Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt

Simon Perreault <simon.perreault@viagenie.ca> Fri, 26 April 2013 13:16 UTC

Message-ID: <517A7E1B.7000108@viagenie.ca>
Date: Fri, 26 Apr 2013 15:16:11 +0200
From: Simon Perreault <simon.perreault@viagenie.ca>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
References: <913383AAA69FF945B8F946018B75898A149778C5@xmb-rcd-x10.cisco.com> <5177968F.6050805@viagenie.ca> <913383AAA69FF945B8F946018B75898A14978FF1@xmb-rcd-x10.cisco.com> <517A36D2.6040504@viagenie.ca> <913383AAA69FF945B8F946018B75898A1497986F@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A1497986F@xmb-rcd-x10.cisco.com>
Cc: "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt

On 2013-04-26 15:05, Tirumaleswar Reddy (tireddy) wrote:
>>>> - In section "4. Problems with TURN Authentication", what's the
>>>> difference between problems 1 and 2?
>>>
>>> [TR] Problem 1 seems to be possible even if a strong password is used.
>>> Since the password does not change frequently, the attacker could keep
>>> trying a number of candidate passwords. [/TR]
>>
>> Doesn't that characteristic also apply to problem 2?
>
> Yes it does. Do you want us to merge problems 1 and 2?

Well, I'm just trying to understand. If 1 and 2 are the same problem, 
then yes they should be merged. At this point I don't see any difference 
between the two.

>> - Problem 4 could also include the REALM attribute, which could be
>> snooped and harvested similarly.
>
> Do you have an attack or privacy problem in mind with REALM that we can add ?

Not really. I guess that leaking the domain of a call is acceptable.

>> I don't think we can rely on the PCP stuff also applying to STUN. The
>> environments are very different, both on servers and clients.
>
> Agreed, though there could be some scenarios where a PCP-capable firewall and TURN server could be co-located.

Right. I am more focused on the WebRTC use case, where the TURN server 
is operated by the WebRTC application provider, and thus completely 
separate from any firewall the user might be behind.

Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca