IETF Logo Mail Archive

Re: [tram] Adam Roach's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)

Marc Petit-Huguenin <marc@petit-huguenin.org> Sat, 08 September 2018 21:59 UTC

Return-Path: <marc@petit-huguenin.org>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80993130DF7; Sat, 8 Sep 2018 14:59:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.107
X-Spam-Level:
X-Spam-Status: No, score=-1.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RDNS_NONE=0.793, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WA77QkMJMKCw; Sat, 8 Sep 2018 14:59:46 -0700 (PDT)
Received: from implementers.org (unknown [92.243.22.217]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EB55130DDD; Sat, 8 Sep 2018 14:59:46 -0700 (PDT)
Received: from [IPv6:2601:648:8400:8e7d:4551:936:601e:ba39] (unknown [IPv6:2601:648:8400:8e7d:4551:936:601e:ba39]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "Marc Petit-Huguenin", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 4DDCDAE004; Sat, 8 Sep 2018 23:59:43 +0200 (CEST)
From: Marc Petit-Huguenin <marc@petit-huguenin.org>
To: Adam Roach <adam@nostrum.com>, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, The IESG <iesg@ietf.org>
Cc: tram-chairs@ietf.org, Tolga Asveren <tasveren@rbbn.com>, draft-ietf-tram-stunbis@ietf.org, tram@ietf.org
References: <152403138853.31946.14807823535362928987.idtracker@ietfa.amsl.com> <27cb2f70-d907-b61f-bb5a-6b19053238fe@petit-huguenin.org> <1e8cd5de-06de-6745-fc4d-d15fcdd0b4d9@petit-huguenin.org> <df27ff82-bb5a-8c83-f119-a6f4e9f65a53@nostrum.com> <a5da7dc3-472c-8dcf-27e0-7e334d6590f6@ericsson.com> <5ff10fb0-301e-5d97-01b0-f15296bae0d3@nostrum.com>
Openpgp: preference=signencrypt
Autocrypt: addr=marc@petit-huguenin.org; prefer-encrypt=mutual; keydata= mQINBE6Mh9wBEADrUEDZChteJbQtsHwZITZExr7TAqT7pniNwhBX3nFgd+FrV3lsLKJ1rym2 52MAYpubXEJZGzMp6uCCAnROWbtmQbOm8z/jHnjxHhPqfuYCYPpAQqu8K/Sc194Rp37krMwB jz32yr7+gvWLzRgQGKIh9d2mzy8QLMETVWWQWGb6fEfpOxXo0wumN1rc/275kZwOu44JIPGg zbgwZdnEqYOUUa18K9MXeRDoWbwDISP30CvKuZDwD14lbBE3o7tBQrU9uoMhE7eFlTjbsCox qoubI2tZSuOTF8mRXjPmNrRGtf9mYkQnOB7y6qy/QxmOVMq4IRtHzOYIm/EZ6NTodcpZQHOM 2v6B6YK9uKrYrapSpJzn4f9oU7alT31Y3o2hOlxAWDQ16+Dd1MOPYsKQXOwY1/ihm4PTjiJ8 ud8yPzy7c+BSVs5wkBU6QuLNIgZHrrxdn+KxM+F/oAVtfzO7XzVoeOcXyWi3/CHL5pgoBruY enIF/RrRuplpy09pvZjmFPNfqKBYJGnqpQuqsQwO7LsFqDqfY2EuHg+KsGN1XuN+jxXc48/1 gCnKw7ALSPWEb7g25wD6KfiZTAcyRTG8LePNFQKhw61LbIWmkw9EaVLyXvwPTc1iCSc0dDT/ pcT/z+8xrWOyWGZNZAjR584NlDpKollbItcxYtFcYZkvTCmOVwARAQABtCZNYXJjIFBldGl0 LUh1Z3VlbmluIDxwZXRpdGh1Z0BhY20ub3JnPokCOAQTAQgAIgIbIwYLCQgHAwIGFQgCCQoL BBYCAwECHgECF4AFAlfy11wACgkQKcRFldZqfsRWqBAAu/61DGo+j38UefTKnEse0mftPBXa S4lre7vknn33MI0L5QXmiM8zRs9FOKSuXPx0EV+JhI4pWZGW/2MJPuyifXHvnIChcdGInN8J GBdTLZSOgdDFZL9msO+QUsvMA8ZUsqlKOEcVL1NyoLupblCWNq4fYhBCx1zDwX9LZSuGn8lZ Mk8a4QFGoR6dWKaOxeCwnoquW5IK1CfRIhYjHfQMjA5gY0H46F0iCqBaFF/S7krQwIJd0XN4 YbSL4KOrWuxtgQ+iH/iaxxBXgJ1blBNRzXaWJBF4PHv23nSnEzWO17j+uVMaHJu7ycYEf8T9 pVc0xcok1BM2rCrNE5FUFAzsUtAtBZEEK6sSIeOhRG93uD/Hv1hrWzEwf+Z7B1tVQLCQQ4kL 7wyS7SXI/JTuW2xTEGCmwMeWYGERdkgsatmx4zi5nVHDjt3/mlPMj4L+u05SkI2iV4W6xxU1 jHlBIJDs7AVM0dsxzTyIPf2Sz843WyHuBgkoCskxGfOwlkZzDX9rwcWRKal1wjy1w/25LsBY U50INandw3UbrS2I73VX8ARI8uOWZrW7uzRLf8EmuPhtSQ35ThmdoNSgGMP9EXwNgzi/i+5G hbX5KbrSLG9SITFJEcJA4tnwu3nqmBh7D7vbd5ln5X7rmqPdyjidt0zcSjvuaBA+nkmakA4A O+choWy5Ag0EToyH3AEQAL+LguHhcSDCL/IevdcvH/5/fzO2fmuuTxdGwrZZSm7l6/HD2Ira h6Wpa1LvVeRbnsRq8k6O8/i3wVapEoQPmNY3vjWfXaJb8R4vHcqgcxw9N9jhZa+mvGJk9+cI ilDyPzHRBBID4d/3oFKQCQ4Y2SIkO66znPhfBOS2f2AU7AtXHhVEyj6WsLK6boEMcj7j+w5a es2nZam0jhgoz+4DQem4uk8outrRlboGnZN7A2kCNuy39UeOp7BpvQ95IKcJCIeSoiJt2A4B NPQroqhW0zGn9Y9FJ9UiZ9YIeNPYbscUxxvrD+OU9Jv67hW0v3KfvoIKDwVKpO3MW6o+1teS Gt1KCSz+CvGJCvIxfCk7S5K5SBne7ZNKz7rkGXYIzlyr7ZoEgRHmqGmcK/sHTS4e6g2pQQrR USkspyqLZl5Uzmg7yI5oGBL0aHTzYdDkkOKMRXYnl7ivBeNtGcniGqlONLJxpbwec8j7hLRq pXFuepbtPqX/GefuK8rdo+ppEqpRJ50cJTegchTfWfSjn5/mG1B4Oz9OnOcBEeTLO729n0K9 BeTx1pmisD6P/fyrqZZTozDwVEi7Wo9AOaqWOhuTe8L0FlFIk6fc/yM0wzvDWP7sNrevEYHK V9rd+Yc/Jjt293J4uayrt6DNMmSkAw3nlBq3uK5d54J0FAsAUcsE/W2/ABEBAAGJAh8EGAEI AAkCGwwFAlfy11wACgkQKcRFldZqfsSQyA/+Kx3eWtKyb/y35TjgtjT/Hrtw+aIpr1uK97LA ln1j5m7+lQ/jh0/rvSZjs+YQMYLqVGI8oaaF/u+qrokkU6pfrhVZ49D1BmmSTMBSYgnBDYqZ yZ+uzQnnDYt/mpo2OLbl9BhuifR5QXLp43cE1FIhyDT46wfse5tNZ+ll4m4HtXuTw4W3b4cP Hto10260Mki7hXbkDMZ+icBFDMkrrZyYHSnBhelzIM7XnY7A/XZdulfFcDXEcZhAFEv3ylJs xTnGwzDyP1VAdBFL3hpP1CqfP1Kti4hKcxXZYbIgTSsBjcYbPchw3ktUTU29I/nWKH5gmD+q wFizyhtt8Qhl6U67OdZ/XbRGBXs/7tlYJIGiGZyG7IQtDOX0PsVd+6WRcDdFqkpBwYkxU8gd iCeW+YTQ5d8mXXPT2dhFAeK2hCFa2+IdaXvH8ovjZpTMeKstHrWJUDaSqQ4GFT676DbDyqtm P6Ul9cjGVtXIs64FWqR9wrbwBH1GuIHhDmG9sN5AkyB9mxXaEG3uG4E6qQeedtIKC6p+ebAs aTGgztFWMJDC8LUznu7B0oyWxNVoE/RGt5mesOeAtqYr6Jtdh7unyk8BYP1y4e+SSMwvtwh+ 69tJwNhGYbOJrdX34tXNAKb6r/rFRjVJm+sPPs5ok7LddvV35o+Fho0LRNDsioDV3HytlhA=
Message-ID: <b845eb08-7974-ec9d-0a98-e04d6071b2e1@petit-huguenin.org>
Date: Sat, 08 Sep 2018 14:59:41 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <5ff10fb0-301e-5d97-01b0-f15296bae0d3@nostrum.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="PdA8lxrKCRo3wMULcZwolywjI8djQhVZZ"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/FLfcOnWFOD8fuBIHyi8qq5JtaeE>
Subject: Re: [tram] Adam Roach's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Sep 2018 21:59:49 -0000

Hi Adam,

Apologies for the delay in working on that.

For the first issue, the fix is in my copy of the draft.

As for the second issue, Section 8.1 says:

'A "stuns" URI
 containing an IP address MUST be rejected, unless the domain name is
 provided by the same mechanism that provided the STUN URI, and that
 domain name can be passed to the verification code.'

That text was never about IP addresses in certificates, but about the way a STUN (or TURN really, but that draft does not care about TURN) server IP address is passed to a WebRTC browser.  RFC 7064 permits to store an IP address directly inside a stun URI, and RFC 7350 extended that to stuns URI, and in fact the text above is directly copied from RFC 7350.

The idea is that a stun URI can be provisioned by a JavaScript program downloaded by a WebRTC browser as part of the initialization of a WebRTC application.  A security assumption is that using a stuns URI that contains an API address is safe if the Javascript program was downloaded using https, that the hostname verification for the https certificate implies that the stuns URI embedded in the document are receiving adequate protection and can be used without worrying about the lack of certificate verification for the stuns URI.

Now that is an assumption that we made, and we'd very much like to hear if that assumption is incorrect.

Section 6.2.3 is unrelated - it is about IP addresses provisioned locally (not received from the server), and a matching certificate containing IPAddress.  I'll make that more explicit after I receive your response on the subject above.

Also it seems that your DISCUSS is not related to that issue at all, would it be possible to clear it?

Thanks.

