Re: [rtcweb] URI schemes for TURN and STUN

Marc Petit-Huguenin <petithug@acm.org> Tue, 01 November 2011 20:50 UTC

Message-ID: <4EB05B90.10808@acm.org>
Date: Tue, 01 Nov 2011 13:50:24 -0700
From: Marc Petit-Huguenin <petithug@acm.org>
To: Harald Alvestrand <harald@alvestrand.no>
References: <4EAC6BF4.2000604@alvestrand.no> <CALiegf=f4kFzyDLWK+Y5vbuCEJFXX590+VuZ4bbnHZnvX0CoBA@mail.gmail.com> <4EAC8AE0.3020307@acm.org> <4EACD558.1050003@alvestrand.no> <4EAE157F.5020901@it.aoyama.ac.jp> <4EAEB76B.9090304@acm.org> <8B0C4061-D362-4DFE-9677-7E64515A6E1C@network-heretics.com> <4EAF9391.5040209@it.aoyama.ac.jp> <4EB05A23.3060101@alvestrand.no>
In-Reply-To: <4EB05A23.3060101@alvestrand.no>
Cc: Ned Freed <ned.freed@mrochek.com>, Keith Moore <moore@network-heretics.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>, Keith Moore <moore@cs.utk.edu>, Behave WG <behave@ietf.org>
Subject: Re: [rtcweb] URI schemes for TURN and STUN

On 11/01/2011 01:44 PM, Harald Alvestrand wrote:
> Top-posting a general principle, detailed comment at the bottom....
> 
> For all URI schemes, I think the URI needs to contain all the information you
> need in order to make contact with the service; you can't negotiate until you've
> made contact.
> (the process may involve things like "resolve through a resolution mechanism
> like DNS" or "get authorization tokens from somewhere else").
> 
> In the case of TURN, you need to distinguish between TCP, UDP and TLS, and you
> need to make that determination before you send the first packet. That means the
> distinguishing information between those three things belongs in the URL; I
> don't think the scheme is a good place to encode it.
> 
> On 10/31/2011 11:37 PM, "Martin J. Dürst" wrote:
>>
>>
>> On 2011/11/01 0:33, Keith Moore wrote:
>>>
>>> On Oct 31, 2011, at 10:57 AM, Marc Petit-Huguenin wrote:
>>>
>>>>
>>>> Hi Martin,
>>>>
>>>> So I understand Roy's email as saying in fact the opposite of what Harald said,
>>>> i.e. that using an "s" suffix to signify security is a good thing.
>>>>
>>>> What is your opinion on defining a generic scheme suffix (i.e. "+s" or "+sec")
>>>> that would indicate a well defined set of security properties that could apply
>>>> to any scheme, (vs the current "s" suffix where security properties has to be
>>>> defined scheme by scheme)?
>>>
>>>
>>> There is no "well defined set of security properties that could apply to any
>>> scheme".   Security properties necessarily vary depending on the way a
>>> resource is used, the threat model, and so forth.
>>
>> Here I agree with Keith.
>>
>>> Also, the idea that there should be a "secure" bit in a URI scheme, to
>>> distinguish it from the "insecure" form of a URL, doesn't make much sense. 
>>> You always want to use the best security that's available.
>>
>> You always want the best security you're willing to pay for.
>>
>>> You don't want that to depend on the URI scheme.
>>
>> Ideally not, but in actual operation, it made a lot of sense for HTTP as Roy
>> has explained.
> I think it made a lot of sense because the port 443 convention meant that
> whether or not to use SSL had to be known before you sent the SYN packet.
> 

Well, same thing for TURN, as a different default port is used when TLS is used
(3478 for TURN over UDP and TCP, and 5349 for TURN over TLS).

-- 
Marc Petit-Huguenin
Personal email: marc@petit-huguenin.org
Professional email: petithug@acm.org
Blog: http://blog.marc.petit-huguenin.org
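Added example, not code from this thread: a resolver for the kind of TURN URI the thread is debating, showing that scheme plus a transport parameter pin down the transport and the default port (3478 for TURN over UDP or TCP, 5349 for TURN over TLS, as stated above) before the first packet is sent. The URI shape `turn:host[:port][?transport=udp|tcp]` / `turns:...` is an assumption (the form RFC 7065 later standardised; this message defines none), and the host and port values used are constructed.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Default ports as stated in the message: 3478 for TURN over UDP or TCP,
# 5349 for TURN over TLS (constructed example, not code from the thread).
DEFAULT_PORT = {"turn": 3478, "turns": 5349}

@dataclass(frozen=True)
class TurnTarget:
    host: str
    port: int
    transport: str  # "udp", "tcp" or "tls", fixed before the first packet

def _split_host_port(hostport, default):
    """Split "host[:port]"; IPv6 literals are bracketed as "[...]"."""
    if hostport.startswith("["):
        end = hostport.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host, tail = hostport[: end + 1], hostport[end + 1 :]
    else:
        host, sep, port_str = hostport.partition(":")
        tail = sep + port_str
    if not host:
        raise ValueError("missing host")
    if not tail:
        return host, default
    if tail[0] != ":" or not tail[1:].isdigit() or not 1 <= int(tail[1:]) <= 65535:
        raise ValueError(f"bad port in {hostport!r}")
    return host, int(tail[1:])

def resolve_turn_uri(uri):
    """Derive host, port and transport from the URI alone. Assumed shape
    (the form RFC 7065 later standardised; the message does not define one):
    turn:host[:port][?transport=udp|tcp] for cleartext, turns:... for TLS over TCP.
    Nothing here needs a round trip to the server."""
    scheme, sep, rest = uri.partition(":")
    scheme = scheme.lower()
    if not sep or scheme not in DEFAULT_PORT:
        raise ValueError(f"not a turn/turns URI: {uri!r}")
    hostport, _, query = rest.partition("?")
    default_transport = "tcp" if scheme == "turns" else "udp"
    requested = parse_qs(query).get("transport", [default_transport])[0].lower()
    if requested not in ("udp", "tcp"):
        raise ValueError(f"unknown transport {requested!r}")
    if scheme == "turns" and requested != "tcp":
        raise ValueError("turns: modelled as TLS over TCP only")  # simplification
    host, port = _split_host_port(hostport, DEFAULT_PORT[scheme])
    return TurnTarget(host, port, "tls" if scheme == "turns" else requested)
```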