Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-server-discovery
Brandon Williams <brandon.williams@akamai.com> Sat, 10 December 2016 15:14 UTC
Return-Path: <brandon.williams@akamai.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5686129482; Sat, 10 Dec 2016 07:14:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.597
X-Spam-Level:
X-Spam-Status: No, score=-5.597 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EYUH5v7rMWtK; Sat, 10 Dec 2016 07:14:12 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id 6D861129472; Sat, 10 Dec 2016 07:14:12 -0800 (PST)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id AA8AB43344E; Sat, 10 Dec 2016 15:14:11 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id 88BCA43344A; Sat, 10 Dec 2016 15:14:11 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1481382851; bh=Hy6nx4nAOg/Z8LtDfb7wUS513NwwIpIc7U4iwdy1Agw=; l=73628; h=To:References:Cc:From:Date:In-Reply-To:From; b=CZdgdBE8f54Epk6BV29di8Kl1k7je4gxV3GTtt6gFqR9BB8+tbrFL6HWbQr2vaxxC LeFJAK/HRPjj14o4p0avPUhoDuO463k5V7m00tTKSb1ilIVUXYW0f6NR40MyuCxJu+ vxbDr4UgMpA1oLFyjg+zTQm+u9a7aXQU+RtvpOiw=
Received: from [172.28.118.39] (bowill.kendall.corp.akamai.com [172.28.118.39]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 7D5E81FC9B; Sat, 10 Dec 2016 15:14:11 +0000 (GMT)
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, Karl Stahl <karl.stahl@ingate.com>, 'tram mailing list' <tram@ietf.org>
References: <E1FFF433-D80C-4567-9C7D-16E46C025F00@cisco.com> <012701d24112$ebca82e0$c35f88a0$@stahl@ingate.com> <521b142d7fd9482ca18102655d4ef4e6@XCH-RCD-017.cisco.com> <021701d2436e$4cee87d0$e6cb9770$@stahl@ingate.com> <03166323036f4cf187c0a67b9c183138@XCH-RCD-017.cisco.com> <034501d244e7$ad9ac060$08d04120$@stahl@ingate.com> <bbb0ee81baab4e68923c3c422c352f65@XCH-RCD-017.cisco.com> <061301d248ea$12c01110$38403330$@stahl@ingate.com> <3cf392b265354926a46f8e70109df236@XCH-RCD-017.cisco.com> <065101d24958$64f42fc0$2edc8f40$@stahl@ingate.com> <7f4a0d29c1b844539a5d2b38ee699c38@XCH-RCD-017.cisco.com> <00a901d24c77$6a9b7d80$3fd27880$@stahl@ingate.com> <b80c05736736466ba5e2e30c4306f71d@XCH-RCD-01 7.cisco.com> <01ad01d24f12$886f0af0$994d20d0$@stahl@ingate.com> <4f7b5e476e394b249d7f109afbda924b@XCH-RCD-017.cisco.com> <02d301d2502e$49a89b70$dcf9d250$@stahl@ingate.com> <d383f46699534d8d89d6f70f51231952@XCH-RCD-017.cisco.com> <ce9af14a-58fb-e0f2-c1ac-f62e6b80ac2b@akamai.com>
From: Brandon Williams <brandon.williams@akamai.com>
Message-ID: <df54193a-acc9-e7e1-66f4-59ec0027d988@akamai.com>
Date: Sat, 10 Dec 2016 10:14:11 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <ce9af14a-58fb-e0f2-c1ac-f62e6b80ac2b@akamai.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/1ntVGdXaAj8EMDd5axbjHrs47A4>
Cc: "Prashanth Patil (praspati)" <praspati@cisco.com>, "tram-chairs@ietf.org" <tram-chairs@ietf.org>, 'Dan Wing' <dan@danwing.org>, 'Spencer Dawkins at IETF' <spencerdawkins.ietf@gmail.com>
Subject: Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-server-discovery
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Dec 2016 15:14:17 -0000
Wait ... I take back my +1 here ... As I was writing a separate response to the server-side requirement thread, I changed my thinking about this one (or rather remembered my earlier thinking). Keeping track of this discussion has become really difficult at this point. Sorry about my confusion. I'll send a separate e-mail that describes my thinking about (D)TLS, since I've already got it started in a separate window. --Brandon On 12/10/2016 10:06 AM, Brandon Williams wrote: > +1 > > On 12/06/2016 11:17 PM, Tirumaleswar Reddy (tireddy) wrote: >> Karl Wrote: Also, you said you were NOT interested in mandating D(TLS) >> for validation, which was the text thrown during the discuss, and the >> only thing I have suggested to be removed. >> >> >> >> [Tiru] >> >> I can fix the following text to avoid the confusion that (D)TLS is >> mandatory but validating the TURN server identity is not mandatory: >> >> >> >> OLD: >> >> A TURN client MUST use (D)TLS in the absence of STUN long-term >> credential mechanism [RFC5389] or STUN Extension for Third-Party >> Authorization [RFC7635]. >> >> >> >> NEW: >> >> In the absence of STUN long-term credential mechanism [RFC5389] or STUN >> Extension for Third-Party Authorization [RFC7635], a TURN client MUST >> use (D)TLS and if (D)TLS authentication to validate the TURN server >> identity is not possible then the TURN client MUST fallback to >> encryption-only (D)TLS. >> >> >> >> -Tiru >> >> >> >> *From:* Karl Stahl [mailto:karl.stahl@ingate.com] >> *Sent:* Wednesday, December 7, 2016 7:35 AM >> *To:* Tirumaleswar Reddy (tireddy) <tireddy@cisco.com>; 'tram mailing >> list' <tram@ietf.org>; 'Brandon Williams' <brandon.williams@akamai.com> >> *Cc:* Prashanth Patil (praspati) <praspati@cisco.com>; >> tram-chairs@ietf.org; 'Dan Wing' <dan@danwing.org>; 'Spencer Dawkins at >> IETF' <spencerdawkins.ietf@gmail.com> >> *Subject:* SV: [tram] to Tiru, WAS:draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Tiru, >> >> >> >> Isn’t all of that in the draft since version -7 and no one has suggested >> to remove it: >> >> Author’s: “Please refer >> https://tools.ietf.org/html/draft-ietf-tram-turn-server-discovery-10#section-9 >> >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dtram-2Dturn-2Dserver-2Ddiscovery-2D10-23section-2D9&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=6aJ1JWFxE2YgbNJfXZnnIngnYbMdeK80XioPfnUwks4&e=> >> >> for more details.” >> >> >> >> “An auto-discovered TURN server is considered to be only as trusted as >> >> the path between the client and the TURN server. In order to safely >> >> use auto-discovered TURN servers for sessions with 'strict privacy' >> >> requirements, the user needs to be able to define privacy criteria >> >> (e.g. a trusted list of servers, networks, or domains) that are >> >> considered acceptable for such traffic. Any discovered TURN server >> >> outside the criteria is considered untrusted and therefore MUST NOT >> >> be used for privacy sensitive communication. >> >> >> >> In some auto-discovery scenarios, it might not be possible for the >> >> TURN client to use (D)TLS authentication to validate the TURN server. >> >> However, fall-back to clear text in such cases could leave the TURN >> >> client open to on-path injection of spoofed TURN messages. Instead, >> >> with an explicit administrator choice, a TURN client SHOULD fall-back >> >> to encryption-only (D)TLS when (D)TLS authentication is not >> >> available. Another reason to fall-back to encryption-only is for >> >> privacy, which is analogous to SMTP opportunistic encryption >> >> [RFC7435 >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc7435&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=o-ahnzvSKRMEYO1xIUtpMh0QBXqHdM5jncX_6SLG31k&e=>] >> >> where one does not require privacy but one desires privacy >> >> when possible. >> >> >> >> It is suggested that a TURN client attempt (D)TLS with authentication >> >> and encryption, falling back to encryption-only if the TURN server >> >> cannot be authenticated via (D)TLS. A TURN client could fall back to >> >> clear text, with an explicit administrator choice, if it does not >> >> support unauthenticated (D)TLS, but fallback to clear text is NOT >> >> RECOMMENDED because it makes the client more susceptible to man-in- >> >> the-middle attacks and on-path packet injection.” >> >> >> >> Also, you said you were NOT interested in mandating D(TLS) for >> validation, which was the text thrown during the discuss, and the only >> thing I have suggested to be removed. >> >> >> >> In addition to “A TURN server in such cases must be configured to only >> process STUN >> >> requests from the trusted local network or subscribers of the access >> >> network. Operational measures must be taken in order protect the >> >> TURN server; some of these measures include, but not limited to, >> >> access control by means of access-lists, firewalls, subscriber quota >> >> limits, ingress filtering etc.” as compensation for the >> authentication downgrade from MUST, which also no one has suggested to >> be removed, I suggested that this sentence thrown in during the discuss, >> is removed: >> >> “A TURN client MUST use (D)TLS in the absence of STUN long-term >> >> credential mechanism [RFC5389 >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc5389&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=F4YughE0J_rmP7Ulo5T9IJB4Fu3W-JNMyoheE6iyek8&e=>] >> >> or STUN Extension for Third-Party >> >> Authorization [RFC7635 >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc7635&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=MIL4juxvOv918XY6KGHPmqDeE7OJsySEhai5dbBIXMo&e=>].” >> >> >> And this yellow (that Brandon wanted, but you were not interested in >> the validation) is still there in all versions from -7 to suggested -11. >> >> “It is RECOMMENDED that the TURN client use >> >> one of the following techniques with (D)TLS to validate the TURN >> >> server: >> >> >> >> >> >> So I think we can keep the *(D)TLS consensus* that has been there since >> version -7 and remains in my suggested -11. >> >> >> >> /Karl >> >> >> >> *Från:*Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] >> *Skickat:* den 6 december 2016 06:59 >> *Till:* Karl Stahl; 'tram mailing list'; 'Brandon Williams' >> *Kopia:* Prashanth Patil (praspati); tram-chairs@ietf.org >> <mailto:tram-chairs@ietf.org>; 'Dan Wing'; 'Spencer Dawkins at IETF' >> *Ämne:* RE: [tram] to Tiru, WAS:draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Karl, >> >> >> >> Inside attacks are possible in local networks (e.g. Enterprise network). >> >> >> >> I will elaborate one of the attacks: >> >> >> >> a)Inside attacker passively monitors the TURN messages b/w the TURN >> client and TURN server, and learns the nonce value conveyed by the TURN >> server in Allocate response. >> >> >> >> b)Inside attacker spoofs a TURN request to the TURN server to close the >> allocation (lifetime set to zero). Attacker spoofs the source IP address >> of the TURN client and uses the nonce learned previously. >> >> >> >> c)TURN server checks if the nonce value is valid and successfully closes >> the allocation >> >> >> >> With opportunistic encryption, attacker will not see the nonce value >> sent by the TURN server to the TURN client and cannot close the >> allocation. >> >> >> >> -Tiru >> >> >> >> *From:* Karl Stahl [mailto:karl.stahl@ingate.com] >> *Sent:* Monday, December 5, 2016 9:44 PM >> *To:* Tirumaleswar Reddy (tireddy) <tireddy@cisco.com >> <mailto:tireddy@cisco.com>>; 'tram mailing list' <tram@ietf.org >> <mailto:tram@ietf.org>>; 'Brandon Williams' <brandon.williams@akamai.com >> <mailto:brandon.williams@akamai.com>> >> *Cc:* Prashanth Patil (praspati) <praspati@cisco.com >> <mailto:praspati@cisco.com>>; tram-chairs@ietf.org >> <mailto:tram-chairs@ietf.org>; 'Dan Wing' <dan@danwing.org >> <mailto:dan@danwing.org>>; 'Spencer Dawkins at IETF' >> <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>> >> *Subject:* SV: [tram] to Tiru, WAS:draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Tiru, >> >> >> >> See previous: >> >> I think all you bring up, since version -7 of this draft, is already >> discussed in Author’s: “Please refer >> https://tools.ietf.org/html/draft-ietf-tram-turn-server-discovery-10#section-9 >> >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dtram-2Dturn-2Dserver-2Ddiscovery-2D10-23section-2D9&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=6aJ1JWFxE2YgbNJfXZnnIngnYbMdeK80XioPfnUwks4&e=> >> >> for more details.” >> >> >> >> /Karl >> >> >> >> PS: Yet some comments below >> >> >> >> *Från:*Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] >> *Skickat:* den 4 december 2016 07:09 >> *Till:* Karl Stahl; 'Brandon Williams'; Prashanth Patil (praspati); >> tram@ietf.org <mailto:tram@ietf.org> >> *Kopia:* tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing'; >> 'Spencer Dawkins at IETF' >> *Ämne:* RE: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> No, Mandating (D)TLS does not mean forbidding TURN server usage in local >> (Enterprise) and access networks. >> >> --- See previous >> >> Opportunistic encryption protects the TURN client from the attacks I had >> discussed in the previous mail, attacker cannot see the TURN messages >> exchanged b/w the TURN client and TURN server, >> >> --- On local networks, you are among friends (or much worse than TURN >> server spoof attacks may happen) >> >> --- On access networks you are hopefully in cafe mode, not being in >> contact with the other users (seeing their TURN messages) >> >> and cannot spoof TURN messages. >> >> --- encryption does not hide source or destination ip addresses as far >> as I understand >> >> /Karl >> >> -Tiru >> >> >> >> *From:* Karl Stahl [mailto:karl.stahl@ingate.com] >> *Sent:* Friday, December 2, 2016 2:08 PM >> *To:* Tirumaleswar Reddy (tireddy) <tireddy@cisco.com >> <mailto:tireddy@cisco.com>>; 'Brandon Williams' >> <brandon.williams@akamai.com <mailto:brandon.williams@akamai.com>>; >> Prashanth Patil (praspati) <praspati@cisco.com >> <mailto:praspati@cisco.com>>; tram@ietf.org <mailto:tram@ietf.org> >> *Cc:* tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing' >> <dan@danwing.org <mailto:dan@danwing.org>>; 'Spencer Dawkins at IETF' >> <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>> >> *Subject:* SV: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Tiru, >> >> >> >> I am trying to make the point that there is no option for this draft, >> supposed to fulfill: >> >> *[tram] Milestone 3: TURN server auto-discovery mechanism for enterprise >> and ISPs*** >> >> to result in: “We forbid usage of such (yellow) network provided TURN >> servers (use gray or grayish TURN servers instead)”, which is the >> consequence of mandating (D)TLS. >> >> >> >> Simply leave the consensus since version -7 of this draft by removing >> the (D)TLS mandating for TURN servers provided by the local or access >> network thrown-in during the discuss. >> >> >> >> /Karl >> >> >> >> PS: I believe the attack discussion below is already done, and that you >> are wrong in thinking that authentication which protects against spoof >> attacks can be exchanged for encryption, and that any of these things >> protects against DDOS attacks . These security things address different >> things and are not interchangeable, nor are they universal means against >> attacks of various kinds. >> >> >> >> And the outcome of any such discussion doesn’t change the above. >> >> >> >> Please note (sorry to repeat) that for the purpose of getting a better >> path for real-time traffic than through the default gateway path, we >> cannot expect to also get a higher security or trust level, nor to >> resolve every problem in the world. >> >> >> >> >> >> *Från:*Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] >> *Skickat:* den 28 november 2016 10:53 >> *Till:* Karl Stahl; 'Brandon Williams'; Prashanth Patil (praspati); >> tram@ietf.org <mailto:tram@ietf.org> >> *Kopia:* tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing'; >> 'Spencer Dawkins at IETF' >> *Ämne:* RE: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Karl, >> >> >> >> Yes, I am discussing TURN servers provided by local or access networks, >> referring to inside attacks launched by attackers inside the local or >> access network. >> >> a)An inside attacker sends faked permissions to the TURN server to >> launch attack (DOS or DDOS) on the victim (TURN client). >> >> b)An inside attacker sends spoofed TURN requests to the TURN server to >> close allocations. >> >> >> >> Both above attacks can be prevented by using opportunistic encryption >> with (D)TLS. >> >> >> >> -Tiru >> >> >> >> *From:* tram [mailto:tram-bounces@ietf.org] *On Behalf Of *Karl Stahl >> *Sent:* Monday, November 28, 2016 2:49 PM >> *To:* Tirumaleswar Reddy (tireddy) <tireddy@cisco.com >> <mailto:tireddy@cisco.com>>; 'Brandon Williams' >> <brandon.williams@akamai.com <mailto:brandon.williams@akamai.com>>; >> Prashanth Patil (praspati) <praspati@cisco.com >> <mailto:praspati@cisco.com>>; tram@ietf.org <mailto:tram@ietf.org> >> *Cc:* tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing' >> <dan@danwing.org <mailto:dan@danwing.org>>; 'Spencer Dawkins at IETF' >> <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>> >> *Subject:* Re: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Tiru, >> >> >> >> Now I don’t know where you are again. >> >> >> >> Are you discussing TURN servers provided by the local or access network >> (the yellow TURN servers), that are released from authentication (no >> dispute there), but for which (D)TLS mandate was thrown in-during the >> discuss (making them gray)? That is the showstopper that must go away. >> >> >> >> Some comments below. Hope we agree the below does not relate to the >> yellow TURN server. >> >> >> >> /Karl >> >> >> >> *Från:*Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] >> *Skickat:* den 28 november 2016 04:02 >> *Till:* Karl Stahl; 'Brandon Williams'; Prashanth Patil (praspati); >> tram@ietf.org <mailto:tram@ietf.org> >> *Kopia:* tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing'; >> 'Spencer Dawkins at IETF' >> *Ämne:* RE: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Karl, >> >> >> >> No, I don’t agree that (D)TLS is not mandatory. Opportunistic encryption >> is not new. It’s discussed in RFC7435, and used in TCP increased >> security (TCPINC WG) and DNS privacy exchange (DPRIVE WG). >> >> >> >> How do you propose to handle the following passive attacks without >> (D)TLS or STUN authentication ? >> >> >> >> a) https://tools.ietf.org/html/rfc5766#section-17.2.1 >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc5766-23section-2D17.2.1&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=ZZ-_SMjOP8Ki9gZ6wzPjBywDoWtHtOREkDxWQHt0hA4&e=>, >> >> where attacker sends faked permissions to the TURN server to launch >> attack (DOS or DDOS) on the victim (TURN client). >> >>> Since the _TURN server sits outside_ the firewall, at attacker >>> outside the >> firewall can now send a >> >> --- A TURN server provided by local or access network, shall