[tram] AD Evaluation of draft-ietf-tram-turnbis-23

[Magnus Westerlund <magnus.westerlund@ericsson.com>]

Hi,

I have now finished the AD review. There are a lot of details that I
think needs fixing or at least feedback on. I also think there are a
couple of more serious issues here. Especially regarding the handling of
MTU and fragmentation, as well as IP header fields in address family
translation and with non UDP transport. We need to conclude on these
before we go to IETF last call.

My Review comments are:

A. Section 1: "The client can arrange
   for the server to relay packets to and from certain other hosts
   (called peers) and can control aspects of how the relaying is done."

I don't think this is an accurate description of what Turn does. One may
easily get the impression that the whole packet TURN receives are
relayed, rather than the transport protocol data part and some of the
header information are relayed between the client <-> peer, with a
knowledge of the peer transport address for the client. I think that
should be clarified in the introduction.

B. Section 2.7:

"Applications using TCP can more or less
   ignore this issue because fragmentation avoidance is now a standard
   part of TCP, but applications using UDP (and thus any application
   using this version of TURN) must handle fragmentation avoidance
   themselves."

Lower case "must", and as the document uses RFC 2119, this must have the
meaning of "MUST". A reformulation here is likely in order.

C. Section 2.7:

   In this approach, the application exploits the
   fact that the IP specification [RFC0791] specifies that IP packets up
   to 576 bytes should never need to be fragmented.

   As a guideline, sending a maximum of 500 bytes of application data in
   a single TURN message (by the client on the client-to-server leg) or
   a UDP datagram (by the peer on the peer-to-server leg) will generally
   avoid IP fragmentation.  To further reduce the chance of
   fragmentation, it is recommended that the client use ChannelData
   messages when transferring significant volumes of data, since the
   overhead of the ChannelData message is less than Send and Data
   indications.

In that first paragraph I think it is worth discussing the IPv6
requirement of supporting a 1280 minimal size.

Secondly, I think recommending only a 500 MTU is way to conservative.
Those studies I have seen appears to indicate that at least 1220 bytes
UDP payloads should be be working as well as 500 bytes. See for example
figure 12 in this:
https://static.googleusercontent.com/media/research.google.com/sv//pubs/archive/46403.pdf


D. Section 2.7:

   [I-D.ietf-tram-stun-pmtud] is an implementation of [RFC4821] that
   uses STUN to discover the path MTU, and so might be a suitable
   approach to be used in conjunction with a TURN server that supports
   the DONT-FRAGMENT attribute.  When the client includes the DONT-
   FRAGMENT attribute in a Send indication, this tells the server to set
   the DF bit in the resulting UDP datagram that it sends to the peer.
   Since some servers may be unable to set the DF bit, the client should
   also include this attribute in the Allocate request -- any server
   that does not support the DONT-FRAGMENT attribute will indicate this
   by rejecting the Allocate request.

I want to verify that the WG is working on resolving the issues with the
STUN PMTUD document. I definitely sees the point of the recommendation,
but only if the WG will conclude on that document in a reasonable time
frame.

E. Section 3:

   Server-Reflexive Transport Address:  A transport address on the
      "public side" of a NAT.  This address is allocated by the NAT to
      correspond to a specific host transport address.

Shouldn't "public side" be replace with "external side"? That is the
terminology used by the Behave RFCs.

F. Section 3:

   5-tuple:  The combination (client IP address and port, server IP
      address and port, and transport protocol (currently one of UDP,
      TCP, or (D)TLS)) used to communicate between the client and the
      server.

I see some issues that the 5-tuple aggregates the transport protocol
with the security protocol. I agree from the TURN protocol perspective
the protocol combination is the important one. However, writing like you
do here you obfuscate both that when security is in place you have a
combination, as well as that there are 4 alternatives defined by this
document.

G. Section 4.1:

   The "turn" and "turns" URI schemes are used to designate a TURN
   server (also known as a relay) on Internet hosts accessible using the
   TURN protocol.  The TURN protocol supports sending messages over UDP,
   TCP, TLS-over-TCP or DTLS-over-UDP.  The "turns" URI scheme MUST be
   used when TURN is run over TLS-over-TCP or in DTLS-over-UDP, and the
   "turn" scheme MUST be used otherwise.  The required <host> part of
   the "turn" URI denotes the TURN server host.  The <port> part, if
   present, denotes the port on which the TURN server is awaiting
   connection requests.  If it is absent, the default port is 3478 for
   both UDP and TCP.  The default port for TURN over TLS and TURN over
   DTLS is 5349.

First, I was wondering if this document needed to update RFC 7065? The
high level obvious is the reference, but otherwise on the surface it
doesn't look necessary. My main complaint when reading was that it was
not obvious what not specifying the transport parameter means. Then I
saw this in Section 3.1 of RFC 7065:

   The <host>, <port>, and <transport> components are passed without
   modification to the [RFC5928] algorithm.  <secure> is set to false if
   <scheme> is equal to "turn", and set to true if <scheme> is equal to
   "turns" and passed to the [RFC5928] algorithm with the other
   components.

After some digging I figured out that RFC5928 is actually updated by RFC
7350 that defines the resolution and SRV records for DTLS.

Can you please update the text in Section 4 to also reference RFC 7350
so that one doesn't miss this definitions.

H. Section 5:

   If the server requires requests to be
   authenticated, then the server's administrator MUST choose a realm
   value that will uniquely identify the username and password
   combination that the client must use, even if the client uses
   multiple servers under different administrations.

Just to verify, TURN does not allow a single server address to host
multiple realms do it? Each Realm needs its own unique server transport
address?

I. Section 5:

   For each Allocate request, the server SHOULD generate a
   new random nonce when the allocation is first attempted following the
   randomness recommendations in [RFC4086] and SHOULD expire the nonce
   at least once every hour during the lifetime of the allocation.

So, I think this text due to its use of RFC 2119 language is a bit
confusing in its relation to STUNbis. To me it is unclear if the above
overrides completely what is written in Section 5 of STUNbis:

   To indicate that it supports this specification, a server MUST
   prepend the NONCE attribute value with the character string composed
   of "obMatJos2" concatenated with the (4 character) Base64 [RFC4648]
   encoding of the 24 bit STUN Security Features as defined in
   Section 18.1.  The 24 bit Security Feature set is encoded as 3 bytes,
   with bit 0 as the most significant bit of the first byte and bit 23
   as the least significant bit of the third byte.  If no security
   features are used, then a byte array with all 24 bits set to zero
   MUST be encoded instead.  For the remainder of this document the term
   "nonce cookie" will refer to the complete 13 character string
   prepended to the NONCE attribute value.

Or is the randomness recommendations in TURNbis only for the NONCE
attribute value part?

Secondly, I interpret the text to say that compared to STUN, where a
Nonce can be long lived after the initial Long Term Credential
establishment, in TURN for each allocation one will have to to the
Allocate, expired nonce->here is your new nonce, resend allocate using
new nonce, success dance.

I think part of the problem with the above text in TURNbis is that the
sentences prior to the quoted one appear to be rehashing of the STUNbis
requirements. Then the quoted part that actually changes behavior
without being clear about it. I think it would be good to make it clear
what is a change compared to STUNbis.

J. Section 6:

   Note that, rather than storing the password explicitly, for
   security reasons, it may be desirable for the server to store the key
   value, which is a secure hash over the username, realm, and password
   (see [I-D.ietf-tram-stunbis]).

Why isn't this recommendation stronger. Are there any reasons why a
server would actually store the plain text password at all?

K. Section 7.1:

   The client first picks a host transport address.  It is RECOMMENDED
   that the client pick a currently unused transport address, typically
   by allowing the underlying OS to pick a currently unused port for a
   new socket.

I think talk about socket in this context should be skipped as it
otherwise have been eliminated.

L. Section 7.1:

  The client then picks a transport protocol to use between the client
   and the server.  The transport protocol MUST be one of UDP, TCP, TLS-
   over-TCP or DTLS-over-UDP.

I find it strange that this indicates that one should pick the transport
protocol to use client to server without considering the server
capabilities. Especially as the client configuration or server discovery
procedures will indicate transport protocol support.

Secondly, what is the motivation for the MUST in the second sentence?
This is appears to have strange interactions with any future extensions
and have no impact. A client must obvious chose a client to server
transport protocol it supports, and one that the server supports or the
client hope it will support.

M. Section 7.1:

   The client also picks a server transport address, which SHOULD be
   done as follows.  The client uses one or more procedures described in
   [RFC8155] to discover a TURN server and uses the TURN server
   resolution mechanism defined in [RFC5928] to get a list of server
   transport addresses that can be tried to create a TURN allocation.

1) So RFC 8155 states that it has no recommendation on server selection,
nor on how to related local configuration to any auto-discovery servers.
To me it appears that the protocol utilizing TURN should consider what
makes sense in their deployments. Thus, does the need for such
consideration needs to be highlighted somewhere in this specification.

2) The RFC5928 reference  should be complemented with an RFC 7350
reference.

N. Section 7.1:

 Clients MUST NOT include a REQUESTED-ADDRESS-
   FAMILY attribute in an Allocate request that contains a RESERVATION-
   TOKEN attribute, for the reasons outlined in [RFC6156].

Considering that this document obsoletes RFC 6156, I think it is bad
form to reference that document, rather than to move the necessary
motivation into this document.

O. Section 7.1:

   If the client wishes to obtain a relayed transport address of a
   specific address type then it includes a REQUESTED-ADDRESS-FAMILY
   attribute in the request.

I don't find anything describing what the default behavior is if one
doesn't include the attribute, but the TURN server supports multiple
address families.

I see that bullet 7 in Section 7.2 indicates that IPv4 is default.
Should the text in 7.1 be explicit about this default?

P. Section 7.2:

         Otherwise, if the attribute is included but
        specifies a protocol other that UDP, the server rejects the
        request with a 442 (Unsupported Transport Protocol) error.

Assuming that you don't support an extension for that transport
protocol. Should that be made explicit?

Q. Section 8.3:

   If the client receives a success response to its Refresh request with
   a non-zero lifetime, it updates its copy of the allocation data
   structure with the time-to-expiry value contained in the response.

   If the client receives a 437 (Allocation Mismatch) error response to
   a request to delete the allocation, then the allocation no longer
   exists and it should consider its request as having effectively
   succeeded.

So there are no considerations for the client if it receives an error
response to a refresh request when Lifetime was non-zero?

I am bit surprised by that. I assume that there are certain cases when
the request could be resent, and others where the meaning is that the
allocation is gone.

R. Section 11.5:

   When the server receives an ICMP packet, the server verifies that the
   type is either 3, 11 or 12 for an ICMPv4 [RFC0792] packet or either
   1, 2, or 3 for an ICMPv6 [RFC4443] packet.  It also verifies that the
   IP packet in the ICMP packet payload contains a UDP header.  If
   either of these conditions fail, then the ICMP packet is silently
   dropped.

Why is not ICMPv6 Type 4 (Parameter Problem) included when Parameter
Problem are for ICMPv4?

S. Section 12.5:

   Over TCP and TLS-over-TCP, the ChannelData message MUST be padded to
   a multiple of four bytes in order to ensure the alignment of
   subsequent messages.  The padding is not reflected in the length
   field of the ChannelData message, so the actual size of a ChannelData
   message (including padding) is (4 + Length) rounded up to the nearest
   multiple of 4.  Over UDP, the padding is not required but MAY be
   included.

Are there anywhere written what one may or may not include of the TURN
related messages in a single UDP datagram. Because it is technically
feasible I belive to include two Send Indications in one UDP datagram to
the server.

T. Section 13.1:

   Flow Label

      Preferred behavior: The relay sets the Flow label to 0.  The relay
      can choose to set the Flow label to a different value if it
      supports the IPv6 Flow Label field [RFC6437].

      Alternate behavior: The relay sets the Flow label to the default
      value for outgoing packets.

I think this section should be improved in two ways.

First of all I think it should clarify that each allocation to peer flow
is its own IPv6 Flow in perspective of the IPv6 Flow label.

Secondly, I think in the spirit of RFC 6473 the preferred behavior
should be to set the IPv6 flow label if the implementation is capable,
or leave it to the underlying network stack to actually set it. Compared
to RFC 7915, the TURN server actually have an understanding of what are
different flows without having examining additional protocol layers.

Thirdly, I don't understand what the alternative behavior actually is.
This as it is either setting it to 0, or classifying things as flow and
then provide it with a random flow label. I think the right alternative
behavior is to set it 0.

U. Section 13. 1,2,3:

      For both preferred and alternate behavior, the DONT-FRAGMENT
      attribute MUST be ignored by the server.

I don't understand why just because one performs v4<->v6 or v6 to v4
translation or v6 to v6 relaying now can ignore the DONT-FRAGEMENT
attribute. If the client has request to not fragment and the server is
unable to do that when forwarding to the peer it needs to generate an
ICMP attribute response saying the packet is to big. Otherwise the relay
breaks the Path MTU discovery mechanisms.

V. Section 13.2:

Fragmentation:

      If the incoming packet included a Fragment header and the outgoing
      packet size exceeds the outgoing link's MTU, the relay MUST
      fragment the outgoing packet into fragments of no more than 1280
      bytes.  The relay sets the fields of the Fragment header as
      appropriate for a packet originating from the server.

Is really the intention here to refragment the packet without providing
any indication that the practical MTU is smaller than what the peer or
client thinks it is?

