[tram] draft-ietf-tram-stun-origin-06.txt review
Brandon Williams <brandon.williams@akamai.com> Tue, 10 November 2015 21:33 UTC
Return-Path: <brandon.williams@akamai.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD14A1A90C4 for <tram@ietfa.amsl.com>; Tue, 10 Nov 2015 13:33:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a-u7iLDNvr22 for <tram@ietfa.amsl.com>; Tue, 10 Nov 2015 13:33:04 -0800 (PST)
Received: from prod-mail-xrelay05.akamai.com (prod-mail-xrelay05.akamai.com [23.79.238.179]) by ietfa.amsl.com (Postfix) with ESMTP id DA0721A90B0 for <tram@ietf.org>; Tue, 10 Nov 2015 13:33:00 -0800 (PST)
Received: from prod-mail-xrelay05.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 8B5E2423FD1 for <tram@ietf.org>; Tue, 10 Nov 2015 21:33:00 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay05.akamai.com (Postfix) with ESMTP id 75960423F74 for <tram@ietf.org>; Tue, 10 Nov 2015 21:33:00 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1447191180; bh=EWCcKtsgEW0gtqhBI96MwAhSH/8hFpbdlXgYfb7W5/w=; l=1978; h=To:References:From:Date:In-Reply-To:From; b=zi6E/PWeQDJPiXxobkbZ+O/uawL/fiGVq2K1Zbe9XjsQEr/KJnUqC6F5f7OWamdm+ +tO5xCkOoDigq1WCj95kovsj4a7kdbpZFLEmkHGaJPDs51YrOPrvQ9YTlwu6kOsFYY h55eCN8lx9TYGxPbBh7AA3Wcm+TGvRlmJlM3d9Wo=
Received: from [172.28.113.245] (bowill.kendall.corp.akamai.com [172.28.113.245]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 505D5214E for <tram@ietf.org>; Tue, 10 Nov 2015 21:33:00 +0000 (GMT)
To: "tram@ietf.org" <tram@ietf.org>
References: <56426125.20204@akamai.com>
From: Brandon Williams <brandon.williams@akamai.com>
Message-ID: <5642628C.2050400@akamai.com>
Date: Tue, 10 Nov 2015 16:33:00 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <56426125.20204@akamai.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/GGav9hPEAHGvFU3c58s7nn43C-A>
Subject: [tram] draft-ietf-tram-stun-origin-06.txt review
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Nov 2015 21:33:05 -0000
Here's the review that I promised to write up. Sorry I didn't get it out before the meeting. I already raised my biggest concerns in the meeting last week, but will repeat them for the list: * Although I understand the privacy concerns that have been raised, I think that the new "Origin Matching Rules" makes the attribute enough less useful that I likely would not implement support. We do some fairly unique things for client-specific relay mapping, so I understand if I'm in the minority on this point, and I don't consider the draft bad to publish if there are enough others who still consider it useful with this limitation. * I am concerned that some of the suggested uses for the attribute provide an incentive to lie. I'm not convinced by the argument that the system won't work if you lie, because there is no requirement to use ORIGIN as a realm selector for auth purposes. As a result, the client could lie in order to get through a related firewall restriction or to get around a service limitation on the relay. OK, as for the minor comments ... S2.2 The new text requires the client to send ORIGIN in any case that matches the constraints in S2.1. The old text only required it for web origins and only recommended it for others. What's the reason for the change? The section would benefit from a rationale for the MUST. S2.3 The same comment about changed requirements and providing a rationale applies. S4 This probably should have occurred to me in earlier reviews, but I now see that the Security Considerations section conflicts with the requirements text in S2.2 and S2.3. The earlier sections require ORIGIN to be sent in some messages where Security Considerations directly allows it to be omitted if not using (D)TLS. It's a little confusing for it to be expressed as required in one place and not required in another. That's it. Please let me know if you have any questions about the above. --Brandon
- [tram] draft-ietf-tram-stun-origin-06.txt review Brandon Williams
- Re: [tram] draft-ietf-tram-stun-origin-06.txt rev… Alan Johnston