only be >> accessible by users inside the firewall. >> >> >> >> b) https://tools.ietf.org/html/rfc5766#section-17.3.3 >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc5766-23section-2D17.3.3&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=-mVAbbScCntQIQqG27WQgiJYDUnDrwrv3TooeaeW9WQ&e=>, >> >> attacker sends spoofed TURN requests to the TURN server to close >> allocations. >> >> --- I don’t think (D)TLS helps if you can spoof and have such attackers >> inside your network. (that paragraph says: TURN prevents this by >> requiring that the credentials used”) meaning authentication (not >> certificate checking, nor encryption). >> >> >> >> >> >> -Tiru >> >> >> >> *From:* tram [mailto:tram-bounces@ietf.org] *On Behalf Of *Karl Stahl >> *Sent:* Monday, November 28, 2016 1:39 AM >> *To:* Tirumaleswar Reddy (tireddy) <tireddy@cisco.com >> <mailto:tireddy@cisco.com>>; 'Brandon Williams' >> <brandon.williams@akamai.com <mailto:brandon.williams@akamai.com>>; >> Prashanth Patil (praspati) <praspati@cisco.com >> <mailto:praspati@cisco.com>>; tram@ietf.org <mailto:tram@ietf.org> >> *Cc:* tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing' >> <dan@danwing.org <mailto:dan@danwing.org>>; 'Spencer Dawkins at IETF' >> <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>> >> *Subject:* Re: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Tiru, >> >> >> >> So we agree that the (D)TLS mandate thrown-in during the discuss (making >> yellow TURN servers gray) shall go away and we are back to what was >> consensus since version -7 of the draft. I think the attacks you are >> discussing now have been listed already and for TURN servers in a local >> or access network (no change since version -7), we should not expect a >> higher security or trust level when sending our real-time traffic >> through another path than the through default gateway, both paths are >> provided by the same network provider. >> >> * * >> >> If “protects the client from various attacks discussed in previous >> mails” related to discovery of TURN servers, really is possible by >> introducing something (why reopen that now?), we have to be careful not >> to make yellow TURN servers grayish, which I am afraid self signed >> certificates might do, and further, does this belong in a discovery >> draft, risking to pick a fight with the WebRTC browser makers supposed >> to use this specification. We know they don’t fancy self signed >> certificates… >> >> >> >> Isn’t it specifications for some specific usage/application (like the >> return draft for WebRTC browsers) that should consider such things (not >> this draft), without any recommendation from this specification? >> >> >> >> /Karl >> >> >> >> *Från:*Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] >> *Skickat:* den 23 november 2016 04:15 >> *Till:* Karl Stahl; 'Brandon Williams'; Prashanth Patil (praspati); >> tram@ietf.org <mailto:tram@ietf.org> >> *Kopia:* tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing'; >> 'Spencer Dawkins at IETF' >> *Ämne:* RE: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> I am not suggesting that authentication is mandatory for TURN servers >> provided by local or access networks using (D)TLS but use of >> (D)TLS[Karl: “these become gray not yellow” or are you suggesting >> certificated signed by the network provider] >> >> >> >> [TR] No, they are yellow and not grey; clients will use (D)TLS but do >> not validate the TURN server certificate (referred to as Opportunistic >> security in the draft). >> >> >> >> [Karl: Seems like you are suggesting self signed certificates to just >> get the encryption (again – also discussed)] >> >> >> >> [TR] Yes, that’s one possible option to mandate (D)TLS. Client cannot >> validate the TURN server certificate but use encryption-only (D)TLS and >> protects the client from various attacks discussed in previous mails. >> >> >> >> -Tiru >> >> >> >> *From:* Karl Stahl [mailto:karl.stahl@ingate.com] >> *Sent:* Tuesday, November 22, 2016 11:12 PM >> *To:* Tirumaleswar Reddy (tireddy) <tireddy@cisco.com >> <mailto:tireddy@cisco.com>>; 'Brandon Williams' >> <brandon.williams@akamai.com <mailto:brandon.williams@akamai.com>>; >> Prashanth Patil (praspati) <praspati@cisco.com >> <mailto:praspati@cisco.com>>; tram@ietf.org <mailto:tram@ietf.org> >> *Cc:* tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing' >> <dan@danwing.org <mailto:dan@danwing.org>>; 'Spencer Dawkins at IETF' >> <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>> >> *Subject:* SV: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Tiru, >> >> >> >> Please understand that in this context: >> >> - Authentication is to only allow certain users to use the TURN server >> resource >> >> - Certificate checking as when using (D)TLS is to assure the user is >> using a trusted TURN server (and further is sets up an encrypted >> channel). >> >> >> >> These things are not interchangeable or do the same things or achieves >> the same, which has been discussed over and over again in this draft >> already. >> >> >> >> Let it rest with that we cannot/should not expect a higher trust or >> security level when sending our real-time traffic through the TURN >> server path, than trough the default gateway path. You simply have to >> trust the access from the network provider you select to connect to, or >> refrain from using it. >> >> >> >> Please also understand that “the gray TURN servers” are provided by >> others than the local or access network, and you chose to trust them >> with your real-time traffic based on checking their certificate (Who >> configures which to allow into the WebRTC browser?). >> >> >> >> In a specification which main purpose is to auto discover TURN servers >> provided by the local or access network (“the yellow ones”), you CANNOT >> LOGICALLY end up with saying you MUST/SHOULD or are RECOMMENDED to use >> “the gray ones” instead, provided by some authority or Brandon maybe >> (which are meant for other purposes). Then you have not delivered the >> specification we need = The showstopper. >> >> >> >> /Karl >> >> >> >> PS: Some comments below. >> >> >> >> *Från:*Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] >> *Skickat:* den 22 november 2016 04:31 >> *Till:* Karl Stahl; 'Brandon Williams'; Prashanth Patil (praspati); >> tram@ietf.org <mailto:tram@ietf.org> >> *Kopia:* tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing'; >> 'Spencer Dawkins at IETF' >> *Ämne:* RE: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Karl, >> >> >> >> I am not suggesting that authentication is mandatory for TURN servers >> provided by local or access networks using (D)TLS but use of >> (D)TLS[Karl: “these become gray not yellow” or are you suggesting >> certificated signed by the network provider]without authenticating the >> TURN server is mandatory to avoid various attacks listed in previous >> mails. >> >> >> >> In short, the TURN servers provided by local or access networks must use >> (D)TLS but it’s not mandatory for these TURN servers to get certificates >> from CA or any explicit configuration is required on the client to trust >> the TURN server.[Karl: Seems like you are suggesting self signed >> certificates to just get the encryption (again – also discussed)] >> >> >> >> -Tiru >> >> >> >> *From:* Karl Stahl [mailto:karl.stahl@ingate.com] >> *Sent:* Monday, November 21, 2016 2:10 AM >> *To:* Tirumaleswar Reddy (tireddy) <tireddy@cisco.com >> <mailto:tireddy@cisco.com>>; 'Brandon Williams' >> <brandon.williams@akamai.com <mailto:brandon.williams@akamai.com>>; >> Prashanth Patil (praspati) <praspati@cisco.com >> <mailto:praspati@cisco.com>>; tram@ietf.org <mailto:tram@ietf.org> >> *Cc:* tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing' >> <dan@danwing.org <mailto:dan@danwing.org>>; 'Spencer Dawkins at IETF' >> <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>> >> *Subject:* SV: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Tiru, >> >> >> >> Trying to clarify as you request: I have lost track of in which context >> you are when you are "discussing various attacks" and what you mean with >> the ?? I marked below. >> >> >> >> My concern was whether this may again lead to that WE HAVE *_NO_* TURN >> SERVERS in the yellow area below resulting from the (D)TLS mandating >> that was thrown-in into version -10 during the discuss (=the >> showstopping), since TURN servers with certificates are NOT provided by >> the local or access network (those are provided by some "trust anchor >> store [RFC6024] allows a TURN client ..." or by "Certification >> authorities that issue TURN server certificates" etc..) >> >> >> >> cid:image003.png@01D24376.AB3EFEC0 >> >> >> >> So, just let me rest with that your discussion does not take away the >> allowance to use TURN servers provided by the local or access network >> without authentication that was re-introduced in version -7 of the draft >> (after long discussions, including with you Tiru). Remember, _those >> yellow TURN servers were the requirement of this draft to auto discover_ >> so they can be used by the WebRTC browsers – Usage cannot be forbidden >> (or un-recommended as Brandon suggests, although Brandon is agreeing to >> that the (D)TLS mandate must vanish for the yellow TURN servers). >> >> >> >> >> >> FURTHER JUST TO REMIND AUTHORS of what is needed to be addresses in this >> draft; it is found in >> >> https://www.ietf.org/mail-archive/web/tram/current/msg02216.