Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt
Simon Perreault <simon.perreault@viagenie.ca> Fri, 26 April 2013 08:12 UTC
Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3255821F97F9 for <behave@ietfa.amsl.com>; Fri, 26 Apr 2013 01:12:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c1C+3g7vv5eL for <behave@ietfa.amsl.com>; Fri, 26 Apr 2013 01:12:15 -0700 (PDT)
Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by ietfa.amsl.com (Postfix) with ESMTP id DEDAD21F97F6 for <behave@ietf.org>; Fri, 26 Apr 2013 01:12:03 -0700 (PDT)
Received: from porto.nomis80.org (unknown [193.49.160.97]) by jazz.viagenie.ca (Postfix) with ESMTPSA id F3886469B1; Fri, 26 Apr 2013 04:12:02 -0400 (EDT)
Message-ID: <517A36D2.6040504@viagenie.ca>
Date: Fri, 26 Apr 2013 10:12:02 +0200
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130402 Thunderbird/17.0.5
MIME-Version: 1.0
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
References: <913383AAA69FF945B8F946018B75898A149778C5@xmb-rcd-x10.cisco.com> <5177968F.6050805@viagenie.ca> <913383AAA69FF945B8F946018B75898A14978FF1@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A14978FF1@xmb-rcd-x10.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2013 08:12:17 -0000
Le 2013-04-25 20:44, Tirumaleswar Reddy (tireddy) a écrit : >> - "TURN authentication" doesn't exist. It's "STUN authentication" >> that you're talking about. TURN just uses STUN auth. > > Yes, TURN uses the authentication mechanism specified in STUN. TURN > authentication is required because resources will be allocated on the > TURN server, whereas with STUN there are no resources allocated on > the STUN server. The STUN server is stateless and is only responding > to the request from the client. Though both techniques need > authentication for integrity protection of request and response. But > there are STUN servers deployed without authentication and if the > endpoints use DTLS-SRTP then there may not be a problem even if > man-in-middle device modifies the STUN response. > > But TURN servers let's say deployed in DMZ need authentication. I understand all that, but that's not the point. The point is that "TURN authentication" does not *exist*. All the problems you have identified apply to *STUN* authentication, which is defined in the *STUN* RFC. The fact that the Allocate request is more likely than the Binding request to be identified by a server administrator as needing auth protection is completely irrelevant, except perhaps in the introduction, or an operational considerations section. >> - In section "4. Problems with TURN Authentication", what's the >> difference between problems 1 and 2 ? > > [TR] Problem 1 seem to be possible even if strong password is used. > since password does not change frequently, the attacker could keep > trying a number of candidate passwords. [/TR] Doesn't that characteristic also apply to problem 2? >> - About the above: wasn't this all well known and accepted at the >> time STUN auth was being designed ? > > May be the authors of STUN/TURN could answer this question, if these > attacks were previously discussed or not in WG. If TURN over TLS is > used it would solve the problem; but it would impact sending media > over TCP and could introduce delays which are directly noticeable. DTLS? >> - I have encountered another problem: it's impossible to host >> multiple realms on a single IP address. When the server needs to >> send the REALM attribute in response to an unauthenticated request, >> it has no useful information for determining which realm it should >> send, except the destination address of the request. This sucks, >> IPv4 addresses being not exactly free... > > Good point. For web Authentication, destination IP address helps to > pick different REALM, but with TURN the only information available is > the Source IP. Exactly! I guess (D)TLS would solve that issue with the server_name extension [RFC6066]. >> I'm very interested in hearing about any solution you may have in >> mind... > > we are still discussing the solutions, some of them already being > discussed in PCP WG that needs to be evaluated for TURN are > EAP-over-TURN, PANA etc. I don't think we can rely on the PCP stuff also applying to STUN. The environments are very different, both on servers and clients. Anyway, I would appreciate being involved in that discussion. Thanks, Simon -- DTN made easy, lean, and smart --> http://postellation.viagenie.ca NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca
- [BEHAVE] FW: New Version Notification for draft-r… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] FW: New Version Notification for dra… Simon Perreault
- Re: [BEHAVE] FW: New Version Notification for dra… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] FW: New Version Notification for dra… Simon Perreault
- Re: [BEHAVE] FW: New Version Notification for dra… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] FW: New Version Notification for dra… Simon Perreault
- Re: [BEHAVE] FW: New Version Notification for dra… Alper Yegin