IETF Logo Mail Archive

Re: [tram] AD Evaluation of draft-ietf-tram-turnbis-23

Gonzalo Camarillo <gonzalo.camarillo@ericsson.com> Mon, 15 April 2019 13:43 UTC

Return-Path: <gonzalo.camarillo@ericsson.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D931C1201AB; Mon, 15 Apr 2019 06:43:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pZQEw0J6qqap; Mon, 15 Apr 2019 06:43:37 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60062.outbound.protection.outlook.com [40.107.6.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D83E12017E; Mon, 15 Apr 2019 06:43:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=U5xEDZc50POkP1fAYSpri1fjOlzcE60HpeXiMIyiM04=; b=jSkPLfs2ygLOfWTbzpbz09/aZII7eIeSlLuIE/2Nzdz9p6CXCs6PzipPe+y1WwA0JXIlZrH3tYnly+SE54Nie2QRretUaqVj8sP0ojUZtfwWnxoHJCXLYguoFWvtO+PQSevef6Gbbtl4YGdBNZaAxa7+cVJnXYNShFA1Kb5jpeI=
Received: from HE1PR0702MB3689.eurprd07.prod.outlook.com (52.133.6.143) by HE1SPR01MB03.eurprd07.prod.outlook.com (10.160.67.158) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1813.9; Mon, 15 Apr 2019 13:43:32 +0000
Received: from HE1PR0702MB3689.eurprd07.prod.outlook.com ([fe80::8016:9a82:4ff3:a264]) by HE1PR0702MB3689.eurprd07.prod.outlook.com ([fe80::8016:9a82:4ff3:a264%6]) with mapi id 15.20.1813.009; Mon, 15 Apr 2019 13:43:31 +0000
From: Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, Magnus Westerlund <magnus.westerlund@ericsson.com>, "tram@ietf.org" <tram@ietf.org>, "draft-ietf-tram-turnbis@ietf.org" <draft-ietf-tram-turnbis@ietf.org>
Thread-Topic: [tram] AD Evaluation of draft-ietf-tram-turnbis-23
Thread-Index: AQHU6u6miufFCL2QUEG5nrdQuPpiPw==
Date: Mon, 15 Apr 2019 13:43:31 +0000
Message-ID: <HE1PR0702MB3689B2A3C1DFA1F612583E6C832B0@HE1PR0702MB3689.eurprd07.prod.outlook.com>
References: <HE1PR0701MB2522B08D2A1B3503000BE38695500@HE1PR0701MB2522.eurprd07.prod.outlook.com> <HE1PR0701MB2522FF7BB48F366FFE4DA2A795510@HE1PR0701MB2522.eurprd07.prod.outlook.com> <HE1PR0702MB3689AE241DCBDCF250C4CDD283510@HE1PR0702MB3689.eurprd07.prod.outlook.com> <HE1PR0702MB36895B0A9807CB4D6459E351832B0@HE1PR0702MB3689.eurprd07.prod.outlook.com> <BYAPR16MB2790323AF45D8080CEB0E80AEA2B0@BYAPR16MB2790.namprd16.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=gonzalo.camarillo@ericsson.com;
x-originating-ip: [37.136.23.131]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0f63db95-9933-42f2-06ad-08d6c1a8597f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600140)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:HE1SPR01MB03;
x-ms-traffictypediagnostic: HE1SPR01MB03:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <HE1SPR01MB0304D644F9C2AB549EE62E832B0@HE1SPR01MB03.eurprd07.prod.outlook.com>
x-forefront-prvs: 000800954F
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(396003)(366004)(346002)(376002)(39860400002)(136003)(13464003)(51914003)(189003)(199004)(476003)(2906002)(52536014)(7696005)(71200400001)(6506007)(99286004)(44832011)(446003)(2201001)(71190400001)(66574012)(97736004)(26005)(86362001)(2501003)(6246003)(6436002)(55016002)(53946003)(6306002)(9686003)(316002)(30864003)(486006)(110136005)(53936002)(229853002)(81156014)(81166006)(5660300002)(305945005)(105586002)(8936002)(7736002)(6116002)(33656002)(561944003)(53546011)(8676002)(93886005)(68736007)(25786009)(66066001)(76176011)(478600001)(102836004)(3846002)(18074004)(256004)(106356001)(74316002)(966005)(14454004)(14444005)(186003)(151285002)(559001)(579004)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1SPR01MB03; H:HE1PR0702MB3689.