Re: [tram] Path Forward for STUN ORIGIN
Martin Thomson <martin.thomson@gmail.com> Tue, 25 August 2015 20:41 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC0351B2F0A for <tram@ietfa.amsl.com>; Tue, 25 Aug 2015 13:41:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jsvltyhf4dk0 for <tram@ietfa.amsl.com>; Tue, 25 Aug 2015 13:41:03 -0700 (PDT)
Received: from mail-yk0-x22b.google.com (mail-yk0-x22b.google.com [IPv6:2607:f8b0:4002:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E9D81B2F0D for <tram@ietf.org>; Tue, 25 Aug 2015 13:41:03 -0700 (PDT)
Received: by ykdt205 with SMTP id t205so168167435ykd.1 for <tram@ietf.org>; Tue, 25 Aug 2015 13:41:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=E/zcErtF/2yxqxkOOAxZSpESi7S25tpL6Qh19VMmaq0=; b=FfDPaCctAFYKEQuDPoXGgG1USl8CqSyiTZEfoa4rmmEBb80PqYROHi70nQFeCiDx6w OuW3uBZMXjSqMiA9jYzQgN+rdgE7EOuLycJdCu4vQllXQTtxVhxgwxqEPhB49Ifrl1lO cZ9bF9duT7gy6rcCKSW4lcnE+phqPT67YYzo5PXXoUp53nOtCplK1hC0INShFDJr9S1g jIX87mZe2/5rmY1l5yPL2aai0/dkSlcuF73uGqk60dbAaauIq3KqhojTY2Y7IwXrMeal mUHPH6a0zv0ruhYw2Yx7aJSWRfVCSZuvqBP1KiMsMrLR5JlFc4IpYtqWtVZdnUSOdVbT lkyA==
MIME-Version: 1.0
X-Received: by 10.170.199.7 with SMTP id q7mr10589292yke.57.1440535262851; Tue, 25 Aug 2015 13:41:02 -0700 (PDT)
Received: by 10.129.133.130 with HTTP; Tue, 25 Aug 2015 13:41:02 -0700 (PDT)
In-Reply-To: <CAKhHsXGwB1vovKQYaGnoZ1MuzREbDA8cTp4sCePNc6=saKN5BA@mail.gmail.com>
References: <CAKhHsXGwB1vovKQYaGnoZ1MuzREbDA8cTp4sCePNc6=saKN5BA@mail.gmail.com>
Date: Tue, 25 Aug 2015 13:41:02 -0700
Message-ID: <CABkgnnVef2voSb1i_uKZPjSimYw7Zxooh5wZh=ZmnuLeFj0Hrw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Alan Johnston <alan.b.johnston@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/IIMiqM0U21jhxGnh-kYpTJtF_kk>
Cc: "tram@ietf.org" <tram@ietf.org>, "draft-ietf-tram-stun-origin@tools.ietf.org" <draft-ietf-tram-stun-origin@tools.ietf.org>
Subject: Re: [tram] Path Forward for STUN ORIGIN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2015 20:41:07 -0000
I'm wondering here whether this might be advised by similar work in the area. ORIGIN is analogous to the HTTP Referer [sic] header field. There, the damage was done long ago, and we aren't sure that it can be fixed. After several attempts to reduce the information that we expose by default, I think that browser vendors are basically resigned to status quo (at least for now). That's the cautionary aspect of this discussion that we have to be aware of. However, what advises this is the secondary controls browsers are providing for controlling use of Referer. See referrer policy [1]. All this is driven by a simple principle: if we see an explicit signal that a site wants to share Referer, then we include it for them. This is based on the realization that if we don't do this, they will find another way to exfiltrate the data. Usernames and passwords being the obvious channels available for TURN, but I'll observe that there are no winners if you force people to resort to hacks to get the information they need or think they need. Maybe all we need to do here is recognize that we need to provide adequate controls. Make it clear that you expect someone else (hello browser vendors) to apply the policies. If a TURN server is configured with a special flag (call it "includeOrigin" for argument's sake), then we might send the ORIGIN attribute. Then, I think that the concerns raised around privacy can be addressed by having ORIGIN omitted by default. Privacy-preserving by default is perhaps the most relevant concern here. I realize that this might be less than ideal for you because it means talking to a whole new set of people over @w3.org, but I think that option is likely to be less cumbersome than your proposed solution. [1] http://w3c.github.io/webappsec/specs/referrer-policy/ On 25 August 2015 at 12:57, Alan Johnston <alan.b.johnston@gmail.com> wrote: > All, > > Based on feedback during IETF-93 in Prague, the authors of > draft-ietf-stun-origin are looking for feedback on a possible path forward > to solve the privacy/meta data issues and clear the DISCUSSes (see > https://datatracker.ietf.org/doc/draft-ietf-tram-stun-origin/ballot/). > There are two areas of feedback: Use Cases and Proposed Solution. > > Use Cases > ======== > > First, we want to be sure that we are considering all the use cases for STUN > ORIGIN. In the draft, three are described: > > 1. Logging of usage of STUN/TURN server. An operator of a STUN or TURN > server would learn the Origin of the web, SIP, and XMPP users. > > 2. REALM selection for multi-tenanted TURN server. This avoids having to > run multiple instances on different ports or IP addresses when more than one > REALM is in use. > > 3. Service determination after authentication. Bandwidth or QoS policy can > be applied, after authentication, based on the Origin. > > Also, the following use cases have also been discussed but are not in the > draft > > 4. Authorization at border TURN server after authentication. An enterprise > border TURN server can apply policy and allow usage for certain Origins > (whitelist) or block usage of others (blacklist). > > 5. draft-jennings-behave-rtcweb-firewall-01 discusses how a firewall with > STUN server could use ORIGIN in authorization decisions. > > Are there any other use cases we should consider? > > Possible Solution > ============= > > The solution that was discussed in Prague that seems to be the best tradeoff > between privacy and functionality is to only include ORIGIN information in a > STUN or TURN request if the domain of the Origin matches the domain of the > STUN or TURN server in the STUN or TURN URI. Since web and STUN and TURN > run on different ports, and often will resolve to different IP addresses, a > full host comparison is not possible. This proposal is not perfect: it does > not provide perfect privacy for subdomains (e.g. sub1.example.com and > sub2.example.com will match with this rule, even if they are separate > entities. Of course, subdomain users could always register a new domain and > point DNS records to their sub hoster.) > > In comparing this solution against the use cases above: > > 1. Allows logging of your own users on your own TURN server (or one that you > setup DNS SRV records to point towards). Other users of your STUN or TURN > server will not be identified by an Origin, but you will at least know if > others are using your server. > > 2. Works for REALM selection as long as you use your own TURN server (or one > that you setup DNS SRV records to point towards). > > 3. Again, works for service determination as long as you use your own TURN > server (or one that you setup DNS SRV records to point towards). Having > service-specific TURN credentials is another solution that doesn't rely on > ORIGIN. > > 4. & 5. Does not seem provide a good solution for these use cases. > > Does this analysis make sense? > > Feedback most welcome so we can move forward with this draft. > > - Alan - > > > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram >
- [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Tirumaleswar Reddy (tireddy)
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - analysis Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - how to … Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Justin Uberti
- [tram] Oauth vs Origin [Was: Path Forward for STU… Justin Uberti
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Oleg Moskalenko
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Tirumaleswar Reddy (tireddy)
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams