- From: Glenn Maynard <glenn@zewt.org>
- Date: Wed, 23 Mar 2011 19:06:16 -0400
On Wed, Mar 23, 2011 at 6:25 PM, Harald Alvestrand <harald at alvestrand.no> wrote:
> The STUN server is used to obtain your own "public" IP address, for
> constructing candidate lists.
> The STUN server is not involved in the ICE handshake.

The STUN server is not. I believe the STUN *protocol* (packet format), however, is. See RFC5245 section 2.2 "Connectivity Checks".

On Wed, Mar 23, 2011 at 6:43 PM, Ian Hickson <ian at hixie.ch> wrote:
> directly. The concern is presumably about whether the TURN server, the
> remote peer, and the page origin can collude to cause the browser to
> attack the victim directly.

From a *cursory* (an hour or so) examination of the ICE and STUN protocols, it appears that even if the web server, STUN/TURN server(s) and a remote peer are hostile, it should not be possible to convince a user's browser (via its ICE agent) to send packets to an arbitrary IP and port. It should only be possible to send packets to an IP which has handshaked a port via ICE. Obviously, this needs to be confirmed by an expert in these protocols.

*If* that's accurate, does that remove the masking requirement? 16 bytes per packet is significant overhead to pay if it's not needed.

-- 
Glenn Maynard
Received on Wednesday, 23 March 2011 16:06:16 UTC
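The gating rule Glenn describes (media goes only to a candidate whose STUN connectivity check succeeded, RFC 5245 section 2.2) can be modelled in a few dozen lines. The following is an added example written for this archive page; it is not code from the thread, from any browser, or from any ICE library. It assumes a simplified RFC 5389 encoding with MESSAGE-INTEGRITY (HMAC-SHA1 keyed with the ICE password) and FINGERPRINT, short-term credentials where request and response share the same key, no XOR-MAPPED-ADDRESS, and constructed addresses from documentation ranges. The class name `IceAgent` and the scenario values are assumptions.

```python
import hashlib
import hmac
import os
import struct
import zlib

MAGIC_COOKIE = 0x2112A442          # RFC 5389 fixed header value
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E       # RFC 5389: CRC-32 XOR'ed with this value


def _attr(atype, value):
    """Encode one TLV attribute, padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_stun(msg_type, txn_id, password, attrs=()):
    """Header + attributes, then MESSAGE-INTEGRITY and FINGERPRINT appended."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    # While the HMAC is computed, the length field already counts the 24-byte MI attribute.
    hdr = struct.pack("!HHI12s", msg_type, len(body) + 24, MAGIC_COOKIE, txn_id)
    body += _attr(ATTR_MESSAGE_INTEGRITY, hmac.new(password, hdr + body, hashlib.sha1).digest())
    # Likewise the CRC is computed with the length counting the 8-byte FINGERPRINT attribute.
    hdr = struct.pack("!HHI12s", msg_type, len(body) + 8, MAGIC_COOKIE, txn_id)
    body += _attr(ATTR_FINGERPRINT, struct.pack("!I", zlib.crc32(hdr + body) ^ FINGERPRINT_XOR))
    return hdr + body


def parse_stun(data):
    """Return (msg_type, txn_id, {attr_type: value}) or None if this is not STUN."""
    if len(data) < 20:
        return None
    msg_type, length, cookie, txn_id = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or len(data) != 20 + length:
        return None
    attrs, pos = {}, 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        attrs[atype] = data[pos + 4:pos + 4 + alen]
        pos += 4 + alen + ((-alen) % 4)
    return msg_type, txn_id, attrs


def verify_integrity(data, password):
    """Recompute the HMAC over everything that precedes MESSAGE-INTEGRITY."""
    if parse_stun(data) is None:
        return False
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        if atype == ATTR_MESSAGE_INTEGRITY:
            hdr = data[:2] + struct.pack("!H", pos - 20 + 24) + data[4:20]
            expected = hmac.new(password, hdr + data[20:pos], hashlib.sha1).digest()
            return hmac.compare_digest(expected, data[pos + 4:pos + 24])
        pos += 4 + alen + ((-alen) % 4)
    return False


class IceAgent:
    """Assumed minimal model: a candidate is usable for media only after a valid response."""

    def __init__(self, remote_pwd):
        self.remote_pwd = remote_pwd  # key for our checks and for the peer's responses
        self.pending = {}             # txn_id -> candidate the check was sent to
        self.valid = set()            # candidates that passed a connectivity check

    def send_check(self, candidate, username):
        txn = os.urandom(12)          # 96-bit random transaction ID
        self.pending[txn] = candidate
        return build_stun(BINDING_REQUEST, txn, self.remote_pwd, [(ATTR_USERNAME, username.encode())])

    def on_packet(self, src, data):
        parsed = parse_stun(data)
        if parsed is None:
            return
        msg_type, txn, _ = parsed
        # Accept a success response only if it answers an outstanding check sent to src
        # and carries a MESSAGE-INTEGRITY computed with the peer's password.
        if msg_type == BINDING_SUCCESS and self.pending.get(txn) == src and verify_integrity(data, self.remote_pwd):
            self.valid.add(src)
            del self.pending[txn]

    def can_send_media(self, candidate):
        return candidate in self.valid


def run_scenario():
    """Constructed scenario: honest peer answers; a signalling-supplied candidate points at a non-ICE host."""
    remote_pwd = b"remotepass0123456789ab"          # constructed ICE password
    agent = IceAgent(remote_pwd)
    honest, bystander = ("203.0.113.10", 40000), ("192.0.2.7", 80)   # constructed addresses

    _, txn, _ = parse_stun(agent.send_check(honest, "rfrag:lfrag"))
    agent.on_packet(honest, build_stun(BINDING_SUCCESS, txn, remote_pwd))

    _, txn2, _ = parse_stun(agent.send_check(bystander, "rfrag:lfrag"))
    # The bystander is not an ICE agent and never answers; a reply that lacks the
    # correct key (here: produced with a different password) is discarded as well.
    agent.on_packet(bystander, build_stun(BINDING_SUCCESS, txn2, b"notthepassword"))
    return {"honest": agent.can_send_media(honest), "bystander": agent.can_send_media(bystander)}


if __name__ == "__main__":
    print(run_scenario())
```

The point the model makes concrete is the one Glenn raises: the candidate list can come from a hostile signalling path, but the agent only unlocks a destination after a keyed, transaction-matched response comes back from it, so a host that does not take part in the ICE exchange never receives media from the browser.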