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: aioWi9ZCIz1qtxnfZjsHNUTiXd713HduTKKfoGVEDa+qM2q7rWwosBlJnLWXAIAnfiP5jLsDRN5jPZZhWfbY000B8iRMZulVo+vVG2A4YO9NnuW2mvU6lWu5KGV12jCO+vtyRREwjbi4oATrT2vD0WUF4kkbnPrBgZtKPh9oFNrl0hGJbc/6ycp1SzPpTuruK+GnMQ/9uo+nBy5FUBzMjdGL2DQLuGG0SrTMlM8YxDz8TQQlxeOa3OsSQzE25o1k8ldUv4QBnFGOE5HnoU5BTTcoA+PfwYjEMLU/odnz2iqM8hDW7Bmx2ATPoxLCFJlASxQh+O/1xlVHU+WA+91p4HI5Y+HEDoljLNzeRKiSDIUpOrNZ0p7nFASvZ6Z38axH1+EEYT0aA0liuqSQQBnBn7flTWDXZDbVK3uROocGryU=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0f63db95-9933-42f2-06ad-08d6c1a8597f
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Apr 2019 13:43:31.7996 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1SPR01MB03
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/n5m6OD_ffQzeKVNwG-gMBy1TtGI>
Subject: Re: [tram] AD Evaluation of draft-ietf-tram-turnbis-23
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 13:43:42 -0000

Hi Magnus,

could you please look into Tiru's responses and let us know how you want
to proceed? Thanks!

Cheers,

Gonzalo

On 15-Apr-19 14:05, Konda, Tirumaleswar Reddy wrote:
>> -----Original Message-----
>> From: tram <tram-bounces@ietf.org> On Behalf Of Gonzalo Camarillo
>> Sent: Monday, April 15, 2019 4:09 PM
>> To: Magnus Westerlund <magnus.westerlund@ericsson.com>; tram@ietf.org;
>> draft-ietf-tram-turnbis@ietf.org
>> Subject: Re: [tram] AD Evaluation of draft-ietf-tram-turnbis-23
>>
>>
>>
>> Authors of TURNbis,
>>
>> could you please look into this and let us know your time plan to address
>> Magnus's review? Thanks!
> 
> I have already responded to the comments from Magnus https://mailarchive.ietf.org/arch/msg/tram/CVcl_2D-uads0zw3kS9uVqr0WFk, waiting for his response.
> 
> Cheers,
> -Tiru
> 
>>
>> Cheers,
>>
>> Gonzalo
>>
>> On 05-Apr-19 11:20, Gonzalo Camarillo wrote:
>>> Thanks for the review, Magnus!
>>>
>>> Authors, could you please look into Magnus's comments and provide him
>>> with responses?
>>>
>>> Thanks,
>>>
>>> Gonzalo
>>>
>>> On 05-Apr-19 10:11, Magnus Westerlund wrote:
>>>> Hi,
>>>>
>>>> One addition.
>>>>
>>>> Section 16.13.  ICMP Attribute
>>>>
>>>> This attribute is flawed as it lacks a data part to carry values
>>>> certain codes have. I specifically think of ICMPv6 Type = 2, Packet Too Big.
>>>> That message has a 32-bit unsigned integer carrying the MTU of the
>>>> Next Hop Link that causes the ICMP message to be sent. That really
>>>> should be replicated back to the client.
>>>>
>>>> There is also the question if ICMP messages for Parameter Problem
>>>> should included the pointer?
>>>>
>>>> I really think there need to be a 32-bit data field with the ICMP
>>>> attribute.
>>>>
>>>> Cheers
>>>>
>>>> Magnus
>>>>
>>>>
>>>> On 2019-04-04 16:00, Magnus Westerlund wrote:
>>>>> Hi,
>>>>>
>>>>> I have now finished the AD review. There are a lot of details that I
>>>>> think needs fixing or at least feedback on. I also think there are a
>>>>> couple of more serious issues here. Especially regarding the
>>>>> handling of MTU and fragmentation, as well as IP header fields in
>>>>> address family translation and with non UDP transport. We need to
>>>>> conclude on these before we go to IETF last call.
>>>>>
>>>>> My Review comments are:
>>>>>
>>>>> A. Section 1: "The client can arrange
>>>>>    for the server to relay packets to and from certain other hosts
>>>>>    (called peers) and can control aspects of how the relaying is done."
>>>>>
>>>>> I don't think this is an accurate description of what Turn does. One
>>>>> may easily get the impression that the whole packet TURN receives
>>>>> are relayed, rather than the transport protocol data part and some
>>>>> of the header information are relayed between the client <-> peer,
>>>>> with a knowledge of the peer transport address for the client. I
>>>>> think that should be clarified in the introduction.
>>>>>
>>>>> B. Section 2.7:
>>>>>
>>>>> "Applications using TCP can more or less
>>>>>    ignore this issue because fragmentation avoidance is now a standard
>>>>>    part of TCP, but applications using UDP (and thus any application
>>>>>    using this version of TURN) must handle fragmentation avoidance
>>>>>    themselves."
>>>>>
>>>>> Lower case "must", and as the document uses RFC 2119, this must have
>>>>> the meaning of "MUST". A reformulation here is likely in order.
>>>>>
>>>>> C. Section 2.7:
>>>>>
>>>>>    In this approach, the application exploits the
>>>>>    fact that the IP specification [RFC0791] specifies that IP packets up
>>>>>    to 576 bytes should never need to be fragmented.
>>>>>
>>>>>    As a guideline, sending a maximum of 500 bytes of application data in
>>>>>    a single TURN message (by the client on the client-to-server leg) or
>>>>>    a UDP datagram (by the peer on the peer-to-server leg) will generally
>>>>>    avoid IP fragmentation.  To further reduce the chance of
>>>>>    fragmentation, it is recommended that the client use ChannelData
>>>>>    messages when transferring significant volumes of data, since the
>>>>>    overhead of the ChannelData message is less than Send and Data
>>>>>    indications.
>>>>>
>>>>> In that first paragraph I think it is worth discussing the IPv6
>>>>> requirement of supporting a 1280 minimal size.
>>>>>
>>>>> Secondly, I think recommending only a 500 MTU is way to conservative.
>>>>> Those studies I have seen appears to indicate that at least 1220
>>>>> bytes UDP payloads should be be working as well as 500 bytes. See
>>>>> for example figure 12 in this:
>>>>> https://static.googleusercontent.com/media/research.google.com/sv//p
>>>>> ubs/archive/46403.pdf
>>>>>
>>>>>
>>>>> D. Section 2.7:
>>>>>
>>>>>    [I-D.ietf-tram-stun-pmtud] is an implementation of [RFC4821] that
>>>>>    uses STUN to discover the path MTU, and so might be a suitable
>>>>>    approach to be used in conjunction with a TURN server that supports
>>>>>    the DONT-FRAGMENT attribute.  When the client includes the DONT-
>>>>>    FRAGMENT attribute in a Send indication, this tells the server to set
>>>>>    the DF bit in the resulting UDP datagram that it sends to the peer.
>>>>>    Since some servers may be unable to set the DF bit, the client should
>>>>>    also include this attribute in the Allocate request -- any server
>>>>>    that does not support the DONT-FRAGMENT attribute will indicate this
>>>>>    by rejecting the Allocate request.
>>>>>
>>>>> I want to verify that the WG is working on resolving the issues with
>>>>> the STUN PMTUD document. I definitely sees the point of the
>>>>> recommendation, but only if the WG will conclude on that document in
>>>>> a reasonable time frame.
>>>>>
>>>>> E. Section 3:
>>>>>
>>>>>    Server-Reflexive Transport Address:  A transport address on the
>>>>>       "public side" of a NAT.  This address is allocated by the NAT to
>>>>>       correspond to a specific host transport address.
>>>>>
>>>>> Shouldn't "public side" be replace with "external side"? That is the
>>>>> terminology used by the Behave RFCs.
