IETF Logo Mail Archive

Re: [tram] Transport of ICMP errors in TURN

Marc Petit-Huguenin <petithug@acm.org> Thu, 27 August 2015 14:49 UTC

Return-Path: <petithug@acm.org>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 262E91A9147 for <tram@ietfa.amsl.com>; Thu, 27 Aug 2015 07:49:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.236
X-Spam-Level:
X-Spam-Status: No, score=-1.236 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qLQdM3ue5oDs for <tram@ietfa.amsl.com>; Thu, 27 Aug 2015 07:49:53 -0700 (PDT)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id DB3691A8BC0 for <tram@ietf.org>; Thu, 27 Aug 2015 07:49:52 -0700 (PDT)
Received: from [IPv6:2602:61:7515:ec00:6c4a:517e:21cb:6368] (unknown [IPv6:2602:61:7515:ec00:6c4a:517e:21cb:6368]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (Client CN "Marc Petit-Huguenin", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id E85A020415; Thu, 27 Aug 2015 16:49:51 +0200 (CEST)
To: "Cullen Jennings (fluffy)" <fluffy@cisco.com>, Simon Perreault <sperreault@jive.com>
References: <55DD94FF.7080400@acm.org> <55DDB133.6090608@jive.com> <A8F8D0A4-C847-4F3E-B5A3-45DA47CB95D9@cisco.com> <913383AAA69FF945B8F946018B75898A478C7C70@xmb-rcd-x10.cisco.com> <44C024B4-CAC6-4E3A-A812-793809449E10@cisco.com> <55DF1D4D.7010000@jive.com> <72AD57D8-AF37-4F06-9A3C-848C53B4640D@cisco.com>
From: Marc Petit-Huguenin <petithug@acm.org>
Message-ID: <55DF238E.7030400@acm.org>
Date: Thu, 27 Aug 2015 08:49:50 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.1.0
MIME-Version: 1.0
In-Reply-To: <72AD57D8-AF37-4F06-9A3C-848C53B4640D@cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/2HcS3k9fL72z9K36wE5auXE_e7k>
Cc: "Pal Martinsen (palmarti)" <palmarti@cisco.com>, "tram@ietf.org" <tram@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Subject: Re: [tram] Transport of ICMP errors in TURN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 14:49:54 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/27/2015 08:33 AM, Cullen Jennings (fluffy) wrote:
> 
>> On Aug 27, 2015, at 8:23 AM, Simon Perreault <sperreault@jive.com> wrote:
>>
>> Le 2015-08-27 09:49, Cullen Jennings (fluffy) a écrit :
>>>
>>> A key part of TURN design was that it was not usable for running
>>> general purpose server that accepted traffic from anyone without
>>> first identifying who it is that you want to get the traffic from. So
>>> the client has to tell the TURN server which external hosts can send
>>> it traffic.
>>>
>>> Receiving ICMP violates this because you would need to accept stuff
>>> from sources you had not given permission to send you stuff. That
>>> allows TURN to be used to build generic servers which allows it to
>>> circumvent firewall policy. One of the reasons we invented TURN
>>> instead of using one of the other tunnel protocols was to not have
>>> this problem.
>>
>> Good point.
>>
>> That is easily solved by having the TURN server enforce permissions on
>> the 5-tuple of the ICMP error's encapsulated original packet. Exactly
>> the same way stateful firewalls do it.
>>
>> Simon
> 
> Yep, with that change it would be OK.

I believe that the text in the patch I just sent does that.

> 
> I find that many networks block ICMP for one reason or another thus one can not count on it working most of the time so it has really limited value for applications as they end up using a method that works all the time. 

Yes, and that's OK - both ICE and PMTUD are designed to work without receiving ICMP, but work better if they do.

- -- 
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJV3yONAAoJECnERZXWan7E/MEP/iMhsPf2+UOtWxJbanHsqvs8
wstZUctFVtEyx2/dUnSP/zXfzGpDhnnGXZXdxqisqOrf+42/itP0CbCufvIzu9ZD
DuRdy6TEY7MTzYHTI3cGBByL6J6RbkZF8ytymND0h2EP2gk284PZkM6O3hKoZVYF
ZUCM3BB3vWOphrZVescHn2ulYkjZFfUgyEpnPShKi5xaYYlu+e56wVouZn8653n3
wUZA5e5QEZgV5vgzFpbOLt6ZW0EorWFqgoGOj2Qb0h925PwadNFqLnnOQF7Pf+yT
stect5QQtiNI1NdQSy0vp/IzEUn9EWTi2NXfTYqD9sA0GCGDQCiabVUjTx0DXgU4
I+WXqXFUesm9zi6SS+SB4f67zhUH37zMhwkngbyd6NTfaoHUVLVdaXNQU8MzZDHs
sQPStzn24GLSsUB5W/gsrSwq/c3s/60vFcZ/2mT8jDRErHpeTmz/ose8OYFfUGTL
QIFS28m2W2VrkPOegw04vIiGAroeo+MgFkLok99M+IHzJdM2O7BL4vAS7Qp8Lh4F
YaEkKQrlAFtff+asqwOdZr7pH9mif2eloBaghaoN0rEi51D88HnRgalY+ZguhwES
TiNwTlfJzGWGdozBDvPWcwGlB+oFmPGOoGXeNKvPrvE3UFDc69bM0/nAUTOSrx6m
3ExRElqHwELyyZ3dV1gu
=LI7w
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email