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg02216.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=RoQksDYwTif8WcC7pu9mSw93lTpGv0PpvAVrBJmOqBE&e=> >> >> >> and the contradiction in section 7.2 as said in >> >> https://www.ietf.org/mail-archive/web/tram/current/msg02226.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg02226.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=HlFe94mDcpEMQcstYO_MnhU7YzYVgNNLj_zA6fKbQsw&e=> >> >> >> while this discussion with Author Tiru and >“I don't run a local network >> or an access network and would not expect to deploy relays meant to >> function in that mode“ Brandon*, has been on more or less deviated >> subjects, or repeating what we already have been through earlier (PS: >> Notice that Author Prashanth already listed/discussed the attack stuff >> during the discuss. I feared you were redoing that.) >> >> >> >> /Karl >> >> >> >> * https://www.ietf.org/mail-archive/web/tram/current/msg02217.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg02217.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=MDJEF8Fm0L5d86VeSQoKznG8WMvrLGyL37ZlVoK7RbE&e=> >> >> >> >> >> >> >> -----Ursprungligt meddelande----- >> Från: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] >> Skickat: den 18 november 2016 04:00 >> Till: Karl Stahl; 'Brandon Williams'; Prashanth Patil (praspati); >> tram@ietf.org <mailto:tram@ietf.org> >> Kopia: tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing'; >> 'Spencer Dawkins at IETF' >> Ämne: RE: [tram] draft-ietf-tram-turn-server-discovery >> >> >> >> Hi Karl, >> >> >> >> I don't understand your concerns, please clarify. The draft mandates >> (D)TLS but does not mandate TURN server validation. >> >> We are discussing various attacks possbile for the WG to decide if >> (D)TLS is a MUST or SHOULD. >> >> >> >> -Tiru >> >> >> >> >> >>> -----Original Message----- >> >>> From: Karl Stahl [mailto:karl.stahl@ingate.com] >> >>> Sent: Friday, November 18, 2016 2:11 AM >> >>> To: Tirumaleswar Reddy (tireddy) <tireddy@cisco.com >>> <mailto:tireddy@cisco.com>>; 'Brandon Williams' >> >>> <brandon.williams@akamai.com <mailto:brandon.williams@akamai.com>>; >> Prashanth Patil (praspati) >> >>> <praspati@cisco.com <mailto:praspati@cisco.com>>; tram@ietf.org >> <mailto:tram@ietf.org> >> >>> Cc: tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing' >> <dan@danwing.org <mailto:dan@danwing.org>>; 'Spencer Dawkins >> >>> at IETF' <spencerdawkins.ietf@gmail.com >>> <mailto:spencerdawkins.ietf@gmail.com>> >> >>> Subject: SV: [tram] draft-ietf-tram-turn-server-discovery >> >>> >> >>> Continuing the thread of this subject with the view that it should be >>> about the >> >>> MUST/SHOULD/RECOMMEND discussion regarding D(TLS) for the USAGE of >> >>> an already discovered TURN server, which must be totally independent >>> of the >> >>> method used for discovery. >> >>> >> >>> I can't say I understand where Brandon's/Tiru's discussion fits in >>> and whether >> >>> are right things are said and are in the right context: >> >>> >> >>> ?? > > The draft mandates (D)TLS but does not mandate TURN server >> >>> validation. >> >>> ?? (D)TLS helps avoid various attacks, like attacker sending spoofed >>> TURN >> >>> messages ?? We should discuss all such possible attacks, before we >>> decide to >> >>> go with MUST or SHOULD. >> >>> >> >>> Where are we know? >> >>> >> >>> Please, just keep the clearance from authentication as it was from >>> version >> >>> -07 of the draft already, until the D(TLS) mandate was thrown in >>> during the >> >>> DISCUSS. >> >>> >> >>> Simply, logically: >> >>> > >> TURN servers *provided by* (and maintained by?) some "trust anchor >> >>> > >> store [RFC6024] allows a TURN client ..." or by "Certification >> >>> > >> authorities that issue TURN server certificates" >> >>> are NOT under the clearance discussed, which is for "TURN servers >>> *provided >> >>> by* the local network or by the access network". >> >>> so a SHOULD or RECOMMENDED of D(TLS) does not even belong under the >> >>> clearance discussed. >> >>> >> >>> >> >>> FURTHER, When I read: >> >>> >> >>> 7.2. Recursively Encapsulated TURN >> >>> >> >>> WebRTC endpoints SHOULD treat any TURN server discovered through the >> >>> mechanisms described in this specification as an enterprise/gateway >> >>> or access network server, in accordance with Recursively Encapsulated >> >>> TURN [I-D.ietf-rtcweb-return]. >> >>> >> >>> Isn't that "any" in total contradiction to the clearance being >>> discussed? >> >>> I thought: "enterprise/gateway or access network" was the same as your >> >>> "local or access network" and that for OTHER discovered TURN servers >> >>> (outside the local or access network), it must be the application >>> that instructs >> >>> the TURN client how to use. >> >>> >> >>> I suggest the 7.2 section is replaced with my: >> >>> > >>> (4) "Deployment Considerations for TURN Servers Provided by the >> >>> > >>> Local or >> >>> > >> Access Network" >> >>> >> >>> which mentions Recursively Encapsulated TURN [I-D.ietf-rtcweb-return]. >> >>> (you can spell it out like that) >> >>> >> >>> /Karl >> >>> >> >>> -----Ursprungligt meddelande----- >> >>> Från: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com] >> >>> Skickat: den 15 november 2016 05:01 >> >>> Till: Brandon Williams; Karl Stahl; Prashanth Patil (praspati); >>> tram@ietf.org <mailto:tram@ietf.org> >> >>> Kopia: tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing'; >> 'Spencer Dawkins at IETF' >> >>> Ämne: RE: [tram] draft-ietf-tram-turn-server-discovery >> >>> >> >>> Hi Brandon, >> >>> >> >>> I just listed one possible attack, there could be various other >>> attacks like the >> >>> one discussed in https://tools.ietf.org/html/rfc5766#section-17.2.1 >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc5766-23section-2D17.2.1&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=ZZ-_SMjOP8Ki9gZ6wzPjBywDoWtHtOREkDxWQHt0hA4&e=>, >> >> >>> where attacker sends faked permissions to the TURN server to launch >>> attack >> >>> (DOS or DDOS) on the victim (TURN client). >> >>> >> >>> We should discuss all such possible attacks, before we decide to go with >> >>> MUST or SHOULD. >> >>> >> >>> -Tiru >> >>> >> >>> > -----Original Message----- >> >>> > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Brandon >> >>> > Williams >> >>> > Sent: Monday, November 14, 2016 7:31 PM >> >>> > To: Tirumaleswar Reddy (tireddy) <tireddy@cisco.com >>> <mailto:tireddy@cisco.com>>; Karl Stahl >> >>> > <karl.stahl@ingate.com <mailto:karl.stahl@ingate.com>>; Prashanth >>> Patil >> (praspati) >> >>> > <praspati@cisco.com <mailto:praspati@cisco.com>>; tram@ietf.org >> <mailto:tram@ietf.org> >> >>> > Cc: tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing' >> <dan@danwing.org <mailto:dan@danwing.org>>; 'Spencer >> >>> > Dawkins at IETF' <spencerdawkins.ietf@gmail.com >>> <mailto:spencerdawkins.ietf@gmail.com>> >> >>> > Subject: Re: [tram] draft-ietf-tram-turn-server-discovery >> >>> > >> >>> > +1 on the rationale. It makes almost no difference how you secure the >> >>> > local or access network at the border, it's still possible that there >> >>> > are >> >>> on-path >> >>> > adversaries, and using some type of authentication (either (D)TLS or >> >>> > STUN) helps to protect against them. >> >>> > >> >>> > I still agree with Karl on downgrading the MUST back to SHOULD or >> >>> > RECOMMENDED, since I think there's room for disagreement about how >> >>> > critical it is to mitigate against that attack. Ease-of-use might win >> >>> > out >> >>> for some >> >>> > networks provided they have other protection mechanisms at either the >> >>> > network or datalink layer. I don't think it should drop below the >> >>> > recommendation level though, because most network will not have such >> >>> > mechanisms in place. >> >>> > >> >>> > --Brandon >> >>> > >> >>> > On 11/14/2016 06:36 AM, Tirumaleswar Reddy (tireddy) wrote: >> >>> > > There seems to be confusion why (D)TLS is mandated in the draft. >> >>> > > >> >>> > > The draft mandates (D)TLS but does not mandate TURN server >>> validation. >> >>> In >> >>> > scenarios where the TURN client cannot validate the TURN server, >> >>> > (D)TLS helps avoid various attacks, like attacker sending spoofed TURN >> >>> > messages >> >>> to >> >>> > TURN client and server. For example, when (D)TLS is not used, attacker >> >>> > can send spoofed TURN requests to the TURN server to close >>> allocations. >> >>> > > >> >>> > > The above attack is possible when TURN servers are provided by >> >>> > > either >> >>> local >> >>> > or access networks. >> >>> > > >> >>> > > -Tiru >> >>> > > >> >>> > >> -----Original