Re: [tram] Alissa Cooper's Discuss on draft-ietf-tram-stun-origin-05: (with DISCUSS)
Alissa Cooper <alissa@cooperw.in> Thu, 14 May 2015 13:48 UTC
Return-Path: <alissa@cooperw.in>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B42C41AD376 for <tram@ietfa.amsl.com>; Thu, 14 May 2015 06:48:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kLBRIh9Jt6Za for <tram@ietfa.amsl.com>; Thu, 14 May 2015 06:48:25 -0700 (PDT)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 340D21B2A34 for <tram@ietf.org>; Thu, 14 May 2015 06:48:11 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id 9FD1620969 for <tram@ietf.org>; Thu, 14 May 2015 09:48:10 -0400 (EDT)
Received: from frontend2 ([10.202.2.161]) by compute3.internal (MEProxy); Thu, 14 May 2015 09:48:10 -0400
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=acgIWJrZb8RDuc6Pn7Mp4VOTZy4=; b=lWwWFK XG2coEvE+tHoj9Txm+ceSqvICgdBwct4KQMj/NMQxcK8/5Dzb76BREsX4Pv+eoFI r9JEFKK5cQRpdFrunq907uaDEq3aXCmMo5Tr6iW7pLWdaGuU+rMD9TbbD2iwSMlV RKSwxrZboG+GSfrQ84McScBu1UufoBx+Vm10U=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=acgIWJrZb8RDuc6 Pn7Mp4VOTZy4=; b=L/kS4gq0pLSzEsGsBgrg1xeT2omnaIgaHy/gXuZ2ZikndG0 8i1iKFba7YRem1lnT5qLvXKVEhiAxHRPlH84BUz0exrwqEhigX5z6fczYwELieZb 3Hf+K0FT44C7i8WPv5wytrvkCZP9EQ4oD610+lnr3RTP9gluhqokp3L2Brx0=
X-Sasl-enc: KbpDSjpF7qLC2eXBN/IuUIf7X3anxY3I918rdlKdyOVz 1431611290
Received: from [192.168.1.193] (unknown [24.6.61.198]) by mail.messagingengine.com (Postfix) with ESMTPA id 32BED6801A4; Thu, 14 May 2015 09:48:10 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Alissa Cooper <alissa@cooperw.in>
X-Mailer: iPhone Mail (12F70)
In-Reply-To: <93BEDDC39A54294B9E78C7860516FA47673B781F@AZ-US1EXMB06.global.avaya.com>
Date: Thu, 14 May 2015 06:48:08 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <13E02B6B-0D89-4AD3-8B69-06426A26732E@cooperw.in>
References: <20150511233012.17046.42319.idtracker@ietfa.amsl.com> <93BEDDC39A54294B9E78C7860516FA47673B781F@AZ-US1EXMB06.global.avaya.com>
To: "Yoakum, John H (John)" <yoakum@avaya.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/3faxHqQZyYlNaBNYAk4MujADmUc>
Cc: "tram-chairs@ietf.org" <tram-chairs@ietf.org>, "tram@ietf.org" <tram@ietf.org>, "draft-ietf-tram-stun-origin.shepherd@ietf.org" <draft-ietf-tram-stun-origin.shepherd@ietf.org>, "draft-ietf-tram-stun-origin.ad@ietf.org" <draft-ietf-tram-stun-origin.ad@ietf.org>, "sperreault@jive.com" <sperreault@jive.com>, The IESG <iesg@ietf.org>, "draft-ietf-tram-stun-origin@ietf.org" <draft-ietf-tram-stun-origin@ietf.org>
Subject: Re: [tram] Alissa Cooper's Discuss on draft-ietf-tram-stun-origin-05: (with DISCUSS)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2015 13:48:26 -0000
If some of this context could be added to the draft, I think that would be much better than just saying "logging and analytics." Thanks, Alissa > On May 11, 2015, at 6:04 PM, Yoakum, John H (John) <yoakum@avaya.com> wrote: > > There seems to be some questions around why things like logging and administrative debugging are useful and possibly some of it is a matter of context. Inside enterprises it is very common to have a variety of logging capabilities across all parts of a system or solution as well as to perform debugging activities based on whatever combinations of insight are available whenever problems occur. > > With WebRTC is will be very common to find TURN servers run by enterprises to serve various enterprise-centric websites that desire real-time communications as part of the enterprise web experience for people from outside the enterprise who may be external parties or in many use cases may actually be enterprise employees. ORIGN tells a STUN or TURN server what realm is associated with the request. That piece of knowledge is already well known by the browser making the request (except in the privacy-sensitive situations accommodated in the draft, which will seldom be the case for employees of an enterprises) and is highly useful to enterprises who have web services and related communications enablement gear like STUN and TURN servers necessary to allow employees access from home, virtual offices, or while traveling (without the need for VPNs or other specialized network connections). Large enterprises often have multiple applications, multiple domains or subdomains, and multiple realms. This simple extension to STUN to conveys insight related to the web applications using communications ennoblements like STUN and TURN servers will find many uses inside enterprises. > > ORIGIN is not a substitute for more accurate authentication, it is a way to quickly determine the best authentication to attempt as well as to quickly filter out things where authentication attempts or other processing (even simple STUN requests) are a waste of resources as that realm will never be serviced anyway. > > In terms of troubleshooting, within an enterprise it is highly useful to look at insight