Re: [tram] Publication has been requested for draft-ietf-tram-stun-pmtud-07
Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Tue, 15 May 2018 15:34 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B60F12D945; Tue, 15 May 2018 08:34:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dtuBkWnsYphB; Tue, 15 May 2018 08:33:58 -0700 (PDT)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79AC512D942; Tue, 15 May 2018 08:33:58 -0700 (PDT)
Received: by mail-yw0-x22c.google.com with SMTP id q7-v6so183300ywd.9; Tue, 15 May 2018 08:33:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=biv3EiCPlCrMw8HcTF+diAd9HO+iOoail8NF8h6a95o=; b=uPwFWzGxzdnPUsPnAPu+uFL+PY0LI8Ft6Wrce8pmA5HgBPEsE9hVCMiHiXU09xR81w 9xeFToLPpSsADOOq60YpzHjsLVpz9laxA3fKAj3yw/YT+SYTMz2RMxbLLyC8rWRF+csd vO+tT8bpm7gZTQ5QuM81cyV0Ypud2Tyl0N74MDDvKHyOUYiQ6zzuHrl6nifGWo70eZMR 9sjKZtt2zKScs/hGIjTyQqitZ4Fpy//HLjuoaVOW2mF9r3UzbkHBiGg1wssJPl46TvjW CoFdaBG0UMi99M44HfN2H2unU6SHgszd+iH89GlFmv0M8VQ7NzZzZv6c8VLT90uc1Co7 sVuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=biv3EiCPlCrMw8HcTF+diAd9HO+iOoail8NF8h6a95o=; b=p8FAZWK7KJadcaFC1iSzfkfMeUpOq1ZBs+OhGa+I/oBrkrnhUt29Mu5BUNvON9Hc1a Bk04nEymskV6yq8sfl8zFnaJGvrUnd3/uHj2i3JsMh8b1TUXq34260r3woeTZg+lZV6R vPcNAhKJpyoX06ZXyNaaRCDdA044sSuoiMqmwrJeXXGUX+PhtOvu14Azdcd9oC3TYeSV pgIfBiJzu8P7j4661hc3nUB+TvQflS4qtplcWoFyf2uMIGpSQ68CVg7FTeiuSN9Hb6yy HnaFtqlJkSz3N72EpeQEINyhCx/PTQAER/1k4leONMX/Ql1FlszVcAofYgnq+rHjyeoq ovXA==
X-Gm-Message-State: ALKqPweIZAuhkEyC8Cy4GLXHZ5yp70dAuyzNBpt9GjguPQzFt5rJI0K8 y8ccSrST9RJLG/1hlsybRB+fxc3x3ZPAFjyLt94=
X-Google-Smtp-Source: AB8JxZosAn8fEAyt8NMK7msObQ7k23hqSBIhJGAWjidbmcJdMw57O/In7MvqxGFKzW18CrUf5EiXKd4xFDlBQQ0NV1Y=
X-Received: by 2002:a81:ec14:: with SMTP id j20-v6mr6582491ywm.311.1526398437583; Tue, 15 May 2018 08:33:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a25:d014:0:0:0:0:0 with HTTP; Tue, 15 May 2018 08:33:57 -0700 (PDT)
In-Reply-To: <55552202-8550-235b-b907-5f7dd65dbde2@petit-huguenin.org>
References: <152421676370.10784.8969648253452773656.idtracker@ietfa.amsl.com> <CAKKJt-ffi8CVqeWGsf8x9HDX7fEOKYztuPNZ90HhcpjMZ3ApYA@mail.gmail.com> <55552202-8550-235b-b907-5f7dd65dbde2@petit-huguenin.org>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Tue, 15 May 2018 10:33:57 -0500
Message-ID: <CAKKJt-fkm5L0qdQ5tFBbHR=ODQwiXaWYY8AVQKMg1ZutytpHDA@mail.gmail.com>
To: Marc Petit-Huguenin <marc@petit-huguenin.org>
Cc: draft-ietf-tram-stun-pmtud@ietf.org, tram-chairs@ietf.org, tram@ietf.org, Tolga Asveren <tasveren@rbbn.com>
Content-Type: multipart/alternative; boundary="000000000000a870cc056c405459"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/-aEMogBNqjO-fGZcYmiV17lRDe0>
Subject: Re: [tram] Publication has been requested for draft-ietf-tram-stun-pmtud-07
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 May 2018 15:34:02 -0000
Hi, Marc, On Mon, May 14, 2018 at 6:50 PM, Marc Petit-Huguenin < marc@petit-huguenin.org> wrote: > Hi Spencer, > > Thank you for the review. Please see inline. > > On 05/08/2018 08:31 PM, Spencer Dawkins at IETF wrote: > > Dear Authors, > > > > On Fri, Apr 20, 2018 at 4:32 AM, Gonzalo Camarillo < > > gonzalo.camarillo@ericsson.com> wrote: > > > >> Gonzalo Camarillo has requested publication of > >> draft-ietf-tram-stun-pmtud-07 as Proposed Standard on behalf of the TRAM > >> working group. > >> > >> Please verify the document's state at https://datatracker.ietf.org/ > >> doc/draft-ietf-tram-stun-pmtud/ > > > > > > This document was fairly clear to me. I did have some questions I'd like > to > > work through before requesting Last Call, but none of them are > showstoppers > > - they shouldn't even slow the show down much. > > > > Thanks, > > > > Spencer > > > > I've been wrong before, but I'm thinking that > > > > Not all UDP-based protocols implement the Path MTU discovery > > mechanism described in [RFC4821]. > > > > is an understatement - I'm thinking of several widely used UDP-based > > protocols that try to use heuristics including just pick a low MTU size, > or > > switch to TCP transport, or some other workaround. This statement seems > to > > say that most UDP-based protocols do RFC 4821. Is it fair to say that > many > > UDP-based protocols don't do RFC 4821 PMTU discovery? > > New text: > > Many UDP-based protocols do not implement the Path MTU discovery > mechanism described in [RFC4821]. These protocols can make use of > [...] > > > > > For this section, > > > > 3. Terminology > > > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > > "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this > > document are to be interpreted as described in [RFC2119]. When these > > words are not in ALL CAPS (such as "must" or "Must"), they have their > > usual English meanings, and are not to be interpreted as RFC 2119 key > > words. > > > > you might consider replacing it with the corresponding paragraph in > > https://tools.ietf.org/html/rfc8174 - I'm seeing an increasing number of > > comments on IESG ballots suggesting this, and it's likely that the new > BCP > > text will more familiar to most readers over time. > > Done. > > > > > This may be a dumb question, but in this text, > > > > Implementations supporting this specification MUST implement the > > server side of both the Simple Probing mechanism (Section 4.1) and > > the Complete Probing mechanism (Section 4.2). > > > > Implementations supporting this specification MUST implement the > > client side of the Complete Probing mechanism. They MAY implement > > the client side of the Simple Probing mechanism. > > > > does this mean "Server implementations" and "Client implementations"? > > No, a compliant implementation must support both the client and the server > side so to discover the PMTU in both directions. The only choice is to not > support the client side of the simple probing mechanism. > > > > > I'm a bit confused about this text: > > > > Some application layer protocols may already have a way of > > identifying each individual UDP packet, in which case these > > identifiers SHOULD be used in the IDENTIFIERS attribute of the Report > > Response. While there are other possible packet identification > > schemes, this document describes two different ways to identify a > > specific packet. > > > > In the first packet identification mechanism, the server computes a > > checksum over each packet received and sends back to the sender the > > list of checksums ordered chronologically. The client compares this > > list to its own list of checksums. > > > > In the second packet identification mechanism, the client prepends > > the UDP data with a header that provides a sequence number. The > > server sends back the chronologically ordered list of sequence > > numbers received that the client then compares with its own list. > > > > It wasn't clear to me from this text whether these two packet > > identification mechanism are descriptions of what applications do if they > > DON'T already have a way of identifying packets. If that's what's > intended, > > perhaps > > > > Some application layer protocols may already have a way of > > identifying each individual UDP packet, in which case these > > identifiers SHOULD be used in the IDENTIFIERS attribute of the Report > > Response. While there are other possible packet identification > > schemes, this document describes two different ways to identify a > > specific packet, when no application layer protocol-specific > > identification > > > > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ > > mechanism is available. > > ^^^^^^^^^^^^^^^^^^^^^^ > > ? > > Applied. > > > > > When I read this text, > > > > Then the client waits half the RTO, if it is known, or 250 ms after > > sending the last Probe Indication and then sends the Report Request > > to the server over UDP. > > > > I was confused - isn't there's a 500-ms default RTO value in 4.1.1? Is > this > > different from > > > > Then the client waits half the RTO after > > sending the last Probe Indication and then sends the Report Request > > to the server over UDP. > > > > or am I missing your point? > > Replaced by your text. > > > > > In this text, > > > > The algorithm used to calculate the checksum is similar to the > > algorithm used for the FINGERPRINT attribute (i.e., the CRC-32 of the > > payload XOR'ed with the 32-bit value 0x5354554e). > > > > is there a reference you could provide for the "algorithm used for the > > FINGERPRINT attribute" here? I'm pretty sure I could find the right one, > > but googling for "STUN FINGERPRINT checksum" is a lot less helpful than I > > expected, and making sure that you understand what something is "similar > > to" seems important if that's going to be helpful information for > > implementers. > > Added reference to ITU V42. > > > > > If using authentication in > > > > UDP-based protocols that want to use any of these mechanisms, > > including the PMTUD-SUPPORTED attribute, to signal PMTUD capabilities > > MUST ensure that it cannot be used to launch an amplification attack. > > For example, using authentication can ensure this. > > > > is only one way to ensure prevention of amplification attacks, is there > any > > guidance or reference you could point to that would help implementers > > evaluate other approaches? > > It's a good question. I have to think about that. > Thanks for the quick and thorough responses. I think I'm good on your responses for all my other questions. I'll let the working group chew on this one, and let the chairs/shepherd let me know when to request Last Call. Spencer > > Actually, after reading > > > > The Probe Request or Indication that are used to implicitly signal > > probing support in the reverse direction MUST be authenticated to > > prevent amplification attacks. > > > > I wonder why authentication isn't a MUST for UDP-based protocols using > > STUN-PMTUD, but that's just me wondering ... > > When STUN-PMTUD is used as an add-on to an existing protocol, it is > difficult to impose to make the whole protocol authenticated. When it is > for a new protocol I agree that it should be secure, but then it is up to > the protocol designer to do that (and to the IESG to enforce it). > > > > > I was a bit confused by > > > > This specification defines two new STUN methods and two new STUN > > attributes. IANA added these new protocol elements to the "STUN > > Parameters Registry" created by [RFC5389]. > > > > because they haven't been added to the registry yet, right? > > > > Right. I changed the whole IANA section to look like the one in STUNBis. > > -- > Marc Petit-Huguenin > Email: marc@petit-huguenin.org > Blog: https://marc.petit-huguenin.org > Profile: https://www.linkedin.com/in/petithug > >
- Re: [tram] Publication has been requested for dra… Gonzalo Camarillo
- [tram] Publication has been requested for draft-i… Gonzalo Camarillo
- Re: [tram] Publication has been requested for dra… Spencer Dawkins at IETF
- Re: [tram] Publication has been requested for dra… Gonzalo Camarillo
- Re: [tram] Publication has been requested for dra… Marc Petit-Huguenin
- Re: [tram] Publication has been requested for dra… Spencer Dawkins at IETF
- Re: [tram] Publication has been requested for dra… Spencer Dawkins at IETF
- Re: [tram] Publication has been requested for dra… Marc Petit-Huguenin
- Re: [tram] Publication has been requested for dra… Spencer Dawkins at IETF
- Re: [tram] Publication has been requested for dra… Marc Petit-Huguenin
- Re: [tram] Publication has been requested for dra… Spencer Dawkins at IETF
- Re: [tram] Publication has been requested for dra… Marc Petit-Huguenin
- Re: [tram] Publication has been requested for dra… Spencer Dawkins at IETF