Re: [tram] Path Forward for STUN ORIGIN - analysis
Cullen Jennings <fluffy@iii.ca> Thu, 27 August 2015 13:44 UTC
Return-Path: <fluffy@iii.ca>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9C0B1A1B6A for <tram@ietfa.amsl.com>; Thu, 27 Aug 2015 06:44:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCM4H6J2DWPk for <tram@ietfa.amsl.com>; Thu, 27 Aug 2015 06:43:58 -0700 (PDT)
Received: from smtp80.ord1c.emailsrvr.com (smtp80.ord1c.emailsrvr.com [108.166.43.80]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD4871A9008 for <tram@ietf.org>; Thu, 27 Aug 2015 06:43:58 -0700 (PDT)
Received: from smtp27.relay.ord1c.emailsrvr.com (localhost.localdomain [127.0.0.1]) by smtp27.relay.ord1c.emailsrvr.com (SMTP Server) with ESMTP id 0DEC13801E9; Thu, 27 Aug 2015 09:43:58 -0400 (EDT)
Received: by smtp27.relay.ord1c.emailsrvr.com (Authenticated sender: fluffy-AT-iii.ca) with ESMTPSA id 5797E380318; Thu, 27 Aug 2015 09:43:57 -0400 (EDT)
X-Sender-Id: fluffy@iii.ca
Received: from [192.168.4.100] ([UNAVAILABLE]. [128.107.241.180]) (using TLSv1 with cipher DHE-RSA-AES256-SHA) by 0.0.0.0:465 (trex/5.4.2); Thu, 27 Aug 2015 13:43:58 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Cullen Jennings <fluffy@iii.ca>
In-Reply-To: <CAKhHsXGwB1vovKQYaGnoZ1MuzREbDA8cTp4sCePNc6=saKN5BA@mail.gmail.com>
Date: Thu, 27 Aug 2015 07:43:55 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <481CA2CB-22F9-4E75-837E-E03C8CB27EF5@iii.ca>
References: <CAKhHsXGwB1vovKQYaGnoZ1MuzREbDA8cTp4sCePNc6=saKN5BA@mail.gmail.com>
To: Alan Johnston <alan.b.johnston@gmail.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/JssEcMUO98CWfNV1QIiBe6kx6TM>
Cc: "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Path Forward for STUN ORIGIN - analysis
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 13:44:00 -0000
more or the analysis of cases 4 and 5 > On Aug 25, 2015, at 1:57 PM, Alan Johnston <alan.b.johnston@gmail.com> wrote: > > > 4. Authorization at border TURN server after authentication. An enterprise border TURN server can apply policy and allow usage for certain Origins (whitelist) or block usage of others (blacklist). > > 5. draft-jennings-behave-rtcweb-firewall-01 discusses how a firewall with STUN server could use ORIGIN in authorization decisions. > ... > > In comparing this solution against the use cases above: > > 4. & 5. Does not seem provide a good solution for these use cases. > I think the solution here does meet the most important pats of use case 4 and 5... let me explain. For case 5 ... For applications that care about working in network environments that require the ORIGIN, they will have to add a DNS entry to point at the turn server they want to use. Note they don't have to run their own TURN or STUN server, they just have to have a DNS entry that points at the one they use then use the DNS name that matches their website in the javascript. The -02 firewall draft is updated to assume a solution like this. For case 4 ... I'm not seeing the problem. The DNS name of the TURN server would have been provided along with credential s by whatever discover / configuration mechanisms gave it to the browser so it would match and would be provided.
- [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Tirumaleswar Reddy (tireddy)
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - analysis Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - how to … Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Justin Uberti
- [tram] Oauth vs Origin [Was: Path Forward for STU… Justin Uberti
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Oleg Moskalenko
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Tirumaleswar Reddy (tireddy)
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams