[tram] Path Forward for STUN ORIGIN
Alan Johnston <alan.b.johnston@gmail.com> Tue, 25 August 2015 19:57 UTC
Return-Path: <alan.b.johnston@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3B051A010E for <tram@ietfa.amsl.com>; Tue, 25 Aug 2015 12:57:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B9lUNor0Szlt for <tram@ietfa.amsl.com>; Tue, 25 Aug 2015 12:57:41 -0700 (PDT)
Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 516E51A87D9 for <tram@ietf.org>; Tue, 25 Aug 2015 12:57:41 -0700 (PDT)
Received: by iodv127 with SMTP id v127so200383979iod.3 for <tram@ietf.org>; Tue, 25 Aug 2015 12:57:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=zMSpGtbFyW3pl+Khl0uhW+i8zzEwiK89qC8RNEoFhm0=; b=VszVz3Dkn5vjLBKsU73YZep8idqzZMFNH43u9psXQ2HEqNt62YoGK73cyguewav8IK GExbJuqACDPtk0q3UCI9lLGHmfm9CHAXMpuuIzxyVYTIYQOp8jtxAJiXp8TE8L4QheVi JSXKyq0nZcz+4LH7DykgeS1XutqkLBnjmMkZeZ8JFJ6xo3s8OCkZfBc7NPPqBQn5lFJG HJglAKMZkFAEwS4ooeAg0CWsonFPJC3UJR9RhlTkO12qzNOFvRHNbQgO4PrPMiSm7djh 7JpBGhhf97B4o2WKqL80i+q4CcI5gql3CL8hX+BoKrCwDDKuC+uCRnLDdgsxDO2KF62Y vL7w==
MIME-Version: 1.0
X-Received: by 10.107.11.29 with SMTP id v29mr27083797ioi.186.1440532660611; Tue, 25 Aug 2015 12:57:40 -0700 (PDT)
Received: by 10.79.32.86 with HTTP; Tue, 25 Aug 2015 12:57:40 -0700 (PDT)
Date: Tue, 25 Aug 2015 14:57:40 -0500
Message-ID: <CAKhHsXGwB1vovKQYaGnoZ1MuzREbDA8cTp4sCePNc6=saKN5BA@mail.gmail.com>
From: Alan Johnston <alan.b.johnston@gmail.com>
To: "tram@ietf.org" <tram@ietf.org>
Content-Type: multipart/alternative; boundary="001a113e059685f3ff051e28258b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/ECDPM3wPITn1NBQSSRhhdAJmOFE>
Cc: "draft-ietf-tram-stun-origin@tools.ietf.org" <draft-ietf-tram-stun-origin@tools.ietf.org>
Subject: [tram] Path Forward for STUN ORIGIN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2015 19:57:43 -0000
All, Based on feedback during IETF-93 in Prague, the authors of draft-ietf-stun-origin are looking for feedback on a possible path forward to solve the privacy/meta data issues and clear the DISCUSSes (see https://datatracker.ietf.org/doc/draft-ietf-tram-stun-origin/ballot/). There are two areas of feedback: Use Cases and Proposed Solution. Use Cases ======== First, we want to be sure that we are considering all the use cases for STUN ORIGIN. In the draft, three are described: 1. Logging of usage of STUN/TURN server. An operator of a STUN or TURN server would learn the Origin of the web, SIP, and XMPP users. 2. REALM selection for multi-tenanted TURN server. This avoids having to run multiple instances on different ports or IP addresses when more than one REALM is in use. 3. Service determination after authentication. Bandwidth or QoS policy can be applied, after authentication, based on the Origin. Also, the following use cases have also been discussed but are not in the draft 4. Authorization at border TURN server after authentication. An enterprise border TURN server can apply policy and allow usage for certain Origins (whitelist) or block usage of others (blacklist). 5. draft-jennings-behave-rtcweb-firewall-01 discusses how a firewall with STUN server could use ORIGIN in authorization decisions. Are there any other use cases we should consider? Possible Solution ============= The solution that was discussed in Prague that seems to be the best tradeoff between privacy and functionality is to only include ORIGIN information in a STUN or TURN request if the domain of the Origin matches the domain of the STUN or TURN server in the STUN or TURN URI. Since web and STUN and TURN run on different ports, and often will resolve to different IP addresses, a full host comparison is not possible. This proposal is not perfect: it does not provide perfect privacy for subdomains (e.g. sub1.example.com and sub2.example.com will match with this rule, even if they are separate entities. Of course, subdomain users could always register a new domain and point DNS records to their sub hoster.) In comparing this solution against the use cases above: 1. Allows logging of your own users on your own TURN server (or one that you setup DNS SRV records to point towards). Other users of your STUN or TURN server will not be identified by an Origin, but you will at least know if others are using your server. 2. Works for REALM selection as long as you use your own TURN server (or one that you setup DNS SRV records to point towards). 3. Again, works for service determination as long as you use your own TURN server (or one that you setup DNS SRV records to point towards). Having service-specific TURN credentials is another solution that doesn't rely on ORIGIN. 4. & 5. Does not seem provide a good solution for these use cases. Does this analysis make sense? Feedback most welcome so we can move forward with this draft. - Alan -
- [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Tirumaleswar Reddy (tireddy)
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - analysis Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - how to … Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Justin Uberti
- [tram] Oauth vs Origin [Was: Path Forward for STU… Justin Uberti
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Oleg Moskalenko
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Tirumaleswar Reddy (tireddy)
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams