled by WebRTC implementations. 16 Status of This Memo 18 This Internet-Draft is submitted in full conformance with the 19 provisions of BCP 78 and BCP 79. 21 Internet-Drafts are working documents of the Internet Engineering 22 Task Force (IETF). Note that other groups may also distribute 23 working documents as Internet-Drafts. The list of current Internet- 24 Drafts is at https://datatracker.ietf.org/drafts/current/. 26 Internet-Drafts are draft documents valid for a maximum of six months 27 and may be updated, replaced, or obsoleted by other documents at any 28 time. It is inappropriate to use Internet-Drafts as reference 29 material or to cite them other than as "work in progress." 31 This Internet-Draft will expire on September 2, 2018. 33 Copyright Notice 35 Copyright (c) 2018 IETF Trust and the persons identified as the 36 document authors. All rights reserved. 38 This document is subject to BCP 78 and the IETF Trust's Legal 39 Provisions Relating to IETF Documents 40 (https://trustee.ietf.org/license-info) in effect on the date of 41 publication of this document. Please review these documents 42 carefully, as they describe your rights and restrictions with respect 43 to this document. Code Components extracted from this document must 44 include Simplified BSD License text as described in Section 4.e of 45 the Trust Legal Provisions and are provided without warranty as 46 described in the Simplified BSD License. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 51 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 52 3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 2 53 4. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 54 5. Detailed Design . . . . . . . . . . . . . . . . . . . . . . . 4 55 5.1. Principles . . . . . . . . . . . . . . . . . . . . . . . 4 56 5.2. Modes and Recommendations . . . . . . . . . . . . . . . . 5 57 6. Implementation Guidance . . . . . . . . . . . . . . . . . . . 6 58 6.1. Ensuring Normal Routing . . . . . . . . . . . . . . . . . 6 59 6.2. Determining Host Candidates . . . . . . . . . . . . . . . 6 60 7. Application Guidance . . . . . . . . . . . . . . . . . . . . 7 61 8. Security Considerations . . . . . . . . . . . . . . . . . . . 7 62 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 63 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 64 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 65 11.1. Normative References . . . . . . . . . . . . . . . . . . 8 66 11.2. Informative References . . . . . . . . . . . . . . . . . 8 67 Appendix A. Change log . . . . . . . . . . . . . . . . . . . . . 9 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 70 1. Introduction 72 One of WebRTC's key features is its support of peer-to-peer 73 connections. However, when establishing such a connection, which 74 involves connection attempts from various IP addresses, WebRTC may 75 allow a web application to learn additional information about the 76 user compared to an application that only uses the Hypertext Transfer 77 Protocol (HTTP) [RFC7230]. This may be problematic in certain cases. 78 This document summarizes the concerns, and makes recommendations on 79 how WebRTC implementations should best handle the tradeoff between 80 privacy and media performance. 82 2. Terminology 84 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 85 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 86 document are to be interpreted as described in [RFC2119]. 88 3. Problem Statement 90 In order to establish a peer-to-peer connection, WebRTC 91 implementations use Interactive Connectivity Establishment (ICE) 92 [RFC5245], which attempts to discover multiple IP addresses using 93 techniques such as Session Traversal Utilities for NAT (STUN) 94 [RFC5389] and Traversal Using Relays around NAT (TURN) [RFC5766], and 95 then checks the connectivity of each local-address-remote-address 96 pair in order to select the best one. The addresses that are 97 collected usually consist of an endpoint's private physical/virtual 98 addresses and its public Internet addresses. 100 These addresses are exposed upwards to the web application, so that 101 they can be communicated to the remote endpoint for its checks. This 102 allows the application to learn more about the local network 103 configuration than it would from a typical HTTP scenario, in which 104 the web server would only see a single public Internet address, i.e., 105 the address from which the HTTP request was sent. 107 The information revealed falls into three categories: 109 1. If the client is multihomed, additional public IP addresses for 110 the client can be learned. In particular, if the client tries to 111 hide its physical location through a Virtual Private Network 112 (VPN), and the VPN and local OS support routing over multiple 113 interfaces (a "split-tunnel" VPN), WebRTC will discover not only 114 the public address for the VPN, but also the ISP public address 115 over which the VPN is running. 