Re: [Gen-art] [tram] Genart last call review of draft-ietf-tram-turnbis-25
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 05 June 2019 12:21 UTC
Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6DDB120020; Wed, 5 Jun 2019 05:21:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.308
X-Spam-Level:
X-Spam-Status: No, score=-4.308 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JVm5kQD-5yQq; Wed, 5 Jun 2019 05:21:47 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1893C120119; Wed, 5 Jun 2019 05:21:46 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1559736798; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-CrossTenant-userprincipalname: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=a ZLPM2Yul0LLNVa9zCQRQT6IOgeSLCnUWxGr6VzmK7 0=; b=UstWXrxDByyi+IWe1HogsfbaPPVKCP5yNsDH7ygpbFYb S3AyMhFVhuw50ZK8JCSILm+UQ+SomOORPSWpgytN7iDBsspt5E 2EvcC3L9R7IqkSJ/IfhZN8Mmn11gu6/XJUoxYFu+IZc/CGsXu8 LIiz47dS2EENuVnQzeNvzvOj4aU=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (unknown [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 1200_a439_c9e8a2f0_85e7_455d_b4d5_db6ed3cf3b24; Wed, 05 Jun 2019 06:13:18 -0600
Received: from DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 5 Jun 2019 06:21:29 -0600
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXAPP1N04.corpzone.internalzone.com (10.44.48.88) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Wed, 5 Jun 2019 06:21:29 -0600
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (10.44.176.240) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 5 Jun 2019 06:21:27 -0600
Received: from DM5PR16MB1705.namprd16.prod.outlook.com (10.172.44.147) by DM5PR16MB1868.namprd16.prod.outlook.com (10.174.178.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1943.18; Wed, 5 Jun 2019 12:21:27 +0000
Received: from DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::3d0a:95ec:9842:68f7]) by DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::3d0a:95ec:9842:68f7%9]) with mapi id 15.20.1943.018; Wed, 5 Jun 2019 12:21:27 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Vijay Gurbani <vijay.gurbani@gmail.com>
CC: "gen-art@ietf.org" <gen-art@ietf.org>, "draft-ietf-tram-turnbis.all@ietf.org" <draft-ietf-tram-turnbis.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "tram@ietf.org" <tram@ietf.org>
Thread-Topic: [tram] Genart last call review of draft-ietf-tram-turnbis-25
Thread-Index: AQHVF8AO1lDWTpR4KEeu7XcJ/Za4SaaJ4XTwgAGu9oCAAV/54A==
Date: Wed, 05 Jun 2019 12:21:26 +0000
Message-ID: <DM5PR16MB1705B319D090AEA233FBE1E3EA160@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <155931411903.6360.15337432658764941505@ietfa.amsl.com> <DM5PR16MB17053ED6AA91994433095303EA150@DM5PR16MB1705.namprd16.prod.outlook.com> <CAMMTW_Lb0tnUj-iYx-rqvpwJkd7NjWmvu_EMzGr9NHg_fDOjyw@mail.gmail.com>
In-Reply-To: <CAMMTW_Lb0tnUj-iYx-rqvpwJkd7NjWmvu_EMzGr9NHg_fDOjyw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.3.0.8
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [49.37.201.219]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f0619614-7717-48db-892c-08d6e9b05522
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600148)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:DM5PR16MB1868;
x-ms-traffictypediagnostic: DM5PR16MB1868:
x-ms-exchange-purlcount: 8
x-microsoft-antispam-prvs: <DM5PR16MB1868FB79295A4C35C4F64ACFEA160@DM5PR16MB1868.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00594E8DBA
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(376002)(366004)(39860400002)(136003)(346002)(51744003)(32952001)(199004)(189003)(66446008)(66476007)(73956011)(66556008)(64756008)(66946007)(6916009)(316002)(76116006)(229853002)(6436002)(76176011)(2906002)(6506007)(6246003)(4326008)(26005)(11346002)(476003)(7696005)(486006)(790700001)(6116002)(3846002)(102836004)(7736002)(53936002)(186003)(53546011)(86362001)(25786009)(446003)(81166006)(81156014)(99286004)(8676002)(68736007)(71190400001)(54906003)(52536014)(5660300002)(9686003)(55016002)(71200400001)(8936002)(9326002)(5024004)(14444005)(256004)(6306002)(236005)(54896002)(74316002)(606006)(478600001)(80792005)(966005)(14454004)(72206003)(66066001)(33656002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB1868; H:DM5PR16MB1705.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 20IBce2WG4yQWs2GwvyVnO0dlaYzYCi9gdkWCeonKYCJeVCgC/xLo0Za1fcWXqzfcxNhVm9pakbGleLQqt/Xy1M9OlNYskiQX5xe7gpG8MFlcWG98eDkUQgyZUNPy2vGLZkJBBURoQx0zo4AC8DcUiPNSREcqW9mybMHIABdcxqfBadHi3WR7y5lqIp9cTPZEJZGgqs54XDqy4h4R0UtYsFEkGTznEWUIinEm6Q3J2QfhdIDuS9Jk3h/NQ5t622NPQ9sRHK5wX0321Z+mP9e5e6M59DVtqI8DSwovwS4FbsByXhac6RoLfofqAS9gRrO6irQ4UqrLMK7NQXY+jnf7gNqf4+XxBPXRawi3XZ96wlKtky+xPJOSOFDvEPeRVr0sE3Itn34c6VbOLt2ct/DpzOou3rVdE2LTDa92ZgTrzM=
Content-Type: multipart/alternative; boundary="_000_DM5PR16MB1705B319D090AEA233FBE1E3EA160DM5PR16MB1705namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: f0619614-7717-48db-892c-08d6e9b05522
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jun 2019 12:21:27.0355 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TirumaleswarReddy_Konda@McAfee.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB1868
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6561> : inlines <7096> : streams <1823602> : uri <2852956>
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/jlzGO_mN7RGB3EJ6lO1d4Ih0uo4>
Subject: Re: [Gen-art] [tram] Genart last call review of draft-ietf-tram-turnbis-25
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Jun 2019 12:21:51 -0000
Hi Vijay, Please see inline [TR] From: Vijay Gurbani <vijay.gurbani@gmail.com> Sent: Tuesday, June 4, 2019 7:45 PM To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> Cc: gen-art@ietf.org; draft-ietf-tram-turnbis.all@ietf.org; ietf@ietf.org; tram@ietf.org Subject: Re: [tram] Genart last call review of draft-ietf-tram-turnbis-25 CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe. ________________________________ Tiru: Thank you for attending to my comments. Please see inline for some more questions based on your comments. Thank you for your time! On Tue, Jun 4, 2019 at 4:46 AM Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com<mailto:TirumaleswarReddy_Konda@mcafee.com>> wrote: > Major: > > - My advice would be to put S3 (Terminology) before S2. There are a lot of > terms defined in S3 that S2 simply uses; it will serve the reader well if they > already knew these terms by the time the encountered them. Works for me, moved Terminology Section. Great; thanks. > > Minor: > - S1, paragraph 2: "...NATs that are well behaved." Here, what is the > definition of a "well behaved" NAT? Is there a RFC that encodes expected > behaviour? If so, please provide a reference. If not, then some resource > should be made available (a paragraph or some reference) where the > expected behaviour of NATs is codified to some extent. Address-dependent or Address-and port-dependent mappings are not well behaved NATs, this paragraph refers to RFC4787 (see https://tools.ietf.org/html/rfc4787#section-4.1 ) and says hole-punching technique will not work with NATs having Address-dependent or Address-and port-dependent mapping behavior. NEW: As described in [RFC5128] and [RFC4787], hole punching techniques [...] The new text is a great addition. Thanks. > - S 2.4, Figure 3: "To partly mitigate this attack ...", just to be explicit, [...] If the attacker spoofs the TURN client IP address and sends bogus Send indication to the server to a peer based on the permission installed by the TURN client to the peer, this attack cannot be mitigated the server unless (D)TLS is used. However, if the attacker spoofs the TURN client IP address and sends bogus Send indication to the server to peer but the client has not installed permission to the peer, this attack can be mitigated by the server. The above points are covered in https://tools.ietf.org/html/draft-ietf-tram-turnbis-25#section-20.1.4. I think a forward reference to Section 20.1.4 can easily be made in Section 2.4 so the reader