idnits 2.17.1 draft-ietf-rtcweb-ip-handling-12.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. == There are 1 instance of lines with private range IPv4 addresses in the document. If these are generic example addresses, they should be changed to use any of the ranges defined in RFC 6890 (or successor): 192.0.2.x, 198.51.100.x or 203.0.113.x. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 2, 2019) is 1760 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5389 (Obsoleted by RFC 8489) ** Obsolete normative reference: RFC 5766 (Obsoleted by RFC 8656) == Outdated reference: A later version (-20) exists of draft-ietf-rtcweb-security-arch-18 -- Obsolete informational reference (is this intentional?): RFC 4941 (Obsoleted by RFC 8981) -- Obsolete informational reference (is this intentional?): RFC 7230 (Obsoleted by RFC 9110, RFC 9112) Summary: 2 errors (**), 0 flaws (~~), 4 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Uberti 3 Internet-Draft Google 4 Intended status: Standards Track July 2, 2019 5 Expires: January 3, 2020 7 WebRTC IP Address Handling Requirements 8 draft-ietf-rtcweb-ip-handling-12 10 Abstract 12 This document provides information and requirements for how IP 13 addresses should be handled by WebRTC implementations. 15 Status of This Memo 17 This Internet-Draft is submitted in full conformance with the 18 provisions of BCP 78 and BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF). Note that other groups may also distribute 22 working documents as Internet-Drafts. The list of current Internet- 23 Drafts is at https://datatracker.ietf.org/drafts/current/. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 This Internet-Draft will expire on January 3, 2020. 32 Copyright Notice 34 Copyright (c) 2019 IETF Trust and the persons identified as the 35 document authors. All rights reserved. 37 This document is subject to BCP 78 and the IETF Trust's Legal 38 Provisions Relating to IETF Documents 39 (https://trustee.ietf.org/license-info) in effect on the date of 40 publication of this document. Please review these documents 41 carefully, as they describe your rights and restrictions with respect 42 to this document. Code Components extracted from this document must 43 include Simplified BSD License text as described in Section 4.e of 44 the Trust Legal Provisions and are provided without warranty as 45 described in the Simplified BSD License. 47 Table of Contents 49 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 50 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 2 51 3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 2 52 4. Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 53 5. Detailed Design . . . . . . . . . . . . . . . . . . . . . . . 5 54 5.1. Principles . . . . . . . . . . . . . . . . . . . . . . . 5 55 5.2. Modes and Recommendations . . . . . . . . . . . . . . . . 5 56 6. Implementation Guidance . . . . . . . . . . . . . . . . . . . 7 57 6.1. Ensuring Normal Routing . . . . . . . . . . . . . . . . . 7 58 6.2. Determining Associated Local Addresses . . . . . . . . . 7 59 7. Application Guidance . . . . . . . . . . . . . . . . . . . . 8 60 8. Security Considerations . . . . . . . . . . . . . . . . . . . 8 61 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 62 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8 63 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 64 11.1. Normative References . . . . . . . . . . . . . . . . . . 8 65 11.2. Informative References . . . . . . . . . . . . . . . . . 9 66 Appendix A. Change log . . . . . . . . . . . . . . . . . . . . . 10 67 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 12 69 1. Introduction 71 One of WebRTC's key features is its support of peer-to-peer 72 connections. However, when establishing such a connection, which 73 involves connection attempts from various IP addresses, WebRTC may 74 allow a web application to learn additional information about the 75 user compared to an application that only uses the Hypertext Transfer 76 Protocol (HTTP) [RFC7230]. This may be problematic in certain cases. 77 This document summarizes the concerns, and makes recommendations on 78 how WebRTC implementations should best handle the tradeoff between 79 privacy and media performance. 81 2. Terminology 83 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 84 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 85 "OPTIONAL" in this document are to be interpreted as described in BCP 86 14 [RFC2119][RFC8174] when, and only when, they appear in all 87 capitals, as shown here. 89 3. Problem Statement 91 In order to establish a peer-to-peer connection, WebRTC 92 implementations use Interactive Connectivity Establishment (ICE) 93 [RFC8445], which attempts to discover multiple IP addresses using 94 techniques such as Session Traversal Utilities for NAT (STUN) 96 [RFC5389] and Traversal Using Relays around NAT (TURN) [RFC5766], and 97 then checks the connectivity of each local-address-remote-address 98 pair in order to select the best one. The addresses that are 99 collected usually consist of an endpoint's private physical or 100 virtual addresses and its public Internet addresses. 102 These addresses are provided to the web application so that they can 103 be communicated to the remote endpoint for its checks. This allows 104 the application to learn more about the local network configuration 105 than it would from a typical HTTP scenario, in which the web server 106 would only see a single public Internet address, i.e., the address 107 from which the HTTP request was sent. 109 The information revealed falls into three categories: 111 1. If the client is multihomed, additional public IP addresses for 112 the client can be learned. In particular, if the client tries to 113 hide its physical location through a Virtual Private Network 114 (VPN), and the VPN and local OS support routing over multiple 115 interfaces (a "split-tunnel" VPN), WebRTC can discover not only 116 the public address for the VPN, but also the ISP public address 117 over which the VPN is running. 119 2. If the client is behind a Network Address Translator (NAT), the 120 client's private IP addresses, often [RFC1918] addresses, can be 121 learned. 123 3. If the client is behind a proxy (a client-configured "classical 124 application proxy", as defined in [RFC1919], Section 3), but 125 direct access to the Internet is permitted, WebRTC's STUN checks 126 will bypass the proxy and reveal the public IP address of the 127 client. This concern also applies to the "enterprise TURN 128 server" scenario described in [RFC7478], Section 2.3.5.1, if, as 129 above, direct Internet access is permitted. However, when the 130 term "proxy" is used in this document, it is always in reference 131 to an [RFC1919] proxy server. 133 Of these three concerns, the first is the most significant, because 134 for some users, the purpose of using a VPN is for anonymity. 135 However, different VPN users will have different needs, and some VPN 136 users (e.g., corporate VPN users) may in fact prefer WebRTC to send 137 media traffic directly, i.e., not through the VPN. 139 The second concern is less significant but valid nonetheless. The 140 core issue is that web applications can learn about addresses that 141 are not exposed to the internet; typically these address are IPv4, 142 but they can also be IPv6, as in the case of NAT64 [RFC6146]. While 143 disclosure of the [RFC4941] IPv6 addresses recommended by 145 [I-D.ietf-rtcweb-transports] is fairly benign due to their 146 intentionally short lifetimes, IPv4 addresses present some 147 challenges. Although private IPv4 addresses often contain minimal 148 entropy (e.g., 192.168.0.2, a fairly common address), in the worst 149 case, they can contain 24 bits of entropy with an indefinite 150 lifetime. As such, they can be a fairly significant fingerprinting 151 surface. In addition, intranet web sites can be attacked more easily 152 when their IPv4 address range is externally known. 154 Private IP addresses can also act as an identifier that allows web 155 applications running in isolated browsing contexts (e.g., normal and 156 private browsing) to learn that they are running on the same device. 157 This could allow the application sessions to be correlated, defeating 158 some of the privacy protections provided by isolation. It should be 159 noted that private addresses are just one potential mechanism for 160 this correlation and this is an area for further study. 162 The third concern is the least common, as proxy administrators can 163 already control this behavior through organizational firewall policy, 164 and generally, forcing WebRTC traffic through a proxy server will 165 have negative effects on both the proxy and on media quality. 167 Note also that these concerns predate WebRTC; Adobe Flash Player has 168 provided similar functionality since the introduction of Real-Time 169 Media Flow Protocol (RTMFP) support [RFC7016] in 2008. 171 4. Goals 173 WebRTC's support of secure peer-to-peer connections facilitates 174 deployment of decentralized systems, which can have privacy benefits. 175 As a result, blunt solutions that disable WebRTC or make it 176 significantly harder to use are undesirable. This document takes a 177 more nuanced approach, with the following goals: 179 o Provide a framework for understanding the problem so that controls 180 might be provided to make different tradeoffs regarding 181 performance and privacy concerns with WebRTC. 183 o Using that framework, define settings that enable peer-to-peer 184 communications, each with a different balance between performance 185 and privacy. 187 o Finally, provide recommendations for default settings that provide 188 reasonable performance without also exposing addressing 189 information in a way that might violate user expectations. 191 5. Detailed Design 193 5.1. Principles 195 The key principles for our framework are stated below: 197 1. By default, WebRTC traffic should follow typical IP routing, 198 i.e., WebRTC should use the same interface used for HTTP traffic, 199 and only the system's 'typical' public addresses (or those of an 200 enterprise TURN server, if present) should be visible to the 201 application. However, in the interest of optimal media quality, 202 it should be possible to enable WebRTC to make use of all network 203 interfaces to determine the ideal route. 205 2. By default, WebRTC should be able to negotiate direct peer-to- 206 peer connections between endpoints (i.e., without traversing a 207 NAT or relay server) when such connections are possible. This 208 ensures that applications that need true peer-to-peer routing for 209 bandwidth or latency reasons can operate successfully. 211 3. It should be possible to configure WebRTC to not disclose private 212 local IP addresses, to avoid the issues associated with web 213 applications learning such addresses. This document does not 214 require this to be the default state, as there is no currently 215 defined mechanism that can satisfy this requirement as well as 216 the aforementioned requirement to allow direct peer-to-peer 217 connections. 219 4. By default, WebRTC traffic should not be sent through proxy 220 servers, due to the media quality problems associated with 221 sending WebRTC traffic over TCP, which is almost always used when 222 communicating with such proxies, as well as proxy performance 223 issues that may result from proxying WebRTC's long-lived, high- 224 bandwidth connections. However, it should be possible to force 225 WebRTC to send its traffic through a configured proxy if desired. 227 5.2. Modes and Recommendations 229 Based on these ideas, we define four specific modes of WebRTC 230 behavior, reflecting different media quality/privacy tradeoffs: 232 Mode 1: Enumerate all addresses: WebRTC MUST use all network 233 interfaces to attempt communication with STUN servers, TURN 234 servers, or peers. This will converge on the best media 235 path, and is ideal when media performance is the highest 236 priority, but it discloses the most information. 238 Mode 2: Default route + associated local addresses: WebRTC MUST 239 follow the kernel routing table rules, which will typically 240 cause media packets to take the same route as the 241 application's HTTP traffic. If an enterprise TURN server is 242 present, the preferred route MUST be through this TURN 243 server. Once an interface has been chosen, the private IPv4 244 and IPv6 addresses associated with this interface MUST be 245 discovered and provided to the application as host 246 candidates. This ensures that direct connections can still 247 be established in this mode. 249 Mode 3: Default route only: This is the the same as Mode 2, except 250 that the associated private addresses MUST NOT be provided; 251 the only IP addresses gathered are those discovered via 252 mechanisms like STUN and TURN (on the default route). This 253 may cause traffic to hairpin through a NAT, fall back to an 254 application TURN server, or fail altogether, with resulting 255 quality implications. 257 Mode 4: Force proxy: This is the same as Mode 3, but when the 258 application's HTTP traffic is sent through a proxy, WebRTC 259 media traffic MUST also be proxied. If the proxy does not 260 support UDP (as is the case for all HTTP and most SOCKS 261 [RFC1928] proxies), or the WebRTC implementation does not 262 support UDP proxying, the use of UDP will be disabled, and 263 TCP will be used to send and receive media through the 264 proxy. Use of TCP will result in reduced media quality, in 265 addition to any performance considerations associated with 266 sending all WebRTC media through the proxy server. 268 Mode 1 MUST NOT be used unless user consent has been provided. The 269 details of this consent are left to the implementation; one potential 270 mechanism is to tie this consent to getUserMedia (device permissions) 271 consent, described in [I-D.ietf-rtcweb-security-arch], Section 6.2. 272 Alternatively, implementations can provide a specific mechanism to 273 obtain user consent. 275 In cases where user consent has not been obtained, Mode 2 SHOULD be 276 used. 278 These defaults provide a reasonable tradeoff that permits trusted 279 WebRTC applications to achieve optimal network performance, but gives 280 applications without consent (e.g., 1-way streaming or data channel 281 applications) only the minimum information needed to achieve direct 282 connections, as defined in Mode 2. However, implementations MAY 283 choose stricter modes if desired, e.g., if a user indicates they want 284 all WebRTC traffic to follow the default route. 286 Future documents may define additional modes and/or update the 287 recommended default modes. 289 Note that the suggested defaults can still be used even for 290 organizations that want all external WebRTC traffic to traverse a 291 proxy or enterprise TURN server, simply by setting an organizational 292 firewall policy that allows WebRTC traffic to only leave through the 293 proxy or TURN server. This provides a way to ensure the proxy or 294 TURN server is used for any external traffic, but still allows direct 295 connections (and, in the proxy case, avoids the performance issues 296 associated with forcing media through said proxy) for intra- 297 organization traffic. 299 6. Implementation Guidance 301 This section provides guidance to WebRTC implementations on how to 302 implement the policies described above. 304 6.1. Ensuring Normal Routing 306 When trying to follow typical IP routing, as required by Modes 2 and 307 3, the simplest approach is to bind() the sockets used for peer-to- 308 peer connections to the wildcard addresses (0.0.0.0 for IPv4, :: for 309 IPv6), which allows the OS to route WebRTC traffic the same way as it 310 would HTTP traffic. STUN and TURN will work as usual, and host 311 candidates can still be determined as mentioned below. 313 6.2. Determining Associated Local Addresses 315 When binding to a wildcard address, some extra work is needed to 316 determine the associated local address required by Mode 2, which we 317 define as the source address that would be used for any packets sent 318 to the web application host (assuming that UDP and TCP get the same 319 routing treatment). Use of the web application host as a destination 320 ensures the right source address is selected, regardless of where the 321 application resides (e.g., on an intranet). 323 First, the appropriate remote IPv4/IPv6 address is obtained by 324 resolving the host component of the web application URI [RFC3986]. 325 If the client is behind a proxy and cannot resolve these IPs via DNS, 326 the address of the proxy can be used instead. Or, if the web 327 application was loaded from a file:// URI [RFC8089], rather than over 328 the network, the implementation can fall back to a well-known DNS 329 name or IP address. 331 Once a suitable remote IP has been determined, the implementation can 332 create a UDP socket, bind() it to the appropriate wildcard address, 333 and then connect() to the remote IP. Generally, this results in the 334 socket being assigned a local address based on the kernel routing 335 table, without sending any packets over the network. 337 Finally, the socket can be queried using getsockname() or the 338 equivalent to determine the appropriate local address. 340 7. Application Guidance 342 The recommendations mentioned in this document may cause certain 343 WebRTC applications to malfunction. In order to be robust in all 344 scenarios, the following guidelines are provided for applications: 346 o Applications SHOULD deploy a TURN server with support for both UDP 347 and TCP connections to the server. This ensures that connectivity 348 can still be established, even when Mode 3 or 4 are in use, 349 assuming the TURN server can be reached. 351 o Applications SHOULD detect when they don't have access to the full 352 set of ICE candidates by checking for the presence of host 353 candidates. If no host candidates are present, Mode 3 or 4 above 354 is in use; this knowledge can be useful for diagnostic purposes. 356 8. Security Considerations 358 This document describes several potential privacy and security 359 concerns associated with WebRTC peer-to-peer connections, and 360 provides mechanisms and recommendations for WebRTC implementations to 361 address these concerns. 363 9. IANA Considerations 365 This document requires no actions from IANA. 367 10. Acknowledgements 369 Several people provided input into this document, including Bernard 370 Aboba, Harald Alvestrand, Youenn Fablet, Ted Hardie, Matthew 371 Kaufmann, Eric Rescorla, Adam Roach, and Martin Thomson. 