117 2. If the client is behind a Network Address Translator (NAT), the 118 client's private IP addresses, often [RFC1918] addresses, can be 119 learned. 121 3. If the client is behind a proxy (a client-configured "classical 122 application proxy", as defined in [RFC1919], Section 3), but 123 direct access to the Internet is also supported, WebRTC's STUN 124 checks will bypass the proxy and reveal the public IP address of 125 the client. 127 Of these three concerns, #1 is the most significant, because for some 128 users, the purpose of using a VPN is for anonymity. However, 129 different VPN users will have different needs, and some VPN users 130 (e.g., corporate VPN users) may in fact prefer WebRTC to send media 131 traffic directly, i.e., not through the VPN. 133 #2 is considered to be a less significant concern, given that the 134 local address values often contain minimal information (e.g., 135 192.168.0.2), or have built-in privacy protection (e.g., the 136 [RFC4941] IPv6 addresses recommended by 137 [I-D.ietf-rtcweb-transports]). 139 #3 is the least common concern, as proxy administrators can already 140 control this behavior through organizational firewall policy, and 141 generally, forcing WebRTC traffic through a proxy server will have 142 negative effects on both the proxy and on media quality. 144 Note also that these concerns predate WebRTC; Adobe Flash Player has 145 provided similar functionality since the introduction of RTMFP 146 [RFC7016] in 2008. 148 4. Goals 150 WebRTC's support of secure peer-to-peer connections facilitates 151 deployment of decentralized systems, which can have privacy benefits. 152 As a result, we want to avoid blunt solutions that disable WebRTC or 153 make it significantly harder to use. This document takes a more 154 nuanced approach, with the following goals: 156 o Provide a framework for understanding the problem so that controls 157 might be provided to make different tradeoffs regarding 158 performance and privacy concerns with WebRTC. 160 o Using that framework, define settings that enable peer-to-peer 161 communications, each with a different balance between performance 162 and privacy. 164 o Finally, provide recommendations for default settings that provide 165 reasonable performance without also exposing addressing 166 information in a way that might violate user expectations. 168 5. Detailed Design 170 5.1. Principles 172 The key principles for our framework are stated below: 174 1. By default, WebRTC traffic should follow typical IP routing, 175 i.e., WebRTC should use the same interface used for HTTP traffic, 176 and only the system's 'typical' public addresses should be 177 visible to the application. However, in the interest of optimal 178 media quality, it should be possible to enable WebRTC to make use 179 of all network interfaces to determine the ideal route. 181 2. By default, WebRTC should be able to negotiate direct peer-to- 182 peer connections between endpoints (i.e., without traversing a 183 NAT or relay server), by providing a minimal set of local IP 184 addresses to the application for use in the ICE process. This 185 ensures that applications that need true peer-to-peer routing for 186 bandwidth or latency reasons can operate successfully. However, 187 it should be possible to suppress these addresses (with the 188 resultant impact on direct connections) if desired. 190 3. By default, WebRTC traffic should not be sent through proxy 191 servers, due to the media quality problems associated with 192 sending WebRTC traffic over TCP, which is almost always used when 193 communicating with proxies, as well as proxy performance issues 194 that may result from proxying WebRTC's long-lived, high-bandwidth 195 connections. However, it should be possible to force WebRTC to 196 send its traffic through a configured proxy if desired. 198 5.2. Modes and Recommendations 200 Based on these ideas, we define four specific modes of WebRTC 201 behavior, reflecting different media quality/privacy tradeoffs: 203 Mode 1: Enumerate all addresses: WebRTC MUST use all network 204 interfaces to attempt communication with STUN servers, TURN 205 servers, or peers. This will converge on the best media 206 path, and is ideal when media performance is the highest 207 priority, but it discloses the most information. 