Re: Restrict local UDP ports in browser "advanced settings"

2013/10/14 Harald Alvestrand <harald@alvestrand.no>:
> On 10/14/2013 06:34 AM, Iñaki Baz Castillo wrote:
>
> Hi,
>
> I have a public IP in my computer which runs some UDP daemons (i.e. a
> SIP server). I don't want to expose such a SIP server to all the world
> so I set iptables to block incoming UDP traffic (unless it is in
> response to UDP traffic sent from my computer to the exact origin of
> the incoming one).
>
> The problem is that with WebRTC I must be able to listen in any local
> UDP port, and thus I cannot set iptables.
>
>
>> WebRTC initialization should always begin with an ICE packet coming from
>> your computer.
>> Doesn't it work to set "related" for UDP?
>>
>> http://www.iptables.info/en/connection-state.html#UDPCONNECTIONS shows some
>> description (and says that the default timeout is 180 seconds, which should
>> be enough for WebRTC's choice of keepalives).


Hi Harald, perhaps I did not explain well. Let me expose a REAL case:

- Alice's browser with public IP.

- Bob's browser behind NAT.

- Alice runs a SIP server on her computer, and blocks incoming UDP
traffic to port 5060 unless it comes from some trusted IPs.

- So Alice does not want to expose her UDP 5060 to all the world.

- Alice does not want to expose all her UDP ports to the world either,
just 10000-10100 for WebRTC, and leave the others for other purposes.


Now imagine that Alice blocks all the incoming UDP traffic (yes, I
know, it would not block the "related" incoming traffic):

- Alice and Bob start ICE stuff.

- Alice cannot reach Bob (behind NAT).

- Bob cannot reach Alice (iptables).

- No ICE success.


That is, it seems that WebRTC is made by assuming that all the
browsers are behind NAT. That is not true, and will be even less true
when IPv6 arrives. And people with a public IP should not just leave all
the UDP ports open (because there are people running UDP services on
personal computers).

And thus, the need for rtp-port-min and rtp-port-max in browser settings.

Regards.



-- 
Iñaki Baz Castillo
<ibc@aliax.net>

Received on Tuesday, 15 October 2013 06:15:37 UTC
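The connectivity-check scenario in the message above, as an added Python model that is not code from the thread: Alice's inbound UDP policy is switched between the three options discussed (drop everything, ESTABLISHED-only as Harald suggests, and a 10000-10100 range as the requested setting would allow), Bob sits behind an assumed address-restricted NAT, and every address and port is constructed.

```python
# Added model of the scenario in this thread (not code from the thread).
# Alice has a public IP and an iptables policy; Bob is behind an
# address-restricted NAT. UDP conntrack is modelled as iptables does it:
# an outbound datagram creates an entry and a later inbound one that matches
# the reversed tuple counts as ESTABLISHED. All addresses are constructed.

ALICE = ("198.51.100.10", 10050)     # Alice's host candidate (public IP)
BOB_PRIV = ("192.168.1.5", 40000)    # Bob's host candidate (private)
BOB_NAT_IP = "203.0.113.7"           # Bob's NAT external address

# Alice's inbound UDP policies: (src, dst, conntrack) -> accept?
POLICIES = {
    "drop_all": lambda src, dst, ct: False,                # the thread's scenario
    "established": lambda src, dst, ct: (dst, src) in ct,  # --ctstate ESTABLISHED
    "range_10000_10100": lambda src, dst, ct: 10000 <= dst[1] <= 10100,  # requested setting
}

class RestrictedNat:
    """Endpoint-independent mapping, address-dependent filtering."""
    def __init__(self, public_ip):
        self.public_ip, self.mapped, self.peers = public_ip, {}, set()

    def outbound(self, src_priv, dst):
        port = self.mapped.setdefault(src_priv, 50000 + len(self.mapped))
        self.peers.add((src_priv, dst[0]))   # remember who Bob has talked to
        return (self.public_ip, port)

    def inbound(self, src, dst_pub):
        priv = next((p for p, m in self.mapped.items() if m == dst_pub[1]), None)
        return priv is not None and (priv, src[0]) in self.peers

def ice_checks(policy, rounds=2):
    """Run ICE connectivity checks; report which directions got through."""
    accept, ct, nat = POLICIES[policy], set(), RestrictedNat(BOB_NAT_IP)
    # Gathering: Bob's STUN Binding created his mapping; Alice got it via SDP.
    bob_srflx = nat.outbound(BOB_PRIV, ("192.0.2.1", 3478))
    delivered = {"alice_to_bob": False, "bob_to_alice": False}
    for _ in range(rounds):
        ct.add((ALICE, bob_srflx))                  # Alice's check goes out
        if nat.inbound(ALICE, bob_srflx):
            delivered["alice_to_bob"] = True
        src = nat.outbound(BOB_PRIV, ALICE)         # Bob's check goes out
        if accept(src, ALICE, ct):
            delivered["bob_to_alice"] = True
    return delivered

def ice_succeeds(policy):
    return all(ice_checks(policy).values())
```

Under "drop_all" Bob's own check opens his NAT, so Alice's second check does arrive, but Bob's reply never passes Alice's firewall and ICE still fails; under either of the other two policies an unsolicited datagram to port 5060 is still rejected.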