IETF Logo Mail Archive

Re: [tram] Publication has been requested for draft-ietf-tram-stun-pmtud-07

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Tue, 15 May 2018 15:34 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B60F12D945; Tue, 15 May 2018 08:34:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dtuBkWnsYphB; Tue, 15 May 2018 08:33:58 -0700 (PDT)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79AC512D942; Tue, 15 May 2018 08:33:58 -0700 (PDT)
Received: by mail-yw0-x22c.google.com with SMTP id q7-v6so183300ywd.9; Tue, 15 May 2018 08:33:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=biv3EiCPlCrMw8HcTF+diAd9HO+iOoail8NF8h6a95o=; b=uPwFWzGxzdnPUsPnAPu+uFL+PY0LI8Ft6Wrce8pmA5HgBPEsE9hVCMiHiXU09xR81w 9xeFToLPpSsADOOq60YpzHjsLVpz9laxA3fKAj3yw/YT+SYTMz2RMxbLLyC8rWRF+csd vO+tT8bpm7gZTQ5QuM81cyV0Ypud2Tyl0N74MDDvKHyOUYiQ6zzuHrl6nifGWo70eZMR 9sjKZtt2zKScs/hGIjTyQqitZ4Fpy//HLjuoaVOW2mF9r3UzbkHBiGg1wssJPl46TvjW CoFdaBG0UMi99M44HfN2H2unU6SHgszd+iH89GlFmv0M8VQ7NzZzZv6c8VLT90uc1Co7 sVuQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=biv3EiCPlCrMw8HcTF+diAd9HO+iOoail8NF8h6a95o=; b=p8FAZWK7KJadcaFC1iSzfkfMeUpOq1ZBs+OhGa+I/oBrkrnhUt29Mu5BUNvON9Hc1a Bk04nEymskV6yq8sfl8zFnaJGvrUnd3/uHj2i3JsMh8b1TUXq34260r3woeTZg+lZV6R vPcNAhKJpyoX06ZXyNaaRCDdA044sSuoiMqmwrJeXXGUX+PhtOvu14Azdcd9oC3TYeSV pgIfBiJzu8P7j4661hc3nUB+TvQflS4qtplcWoFyf2uMIGpSQ68CVg7FTeiuSN9Hb6yy HnaFtqlJkSz3N72EpeQEINyhCx/PTQAER/1k4leONMX/Ql1FlszVcAofYgnq+rHjyeoq ovXA==
X-Gm-Message-State: ALKqPweIZAuhkEyC8Cy4GLXHZ5yp70dAuyzNBpt9GjguPQzFt5rJI0K8 y8ccSrST9RJLG/1hlsybRB+fxc3x3ZPAFjyLt94=
X-Google-Smtp-Source: AB8JxZosAn8fEAyt8NMK7msObQ7k23hqSBIhJGAWjidbmcJdMw57O/In7MvqxGFKzW18CrUf5EiXKd4xFDlBQQ0NV1Y=
X-Received: by 2002:a81:ec14:: with SMTP id j20-v6mr6582491ywm.311.1526398437583; Tue, 15 May 2018 08:33:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a25:d014:0:0:0:0:0 with HTTP; Tue, 15 May 2018 08:33:57 -0700 (PDT)
In-Reply-To: <55552202-8550-235b-b907-5f7dd65dbde2@petit-huguenin.org>
References: <152421676370.10784.8969648253452773656.idtracker@ietfa.amsl.com> <CAKKJt-ffi8CVqeWGsf8x9HDX7fEOKYztuPNZ90HhcpjMZ3ApYA@mail.gmail.com> <55552202-8550-235b-b907-5f7dd65dbde2@petit-huguenin.org>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Tue, 15 May 2018 10:33:57 -0500
Message-ID: <CAKKJt-fkm5L0qdQ5tFBbHR=ODQwiXaWYY8AVQKMg1ZutytpHDA@mail.gmail.com>
To: Marc Petit-Huguenin <marc@petit-huguenin.org>
Cc: draft-ietf-tram-stun-pmtud@ietf.org, tram-chairs@ietf.org, tram@ietf.org, Tolga Asveren <tasveren@rbbn.com>
Content-Type: multipart/alternative; boundary="000000000000a870cc056c405459"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/-aEMogBNqjO-fGZcYmiV17lRDe0>
Subject: Re: [tram] Publication has been requested for draft-ietf-tram-stun-pmtud-07
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 May 2018 15:34:02 -0000

Hi, Marc,

On Mon, May 14, 2018 at 6:50 PM, Marc Petit-Huguenin <
marc@petit-huguenin.org> wrote:

> Hi Spencer,
>
> Thank you for the review.  Please see inline.
>
> On 05/08/2018 08:31 PM, Spencer Dawkins at IETF wrote:
> > Dear Authors,
> >
> > On Fri, Apr 20, 2018 at 4:32 AM, Gonzalo Camarillo <
> > gonzalo.camarillo@ericsson.com> wrote:
> >
> >> Gonzalo Camarillo has requested publication of
> >> draft-ietf-tram-stun-pmtud-07 as Proposed Standard on behalf of the TRAM
> >> working group.
> >>
> >> Please verify the document's state at https://datatracker.ietf.org/
> >> doc/draft-ietf-tram-stun-pmtud/
> >
> >
> > This document was fairly clear to me. I did have some questions I'd like
> to
> > work through before requesting Last Call, but none of them are
> showstoppers
> > - they shouldn't even slow the show down much.
> >
> > Thanks,
> >
> > Spencer
> >
> > I've been wrong before, but I'm thinking that
> >
> >   Not all UDP-based protocols implement the Path MTU discovery
> >    mechanism described in [RFC4821].
> >
> > is an understatement - I'm thinking of several widely used UDP-based
> > protocols that try to use heuristics including just pick a low MTU size,
> or
> > switch to TCP transport, or some other workaround. This statement seems
> to
> > say that most UDP-based protocols do RFC 4821. Is it fair to say that
> many
> > UDP-based protocols don't do RFC 4821 PMTU discovery?
>
> New text:
>
>    Many UDP-based protocols do not implement the Path MTU discovery
>    mechanism described in [RFC4821].  These protocols can make use of
>    [...]
>
> >
> > For this section,
> >
> > 3.  Terminology
> >
> >    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
> >    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
> >    document are to be interpreted as described in [RFC2119].  When these
> >    words are not in ALL CAPS (such as "must" or "Must"), they have their
> >    usual English meanings, and are not to be interpreted as RFC 2119 key
> >    words.
> >
> > you might consider replacing it with the corresponding paragraph in
> > https://tools.ietf.org/html/rfc8174 - I'm seeing an increasing number of
> > comments on IESG ballots suggesting this, and it's likely that the new
> BCP
> > text will more familiar to most readers over time.
>
> Done.
>
> >
> > This may be a dumb question, but in this text,
> >
> >    Implementations supporting this specification MUST implement the
> >    server side of both the Simple Probing mechanism (Section 4.1) and
> >    the Complete Probing mechanism (Section 4.2).
> >
> >    Implementations supporting this specification MUST implement the
> >    client side of the Complete Probing mechanism.  They MAY implement
> >    the client side of the Simple Probing mechanism.
> >
> > does this mean "Server implementations" and "Client implementations"?
>
> No, a compliant implementation must support both the client and the server
> side so to discover the PMTU in both directions.  The only choice is to not
> support the client side of the simple probing mechanism.
>
> >
> > I'm a bit confused about this text:
> >
> >    Some application layer protocols may already have a way of
> >    identifying each individual UDP packet, in which case these
> >    identifiers SHOULD be used in the IDENTIFIERS attribute of the Report
> >    Response.  While there are other possible packet identification
> >    schemes, this document describes two different ways to identify a
> >    specific packet.
> >
> >    In the first packet identification mechanism, the server computes a
> >    checksum over each packet received and sends back to the sender the
> >    list of checksums ordered chronologically.  The client compares this
> >    list to its own list of checksums.
> >
> >    In the second packet identification mechanism, the client prepends
> >    the UDP data with a header that provides a sequence number.  The
> >    server sends back the chronologically ordered list of sequence
> >    numbers received that the client then compares with its own list.
> >
> > It wasn't clear to me from this text whether these two packet
> > identification mechanism are descriptions of what applications do if they
> > DON'T already have a way of identifying packets. If that's what's
> intended,
> > perhaps
> >
> >   Some application layer protocols may already have a way of
> >    identifying each individual UDP packet, in which case these
> >    identifiers SHOULD be used in the IDENTIFIERS attribute of the Report
> >    Response.  While there are other possible packet identification
> >    schemes, this document describes two different ways to identify a
> >    specific packet, when no application layer protocol-specific
> > identification
> >
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >    mechanism is available.
> >    ^^^^^^^^^^^^^^^^^^^^^^
> > ?
>
> Applied.
>
> >
> > When I read this text,
> >
> >   Then the client waits half the RTO, if it is known, or 250 ms after
> >    sending the last Probe Indication and then sends the Report Request
> >    to the server over UDP.
> >
> > I was confused - isn't there's a 500-ms default RTO value in 4.1.1? Is
> this
> > different from
> >
> >   Then the client waits half the RTO after
> >    sending the last Probe Indication and then sends the Report Request
> >    to the server over UDP.
> >
> > or am I missing your point?
>
> Replaced by your text.
>
> >
> > In this text,
> >
> >   The algorithm used to calculate the checksum is similar to the
> >    algorithm used for the FINGERPRINT attribute (i.e., the CRC-32 of the
> >    payload XOR'ed with the 32-bit value 0x5354554e).
> >
> > is there a reference you could provide for the "algorithm used for the
> > FINGERPRINT attribute" here? I'm pretty sure I could find the right one,
> > but googling for "STUN FINGERPRINT checksum" is a lot less helpful than I
> > expected, and making sure that you understand what something is "similar
> > to" seems important if that's going to be helpful information for
> > implementers.
>
> Added reference to ITU V42.
>
> >
> > If using authentication in
> >
> >   UDP-based protocols that want to use any of these mechanisms,
> >    including the PMTUD-SUPPORTED attribute, to signal PMTUD capabilities
> >    MUST ensure that it cannot be used to launch an amplification attack.
> >    For example, using authentication can ensure this.
> >
> > is only one way to ensure prevention of amplification attacks, is there
> any
> > guidance or reference you could point to that would help implementers
> > evaluate other approaches?
>
> It's a good question.  I have to think about that.
>

Thanks for the quick and thorough responses.

I think I'm good on your responses for all my other questions. I'll let the
working group chew on this one, and let the chairs/shepherd let me know
when to request Last Call.

Spencer


> > Actually, after reading
> >
> >   The Probe Request or Indication that are used to implicitly signal
> >    probing support in the reverse direction MUST be authenticated to
> >    prevent amplification attacks.
> >
> > I wonder why authentication isn't a MUST for UDP-based protocols using
> > STUN-PMTUD, but that's just me wondering ...
>
> When STUN-PMTUD is used as an add-on to an existing protocol, it is
> difficult to impose to make the whole protocol authenticated.  When it is
> for a new protocol I agree that it should be secure, but then it is up to
> the protocol designer to do that (and to the IESG to enforce it).
>
> >
> > I was a bit confused by
> >
> >   This specification defines two new STUN methods and two new STUN
> >    attributes.  IANA added these new protocol elements to the "STUN
> >    Parameters Registry" created by [RFC5389].
> >
> > because they haven't been added to the registry yet, right?
> >
>
> Right.  I changed the whole IANA section to look like the one in STUNBis.
>
> --
> Marc Petit-Huguenin
> Email: marc@petit-huguenin.org
> Blog: https://marc.petit-huguenin.org
> Profile: https://www.linkedin.com/in/petithug
>
>

v2.23.0 | Report a Bug | By Email