Re: [tram] FW: New Version Notification for draft-reddy-tram-turn-third-party-authz-00.txt

Oleg Moskalenko <> Sun, 16 February 2014 05:00 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1B7101A0369 for <>; Sat, 15 Feb 2014 21:00:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wFgsZ8Vz6Zqz for <>; Sat, 15 Feb 2014 21:00:46 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400e:c02::22f]) by (Postfix) with ESMTP id 97D001A0364 for <>; Sat, 15 Feb 2014 21:00:46 -0800 (PST)
Received: by with SMTP id w10so13539707pde.34 for <>; Sat, 15 Feb 2014 21:00:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=wdjrISW0lDWZ6TkhhC+vM74gO+K2AyC8JerUpqw8ioU=; b=NQC4eJXCsZmZFP4qXFg+YcKW3pkpqbnVmsas4xgq8+0kcB9QvFBetvapRXODeU9QeC 1a2civQPhjA9YZ7oeQVDjL5JV0EXpZNgI+kU5EwG8kTa+t1MSUmBuC8pIEgWA6DxTnO4 BmFzcxbdmCbLrH+sTye7Ta2CuEtNov6uRL8rCex62lCJH4DsSovpfvLbpdTd452mFhRO CjFqzprllOjnC6dOZ30CCFCvNOfhewse9gzU62Frm6Ui0WlgnQgRftAljjrHBenf0ios C9j/Sci/Wh7GcCNZuH785GucctuvLn7xwBWU65xy8qgNB1Vanridvp6rYNNFb/uwbvC6 dMhw==
MIME-Version: 1.0
X-Received: by with SMTP id rw4mr10664782pbc.3.1392526844591; Sat, 15 Feb 2014 21:00:44 -0800 (PST)
Received: by with HTTP; Sat, 15 Feb 2014 21:00:44 -0800 (PST)
In-Reply-To: <>
References: <>
Date: Sat, 15 Feb 2014 21:00:44 -0800
Message-ID: <>
From: Oleg Moskalenko <>
To: "Tirumaleswar Reddy (tireddy)" <>
Content-Type: multipart/alternative; boundary="047d7b2e0903e9826204f27eeb1c"
Cc: "" <>
Subject: Re: [tram] FW: New Version Notification for draft-reddy-tram-turn-third-party-authz-00.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 16 Feb 2014 05:00:49 -0000

Hi Tiru

I have some comments:

1) Section 4. Obtaining a Token Using OAuth, figure 4

I believe that the sequence of messages is incorrect. The TURN server most
probably will contact the Authorization server AFTER it gets the Allocate
request. But on the figure 4, it looks like it somehow can predict the
incoming request. The correct sequence must be, in the general case:

   Access Token Request (1) from client to Auth server
   Access Token + Session Key (2) from Auth server to client
   Allocate request from client to TURN server (3)
   Get Token from TURN Server to Auth server (4)
   Token metadata from Auth Server to TURN server (5)
   Allocate response from TURN server to the client (6)

The sequence shown on the figure 4 is possible only is the Auth Server and
TURN server are somehow closely integrated and that is unnecessary.

2) The document is saying that the client when communicating to the Auth
Server uses HTTP requests with JSON (REST API ?). May be it would be
helpful if the communication protocol between TURN server and Auth server
would be mentioned, too.

3) Section 7.2:

OAuth does not impose any limitation on the length of the access token but since
   STUN messages cannot exceed 548 bytes (Section 7.1 of [RFC5389]),
   access token length needs to be restricted to fit within the maximum
   STUN message size.

I am not sure that the STUN (Binding ?) max message size is relevant here
and worth mentioning at all - because this doc is about TURN, and the TURN
messages are often much larger than 548 bytes (especially when carrying the
video traffic). So I see no relevance of the 548 limit to the new
authentication standard. And that limitation of 548 bytes is applicable
only to the cases when we suspect that the path MTU is really really low
and that is an extremely rare case.

4) Are we sure that we want to limit the OAuth applicability only to the
long-term credentials mechanism ? I see no technical or philosophical
reasons why not to use it for short-term credentials mechanism, too. It
would be a more "symmetric" approach.

5) I'd put more definite wording how TURN server handles the token
lifetime. What happens in the middle of the TURN session, is the auth token
expires while the session is still active ? There may be two possible cases:

   - the token lifetime is applicable only to the session initiation
procedure. When the TURN session has been already established, it can go
indefinitely while the client is refreshing the session properly.

   - in second case when the token expires, the server rejects new requests
from the client (in the same TURN session) until the client sends the new
token data in re-authentication exchange.

I'd suggest the first case as an eisier case for the implementation.


On Fri, Feb 14, 2014 at 6:41 PM, Tirumaleswar Reddy (tireddy) <> wrote:

> This document proposes the use of third party authorization using OAuth
> for TURN. Comments and suggestions are welcome.
> -Tiru
> -----Original Message-----
> From: []
> Sent: Friday, February 14, 2014 1:59 PM
> To: Ram Mohan R (rmohanr); Prashanth Patil (praspati); Tirumaleswar Reddy
> (tireddy); Prashanth Patil (praspati); Justin Uberti; Justin Uberti;
> Tirumaleswar Reddy (tireddy); Ram Mohan R (rmohanr)
> Subject: New Version Notification for
> draft-reddy-tram-turn-third-party-authz-00.txt
> A new version of I-D, draft-reddy-tram-turn-third-party-authz-00.txt
> has been successfully submitted by Tirumaleswar Reddy and posted to the
> IETF repository.
> Name:           draft-reddy-tram-turn-third-party-authz
> Revision:       00
> Title:          TURN Extension for Third Party Authorization
> Document date:  2014-02-14
> Group:          Individual Submission
> Pages:          11
> URL:
> Status:
> Htmlized:
> Abstract:
>    This document proposes the use of OAuth to obtain and validate
>    ephemeral tokens that can be used for TURN authentication.  The usage
>    of ephemeral tokens ensure that access to a TURN server can be
>    controlled even if the tokens are compromised, as is the case in
>    WebRTC where TURN credentials must be specified in Javascript.  It
>    also addresses the need for stronger authentication described in
>    [I-D.reddy-behave-turn-auth].
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at
> The IETF Secretariat
> _______________________________________________
> tram mailing list