IETF Logo Mail Archive

Re: [tram] Artart telechat review of draft-ietf-tram-stunbis-16

Peter Saint-Andre <stpeter@mozilla.com> Tue, 17 April 2018 00:22 UTC

Return-Path: <stpeter@mozilla.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DB8112D957 for <tram@ietfa.amsl.com>; Mon, 16 Apr 2018 17:22:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mozilla.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lDScpP2RQ3gt for <tram@ietfa.amsl.com>; Mon, 16 Apr 2018 17:22:20 -0700 (PDT)
Received: from mail-io0-x22d.google.com (mail-io0-x22d.google.com [IPv6:2607:f8b0:4001:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE74112D88E for <tram@ietf.org>; Mon, 16 Apr 2018 17:22:19 -0700 (PDT)
Received: by mail-io0-x22d.google.com with SMTP id r69so13972364iod.8 for <tram@ietf.org>; Mon, 16 Apr 2018 17:22:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mozilla.com; s=google; h=subject:to:cc:references:from:openpgp:autocrypt:message-id:date :user-agent:mime-version:in-reply-to; bh=7+ws6D50gwwfnkvNh0mrKwGqev3OS2PSkvow0Cb3YLw=; b=IGGSzjJe5nor2jsbqbYfw0LxZClJdrUPwN4L109paW1y7aiIbhrsfdRcFgZTJr8Csh QoqBvncH0DKx6Xp/7fAfrwrMHegN2JZwq33j09++FBi5oKJFTk9UgXQIdJ/t+tIICN7s cyEUzt1GrCm+oFGMv266Hmv/x2YBSucVHkIxI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:autocrypt :message-id:date:user-agent:mime-version:in-reply-to; bh=7+ws6D50gwwfnkvNh0mrKwGqev3OS2PSkvow0Cb3YLw=; b=Aw+89+peyaQlvaoCB1+0G1YC1ZkOvr1a1mHdifK0AbJc813tD17WlLL/xEuRfTdYKr JXysLH/HDmxM+T8bX2BRrv76Mcwi3Q8K2XxfJKWe46GARtIu6tDB2r09suJ05K/q/bVh NwUv0STeBrS0/F8FHHlyVrQZ9JtpTWce/f1hxOSde6nS2zhfeT9JbzjAEMJP6X+/NcCP 0z9vFJIUNTyXoH2Tv3T6qyT/QHWdDvmEOHIo3sGxqykjQhXvzjGYidyIgpfUKL2JxCGK t2gs2DjUwHCz5D4YtvNdydL9wEHwSFHUo4+gC7HV9WdStGWJwuKZiUZWN43KGJBO9D5R KKtQ==
X-Gm-Message-State: ALQs6tC7gV5+FB74WQUEjVN6sumKJ+ZuTb0Ci1phLnroI8BXhHNkKAhF 4BSP5x4Rq2iV9atvcgRttoz82Q==
X-Google-Smtp-Source: AIpwx49FZRu0VJpi+P5nKrf1HtizWwZc7lmjyAMOOZ7FRLd1dVkwSugbqnTOgpnqHB3Q6j2ab7c3uw==
X-Received: by 10.107.146.86 with SMTP id u83mr8089924iod.110.1523924539262; Mon, 16 Apr 2018 17:22:19 -0700 (PDT)
Received: from dragon.local ([76.25.3.152]) by smtp.gmail.com with ESMTPSA id b195-v6sm5192192itb.22.2018.04.16.17.22.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 16 Apr 2018 17:22:18 -0700 (PDT)
To: Marc Petit-Huguenin <marc@petit-huguenin.org>, art@ietf.org
Cc: draft-ietf-tram-stunbis.all@ietf.org, ietf@ietf.org, tram@ietf.org
References: <152270998513.17947.16209089088681034529@ietfa.amsl.com> <ec1d7013-4886-6f96-21a2-3c758fc633cf@petit-huguenin.org>
From: Peter Saint-Andre <stpeter@mozilla.com>
Openpgp: preference=signencrypt
Autocrypt: addr=stpeter@mozilla.com; prefer-encrypt=mutual; keydata= xsFNBFonEf4BEADvZ+RGsJoOyZaw2rKedB9pBb2nNXVGgymNS9+FAL/9SsfcrKaGYSiWEz7P Lvc97hWH3LACFAHvnzoktv+4IWHjItvhdi9kUQ3Gcbahe55OcdZuSXXH3w5cHF0rKz9aYRpN jENqXM5dA8x4zIymJraqYvHlFsuuPB8rcRIV9SKsvcy14w9iRqu770NjXfE/aIsyRwwmTPiU FQ0fOSDPA/x2DLjed/GYHem90C5vF4Er9InMqH5KAMLnjIYZ9DbPx5c5EME4zW/d648HOvPB bm+roZs4JTHBhjlrTtzDDpMcxHq1e8YPvSdDLPvgFXDcTD4+ztkdO5rvDkbc61QFcLlidU8H 3KBiOVMA/5Rgl4lcWZzGfJBnwvSrKVPsxzpuCYDg01Y/7TH4AuVkv5Na6jKymJegjxEuJUNw CBzAhxOb0H9dXROkvxnRdYS9f0slcNDBrq/9h9dIBOqLhoIvhu+Bhz6L/NP5VunQWsEleGaO 3gxGh9PP/LMyjweDjPz74+7pbyOW0b5VnIDFcvCTJKP0sBJjRU/uqmQ25ckozuYrml0kqVGp EfxhSKVqCFoAS4Q7ux99yT4re2X1kmlHh3xntzmOaRpcZsS8mJEnVyhJZBMOhqE280m80ZbS CYghd2K0EIuRbexd+lfdjZ+t8ROMMdW5L51CJVigF0anyYTcAwARAQABzSdQZXRlciBTYWlu dC1BbmRyZSA8c3RwZXRlckBtb3ppbGxhLmNvbT7CwZQEEwEIAD4WIQQ1VSPTuPTvyWCdvvRl YYwYf2gUqQUCWicR/gIbIwUJCWYBgAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRBlYYwY f2gUqdaREAChG8qU1853mP0sv2Mersns8TLG1ztgoKHvMXFlMUpNz6Oi6CjjaMNFhP7eUY4T D43+yQs7f4qCkOAPWuuqO8FbNWQ+yUoVkqF8NUrrVkZUlZ1VZBMQHNlaEwwu1CGoHsLoRohP SiZ0hpmGTWB3V6cDDK4KN6nl610WJbzE9LeKY1AxtePdJi2KM281U0Fz8ntij1jWu0gF2xU4 Sez46JDogHLWKgd0srauhcCVzZjAhiWrXp1+ryzSWYaZO8Kh8SnF1f4o6jtYikMqkxUaI5nX wvD3kNX4AMSkCAZfG7Jcfj/SLDojTcREgO87g7B9bcOOsHN4lj3lHoFV0aXpgPmjfIvAjJHu fHkXZAQAH8w0u9bgJqRn703+A4NPfLopnjegyhlNi7fQ3cMQV1H7Oj7WrB/pCcprx+1u/6Uq oTtDwWh1U5uVthVAI0QojpNWR08zABDX19TlGtVoeygaQV3CAEolxTiYQtCfVavUzUplCZ/t 3v4YiRov+NylflJd+1akyOs1IAgARf444BnoH1fotkpfXNOpp9wUXXwsQcFRdP7vpMkSCkc0 sxPNTVX3ei0QImp4NsrFdaep7LV3zEb3wkAp6KE5Qno4hVVEypULbvB0G6twNZbeRfcs2Rjp jnPb2fofvg2WhAKB20dnRfIfK8OKTD/P+JDcauJANjmekM7BTQRaJxH+ARAApPwkbOTChAQu jMvteb/xcwuL5JZElmLxIqvJhqybV7JknM+3ATyN0CTYQFvPTgIrhpk4zSn0A6pEePdK8mKK 5/aHyd7pr7rLEi1sI/X3UE8ld/E83MExksKrYbs0UX1wSQwYXU6g64KicnuP2Abqg+8wrQ18 1nPcZci9jJI75XVPnTdUpZD5aaQWGp7IJ06NTbiOk30I50ORfulgKoe4m3UfsMALFxIx3pJk oy76xC2tjxYGf+4Uq1M0iK3Wy655GrcwXq/5ieODNUcAZzvK5hsUVRodBq0Lq3g1ivQF4ba7 RQayDzlW6XgoeU49xnCr9XdZYnTnj4iaPmr2NtY6AacBwRz+bJsyugeSyGgHsnVGyUSMk8YN wZHvUykMjH21LLzIUX5NFlcumLUXDOECELCJwewui4W81sI5Sq/WDJet+iJwwylUX22TSulG VwDS+j66TLZpk1hEwPanGLwFBSosafqSNBMDVWegKWvZZVyoNHIaaQbrTIoAwuAGvdVncSQz ttC6KkaFlAtlZt3+eUFWlMUOQ9jxQKTWymyliWKrx+S6O1cr4hwVRbg7RQkpfA8E2Loa13oO vRSQy/M2YBRZzRecTKY6nslJo6FWTftpGO7cNcvbmQ6I++5cBG1B1eNy2RFGJUzGh1vlYo51 pdfSg0U1oPHBPCHNvPYCJ7UAEQEAAcLBfAQYAQgAJhYhBDVVI9O49O/JYJ2+9GVhjBh/aBSp BQJaJxH+AhsMBQkJZgGAAAoJEGVhjBh/aBSpAw0P/1tEcEaZUO1uLenNtqysi3mQ6qAHYALR Df3p2z/RBKRVx0DJlzDfDvJ2R/GRwoo+vyCviecuG2RNKmJbf1vSm/QTtbQMUjwut9mx6KCY CyKwniqdhaMBmjCfV2DB2MxxZLYMtDfx/2mY7vzAci7AkjC+RkSUByMEOkyscUydKC/ETdf9 tvI8GhTY/8Q7JSylS3lQA5pMUHiIf+KpSmqKZeBPkGc7nSKM1w1UKUvFAsyyVsiG6A/hWrTr 7tTQAl7YfjtOGE8n4IKGktvrT99bbh9wdWKZ5FdHUN9hx2Q8VP8+0lR1CH2laVFbEwCOv1vM W4cgQDLxwwpo1iOTdHBVtQDxlQ9hPMKVlB1KP9KjchxuiLc24wLmCjP3pDMml4LQxOYB34Eq cgPZ3uHvJZG309sb2wTMTWaXobWNI++ZrsRD5GTmuzF3kkx3krtrq6HI5NSaemxK6MTDTjDN Rj/OwTl0yU35eJXuuryB20GFOSUsxiw00I2hMGQ1Cy9L/+IW6Dvotd8O3LmKh2tFArzXaKLx /rZyGNurS/Go5YjHp8wdJOs7Ka2p1U31js24PMWO6hf6hIiY2WRUsnE6xZNhvBTgKOY6u0KT V6hTevFqEw7OAZDCWUoE2Ob2/oHGZCCMW5SLAMgp7eihF0kGf2S2CmpIFYXGb61hAD8SqSY7 Fn7V
Message-ID: <c6df754b-8aea-637c-a8bf-7ccadc0d8704@mozilla.com>
Date: Mon, 16 Apr 2018 18:22:17 -0600
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <ec1d7013-4886-6f96-21a2-3c758fc633cf@petit-huguenin.org>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="yKq6lTWRoEdhfUFxtNTJ5NFOtrykyqKwH"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/1k8sKjdqnUBtYNQlJiG8veJrRF8>
Subject: Re: [tram] Artart telechat review of draft-ietf-tram-stunbis-16
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Apr 2018 00:22:23 -0000

