[Standards] Re: Jingle bootstrapping

Kai Vehmanen kai.vehmanen at nokia.com
Tue Mar 6 14:05:28 UTC 2007


Hello,

On 05 March 2007, Thiago Camargo wrote:
>*** How this could a security issue? "the relay doesn't know 
>where your IP packet are going to come until it gets the first 
>packet". ***
>*** Actually we can request a forced relay to the media Relay 
>server ***

it means you have to authenticate that the flow of media/etc IP packets 
coming to the allocated relay port is really associated with the signaling
instance that allocated the port. This is really hard to do any other
way than with something similar to TURN. Your solution can of course 
do this already, but I'm arguing that it probably is very close to what
TURN does anyways.

>Again, in order to reliably query your public address, you 
>have to do this from the very source IP+port (and protocol -> 
>UDP for RTP) you are going to send media from. This is really 
>the only somewhat reliable way to do the query.
>
>*** That's exactly the way we are doing. ***

Yes, so you are in fact already using STUN (or some similar UDP protocol) 
to fetch the public address (assuming you are not sending XMPP over UDP 
from the RTP/media socket)?

>>There are reasons why the connectivity checks are 
>>authenticated in ICE - see B.4. of 
>>http://tools.ietf.org/html/draft-ietf-mmusic-ice-13
>
>*** That's why UDP ECHO that we use has a password and a 
>username in it.
>***

So it is no simpler than STUN, and UDP-ECHO is really not XMPP 
either, so you are basically reinventing STUN in a bit different way, right?
And really, STUN has been around for years (RFC3489), there are many 
open-source libraries implementing it... so why not use it?

-- 
first.surname at nokia.com (Kai Vehmanen)
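The query Kai describes, sent from the very UDP socket that will carry RTP, as an added example that is not part of this thread (Python; it uses the RFC 5389 message format rather than the older RFC 3489 one, and the localhost stand-in server and constructed addresses are assumptions so it runs offline):

```python
import os
import socket
import struct

# Added example (not code from the thread): RFC 5389 STUN Binding exchange.
MAGIC = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0101, 0x0020

def build_binding_request(txid):
    # 20-byte header, no attributes: type, length, magic cookie, transaction id
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC, txid)

def build_binding_success(txid, ip, port):
    # Server side: XOR-MAPPED-ADDRESS (IPv4) of the source the request came from
    xport = port ^ (MAGIC >> 16)
    xip = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xip)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC, txid) + attr

def parse_mapped_address(data, txid):
    # (ip, port) or None; the transaction-id check drops replies that are not ours
    if len(data) < 20:
        return None
    mtype, length, magic, rx_txid = struct.unpack("!HHI12s", data[:20])
    if mtype != BINDING_SUCCESS or magic != MAGIC or rx_txid != txid:
        return None
    pos, end = 20, min(20 + length, len(data))
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        body = data[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and body[1] == 0x01:
            port = struct.unpack("!H", body[2:4])[0] ^ (MAGIC >> 16)
            ip = struct.unpack("!I", body[4:8])[0] ^ MAGIC
            return socket.inet_ntoa(struct.pack("!I", ip)), port
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    return None

def loopback_exchange():
    # Stand-in server on localhost (assumed): queried from the RTP socket itself,
    # so with no NAT in between the mapped address equals that socket's own.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as server, \
            socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as media:
        server.bind(("127.0.0.1", 0))
        media.bind(("127.0.0.1", 0))
        txid = os.urandom(12)
        media.sendto(build_binding_request(txid), server.getsockname())
        req, src = server.recvfrom(1500)  # src: the address the server observes
        server.sendto(build_binding_success(req[8:20], *src), src)
        mapped = parse_mapped_address(media.recvfrom(1500)[0], txid)
        return mapped, media.getsockname()
```

Behind a NAT the same code returns the NAT's external IP:port for the media socket, which is the value that belongs in the candidate sent over the signaling channel.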
