Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TAG Review Request: RTCIceTransport & RTCQuicTransport #296

Closed
shampson opened this issue Jul 26, 2018 · 7 comments

Comments

Projects
None yet
9 participants
@shampson
Copy link

commented Jul 26, 2018

Bonjour TAG,

I'm requesting a TAG review of:

You should also know that...

[please tell us anything you think is relevant to this review]

We'd prefer the TAG provide feedback as (please select one):

  • open issues in our Github repo for each point of feedback
  • open a single issue in our Github repo for the entire review
  • leave review feedback as a comment in this issue and @-notify [github usernames]
@hadleybeeman

This comment has been minimized.

Copy link

commented Sep 4, 2018

Hi! Thanks for this. It would help us a lot if you could explain what problem you want to solve and what the use cases are? You've clearly put thought into the detail, but it's hard for us to work with that when we're not sure where on the big picture you're focusing.

Our explainer explainer might help with this.

@plinss plinss added this to the 2018-09-11-telcon milestone Sep 4, 2018

@martinthomson

This comment has been minimized.

Copy link

commented Sep 5, 2018

I'm adding this comment here, because I think that this needs attention from the TAG (and probably a broader audience, but we'll start with the TAG).

Background

These two specifications are very different, and should probably be the subject of separate analyses, but it is convenient that they appear together. I'll get back to QUIC later, but I want to first look at ICE.

The WebRTC WG has, for a number of years, been dedicated to establishing peer-to-peer communications. ICE is a fundamental part of that. ICE exists primarily to facilitate connection establishment in challenging network conditions (NATs, etc...). It does this by testing all possible communication paths, looking for the best one that works. The part that I want to focus on here is its function in providing confirmation of a willingness to communicate. As part of the testing process, ICE also confirms that the entity at the other end understands the communication and consents to it continuing.

For classic WebRTC uses cases, ICE exists primarily as a defense against denial of service: you don't want to be responsible for sending a fat stream of video to someone who doesn't want it. This is what ensures that web browsers can't be turned into a DoS platform.

The ICE transport spec represents an effort by the WebRTC community to provide lower-level tools for web developers. This is complementary to other efforts to decompose the giant ball of wax that is WebRTC into reusable components.

Consent to Communicate on the Web

We most often think of consent to communicate in the context of CORS. User agents use CORS to confirm that the server understands and is willing to continue communication. Though we let some requests through for legacy reasons, we first confirm (with a preflight request) that the server consents to receiving the request.

Some of the more onerous and awkward provisions in CORS derive from it being retrofitted to the web. The web for a long time didn't have programmatic access to HTTP requests, and a number of servers were deployed that were not prepared for that access. This was worst in cases where servers made the (bad) assumption that access to the network was sufficient for authorization. If browsers allowed random sites to generate requests toward those internal servers without checking first, bad things would happen.

The parallels between ICE and CORS is something that earlier versions of WebRTC didn't really concern themselves with. WebRTC 1.0 is a relatively high-level API that provides the ability to exchange media and data between peers. In that narrow context, limiting the consent function of ICE to simple denial-of-service protection makes sense.

ICE and Raw Socket Access

If we look at ICE as a more fundamental building block, we end up with new possibilities. We've struggled in the past with APIs that enabled raw socket access (such as the TCP and UDP socket API). ICE presents an option that would enable those uses.

The primary concern with those previous attempts is in exposing a capability to the web platform that enables communications with arbitrary, unprepared hosts. The scope of problems with CORS would be a pale shadow of the problems with services that operate at the next layer down in the stack.

ICE provides a way of verifying that a peer is willing to communicate. That suggests that it might be used to enable communication for more than just WebRTC. Sure, you aren't going to enable access to existing services without first teaching them how to indicate their consent to communicate, but that's the feature we needed. The consent parts of ICE are fairly simple, and deploying them could allow new services to become web-accessible.

The RTCIceTransport spec makes no effort to address these possibilities. It says nothing about how it might be used, which leaves the field fairly open. It probably assumes the narrow set of existing peer-to-peer use cases. Given that this could enable much more, some consideration of its broader applicability is wise. For instance, though it might enable DNS to UDP port 53, I would argue that it shouldn't on the basis that we should not be enabling the creation of unencrypted and unauthenticated communications channels from the web.

The Role of QUIC

As a generic building block, ICE has some fairly dire limitations. ICE relies on some out-of-band arrangement (in RTC terms, a signaling channel) that establishes session identifiers (in ICE terms ufrag and password) that are used to indicate consent. That makes it difficult to use. Servers that want to provide their own access would need to provide an HTTP server that provided a rendezvous capability.

QUIC presents a new possibility. Right now, deployment of QUIC is non-existent in its standardized form. The QUIC handshake provides the same sort of consent that ICE provides, without the awkward signaling requirements. So it is possible that we could decide that the web could support direct QUIC connections from browsers.

That is, direct access to QUIC connections, with no additional protections other than its inherent consent-to-communicate mechanisms and an expectation that QUIC deployments do not assume that access to the network implies authorization. That might be too risky, but a simple flag in the QUIC handshake would be all we need to signal consent to communicate with a web browser. No need for ICE, except where it is necessary for establishing peer-to-peer communications.

That's a discussion I think that we should have with our friends at the IETF. I don't think that shipping an RTC-based API for QUIC is advisable without having some discussion of the more fundamental issues (and possibilities).

That discussion might take some time, because it's not currently a priority for the QUIC WG. At least, that is my understanding, but you could check with @mnot and @larseggert for a more authoritative view on that, I'm merely a document editor.

One immediate consequence of this for the proposed QUIC API is in the way in which it does authentication. The mechanisms presently replicate the mechanisms we have for peer-to-peer, which would not fit with a more generic model. They assume that the site that oversees the signaling is trusted to decide identity and do not attribute any particular identity to communication peers (absent other work, which allows that authority to be shifted to a third party).

Of course, there are many other things to consider here, such as how an API like this potentially results in multiple connections from the same browser to the same server because multiple origins use the same capability, or how this might interact with the service worker lifecycle.

Other Issues

These are relatively minor concerns, but I thought I append them anyway, so there is a record in text. The editors of the WebRTC QUIC API spec (and chairs of the WG) haven't been particularly receptive to these comments, and will no doubt provide some defense, but I'll list them anyway. These are minor points relative to the rest of this, but it's worth pointing out.

  1. QUIC isn't finished. The IETF getting closer to finishing the core transport, but the protocol is still subject to change. In particular, there are very few HTTP/QUIC implementations, so we are concerned that we might learn something important. The response to this has been something like "we intend to be ready when QUIC is and the basic API contracts seem to be stable". That is fine for experiments, but it seems like there is shipping code, or there soon will be. That might have long-term consequences. Waiting a little is probably wise.

  2. If the QUIC API contracts are stable, then the API is failing to implement them. Critically, it fails to provide support for unidirectional streams. As a low-level API, it might also be necessary to allow more control over other protocol features like transport parameters, ALPN, and the aforementioned authentication snarl. The API doesn't do anything for 0-RTT either, though here I agree with the spec editors: 0-RTT is hard, so deferring support is sensible.

  3. The QUIC API uses the same awful flow control mapping pioneered by websockets. Websockets was developed before streams existed, but that is no reason to keep the bad API. The solution to the consistency problem is to retrofit streams on websockets, not to propagate its infidelities.

@larseggert

This comment has been minimized.

Copy link

commented Sep 5, 2018

+1 on @martinthomson's comment that it is premature to ship a derivative spec without a more fundamental discussion in the IETF first.

I do appreciate the interest in QUIC and the desire to move fast, but that discussion needs to happen after we ship the first standard version of QUIC (likely by end of the year.) The IETF WG is 100% focused on ironing out the final design nits and interop issues, and taking time away from that will not be the right decision for us at the moment.

@alvestrand

This comment has been minimized.

Copy link

commented Sep 5, 2018

I suggest to re-do the submission and make separate TAG reviews for ICETransport (a relatively minor extension of an existing WebRTC API, based on previous work in the ORTC CG) and QUICTransport (a new API for a new transport protocol, which will change as the underlying stuff evolves).

We have been told to seek TAG review early, so I think it's appropriate to seek guidance on the shape of the QUIC interface now, rather than waiting until the IETF work on 1.0 is done. Experimentation is happening.

@ekr

This comment has been minimized.

Copy link

commented Sep 5, 2018

Who is the "We" who is seeking TAG review? I know there is experimentation going on at some companies, but this is not a work item of any W3C WG.

This was referenced Sep 7, 2018

@shampson

This comment has been minimized.

Copy link
Author

commented Sep 7, 2018

I've separated the TAG review into two reviews - one for ICE and one for QUIC. We can close this issue, and move the discussion into those.

@plinss plinss closed this Sep 18, 2018

@pthatcherg

This comment has been minimized.

Copy link

commented Oct 5, 2018

A few of my thoughts in response to the comments:

  1. This spec isn't part of the WebRTC WG, but it is part of the ORTC CG. Do TAG reviews ever take place for CG specs?

  2. Support for unidirectional streams is being added now.

  3. I agree ALPN and 0-RTT would be nice, but there are many uses of RTCQuicTransport that don't need those, and they can easily be added later.

  4. The current RTCQuicTransport API is very different than the websocket one. If you want WHATWG streams, then a clear reason why would be appreciated (saying "don't be like websockets" isn't useful).

  5. As for authentication using ICE+QUIC, I don't think it changes the story at all as compared to ICE+DTLS+SCTP, which is completely possible today. If an endpoint doesn't want to speak ICE+QUIC, they can reject it the same way they reject ICE+DTLS+SCTP today. If started talking about dropping ICE and allowing client<->server QUIC without ICE, then we'd obviously have to make sure that such a thing followed CORS, because that's completely different.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.