Re: [tram] HA1 vs HA1b with TURN
Alan Johnston <alan.b.johnston@gmail.com> Thu, 22 October 2015 06:12 UTC
Return-Path: <alan.b.johnston@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C6451B2F14 for <tram@ietfa.amsl.com>; Wed, 21 Oct 2015 23:12:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_21=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IKY0cTA-ofqB for <tram@ietfa.amsl.com>; Wed, 21 Oct 2015 23:12:10 -0700 (PDT)
Received: from mail-pa0-x234.google.com (mail-pa0-x234.google.com [IPv6:2607:f8b0:400e:c03::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 283EF1B377C for <tram@ietf.org>; Wed, 21 Oct 2015 23:12:10 -0700 (PDT)
Received: by pacfv9 with SMTP id fv9so81086406pac.3 for <tram@ietf.org>; Wed, 21 Oct 2015 23:12:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=UyXfvHG+rup4iZc6iem0wqU/UH9yoOxaG0BzGqCkG7Y=; b=IIaf+h4M7pwQjxARY12jBO5AhSjEnlJ/5zvfBB2BidLzUzQhII0vSY7jdoBSFTDCQ7 pF+Uv3GLks+TGB13qkJ03pP+t30fl7TdwQeLOhaKlIneWDap8Ep3/Wk1hy/vWX7V6UMh h8uEIB0krs2ihvCXkkFsfhwm1YWyi47qf/4JBV2G3kkLGonf2FC5t0Dj9V/Z25hSE0mI udHE7tIhrw/bG2VZtbP4MI4Ndk9KIRcP6SOTL0I3SlJACEuW2mSI3SQbf1e8d163CtwA nDy9TGrl2oYqEZF1rmVQ1V67AeIdUu8IRaGJ5xhbJS8HWfN6Z5OU0S/qQD+HHfOrJeq6 TnoQ==
X-Received: by 10.68.102.2 with SMTP id fk2mr15220143pbb.129.1445494329755; Wed, 21 Oct 2015 23:12:09 -0700 (PDT)
Received: from [192.168.1.9] (c-73-42-162-82.hsd1.wa.comcast.net. [73.42.162.82]) by smtp.gmail.com with ESMTPSA id it10sm12271241pbc.14.2015.10.21.23.12.09 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 21 Oct 2015 23:12:09 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (1.0)
From: Alan Johnston <alan.b.johnston@gmail.com>
X-Mailer: iPhone Mail (13A452)
In-Reply-To: <CALDtMr+mDth+faY+vtNVvg7m66Aa4RXzDdYic79iG2uZLQsRLA@mail.gmail.com>
Date: Wed, 21 Oct 2015 23:12:08 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <06FF81F8-98B3-482F-82D1-252447D19F80@gmail.com>
References: <5627F681.3010601@pocock.pro> <CALDtMr+mDth+faY+vtNVvg7m66Aa4RXzDdYic79iG2uZLQsRLA@mail.gmail.com>
To: Oleg Moskalenko <mom040267@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/PMi_xkAMcohiqv913OIo3Us8MME>
Cc: Daniel Pocock <daniel@pocock.pro>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] HA1 vs HA1b with TURN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 06:12:12 -0000
I agree that STUN ORIGIN could work for this. I have revised the draft based on list discussion and think these changes will resolve the DISCUSSes blocking the draft. Feedback from the working group on whether this is the best path forward for STUN Origin would be helpful. - Alan - > On Oct 21, 2015, at 2:12 PM, Oleg Moskalenko <mom040267@gmail.com> wrote: > > Hi Daniel > > please see below: > >> On Wed, Oct 21, 2015 at 1:33 PM, Daniel Pocock <daniel@pocock.pro> wrote: >> >> >> I've been working with a few projects that use the "HA1b" for DIGEST and >> HMAC, e.g. >> >> HA1 = H(user:realm:password) >> >> HA1b = H(user@domain:realm:password) >> where domain (sometimes) == realm >> >> When a client is configured (user enters their SIP or XMPP address and >> their password for the first time), the client doesn't really know if it >> should use the HA1 or HA1b approach. Many default to HA1 but give the >> user the option to manually configure an auth username. >> >> Furthermore, when a SIP client sends a request, the request includes >> things like a request URI, From and To headers that allow the server or >> proxy to work out which realm to challenge with (if it supports more >> than one realm). The initial request to a TURN server doesn't give such >> clues, consequently, the TURN server typically just has a single realm. >> RFC 5389 s10.2.1.1 specifies that the client should not send username >> or realm values with the first request to the server. It is in these >> scenarios that HA1b can be particularly useful for virtual hosting on a >> single TURN server on a single UDP port. >> >> Therefore, a few things come to mind: >> >> - could the client send some attribute in the first request (RFC 5389 >> s10.2.1.1) to inform the TURN server about the full username@domain? > > there is ORIGIN draft: > > https://tools.ietf.org/html/draft-ietf-tram-stun-origin-06 > > that is the attribute that you are looking for - it allows building a > server that supports multiple realms. I am not sure about its future, > but coturn supports that functionality. > > Also, there is a third-party authorization RFC 7635 that also allows > multiple realms, but it is rather different from the usual scheme. > > But the TURN server is never using HA1b, that is not a standard > feature. With ORIGIN, you may have same user names in different > realms, and those users exist independently because all data and the > authentication are using realm as part of the key. > >> >> - could the TURN server challenge include some attribute telling the >> client to use the HA1b approach? > > Not in the current scheme. > >> >> _______________________________________________ >> tram mailing list >> tram@ietf.org >> https://www.ietf.org/mailman/listinfo/tram > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram
- [tram] HA1 vs HA1b with TURN Daniel Pocock
- Re: [tram] HA1 vs HA1b with TURN Oleg Moskalenko
- Re: [tram] HA1 vs HA1b with TURN Alan Johnston