Re: [tram] Oauth vs Origin [Was: Path Forward for STUN ORIGIN]
Oleg Moskalenko <mom040267@gmail.com> Wed, 02 September 2015 01:59 UTC
Return-Path: <mom040267@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B66F71B3A8D for <tram@ietfa.amsl.com>; Tue, 1 Sep 2015 18:59:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.75
X-Spam-Level:
X-Spam-Status: No, score=-0.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ggee6A7cRYxe for <tram@ietfa.amsl.com>; Tue, 1 Sep 2015 18:59:43 -0700 (PDT)
Received: from mail-ig0-x22e.google.com (mail-ig0-x22e.google.com [IPv6:2607:f8b0:4001:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 740BF1B3A97 for <tram@ietf.org>; Tue, 1 Sep 2015 18:59:43 -0700 (PDT)
Received: by igcpb10 with SMTP id pb10so15271320igc.1 for <tram@ietf.org>; Tue, 01 Sep 2015 18:59:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=jT9Q5BKBh9igmD0i/isyOqGgO5+BtrMtmNhoYLtt4qk=; b=oObjKRCqYZfAgwQn/dA5Z+FhDY6eihCFbOhyCi/8pEzDmoqIaDz1Iq5T8pb7l9IskR Xyu58e6zxP9TDpF9KJU3T8D67QjfFksz1UNVO1HFP1FeOJJ/APatRCeSsUp8w0tEkZmw vFo1wELJgeotcYUBO6Dbtf/Ia/FiUhf0gg8srsb1WGccBgi6K/TuKzilJ/Y8rJYYskqX PHtPKWiXEpQ2fC/hwc28tDDRJGj8xXE2VhExQmKjfgTMTKGw5qcjyOo1A3Nl4hoTRpPl 4YI+lNLOKW1T4OCSazaqX5C6Vd2EDHoq25y2ZigqWHiSdHVcZ0/O2F47HAJ/9OZKfO7q Tb9w==
MIME-Version: 1.0
X-Received: by 10.50.62.112 with SMTP id x16mr1031059igr.23.1441159182822; Tue, 01 Sep 2015 18:59:42 -0700 (PDT)
Received: by 10.50.171.68 with HTTP; Tue, 1 Sep 2015 18:59:42 -0700 (PDT)
In-Reply-To: <55E6200A.6000708@akamai.com>
References: <CAKhHsXGwB1vovKQYaGnoZ1MuzREbDA8cTp4sCePNc6=saKN5BA@mail.gmail.com> <CALe60zCuFR-refCESNBTYDSypB6QviwKC7=Swh2OnHuXRx5=TA@mail.gmail.com> <CAKhHsXFyK0VvyiVB+8XWuBhh2RpnLOa-DqnbjWiiuxxU8nF4TQ@mail.gmail.com> <CALe60zBsgTDUo0NRBDUVvjFTBw1Cf93i4fvN=NsYa4qJh0_6vA@mail.gmail.com> <55E6200A.6000708@akamai.com>
Date: Tue, 01 Sep 2015 18:59:42 -0700
Message-ID: <CALDtMrLju9tit7y3YZ12A75XgLC5dyKG+cGEceEDvqJHWOaTzg@mail.gmail.com>
From: Oleg Moskalenko <mom040267@gmail.com>
To: Brandon Williams <brandon.williams@akamai.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/3ijFVIzAbcOdzMWbPgVoCIIgrh4>
Cc: Justin Uberti <justin@uberti.name>, Alan Johnston <alan.b.johnston@gmail.com>, "tram@ietf.org" <tram@ietf.org>, "draft-ietf-tram-stun-origin@tools.ietf.org" <draft-ietf-tram-stun-origin@tools.ietf.org>
Subject: Re: [tram] Oauth vs Origin [Was: Path Forward for STUN ORIGIN]
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2015 01:59:45 -0000
The kid value must be unique across the server (the relay ?). Otherwise, it all does not make sense. Probably the RFC7635 writers even did not consider possibility that it may be not unique... and I understand why. Non-unique kids raise all sorts of weird questions. We can assign single unique REALM to each KID, and then we achieve "multi-homeness". Thanks Oleg On Tue, Sep 1, 2015 at 3:00 PM, Brandon Williams <brandon.williams@akamai.com> wrote: > I agree that using the RFC7635 mechanism can work for #2, and I prefer that > to ORIGIN for this purpose. That said, I think the mechanism is currently > underspecified, in that there is nothing explicitly defined in RFC7635 that > could be used to play the role of ORIGIN for auth purposes, so > interoperability could be an issue. > > > If the kid value delivered in the USERNAME attribute is unique to the relay, > then the kid value alone is enough to allow ORIGIN identification. This > rules out the method for key distribution describe in section 4.1.1 of the > RFC though, since that method has the auth server selecting the keys/kid, > not the relay server, and I don't know how the necessary uniqueness would be > guaranteed in that case. As long as the kid is unique to the relay, though, > the necessary keys can be retrieved. > > > If the kid is not guaranteed to be unique for the relay, then some method to > qualify the kid and provide uniqueness would be necessary. Either ORIGIN or > REALM could be used for this purpose, but whichever one it is would itself > have to be unique for the relay in order to ensure that qualifier+kid is > unique. > > > RFC7635 doesn't impose requirements on kid uniqueness, nor does it require > REALM, ORIGIN, or any other source of uniqueness to be present in the > message that contains the token. Provided that either kid or realm+kid is > unique to the relay, I agree that ORIGIN itself is not required for auth and > the information could be delivered via some other mechanism. > > > All of this assumes that the STUN server name sent to the client from the > relay as part of the initial unauthenticated exchange is a global value for > the service and does not need to be allowed to be ORIGIN specific. In other > words, any OAuth server that generates an access token for the 3rd party > relay service would receive the same server name from a specific STUN > server. > > > --Brandon > > > ------------------------------------------------------------------------ > *From:* Justin Uberti <justin@uberti.name> > *Sent:* Wednesday, August 26, 2015 7:08 PM > *To:* Alan Johnston > *Cc:* tram@ietf.org; draft-ietf-tram-stun-origin@tools.ietf.org > *Subject:* [tram] Oauth vs Origin [Was: Path Forward for STUN ORIGIN] > splitting thread > > On Wed, Aug 26, 2015 at 2:07 PM Alan Johnston <alan.b.johnston@gmail.com > <mailto:alan.b.johnston@gmail.com>> wrote: > > Justin, > > It is an important question for the WG on whether ORIGIN is a useful > solution to the use cases. Hopefully we'll get more feedback on this. > > Your comments seem mainly directed towards a solution for use case > #2 below (REALM selection for TURN authentication), right? I'm not > sure if use case #3 applies or not. I don't think OAuth helps with > #1 or #4 or #5. > > > I think OAuth can solve #1, #2, and #3. The app's interaction with the AS > can give the AS context, which can be encoded into the returned token. This > then allows the TURN server to have this context when receiving the token, > such that it can make informed decisions for #1/#2/#3. > > > I know we have discussed it before, but I also don't think that > everyone believes that OAuth means that ORIGIN is no longer needed. > There have been suggestions that a multi-tenanted TURN server using > OAuth might still use ORIGIN. > > > Since the origin can be determined by the AS, it's not clear why this would > also be needed at the TURN server. One might ask, why it is better to use > origin to the AS versus the TURN server? The upsides of origin over HTTP to > AS are that 1) it is encrypted and 2) it's easier to deal with the privacy > implications of origin in a single protocol rather than 2 protocols. > > > And using domain-specific USERNAME attributes sounds a bit like the > problem that Martin mentioned of simply working around the approach. > > Yes - that's what I was trying to say as well. > > - Alan - > > On Tue, Aug 25, 2015 at 3:50 PM, Justin Uberti <justin@uberti.name > <mailto:justin@uberti.name>> wrote: > > Overall, I think most/all of the goals that ORIGIN is trying to > accomplish would be better handled by STUN OAuth > > (https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/ > > <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dtram-2Dturn-2Dthird-2Dparty-2Dauthz_&d=BQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=YAVYqLAvlnjV5WFeb0DMhGTziYu4jLvpB3UTCbrR8T4&s=uYVEJtj6D0D8AALXY1GfSzY-RO-q9CHJJjr2mCjvWlk&e=>) > > > Generally, it's not clear that ORIGIN is a great solution for > any of the use cases listed. > 1) is easily accomplished via oauth, without any of the > restrictions present here > 2) can be dealt with using other means (e.g. oauth, or supplying > domain info in USERNAME) > 3) is fairly weak control, and can be done better through oauth, > or domained USERNAMEs > > Of course, as noted by others, use of domained USERNAMEs creates > a quasi-ORIGIN value within the USERNAME attribute, which makes > OAuth more attractive. > > On Tue, Aug 25, 2015 at 12:57 PM Alan Johnston > <alan.b.johnston@gmail.com <mailto:alan.b.johnston@gmail.com>> > wrote: > > All, > > Based on feedback during IETF-93 in Prague, the authors of > draft-ietf-stun-origin are looking for feedback on a > possible path forward to solve the privacy/meta data issues > and clear the DISCUSSes (see > > https://datatracker.ietf.org/doc/draft-ietf-tram-stun-origin/ballot/ > > <https://urldefense.proofpoint.com/v2/url?u=https-3A__datatracker.ietf.org_doc_draft-2Dietf-2Dtram-2Dstun-2Dorigin_ballot_&d=BQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=YAVYqLAvlnjV5WFeb0DMhGTziYu4jLvpB3UTCbrR8T4&s=lx5ApLOv-KiXbtLZppLxrkE5vHcqXhUqPSXlDcF-O28&e=>). > > There are two areas of feedback: Use Cases and Proposed > Solution. > > Use Cases > ======== > > First, we want to be sure that we are considering all the > use cases for STUN ORIGIN. In the draft, three are described: > > 1. Logging of usage of STUN/TURN server. An operator of a > STUN or TURN server would learn the Origin of the web, SIP, > and XMPP users. > > 2. REALM selection for multi-tenanted TURN server. This > avoids having to run multiple instances on different ports > or IP addresses when more than one REALM is in use. > > 3. Service determination after authentication. Bandwidth > or QoS policy can be applied, after authentication, based on > the Origin. > > Also, the following use cases have also been discussed but > are not in the draft > > 4. Authorization at border TURN server after > authentication. An enterprise border TURN server can apply > policy and allow usage for certain Origins (whitelist) or > block usage of others (blacklist). > > 5. draft-jennings-behave-rtcweb-firewall-01 discusses how a > firewall with STUN server could use ORIGIN in authorization > decisions. > > Are there any other use cases we should consider? > > Possible Solution > ============= > > The solution that was discussed in Prague that seems to be > the best tradeoff between privacy and functionality is to > only include ORIGIN information in a STUN or TURN request if > the domain of the Origin matches the domain of the STUN or > TURN server in the STUN or TURN URI. Since web and STUN and > TURN run on different ports, and often will resolve to > different IP addresses, a full host comparison is not > possible. This proposal is not perfect: it does not provide > perfect privacy for subdomains (e.g. sub1.example.com > > <https://urldefense.proofpoint.com/v2/url?u=http-3A__sub1.example.com&d=BQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=YAVYqLAvlnjV5WFeb0DMhGTziYu4jLvpB3UTCbrR8T4&s=rmZxvMmZrZEWtX42fGrg7dcvFr_RUv9ngo2yod2ZHPo&e=> > and sub2.example.com > > <https://urldefense.proofpoint.com/v2/url?u=http-3A__sub2.example.com&d=BQMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=YAVYqLAvlnjV5WFeb0DMhGTziYu4jLvpB3UTCbrR8T4&s=AyGtdO3Zale2SSP5BSnM64KJGpiFT9ICrzuSzeBVj7k&e=> > > will match with this rule, even if they are separate > entities. Of course, subdomain users could always register > a new domain and point DNS records to their sub hoster.) > > In comparing this solution against the use cases above: > > 1. Allows logging of your own users on your own TURN server > (or one that you setup DNS SRV records to point towards). > Other users of your STUN or TURN server will not be > identified by an Origin, but you will at least know if > others are using your server. > > 2. Works for REALM selection as long as you use your own > TURN server (or one that you setup DNS SRV records to point > towards). > > 3. Again, works for service determination as long as you use > your own TURN server (or one that you setup DNS SRV records > to point towards). Having service-specific TURN credentials > is another solution that doesn't rely on ORIGIN. > > 4. & 5. Does not seem provide a good solution for these use > cases. > > Does this analysis make sense? > > Feedback most welcome so we can move forward with this draft. > > - Alan - > > > > > -- > Brandon Williams; Chief Architect > Cloud Networking; Akamai Technologies Inc. > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram
- [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Tirumaleswar Reddy (tireddy)
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - analysis Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - how to … Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Justin Uberti
- [tram] Oauth vs Origin [Was: Path Forward for STU… Justin Uberti
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Oleg Moskalenko
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Tirumaleswar Reddy (tireddy)
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams