Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04
Simon Perreault <simon.perreault@viagenie.ca> Mon, 24 August 2009 14:27 UTC
Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E001828C1E1 for <behave@core3.amsl.com>; Mon, 24 Aug 2009 07:27:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.451
X-Spam-Level:
X-Spam-Status: No, score=-2.451 tagged_above=-999 required=5 tests=[AWL=0.149, BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FHLRC-X93TDk for <behave@core3.amsl.com>; Mon, 24 Aug 2009 07:27:05 -0700 (PDT)
Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by core3.amsl.com (Postfix) with ESMTP id 7192E28C1AB for <behave@ietf.org>; Mon, 24 Aug 2009 07:26:54 -0700 (PDT)
Received: by jazz.viagenie.ca (Postfix, from userid 8) id 9925929E15FC; Mon, 24 Aug 2009 10:26:56 -0400 (EDT)
Received: from ringo.viagenie.ca (ringo.viagenie.ca [IPv6:2620:0:230:c000::67]) by jazz.viagenie.ca (Postfix) with ESMTP id 814AD29E15ED; Mon, 24 Aug 2009 10:26:56 -0400 (EDT)
Message-ID: <4A92A330.1080103@viagenie.ca>
Date: Mon, 24 Aug 2009 10:26:56 -0400
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1b3pre) Gecko/20090513 Fedora/3.0-2.3.beta2.fc11 Thunderbird/3.0b2
MIME-Version: 1.0
To: Dave Thaler <dthaler@microsoft.com>
References: <0a9901ca10f2$93cdab60$5f7d150a@cisco.com> <E4561B14EE2A3E4E9D478EBFB5416E1B197488@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
In-Reply-To: <E4561B14EE2A3E4E9D478EBFB5416E1B197488@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "draft-ietf-behave-turn-tcp@tools.ietf.org" <draft-ietf-behave-turn-tcp@tools.ietf.org>, "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Aug 2009 14:27:07 -0000
Thank you very much for your comments. Dave Thaler wrote, on 08/08/09 02:29 PM: > 1) Are data connections to be closed gracefully or abortively, The draft is intentionally silent about this. It is expected that "closing a connection" will be done by following Figure 6 in RFC 793 (the arrow labeled CLOSE below the ESTAB state), but the server is free to do otherwise as long as it is valid TCP. Do you have a reason in mind why we should be more explicit? > and does this depend on how the corresponding (peer vs client) > connection was closed? Note that requiring this would probably not be implementable in non-root user-space. > 2) When error 447 is returned, section 4.3 says the client MUST > wait at least 10 seconds before retrying. I think this is > for the _same_ destination IP/port, right? If the client > has other destination IP/port pairs to try, they can be > tried immediately, correct? Correct. I have change the wording: The client MAY retry *with the same XOR-PEER-ADDRESS attribute*, but MUST wait at least 10 seconds. > 3) Section 4.6 notes that no keepalive mechanism is provided > and an application can do this at a higher layer. For > NATs between a TURN client and a TURN server, why wouldn't > TCP keepalives be a possibility? Because in non-root user-space, TCP keepalives as provided by the OS are nearly worthless in many important cases because they cannot be setup per-socket. They are setup system-wide and you need to be root to change the timeout. Basically it's another item in the list of things with STUN/TURN that are the way they are because of the requirement that a server be implementable in non-root user-space. > 4) If I understand the 3rd paragraph of section 5.2, correctly, > there's an important limitation/constraint that should be > called out early (e.g. in the overview). Normally, TCP > clients can open multiple parallel connections (e.g., to > a web server) to the same destination address/port. To > accomplish this with TURN, it seems that the client needs > multiple control connections so it can get multiple > allocations, since it can only have one connection to a > given peer address/port per allocation, correct? Yes, this is correct. It follows naturally from the fact that a 5-tuple uniquely identifies a connection, and that the local address and port are fixed from the moment the allocation is created. How about adding the following sentence to the third paragraph of section 3? "Note that a maximum of one connection to a given peer (address and port combination) can be established per allocation." > 5) The 5th paragraph of Section 5.2 also implies that it's > illegal for a TURN server to refuse to initiate connections > based on the XOR-PEER-ADDRESS value. For example, if it > refuses to initiate connections to 127.0.0.1 it would be > violating a MUST. I'd like to see this relaxed. How about this modified text? "Otherwise, *and if the new connection is permitted by local policy,* the server MUST initiate an outgoing TCP connection." This lets the server filter by peer address as well as other criteria. > 6) The draft talks about timing out a peer connection after > 30 seconds in section 5.3 if the client never does a > ConnectionBind for a connection initiated by a peer. > However, section 5.2 has no corresponding rule. This > means a client can send a Connect request, and then > never open a data connection, and the server will never > time out the peer connection. The same rule needs to be > added to 5.2 to address this. Good catch. I've copied the paragraph in question to the end of section 5.2. > 7) Continuing on the same point, the security considerations > section needs to add a discussion of a memory DoS attack > due to the TURN server having to buffer data from a peer > while waiting for a ConnectionBind (which may never happen). Actually, this highlights a bug in the current spec (section 5.2, paragraph 7): The server MUST buffer any data received from the peer. Data MUST NOT be lost. It is up to the server to adjust its advertised TCP receive window should the buffer size become a limiting factor. If it is not not lose data, the server must rely on the peer obeying the TCP window. This is bad. Instead, I propose the following: The server MUST buffer any data received from the peer. Data MUST NOT be lost unless the buffer is about to exceed a limit defined by local policy, in which case the data connection MUST be closed. The server adjusts its advertised TCP receive window to reflect the amount of empty buffer space. Similar wording would be applied to section 5.3, paragraph 3. How about adding the following text to the security considerations section? After a TCP connection is established between the server and a peer, and before a ConnectionBind request is received from the client, the server buffers all data received from the peer. This protocol specification lets the server drop the connection if the buffer size is about to exceed a limit defined by local policy. This policy should ensure that memory resources are not exceeded. > Currently it has references to docs that contain > discussion of bandwidth DoS attacks, but not memory > DoS attacks, as far as I can find. The above paragraph would indeed be much improved with such a reference. Could you provide one? Thanks, Simon -- DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca vCard 4.0 --> http://www.vcarddav.org
- [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Dan Wing
- Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Alfred E. Heggestad
- Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Simon Perreault
- Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Dave Thaler
- Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Ari Keranen
- Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Simon Perreault
- Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Dan Wing
- Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Ari Keranen
- Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Simon Perreault
- Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Dave Thaler
- Re: [BEHAVE] WGLC: draft-ietf-behave-turn-tcp-04 Simon Perreault