IETF Logo Mail Archive

Re: [tram] Review of draft-johnston-tram-stun-origin-02

Alan Johnston <alan.b.johnston@gmail.com> Thu, 05 June 2014 20:28 UTC

Return-Path: <alan.b.johnston@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19DC01A031C for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 13:28:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pIv0sHrqZOQ0 for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 13:28:28 -0700 (PDT)
Received: from mail-qa0-x232.google.com (mail-qa0-x232.google.com [IPv6:2607:f8b0:400d:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F9231A0305 for <tram@ietf.org>; Thu, 5 Jun 2014 13:28:26 -0700 (PDT)
Received: by mail-qa0-f50.google.com with SMTP id j15so2180170qaq.9 for <tram@ietf.org>; Thu, 05 Jun 2014 13:28:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=jQTr+fhasSr8QU59c75C1Ac/zshV73+Ux7aZXsp+iwE=; b=AojRHzdnZ+sQLwidfqm35Xhk00rarFrH065F6tqydH/rIzQq99sPTyimlibBBKZrSl I8mMTd32DMMiVdKJmYl9WS6f8PdADS+xnlmGqqeIgMs6Sp769/Jl4hVwK1HHGyTzgBVk kHm1XykXNV5VepfIjEjhqSGeY/LJCVrHbAdHDxRmCSNXKqqXOf8CiK07JbeLrpgzWbRP vzMvQCLywNWGXjgxvxweL8VJXXFFTRCQ3AImOz94EZ/aem7Vhk9TcMb6oN0JH/LXPHIm J8qpMBzrNBLPn66Mog1jXFID0aM2MZKt7d5G668JOpErEPj5qXZq4cSEOM0H94Y2YfeF bjUg==
X-Received: by 10.229.212.196 with SMTP id gt4mr186556qcb.18.1402000098940; Thu, 05 Jun 2014 13:28:18 -0700 (PDT)
Received: from [192.168.1.5] (24-241-75-164.dhcp.stls.mo.charter.com. [24.241.75.164]) by mx.google.com with ESMTPSA id z67sm10400498yhk.50.2014.06.05.13.28.17 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 05 Jun 2014 13:28:17 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-E448B49C-F6E7-4950-A242-9560E0AD28DD"
Mime-Version: 1.0 (1.0)
From: Alan Johnston <alan.b.johnston@gmail.com>
X-Mailer: iPhone Mail (11D201)
In-Reply-To: <CALDtMrKxd=bowBag0_Z8sSGPMfjUHBTOzX6F233WFDVPa1rgrg@mail.gmail.com>
Date: Thu, 05 Jun 2014 15:28:16 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <2356C6CE-16ED-4823-800F-5DD1CE5DFBB8@gmail.com>
References: <5368BF90.2070307@getjive.com> <CAKhHsXFqvySLXqFddBCtYmosN=6GqrO7X_JDnFtqiA+C38x5ug@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17DE3241@MCHP04MSX.global-ad.net> <166C39DF-CA68-4C9C-8553-197C2C75B382@gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17DE3355@MCHP04MSX.global-ad.net> <CALDtMrKxd=bowBag0_Z8sSGPMfjUHBTOzX6F233WFDVPa1rgrg@mail.gmail.com>
To: Oleg Moskalenko <mom040267@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/2GiPbMKGfHsyNGZHbOrKQing6X8
Cc: "Hutton, Andrew" <andrew.hutton@unify.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 20:28:33 -0000

Andy,

Thanks for your review and comments. 

When you mentioned multiple origins, I thought you were referring to a SIP origin and an HTTP origin, but it seems the HTTP origin has the concept of more than one. I wonder if browsers ever generate this?

I will add some discussion of this in the next version, including Oleg's useful set of issues below. 