Message----- >> >>> > >> From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Karl Stahl >> >>> > >> Sent: Monday, November 14, 2016 1:38 PM >> >>> > >> To: 'Brandon Williams' <brandon.williams@akamai.com >>> <mailto:brandon.williams@akamai.com>>; Prashanth >> >>> > >> Patil >> >>> > >> (praspati) <praspati@cisco.com <mailto:praspati@cisco.com>>; >>> tram@ietf.org >> <mailto:tram@ietf.org> >> >>> > >> Cc: tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan Wing' >> <dan@danwing.org <mailto:dan@danwing.org>>; 'Spencer >> >>> > >> Dawkins at IETF' <spencerdawkins.ietf@gmail.com >>> <mailto:spencerdawkins.ietf@gmail.com>>; >> Tirumaleswar >> >>> > >> Reddy >> >>> > >> (tireddy) <tireddy@cisco.com <mailto:tireddy@cisco.com>> >> >>> > >> Subject: Re: [tram] draft-ietf-tram-turn-server-discovery >> >>> > >> >> >>> > >> Hi Brandon, >> >>> > >> >> >>> > >> In this draft, you have been pushing for "validation" of the >> >>> > >> discovered TURN server by using DTLS. The use case for that has not >> >>> > >> been spelled out, but the use case of "TURN servers *provided by* >> >>> > >> the local network or by the access network", really needs to be >> >>> > >> clarified in this draft. For this use case, clearance from >> >>> > >> authentication and validation was made in version -07 of the draft >> >>> already. >> >>> > >> >> >>> > >> Regarding your comment below, it is not clear which use case YOU >> >>> > >> NOW are considering. >> >>> > >> >> >>> > >> Further, DISCOVERY and USAGE are not the same in this discussion. >> >>> > >> You mix that, especially regarding the anycast method. No one is >> >>> > >> suggesting that the TURN server is USED when addressed by anycast. >> >>> > >> There is only ONE packet addressed by anycast and sent to the >> >>> > >> STUN/TURN server and that is for DISCOVERING it. >> >>> > >> >> >>> > >> See further inline below. >> >>> > >> >> >>> > >> Thanks, >> >>> > >> Karl >> >>> > >> >> >>> > >> -----Ursprungligt meddelande----- >> >>> > >> Från: Brandon Williams [mailto:brandon.williams@akamai.com] >> >>> > >> Skickat: den 11 november 2016 19:08 >> >>> > >> Till: Karl Stahl; 'Prashanth Patil (praspati)'; tram@ietf.org >>> <mailto:tram@ietf.org> >> >>> > >> Kopia: tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; 'Dan >>> Wing'; >> 'Spencer Dawkins at IETF'; >> >>> > >> 'Tirumaleswar Reddy (tireddy)' >> >>> > >> Ämne: Re: [tram] draft-ietf-tram-turn-server-discovery >> >>> > >> >> >>> > >> (1) I agree with Karl that the MUST for (D)TLS or STUN auth should >> >>> > >> revert to a SHOULD or a RECOMMENDED, given that network perimeter >> >>> > >> control is called out with MUST (note that there are a few "must" >> >>> > >> to "MUST" edits required in that text). Although I would disagree >> >>> > >> with an enterprise network admin who chooses not to do one of those >> >>> > >> two things (see my comments about (3)/(4) below), I think there's >> >>> > >> room for difference of opinion there, so MUST is unlikely to be >> >>> > >> complied >> >>> with >> >>> > anyway. >> >>> > >> >> >>> > >> [Karl] Good that you agree the MUST (thrown-in during discuss) must >> >>> > >> go away, but for the use case of "TURN servers *provided by* the >> >>> > >> local network or by the access network." there should not even be >> >>> SHOULD >> >>> > or RECOMMEND. >> >>> > >> Your are relating to TURN servers *provided by* (and maintained >> >>> > >> by?) some "trust anchor store [RFC6024] allows a TURN client ..." >> >>> > >> or by "Certification authorities that issue TURN server >> >>> > >> certificates" that *provide TURN servers with their certificates >> >>> > >> in* that you expect to be discovered and where the TURN client (the >> >>> > >> WebRTC browser) must be equipped to accept those certificates. That >> >>> > >> is NOT FOR "the TURN servers *provided by* the local network or by >> >>> > >> the access network" that >> >>> is >> >>> > being discussed here. >> >>> > >> >> >>> > >> >> >>> > >> (2) I disagree with Karl about anycast. A server that properly >> >>> > >> supports anycast [Karl] What is "a server that properly supports >> >>> > >> anycast"? It is certainly NOT A [RFC5766] TURN server that is >> >>> > >> supposed >> >>> to >> >>> > be discovered by this draft. >> >>> > >> Also notice that we are talking about one anycast packet FOR >> >>> > >> DISCOVERY, NOT USAGE (relaying traffic) with anycast adressing. >> >>> > >> (I asked that the confusing "supports anycast" statement is removed >> >>> > >> from the beginning of the draft.) >> >>> > >> >> >>> > >> will indeed treat incoming requests differently depending upon >> >>> > >> whether they arrive on the anycast address or the unicast address. >> >>> > >> I strongly disagree with the idea of using Try Alternate on the >> >>> > >> binding request, because you want redirect for the long-lived >> >>> > >> allocate request, not for the query-response binding request. >> >>> > >> [Karl] With a TURN server provided by the local or access network, >> >>> > >> STUN is NOT USED for setting up any binding and no subsequent >> >>> > >> traffic. The STUN binding response 300 Try Alternate (statically >> >>> > >> configured) in my proposed text, is only an indication used at >> >>> > >> DISCOVERY, that a network provided TURN server is there and should >> >>> > >> be used at its unicast address revealed in the >> >>> > >> 300 response. The long-lived TURN allocate IS USED for the traffic. >> >>> > >> The STUN server portion of the TURN server paralleling the default >> >>> > >> gateway router is never used for any binding. >> >>> > >> >> >>> > >> Part of my reason for this is that good (by my definition) TURN >> >>> > >> server distribution is broader than is reasonable for anycast >> >>> > >> address management, and determining a redirect address to be >> >>> > >> delivered increases the cost of handling the STUN bind request. It >> >>> > >> is desirable for that cost to scale with the TURN allocate load, >> >>> > >> not the STUN bind >> >>> load. >> >>> > >> [Karl] You just add a static route in you access router for the >> >>> > >> anycast address to point to your TURN server! >> >>> > >> >> >>> > >> I don't oppose supporting both in the spec if someone wants to >> >>> > >> propose language for that, but it would add burden to client >> >>> > >> implementations because they would be required to support both even >> >>> > >> though the server could use either. On the other hand, the >> >>> > >> currently defined method shouldn't require changes to clients at >>> all. >> >>> > >> [Karl] ?! But it does not find [RFC5766] TURN servers... >> >>> > >> >> >>> > >> (3)/(4) I disagree with Karl's assessment of the deployment >> >>> > >> considerations, especially the conclusion that anycast is the >> >>> > >> better path for local/access networks. >> >>> > >> [Karl] If you mean traffic paths (like I did), "paths" are for >> >>> > >> USAGE and no one is suggesting anycast for that. >> >>> > >> Independent of how discovered (by anycast or any of the DNS >> >>> > >> methods) ALL USAGE through paths is by unicast addressing. >> >>> > >> >> >>> > >> It might be better for the server >> >>> > >> implementer, but not for the the client, because I think it's >> >>> > >> particularly difficult for a client to determine whether it's >> >>> > >> network >> >>> is >> >>> > "sealed". >> >>> > >> [Karl] No, not at all. Blocking STUN packets at the default gateway >> >>> > >> is the way to "network wise" seal the local network (and only allow >> >>> > >> the parallel TURN path)! That is easily detected by a TURN client. >> >>> > >> >> >>> > >> The client has to trust that the network is properly sealed, since >> >>> > >> it's difficult (at >> >>> > >> least) for the client to verify. Also, I think that the DNS and >> >>> > >> DHCP methods are likely to be easier for enterprise and access >> >>> > >> networks to implement, since they will have the necessary systems >> >>> > >> in place already. Even a home network gateway appliance will >> >>> > >> already have both integrate DNS and integrate DHCP, so I suspect >> >>> > >> that a small local network will have an easier time with these >>> than you >> >>> suggest as well. >> >>> > >> >> >>> > >> [Karl] So you agree that for a TURN server in a local network, its >> >>> > >> address shall only be deployed in local DNS - I think the draft >> >>> > >> should >> >>> say >> >>> > that also. >> >>> > >> >> >>> > >> Despite the fact that I disagree with the assessment, I don't run a >> >>> > >> local network or an access network and would not expect to deploy >> >>> > >> relays meant to function in that mode, so I will not have strong >> >>> > >> objections to including that language if there is broad support >> >>> > >> within >> >>> the >> >>> > WG for Karl's framing. >> >>> > >> >> >>> > >> --Brandon >> >>> > >> >> >>> > >> On 11/10/2016 05:48 PM, Karl Stahl wrote: >> >>> > >>> (1) The downgrade of the MUST level requirement for authentication >> >>> > >>> defined >> >>> > >> in [RFC5766] was "rightly" (to use the term from below) introduced >> >>> > >> and made OPTIONAL for TURN servers provided by the local or access >> >>> > network. >> >>> > >>> >> >>> > >>> HOWEVER, Prashanth's: "I think we can mandate (D)TLS *if* STUN >> >>> > >> authentication or third-party authorization is not used." thrown-in >> >>> > >> during the DISCUSS, must be deleted from the -10 version of this >> >>> > >> discovery since it BLOCKs the usage and deployment of network >> >>> > >> provided TURN servers, which was the main purpose of this discovery >> >>> > >> draft. (Also, Authors's did not follow Ben Campbell's: "I saw a >> >>> > >> comment on my DISCUSS email thread from Karl Stahl, stating that >> >>> > >> DTLS could not be mandated. Has that input been >> >>> > >> considered?") >> >>> > >>> >> >>> > >>> The thrown-in addition in version -10 (not shown in full below) >> >>> > >>> highlights >> >>> > >> this: >> >>> > >>> >> >>> > >>> A TURN client MUST use (D)TLS ... in the absence of STUN >>> long-term >> >>> > >>> credential mechanism [RFC5389] or STUN Extension for >>> Third-Party >> >>> > >>> Authorization [RFC7635]. ... >> >>> > >>> >> >>> > >>> o For certificate-based authentication, a pre-populated trust >> >>> anchor >> >>> > >>> store [RFC6024] allows a TURN client ... >> >>> > >>> >> >>> > >>> o Certification authorities that issue TURN server >>> certificates >> >>> > >>> ... >> >>> > >>> >> >>> > >>> o For TURN servers that don't have a certificate trust chain >> >>> (e.g., >> >>> > >>> because they are on a home network or a corporate >>> network), a >> >>> > >>> configured list of TURN servers can contain the Subject >> >>> > >>> Public >> >>> Key >> >>> > >>> Info (SPKI) fingerprint of the TURN servers... etc. >> >>> > >>> >> >>> > >>> What does the Authors have in mind - a regulated network of TURN >> >>> > >>> servers, >> >>> > >> when the purpose was for everyone to be able to use good WebRTC >> >>> > >> everywhere you can surf, including behind your home Best Buy bought >> >>> > >> WiFi router (which we can hope, some day, will include a default >> >>> > >> configured, ready to use, TURN server path paralleling its default >> >>> > >> gateway path (i.e. the NAT/firewall/access router/default gateway)? >> >>> > >>> >> >>> > >>> This specification shall (at least) specify discovery of network >> >>> > >>> provided >> >>> > >> TURN servers to allow real-time communication, in situations where >> >>> > >> it otherwise is not possible or bad: >> >>> > >>> - to meet the auto configuration of RFC 7478 (Web Real-Time >> >>> > >>> Communication >> >>> > >> Use Cases and Requirements) 2.3.5.1. >> >>> > >>> - providing a discovery method suitable for >> >>> > >>> draft-ietf-rtcweb-return-01 >> >>> > >>> >> >>> > >>> The above has already been discussed many times in this WG: >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg01319.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg01319.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=UQ8nxZHjChRSQF3sc2tbr82Vo2rwqxib6C1flqSTj0M&e=> >> >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg01742.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg01742.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=bEWAC26Xp-ZCCpWasI9Az-CSOA7wvnm9eja0udVuZrk&e=> >> >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg02191.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg02191.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=TR1caTM9QwgFaASc71-diTPehw0IpmP3MWC-Kv3ECEA&e=> >> >> >>> > >>> >> >>> > >>> Just as credentials for authentication cannot be expected to be >> >>> > >>> available >> >>> > >> for this general usage, nor can we impose that certificates should >> >>> > >> be >> >>> used. >> >>> > >> For the network provided TURN server, we should not/must not expect >> >>> > >> some higher level of trust or security when the real-time media >> >>> > >> flows through the TURN server than when it goes through the default >> >>> gateway! >> >>> > >>> >> >>> > >>> The use of (D)TLS has been discussed intensively in the -04 >> >>> > >>> version of the >> >>> > >> draft >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg01821.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg01821.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=1K6T0yYhF7wHe5ZWa8i_FgptKRnKJPCrjulsFhA7ZiU&e=> >> >> >>> > >>> and was NOT mandated for the TURN server provided by the local or >> >>> > >>> access >> >>> > >> network. It cannot be thrown-in now again! >> >>> > >>> >> >>> > >>> Any arguments against have been of type: We need security in >> >>> > >>> itself >> >>> > >>> - >> >>> > >> protect this and that - do every authentication/validation in the >> >>> > >> book (whether needed or not) etc., which only leads to responses >> >>> > >> like I had to bring up during the discuss: >> >>> > >>> [Karl] Do you think we need to discover TURN servers for the >> >>> > >>> pleasure of >> >>> > >> doing "security that deal directly with TURN messages" in itself, >> >>> > >> and not for what they are supposed to do (relay "application data") >> >>> > >> and do you also think that is why a network provider will deploy >> >>> > >> such TURN >> >>> > server for his users? >> >>> > >> Please do not stop the purpose (by such phrases)! >> >>> > >>> (Also, encryption and protection against man-in-the-middle >> >>> > >>> attacks, for >> >>> > >> the payload (real-time traffic) are for the endpoints to do - like >> >>> > >> with WebRTC, mandating DTLS-SRTP media - it should not be expected >> >>> > >> to be done by a TURN server, especially when not always used.) >> >>> > >>> >> >>> > >>> >> >>> > >>> (2) Also as pointed out during the DISCUSS >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg02144.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg02144.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=rAmhwLM0wIIegwZIGibns7sX1UArUnQPAKVg1lac1IM&e=> >> >> >>> > >>> and two times earlier (during WG discussions, but not addressed or >> >>> > >> responded to by the Authors): >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg02081.htm >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg02081.htm&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=n5wv4T-Romjuscl7TckqrB8HlLTNQQT2hhkbVLdC0nw&e=>l >> >> >>> > >>> and https://www.ietf.org/mail- >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2D&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=ngvMj_FO-lqDILKiWc_vhnRwu9uGvez69CcN3WT7tZk&e=> >> >> >>> > archive/web/tram/current/msg01976.html >> >>> > >>> >> >>> > >>> The anycast method does not work with RFC5766 TURN servers! That >> >>> > >>> has not >> >>> > >> been addressed at all. >> >>> > >>> >> >>> > >>> A TURN server doesn't react one way (answering 300 Try Alternate) >> >>> > >>> when >> >>> > >> addressed by an anycast address and another way (accepting the >> >>> > >> Allocate >> >>> > >> request) when addressed by its unicast address, does it? >> >>> > >>> >> >>> > >>> Author's (during the DISCUSS): "We intend to add the following to >> >>> > >>> explain >> >>> > >> server behavior a little better: >> >>> > >>> "A TURN anycast server performs checks 1 to 7 discussed in Section >> >>> > >>> 6.2 of >> >>> > >> RFC5766. If all checks pass, the TURN anycast server MUST respond >> >>> > >> with a >> >>> > >> 300 (Try Alternate) error as described in [RFC5766];" >> >>> > >>> does not help and I responded: [Karl] That must be an update of >> >>> RFC5766. >> >>> > >> Or does "TURN anycast server" imply that there ALSO is a "TURN >> >>> > >> unicast server" at the same interface accepting the Allocate >>> request? >> >>> > >> What are these things? >> >>> > >>> >> >>> > >>> I have proposed this modification of the anycast method, which is >> >>> > >>> better >> >>> > >> (in several aspects) and doesn't need to update RFC5766: >> >>> > >>> >> >>> > >>> "When a client requires TURN services, it sends a STUN binding >> >>> > >>> request to >> >>> > >> the assigned anycast address. The STUN server >> >>> > >>> responds with a 300 (Try Alternate) error as described in >> >>> > >>> [RFC5389]; The >> >>> > >> response contains a unicast address in the ALTERNATE-SERVER >> >>> > >> attribute, which the client compares with the source address of the >> >>> > >> response and if the >> >>> > >>> addresses are the same, it is an indication to use the TURN server >> >>> > >>> at that >> >>> > >> address. >> >>> > >>> >> >>> > >>> For subsequent communication with the TURN server, the client uses >> >>> > >>> that >> >>> > >> responding server's unicast address." >> >>> > >>> >> >>> > >>> The sentence in the -10 draft under "3 Discovery Procedure": "not >> >>> > >>> all TURN >> >>> > >> servers may support anycast" can then be removed. >> >>> > >>> >> >>> > >>> >> >>> > >>> (3) I cannot see this -10 draft telling which discovery method >> >>> > >>> that is fit >> >>> > >> for the TURN servers provided by the local or access network (the >> >>> > >> network provided TURN server). However, there are confusing client >> >>> > >> behavior recommendations, like the sentences in the draft under "3 >> >>> > >> Discovery >> >>> > >> Procedure": "For best results, a