is aware of the what mitigation properties are being provided by S2.4 and which section is providing the remaining properties. It will make your document much more complete. [TR] Okay, added the following line: The techniques to fully mitigate the attack are discussed in Section 20.1.4. > - S5, second to last paragraph: "When TCP transport is used ..." Here, [...] Please see the discussion in BEHAVE WG mailing list https://mailarchive.ietf.org/arch/msg/behave/O7A7vTihIBJ-uKmJT_bSea13wIA Hmm ... so according to the above link, the bit flip has to get through the TCP checksum AND hit the length field of the TURN packet. Given today's networks, such an event has a very low probability, but in the interest of specifying protocols to handle all kinds of errors, it makes sense to address this. Of course, this is not a problem endemic to TURN, it is a problem inherent any time TCP is used. [TR] Agreed. I do not know what mitigation strategies are used across IETF for an event like this. Perhaps the TSV area directorate can help. In any case, I am fine with leaving the text as-is, although it may make sense to talk to some of the folks in TSV to see how other protocols that ride in TCP handle such cases. (For curiosity's sake, ff not for anything else.) > - S5, second to last paragraph: "...a long sequence of invalid..." Here, how > long is "long"? 2 messages? 3 messages? 4 messages? I think an explicit > guideline may help make the error handling more robust. The threshold for long sequence of invalid TURN messages looks implementation specific to me, it was not specified in the base TURN spec (see https://tools.ietf.org/html/rfc5766#section-4). If it was not specified in the base TURN specification, then it may make sense to tighten up the behaviour in the bis specification, no? This would be our chance to add a behaviour that can be measured and test cases created against it for protocol resiliency, no? Or am I missing something on why the bis specification does not want to tighten this behaviour? [TR] The threshold values for long sequence of invalid TURN messages is not discussed in the TRAM WG, and I don’t have information on the typical values used in the field. Anyways, not documenting the threshold values would not cause any interoperable issues for a really low probability scenario. > - S7.3, third paragraph: "...before trying to request any more ..." Here, how > many times should a client retry the request upon the receipt of a 508? > Again, an explicit guideline will help interoperability; otherwise, some > clients will retry only once, other more than once, and so on. The number of attempts the client would retry is implementation specific. For example, if other TURN servers are available, the client can try to get the relayed transport address from the other TURN servers and need not retry the request (see https://tools.ietf.org/html/rfc8445#section-5.1.1.2). Same feedback as above; if the number of attempts were not specified in rfc5766, could we not do better now? Any reason not to? [TR] The number of attempts depends on the context, For instance (1) If other TURN servers are available, and the client gets the relayed transport address from at least one other TURN server, the client need not retry the request (2) if the client is using ICE (https://tools.ietf.org/html/rfc8445), the client can keep retrying till the candidate gathering phase expires (please note ICE specification does not specify the candidate gathering phase timeout). Cheers, -Tiru Thanks. - vijay
- [Gen-art] Genart last call review of draft-ietf-t… Vijay Gurbani via Datatracker
- Re: [Gen-art] [tram] Genart last call review of d… Konda, Tirumaleswar Reddy
- Re: [Gen-art] [tram] Genart last call review of d… Vijay Gurbani
- Re: [Gen-art] [tram] Genart last call review of d… Konda, Tirumaleswar Reddy
- Re: [Gen-art] [tram] Genart last call review of d… Vijay Gurbani
- Re: [Gen-art] [tram] Genart last call review of d… Konda, Tirumaleswar Reddy