Re: [tram] [Tsv-art] Tsvart last call review of draft-ietf-tram-turnbis-25

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 26 June 2019 10:33 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, "kaduk@mit.edu" <kaduk@mit.edu>
CC: "touch@strayalpha.com" <touch@strayalpha.com>, "tsv-art@ietf.org" <tsv-art@ietf.org>, "draft-ietf-tram-turnbis.all@ietf.org" <draft-ietf-tram-turnbis.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "brandon.williams@akamai.com" <brandon.williams@akamai.com>, "tram@ietf.org" <tram@ietf.org>
Thread-Topic: [Tsv-art] [tram] Tsvart last call review of draft-ietf-tram-turnbis-25
Thread-Index: AQHVJeLARC6n0ucJHkeMQsIbR9Bl76ai+JZQgAiG+gCAANd4AIABauMA
Date: Wed, 26 Jun 2019 10:32:48 +0000
Message-ID: <DM5PR16MB17058A3EEC90267BA9A6458DEAE20@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <DM5PR16MB170564C0438321CC3FDD0ACFEAEF0@DM5PR16MB1705.namprd16.prod.outlook.com> <4C41A2BC-0CBC-42D5-B313-22F9A9D51F6E@strayalpha.com> <DM5PR16MB1705874C023145D26DCB58E6EAEE0@DM5PR16MB1705.namprd16.prod.outlook.com> <edcd66c2-0dfb-8f89-d6a3-53482c433d4e@strayalpha.com> <DM5PR16MB17057CCD4D2543D84254EFD1EAEB0@DM5PR16MB1705.namprd16.prod.outlook.com> <HE1PR0701MB2522DCB2459055A6319C439B95EA0@HE1PR0701MB2522.eurprd07.prod.outlook.com> <DM5PR16MB1705E3EF8260B456A9B02C10EAEA0@DM5PR16MB1705.namprd16.prod.outlook.com> <HE1PR0701MB2522C0A1063877D45985619795EA0@HE1PR0701MB2522.eurprd07.prod.outlook.com> <BD41AC2D-3925-4E11-B1EC-AD24680376AE@strayalpha.com> <DM5PR16MB1705F636477B6234FEA35A04EAE50@DM5PR16MB1705.namprd16.prod.outlook.com> <20190624233637.GF48838@kduck.mit.edu> <HE1PR0701MB25224C8F0585C940B8DBFFF695E30@HE1PR0701MB2522.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR0701MB25224C8F0585C940B8DBFFF695E30@HE1PR0701MB2522.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/1qy533fCSI0kFY9uP-VISHhcL6Q>

As per the suggestion from Magnus, modified text as follows:

The TCP connection between the TURN client and server can use TCP-AO [RFC5925], but UDP does not provide a similar type of authentication until UDP supports
an authentication option.  If TCP-AO were used between the TURN client and server, it would not change the end-to-end security properties of
the UDP payload being relayed.  Therefore applications using TURN will need to secure their application data end-to-end appropriately, e.g. SRTP for RTP applications.

Cheers,
-Tiru

> -----Original Message-----
> From: Magnus Westerlund <magnus.westerlund@ericsson.com>
> Sent: Tuesday, June 25, 2019 5:58 PM
> To: kaduk@mit.edu; Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com>
> Cc: touch@strayalpha.com; tsv-art@ietf.org; draft-ietf-tram-
> turnbis.all@ietf.org; ietf@ietf.org; brandon.williams@akamai.com;
> tram@ietf.org
> Subject: RE: [Tsv-art] [tram] Tsvart last call review of draft-ietf-tram-turnbis-
> 25
> 
> Hi,
> 
> > -----Original Message-----
> > From: Benjamin Kaduk <kaduk@mit.edu>
> > Sent: den 25 juni 2019 01:37
> > To: Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@mcafee.com>
> > Cc: Joe Touch <touch@strayalpha.com>; Magnus Westerlund
> > <magnus.westerlund@ericsson.com>; tsv-art@ietf.org; draft-ietf-tram-
> > turnbis.all@ietf.org; ietf@ietf.org; Brandon Williams
> > <brandon.williams@akamai.com>; tram@ietf.org
> > Subject: Re: [Tsv-art] [tram] Tsvart last call review of
> draft-ietf-tram-turnbis-
> > 25
> >
> > Sorry to jump in and hijack the middle of a different thread, but...
> >
> > On Wed, Jun 19, 2019 at 01:24:42PM +0000, Konda, Tirumaleswar Reddy
> > wrote:
> > > Hi Joe,
> > >
> > > I have added the following lines to address your comment:
> > >
> > >    TCP multi-path [RFC6824] is not supported by this version of TURN
> > >    because TCP multi-path is not used by both SIP and WebRTC protocols
> > >    [RFC7478] for media and non-media data.  If the TCP connection
> > >    between the TURN client and server uses TCP-AO [RFC5925] or TLS, the
> > >    client must secure application data (e.g. using SRTP) to provide
> > >    confidentiality, message authentication and replay protection to
> > >    protect the application data relayed from the server to the peer
> > >    using UDP.  An attacker attempting to spoof in fake data is discussed
> > >    in
> >
> > ... this kind of cross-layer security requirement ("if you were using
> > TCP-layer protection, now you have to impose a requirement on the
> > application protocol (stack) at a higher layer") has been quite
> > problematic in the past when attempted for other protocols.  Consider
> > this early warning that it will get a careful security area review
> > during IESG evaluation, if not sooner.  Being very specific about which
> > component of the system has what requirements under which conditions
> > would be helpful, as a start.
> 
> And I think this requirement is backwards. Application of TCP-AO or TLS does
> not result in an improved security property for the higher layer that
> utilizes TURN. That is still regular IP/UDP datagram payloads in this
> version. There is nothing in this specification that gives you anything
> better on the server to peer leg. Thus, application of TLS/TCP or TCP-AO on
> the client to server leg is only to mitigate some threats on this client to
> server leg, potentially making it more robust.
> 
> Thus, I would suggest that this requirement be removed, and that it
> instead be explained that the actual upper-layer security properties are
> not improved; simply, the client-server leg is less vulnerable to certain
> attacks.
> 
> /Magnus
> >
> > -Ben
> >
> > >    Section 20.1.4.  Note that the TCP-AO option obsoletes the TCP MD5 option.
> > >    Unlike UDP, TCP without the TCP Fast Open extension [RFC7413] does
> > >    not support 0-RTT session resumption.  The TCP user timeout [RFC5482]
> > >    equivalent for application data relayed by TURN is the use of the RTP
> > >    control protocol (RTCP).  As a reminder, RTCP is a fundamental and
> > >    integral part of RTP.
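The property the thread is arguing about, as an added Python model that is not part of this message, the quoted replies, or the TURN draft: a MAC on the client-to-server TCP leg (standing in for TCP-AO) is verified and stripped at the relay, so a peer receiving plain UDP on the server-to-peer leg cannot distinguish a relayed datagram from one spoofed or replayed by an attacker, whatever was used on the first leg. Only an end-to-end tag over the application data with a sequence number (standing in for SRTP's authentication tag and replay protection) lets the peer reject the spoof and the replay. The addresses, keys, the 32-byte leg-1 MAC and the 4-byte-sequence plus 10-byte-tag layout are constructed for the model; they are not the RFC 5925 or RFC 3711 wire formats, and the replay check is a seen-set rather than SRTP's sliding window.

```python
"""Model: hop-by-hop protection on the TURN client/server leg vs. end-to-end
protection of the relayed application data.  Constructed example; all keys,
addresses and packet layouts below are assumptions, not any RFC's format."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses for the model (not from the draft).
RELAYED_ADDR = ("198.51.100.5", 49152)   # server's relayed transport address
ATTACKER_ADDR = RELAYED_ADDR             # attacker spoofs the relayed source address

MAC_LEN = 32   # leg-1 MAC length (full HMAC-SHA256)
SEQ_LEN = 4    # end-to-end sequence number
TAG_LEN = 10   # end-to-end auth tag, truncated as SRTP's 80-bit default is


@dataclass
class Datagram:
    src: tuple
    payload: bytes


# --- Leg 1: client -> server over TCP, with a TCP-AO-like MAC over the segment.
def ao_protect(ao_key: bytes, segment: bytes) -> bytes:
    return segment + hmac.new(ao_key, segment, hashlib.sha256).digest()


def ao_verify(ao_key: bytes, protected: bytes) -> Optional[bytes]:
    body, tag = protected[:-MAC_LEN], protected[-MAC_LEN:]
    expected = hmac.new(ao_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return body


def turn_relay(ao_key: bytes, protected_segment: bytes) -> Optional[Datagram]:
    """Server: verify and strip the leg-1 MAC, then forward the bytes as plain UDP.
    Nothing of the leg-1 protection survives onto leg 2."""
    body = ao_verify(ao_key, protected_segment)
    if body is None:
        return None
    return Datagram(src=RELAYED_ADDR, payload=body)


# --- End-to-end: SRTP-like authentication and replay protection on the app data.
def e2e_protect(e2e_key: bytes, seq: int, data: bytes) -> bytes:
    hdr = struct.pack("!I", seq)
    tag = hmac.new(e2e_key, hdr + data, hashlib.sha256).digest()[:TAG_LEN]
    return hdr + data + tag


class E2EReceiver:
    """Peer-side verifier: checks the tag, then rejects already-seen sequence numbers."""
    def __init__(self, e2e_key: bytes):
        self.key = e2e_key
        self.seen = set()

    def verify(self, packet: bytes) -> Optional[bytes]:
        if len(packet) < SEQ_LEN + TAG_LEN:
            return None
        hdr, body, tag = packet[:SEQ_LEN], packet[SEQ_LEN:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None
        seq = struct.unpack("!I", hdr)[0]
        if seq in self.seen:
            return None            # replay
        self.seen.add(seq)
        return body


def peer_receive(datagrams: List[Datagram], receiver: Optional[E2EReceiver]) -> List[bytes]:
    """Leg 2 at the peer.  Without end-to-end protection the source address is all
    the peer has, and that is exactly what the attacker spoofs."""
    accepted = []
    for d in datagrams:
        if receiver is None:
            accepted.append(d.payload)
        else:
            body = receiver.verify(d.payload)
            if body is not None:
                accepted.append(body)
    return accepted


def run_scenario(use_e2e: bool) -> List[bytes]:
    """TCP-AO-like MAC on leg 1 in both runs; only the second run adds end-to-end protection."""
    ao_key, e2e_key = os.urandom(32), os.urandom(32)
    app_data = b"RTP payload from client"
    wire = e2e_protect(e2e_key, 1, app_data) if use_e2e else app_data
    relayed = turn_relay(ao_key, ao_protect(ao_key, wire))
    assert relayed is not None
    # Attacker on leg 2: one spoofed datagram, plus a replay of the genuine one.
    spoofed = Datagram(src=ATTACKER_ADDR, payload=b"FAKE payload from attacker")
    replay = Datagram(src=ATTACKER_ADDR, payload=relayed.payload)
    receiver = E2EReceiver(e2e_key) if use_e2e else None
    return peer_receive([relayed, spoofed, replay], receiver)


if __name__ == "__main__":
    print("leg-1 MAC only :", run_scenario(False))   # spoof and replay both accepted
    print("plus end-to-end:", run_scenario(True))    # only the genuine payload accepted
```

The first run is the situation the draft text originally described: TCP-AO (here, its stand-in) holds on the client-server leg and the tampered segment would be dropped there, yet the peer still accepts the spoof and the replay, because the relay forwards bare UDP. The second run is what Tiru's revised text asks of applications: SRTP-style protection applied by the endpoints, which is the only thing in the model that changes what the peer accepts.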