Re: [tram] First post
Oleg Moskalenko <mom040267@gmail.com> Mon, 18 November 2013 06:48 UTC
Return-Path: <mom040267@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9A6D11E857E; Sun, 17 Nov 2013 22:48:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[AWL=0.500, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id easf7LY-Y+4h; Sun, 17 Nov 2013 22:48:31 -0800 (PST)
Received: from mail-pb0-x231.google.com (mail-pb0-x231.google.com [IPv6:2607:f8b0:400e:c01::231]) by ietfa.amsl.com (Postfix) with ESMTP id 4ED3811E8575; Sun, 17 Nov 2013 22:48:31 -0800 (PST)
Received: by mail-pb0-f49.google.com with SMTP id jt11so1756683pbb.36 for <multiple recipients>; Sun, 17 Nov 2013 22:48:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=/5a2XX8OydSTp0y5EbnspA06CFSsFD94Z+/eF3Oq/ZY=; b=uSTxcn6AhQ8z1pVNi+YC1FfAGErUMVMzHAtsPWdS02/gtvgcY8tkx+OVDAd5DubB/N Ft4ydPxoBVnhntbWolyIQRfQhKraWG8M4AVwckeLOR0P45mqdWWOjIPCCyhUJa38Apga pT1yR1+verGGLEsEc2DOkui64ZCJT57uPRmEmwjPLL2VDTa9/iBm9+qrne7exW3yZoiL XFBxdZU+azV0SUG3Ak3QGpXdhm7oYJoS4UM/wGt0SgQtysioiijBTdHpcv3rWWcHSZhi leuybab4KybDPObO1LrsyZQ1XgurMJ6VCWPctjcT+/ra3YHiXNUoPOb++f7KJpKDld/1 V/EA==
MIME-Version: 1.0
X-Received: by 10.66.8.66 with SMTP id p2mr1340233paa.129.1384757310969; Sun, 17 Nov 2013 22:48:30 -0800 (PST)
Received: by 10.68.147.131 with HTTP; Sun, 17 Nov 2013 22:48:30 -0800 (PST)
In-Reply-To: <913383AAA69FF945B8F946018B75898A24265484@xmb-rcd-x10.cisco.com>
References: <CALDtMrK5X4euTOwwdGJNkOGEar1KdCXpZvOnR-MgJfnY1LzAKg@mail.gmail.com> <C17C5187-E20D-4AF5-97D2-B63ABCB2E298@cisco.com> <913383AAA69FF945B8F946018B75898A24264EF5@xmb-rcd-x10.cisco.com> <CALDtMrJW1-6vvkgREWdb-J3p3n2pM9UfULiaqGWMEQeq9Arikw@mail.gmail.com> <913383AAA69FF945B8F946018B75898A24265484@xmb-rcd-x10.cisco.com>
Date: Sun, 17 Nov 2013 22:48:30 -0800
Message-ID: <CALDtMrJqpef=i_OQJfLiTAmpMKG_M6ut9YEzhCXKVFTqvMJMtQ@mail.gmail.com>
From: Oleg Moskalenko <mom040267@gmail.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Content-Type: multipart/alternative; boundary="bcaec51f97b19edef604eb6defec"
Cc: Simon Perreault <simon.perreault@viagenie.ca>, "pcp@ietf.org" <pcp@ietf.org>, "tram@ietf.org" <tram@ietf.org>, Justin Uberti <juberti@google.com>
Subject: Re: [tram] First post
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Nov 2013 06:48:34 -0000
Dan and Tiru, while contemplating the MICE implementation, I stumbled upon a potential problem in the MICE draft. According to the section 5.2.2, the server compares the encoded NONCE with the stored NONCE for the "old" 5-tuple session. But the problem is, a NONCE may expire. Its possible to have an expiration time for the NONCE (an enhanced security feature). In a non-mobility TURN implementation, that creates no problem: the server simple sends 438 error (stale nonce) back to the client together with the new generated NONCE value, and the client just re-calculates and re-sends the request. With wording in the section 5.2.2, that becomes rather complicated in the mobility case. I am not sure that I understand the exact action sequence when the session NONCE expires with mobility feature. I think that the problem can be fixed if the draft would not include wording about the MOBILE-TICKET internal structure. In one place it is saying that the ticket is opaque and implementation-dependent; but in other places it suggests how the ticket must be constructed and how it must be encoded. I think that this is unnecessary. Let's just say that the ticket is opaque and its structure has meaning only for the server - and that the server uses it as a unique identifier. I see no reason why the server must encode any meaningful information in the ticket, like 5-tuple and NONCE. That's totally up to the server. The server, for example, may just keep a hashtable with all that information and the ticket may be just a random unique key in that table. As we are using message integrity authentication anyway, and the ticket is transferred openly over the Internet, the ticket does not create any new level of defense. This is, basically, just a session ID - to match the "old" session with the "new" session. A similar approach is used in RFC 6062. They are solving a similar logical task: they are matching a new client network endpoint with an existing TURN session. They also are using a ticket, but they do not encode any information in it - that is just an opaque unique string. For protection, they also are validating the MESSAGE INTEGRITY. And they have no problem with the NONCE expiration because there is no NONCE encoded in the ticket. Let me know please what do you think about that. Thanks Oleg On Sun, Nov 17, 2013 at 5:36 AM, Tirumaleswar Reddy (tireddy) < tireddy@cisco.com> wrote: > Hi Oleg, > > > > It has some similarities but is a lot different from PCP third party > authorization. For example for TURN the Authorization Server will be > providing session key, MAC algorithm etc which is not required with the PCP > third party authorization. There are various other differences like PCP > server would need to communicate with the Authorization Server to determine > the token bound authorization data (like the number of mappings permitted, > flow characteristics allowed etc) which may not be required with TURN > authorization. PCP-controlled Firewall will most likely be in the same > administrative domain as the endpoint but that may not be true with TURN. > > > > we are working on the the details and will have something concrete in > couple of weeks. > > > > Cheers, > > -Tiru. > > *From:* tram-bounces@ietf.org [mailto:tram-bounces@ietf.org] *On Behalf > Of *Oleg Moskalenko > *Sent:* Saturday, November 16, 2013 12:56 PM > *To:* Tirumaleswar Reddy (tireddy) > *Cc:* Simon Perreault; tram@ietf.org; Justin Uberti > > *Subject:* Re: [tram] First post > > > > Tiru, I suppose that will be similar to this draft: > > http://tools.ietf.org/html/draft-wing-pcp-third-party-authz-01 > > That would be a significant addition to the TURN server. > > Regards, > Oleg > > > > > > On Fri, Nov 15, 2013 at 7:20 PM, Tirumaleswar Reddy (tireddy) < > tireddy@cisco.com> wrote: > > Hi Oleg, > > I am co-author of the MICE, draft-reddy-behave-turn-auth drafts and we are > interested in TURN evolution. Justin and we are working on TURN Extension > for Third Party Authorization using OAuth which will address some of the > problems discussed in above draft. > > Cheers, > -Tiru. > > From: Oleg Moskalenko <mom040267@gmail.com> > Subject: Re: [tram] First post > Date: November 15, 2013 11:01:24 AM PST > To: Simon Perreault <simon.perreault@viagenie.ca> > Cc: <tram@ietf.org> > > > MMUSIC has an interesting draft on TURN mobility (MICE) that I am watching > and I am going to implement. I wonder whether the authors of the draft may > be interested in the TURN evolution. > > On Fri, Nov 15, 2013 at 10:55 AM, Simon Perreault < > simon.perreault@viagenie.ca> wrote: > All, > > Any objection against sending the following to rtcweb, pntaw, and behave? > Any other lists that should be included? > > Simon > > ==================== > > All, > > A few of us have been working on a proposal for a new working group that > would focus on enhancements to STUN and TURN. The proposed name is TRAM > (Turn Revised And Modernized) and discussion is happening in < > tram@ietf.org>. > Subscribe link: <https://www.ietf.org/mailman/listinfo/tram> > > Here is the charter we have been working on. If you would like to comment > and/or get involved, please do so on the TRAM mailing list. > > Simon (and many others!) > Turn Revised And Modernized (tram) > ---------------------------------- > > Traversal Using Relays around NAT (TURN) was published as RFC 5766 in April > 2010. Until recently the protocol had only a rather limited deployment. > This > is primarily because its primary use case is as one of the NAT traversal > methods of the Interactive Connectivity Establishment (ICE) framework (RFC > 5245). This inherent dependency on ICE combined with the fact that ICE > itself > was slow to achieve widespread adoption because other alternative > mechanisms > were historically used by the VoIP industry were the causes of the initial > lack of