Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 25 April 2013 18:44 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F2FF21F8A18 for <behave@ietfa.amsl.com>; Thu, 25 Apr 2013 11:44:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X38EeQQ3Zjuw for <behave@ietfa.amsl.com>; Thu, 25 Apr 2013 11:44:28 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 4DA2821F89DB for <behave@ietf.org>; Thu, 25 Apr 2013 11:44:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3093; q=dns/txt; s=iport; t=1366915468; x=1368125068; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=39sRkKZ5wdWpjrW26b9ZyhmOtSFwTIpvjNZMkBENAu8=; b=hYMT/PBXek0rcZe0z7+7dxBe5fuimsCePUV2UCPfTveacOe2Ksg9XCyG rInW6ZK9eCwzJ79vT99EBvPNixnSYQmSJ5xG02gKhQTAGscm6hMmce4kR vjdbwF0Iap/X2evCFatWAiHW6D7SW0RbkMuJN33KBNhWRK0X5JziJHH6I A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgIFADh4eVGtJXHB/2dsb2JhbABRgwa+ZIEEFnSCHwEBAQMBdw4EAgEIEQQBAQsODwcyFAgBCAIEARIIE4dzBr5VjwQ4BhKCVWEDiFmfZYFYgTaCKA
X-IronPort-AV: E=Sophos;i="4.87,552,1363132800"; d="scan'208";a="202925467"
Received: from rcdn-core2-6.cisco.com ([173.37.113.193]) by rcdn-iport-1.cisco.com with ESMTP; 25 Apr 2013 18:44:25 +0000
Received: from xhc-rcd-x13.cisco.com (xhc-rcd-x13.cisco.com [173.37.183.87]) by rcdn-core2-6.cisco.com (8.14.5/8.14.5) with ESMTP id r3PIiP59002564 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 25 Apr 2013 18:44:25 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.150]) by xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.02.0318.004; Thu, 25 Apr 2013 13:44:25 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Simon Perreault <simon.perreault@viagenie.ca>, "behave@ietf.org" <behave@ietf.org>
Thread-Topic: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt
Thread-Index: AQHOQeToW/CAZcoTg0SCQxMcWJzg9Q==
Date: Thu, 25 Apr 2013 18:44:24 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A14978FF1@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A149778C5@xmb-rcd-x10.cisco.com> <5177968F.6050805@viagenie.ca>
In-Reply-To: <5177968F.6050805@viagenie.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.68.27]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 18:44:29 -0000
Hi Sam, Thanks for the comments; please see inline > -----Original Message----- > From: Simon Perreault [mailto:simon.perreault@viagenie.ca] > Sent: Wednesday, April 24, 2013 1:54 PM > To: behave@ietf.org > Subject: Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave- > turn-auth-00.txt > > Le 2013-04-24 05:22, Tirumaleswar Reddy (tireddy) a écrit : > > This draft discusses some of the problems with current TURN authentication > so that it can serve as the basis for stronger TURN authentication mechanisms. > > > > comments and suggestions are welcome. > > And here are some... > > - "TURN authentication" doesn't exist. It's "STUN authentication" that > you're talking about. TURN just uses STUN auth. Yes, TURN uses the authentication mechanism specified in STUN. TURN authentication is required because resources will be allocated on the TURN server, whereas with STUN there are no resources allocated on the STUN server. The STUN server is stateless and is only responding to the request from the client. Though both techniques need authentication for integrity protection of request and response. But there are STUN servers deployed without authentication and if the endpoints use DTLS-SRTP then there may not be a problem even if man-in-middle device modifies the STUN response. But TURN servers let's say deployed in DMZ need authentication. > > - In section "4. Problems with TURN Authentication", what's the > difference between problems 1 and 2 ? [TR] Problem 1 seem to be possible even if strong password is used. since password does not change frequently, the attacker could keep trying a number of candidate passwords. [/TR] > > - Problem 4 could also include the REALM attribute, which could be > snooped and harvested similarly. > > - About the above: wasn't this all well known and accepted at the time > STUN auth was being designed ? May be the authors of STUN/TURN could answer this question, if these attacks were previously discussed or not in WG. If TURN over TLS is used it would solve the problem; but it would impact sending media over TCP and could introduce delays which are directly noticeable. > > - I have encountered another problem: it's impossible to host multiple > realms on a single IP address. When the server needs to send the REALM > attribute in response to an unauthenticated request, it has no useful > information for determining which realm it should send, except the > destination address of the request. This sucks, IPv4 addresses being not > exactly free... Good point. For web Authentication, destination IP address helps to pick different REALM, but with TURN the only information available is the Source IP. > > I'm very interested in hearing about any solution you may have in mind... we are still discussing the solutions, some of them already being discussed in PCP WG that needs to be evaluated for TURN are EAP-over-TURN, PANA etc. --Tiru. > > Simon
- [BEHAVE] FW: New Version Notification for draft-r… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] FW: New Version Notification for dra… Simon Perreault
- Re: [BEHAVE] FW: New Version Notification for dra… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] FW: New Version Notification for dra… Simon Perreault
- Re: [BEHAVE] FW: New Version Notification for dra… Tirumaleswar Reddy (tireddy)
- Re: [BEHAVE] FW: New Version Notification for dra… Simon Perreault
- Re: [BEHAVE] FW: New Version Notification for dra… Alper Yegin