>>>>>
>>>>> F. Section 3:
>>>>>
>>>>>    5-tuple:  The combination (client IP address and port, server IP
>>>>>       address and port, and transport protocol (currently one of UDP,
>>>>>       TCP, or (D)TLS)) used to communicate between the client and the
>>>>>       server.
>>>>>
>>>>> I see some issues that the 5-tuple aggregates the transport protocol
>>>>> with the security protocol. I agree from the TURN protocol
>>>>> perspective the protocol combination is the important one. However,
>>>>> writing like you do here you obfuscate both that when security is in
>>>>> place you have a combination, as well as that there are 4
>>>>> alternatives defined by this document.
>>>>>
>>>>> G. Section 4.1:
>>>>>
>>>>>    The "turn" and "turns" URI schemes are used to designate a TURN
>>>>>    server (also known as a relay) on Internet hosts accessible using the
>>>>>    TURN protocol.  The TURN protocol supports sending messages over UDP,
>>>>>    TCP, TLS-over-TCP or DTLS-over-UDP.  The "turns" URI scheme MUST be
>>>>>    used when TURN is run over TLS-over-TCP or in DTLS-over-UDP, and the
>>>>>    "turn" scheme MUST be used otherwise.  The required <host> part of
>>>>>    the "turn" URI denotes the TURN server host.  The <port> part, if
>>>>>    present, denotes the port on which the TURN server is awaiting
>>>>>    connection requests.  If it is absent, the default port is 3478 for
>>>>>    both UDP and TCP.  The default port for TURN over TLS and TURN over
>>>>>    DTLS is 5349.
>>>>>
>>>>> First, I was wondering if this document needed to update RFC 7065?
>>>>> The high level obvious is the reference, but otherwise on the
>>>>> surface it doesn't look necessary. My main complaint when reading
>>>>> was that it was not obvious what not specifying the transport
>>>>> parameter means. Then I saw this in Section 3.1 of RFC 7065:
>>>>>
>>>>>    The <host>, <port>, and <transport> components are passed without
>>>>>    modification to the [RFC5928] algorithm.  <secure> is set to false if
>>>>>    <scheme> is equal to "turn", and set to true if <scheme> is equal to
>>>>>    "turns" and passed to the [RFC5928] algorithm with the other
>>>>>    components.
>>>>>
>>>>> After some digging I figured out that RFC5928 is actually updated by
>>>>> RFC
>>>>> 7350 that defines the resolution and SRV records for DTLS.
>>>>>
>>>>> Can you please update the text in Section 4 to also reference RFC
>>>>> 7350 so that one doesn't miss this definitions.
>>>>>
>>>>> H. Section 5:
>>>>>
>>>>>    If the server requires requests to be
>>>>>    authenticated, then the server's administrator MUST choose a realm
>>>>>    value that will uniquely identify the username and password
>>>>>    combination that the client must use, even if the client uses
>>>>>    multiple servers under different administrations.
>>>>>
>>>>> Just to verify, TURN does not allow a single server address to host
>>>>> multiple realms do it? Each Realm needs its own unique server
>>>>> transport address?
>>>>>
>>>>> I. Section 5:
>>>>>
>>>>>    For each Allocate request, the server SHOULD generate a
>>>>>    new random nonce when the allocation is first attempted following the
>>>>>    randomness recommendations in [RFC4086] and SHOULD expire the
>> nonce
>>>>>    at least once every hour during the lifetime of the allocation.
>>>>>
>>>>> So, I think this text due to its use of RFC 2119 language is a bit
>>>>> confusing in its relation to STUNbis. To me it is unclear if the
>>>>> above overrides completely what is written in Section 5 of STUNbis:
>>>>>
>>>>>    To indicate that it supports this specification, a server MUST
>>>>>    prepend the NONCE attribute value with the character string composed
>>>>>    of "obMatJos2" concatenated with the (4 character) Base64 [RFC4648]
>>>>>    encoding of the 24 bit STUN Security Features as defined in
>>>>>    Section 18.1.  The 24 bit Security Feature set is encoded as 3 bytes,
>>>>>    with bit 0 as the most significant bit of the first byte and bit 23
>>>>>    as the least significant bit of the third byte.  If no security
>>>>>    features are used, then a byte array with all 24 bits set to zero
>>>>>    MUST be encoded instead.  For the remainder of this document the term
>>>>>    "nonce cookie" will refer to the complete 13 character string
>>>>>    prepended to the NONCE attribute value.
