Re: [pntaw] FW: New Version Notification for draft-reddy-behave-turn-auth-03.txt

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Wed, 04 September 2013 08:41 UTC

From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Harald Alvestrand <harald@alvestrand.no>, "pntaw@ietf.org" <pntaw@ietf.org>
Date: Wed, 4 Sep 2013 08:41:06 +0000

Hi Harald,

Thanks for the comments. Please see inline

> -----Original Message-----
> From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On Behalf Of
> Harald Alvestrand
> Sent: Tuesday, September 03, 2013 7:35 PM
> To: pntaw@ietf.org
> Subject: Re: [pntaw] FW: New Version Notification for draft-reddy-behave-turn-
> auth-03.txt
> 
> Quick review of this document..... I am typing this up because I spent
> time reading the draft, not because I have a particular opinion about
> what should be done with it.
> 
> 1) Please get someone to fix the grammar. For non-native English
> speakers like me, it is problematic to parse sentences like this:
> 
>     TURN server plays a vital and is a building block to support direct,
>     interactive, real-time communication using audio, video,
>     collaboration, games, etc., between two peers web-browsers in Web
>     Real-Time communication (WebRTC) [I-D.ietf-rtcweb-overview]
>     framework.
> 
> the problems of this specific sentence include:
> - no article ("the", "a") on "Turn server"
> - The sentence fragment around "peers web-browsers in..." does not parse
> for me. Either "peers using web browsers that implement" or, simpler,
> "two peers' web browsers using the" - or it's possible that the intended
> meaning was that "in Web Real-Time communication" was intended to group
> with "a building block". There's no way I can tell from the sentence.
> - "plays a vital" has no object

Thanks, corrected.

> 
> I could go on, but it's really distracting and error-prone to guess at
> the intended grammar before I can start guessing at the intended meaning.
> 
> (the subsequent sections are actually a bit better. But this particular
> sentence was scary to me.)
> 
> 2) The use case reference is wrong. Section 4.2.4.1 doesn't exist.
> Section 3.2.5.1 seems to fit the bill, but it's more stable to refer to
> them by name.

In version 11 of draft-rtcweb-use-cases-and-requirements the section numbers have changed; I added the section name for clarity (it is Section 3.2.5.1).

> 
> 3) The password guessing attack described in section 4 bullet 1 *is* an
> offline dictionary attack. So the paragraph gives the same attack twice.

Fixed.

> 
> 4) section 4 bullet 2 assumes that one needs a credentials database at
> the TURN server to verify the credentials. This is incorrect, as
> draft-uberti shows; all that is required is that the credentials are
> verifiable.

The TURN server needs access to a credential database with the username, realm and an MD5 hash computed over the username, realm, and password. The TURN server needs the key derived from the username and password (key = MD5(username ":" realm ":" SASLprep(password))) to validate message integrity for the TURN request and also to calculate MESSAGE-INTEGRITY for the TURN response.

> 
> 5) In section 4 bullet 4 one talks about "the USERNAME of the host".
> This word is used in addition to "client" and "user", seemingly
> interchangeably.

Changed to "client" in all the places.

> The takeaway here is that reusing USERNAMEs over time
> leads to tracking of usages of the USERNAME, which may lead to tracking
> of the entity (client or user) that uses it. This is a good argument for
> a draft-uberti-like mechanism for throwaway credentials.
> 
> 6) The security section is just incorrect. The whole draft is about
> raising security concerns.

Fixed.

Thanks and Regards,
-Tiru.

> 
> I am not very happy with the idea of spending significant draft and
> review time on listing issues - but if we list issues, the issues should
> be correctly stated.
> 
> 
> On 09/03/2013 01:53 PM, Tirumaleswar Reddy (tireddy) wrote:
> > [Including pntaw mailing list]
> >
> > This draft discusses the issues with STUN Authentication for TURN. Comments
> and suggestions are welcome. In BEHAVE WG there were discussions to solve the
> problem mentioned in the draft using techniques like TURN over DTLS, draft-
> uberti-behave-turn-rest-00.
> >
> > -Tiru.
> >
> > -----Original Message-----
> > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > Sent: Tuesday, September 03, 2013 12:10 PM
> > To: Ram Mohan R (rmohanr); Tirumaleswar Reddy (tireddy); Muthu Arul Mozhi
> Perumal (mperumal); Alper Yegin; Ram Mohan R (rmohanr); Alper E. Yegin; Muthu
> Arul Mozhi Perumal (mperumal)
> > Subject: New Version Notification for draft-reddy-behave-turn-auth-03.txt
> >
> >
> > A new version of I-D, draft-reddy-behave-turn-auth-03.txt
> > has been successfully submitted by Tirumaleswar Reddy and posted to the
> > IETF repository.
> >
> > Filename:	 draft-reddy-behave-turn-auth
> > Revision:	 03
> > Title:		 Problems with STUN Authentication for TURN
> > Creation date:	 2013-09-03
> > Group:		 Individual Submission
> > Number of pages: 7
> > URL:             http://www.ietf.org/internet-drafts/draft-reddy-behave-
> turn-auth-03.txt
> > Status:          http://datatracker.ietf.org/doc/draft-reddy-behave-turn-
> auth
> > Htmlized:        http://tools.ietf.org/html/draft-reddy-behave-turn-auth-03
> > Diff:            http://www.ietf.org/rfcdiff?url2=draft-reddy-behave-turn-
> auth-03
> >
> > Abstract:
> >     This document discusses some of the issues with STUN authentication
> >     for TURN messages.
> >
> >
> >
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
> >
> > _______________________________________________
> > pntaw mailing list
> > pntaw@ietf.org
> > https://www.ietf.org/mailman/listinfo/pntaw
> 
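The key derivation and MESSAGE-INTEGRITY handling Tiru describes above (item 4), as an added worked example that is not part of this thread or of the draft: a Python sketch of a TURN Allocate request and response protected with the RFC 5389 long-term credential key, showing that the server verifies the request and signs the response using only the stored MD5 key, never the plaintext password. The username, realm, password and nonce are constructed values, and SASLprep is assumed to be the identity for the plain-ASCII password used.

```python
import hashlib, hmac, os, struct

MAGIC_COOKIE = 0x2112A442
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY, ATTR_REALM, ATTR_NONCE = 0x0006, 0x0008, 0x0014, 0x0015
ALLOCATE_REQUEST, ALLOCATE_RESPONSE = 0x0003, 0x0103   # TURN (RFC 5766) message types

def long_term_key(username, realm, password):
    # RFC 5389 long-term credential key: MD5(username ":" realm ":" SASLprep(password)).
    # Assumption: SASLprep is the identity for the plain-ASCII passwords used here.
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()

def attr(atype, value):
    # STUN attribute TLV, value padded to a 4-byte boundary
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)

def stun_message(msg_type, txn_id, attrs):
    body = b"".join(attrs)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txn_id + body

def add_message_integrity(msg, key):
    # HMAC-SHA1 over the message with the length field already counting the
    # 24-byte MESSAGE-INTEGRITY attribute (RFC 5389 section 15.4)
    hdr = msg[:2] + struct.pack("!H", len(msg) - 20 + 24)
    mac = hmac.new(key, hdr + msg[4:], hashlib.sha1).digest()
    return hdr + msg[4:] + attr(ATTR_MESSAGE_INTEGRITY, mac)

def verify_message_integrity(msg, key):
    # Server side: recompute the HMAC over everything before MESSAGE-INTEGRITY
    # using only the stored key; the plaintext password is never needed.
    body_len, offset = struct.unpack("!H", msg[2:4])[0], 20
    while offset < 20 + body_len:
        atype, alen = struct.unpack("!HH", msg[offset:offset + 4])
        if atype == ATTR_MESSAGE_INTEGRITY:
            hdr = msg[:2] + struct.pack("!H", offset - 20 + 24)
            expected = hmac.new(key, hdr + msg[4:offset], hashlib.sha1).digest()
            return hmac.compare_digest(expected, msg[offset + 4:offset + 24])
        offset += 4 + alen + ((-alen) % 4)
    return False

def allocate_exchange(username, realm, password, nonce):
    # Client signs the Allocate request with the key derived from its password; the
    # server's store maps (username, realm) -> key and uses that same key to verify
    # the request and to sign the response, so a verify-only secret would not suffice.
    key, txn = long_term_key(username, realm, password), os.urandom(12)
    request = add_message_integrity(stun_message(ALLOCATE_REQUEST, txn, [
        attr(ATTR_USERNAME, username.encode()), attr(ATTR_REALM, realm.encode()),
        attr(ATTR_NONCE, nonce)]), key)
    server_key = {(username, realm): key}[(username, realm)]   # constructed credential store
    request_ok = verify_message_integrity(request, server_key)
    response = add_message_integrity(stun_message(ALLOCATE_RESPONSE, txn, []), server_key)
    return request_ok, verify_message_integrity(response, key)
```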