Re: [tram] Review of draft-johnston-tram-stun-origin-02
Alan Johnston <alan.b.johnston@gmail.com> Wed, 07 May 2014 17:49 UTC
Return-Path: <alan.b.johnston@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BBED1A08B1 for <tram@ietfa.amsl.com>; Wed, 7 May 2014 10:49:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A0Sl8Qd2T490 for <tram@ietfa.amsl.com>; Wed, 7 May 2014 10:49:52 -0700 (PDT)
Received: from mail-we0-x231.google.com (mail-we0-x231.google.com [IPv6:2a00:1450:400c:c03::231]) by ietfa.amsl.com (Postfix) with ESMTP id F1EDA1A08A7 for <tram@ietf.org>; Wed, 7 May 2014 10:49:49 -0700 (PDT)
Received: by mail-we0-f177.google.com with SMTP id x48so1378729wes.36 for <tram@ietf.org>; Wed, 07 May 2014 10:49:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=8m6a4VVe9Auw+re8qndeWi6RbVqnNpJGttqODPhC8gY=; b=Tb8+YdWpBx+3B0KuCXdzOM7ZlRfuqYRQEhMUYDKwHyNnhS6PdlTOi28XbLASecHGhA vTJ2dylo/iwzTXagcJa0M5bJpTd503VpdT5GZWvrN2SJfU85iojlscHAgMOqlmCASsRu XlE9zo7nkOwh7bTvEj4gfbFSSyAb+ty+cpvzhp6UyfOzUujVUzLCQhbLswYd+7w1Xx9s tQYcY++XZnyGt/yGo7TbzLINaOTdrrTSyi9dS9dDvHP5b9MbgPise8KaLtXbWvlyKOg1 jm01kMWY+AVs91yuUtnre4SF3QRute12gtQ2iogYqFQ9V5eb1y8C8ajGm4YqkBQ/TUYN FHzw==
MIME-Version: 1.0
X-Received: by 10.194.84.101 with SMTP id x5mr9360608wjy.52.1399484985223; Wed, 07 May 2014 10:49:45 -0700 (PDT)
Received: by 10.217.152.200 with HTTP; Wed, 7 May 2014 10:49:45 -0700 (PDT)
In-Reply-To: <5368BF90.2070307@getjive.com>
References: <5368BF90.2070307@getjive.com>
Date: Wed, 07 May 2014 12:49:45 -0500
Message-ID: <CAKhHsXFqvySLXqFddBCtYmosN=6GqrO7X_JDnFtqiA+C38x5ug@mail.gmail.com>
From: Alan Johnston <alan.b.johnston@gmail.com>
To: Marc Petit-Huguenin <marcph@getjive.com>
Content-Type: multipart/alternative; boundary="047d7bb04dce69b1ee04f8d2fd4f"
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/K_YfIa_sCqF7g2chvwh0lo44gCw
Cc: "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 May 2014 17:49:55 -0000
Marc, Thanks for the review. See my comments below. - Alan - On Tue, May 6, 2014 at 5:55 AM, Marc Petit-Huguenin <marcph@getjive.com>wrote: > A1. Intended Status: Informational > > Shouldn't this be Standard Track? > > Yes. > A2. Section 1, 2nd paragraph, last sentence: "as generating the > response..." > > I do not think that the reason for no authentication for the NAT > Discovery Usage is because it is less work, but because there is no > resource to protect so adding more work does not make sense. > > I disagree that there is *no* resource to protect. A STUN server might be minimal resources, but not none. If a simple authentication scheme were available, I'm sure some people would use it so they could minimize the cost of their server footprint by ensuring that only authenticated users were utilizing it. I will add some text pointing out that the minimal resources. > A3. Section 1, 8th paragraph > > I do not think that the ORIGIN should be used to select the certificate > when (D)TLS is used. First it does not work with DANE, as when an SRV > (and probably NAPTR too, but that's undefined yet) RR redirects to a > different domain, the domain to be checked with is the host name, not > the service domain (see draft-ietf-dane-srv). For non-DANE cases, I > think that the correct way to select the certificate is to use SNI. > The draft does not suggest that ORIGIN be used to select certificates - as Oleg pointed out it isn't possible. This paragraph was describing how RFC 6066 does not solve the problem, as had been suggested on the list. > > So I would suggest to restrict the normative use of ORIGIN only to > select realms. > > A4. Section 2.2. ORIGIN attribute usage > > The text does not say if the ORIGIN attribute should/can be provided > after the authentication (i.e. refresh, data packets, etc...) > Currently, the text says SHOULD include, for a conformant client. For logging, it has value even after the initial authentication. > > A5. Section 2.2. Mandatory support for server > > How a TURN server that requires the usage of ORIGIN can signal this? > > Right now there is no way to do this. I agree with Oleg that it is up to the server what to do if ORIGIN is no present. > A6. Section 2. Other Usages > > I think that other STUN Usages should be listed after section 2.3: > > - Media Keep-Alive Usage (Section 20 of RFC5245) > - SIP Keep-Alive Usage (RFC 5626) > - NAT Behavior Discovery Usage (RFC 5780) > > I'll take a look at these scenarios. I suspect that it would be a reasonable usage for client-to-server usages, but not for peer-to-peer usages. > A7. Section 4, 3rd paragraph: "If the STUN MESSAGE-INTEGRITY attribute > is present, the contents of the ORIGIN attribute are integrity protected." > > Which never happen in the usages listed in the document: for section > 2.1, there is never an integrity protection, and for 2.2, the ORIGIN is > needed to select the realm, so the ORIGIN is sent before it can be > protected. Perhaps 2.2 should say that if ORIGIN was sent to select the > realm, it MUST be repeated at identical on the second Allocate (the one > that has an M-I) and that the server MUST reject it if it is not > identical to the first one. Not sure it matters though. > > I agree that there is no integrity protection of the ORIGIN attribute (or any other attribute) until after authentication. However, ORIGIN can be used both before and after authentication. I'll review this text and make sure this is clear. I don't believe we need any special rules, as this applies to any STUN attribute. > Nits > ---- > > - Section 2, 2nd paragraph: "The number used for the this in the ..." > > Does not parse. > The middle "the" shouldn't be there. > > -- > Marc Petit-Huguenin > Developer | Jive Communications, Inc. > Jive.com | marcph@getjive.com > > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram > >
- [tram] Review of draft-johnston-tram-stun-origin-… Marc Petit-Huguenin
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Alan Johnston
- Re: [tram] Review of draft-johnston-tram-stun-ori… Hutton, Andrew
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Hutton, Andrew
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Alan Johnston