client SHOULD implement all >> >>> > >> discovery mechanisms described above." and under "1 Introduction": >> >>> > >> "three discovery mechanisms, so as to maximize opportunity for >> >>> > >> discovery, based on the network in which the TURN client finds >>> itself." >> >>> > >>> >> >>> > >>> A network provided TURN server is only meant for the users on the >> >>> > >>> specific >> >>> > >> network - others should not be able to use such TURN server, and it >> >>> > >> would then be preferred that it is only advertized and discovered >> >>> > >> at that local network - which is badly described by "maximize >> >>> > >> opportunity >> >>> for >> >>> > discovery". >> >>> > >>> >> >>> > >>> If a DNS method would be used to discover the network provided >> >>> > >>> TURN >> >>> > >> server, its private address should only be configured in private >> >>> > >> (local) DNS (we don't like to put our private IP addresses in >> >>> > >> public DNS), but I see no such recommendation. Further, the DNS >> >>> > >> methods are complex and expensive to deploy and one of them depends >> >>> > >> on DHCP that is not available on all access networks. That makes (a >> >>> > >> working) anycast discovery method the clear choice for a TURN >> >>> > >> server provided by >> >>> > the local or access network. >> >>> > >>> >> >>> > >>> Network provided TURN servers paralleling a NAT/firewall/access >> >>> > >> router/default gateway is a new concept that came up during WebRTC >> >>> > >> standardization work to deal with traversal and quality problems of >> >>> > >> real-time traffic. However, this draft give little or no guidance >> >>> > >> for deployment and I therefore suggest that a separate section is >> >>> > >> added, that spells out the deployment considerations for TURN >> >>> > >> servers provided by the local or access network (which now is >> >>> > >> missing, but I propose the following >> >>> > >> text): >> >>> > >>> >> >>> > >>> >> >>> > >>> (4) "Deployment Considerations for TURN Servers Provided by the >> >>> > >>> Local or >> >>> > >> Access Network" >> >>> > >>> (Suggested text for an additional section) >> >>> > >>> >> >>> > >>> The concept of paralleling a NAT/firewall/access-router/default >> >>> > >>> gateway at >> >>> > >> the local or access network with a TURN server, to deal with >> >>> > >> traversal and quality problems of real-time traffic, is new and >> >>> > >> came up during the WebRTC standardization work. >> >>> > >>> >> >>> > >>> Such network provided TURN servers, only accessible by the users >> >>> > >>> on the >> >>> > >> local or access network, must be automatically discovered and used, >> >>> > >> without specific configuration or having credentials for >> >>> > >> authentication or certificates for validation, to be useful for >>> e.g. >> >>> > >> a WebRTC browsers to allow quality media traffic "everywhere you >> >>> > >> can >> >>> > surf". >> >>> > >>> >> >>> > >>> Just as for the Internet access itself, the TURN server is offered >> >>> > >>> by the >> >>> > >> network provider and there is no change in the trust or security >> >>> > >> level (which should not be expected) when real-time traffic flows >> >>> > >> through the TURN server path, than through the default gateway >>> path. >> >>> > >> (The purpose of the network provided turn server is to allow >> >>> > >> traversal of real-time media traffic in environments with >> >>> > >> restrictive NAT/firewalls closed for UDP traffic and/or to allow >> >>> > >> better quality through the often data congested router at the >> >>> > >> default >> >>> > >> gateway.) >> >>> > >>> >> >>> > >>> The discovery of the network provided TURN server should meet the >> >>> > >>> auto >> >>> > >> configuration of RFC 7478 (Web Real-Time Communication Use Cases >> >>> > >> and >> >>> > >> Requirements) 2.3.5.1. and draft-ietf-rtcweb-return-01 is defining >> >>> > >> the TURN client behavior for WebRTC browsers. >> >>> > >>> >> >>> > >>> For quality reasons, a sealed network configuration - i.e. the >> >>> > >>> media has >> >>> > >> to go through the TURN server, not through the default gateway (by >> >>> > >> using STUN instead of TURN) - is the typical intention when a TURN >> >>> > >> server is deployed in the local or access network. The sealed >> >>> > >> configuration can be enforced and signaled to the TURN client by >> >>> > >> the network provider blocking STUN packets at the default gateway. >> >>> > >>> >> >>> > >>> A network configuration enforcing sealed behavior, has the good >> >>> > >>> effect of >> >>> > >> allowing the TURN client (e.g. a WebRTC browser) in itself to have >> >>> > >> a >> >>> > >> non- sealed default configuration. (ietf-rtcweb-return-01 explains >> >>> > >> that a sealed default configuration in the browser itself, would >> >>> > >> result in that media between local clients would have to pass the >> >>> > >> TURN server, which is not >> >>> > >> desirable.) >> >>> > >>> >> >>> > >>> The above assumes that the TURN client using a TURN server in the >> >>> > >>> local or >> >>> > >> access network shall use unencrypted STUN/TURN (over UDP for best >> >>> > >> quality) so the STUN cookie can be detected and stopped in the >> >>> > >> default >> >>> > gateway. >> >>> > >>> >> >>> > >>> A TURN server included in the router at the default gateway, that >> >>> > >> intercepts and responds to an allocate request, should be >>> treated as >> >>> a >> >>> > >> discovered network provided sealed TURN server configuration by a >> >>> > >> TURN client (without having to review any 300 Try Alternate >> >>> > >> response as outlined in anycast method description) allowing for >> >>> > >> tolerant and >> >>> secure >> >>> > deployment. >> >>> > >>> >> >>> > >>> A web application that wants to try the default gateway path >> >>> > >>> instead of >> >>> > >> the TURN server path (in spite of a sealed network configuration) >> >>> > >> can suggest encrypted (D)TLS STUN and TURN candidates that will not >> >>> > >> be blocked by STUN cookie recognition at the default gateway. It is >> >>> > >> then up to application's TURN client whether to try the default >> >>> > >> gateway >> >>> path. >> >>> > >>> >> >>> > >>> A further advantage of detecting a sealed network configuration, >> >>> > >>> is that a >> >>> > >> TURN client can select to *only in a sealed network configuration* >> >>> > >> look for a TURN server by the anycast method for discovery, thus >> >>> > >> eliminating the leakage risk mentioned under 9.3. Further, there >> >>> > >> will be no risk that a far away TURN server will be discovered and >> >>> > >> used and there will be no need for the TTL limitation suggested >>> under 9.3. >> >>> > >>> >> >>> > >>> The anycast discovery method, combined with the above >> >>> > >>> recommendations, >> >>> > >> allow for an easy and robust deployment of network provided TURN >> >>> > >> servers, fitting all types of local and access networks. >> >>> > >>> >> >>> > >>> The DNS based methods of this specification are more complex and >> >>> > >>> expensive >> >>> > >> to deploy and one of them depends on DHCP that is not available on >> >>> > >> all access networks. If any of the DNS based methods is used to >> >>> > >> advertize and discover a TURN in the local or access network, its >> >>> > >> private addresses should only be configured in private (local) DNS >> >>> > >> and not be published publicly, which adds further to the complexity >> >>> > >> and >> >>> > cost of deployment. >> >>> > >>> >> >>> > >>> >> >>> > >>> (5) Most (all?) of what is considered and summed up under (4) (the >> >>> > >> suggested additional text), has been brought forward on the TRAM WG >> >>> > >> list before, but not brought into the current -10 draft, see: >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg00132.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg00132.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=RYHSesfqj7o8Z-N2Cf-bzialwIHWlsyrSz0xRmHzY4c&e=> >> >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg00138.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg00138.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=KHA3cB1EXSI0iHSKZJ2M35wFeNJlswYbPCeUR0bsAA8&e=> >> >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg01721.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg01721.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=_tS_buEDXuCbIC40GFNswK2X9uWoL1Whf5szrHEJDO4&e=> >> >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg01745.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg01745.