Overview: Real Time Protocols for Browser-based Applications
draft-ietf-rtcweb-overview-19

Note: This ballot was opened for revision 18 and is now closed.

Ben Campbell Yes

Comment (2017-04-24 for -18)
I am balloting "yes", but I have a few minor comments:

Substantive Comments:

-2.2 : 
-- Why is a WebRTC gateway assumed to be a "compatible" endpoint rather than a full endpoint? I recognize a gateway is different from a typical end-user endpoint, but are there specific endpoint requirements that a gateway is not likely to meet? (Feel free to say "it's documented in the gateway draft...." :-) )

-- "In this case, similar security considerations as for Javascript may be needed; however, since such APIs are not defined or referenced here, this document cannot give any specific rules for those interfaces."
I am confused by this sentence, since I don't see any security considerations specific to Javascript in this draft, either.

-7
-- list item 2: Is it an open question whether a signaling gateway is needed for interacting with SIP devices?
-- Last paragraph: This is specifically about non-browser endpoints, right? As written, it seems to weaken the previous paragraph about browser endpoints, since the draft previously said the term "endpoint" includes both browsers and non-browsers.

-9, 2nd bullet: "Privacy concerns MUST be satisfied..."
Is that MAY really intended as normative, or is a statement of fact? If normative, what actor(s) does it constrain? Also, if it is normative, the clause "the APIs should be available" seems to weaken the MUST. 

Editorial Comments:

-2.3, last paragraph: The paragraph is a single, convoluted sentence that is hard to parse. (It's also a comma splice). Please consider breaking into multiple simpler sentences.

-3, first paragraph: This is also convoluted and hard to parse.

-7, list item 1: The citation to [3264] seems misplaced. It describes the offer/answer model, not SIP in general. I suggest moving the citation to after the word "semantics".

Alissa Cooper (was No Objection) Yes

Spencer Dawkins Yes

Comment (2017-04-26 for -18)
I've been waiting for this one, for a while. Thanks for finishing it. I'm a Yes, with comments.

I agree with EKR that there's a lot of general philosophy in this draft. I wouldn't ask that you pull all of it, but perhaps it could be trimmed down a bit.

This is a nit, but in this text,
 
   Other efforts, for instance the W3C WEBRTC, Web Applications and
   Device API working groups, focus on making standardized APIs and
   interfaces available, within or alongside the HTML5 effort,
   
it would be nice to have the names here match what's on the W3C website. So, "Web Real-Time Communication", "Web Application Security", and "Device and Sensors", unless I'm guessing at the mapping wrong. It's also easy to read that text with "Web Applications and Device API" as a single working group, so using a comma after "Web Application Security" would be helpful.

The term of art "floor control" is likely to be new to many readers in the future. Since it appears in a list of non-niche examples, maybe you don't need it at all?

I'm not sure whether "let a thousand flowers bloom" is a reference to the Hundred Flowers campaign in 1956, but (1) that ended very badly for the bloomers, and (2) I could easily imagine the phrase tripping DPI filtering for a specific part of the Internet community. Maybe there's a better phrase?

I'm not sure how tutorial you want section 4 to be, but I'd at least mention appropriate retransmission and in-order delivery, in addition to congestion control, since you get that with SCTP on the data channel.

4.  Data transport

   Data transport refers to the sending and receiving of data over the
   network interfaces, the choice of network-layer addresses at each end
   of the communication, and the interaction with any intermediate
   entities that handle the data, but do not modify it (such as TURN
   relays).

   It includes necessary functions for congestion control: When not to
   send data.
   
Or maybe you can just chop that sentence, because the next paragraph points to https://tools.ietf.org/html/draft-ietf-rtcweb-transports-06, anyway?

I found the reference to MMUSIC WG in

   3.  When a new codec is specified, and the SDP for the new codec is
       specified in the MMUSIC WG, no other standardization should be
       required for it to be possible to use that in the web browsers.

to be odd. MMUSIC may be around forever, but this work might be refactored at some point in the future. Is the point that 

   3.  When SDP for a new codec is specified, 
       no other standardization should be
       required for it to be used in the web browsers.
       
Or is there another way to say this?

I'm also wondering if the statement is true for any WebRTC endpoint, not just browsers.

In this text,

   WebRTC endpoints MUST implement the functions described in that
   document that relate to the network layer (for example Bundle
   [I-D.ietf-mmusic-sdp-bundle-negotiation], RTCP-mux [RFC5761] and
   Trickle ICE [I-D.ietf-ice-trickle]), but do not need to support the
   API functionality described there.
   