On 06/18/2018 10:45 AM, Adam Roach wrote:
> Gonzalo:
> 
> TL;DR -- unless someone can find evidence indicating what the WG intended, I believe we are waiting on you and Simon.
> 
> I had two responses in my most recent message. I presume the first should be uncontroversial.
> 
> The second point pertains to how the working group intended to treat IP addresses in STUNS URIs. The document right now is ambiguous and self-contradictory. If this has been discussed in the past, then the document simply needs to be updated to reflect the outcome of that conversation. If not, then I believe the WG needs to have a conversation about what is intended.
> 
> As it stands, the document will lead to various notions about whether (and how) IP addresses can be used, which will be an interop nightmare.
> 
> /a
> 
> On 6/18/18 05:41, Gonzalo Camarillo wrote:
>> Marc, Adam,
>>
>> what is the status of this discussion?
>>
>> Thanks,
>>
>> Gonzalo
>>
>> On 21/05/2018 9:11 PM, Adam Roach wrote:
>>> Sorry for taking so long to get back to you on this. Two responses below
>>> -- everything else looks good.
>>>
>>> On 5/3/18 6:37 PM, Marc Petit-Huguenin wrote:
>>>> On 04/23/2018 03:37 PM, Marc Petit-Huguenin wrote:
>>>>>> ---------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> §17.3.1:
>>>>>>
>>>>>>>    IANA is requested to update the names for attributes 0x0002, 0x0003,
>>>>>>>    0x0004, 0x0005, 0x0007, and 0x000B, and the reference from RFC 5389
>>>>>>>    to RFC-to-be for the following STUN methods:
>>>>>> ...
>>>>>>>    0x0003: (Reserved; prior to [RFC5389] this was CHANGE-REQUEST)
>>>>>> The attribute 0x0003 is registered by RFC 5780, and should not be
>>>>>> removed by this document.
>>>>> Fixed.
>>>
>>> Thanks for the change, but the new text still asks IANA to update the
>>> table so that 0x0003 points to *this* document, instead of continuing to
>>> point to RFC 5780. Since this document does not do anything with
>>> CHANGE-REQUEST, this update does not seem correct.
>>>
>>>
>>>>>> ---------------------------------------------------------------------------
>>>>>>
>>>>>>
>>>>>> §6.2.3 says:
>>>>>>
>>>>>>>    Alternatively, a
>>>>>>>    client MAY be configured with a set of IP addresses that are
>>>>>>> trusted;
>>>>>>>    if a certificate is received that identifies one of those IP
>>>>>>>    addresses, the client considers the identity of the server to be
>>>>>>>    verified.
>>>>>> Presumably, this means the server supplies a certificate with
>>>>>> SubjectAltName
>>>>>> containing an iPAddress? Please add text to clarify whether that's the
>>>>>> intention.
>>>>>>
>>>>>> If that *is* the intended meaning, then this behavior in §8.1 seems
>>>>>> unnecessarily restrictive:
>>>>>>
>>>>>>>    A "stuns" URI
>>>>>>>    containing an IP address MUST be rejected, unless the domain name is
>>>>>>>    provided by the same mechanism that provided the STUN URI, and that
>>>>>>>    domain name can be passed to the verification code.
>>>>>> Presumably, this is done because certs with iPAddress-form
>>>>>> SubjectAltNames are
>>>>>> pretty rare (although CAB Forum baseline requirements do explicitly
>>>>>> allow
>>>>>> their issuance) -- but if the text in §6.2.3 is based on allowing
>>>>>> the use of
>>>>>> such certs in a TURN deployment, then it seems that URI resolution
>>>>>> should be
>>>>>> also.
>>>>>>
>>>>> I am not sure what was the intent there, so I'll work on that later.
>>>> We addressed all the other comments, but it would be great if you
>>>> could suggest some text to address that one.
>>> I'm not sure what was meant either!
>>>
>>> I think we need to untangle what the working group meant to say
>>> regarding "trusted IP addresses," the way this protocol is intended to
>>> use certs, and whether the prohibition on using IP addresses in "stuns"
>>> URIs derives from cert handling or if it has a completely different
>>> rationale behind it; and, if the former, ensure that those things that
>>> are prohibited or allowed in certs are similarly prohibited or allowed
>>> in URIs.
>>>
>>> I can suggest some *behavior*, but unless there is some record of what
>>> the WG meant, any such behavior would need to be discussed by the
>>> working group, and a consensus would need to be declared by the chairs.
>>>
>>>
>>> /a
>>>
> 


-- 
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: https://marc.petit-huguenin.org
Profile: https://www.linkedin.com/in/petithug

v2.23.0 | Report a Bug | By Email