>>>>>
>>>>> Or is the randomness recommendations in TURNbis only for the NONCE
>>>>> attribute value part?
>>>>>
>>>>> Secondly, I interpret the text to say that compared to STUN, where a
>>>>> Nonce can be long lived after the initial Long Term Credential
>>>>> establishment, in TURN for each allocation one will have to to the
>>>>> Allocate, expired nonce->here is your new nonce, resend allocate
>>>>> using new nonce, success dance.
>>>>>
>>>>> I think part of the problem with the above text in TURNbis is that
>>>>> the sentences prior to the quoted one appear to be rehashing of the
>>>>> STUNbis requirements. Then the quoted part that actually changes
>>>>> behavior without being clear about it. I think it would be good to
>>>>> make it clear what is a change compared to STUNbis.
>>>>>
>>>>> J. Section 6:
>>>>>
>>>>>    Note that, rather than storing the password explicitly, for
>>>>>    security reasons, it may be desirable for the server to store the key
>>>>>    value, which is a secure hash over the username, realm, and password
>>>>>    (see [I-D.ietf-tram-stunbis]).
>>>>>
>>>>> Why isn't this recommendation stronger. Are there any reasons why a
>>>>> server would actually store the plain text password at all?
>>>>>
>>>>> K. Section 7.1:
>>>>>
>>>>>    The client first picks a host transport address.  It is RECOMMENDED
>>>>>    that the client pick a currently unused transport address, typically
>>>>>    by allowing the underlying OS to pick a currently unused port for a
>>>>>    new socket.
>>>>>
>>>>> I think talk about socket in this context should be skipped as it
>>>>> otherwise have been eliminated.
>>>>>
>>>>> L. Section 7.1:
>>>>>
>>>>>   The client then picks a transport protocol to use between the client
>>>>>    and the server.  The transport protocol MUST be one of UDP, TCP, TLS-
>>>>>    over-TCP or DTLS-over-UDP.
>>>>>
>>>>> I find it strange that this indicates that one should pick the
>>>>> transport protocol to use client to server without considering the
>>>>> server capabilities. Especially as the client configuration or
>>>>> server discovery procedures will indicate transport protocol support.
>>>>>
>>>>> Secondly, what is the motivation for the MUST in the second sentence?
>>>>> This is appears to have strange interactions with any future
>>>>> extensions and have no impact. A client must obvious chose a client
>>>>> to server transport protocol it supports, and one that the server
>>>>> supports or the client hope it will support.
>>>>>
>>>>> M. Section 7.1:
>>>>>
>>>>>    The client also picks a server transport address, which SHOULD be
>>>>>    done as follows.  The client uses one or more procedures described in
>>>>>    [RFC8155] to discover a TURN server and uses the TURN server
>>>>>    resolution mechanism defined in [RFC5928] to get a list of server
>>>>>    transport addresses that can be tried to create a TURN allocation.
>>>>>
>>>>> 1) So RFC 8155 states that it has no recommendation on server
>>>>> selection, nor on how to related local configuration to any auto-discovery
>> servers.
>>>>> To me it appears that the protocol utilizing TURN should consider
>>>>> what makes sense in their deployments. Thus, does the need for such
>>>>> consideration needs to be highlighted somewhere in this specification.
>>>>>
>>>>> 2) The RFC5928 reference  should be complemented with an RFC 7350
>>>>> reference.
>>>>>
>>>>> N. Section 7.1:
>>>>>
>>>>>  Clients MUST NOT include a REQUESTED-ADDRESS-
>>>>>    FAMILY attribute in an Allocate request that contains a RESERVATION-
>>>>>    TOKEN attribute, for the reasons outlined in [RFC6156].
>>>>>
>>>>> Considering that this document obsoletes RFC 6156, I think it is bad
>>>>> form to reference that document, rather than to move the necessary
>>>>> motivation into this document.
>>>>>
>>>>> O. Section 7.1:
>>>>>
>>>>>    If the client wishes to obtain a relayed transport address of a
>>>>>    specific address type then it includes a REQUESTED-ADDRESS-FAMILY
>>>>>    attribute in the request.