W. Section 14:

      Preferred Behavior: Set the outgoing value to the incoming value,
      UNLESS the server is doing Active Queue Management, the incoming
      ECN field is ECT(1) (=0b01) or ECT(0) (=0b10), and the server
      wishes to indicate that congestion has been experienced, in which
      case set the outgoing value to CE (=0b11).

First of all do you have any special meaning with all capital UNLESS?

Secondly, I don't know how wise it is to have partial definitions of
what the ECN behavior is. Maybe simpler to say that that the relay is
performing AQM it can support the ECN marking behavior as defined in RFC
3168.

X. Section 14:

How are these IP level fields handled when the transport is TCP or
TLS/TCP? There there are not necessary a one to one mapping between
datagrams and TCP packets. And if there are no support then there are
need for clarification of behaviors when using TCP based transport.

Y. Section 16.4.  DATA

   The DATA attribute is present in all Send and Data indications.  The
   value portion of this attribute is variable length and consists of
   the application data (that is, the data that would immediately follow
   the UDP header if the data was been sent directly between the client
   and the peer).  If the length of this attribute is not a multiple of
   4, then padding must be added after this attribute.

Can you please clarify if one would get all the remaining bytes of the
IP packet payload or only the number of bytes the UDP length field
indiactes?

The reason I ask is that there is possibility that there are a
discrepancy between these fields, something the proposal for an
experimental specification for UDP options attempt to utilize.
https://datatracker.ietf.org/doc/draft-ietf-tsvwg-udp-options/

Note, I only want you to clarify what is actually included. I would
assume using the UDP length field makes sense in this case.

Z. The use of "relay" in the meaning of "Turn Server". There are many
occurrences of relay in this meaning. Either make it explicit to be a
synonym or change it to server.

AA. Section 16.7

rffu is lacking a definition. I would suggest making it upper case and
copy the definition from 16.8.

AB. Section 16.12:

Rsvd in Format figure does not match definition below which uses "Reserved".

AC. Section 16.12:

Reason Phrase (variable). This field is under defined. First of all the
format of the text string is not defined, which it is in Stunbis
Error-Code attribute is defined as.

   The reason phrase MUST be a UTF-8 [RFC3629] encoded
   sequence of less than 128 characters (which can be as long as 509
   bytes when encoding them or 763 bytes when decoding them).

Secondly, I think it might be worth pointing out the padding here. It is
not clear if there is any form of string termination and how the padding
which will be interpreted as NULL characters 0-3 depending on the
alignment. I note this later issue appears to be existing in STUNBis also.

AD. Section 16.2:

Why isn't the text here say that this attribute may also be used to
indicate the desired lifetime in allocation requests?

AE. Section 16.9: DONT-FRAGMENT

I think it would be good to indicate the use of the attribute in
Allocate Requests also.

AF. Section  24.2

[Protocol-Numbers]
              "IANA Protocol Numbers Registry", 2005,
              <http://www.iana.org/assignments/protocol-numbers>.

This is a normative reference based on how it is used in Section 16.8.

AG. Seciton 18.

   Sometime before the 20 minute lifetime is up, the client refreshes
   the allocation.  This is done using a Refresh request.  As before,
   the client includes the latest username, realm, and nonce values in
   the request.  The client also includes the SOFTWARE attribute,
   following the recommended practice of always including this attribute
   in Allocate and Refresh messages.  When the server receives the
   Refresh request, it notices that the nonce value has expired, and so
   replies with 438 (Stale Nonce) error given a new nonce value.  The
   client then reattempts the request, this time with the new nonce
   value.  This second attempt is accepted, and the server replies with
   a success response.  Note that the client did not include a LIFETIME
   attribute in the request, so the server refreshes the allocation for
   the default lifetime of 10 minutes (as can be seen by the LIFETIME
   attribute in the success response).

I notice that this part nor the text before appears to discuss the
permission lifetime that will expire after 5 minutes. Thus, it needs to
be refreshed prior to the Allocation.

AH. Section 18.

I am missing any example having to do with Address Family interactions.

AI. DTLS Cipher Suits

Am I understanding it correct that the definition of what DTLS cipher
suit that a TURN Server currently is to support is the ones in RFC 7525?

In that case, I think the wording is a bit weak as the only reference I
find are in Section 2.1:

If (D)TLS transport is
   used between the TURN client and the TURN server, the guidance given
   in [RFC7525] MUST be followed to avoid attacks on (D)TLS.


Cheers

Magnus Westerlund 

----------------------------------------------------------------------
Network Architecture & Protocols, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------