373 11. References 375 11.1. Normative References 377 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 378 Requirement Levels", BCP 14, RFC 2119, 379 DOI 10.17487/RFC2119, March 1997, 380 . 382 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 383 Resource Identifier (URI): Generic Syntax", STD 66, 384 RFC 3986, DOI 10.17487/RFC3986, January 2005, 385 . 387 [RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing, 388 "Session Traversal Utilities for NAT (STUN)", RFC 5389, 389 DOI 10.17487/RFC5389, October 2008, 390 . 392 [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using 393 Relays around NAT (TURN): Relay Extensions to Session 394 Traversal Utilities for NAT (STUN)", RFC 5766, 395 DOI 10.17487/RFC5766, April 2010, 396 . 398 [RFC8089] Kerwin, M., "The "file" URI Scheme", RFC 8089, 399 DOI 10.17487/RFC8089, February 2017, 400 . 402 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 403 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 404 May 2017, . 406 [RFC8445] Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive 407 Connectivity Establishment (ICE): A Protocol for Network 408 Address Translator (NAT) Traversal", RFC 8445, 409 DOI 10.17487/RFC8445, July 2018, 410 . 412 11.2. Informative References 414 [I-D.ietf-rtcweb-security-arch] 415 Rescorla, E., "WebRTC Security Architecture", draft-ietf- 416 rtcweb-security-arch-18 (work in progress), February 2019. 418 [I-D.ietf-rtcweb-transports] 419 Alvestrand, H., "Transports for WebRTC", draft-ietf- 420 rtcweb-transports-17 (work in progress), October 2016. 422 [RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot, G., 423 and E. Lear, "Address Allocation for Private Internets", 424 BCP 5, RFC 1918, DOI 10.17487/RFC1918, February 1996, 425 . 427 [RFC1919] Chatel, M., "Classical versus Transparent IP Proxies", 428 RFC 1919, DOI 10.17487/RFC1919, March 1996, 429 . 431 [RFC1928] Leech, M., Ganis, M., Lee, Y., Kuris, R., Koblas, D., and 432 L. Jones, "SOCKS Protocol Version 5", RFC 1928, 433 DOI 10.17487/RFC1928, March 1996, 434 . 436 [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy 437 Extensions for Stateless Address Autoconfiguration in 438 IPv6", RFC 4941, DOI 10.17487/RFC4941, September 2007, 439 . 441 [RFC6146] Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful 442 NAT64: Network Address and Protocol Translation from IPv6 443 Clients to IPv4 Servers", RFC 6146, DOI 10.17487/RFC6146, 444 April 2011, . 446 [RFC7016] Thornburgh, M., "Adobe's Secure Real-Time Media Flow 447 Protocol", RFC 7016, DOI 10.17487/RFC7016, November 2013, 448 . 450 [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer 451 Protocol (HTTP/1.1): Message Syntax and Routing", 452 RFC 7230, DOI 10.17487/RFC7230, June 2014, 453 . 455 [RFC7478] Holmberg, C., Hakansson, S., and G. Eriksson, "Web Real- 456 Time Communication Use Cases and Requirements", RFC 7478, 457 DOI 10.17487/RFC7478, March 2015, 458 . 460 Appendix A. Change log 462 Changes in draft -12: 464 o Editorial updates from IETF LC review. 466 Changes in draft -11: 468 o Editorial updates from AD review. 470 Changes in draft -10: 472 o Incorporate feedback from IETF 102 on the problem space. 474 o Note that future versions of the document may define new modes. 476 Changes in draft -09: 478 o Fixed confusing text regarding enterprise TURN servers. 480 Changes in draft -08: 482 o Discuss how enterprise TURN servers should be handled. 484 Changes in draft -07: 486 o Clarify consent guidance. 488 Changes in draft -06: 490 o Clarify recommendations. 492 o Split implementation guidance into two sections. 494 Changes in draft -05: 496 o Separated framework definition from implementation techniques. 498 o Removed RETURN references. 500 o Use origin when determining local IPs, rather than a well-known 501 IP. 503 Changes in draft -04: 505 o Rewording and cleanup in abstract, intro, and problem statement. 507 o Added 2119 boilerplate. 509 o Fixed weird reference spacing. 511 o Expanded acronyms on first use. 513 o Removed 8.8.8.8 mention. 515 o Removed mention of future browser considerations. 517 Changes in draft -03: 519 o Clarified when to use which modes. 521 o Added 2119 qualifiers to make normative statements. 523 o Defined 'proxy'. 525 o Mentioned split tunnels in problem statement. 527 Changes in draft -02: 529 o Recommendations -> Requirements 531 o Updated text regarding consent. 533 Changes in draft -01: 535 o Incorporated feedback from Adam Roach; changes to discussion of 536 cam/mic permission, as well as use of proxies, and various 537 editorial changes. 539 o Added several more references. 541 Changes in draft -00: 543 o Published as WG draft. 545 Author's Address 547 Justin Uberti 548 Google 549 747 6th St S 550 Kirkland, WA 98033 551 USA 553 Email: justin@uberti.name