Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-return
Benjamin Schwartz <bemasc@webrtc.org> Wed, 08 April 2015 14:27 UTC
Return-Path: <bemasc@webrtc.org>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 837071B3125 for <tram@ietfa.amsl.com>; Wed, 8 Apr 2015 07:27:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S2XRD0V1QZVH for <tram@ietfa.amsl.com>; Wed, 8 Apr 2015 07:27:21 -0700 (PDT)
Received: from mail-qk0-f173.google.com (mail-qk0-f173.google.com [209.85.220.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C64AF1B3108 for <tram@ietf.org>; Wed, 8 Apr 2015 07:27:20 -0700 (PDT)
Received: by qkhg7 with SMTP id g7so86061821qkh.2 for <tram@ietf.org>; Wed, 08 Apr 2015 07:27:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=rwGu7jurCktDRiMRHzE6mrU0XCe5lUXM7IUZYOaMDCM=; b=OEmGjasRsR46cU9M1SwJ+C3Xv2HH6bSkqX7SrY/WfjiwFR4sogLxiOqXjOxo8y1nbc i4GvNyx5gosmSCh0q5q+07nG5mRyfbatHdXfp/Xntoe5CRCAfIUshdieHIXEC9iDkVVS QGEF3XgdUzsqbTT0ejsYYauFHrU63SaULzEKm98Ah4i/XlDwCGwDJ17q7oD89QddHqaz FK+8MQZExo+DLDzpFGrudJyib14fnRUfaY5VmQe+K633G1WRFmGEdKzdRH/dFfR4rNqE DVqgLeX4CbtXIJxp3Szg0KXu2Gas5os2iAXzSDIQnTL1nOEn6aDFpdyAj0KzJPdH0B7m 8lnA==
X-Gm-Message-State: ALoCoQmICELnGu3AUmGGRGyiQizqwdKfD9Z27lrKgkU4NkgNY/cJ/UA3hv4vCWhzkYflX5Os0hU4
X-Received: by 10.229.29.136 with SMTP id q8mr31355203qcc.2.1428503239998; Wed, 08 Apr 2015 07:27:19 -0700 (PDT)
Received: from mail-qg0-f49.google.com (mail-qg0-f49.google.com. [209.85.192.49]) by mx.google.com with ESMTPSA id q34sm7589444qkq.4.2015.04.08.07.27.18 for <tram@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Apr 2015 07:27:19 -0700 (PDT)
Received: by qgej70 with SMTP id j70so29663515qge.2 for <tram@ietf.org>; Wed, 08 Apr 2015 07:27:18 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.140.134.135 with SMTP id 129mr30696870qhg.7.1428503238634; Wed, 08 Apr 2015 07:27:18 -0700 (PDT)
Received: by 10.229.183.138 with HTTP; Wed, 8 Apr 2015 07:27:18 -0700 (PDT)
In-Reply-To: <913383AAA69FF945B8F946018B75898A411FE350@xmb-rcd-x10.cisco.com>
References: <6042868B-57EB-4C5A-B93E-C58D846E14E4@cisco.com> <55251A5B.5040909@jive.com> <913383AAA69FF945B8F946018B75898A411FE350@xmb-rcd-x10.cisco.com>
Date: Wed, 08 Apr 2015 10:27:18 -0400
Message-ID: <CAHbrMsD1T8U=ZBFXjtfCOwUSiSHLOyxwr=74f7u-DCpj0+iafA@mail.gmail.com>
From: Benjamin Schwartz <bemasc@webrtc.org>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Content-Type: multipart/alternative; boundary="001a1136f0c01992d805133754b7"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/CIHxiYb6FTJYaD7opSkDiHFnmKU>
Cc: Simon Perreault <sperreault@jive.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-return
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 14:27:23 -0000
If the TURN server's identity is discovered over mDNS, then how can the client authenticate the TURN server, except to prove that it's the same one advertised over mDNS? Assuming mDNS is trivial to forge on a broadcast network, this does not seem like sufficient protection. Maybe you are saying that the TURN server's "real identity" is configured by some other mechanism, and only its address is distributed by mDNS? I'm not familiar with the interaction between mDNS and DNSSEC, or how this would help to identify trusted servers. This seems like another case in which a trusted pre-configuration mechanism is still required. On Wed, Apr 8, 2015 at 8:40 AM, Tirumaleswar Reddy (tireddy) < tireddy@cisco.com> wrote: > > -----Original Message----- > > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Simon Perreault > > Sent: Wednesday, April 08, 2015 5:39 PM > > To: tram@ietf.org > > Subject: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-return > > > > TRAMsters, > > > > I'd like to see some discussion on how this impacts the server-discovery > > draft. This part in particular... > > > > "endpoints MUST NOT implement a configuration based on > > unauthenticated > > network multicast (e.g. mDNS)" > > > > ...seems at odds with what was decided in Dallas (i.e., define mDNS > > discovery). > > > > Thoughts? > > Yes. After TURN server is discovered using mDNS, client must authenticate > the TURN server to avoid some malicious host advertising that it offers > TURN service. Further mDNS http://tools.ietf.org/html/rfc6762#section-21 > also refers to using DNSSEC so that the client can ensure that the service > is provided by a trusted participant and not a rouge participant. > > -Tiru > > > > > I see having a coherent story for return and server-discovery as somewhat > > required... > > > > Simon > > > > -------- Message transféré -------- > > Sujet : Re: [rtcweb] draft-schwartz-rtcweb-return Date : Wed, 8 Apr 2015 > > 00:58:29 +0000 De : Cullen Jennings (fluffy) <fluffy@cisco.com> Pour : > > rtcweb@ietf.org <rtcweb@ietf.org> > > > > > > > On Mar 26, 2015, at 9:20 AM, Cullen Jennings <fluffy@cisco.com> wrote: > > > > > > I'd like to point out that the combination of > ietf-tram-turn-server-discovery > > and draft-schwartz-rtcweb-return allow any network you are connected to > > more or less MITM your media and do things like rate limit it, generate > > analytics on who you are talking to, force your traffic through an > > intermediary that is in a different legal jurisdiction and so on. > > > > We discussed this after the meeting and came up with a way to resolve > this > > concern. Benjamin has added some text to the -06 to that specifically > > addresses this issue > > > > > http://www.ietf.org/rfcdiff?url1=draft-schwartz-rtcweb-return-05&url2=draft- > > schwartz-rtcweb-return-06 > > > > This completely deals with the issue I raised and with that change I > support > > adopting this as a WG document. > > > > After adoption, I think the WG should consider if any text is needed > around > > the issue of TURN credentials. (If you run TURN with no credentials and > an > > attacker can spoof the IP address in UDP packets, you can end up with the > > TURN servers in a nasty forwarding loop that allows an huge amplification > > factor for an attacker trying do DOS the turn servers - this is still > possible > > with authentication but you know who to blame. When TURN was first done > > with was one of the reason TURN requires auth and STUN does not). > > However, I believe this issue can solved and should not block adopting > the > > draft. ) > > > > Cullen > > > > > > > > > > _______________________________________________ > > rtcweb mailing list > > rtcweb@ietf.org > > https://www.ietf.org/mailman/listinfo/rtcweb > > > > > > _______________________________________________ > > tram mailing list > > tram@ietf.org > > https://www.ietf.org/mailman/listinfo/tram > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram >
- [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-re… Simon Perreault
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Tirumaleswar Reddy (tireddy)
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Benjamin Schwartz
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Tirumaleswar Reddy (tireddy)
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Martin Thomson