Re: [pntaw] FW: New Version Notification for draft-reddy-behave-turn-auth-03.txt

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 05 September 2013 12:15 UTC

From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Harald Alvestrand <harald@alvestrand.no>
Date: Thu, 05 Sep 2013 12:15:15 +0000
Cc: "pntaw@ietf.org" <pntaw@ietf.org>
Subject: Re: [pntaw] FW: New Version Notification for draft-reddy-behave-turn-auth-03.txt

Hi Harald,

Please see inline

> -----Original Message-----
> From: Harald Alvestrand [mailto:harald@alvestrand.no]
> Sent: Wednesday, September 04, 2013 3:11 PM
> To: Tirumaleswar Reddy (tireddy)
> Cc: pntaw@ietf.org
> Subject: Re: [pntaw] FW: New Version Notification for draft-reddy-behave-turn-
> auth-03.txt
> 
> On 09/04/2013 10:41 AM, Tirumaleswar Reddy (tireddy) wrote:
> > Hi Harald,
> >
> > Thanks for the comments. Please see inline
> 
> Thanks for the rapid turnaround!
> >> 4) section 4 bullet 2 assumes that one needs a credentials database at
> >> the TURN server to verify the credentials. This is incorrect, as
> >> draft-uberti shows; all that is required is that the credentials are
> >> verifiable.
> > TURN server needs access to a credential database with username, realm and
> MD5 hash computed over the username, realm, and password. TURN server needs
> key derived from username and password (key = MD5(username ":" realm ":"
> SASLprep(password))) to validate message integrity for TURN request and also
> to calculate message-integrity for TURN response.
> 
> For the case where the "password" is machine-generated, not user-chosen,
> there are more options (this was a surprise for me the first time I
> encountered it, too!)
> 
> For instance, if
> 
> username = <string, maybe chosen by user>
> password = base64(HMAC(site-wide secret key + username))
> 
> the server that only knows the site-wide secret key can compute what the
> password should have been for any given <string chosen by user>, and
> thereby complete the verification.
> 
> (this particular scheme probably has cryptographic weaknesses; most
> schemes not designed by cryptographers are breakable)

Yes, draft-uberti-behave-turn-rest-00 is a new approach that solves some of the problems discussed in the draft. It is addressing third-party authorization, which will be useful in scenarios where the WebRTC service and TURN server are provided by the same provider.

The other scenario to consider is: if enterprises want to deploy a TURN server and want to use first-party authentication (let's say "log-in" username and password for auditing, policy enforcement on usage of TURN resources, etc.), then there is still a problem. In those cases either TLS or DTLS can be used to carry the TURN messages and address the problems in the draft, but the WebRTC-specific problem will be exposing the credential to JavaScript.
 
-Tiru.

> 
> You don't need a database, you just need to be able to validate the MAC
> - a database is one implementation.

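As an added illustration (not code from this thread, from draft-reddy or from draft-uberti), the two verification paths Harald contrasts: a TURN server that looks the long-term key up in a credential database, and one that holds only a site-wide secret and recomputes what the machine-generated password must have been. The realm, secret and request bytes are constructed placeholders; SASLprep is omitted (assumed identity for ASCII passwords), and HMAC-SHA1 is assumed for the password derivation (draft-uberti additionally prefixes the username with an expiry timestamp, which is left out here).

```python
import base64
import hashlib
import hmac

# Constructed placeholders, not values from any real deployment.
REALM = "turn.example.org"
SITE_SECRET = b"site-wide-secret-placeholder"


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """STUN/TURN long-term credential key: MD5(username ":" realm ":" SASLprep(password)).
    SASLprep is omitted (assumption: ASCII passwords, for which it is the identity map)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()


def rest_password(username: str, secret: bytes) -> str:
    """Machine-generated password as in the quoted sketch: base64(HMAC(secret, username)).
    Assumption: HMAC-SHA1 keyed with the site-wide secret over the username only."""
    digest = hmac.new(secret, username.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def message_integrity(key: bytes, request: bytes) -> bytes:
    """MESSAGE-INTEGRITY is HMAC-SHA1 keyed with the long-term key over the request."""
    return hmac.new(key, request, hashlib.sha1).digest()


def verify_with_database(username: str, request: bytes, mac: bytes, db: dict) -> bool:
    """Path 1: the server stores the MD5 key per (username, realm) and looks it up."""
    key = db.get((username, REALM))
    return key is not None and hmac.compare_digest(message_integrity(key, request), mac)


def verify_with_secret(username: str, request: bytes, mac: bytes, secret: bytes) -> bool:
    """Path 2: no database; the server recomputes the password from the secret, then the key."""
    key = long_term_key(username, REALM, rest_password(username, secret))
    return hmac.compare_digest(message_integrity(key, request), mac)


def demo() -> tuple:
    """Both verifiers accept the derived credential; a wrong password is rejected."""
    user = "alice"
    pwd = rest_password(user, SITE_SECRET)        # handed to the client by the web service
    request = b"ALLOCATE-REQUEST-PLACEHOLDER"     # constructed stand-in for a STUN message
    mac = message_integrity(long_term_key(user, REALM, pwd), request)
    db = {(user, REALM): long_term_key(user, REALM, pwd)}   # what path 1 has to store
    forged = message_integrity(long_term_key(user, REALM, "wrong-password"), request)
    return (verify_with_database(user, request, mac, db),
            verify_with_secret(user, request, mac, SITE_SECRET),
            verify_with_secret(user, request, forged, SITE_SECRET))
```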