209 Mode 2: Default route + associated local addresses: WebRTC MUST 210 follow the kernel routing table rules, which will typically 211 cause media packets to take the same route as the 212 application's HTTP traffic. In addition, the private IPv4 213 and IPv6 addresses associated with the kernel-chosen 214 interface MUST be discovered and provided to the 215 application. This ensures that direct connections can still 216 be established in this mode. 218 Mode 3: Default route only: This is the the same as Mode 2, except 219 that the associated private addresses MUST NOT be provided; 220 the only IP addresses gathered are those discovered via 221 mechanisms like STUN and TURN (on the default route). This 222 may cause traffic to hairpin through a NAT, fall back to an 223 application TURN server, or fail altogether, with resulting 224 quality implications. 226 Mode 4: Force proxy: This is the same as Mode 3, but all WebRTC 227 media traffic is forced through a proxy, if one is 228 configured. If the proxy does not support UDP (as is the 229 case for all HTTP and most SOCKS [RFC1928] proxies), or the 230 WebRTC implementation does not support UDP proxying, the use 231 of UDP will be disabled, and TCP will be used to send and 232 receive media through the proxy. Use of TCP will result in 233 reduced media quality, in addition to any performance 234 considerations associated with sending all WebRTC media 235 through the proxy server. 237 Mode 1 MUST only be used when user consent has been provided. The 238 details of this consent are left to the implementation; one potential 239 mechanism is to tie this consent to getUserMedia consent. 241 In cases where user consent has not been obtained, Mode 2 SHOULD be 242 used. 244 These defaults provide a reasonable tradeoff that permits trusted 245 WebRTC applications to achieve optimal network performance, but gives 246 applications without consent (e.g., 1-way streaming or data channel 247 applications) only the minimum information needed to achieve direct 248 connections, as defined in Mode 2. However, implementations MAY 249 choose stricter modes if desired, e.g., if a user indicates they want 250 all WebRTC traffic to follow the default route. 252 Note that the suggested defaults can still be used even for 253 organizations that want all external WebRTC traffic to traverse a 254 proxy, simply by setting an organizational firewall policy that 255 allows WebRTC traffic to only leave through the proxy. This provides 256 a way to ensure the proxy is used for any external traffic, but 257 avoids the performance issues associated with Mode 4 (where all media 258 is forced through said proxy) for intra-organization traffic. 260 6. Implementation Guidance 262 This section provides guidance to WebRTC implementations on how to 263 implement the policies described above. 265 6.1. Ensuring Normal Routing 267 When trying to follow typical IP routing, the simplest approach is to 268 bind the sockets used for peer-to-peer connections to the wildcard 269 addresses (0.0.0.0 for IPv4, :: for IPv6), which allows the OS to 270 route WebRTC traffic the same way as it would HTTP traffic. STUN and 271 TURN will work as usual, and host candidates can still be determined 272 as mentioned below. 274 6.2. Determining Host Candidates 276 When binding to a wildcard address, some extra work is needed to 277 determine a suitable host candidate, which we define as the source 278 address that would be used for any packets sent to the web 279 application host (assuming that UDP and TCP get the same routing). 280 Use of the web application host as a destination ensures the right 281 source address is selected, regardless of where the application 282 resides (e.g., on an intranet). 284 First, the appropriate remote IPv4/IPv6 address is obtained by 285 resolving the host component of the web application URI [RFC3986]. 286 If the client is behind a proxy and cannot resolve these IPs via DNS, 287 the address of the proxy can be used instead. Or, if the web 288 application was loaded from a file:// URI [RFC8089], rather than over 289 the network, the implementation can fall back to a well-known DNS 290 name or IP address. 292 Once a suitable remote IP has been determined, the implementation can 293 create a UDP socket, bind it to the appropriate wildcard address, and 294 tell it to connect to the remote IP. Generally, this results in the 295 socket being assigned a local address based on the kernel routing 296 table, without sending any packets over the network. 298 Finally, the socket can be queried using getsockname() or the 299 equivalent to determine the appropriate host candidate. 