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=O11Dc68fLCzyFKwE5uk4gGITttt8x4swXSiI2Rq1t-I&e=> >> >> >>> > >>> The links given under (1) and (2) above >> >>> > >>> https://www.ietf.org/mail-archive/web/tram/current/msg02155.html >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tram_current_msg02155.html&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=Z3119bHFcte36WxImltxLO6FN_1UkgzYWpoPYZDVzt4&e=> >> >> >>> > >>> >> >>> > >>> /Karl >> >>> > >>> >> >>> > >>> >> >>> > >>> -----Ursprungligt meddelande----- >> >>> > >>> Från: tram [mailto:tram-bounces@ietf.org] För Prashanth Patil >> >>> > >>> (praspati) >> >>> > >>> Skickat: den 2 november 2016 22:18 >> >>> > >>> Till: tram@ietf.org <mailto:tram@ietf.org> >> >>> > >>> Kopia: tram-chairs@ietf.org <mailto:tram-chairs@ietf.org>; Dan >>> Wing; Spencer >> Dawkins at IETF; >> >>> > >> Tirumaleswar Reddy (tireddy) >> >>> > >>> Ämne: [tram] draft-ietf-tram-turn-server-discovery >> >>> > >>> >> >>> > >>> The TURN discovery draft originally suggested that STUN >> >>> > >>> authentication be >> >>> > >> relaxed and made OPTIONAL for TURN servers provided by the local or >> >>> > >> access network. The intention was to allow new/guest users (who do >> >>> > >> not necessarily possess long term credentials for STUN >> >>> > >> authentication) in the network to discover and use TURN services >> >>> offered >> >>> > by the network. >> >>> > >>> Ben Campbell raised an objection during IESG evaluation that we >> >>> > >>> clearly >> >>> > >> indicate that this is a downgrade of a MUST level requirement >> >>> > >> defined in [RFC5766] and explain its consequences. It was also >> >>> > >> rightly suggested that we mandate the use of (D)TLS in the absence >> >>> > >> of STUN authentication for protection against a variety of attacks; >> >>> > >> the draft now makes it a MUST that TURN servers use (D)TLS in the >> >>> > >> absence of STUN >> >>> > authentication. >> >>> > >>> >> >>> > >>> To put it simply, the draft mandates that TURN servers in a local >> >>> > >>> or >> >>> > >> access network do at least one of (D)TLS or STUN authentication. If >> >>> > >> you have an opinion about this change, please let the working group >> >>> > >> know on the mailing list before the end of IETF 97. >> >>> > >>> >> >>> > >>> See below for snippets of what changed. >> >>> > >>> >> >>> > >>> Excerpt from Security Considerations of >> >>> > >> draft-ietf-tram-turn-server-discovery-09: >> >>> > >>> >> >>> > >>> "Use of Session Traversal Utilities for NAT (STUN) [RFC5389] >> >>> > >>> authentication is OPTIONAL for TURN servers provided by the >>> local >> >>> > >>> network or by the access network. A network provided TURN >> >>> > >>> server >> >>> > MAY >> >>> > >>> be configured to accept Allocation requests without STUN >> >>> > >>> authentication, and a TURN client MAY be configured to accept >> >>> > >>> Allocation success responses without STUN authentication from a >> >>> > >>> network provided TURN server. In order to protect against >>> man-in- >> >>> > >>> the-middle attacks when accepting a TURN allocation response >> >>> without >> >>> > >>> STUN authentication, it is RECOMMENDED that the TURN client use >> >>> one >> >>> > >>> of the following techniques with (D)TLS to validate the TURN >> >>> server" >> >>> > >>> >> >>> > >>> >> >>> > >>> Updated text in Security Considerations of >> >>> > >> draft-ietf-tram-turn-server-discovery-10: >> >>> > >>> >> >>> > >>> "Use of Session Traversal Utilities for NAT (STUN) [RFC5389] >> >>> > >>> authentication is OPTIONAL for TURN servers provided by the >>> local >> >>> > >>> network or by the access network. A network provided TURN >> >>> > >>> server >> >>> > MAY >> >>> > >>> be configured to accept Allocation requests without STUN >> >>> > >>> authentication, and a TURN client MAY be configured to accept >> >>> > >>> Allocation success responses without STUN authentication from a >> >>> > >>> network provided TURN server. >> >>> > >>> >> >>> > >>> Making STUN authentication OPTIONAL is a downgrade of a MUST >> >>> level >> >>> > >>> requirement defined in [RFC5766]. The downgrade allows TURN >> >>> servers >> >>> > >>> provided by local or access network to accept Allocation >>> requests >> >>> > >>> from new and/or guest users in the network who do not >>> necessarily >> >>> > >>> possess long term credentials for STUN authentication. The >> >>> > >>> intention, in such deployments, being to provide TURN services >> >>> > >>> to >> >>> all >> >>> > >>> users in the local or access network. However, this opens up a >> >>> TURN >> >>> > >>> server to a variety of attacks described in Section 17 of >> >>> [RFC5766]. >> >>> > >>> A TURN server in such cases must be configured to only >>> process STUN >> >>> > >>> requests from the trusted local network or subscribers of the >> >>> access >> >>> > >>> network. Operational measures must be taken in order >>> protect the >> >>> > >>> TURN server; some of these measures include, but not limited >>> to, >> >>> > >>> access control by means of access-lists, firewalls, subscriber >> >>> quota >> >>> > >>> limits, ingress filtering etc. >> >>> > >>> >> >>> > >>> A TURN client MUST use (D)TLS in the absence of STUN long-term >> >>> > >>> credential mechanism [RFC5389] or STUN Extension for >>> Third-Party >> >>> > >>> Authorization [RFC7635]." >> >>> > >>> >> >>> > >>> Please refer >> >>> > >> https://tools.ietf.org/html/draft-ietf-tram-turn-server-discovery-1 >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dtram-2Dturn-2Dserver-2Ddiscovery-2D1&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=DVGS9E_SiopOIRk_em6JrGzQfeEIFTKDaFuOyMBN88Y&e=> >> >> >>> > >> 0# >> >>> > >> section >> >>> > >> -9 for more details. >> >>> > >>> >> >>> > >>> Thanks, >> >>> > >>> Authors >> >>> > >>> >> >>> > >>> _______________________________________________ >> >>> > >>> tram mailing list >> >>> > >>> tram@ietf.org <mailto:tram@ietf.org> >> >>> > >>> https://www.ietf.org/mailman/listinfo/tram >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tram&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=m-0KDgh3LnSwNkYBXRZEvmD-6KbIBecTW_LVyOtpxKw&e=> >> >> >>> > >>> >> >>> > >>> _______________________________________________ >> >>> > >>> tram mailing list >> >>> > >>> tram@ietf.org <mailto:tram@ietf.org> >> >>> > >>> https://www.ietf.org/mailman/listinfo/tram >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tram&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=m-0KDgh3LnSwNkYBXRZEvmD-6KbIBecTW_LVyOtpxKw&e=> >> >> >>> > >>> >> >>> > >> >> >>> > >> _______________________________________________ >> >>> > >> tram mailing list >> >>> > >> tram@ietf.org <mailto:tram@ietf.org> >> >>> > >> https://www.ietf.org/mailman/listinfo/tram >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tram&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=m-0KDgh3LnSwNkYBXRZEvmD-6KbIBecTW_LVyOtpxKw&e=> >> >> >>> > >> >>> > _______________________________________________ >> >>> > tram mailing list >> >>> > tram@ietf.org <mailto:tram@ietf.org> >> >>> > https://www.ietf.org/mailman/listinfo/tram >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tram&d=DgMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=7_NPCCssr1qNc9mpIa2KGK9mZALgQpov0FRi9DO1LVs&s=m-0KDgh3LnSwNkYBXRZEvmD-6KbIBecTW_LVyOtpxKw&e=> >> >> > -- Brandon Williams; Chief Architect Cloud Networking; Akamai Technologies Inc.
- [tram] draft-ietf-tram-turn-server-discovery Prashanth Patil (praspati)
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Brandon Williams
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Brandon Williams
- Re: [tram] draft-ietf-tram-turn-server-discovery Brandon Williams
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- [tram] Anycast discovery, was: draft-ietf-tram-tu… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Brandon Williams
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Simon Perreault
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Simon Perreault
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Simon Perreault
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Simon Perreault
- Re: [tram] Anycast discovery, was: draft-ietf-tra… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Pal Martinsen (palmarti)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Tirumaleswar Reddy (tireddy)
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Tirumaleswar Reddy (tireddy)
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Karl Stahl
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Tirumaleswar Reddy (tireddy)
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Brandon Williams
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Brandon Williams
- Re: [tram] draft-ietf-tram-turn-server-discovery Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Brandon Williams
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Karl Stahl
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Karl Stahl
- Re: [tram] draft-ietf-tram-turn-server-discovery Karl Stahl
- Re: [tram] to Tiru, WAS:draft-ietf-tram-turn-serv… Tirumaleswar Reddy (tireddy)
- Re: [tram] draft-ietf-tram-turn-server-discovery Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Tirumaleswar Reddy (tireddy)
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Pal Martinsen (palmarti)
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Tirumaleswar Reddy (tireddy)
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Brandon Williams
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Tirumaleswar Reddy (tireddy)
- Re: [tram] Maybe we have (D)TLS consensus; WAS: d… Karl Stahl