- Alan -

> On Jun 5, 2014, at 2:55 PM, Oleg Moskalenko <mom040267@gmail.com> wrote:
> 
> If we do want to support multiple origins per request then we have to state, clearly, three things:
> 
>   1) Use cases.
>   2) How we use multiple origins when we process the request.
>   3) How we format multiple origins in the request - as comma-separated single field or multiple origin attributes. As STUN/TURN is a binary protocol, I think that the second option is better.
> 
> The usefulness of multiple origins in TURN is not very obvious to me. I implemented ORIGIN in a pilot implementation https://code.google.com/p/coturn/ but I assumed a single ORIGIN field per request.
> 
> Oleg
> 
> 
>  
> 
> 
>> On Thu, Jun 5, 2014 at 7:48 AM, Hutton, Andrew <andrew.hutton@unify.com> wrote:
>> Multiple Origins for HTTP Requests are covered in http://tools.ietf.org/html/rfc6454#section-7.2 I just assumed the same would apply to the usage in this context.
>> 
>> Andy
>> 
>> > -----Original Message-----
>> > From: Oleg Moskalenko [mailto:mom040267@gmail.com]
>> > Sent: 05 June 2014 15:26
>> > To: Hutton, Andrew
>> > Cc: Alan Johnston; tram@ietf.org
>> > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
>> >
>> > What would be the purpose of multiple origins ?
>> >
>> > Oleg
>> >
>> > On Jun 5, 2014, at 7:19 AM, "Hutton, Andrew" <andrew.hutton@unify.com>
>> > wrote:
>> > Hi,
>> >
>> > I had another read through this draft and hope we can move this forward
>> > and adopt the draft soon.
>> >
>> > I only have one additional comment at this time and that is that I
>> > assume it should be possible for the client to include more than one
>> > origin in the Origin header field and if so the procedures around this
>> > should explained in the draft.
>> >
>> > Regards
>> > Andy
>> >
>> >
>> >
>> >
>> > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Alan Johnston
>> > Sent: 07 May 2014 18:50
>> > To: Marc Petit-Huguenin
>> > Cc: tram@ietf.org
>> > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
>> >
>> > Marc,
>> >
>> > Thanks for the review.  See my comments below.
>> >
>> > - Alan -
>> >
>> > On Tue, May 6, 2014 at 5:55 AM, Marc Petit-Huguenin
>> > <marcph@getjive.com> wrote:
>> > A1. Intended Status: Informational
>> >
>> > Shouldn't this be Standard Track?
>> >
>> > Yes.
>> >
>> > A2. Section 1, 2nd paragraph, last sentence: "as generating the
>> > response..."
>> >
>> > I do not think that the reason for no authentication for the NAT
>> > Discovery Usage is because it is less work, but because there is no
>> > resource to protect so adding more work does not make sense.
>> >
>> > I disagree that there is *no* resource to protect.  A STUN server might
>> > be minimal resources, but not none.  If a simple authentication scheme
>> > were available, I'm sure some people would use it so they could
>> > minimize the cost of their server footprint by ensuring that only
>> > authenticated users were utilizing it.  I will add some text pointing
>> > out that the minimal resources.
>> >
>> > A3. Section 1, 8th paragraph
>> >
>> > I do not think that the ORIGIN should be used to select the certificate
>> > when (D)TLS is used.  First it does not work with DANE, as when an SRV
>> > (and probably NAPTR too, but that's undefined yet) RR redirects to a
>> > different domain, the domain to be checked with is the host name, not
>> > the service domain (see draft-ietf-dane-srv).  For non-DANE cases, I
>> > think that the correct way to select the certificate is to use SNI.
>> >
>> > The draft does not suggest that ORIGIN be used to select certificates -
>> > as Oleg pointed out it isn't possible.  This paragraph was describing
>> > how RFC 6066 does not solve the problem, as had been suggested on the
>> > list.
>> >
>> >
>> > So I would suggest to restrict the normative use of ORIGIN only to
>> > select realms.
>> >
>> > A4. Section 2.2. ORIGIN attribute usage
>> >
>> > The text does not say if the ORIGIN attribute should/can be provided
>> > after the authentication (i.e. refresh, data packets, etc...)
>> >
>> > Currently, the text says SHOULD include, for a conformant client.  For
>> > logging, it has value even after the initial authentication.
>> >
>> >
>> > A5. Section 2.2.  Mandatory support for server
>> >
>> > How a TURN server that requires the usage of ORIGIN can signal this?
>> >
>> > Right now there is no way to do this.  I agree with Oleg that it is up
>> > to the server what to do if ORIGIN is no present.
>> >
>> > A6. Section 2. Other Usages
>> >
>> > I think that other STUN Usages should be listed after section 2.3:
>> >
>> > - Media Keep-Alive Usage (Section 20 of RFC5245)
>> > - SIP Keep-Alive Usage (RFC 5626)
>> > - NAT Behavior Discovery Usage (RFC 5780)
>> >
>> > I'll take a look at these scenarios.  I suspect that it would be a
>> > reasonable usage for client-to-server usages, but not for peer-to-peer
>> > usages.
>> >
>> > A7. Section 4, 3rd paragraph: "If the STUN MESSAGE-INTEGRITY attribute
>> > is present, the contents of the ORIGIN attribute are integrity
>> > protected."
>> >
>> > Which never happen in the usages listed in the document:  for section
>> > 2.1, there is never an integrity protection, and for 2.2, the ORIGIN is
>> > needed to select the realm, so the ORIGIN is sent before it can be
>> > protected.  Perhaps 2.2 should say that if ORIGIN was sent to select
>> > the
>> > realm, it MUST be repeated at identical on the second Allocate (the one
>> > that has an M-I) and that the server MUST reject it if it is not
>> > identical to the first one.  Not sure it matters though.
>> >
>> > I agree that there is no integrity protection of the ORIGIN attribute
>> > (or any other attribute) until after authentication.  However, ORIGIN
>> > can be used both before and after authentication.  I'll review this
>> > text and make sure this is clear.  I don't believe we need any special
>> > rules, as this applies to any STUN attribute.
>> >
>> > Nits
>> > ----
>> >
>> > - Section 2, 2nd paragraph: "The number used for the this in the ..."
>> >
>> > Does not parse.
>> >
>> > The middle "the" shouldn't be there.
>> >
>> >
>> > --
>> > Marc Petit-Huguenin
>> > Developer  |  Jive Communications, Inc.
>> > Jive.com  |  marcph@getjive.com
>> >
>> >
>> > _______________________________________________
>> > tram mailing list
>> > tram@ietf.org
>> > https://www.ietf.org/mailman/listinfo/tram
>> >
>> > _______________________________________________
>> > tram mailing list
>> > tram@ietf.org
>> > https://www.ietf.org/mailman/listinfo/tram
>

v2.23.0 | Report a Bug | By Email