Re: [tram] FW: New Version Notification for draft-reddy-tram-turn-third-party-authz-00.txt

"Tirumaleswar Reddy (tireddy)" <> Tue, 18 February 2014 05:34 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id DCDFC1A042E for <>; Mon, 17 Feb 2014 21:34:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.048
X-Spam-Status: No, score=-10.048 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZGrvhvvYx2t6 for <>; Mon, 17 Feb 2014 21:34:25 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 590D51A02EE for <>; Mon, 17 Feb 2014 21:34:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=28007; q=dns/txt; s=iport; t=1392701661; x=1393911261; h=from:to:cc:subject:date:message-id:mime-version; bh=mpw0zafMKWkJFdrwVTumheVtZNUFZ2xV1zAk34ArOJY=; b=EVwQ8LqvGBrxORGo3JT2fn+1YxuYXYY5dT2/9CJaVXcN4154efNqadDG jczHVKuwX5GXLY6X14df+rFEJ9HGUoPyAzets0lwimUtqsPfe3w0vSmjG Vn8Qv9MEaCx/Ny1PgBMpAOCJUE089TYtBJG1NHkPdDvSU676GI9JiBpxD k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos; i="4.97,500,1389744000"; d="scan'208,217"; a="21178734"
Received: from ([]) by with ESMTP; 18 Feb 2014 05:34:20 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id s1I5YK1h006296 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 18 Feb 2014 05:34:20 GMT
Received: from ([]) by ([]) with mapi id 14.03.0123.003; Mon, 17 Feb 2014 23:34:19 -0600
From: "Tirumaleswar Reddy (tireddy)" <>
To: Oleg Moskalenko <>
Thread-Topic: [tram] FW: New Version Notification for draft-reddy-tram-turn-third-party-authz-00.txt
Thread-Index: Ac8sau5mQl6VH9TvQn+mrFuN/xrk0A==
Date: Tue, 18 Feb 2014 05:34:18 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A242C01CBxmbrcdx10ciscoc_"
MIME-Version: 1.0
Cc: "" <>
Subject: Re: [tram] FW: New Version Notification for draft-reddy-tram-turn-third-party-authz-00.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 18 Feb 2014 05:34:31 -0000

Hi Oleg,

Please see inline [TR1]

From: Oleg Moskalenko []
Sent: Monday, February 17, 2014 11:59 PM
To: Tirumaleswar Reddy (tireddy)
Subject: Re: [tram] FW: New Version Notification for draft-reddy-tram-turn-third-party-authz-00.txt

Hi Tiru
please see below as [Oleg]:

On Mon, Feb 17, 2014 at 3:10 AM, Tirumaleswar Reddy (tireddy) <<>> wrote:
Hi Oleg,

Thanks for the review. Please see inline [TR]

From: Oleg Moskalenko [<>]
Sent: Sunday, February 16, 2014 10:31 AM
To: Tirumaleswar Reddy (tireddy)
Subject: Re: [tram] FW: New Version Notification for draft-reddy-tram-turn-third-party-authz-00.txt

Hi Tiru
I have some comments:
1) Section 4. Obtaining a Token Using OAuth, figure 4

I believe that the sequence of messages is incorrect. The TURN server most probably will contact the Authorization server AFTER it gets the Allocate request. But on the figure 4, it looks like it somehow can predict the incoming request. The correct sequence must be, in the general case:
   Access Token Request (1) from client to Auth server
   Access Token + Session Key (2) from Auth server to client
   Allocate request from client to TURN server (3)
   Get Token from TURN Server to Auth server (4)
   Token metadata from Auth Server to TURN server (5)
   Allocate response from TURN server to the client (6)
[TR] Good catch, fixed it. It got messed when we were changing from self-contained to handle token.

The sequence shown on the figure 4 is possible only is the Auth Server and TURN server are somehow closely integrated and that is unnecessary.
[TR] Yes, the AS and TURN server have to be integrated. There may be ways to standardize this, but this is not in the scope of this doc right away.

[Oleg]: I am afraid that if we require that AS and TURN to be provided by the same company, it may affect the adoption of this approach.

[TR1] Agreed, it may be true in few cases that the same company provides AS and TURN.

