Re: [tram] [Tsv-art] Tsvart last call review of draft-ietf-tram-turnbis-25

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 25 June 2019 10:01 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Joe Touch <touch@strayalpha.com>, Magnus Westerlund <magnus.westerlund@ericsson.com>, "tsv-art@ietf.org" <tsv-art@ietf.org>, "draft-ietf-tram-turnbis.all@ietf.org" <draft-ietf-tram-turnbis.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, Brandon Williams <brandon.williams@akamai.com>, "tram@ietf.org" <tram@ietf.org>
Date: Tue, 25 Jun 2019 10:00:06 +0000
Message-ID: <DM5PR16MB17054E6D6ABD1F659639D5EBEAE30@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <DM5PR16MB170564C0438321CC3FDD0ACFEAEF0@DM5PR16MB1705.namprd16.prod.outlook.com> <4C41A2BC-0CBC-42D5-B313-22F9A9D51F6E@strayalpha.com> <DM5PR16MB1705874C023145D26DCB58E6EAEE0@DM5PR16MB1705.namprd16.prod.outlook.com> <edcd66c2-0dfb-8f89-d6a3-53482c433d4e@strayalpha.com> <DM5PR16MB17057CCD4D2543D84254EFD1EAEB0@DM5PR16MB1705.namprd16.prod.outlook.com> <HE1PR0701MB2522DCB2459055A6319C439B95EA0@HE1PR0701MB2522.eurprd07.prod.outlook.com> <DM5PR16MB1705E3EF8260B456A9B02C10EAEA0@DM5PR16MB1705.namprd16.prod.outlook.com> <HE1PR0701MB2522C0A1063877D45985619795EA0@HE1PR0701MB2522.eurprd07.prod.outlook.com> <BD41AC2D-3925-4E11-B1EC-AD24680376AE@strayalpha.com> <DM5PR16MB1705F636477B6234FEA35A04EAE50@DM5PR16MB1705.namprd16.prod.outlook.com> <20190624233637.GF48838@kduck.mit.edu>
In-Reply-To: <20190624233637.GF48838@kduck.mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/3XtX-AaS7Ywdoux_4QWenqshHL8>

> -----Original Message-----
> From: Benjamin Kaduk <kaduk@mit.edu>
> Sent: Tuesday, June 25, 2019 5:07 AM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> Cc: Joe Touch <touch@strayalpha.com>; Magnus Westerlund
> <magnus.westerlund@ericsson.com>; tsv-art@ietf.org; draft-ietf-tram-
> turnbis.all@ietf.org; ietf@ietf.org; Brandon Williams
> <brandon.williams@akamai.com>; tram@ietf.org
> Subject: Re: [Tsv-art] [tram] Tsvart last call review of draft-ietf-tram-turnbis-
> 25
> 
> Sorry to jump in and hijack the middle of a different thread, but...
> 
> On Wed, Jun 19, 2019 at 01:24:42PM +0000, Konda, Tirumaleswar Reddy
> wrote:
> > Hi Joe,
> >
> > I have added the following lines to address your comment:
> >
> >    TCP multi-path [RFC6824] is not supported by this version of TURN
> >    because TCP multi-path is not used by both SIP and WebRTC protocols
> >    [RFC7478] for media and non-media data.  If the TCP connection
> >    between the TURN client and server uses TCP-AO [RFC5925] or TLS, the
> >    client must secure application data (e.g. using SRTP) to provide
> >    confidentiality, message authentication and replay protection to
> >    protect the application data relayed from the server to the peer
> >    using UDP.  An attacker attempting to spoof in fake data is discussed
> > in
> 
> ... this kind of cross-layer security requirement ("if you were using TCP-layer
> protection, now you have to impose a requirement on the application
> protocol (stack) at a higher layer") has been quite problematic in the past
> when attempted for other protocols.  Consider this early warning that it will
> get a careful security area review during IESG evaluation, if not sooner.  Being
> very specific about which component of the system has what requirements
> under which conditions would be helpful, as a start.

Good point. I did not think from that angle; I will re-phrase the text as follows:

The TCP connection between the TURN client and server can use TCP-AO [RFC5925], but UDP does not provide a similar type of authentication until UDP supports an authentication option. Regardless of whether TCP-AO is used or not, in order to defend against various attacks against the application data (an attacker attempting to spoof in fake data is discussed in Section 20.1.4), the client must secure application data (e.g. using SRTP).

Cheers,
-Tiru

> 
> -Ben
> 
> >    Section 20.1.4.  Note that TCP-AO option obsoletes TCP MD5 option.
> >    Unlike UDP, TCP without the TCP Fast Open extension [RFC7413] does
> >    not support 0-RTT session resumption.  The TCP user timeout [RFC5482]
> >    equivalent for application data relayed by the TURN is the use of RTP
> >    control protocol (RTCP).  As a reminder, RTCP is a fundamental and
> >    integral part of RTP.
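To make the hop-by-hop versus end-to-end point in this thread concrete, here is an added simulation (not text or code from the draft or from anyone in the thread): a TURN client sends over a TCP-AO-protected TCP hop, the server verifies and strips the transport tag and relays over plain UDP, and the peer either checks an SRTP-like application-layer tag or checks nothing. The key names, the 10-byte truncated HMAC tags and the sample payloads are constructed assumptions for the model, not TCP-AO or SRTP wire formats.

```python
import hmac
import hashlib
from typing import Optional, Tuple

TAG_LEN = 10  # constructed: truncated tag length used for both simulated protections

# Constructed keys for the model; not real TCP-AO or SRTP key material.
TCP_AO_KEY = b"client<->turn-server tcp-ao key"   # shared by TURN client and TURN server only
SRTP_KEY = b"client<->peer srtp key"              # shared by the client and the remote peer

def tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 truncated to TAG_LEN bytes, standing in for a TCP-AO or SRTP auth tag."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]

def client_send(payload: bytes, use_srtp: bool) -> bytes:
    """Build what the client puts on the client-server TCP hop."""
    # Application layer: optionally authenticate the payload end to end (SRTP-like).
    app_data = payload + tag(SRTP_KEY, payload) if use_srtp else payload
    # Transport layer: the TCP hop adds a TCP-AO-like tag over the whole segment.
    return app_data + tag(TCP_AO_KEY, app_data)

def turn_server_relay(segment: bytes) -> bytes:
    """Verify the TCP-AO hop, strip the transport tag and forward the rest over plain UDP."""
    app_data, ao_tag = segment[:-TAG_LEN], segment[-TAG_LEN:]
    if not hmac.compare_digest(tag(TCP_AO_KEY, app_data), ao_tag):
        raise ValueError("TCP-AO check failed on the client-server hop")
    return app_data  # the UDP datagram to the peer carries no transport-layer authentication

def peer_receive(datagram: bytes, use_srtp: bool) -> Optional[bytes]:
    """Return the accepted payload, or None if the peer rejects the datagram."""
    if not use_srtp:
        return datagram  # nothing to verify: the peer accepts whatever arrives over UDP
    payload, srtp_tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    if hmac.compare_digest(tag(SRTP_KEY, payload), srtp_tag):
        return payload
    return None

# Constructed datagram that never crossed the TCP-AO-protected hop, i.e. fake data
# arriving on the server-peer UDP leg (the case Section 20.1.4 of the draft covers).
INJECTED = b"rtp:fake" + b"\x00" * TAG_LEN

def run(use_srtp: bool) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Return (what the peer accepts from the genuine relay, what it accepts from INJECTED)."""
    genuine = peer_receive(turn_server_relay(client_send(b"rtp:hello", use_srtp)), use_srtp)
    return genuine, peer_receive(INJECTED, use_srtp)

if __name__ == "__main__":
    print("TCP-AO only :", run(False))  # peer accepts both the genuine and the fake datagram
    print("TCP-AO+SRTP :", run(True))   # peer accepts the genuine payload, rejects the fake
```

With only TCP-AO the peer has no way to tell relayed data from the injected datagram; with the application-layer tag the genuine payload is still accepted and the injected one is dropped, which is the reason the revised text keeps the SRTP requirement independent of whether TCP-AO is in use.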