Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-05.txt> (URI Scheme for Session Traversal Utilities for NAT (STUN) Protocol) to Proposed Standard
Graham Klyne <GK@ninebynine.org> Thu, 15 August 2013 14:05 UTC
Return-Path: <GK@ninebynine.org>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D5F321F9A57 for <ietf@ietfa.amsl.com>; Thu, 15 Aug 2013 07:05:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zbogBdVaP6Yz for <ietf@ietfa.amsl.com>; Thu, 15 Aug 2013 07:05:50 -0700 (PDT)
Received: from relay11.mail.ox.ac.uk (relay11.mail.ox.ac.uk [129.67.1.162]) by ietfa.amsl.com (Postfix) with ESMTP id 3CC3721E8145 for <ietf@ietf.org>; Thu, 15 Aug 2013 07:05:45 -0700 (PDT)
Received: from smtp1.mail.ox.ac.uk ([129.67.1.207]) by relay11.mail.ox.ac.uk with esmtp (Exim 4.80) (envelope-from <GK@ninebynine.org>) id 1V9yBK-0006bm-cY; Thu, 15 Aug 2013 15:05:42 +0100
Received: from gklyne.plus.com ([80.229.154.156] helo=conina.local) by smtp1.mail.ox.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <GK@ninebynine.org>) id 1V9yBK-0006f6-4T; Thu, 15 Aug 2013 15:05:42 +0100
Message-ID: <520CE029.3070405@ninebynine.org>
Date: Thu, 15 Aug 2013 15:05:29 +0100
From: Graham Klyne <GK@ninebynine.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Harald Alvestrand <harald@alvestrand.no>
Subject: Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-05.txt> (URI Scheme for Session Traversal Utilities for NAT (STUN) Protocol) to Proposed Standard
References: <52095E5D.5070802@ninebynine.org> <520BD147.1040505@alvestrand.no> <520C9997.2010601@ninebynine.org> <520CA7C1.6080404@alvestrand.no>
In-Reply-To: <520CA7C1.6080404@alvestrand.no>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Oxford-Username: zool0635
X-Mailman-Approved-At: Thu, 15 Aug 2013 08:19:16 -0700
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Aug 2013 14:06:01 -0000
Harald, Briefly: 1. Thanks for the reference, and 2. I misunderstood what you meant by "This is a format for a piece of data". In light of your clarification, I withdraw my comments 3 & 4. Identification of the STUN service would appear to be a perfectly reasonable use. ... So the remaining issues from my questions are whether the intended highly constrained use of these services justifies allocating a URI scheme. If the community consensus is that it is of sufficient value, I might suggest an annotation to the scheme registration along the lines of: "This URI scheme is intended for use in very specific NAT traversal environments, and should not be used otherwise on the open Web or Internet." Would such a comment run contrary to your expectations for its use? #g -- On 15/08/2013 11:04, Harald Alvestrand wrote: > On 08/15/2013 11:04 AM, Graham Klyne wrote: >> Hi Harald, >> >> On 14/08/2013 19:49, Harald Alvestrand wrote: >>> On 08/13/2013 12:14 AM, Graham Klyne wrote: >> [...] >>>> But, in a personal capacity, not as designated reviewer, I have to ask *why* >>>> this needs to be a URI. As far as I can tell, it is intended for use only in >>>> very constrained environments, where there seems to be little value in having >>>> an identifier that can appear in all the contexts where a URI may be >>>> recognized. >>>> >>>> The criteria for new URI schemes in http://tools.ietf.org/html/rfc4395 include: >>>> >>>> "New URI schemes SHOULD have clear utility to the broad Internet community, >>>> beyond that available with already registered URI schemes." >>>> -- http://tools.ietf.org/html/rfc4395#section-2.1 >>>> >>>> This "utility to the broader community" is not clear to me, but I don't fully >>>> understand the intended scope of this protocol, so I could be missing >>>> something. So, in declaring consensus for this specification, I would request >>>> that this aspect at least be considered. >>> >>> I can only give my personal opinion.... >>> >>> 1) This is a format for a piece of data. This data cannot be expressed using any >>> existing URI scheme - indeed, I don't think there exists another well-defined >>> textual representation of this piece of data. >>> >>> 1) This is defining an identifier that will be used in W3C-defined APIs. W3C >>> tends to use URIs every time they want a self-defining piece of data with a >>> clearly defined structure. >>> In the particular API where this is wanted, one wants to have STUN URIs, TURNS >>> URIs and TURN URIs passed over the same interface. Thus, keeping with the W3C >>> tradition of URIs seems reasonable. >>> >>> I think this answers the question about "utility to the broader community" to my >>> satisfaction - your mileage may differ, of course. >> >> Some thoughts occur to me: >> >> 1. My reading was that this is a generic NAT traversal protocol, so the >> requirement here is not Web/W3C specific. But you do say "used in W3C-defined >> APIs"... > > Truth in advertising: One W3C-defined API. > The specific reference: > > http://dev.w3.org/2011/webrtc/editor/webrtc.html#dictionary-rtciceserver-members > >> >> 2. If this is being driven by W3C activities, this should probably be flagged >> with W3C TAG. I'll raise it there. >> >> 3. URIs are not generally used as *data* formats, but rather as identifiers >> for resources. Web architecture and REST principles tend to discourage >> information encoded in URIs in favour of data representation formats. Cf. >> http://www.w3.org/TR/webarch/#uri-opacity, >> http://www.w3.org/2001/tag/doc/metaDataInURI-31.html > > Well, it is. The data encoded is the identification of a STUN server, which is a > resource. > >> >> 4. If the purpose here is simply to encode data, then there does already exist >> a suitable URI scheme, viz data:. A new content type can be defined to >> actually encode the required data, and the whole be wrapped in a data: URI. >> This approach has the advantage that alternative mechanisms (other than URIs) >> can be used to transfer the traversal data if required (though that may be >> moot in the very restricted intended scope of deployment for stun:, etc.) > > Yes, but why? > >> >>>> >>>> ... >>>> >>>> Further, according to http://tools.ietf.org/html/rfc5389 it appears that there >>>> are security considerations with regard to the STUN protocol that it should >>>> not be used in isolation: >>>> [[ >>>> Classic STUN also had a security vulnerability -- attackers could >>>> provide the client with incorrect mapped addresses under certain >>>> topologies and constraints, and this was fundamentally not solvable >>>> through any cryptographic means. Though this problem remains with >>>> this specification, those attacks are now mitigated through the use >>>> of more complete solutions that make use of STUN. >>>> >>>> For these reasons, this specification obsoletes RFC 3489, and instead >>>> describes STUN as a tool that is utilized as part of a complete NAT >>>> traversal solution. >>>> ]] >>>> -- http://tools.ietf.org/html/rfc5389#section-2 >>>> >>>> It seems to me that creating a URI for STUN could encourage its use in >>>> environments outside the "more complete solutions that make use of STUN". >>>> This seems to be further reason that STUN[S] should not be a URI scheme. >>>> >>>> I have also suggested that, if registered, the URI scheme registration should >>>> carries a "health warning" to this effect, and that it is not suitable for >>>> general use that is not part of a "complete NAT traversal solution". But I >>>> also recognize that I do not fully grasp the security implications, and that >>>> if those that do know better can agree that there is no potential for creating >>>> security risks here, this suggestion may be unnecessary. >>> >>> This URI scheme does not represent STUN. It represents configuration data that >>> is used to initialize a protocol machine that utilizes STUN. >>> >>> This configuration data has to be passed no matter what the format of the data >>> is - whether it be URI or not. >>> >>> Thus, I do not think the argument raised is really relevant to the context. The >>> data will be passed, and registering an URI scheme will cause no more and no >>> less data to be passed. >>> >>> Again, my opinion. >>> >> >> If the URI is used only in very constrained contexts, then I agree. >> >> But the whole point of using a URI is that, due to URI opacity, it can be used >> a a range of contexts where URIs are used. If it cannot properly be used in >> those other contexts, I have to question if it really is a URI, as opposed to >> a string that happens to look like a URI. > > The subject of "if it really is an URI" has plagued the whole URI space since > day one. My current opinion is that if it looks like an URI, and parses > according to the URI spec, it should probably be called an URI. > > So far, we know of one context where we need this (RTCWEB). It's the first > context I know of where the Web and STUN intersect. It's not certain that it'll > be the last one. > >> >> I also note that this looks as if it may fall foul of the "confidential >> metadata" practice noted in the W3C TAG finding about metadata in URIs >> (http://www.w3.org/2001/tag/doc/metaDataInURI-31.html#hideforsecurity) > > That's why we took the "credentials" part out of the URI scheme. >
- Last Call: <draft-nandakumar-rtcweb-stun-uri-05.t… Graham Klyne
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… S Moonesamy
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Harald Alvestrand
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Harald Alvestrand
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Harald Alvestrand
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Hadriel Kaplan
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Hadriel Kaplan
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Harald Alvestrand
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Peter Saint-Andre
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Harald Alvestrand
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Graham Klyne
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Graham Klyne
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Marc Petit-Huguenin
- Re: Last Call: <draft-nandakumar-rtcweb-stun-uri-… Graham Klyne