I would have thought these were related to the transport layer. No?

Adam Roach Yes

Comment (2017-08-10 for -18)
The GENART review contains a number of editorial nits to be addressed.

[Reminder to myself so it doesn't get lost: The reference to ICE needs to be updated to point to the existing RFC, not the -bis draft; this is based on EKR's earlier Discuss]

(Alia Atlas) No Objection

Deborah Brungard No Objection

(Benoit Claise) (was Discuss) No Objection

Comment (2017-04-27 for -18)
This topic below was discussed during the IESG telechat:

Reading from the document objectives, from the abstract:

   This document gives an overview and context of a protocol suite
   intended for use with real-time applications that can be deployed in
   browsers - "real time communication on the Web".

   It intends to serve as a starting and coordination point to make sure
   all the parts that are needed to achieve this goal are findable, and
   that the parts that belong in the Internet protocol suite are fully
   specified and on the right publication track.

Reading this, I was thinking: great, I will have the full overview.
With "deployed", "starting and coordination point to make sure that all the parts ..." I will have some focus on the operational aspects, basically, how should operators operate these browser-embedded applications.
Now, reading further ...

   This document is intended to serve as the roadmap to the WebRTC
   specifications.  It defines terms used by other parts of the WebRTC
   protocol specifications, lists references to other specifications
   that don't need further elaboration in the WebRTC context, and gives
   pointers to other documents that form part of the WebRTC suite.

... I thought: Ok, if not covered here, at least I will have a pointer to another operational document.
But wait:

   By reading this document and the documents it refers to, it should be
   possible to have all information needed to implement an WebRTC
   compatible implementation.

So is this only about implementation?

I like this document very much as it explains all the RTCWEB pieces in one location. However, there is one important piece missing: the network management considerations. See https://datatracker.ietf.org/doc/html/rfc5706#appendix-A
This is where I'm coming from, discussing some more with Warren (this is a cut and paste from this ballot):

    [ Edit: So, after more thought (and some discussion) I think that it would be useful for the document to at least note the fact that technologies like this mean that some of the existing operational practices may need to change. For example, many enterprises perform QoS based upon the fact that certain types of devices live in certain subnets (e.g many phones get placed in a specific VLAN using LLDP or CDP). With more real time content coming from browsers, these matching practices break, and so operators may not be able to QoS mark / prioritize traffic accordingly. Perhaps something like: "One of the implications of a solution like WebRTC is that more real-time traffic will be sourced from computers (and not dedicated devices like telephones or videoconferencing devices). This may have implications for operators performing QoS marking and prioritization" ? This isn't really specific to webrtc, but rather to a more general set of solutions like softphones and the like, but is accelerated by WebRTC. ]

In light of the previous discussions about draft-mm-wg-effect-encrypt-11, the operators are used to managing voice, video, gaming a certain way, with their operational current practices. Now, their current practices might not work any longer. What should they do now in terms of monitoring, troubleshooting, QoS, SLA monitoring, etc. these days with WebRTC?
While we should add this note (or a similar one) in the doc, I'm wondering: where are (should be) those operational aspects discussed, if not here?
I've seen https://tools.ietf.org/html/draft-ietf-tsvwg-rtcweb-qos-18, not sure it's appropriate. Anyway, it's now in an RFC-editor state.
I could have requested a specific manageability doc in the charter. Too late now.

Suresh Krishnan No Objection

Warren Kumari No Objection

Comment (2017-04-25 for -18)
Thank you -- I like these sort of overview documents for complex things like WebRTC - they provide a newcomer to the technology a good place to start, and help describe some of the reasons why things look the way they do.

[ Edit: So, after more thought (and some discussion) I think that it would be useful for the document to at least note the fact that technologies like this mean that some of the existing operational practices may need to change. For example, many enterprises perform QoS based upon the fact that certain types of devices live in certain subnets (e.g many phones get placed in a specific VLAN using LLDP or CDP). With more real time content coming from browsers, these matching practices break, and so operators may not be able to QoS mark / prioritize traffic accordingly. Perhaps something like: "One of the implications of a solution like WebRTC is that more real-time traffic will be sourced from computers (and not dedicated devices like telephones or videoconferencing devices). This may have implications for operators performing QoS marking and prioritization" ? This isn't really specific to webrtc, but rather to a more general set of solutions like softphones and the like, but is accelerated by WebRTC. ]


I do have a few comments on the document itself - these are all minor / bikeshedding and can be ignored if you choose:
1: "Development of The Universal Solution has proved hard, however, for all the usual reasons."
 -- this is cute, but leaves people wondering what "all the usual reasons" are. Perhaps just "Development of The Universal Solution has, however, proved hard." (or just cut after the "however" in the original).

2: I'm not sure why you have "Protocol" in the terminology section. It doesn't seem like it is useful for the document, and this document doesn't seem like the right place to (re) define it.

3: Acknowledgements: 
Funny spacing in "Olle E.     Johansson"

Mirja Kühlewind No Objection

Comment (2017-04-24 for -18)
One high-level comment on normative language:
While I think this document is very useful to explain the relationship between the other webrtc documents and serves as a good starting point for an implementor, I'm not sure if the use of normative language is actually helpful. Most of the language is used to say that a webrtc endpoint MUST implement a certain other document. However, I believe this is inherently necessary to achieve interoperability. So I don't see a need to specify this normatively.

In regard to the shepherd write-up, I just want to note that using normative language does not automatically make the document Standards Track; there are many informational docs that use normative language. As such, I don't want to raise a big discussion on status now, but this document sounds more informational to me (giving pointers to other documents). However, I don't object to publication on Standards Track.

minor comments:
1) I would not need all the text on the history of Internet communication in this doc (especially all text on page 3 in the intro as well as section 2.3 and the second to last paragraph in 3)... however, I guess it doesn't hurt

2) Agree with Warren that 'Protocol' probably doesn't need to be (re)defined in this doc

3) section 3: 
"Data transport: TCP, UDP and the means to securely set up
      connections between entities, as well as the functions for
      deciding when to send data: Congestion management, bandwidth
      estimation and so on."
This seems to implicitly assume that only TCP or something encapsulated over UDP can be used. Even though that might be true, I assume this was not intentional, maybe:
NEW
"Data transport: such as TCP or UDP and the means to securely set up
      connections between entities, as well as the functions for
      deciding when to send data: Congestion management, bandwidth
      estimation and so on."

nit:
-"massage the signals": not sure if "massage" is actually a meaningful word here…

Terry Manderson No Objection

Alexey Melnikov No Objection

Comment (2017-04-20 for -18)
Last time I checked the document is referencing normatively 2 expired drafts (security considerations and security architecture). What is the plan for completing them?

(Kathleen Moriarty) No Objection

Comment (2017-04-25 for -18)
Thanks for your work on this draft, it's a helpful overview.  I see the reasoning in the shepherd report for standards track (although it reads more like an informational draft), but am curious if the standards track status is needed for other SDOs that might reference this document?  

In reading sections 8 & 9, I would think the presentation and control in section 8 would have the privacy implications of the second bullet in section 9.  As such, it seems odd that normative language is used in this bullet and not in section 8.  I'd be fine with no normative language in either as long as the protocol drafts cover that appropriately.  Some mention of privacy in section 8 could be helpful since it covers more ground than the example in section 9.

Security considerations: I don't see anything listed for security or privacy considerations in respect to the signaling channel to the web/application server.  Should there be considerations listed?  Security of the actual server and content on the server as well as vulnerabilities in listening protocols are just a few of the questions that come to mind.  If it doesn't matter, please let me know.  I appreciate the comment on the browser being target rich as they have been in many attacks to gain entry into networks leveraging established outbound sessions.  Maybe this is covered in I-D.ietf-rtcweb-security and if so (have not had a chance to review it yet), a high-level mention of gateway security here might be helpful.

I agree with Warren's comment about the management aspects being covered here since it is an overview document.  It could be a very helpful consideration for protocol developers that may devise new ways to enable management as a result of understanding the issues.

I had to look up jingle and BOSH, you may want to consider adding references to the XMPP specifications.

Eric Rescorla (was Discuss) No Objection

Comment (2017-08-10 for -18)
UPDATE: Removing my discuss. Will let Adam manage this from here.

This document seems rather long on philosophy (justifying MTI,
the freedom to innovate material in S 4.) I would remove all this.


S 2.4.
Why do you have two terminology sections? I would merge them.


S 3.
The diagrams here seem to assume a federation model that I
generally don't see used with WebRTC. So, for instance,
the on-the-wire protocols arrow on page 9. Who does that?
This also applies to "a commonly imagined model"

I would say HTTP(S) in this diagram.

You should probably list DTLS, SCTP, and SDP in this section. It's
not like we haven't decided we need them.

"The functionality groups that are needed in the browser can be
 specified, more or less from the bottom up, as:
 ...
 Connection management: ... SIP and Jingle/XMPP belong in this category."

As far as I know, nothing in this layer is specified in WebRTC
or implemented in the browser, so this doesn't seem to make
sense.

Alvaro Retana No Objection