Re: [tram] Review of draft-johnston-tram-stun-origin-02
Alan Johnston <alan.b.johnston@gmail.com> Thu, 05 June 2014 20:28 UTC
Return-Path: <alan.b.johnston@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19DC01A031C for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 13:28:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pIv0sHrqZOQ0 for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 13:28:28 -0700 (PDT)
Received: from mail-qa0-x232.google.com (mail-qa0-x232.google.com [IPv6:2607:f8b0:400d:c00::232]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F9231A0305 for <tram@ietf.org>; Thu, 5 Jun 2014 13:28:26 -0700 (PDT)
Received: by mail-qa0-f50.google.com with SMTP id j15so2180170qaq.9 for <tram@ietf.org>; Thu, 05 Jun 2014 13:28:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=jQTr+fhasSr8QU59c75C1Ac/zshV73+Ux7aZXsp+iwE=; b=AojRHzdnZ+sQLwidfqm35Xhk00rarFrH065F6tqydH/rIzQq99sPTyimlibBBKZrSl I8mMTd32DMMiVdKJmYl9WS6f8PdADS+xnlmGqqeIgMs6Sp769/Jl4hVwK1HHGyTzgBVk kHm1XykXNV5VepfIjEjhqSGeY/LJCVrHbAdHDxRmCSNXKqqXOf8CiK07JbeLrpgzWbRP vzMvQCLywNWGXjgxvxweL8VJXXFFTRCQ3AImOz94EZ/aem7Vhk9TcMb6oN0JH/LXPHIm J8qpMBzrNBLPn66Mog1jXFID0aM2MZKt7d5G668JOpErEPj5qXZq4cSEOM0H94Y2YfeF bjUg==
X-Received: by 10.229.212.196 with SMTP id gt4mr186556qcb.18.1402000098940; Thu, 05 Jun 2014 13:28:18 -0700 (PDT)
Received: from [192.168.1.5] (24-241-75-164.dhcp.stls.mo.charter.com. [24.241.75.164]) by mx.google.com with ESMTPSA id z67sm10400498yhk.50.2014.06.05.13.28.17 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 05 Jun 2014 13:28:17 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-E448B49C-F6E7-4950-A242-9560E0AD28DD"
Mime-Version: 1.0 (1.0)
From: Alan Johnston <alan.b.johnston@gmail.com>
X-Mailer: iPhone Mail (11D201)
In-Reply-To: <CALDtMrKxd=bowBag0_Z8sSGPMfjUHBTOzX6F233WFDVPa1rgrg@mail.gmail.com>
Date: Thu, 05 Jun 2014 15:28:16 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <2356C6CE-16ED-4823-800F-5DD1CE5DFBB8@gmail.com>
References: <5368BF90.2070307@getjive.com> <CAKhHsXFqvySLXqFddBCtYmosN=6GqrO7X_JDnFtqiA+C38x5ug@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17DE3241@MCHP04MSX.global-ad.net> <166C39DF-CA68-4C9C-8553-197C2C75B382@gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17DE3355@MCHP04MSX.global-ad.net> <CALDtMrKxd=bowBag0_Z8sSGPMfjUHBTOzX6F233WFDVPa1rgrg@mail.gmail.com>
To: Oleg Moskalenko <mom040267@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/2GiPbMKGfHsyNGZHbOrKQing6X8
Cc: "Hutton, Andrew" <andrew.hutton@unify.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 20:28:33 -0000
Andy, Thanks for your review and comments. When you mentioned multiple origins, I thought you were referring to a SIP origin and an HTTP origin, but it seems the HTTP origin has the concept of more than one. I wonder if browsers ever generate this? I will add some discussion of this in the next version, including Oleg's useful set of issues below. - Alan - > On Jun 5, 2014, at 2:55 PM, Oleg Moskalenko <mom040267@gmail.com> wrote: > > If we do want to support multiple origins per request then we have to state, clearly, three things: > > 1) Use cases. > 2) How we use multiple origins when we process the request. > 3) How we format multiple origins in the request - as comma-separated single field or multiple origin attributes. As STUN/TURN is a binary protocol, I think that the second option is better. > > The usefulness of multiple origins in TURN is not very obvious to me. I implemented ORIGIN in a pilot implementation https://code.google.com/p/coturn/ but I assumed a single ORIGIN field per request. > > Oleg > > > > > >> On Thu, Jun 5, 2014 at 7:48 AM, Hutton, Andrew <andrew.hutton@unify.com> wrote: >> Multiple Origins for HTTP Requests are covered in http://tools.ietf.org/html/rfc6454#section-7.2 I just assumed the same would apply to the usage in this context. >> >> Andy >> >> > -----Original Message----- >> > From: Oleg Moskalenko [mailto:mom040267@gmail.com] >> > Sent: 05 June 2014 15:26 >> > To: Hutton, Andrew >> > Cc: Alan Johnston; tram@ietf.org >> > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02 >> > >> > What would be the purpose of multiple origins ? >> > >> > Oleg >> > >> > On Jun 5, 2014, at 7:19 AM, "Hutton, Andrew" <andrew.hutton@unify.com> >> > wrote: >> > Hi, >> > >> > I had another read through this draft and hope we can move this forward >> > and adopt the draft soon. >> > >> > I only have one additional comment at this time and that is that I >> > assume it should be possible for the client to include more than one >> > origin in the Origin header field and if so the procedures around this >> > should explained in the draft. >> > >> > Regards >> > Andy >> > >> > >> > >> > >> > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Alan Johnston >> > Sent: 07 May 2014 18:50 >> > To: Marc Petit-Huguenin >> > Cc: tram@ietf.org >> > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02 >> > >> > Marc, >> > >> > Thanks for the review. See my comments below. >> > >> > - Alan - >> > >> > On Tue, May 6, 2014 at 5:55 AM, Marc Petit-Huguenin >> > <marcph@getjive.com> wrote: >> > A1. Intended Status: Informational >> > >> > Shouldn't this be Standard Track? >> > >> > Yes. >> > >> > A2. Section 1, 2nd paragraph, last sentence: "as generating the >> > response..." >> > >> > I do not think that the reason for no authentication for the NAT >> > Discovery Usage is because it is less work, but because there is no >> > resource to protect so adding more work does not make sense. >> > >> > I disagree that there is *no* resource to protect. A STUN server might >> > be minimal resources, but not none. If a simple authentication scheme >> > were available, I'm sure some people would use it so they could >> > minimize the cost of their server footprint by ensuring that only >> > authenticated users were utilizing it. I will add some text pointing >> > out that the minimal resources. >> > >> > A3. Section 1, 8th paragraph >> > >> > I do not think that the ORIGIN should be used to select the certificate >> > when (D)TLS is used. First it does not work with DANE, as when an SRV >> > (and probably NAPTR too, but that's undefined yet) RR redirects to a >> > different domain, the domain to be checked with is the host name, not >> > the service domain (see draft-ietf-dane-srv). For non-DANE cases, I >> > think that the correct way to select the certificate is to use SNI. >> > >> > The draft does not suggest that ORIGIN be used to select certificates - >> > as Oleg pointed out it isn't possible. This paragraph was describing >> > how RFC 6066 does not solve the problem, as had been suggested on the >> > list. >> > >> > >> > So I would suggest to restrict the normative use of ORIGIN only to >> > select realms. >> > >> > A4. Section 2.2. ORIGIN attribute usage >> > >> > The text does not say if the ORIGIN attribute should/can be provided >> > after the authentication (i.e. refresh, data packets, etc...) >> > >> > Currently, the text says SHOULD include, for a conformant client. For >> > logging, it has value even after the initial authentication. >> > >> > >> > A5. Section 2.2. Mandatory support for server >> > >> > How a TURN server that requires the usage of ORIGIN can signal this? >> > >> > Right now there is no way to do this. I agree with Oleg that it is up >> > to the server what to do if ORIGIN is no present. >> > >> > A6. Section 2. Other Usages >> > >> > I think that other STUN Usages should be listed after section 2.3: >> > >> > - Media Keep-Alive Usage (Section 20 of RFC5245) >> > - SIP Keep-Alive Usage (RFC 5626) >> > - NAT Behavior Discovery Usage (RFC 5780) >> > >> > I'll take a look at these scenarios. I suspect that it would be a >> > reasonable usage for client-to-server usages, but not for peer-to-peer >> > usages. >> > >> > A7. Section 4, 3rd paragraph: "If the STUN MESSAGE-INTEGRITY attribute >> > is present, the contents of the ORIGIN attribute are integrity >> > protected." >> > >> > Which never happen in the usages listed in the document: for section >> > 2.1, there is never an integrity protection, and for 2.2, the ORIGIN is >> > needed to select the realm, so the ORIGIN is sent before it can be >> > protected. Perhaps 2.2 should say that if ORIGIN was sent to select >> > the >> > realm, it MUST be repeated at identical on the second Allocate (the one >> > that has an M-I) and that the server MUST reject it if it is not >> > identical to the first one. Not sure it matters though. >> > >> > I agree that there is no integrity protection of the ORIGIN attribute >> > (or any other attribute) until after authentication. However, ORIGIN >> > can be used both before and after authentication. I'll review this >> > text and make sure this is clear. I don't believe we need any special >> > rules, as this applies to any STUN attribute. >> > >> > Nits >> > ---- >> > >> > - Section 2, 2nd paragraph: "The number used for the this in the ..." >> > >> > Does not parse. >> > >> > The middle "the" shouldn't be there. >> > >> > >> > -- >> > Marc Petit-Huguenin >> > Developer | Jive Communications, Inc. >> > Jive.com | marcph@getjive.com >> > >> > >> > _______________________________________________ >> > tram mailing list >> > tram@ietf.org >> > https://www.ietf.org/mailman/listinfo/tram >> > >> > _______________________________________________ >> > tram mailing list >> > tram@ietf.org >> > https://www.ietf.org/mailman/listinfo/tram >
- [tram] Review of draft-johnston-tram-stun-origin-… Marc Petit-Huguenin
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Alan Johnston
- Re: [tram] Review of draft-johnston-tram-stun-ori… Hutton, Andrew
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Hutton, Andrew
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Alan Johnston