Re: [pntaw] FW: New Version Notification for draft-reddy-behave-turn-auth-03.txt

Harald Alvestrand <> Tue, 03 September 2013 14:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 19E8111E820D for <>; Tue, 3 Sep 2013 07:05:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -110.533
X-Spam-Status: No, score=-110.533 tagged_above=-999 required=5 tests=[AWL=0.066, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7aMeHZ522gnS for <>; Tue, 3 Sep 2013 07:05:11 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 5D0B711E81FE for <>; Tue, 3 Sep 2013 07:05:11 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7803C39E3CE for <>; Tue, 3 Sep 2013 16:05:10 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1yZb4UnsGu0c for <>; Tue, 3 Sep 2013 16:05:09 +0200 (CEST)
Received: from (unknown [IPv6:2620:0:1043:1:7646:a0ff:fe90:e2bb]) by (Postfix) with ESMTPSA id 56CB439E3CA for <>; Tue, 3 Sep 2013 16:05:09 +0200 (CEST)
Message-ID: <>
Date: Tue, 03 Sep 2013 16:05:08 +0200
From: Harald Alvestrand <>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8
MIME-Version: 1.0
References: <>
In-Reply-To: <>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [pntaw] FW: New Version Notification for draft-reddy-behave-turn-auth-03.txt
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 Sep 2013 14:05:18 -0000

Quick review of this document..... I am typing this up because I spent 
time reading the draft, not because I have a particular opinion about 
what should be done with it.

1) Please get someone to fix the grammar. For non-native English 
speakers like me, it is problematic to parse sentences like this:

    TURN server plays a vital and is a building block to support direct,
    interactive, real-time communication using audio, video,
    collaboration, games, etc., between two peers web-browsers in Web
    Real-Time communication (WebRTC) [I-D.ietf-rtcweb-overview]

the problems of this specific sentence include:
- no article ("the", "a") on "Turn server"
- The sentence fragment around "peers web-browsers in..." does not parse 
for me. Either "peers using web browsers that implement" or, simpler, 
"two peers' web browsers using the" - or it's possible that the intended 
meaning wasthat "in Web Real-Time communication" was intended to group 
with "a building block". There's no way I can tell from the sentence.
- "plays a vital" has no object

I could go on, but it's really distracting and error-prone to guess at 
the intended grammar before I can start guessing at the intended meaning.

(the subsequent sections are actually a bit better. But this particular 
sentence was scary to me.)

2) The use case reference is wrong. Section doesn't exist. 
Section seems to fit the bill, but it's more stable to refer to 
them by name.

3) The password guessing attack described in section 4 bullet 1 *is* an 
offline dictionary attack. So the paragraph gives the same attack twice.

4) section 4 bullet 2 assumes that one needs a credentials database at 
the TURN server to verify the credentials. This is incorrect, as 
draft-uberti shows; all that is required is that the credentials are 

5) In section 4 bullet 4 one talks about "the USERNAME of the host". 
This word is used in addition to "client" and "user, seemingly 
interchangeably. The takeaway here is that reusing USERNAMEs over time 
leads to tracking of usages of the USERNAME, which may lead to tracking 
of the entity (client or user) that uses it. This is a good argument for 
a draft-uberti-like mechanism for throwaway credentials.

6) The security section is just incorrect. The whole draft is about 
raising security concerns.

I am not very happy with the idea of spending significant draft and 
review time on listing issues - but if we list issues, the issues should 
be correctly stated.

On 09/03/2013 01:53 PM, Tirumaleswar Reddy (tireddy) wrote:
> [Including pntaw mailing list]
> This draft discusses the issues with STUN Authentication for TURN. Comments and suggestions are welcome. In BEHAVE WG there were discussions to solve the problem mentioned in the draft using techniques like TURN over DTLS, draft-uberti-behave-turn-rest-00.
> -Tiru.
> -----Original Message-----
> From: []
> Sent: Tuesday, September 03, 2013 12:10 PM
> To: Ram Mohan R (rmohanr); Tirumaleswar Reddy (tireddy); Muthu Arul Mozhi Perumal (mperumal); Alper Yegin; Ram Mohan R (rmohanr); Alper E. Yegin; Muthu Arul Mozhi Perumal (mperumal)
> Subject: New Version Notification for draft-reddy-behave-turn-auth-03.txt
> A new version of I-D, draft-reddy-behave-turn-auth-03.txt
> has been successfully submitted by Tirumaleswar Reddy and posted to the
> IETF repository.
> Filename:	 draft-reddy-behave-turn-auth
> Revision:	 03
> Title:		 Problems with STUN Authentication for TURN
> Creation date:	 2013-09-03
> Group:		 Individual Submission
> Number of pages: 7
> URL:   
> Status:
> Htmlized:
> Diff:  
> Abstract:
>     This document discusses some of the issues with STUN authentication
>     for TURN messages.
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at
> The IETF Secretariat
> _______________________________________________
> pntaw mailing list