Re: [pntaw] FW: New Version Notification for draft-reddy-behave-turn-auth-03.txt
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Wed, 04 September 2013 08:41 UTC
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Harald Alvestrand <harald@alvestrand.no>, "pntaw@ietf.org" <pntaw@ietf.org>
Date: Wed, 04 Sep 2013 08:41:06 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A1905AEF1@xmb-rcd-x10.cisco.com>
In-Reply-To: <5225EC94.7000601@alvestrand.no>
References: <913383AAA69FF945B8F946018B75898A1904E373@xmb-rcd-x10.cisco.com> <5225EC94.7000601@alvestrand.no>
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <pntaw.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/pntaw>

Hi Harald,

Thanks for the comments. Please see inline.

> -----Original Message-----
> From: pntaw-bounces@ietf.org [mailto:pntaw-bounces@ietf.org] On Behalf Of Harald Alvestrand
> Sent: Tuesday, September 03, 2013 7:35 PM
> To: pntaw@ietf.org
> Subject: Re: [pntaw] FW: New Version Notification for draft-reddy-behave-turn-auth-03.txt
>
> Quick review of this document..... I am typing this up because I spent
> time reading the draft, not because I have a particular opinion about
> what should be done with it.
>
> 1) Please get someone to fix the grammar. For non-native English
> speakers like me, it is problematic to parse sentences like this:
>
>    TURN server plays a vital and is a building block to support direct,
>    interactive, real-time communication using audio, video,
>    collaboration, games, etc., between two peers web-browsers in Web
>    Real-Time communication (WebRTC) [I-D.ietf-rtcweb-overview]
>    framework.
>
> the problems of this specific sentence include:
> - no article ("the", "a") on "Turn server"
> - The sentence fragment around "peers web-browsers in..." does not parse
>   for me. Either "peers using web browsers that implement" or, simpler,
>   "two peers' web browsers using the" - or it's possible that the intended
>   meaning was that "in Web Real-Time communication" was intended to group
>   with "a building block". There's no way I can tell from the sentence.
> - "plays a vital" has no object

Thanks, corrected.

> I could go on, but it's really distracting and error-prone to guess at
> the intended grammar before I can start guessing at the intended meaning.
>
> (the subsequent sections are actually a bit better. But this particular
> sentence was scary to me.)
>
> 2) The use case reference is wrong. Section 4.2.4.1 doesn't exist.
> Section 3.2.5.1 seems to fit the bill, but it's more stable to refer to
> them by name.

In version 11 of draft rtcweb-use-cases-and-requirements the section numbers have changed; I have added the section name for clarity (it is Section 3.2.5.1).

> 3) The password guessing attack described in section 4 bullet 1 *is* an
> offline dictionary attack. So the paragraph gives the same attack twice.

Fixed.

> 4) section 4 bullet 2 assumes that one needs a credentials database at
> the TURN server to verify the credentials. This is incorrect, as
> draft-uberti shows; all that is required is that the credentials are
> verifiable.

The TURN server needs access to a credential database with the username, realm and the MD5 hash computed over the username, realm, and password. The TURN server needs the key derived from the username and password (key = MD5(username ":" realm ":" SASLprep(password))) to validate message integrity for the TURN request and also to calculate message-integrity for the TURN response.

> 5) In section 4 bullet 4 one talks about "the USERNAME of the host".
> This word is used in addition to "client" and "user", seemingly
> interchangeably.

Changed to "client" in all the places.

> The takeaway here is that reusing USERNAMEs over time
> leads to tracking of usages of the USERNAME, which may lead to tracking
> of the entity (client or user) that uses it. This is a good argument for
> a draft-uberti-like mechanism for throwaway credentials.
>
> 6) The security section is just incorrect. The whole draft is about
> raising security concerns.

Fixed.

Thanks and Regards,
-Tiru.

> I am not very happy with the idea of spending significant draft and
> review time on listing issues - but if we list issues, the issues should
> be correctly stated.
>
>
> On 09/03/2013 01:53 PM, Tirumaleswar Reddy (tireddy) wrote:
> > [Including pntaw mailing list]
> >
> > This draft discusses the issues with STUN Authentication for TURN. Comments
> > and suggestions are welcome. In BEHAVE WG there were discussions to solve the
> > problem mentioned in the draft using techniques like TURN over DTLS,
> > draft-uberti-behave-turn-rest-00.
> >
> > -Tiru.
> >
> > -----Original Message-----
> > From: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
> > Sent: Tuesday, September 03, 2013 12:10 PM
> > To: Ram Mohan R (rmohanr); Tirumaleswar Reddy (tireddy); Muthu Arul Mozhi Perumal (mperumal); Alper Yegin; Ram Mohan R (rmohanr); Alper E. Yegin; Muthu Arul Mozhi Perumal (mperumal)
> > Subject: New Version Notification for draft-reddy-behave-turn-auth-03.txt
> >
> >
> > A new version of I-D, draft-reddy-behave-turn-auth-03.txt
> > has been successfully submitted by Tirumaleswar Reddy and posted to the
> > IETF repository.
> >
> > Filename: draft-reddy-behave-turn-auth
> > Revision: 03
> > Title: Problems with STUN Authentication for TURN
> > Creation date: 2013-09-03
> > Group: Individual Submission
> > Number of pages: 7
> > URL: http://www.ietf.org/internet-drafts/draft-reddy-behave-turn-auth-03.txt
> > Status: http://datatracker.ietf.org/doc/draft-reddy-behave-turn-auth
> > Htmlized: http://tools.ietf.org/html/draft-reddy-behave-turn-auth-03
> > Diff: http://www.ietf.org/rfcdiff?url2=draft-reddy-behave-turn-auth-03
> >
> > Abstract:
> > This document discusses some of the issues with STUN authentication
> > for TURN messages.
> >
> > Please note that it may take a couple of minutes from the time of submission
> > until the htmlized version and diff are available at tools.ietf.org.
> >
> > The IETF Secretariat
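Editor's added example (not part of the original thread, the draft, or any cited document): the two ways of obtaining the long-term credential key that point 4 above turns on, shown side by side. A client builds a TURN Allocate request carrying USERNAME, REALM, NONCE and MESSAGE-INTEGRITY with key = MD5(username ":" realm ":" SASLprep(password)) from RFC 5389; the server then verifies it either (a) by looking the stored key up in a per-user credential database, or (b) with no per-user record at all, by recomputing the throwaway password of draft-uberti-behave-turn-rest-00 (username = "<expiry>:<user>", password = base64(HMAC-SHA1(shared secret, username))) from a shared secret and rejecting expired usernames. The realm `example.org`, the nonce, the shared secret, the timestamp and all function names are constructed for illustration, and SASLprep is treated as the identity mapping because only ASCII passwords are used (an assumption; a real server must apply RFC 4013).

```python
import base64
import hashlib
import hmac
import os
import struct
import time

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_REALM = 0x0014
ATTR_NONCE = 0x0015


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """RFC 5389 s15.4 key: MD5(username ":" realm ":" SASLprep(password)).
    SASLprep is treated as identity here (assumption: ASCII passwords only)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def _attr(attr_type: int, value: bytes) -> bytes:
    # STUN TLV attribute; value padded up to a 4-byte boundary.
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_allocate(username: str, realm: str, nonce: str, key: bytes) -> bytes:
    """Client side: Allocate request with USERNAME/REALM/NONCE and MESSAGE-INTEGRITY."""
    body = (_attr(ATTR_USERNAME, username.encode())
            + _attr(ATTR_REALM, realm.encode())
            + _attr(ATTR_NONCE, nonce.encode()))
    # The header length already counts the 24-byte MESSAGE-INTEGRITY attribute
    # that is appended after the HMAC is computed (RFC 5389 s15.4).
    header = struct.pack("!HHI", ALLOCATE_REQUEST, len(body) + 24, MAGIC_COOKIE) + os.urandom(12)
    mac = hmac.new(key, header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def parse_attrs(msg: bytes) -> dict:
    """Return {attribute type: raw value} for everything after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 4 <= len(msg):
        t, length = struct.unpack("!HH", msg[pos:pos + 4])
        attrs[t] = msg[pos + 4:pos + 4 + length]
        pos += 4 + length + ((-length) % 4)
    return attrs


def verify_integrity(msg: bytes, key) -> bool:
    """Server side: recompute HMAC-SHA1 over the bytes before MESSAGE-INTEGRITY,
    with the header length rewritten as if the message ended at that attribute."""
    if key is None:  # no credential could be resolved for this USERNAME
        return False
    pos = 20
    while pos + 4 <= len(msg):
        t, length = struct.unpack("!HH", msg[pos:pos + 4])
        if t == ATTR_MESSAGE_INTEGRITY:
            break
        pos += 4 + length + ((-length) % 4)
    else:
        return False  # MESSAGE-INTEGRITY absent
    received = msg[pos + 4:pos + 24]
    covered = msg[:2] + struct.pack("!H", pos - 20 + 24) + msg[4:pos]
    return hmac.compare_digest(hmac.new(key, covered, hashlib.sha1).digest(), received)


def key_from_database(username: str, realm: str, credential_db: dict):
    """Model (a): the server stores the MD5 key per (username, realm)."""
    return credential_db.get((username, realm))


def _rest_password(username: str, shared_secret: bytes) -> str:
    # draft-uberti-behave-turn-rest-00: password = base64(HMAC-SHA1(secret, username)).
    return base64.b64encode(hmac.new(shared_secret, username.encode(), hashlib.sha1).digest()).decode()


def rest_credentials(user_id: str, shared_secret: bytes, ttl: int = 3600, now=None):
    """Issuer side of model (b): username = "<expiry>:<user_id>", throwaway password."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user_id}"
    return username, _rest_password(username, shared_secret)


def key_from_shared_secret(username: str, realm: str, shared_secret: bytes, now=None):
    """TURN server side of model (b): no per-user record; recompute the password
    from the shared secret and refuse usernames whose expiry has passed."""
    expiry, _, _ = username.partition(":")
    if not expiry.isdigit() or int(expiry) < int(time.time() if now is None else now):
        return None
    return long_term_key(username, realm, _rest_password(username, shared_secret))


def demo(now: int = 1378284068):
    """Constructed exchange: one database-backed client, one REST-credential client."""
    realm, nonce = "example.org", "f9c1b2a8"  # constructed values
    db = {("alice", realm): long_term_key("alice", realm, "s3cret")}  # model (a)
    req = build_allocate("alice", realm, nonce, db[("alice", realm)])
    a = parse_attrs(req)
    ok_db = verify_integrity(req, key_from_database(a[ATTR_USERNAME].decode(), a[ATTR_REALM].decode(), db))
    secret = b"constructed-shared-secret"  # model (b), shared between issuer and TURN server
    user, pw = rest_credentials("alice", secret, ttl=600, now=now)
    req2 = build_allocate(user, realm, nonce, long_term_key(user, realm, pw))
    a2 = parse_attrs(req2)
    ok_rest = verify_integrity(req2, key_from_shared_secret(a2[ATTR_USERNAME].decode(), realm, secret, now=now))
    expired = key_from_shared_secret(user, realm, secret, now=now + 601) is None
    return ok_db, ok_rest, expired


if __name__ == "__main__":
    print(demo())
```

In both models the server ends up holding the same MD5 key and runs the same MESSAGE-INTEGRITY check; what differs is where the key comes from. In model (b) the username doubles as the expiry timestamp, so a captured credential stops verifying once the TTL has passed, and each issuance yields a fresh USERNAME, which is the throwaway-credential property point 5 above argues for.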