Hi Marc, a few further comments inline.

On 4/16/18 5:43 PM, Marc Petit-Huguenin wrote:
> Hi Peter,
> 
> Thanks for the review and sorry for the delay in responding, I was traveling for the last 4 weeks.
> 
> See my responses inline.
> 
> On 04/02/2018 03:59 PM, Peter Saint-Andre wrote:
>> Reviewer: Peter Saint-Andre
>> Review result: Ready with Nits
>>

<snip/>

>> The first paragaraph of Section 6.2.3 restates recommendations from RFC
>> 7525; why not simply reference that specification?
> 
> The original text in RFC5389 said this:
> 
> " When STUN is run by itself over TLS-over-TCP, the
>   TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite MUST be implemented at a
>   minimum. [...]"
> 
> The new text is an attempt at updating it in the same spirit of giving minimal instructions and complementing them with a reference to RFC 7525 - which was the reason for the reference to RFC 7525 there.
> 
> So I kept the text there, followed by the following paragraph, in addition of moving the original last paragraph in the Security Consideration section:
> 
> " These recommendations are just a part of the the recommendations in
>   [RFC7525] that implementations and deployments of a STUN usage using
>   TLS or DTLS SHOULD follow."

I would instead suggest that we do something like Section 2 of RFC 7590
for XMPP:

   The best current practices documented in the "Recommendations for
   Secure Use of TLS and DTLS" [RFC7525] are included here by reference.
   Instead of repeating those recommendations here, this document mostly
   provides supplementary information regarding secure implementation
   and deployment of XMPP technologies.

Here's the rationale: RFC 7525 is likely to be updated/replaced more
quickly than STUNbis. If STUNbis recommends a particular cipher suite
that 7525bis stops recommending, in the absence of STUNter will STUN
implementations keep following STUNbis or will they upgrade to whatever
7525bis recommends? I suggest it will be the former, which is not what
we want.

>> Section 6.3.4 states:
>>
>>    o  If the error code is 500 through 599, the client MAY resend the
>>       request; clients that do so MUST limit the number of times they do
>>       this.
>>
>> It is reasonable to provide guidance as to the number of re-sends?
> 
> Same issue here, that's a section that is unmodified from RFC 5389. 

I understand. Now is our chance to fix it. :-)

>  As long as the client does not enter an endless loop of retransmission, choosing different numbers of re-sends does not affect interoperability.

Choosing different numbers is OK, but choosing an infinite number is
not. Can we provide guidance as to how many is too many? 10? 50? 100?

>> Section 9.1.1 and other sections invoke the OpaqueString profile of the
>> PRECIS FreeformClass; it might be helpful to mention that the profile is
>> used to handle Unicode characters outside the ASCII range, and that no
>> changes result if only ASCII characters are used.
> 
> Hmm.  But in that case the application has first to test that the string is in the ASCII range.  Isn't that better to always assume that the input string will contain Unicode, and let the implementation of OpaqueString short-circuit the processing in the case of an all-ASCII string?

Yes, I meant that as an informational note to implementers so they would
worry less. But it's not necessary and I think you can safely ignore it.

Peter

v2.23.0 | Report a Bug | By Email