interest. This situation has changed drastically as ICE, and > consequently TURN, are mandatory to implement in WebRTC, which is a set of > technologies developed at the IETF and W3C aiming to enable Real Time > Communication on the Web. > > Because of the ubiquity of the Web and of the new opportunities created by > the > arrival of WebRTC, there is a renewed interest in TURN and ICE, as > evidenced by > the recent work updating the ICE framework, as well as standardizing the > URIs > used to access a STUN [RFC7064] or TURN [RFC7065] server. > > The goal of the TRAM Working Group is to consolidate the various > initiatives > to update TURN and STUN, including the definition of new transport and > authentication mechanisms that make STUN and TURN more suitable for the > WebRTC > environment. The Working Group will closely coordinate with the > appropriate > Working Groups, including RTCWEB, MMUSIC, and HTTPBIS. > > The current list of deliverable is: > > - DTLS transport for TURN > > Candidate draft: draft-petithuguenin-tram-turn-dtls > > TURN defines three transports: UDP, TCP, and TLS. A straightforward > extension > of this set is DTLS, enabling secure datagram-oriented transport. > > - New authentication mechanism for TURN > > Problem analysis: draft-reddy-behave-turn-auth > Candidate draft: draft-uberti-behave-turn-rest, OAuth has also been > suggested > > The current authentication mechanism for TURN, which is reused from > STUN, has > been designed with a SIP account database in mind. The new RTCWEB usages, > which are mostly based on web applications, do not fit that model. A new > authentication mechanism optimized for such web applications will be > created. > > - TURN server auto-discovery mechanism for enterprise and ISPs > > Candidate draft: TBD > > Current TURN server discovery is based on the presence of SRV and/or > NAPTR DNS > records. These records are usually under the administrative control of > the > application or service provider, not the enterprise or the ISP on whose > network the client is situated. Enterprises or ISPs wishing to provide > their > own TURN server, in an attempt to reduce so-called "triangle routing", > need a > new auto-discovery mechanism. > > - STUN-bis > > Candidate draft: TBD > > A new revision of RFC 5389 will contain: > > - Various bug fixes > - STUN hash algorithm agility (currently only SHA-1 is allowed) > > - TURN-bis > > Candidate draft: TBD > > A new revision of RFC 5766 will contain: > > - Various bug fixes > - Support for multi-tenant servers > (Servers always send the same REALM attribute. No realm negotiation > phase > currently exists.) > > Goals and Milestones: > > [TBD] > > -- > DTN made easy, lean, and smart --> http://postellation.viagenie.ca > NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca > STUN/TURN server --> http://numb.viagenie.ca > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram > > >
- [tram] First post Simon Perreault
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Gonzalo Salgueiro (gsalguei)
- Re: [tram] First post Paul Kyzivat
- Re: [tram] First post Justin Uberti
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Justin Uberti
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Dan Wing
- Re: [tram] First post Gonzalo Salgueiro (gsalguei)
- Re: [tram] First post Tirumaleswar Reddy (tireddy)
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Tirumaleswar Reddy (tireddy)
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Paul Kyzivat
- Re: [tram] First post Simon Perreault
- Re: [tram] First post Gonzalo Salgueiro (gsalguei)
- Re: [tram] First post Tirumaleswar Reddy (tireddy)
- Re: [tram] First post Oleg Moskalenko
- [tram] TURN/RTP via HTTP Proxy (was: First post) Hutton, Andrew
- Re: [tram] TURN/RTP via HTTP Proxy (was: First po… Gonzalo Salgueiro (gsalguei)
- Re: [tram] TURN/RTP via HTTP Proxy Paul Kyzivat
- Re: [tram] TURN/RTP via HTTP Proxy Gonzalo Salgueiro (gsalguei)
- Re: [tram] TURN/RTP via HTTP Proxy Paul Kyzivat
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Tirumaleswar Reddy (tireddy)