>>>>>
>>>>> I don't find anything describing what the default behavior is if one
>>>>> doesn't include the attribute, but the TURN server supports multiple
>>>>> address families.
>>>>>
>>>>> I see that bullet 7 in Section 7.2 indicates that IPv4 is default.
>>>>> Should the text in 7.1 be explicit about this default?
>>>>>
>>>>> P. Section 7.2:
>>>>>
>>>>>          Otherwise, if the attribute is included but
>>>>>         specifies a protocol other that UDP, the server rejects the
>>>>>         request with a 442 (Unsupported Transport Protocol) error.
>>>>>
>>>>> Assuming that you don't support an extension for that transport
>>>>> protocol. Should that be made explicit?
>>>>>
>>>>> Q. Section 8.3:
>>>>>
>>>>>    If the client receives a success response to its Refresh request with
>>>>>    a non-zero lifetime, it updates its copy of the allocation data
>>>>>    structure with the time-to-expiry value contained in the response.
>>>>>
>>>>>    If the client receives a 437 (Allocation Mismatch) error response to
>>>>>    a request to delete the allocation, then the allocation no longer
>>>>>    exists and it should consider its request as having effectively
>>>>>    succeeded.
>>>>>
>>>>> So there are no considerations for the client if it receives an
>>>>> error response to a refresh request when Lifetime was non-zero?
>>>>>
>>>>> I am bit surprised by that. I assume that there are certain cases
>>>>> when the request could be resent, and others where the meaning is
>>>>> that the allocation is gone.
>>>>>
>>>>> R. Section 11.5:
>>>>>
>>>>>    When the server receives an ICMP packet, the server verifies that the
>>>>>    type is either 3, 11 or 12 for an ICMPv4 [RFC0792] packet or either
>>>>>    1, 2, or 3 for an ICMPv6 [RFC4443] packet.  It also verifies that the
>>>>>    IP packet in the ICMP packet payload contains a UDP header.  If
>>>>>    either of these conditions fail, then the ICMP packet is silently
>>>>>    dropped.
>>>>>
>>>>> Why is not ICMPv6 Type 4 (Parameter Problem) included when Parameter
>>>>> Problem are for ICMPv4?
>>>>>
>>>>> S. Section 12.5:
>>>>>
>>>>>    Over TCP and TLS-over-TCP, the ChannelData message MUST be padded
>> to
>>>>>    a multiple of four bytes in order to ensure the alignment of
>>>>>    subsequent messages.  The padding is not reflected in the length
>>>>>    field of the ChannelData message, so the actual size of a ChannelData
>>>>>    message (including padding) is (4 + Length) rounded up to the nearest
>>>>>    multiple of 4.  Over UDP, the padding is not required but MAY be
>>>>>    included.
>>>>>
>>>>> Are there anywhere written what one may or may not include of the
>>>>> TURN related messages in a single UDP datagram. Because it is
>>>>> technically feasible I belive to include two Send Indications in one
>>>>> UDP datagram to the server.
>>>>>
>>>>> T. Section 13.1:
>>>>>
>>>>>    Flow Label
>>>>>
>>>>>       Preferred behavior: The relay sets the Flow label to 0.  The relay
>>>>>       can choose to set the Flow label to a different value if it
>>>>>       supports the IPv6 Flow Label field [RFC6437].
>>>>>
>>>>>       Alternate behavior: The relay sets the Flow label to the default
>>>>>       value for outgoing packets.
>>>>>
>>>>> I think this section should be improved in two ways.
>>>>>
>>>>> First of all I think it should clarify that each allocation to peer
>>>>> flow is its own IPv6 Flow in perspective of the IPv6 Flow label.
>>>>>
>>>>> Secondly, I think in the spirit of RFC 6473 the preferred behavior
>>>>> should be to set the IPv6 flow label if the implementation is
>>>>> capable, or leave it to the underlying network stack to actually set
>>>>> it. Compared to RFC 7915, the TURN server actually have an
>>>>> understanding of what are different flows without having examining
>> additional protocol layers.
>>>>>
>>>>> Thirdly, I don't understand what the alternative behavior actually is.