from all the parts of a solution and identify inconsistences. As an example if it is discovered while debugging a communications failure that a browser inside an enterprise is lying about ORIGIN it may help in uncovering that the browser has been compromised by malware. Enterprises can never have too much insight in their logs for short periods of time as that is what they rely on to debug sophisticated systems. Just as importantly log data is often used to judge system usage to help justify investing in additional resources or spread costs to the applications or departments involved. > > Is any of this enterprise perspective helpful or just adding to the confusion? One of the great promises of WebRTC is to allow simpler systems without all the complicated telephony approaches from the past and capitalizing on simple web-centric concepts like ORIGIN is one great enabler. This draft even extends these more modern concepts to things like SIP to help simplify some of the more conventional technologies. > > > Cheers, > John > > AVAYA > 1.919.425.8446 > > > -----Original Message----- > From: Alissa Cooper [mailto:alissa@cooperw.in] > Sent: Monday, May 11, 2015 7:30 PM > To: The IESG > Cc: tram-chairs@ietf.org; draft-ietf-tram-stun-origin.shepherd@ietf.org; draft-ietf-tram-stun-origin.ad@ietf.org; sperreault@jive.com; draft-ietf-tram-stun-origin@ietf.org; tram@ietf.org > Subject: Alissa Cooper's Discuss on draft-ietf-tram-stun-origin-05: (with DISCUSS) > > Alissa Cooper has entered the following ballot position for > draft-ietf-tram-stun-origin-05: Discuss > > When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) > > > Please refer to https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_iesg_statement_discuss-2Dcriteria.html&d=AwICaQ&c=BFpWQw8bsuKpl1SgiZH64Q&r=O4OIzAW7EVPxOEhYXzj7Eg&m=UUw6tlPYwiPTqTiPb-8d0JzXAshUyyMqbEveZ1APHyg&s=7-Ky3gBkj-nh5lszKh8A2T5LKV9tUum5QpJKbNUFUeM&e= > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dtram-2Dstun-2Dorigin_&d=AwICaQ&c=BFpWQw8bsuKpl1SgiZH64Q&r=O4OIzAW7EVPxOEhYXzj7Eg&m=UUw6tlPYwiPTqTiPb-8d0JzXAshUyyMqbEveZ1APHyg&s=qyAN_jyGYafpPgJ3Hxg9bybo3UDOUHoCxUU2CZhcpmQ&e= > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > This is a bit of a weird DISCUSS since I didn't manage to ballot when the > document was first on the IESG's agenda, so I'm coming in mid-stream. > > I support Stephen's DISCUSS. If Alan's proposed changes make it into the > document, they would resolve most of my concerns. However, I still see a > problem with this proposed new text: > > "For STUN requests sent without authentication to a STUN server (i.e. > > STUN binding requests sent to a STUN server), the STUN client SHOULD > > include the ORIGIN attribute. The ORIGIN attribute MUST NOT be > included > > if it is a "privacy-sensitive" context, as discussed in the Security > Considerations > > section." > > For requests sent with authentication, I understand that the origin > attribute needs to be accurate in order for the client to authenticate. > In those cases, the STUN server can rely on the attribute it receives. > But for requests without authentication, what prevents the client from > lying? And if those requests are not (D)TLS-protected, what prevents them > from being modified in transit? I understand Alan to be saying that the > justification for the origin in this case is operational troubleshooting, > but if the server can't rely on the origin it receives, doesn't that make > it risky for the server to act on that information? > > My additional concern is about the use of "logging" as a justification > for including and origin attribute. Logging in and of itself is not a > reasonable justification. Alan's mail discussed the use of the origin for > operational troubleshooting, which seems like what might actually be > intended instead of "logging." In any event the purpose for the logging > either needs to be explained or "logging" should not be listed as a > justification. > > > >
- [tram] Alissa Cooper's Discuss on draft-ietf-tram… Alissa Cooper
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Oleg Moskalenko
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Alissa Cooper
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Yoakum, John H (John)
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Stephen Farrell
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Simon Perreault
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Simon Perreault
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Stephen Farrell
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Simon Perreault
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Stephen Farrell
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Simon Perreault
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Alissa Cooper
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Alissa Cooper's Discuss on draft-ietf-… Alan Johnston