IETF Logo Mail Archive

Re: [BEHAVE] [rtcweb] URI schemes for TURN and STUN

Marc Petit-Huguenin <petithug@acm.org> Sun, 30 October 2011 15:34 UTC

Return-Path: <petithug@acm.org>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E335321F8569 for <behave@ietfa.amsl.com>; Sun, 30 Oct 2011 08:34:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.652
X-Spam-Level:
X-Spam-Status: No, score=-101.652 tagged_above=-999 required=5 tests=[AWL=-0.269, BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, RCVD_IN_PBL=0.905, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 66A4W0YpEEyg for <behave@ietfa.amsl.com>; Sun, 30 Oct 2011 08:34:38 -0700 (PDT)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id 0FA8F21F84BC for <behave@ietf.org>; Sun, 30 Oct 2011 08:34:38 -0700 (PDT)
Received: from [192.168.42.25] (mfd0536d0.tmodns.net [208.54.5.253]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN "petithug", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 7797720371; Sun, 30 Oct 2011 15:25:57 +0000 (UTC)
Message-ID: <4EAD6E87.6000508@acm.org>
Date: Sun, 30 Oct 2011 11:34:31 -0400
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20111010 Icedove/3.1.15
MIME-Version: 1.0
To: Keith Moore <moore@network-heretics.com>
References: <4EAC6BF4.2000604@alvestrand.no> <CALiegf=f4kFzyDLWK+Y5vbuCEJFXX590+VuZ4bbnHZnvX0CoBA@mail.gmail.com> <4EAC8AE0.3020307@acm.org> <4EACD558.1050003@alvestrand.no> <8E6C5B0D-2161-4D14-9BEE-7B41998CDB7E@network-heretics.com>
In-Reply-To: <8E6C5B0D-2161-4D14-9BEE-7B41998CDB7E@network-heretics.com>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Cc: Keith Moore <moore@cs.utk.edu>, Harald Alvestrand <harald@alvestrand.no>, Behave WG <behave@ietf.org>, Ned Freed <ned.freed@mrochek.com>, Iñaki Baz Ca stillo <ibc@aliax.net>
Subject: Re: [BEHAVE] [rtcweb] URI schemes for TURN and STUN
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Oct 2011 15:34:43 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/30/2011 12:44 AM, Keith Moore wrote:
> 
> On Oct 30, 2011, at 12:40 AM, Harald Alvestrand wrote:
> 
>> On 10/29/2011 04:23 PM, Marc Petit-Huguenin wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 10/29/2011 03:36 PM, Iñaki Baz Castillo wrote:
>>>> 2011/10/29 Harald Alvestrand<harald@alvestrand.no>:
>>>>> - I do not think it's appropriate to use "turn" and "turns" for indicating
>>>>> transport. Polluting the URI namespace with more configuration parameters in
>>>>> the form of trailing "s" is a Bad Thing.
>>>> But there should be some way to indicate that a TURN server listens in
>>>> TLS, right?
>>>>
>>> We should continue this discussion in BEHAVE, but I would like to ask the OP to
>>> send a pointer on the RFC or discussion that says that using a trailing "s" to
>>> indicate security is a bad thing.
>> I'll have to forward this question to the apps ADs of a few years ago about whether there's documentation for it. It does not seem to have been captured in an RFC that I can find; discussion was in the ~2000-2005 timeframe.
>>
>> The short version, from memory: Doing "s" locks you into one and exactly one security scheme, and prevents you from saying anything about the requisite parameters for that scheme, while using AUTH parameters such as POP or in-band negotiation such as IMAP  are much more flexible approaches.
> 
> Security schemes change over time as new (presumably better) ones appear, and vulnerabilities are discovered in old ones.   There's nothing inherently wrong with having a URI scheme end in "s".  But it's a Bad Idea to promote the notion that "s" means "security".
> 

I understand the "s" suffix as meaning "the transport to the next app level hop
MUST be secure", which actually means TLS, but it could be anything else.  I
agree that it would have been a better idea to define a scheme separator like in
[1], to not have to register multiple schemes (i.e. "sip+s:", "http+s:",
"turn+s:", etc...).  Similarly, one can define a suffix (say +sec) that means
e2e security like in [2].  That would give "sip+sec:" for e2e SIP security, and
"turn+sec:" for a secure transport and allocation.


[1] http://tools.ietf.org/html/draft-wood-tae-specifying-uri-transports
[2] http://tools.ietf.org/html/draft-gurbani-sip-sipsec

- -- 
Marc Petit-Huguenin
Personal email: marc@petit-huguenin.org
Professional email: petithug@acm.org
Blog: http://blog.marc.petit-huguenin.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk6tboMACgkQ9RoMZyVa61eTTACgoDKJ5LQ1KFwFH1Epnc2x/iH4
x90AoJ+ogURbCcw682se9lj+luF1gQgs
=MfbQ
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email