301 7. Application Guidance 303 The recommendations mentioned in this document may cause certain 304 WebRTC applications to malfunction. In order to be robust in all 305 scenarios, the following guidelines are provided for applications: 307 o Applications SHOULD deploy a TURN server with support for both UDP 308 and TCP connections to the server. This ensures that connectivity 309 can still be established, even when Mode 3 or 4 are in use, 310 assuming the TURN server can be reached. 312 o Applications SHOULD detect when they don't have access to the full 313 set of ICE candidates by checking for the presence of host 314 candidates. If no host candidates are present, Mode 3 or 4 above 315 is in use; this knowledge can be useful for diagnostic purposes. 317 8. Security Considerations 319 This document is entirely devoted to security considerations. 321 9. IANA Considerations 323 This document requires no actions from IANA. 325 10. Acknowledgements 327 Several people provided input into this document, including Bernard 328 Aboba, Harald Alvestrand, Ted Hardie, Matthew Kaufmann, Eric 329 Rescorla, Adam Roach, and Martin Thomson. 331 11. References 332 11.1. Normative References 334 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 335 Requirement Levels", BCP 14, RFC 2119, 336 DOI 10.17487/RFC2119, March 1997, 337 . 339 11.2. Informative References 341 [I-D.ietf-rtcweb-transports] 342 Alvestrand, H., "Transports for WebRTC", draft-ietf- 343 rtcweb-transports-17 (work in progress), October 2016. 345 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., 346 and E. Lear, "Address Allocation for Private Internets", 347 BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, 348 . 350 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 351 RFC 1919, DOI 10.17487/RFC1919, March 1996, 352 . 354 [RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and 355 L. Jones, "SOCKS Protocol Version 5", RFC 1928, 356 DOI 10.17487/RFC1928, March 1996, 357 . 359 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 360 Resource Identifier (URI): Generic Syntax", STD 66, 361 RFC 3986, DOI 10.17487/RFC3986, January 2005, 362 . 364 [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy 365 Extensions for Stateless Address Autoconfiguration in 366 IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007, 367 . 369 [RFC5245] Rosenberg, J., "Interactive Connectivity Establishment 370 (ICE): A Protocol for Network Address Translator (NAT) 371 Traversal for Offer/Answer Protocols", RFC 5245, 372 DOI 10.17487/RFC5245, April 2010, 373 . 375 [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, 376 "Session Traversal Utilities for NAT (STUN)", RFC 5389, 377 DOI 10.17487/RFC5389, October 2008, 378 . 380 [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using 381 Relays around NAT (TURN): Relay Extensions to Session 382 Traversal Utilities for NAT (STUN)", RFC 5766, 383 DOI 10.17487/RFC5766, April 2010, 384 . 386 [RFC7016] Thornburgh, M., "Adobe's Secure Real-Time Media Flow 387 Protocol", RFC 7016, DOI 10.17487/RFC7016, November 2013, 388 . 390 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 391 Protocol (HTTP/1.1): Message Syntax and Routing", 392 RFC 7230, DOI 10.17487/RFC7230, June 2014, 393 . 395 [RFC8089] Kerwin, M., "The "file" URI Scheme", RFC 8089, 396 DOI 10.17487/RFC8089, February 2017, 397 . 399 Appendix A. Change log 401 Changes in draft -06: 403 o Clarify recommendations. 405 o Split implementation guidance into two sections. 407 Changes in draft -05: 409 o Separated framework definition from implementation techniques. 411 o Removed RETURN references. 413 o Use origin when determining local IPs, rather than a well-known 414 IP. 416 Changes in draft -04: 418 o Rewording and cleanup in abstract, intro, and problem statement. 420 o Added 2119 boilerplate. 422 o Fixed weird reference spacing. 424 o Expanded acronyms on first use. 426 o Removed 8.8.8.8 mention. 428 o Removed mention of future browser considerations. 430 Changes in draft -03: 432 o Clarified when to use which modes. 434 o Added 2119 qualifiers to make normative statements. 436 o Defined 'proxy'. 438 o Mentioned split tunnels in problem statement. 440 Changes in draft -02: 442 o Recommendations -> Requirements 444 o Updated text regarding consent. 446 Changes in draft -01: 448 o Incorporated feedback from Adam Roach; changes to discussion of 449 cam/mic permission, as well as use of proxies, and various 450 editorial changes. 452 o Added several more references. 454 Changes in draft -00: 456 o Published as WG draft. 458 Authors' Addresses 460 Justin Uberti 461 Google 462 747 6th St S 463 Kirkland, WA 98033 464 USA 466 Email: justin@uberti.name 468 Guo-wei Shieh 469 Facebook 470 1101 Dexter Ave 471 Seattle, WA 98109 472 USA 474 Email: guoweis@facebook.com