>>>>> This as it is either setting it to 0, or classifying things as flow
>>>>> and then provide it with a random flow label. I think the right
>>>>> alternative behavior is to set it 0.
>>>>>
>>>>> U. Section 13. 1,2,3:
>>>>>
>>>>>       For both preferred and alternate behavior, the DONT-FRAGMENT
>>>>>       attribute MUST be ignored by the server.
>>>>>
>>>>> I don't understand why just because one performs v4<->v6 or v6 to v4
>>>>> translation or v6 to v6 relaying now can ignore the DONT-FRAGEMENT
>>>>> attribute. If the client has request to not fragment and the server
>>>>> is unable to do that when forwarding to the peer it needs to
>>>>> generate an ICMP attribute response saying the packet is to big.
>>>>> Otherwise the relay breaks the Path MTU discovery mechanisms.
>>>>>
>>>>> V. Section 13.2:
>>>>>
>>>>> Fragmentation:
>>>>>
>>>>>       If the incoming packet included a Fragment header and the outgoing
>>>>>       packet size exceeds the outgoing link's MTU, the relay MUST
>>>>>       fragment the outgoing packet into fragments of no more than 1280
>>>>>       bytes.  The relay sets the fields of the Fragment header as
>>>>>       appropriate for a packet originating from the server.
>>>>>
>>>>> Is really the intention here to refragment the packet without
>>>>> providing any indication that the practical MTU is smaller than what
>>>>> the peer or client thinks it is?
>>>>>
>>>>> W. Section 14:
>>>>>
>>>>>       Preferred Behavior: Set the outgoing value to the incoming value,
>>>>>       UNLESS the server is doing Active Queue Management, the incoming
>>>>>       ECN field is ECT(1) (=0b01) or ECT(0) (=0b10), and the server
>>>>>       wishes to indicate that congestion has been experienced, in which
>>>>>       case set the outgoing value to CE (=0b11).
>>>>>
>>>>> First of all do you have any special meaning with all capital UNLESS?
>>>>>
>>>>> Secondly, I don't know how wise it is to have partial definitions of
>>>>> what the ECN behavior is. Maybe simpler to say that that the relay
>>>>> is performing AQM it can support the ECN marking behavior as defined
>>>>> in RFC 3168.
>>>>>
>>>>> X. Section 14:
>>>>>
>>>>> How are these IP level fields handled when the transport is TCP or
>>>>> TLS/TCP? There there are not necessary a one to one mapping between
>>>>> datagrams and TCP packets. And if there are no support then there
>>>>> are need for clarification of behaviors when using TCP based transport.
>>>>>
>>>>> Y. Section 16.4.  DATA
>>>>>
>>>>>    The DATA attribute is present in all Send and Data indications.  The
>>>>>    value portion of this attribute is variable length and consists of
>>>>>    the application data (that is, the data that would immediately follow
>>>>>    the UDP header if the data was been sent directly between the client
>>>>>    and the peer).  If the length of this attribute is not a multiple of
>>>>>    4, then padding must be added after this attribute.
>>>>>
>>>>> Can you please clarify if one would get all the remaining bytes of
>>>>> the IP packet payload or only the number of bytes the UDP length
>>>>> field indiactes?
>>>>>
>>>>> The reason I ask is that there is possibility that there are a
>>>>> discrepancy between these fields, something the proposal for an
>>>>> experimental specification for UDP options attempt to utilize.
>>>>> https://datatracker.ietf.org/doc/draft-ietf-tsvwg-udp-options/
>>>>>
>>>>> Note, I only want you to clarify what is actually included. I would
>>>>> assume using the UDP length field makes sense in this case.
>>>>>
>>>>> Z. The use of "relay" in the meaning of "Turn Server". There are
>>>>> many occurrences of relay in this meaning. Either make it explicit
>>>>> to be a synonym or change it to server.
>>>>>
>>>>> AA. Section 16.7
>>>>>
>>>>> rffu is lacking a definition. I would suggest making it upper case
>>>>> and copy the definition from 16.8.
>>>>>
>>>>> AB. Section 16.12:
>>>>>
>>>>> Rsvd in Format figure does not match definition below which uses
>> "Reserved".
>>>>>
>>>>> AC. Section 16.12:
>>>>>
>>>>> Reason Phrase (variable). This field is under defined. First of all
>>>>> the format of the text string is not defined, which it is in Stunbis
>>>>> Error-Code attribute is defined as.
>>>>>
>>>>>    The reason phrase MUST be a UTF-8 [RFC3629] encoded
>>>>>    sequence of less than 128 characters (which can be as long as 509
>>>>>    bytes when encoding them or 763 bytes when decoding them).
>>>>>
>>>>> Secondly, I think it might be worth pointing out the padding here.
>>>>> It is not clear if there is any form of string termination and how
>>>>> the padding which will be interpreted as NULL characters 0-3
>>>>> depending on the alignment. I note this later issue appears to be existing in
>> STUNBis also.
>>>>>
>>>>> AD. Section 16.2:
>>>>>
>>>>> Why isn't the text here say that this attribute may also be used to
>>>>> indicate the desired lifetime in allocation requests?
>>>>>
>>>>> AE. Section 16.9: DONT-FRAGMENT
>>>>>
>>>>> I think it would be good to indicate the use of the attribute in
>>>>> Allocate Requests also.
>>>>>
>>>>> AF. Section  24.2
>>>>>
>>>>> [Protocol-Numbers]
>>>>>               "IANA Protocol Numbers Registry", 2005,
>>>>>               <http://www.iana.org/assignments/protocol-numbers>.
>>>>>
>>>>> This is a normative reference based on how it is used in Section 16.8.
>>>>>
>>>>> AG. Seciton 18.
>>>>>
>>>>>    Sometime before the 20 minute lifetime is up, the client refreshes
>>>>>    the allocation.  This is done using a Refresh request.  As before,
>>>>>    the client includes the latest username, realm, and nonce values in
>>>>>    the request.  The client also includes the SOFTWARE attribute,
>>>>>    following the recommended practice of always including this attribute
>>>>>    in Allocate and Refresh messages.  When the server receives the
>>>>>    Refresh request, it notices that the nonce value has expired, and so
>>>>>    replies with 438 (Stale Nonce) error given a new nonce value.  The
>>>>>    client then reattempts the request, this time with the new nonce
>>>>>    value.  This second attempt is accepted, and the server replies with
>>>>>    a success response.  Note that the client did not include a LIFETIME
>>>>>    attribute in the request, so the server refreshes the allocation for
>>>>>    the default lifetime of 10 minutes (as can be seen by the LIFETIME
>>>>>    attribute in the success response).
>>>>>
>>>>> I notice that this part nor the text before appears to discuss the
>>>>> permission lifetime that will expire after 5 minutes. Thus, it needs
>>>>> to be refreshed prior to the Allocation.
>>>>>
>>>>> AH. Section 18.
>>>>>
>>>>> I am missing any example having to do with Address Family interactions.
>>>>>
>>>>> AI. DTLS Cipher Suits
>>>>>
>>>>> Am I understanding it correct that the definition of what DTLS
>>>>> cipher suit that a TURN Server currently is to support is the ones in RFC
>> 7525?
>>>>>
>>>>> In that case, I think the wording is a bit weak as the only
>>>>> reference I find are in Section 2.1:
>>>>>
>>>>> If (D)TLS transport is
>>>>>    used between the TURN client and the TURN server, the guidance given
>>>>>    in [RFC7525] MUST be followed to avoid attacks on (D)TLS.
>>>>>
>>>>>
>>>>> Cheers
>>>>>
>>>>> Magnus Westerlund
>>>>>
>>>>> --------------------------------------------------------------------
>>>>> -- Network Architecture & Protocols, Ericsson Research
>>>>> ----------------------------------------------------------------------
>>>>> Ericsson AB                 | Phone  +46 10 7148287
>>>>> Torshamnsgatan 23           | Mobile +46 73 0949079
>>>>> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
>>>>> --------------------------------------------------------------------
>>>>> --
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> tram mailing list
>>>>> tram@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/tram
>>>>>
>>>>
>>>
>>
>> _______________________________________________
>> tram mailing list
>> tram@ietf.org
>> https://www.ietf.org/mailman/listinfo/tram
>

v2.23.0 | Report a Bug | By Email