2) The document is saying that the client when communicating to the Auth Server uses HTTP requests with JSON (REST API ?). May be it would be helpful if the communication protocol between TURN server and Auth server would be mentioned, too.
[TR] Drafts in OAuth WG like discuss the communication mechanism b/w Resource Server and Authorization server.  You may also want to look into which discusses such communication mechanism already implemented but for a different purpose. I guess it all worked because Resource server and Authorization server are developed by the same company but with this use case we may have to discuss if standardization is required for the communication mechanism.

[Oleg]: As I said, if the AS and TURN in practice will have to be provided by the same company, then that may be a problem - it will affect the standard adoption by the WebRTC community. I'll have to explore the current situation with the open-source OAuth servers - whether they provide a viable "introspection" protocol. I hope some protocol recommendations can be provided for third-party AS communications.

[TR1] Agreed.

3) Section 7.2:

   OAuth does not impose any limitation on the length of the access token but since
   STUN messages cannot exceed 548 bytes (Section 7.1 of [RFC5389]),
   access token length needs to be restricted to fit within the maximum
   STUN message size.

I am not sure that the STUN (Binding ?) max message size is relevant here and worth mentioning at all - because this doc is about TURN, and the TURN messages are often much larger than 548 bytes (especially when carrying the video traffic). So I see no relevance of the 548 limit to the new authentication standard. And that limitation of 548 bytes is applicable only to the cases when we suspect that the path MTU is really really low and that is an extremely rare case.
[TR] Good point. But RFC 5766 recommends to restrict the size (Section 2.7 Avoiding Fragmentation)


   As a guideline, sending a maximum of 500 bytes of application data in
   a single TURN message (by the client on the client-to-server leg) or
   a UDP datagram (by the peer on the peer-to-server leg) will generally
   avoid IP fragmentation.


[Oleg]: We recently had a discussion about that in WebRTC forum, with Justin. He is saying that the WebRTC client tools (Chrome) assume the minimum practical MTU as 1280 and that limit is used for media traffic. And he is right that this MTU is a real modern practical limit.

[TR1] And depending on the initial number of allocations (let's say X) it would consume that much additional bandwidth (X*Length of the token)

4) Are we sure that we want to limit the OAuth applicability only to the long-term credentials mechanism ? I see no technical or philosophical reasons why not to use it for short-term credentials mechanism, too. It would be a more "symmetric" approach.
[TR] what is the use case for short-term credential mechanism with TURN ?

[Oleg]: Currently WebRTC uses only the long-term credentials mechanism but still there is a TURN standard for the short-term mechanism. While I cannot provide any concrete example, I suppose there are some. And I believe that OAuth is orthogonal to the TURN auth mechanism used - they can be combined either way. So I see that coupling OAuth with the long-term mechanism is rather artificial.

[TR1] May be I am missing something
Are you referring to short-term mechanism defined in STUN ? (I don't see any discussion in about this short-term mechanism)
The token given to the client has a lifetime and after the call is terminated the WebRTC server can revoke the token. This way the resources on the TURN server are no longer used by the client for some other purpose when not using WebRTC server.
This way it's short-term usage of the token only.

5) I'd put more definite wording how TURN server handles the token lifetime. What happens in the middle of the TURN session, is the auth token expires while the session is still active ? There may be two possible cases:
   - the token lifetime is applicable only to the session initiation procedure. When the TURN session has been already established, it can go indefinitely while the client is refreshing the session properly.
   - in second case when the token expires, the server rejects new requests from the client (in the same TURN session) until the client sends the new token data in re-authentication exchange.

I'd suggest the first case as an eisier case for the implementation.
[TR] The client MUST obtain a new token after the previously used one expires. As you point out an already established TURN session can continue, the new token is applicable for new requests.

[Oleg]: Tiru, I'd still like to hear a more definite language: what about "new requests" within the existing session ? They are allowed to use the old token - right ? When you are saying "new requests" you mean "new session allocation requests", right ?

These are my initial thoughts (we probably need more discussion on this topic):
[a] New token is definitely applicable for "new session allocation requests".  If the client uses the token after its lifetime then the TURN server MUST return error that the token is invalid which is in line with the steps defined in
[b] For "new request" within the existing session why not use the new token ? This way the client has to maintain only one token.  We can clarify in the draft that Refresh request can carry the new access token.
[c The actual lifetime provided by the server in the Allocate/refresh response should be less than or equal to the lifetime of the token.