Re: [tram] Adam Roach's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)

Adam Roach <adam@nostrum.com> Mon, 18 June 2018 17:45 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E137130F2B; Mon, 18 Jun 2018 10:45:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.88
X-Spam-Level:
X-Spam-Status: No, score=-1.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pOyAzS7Hjvyy; Mon, 18 Jun 2018 10:45:10 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC03D130EE2; Mon, 18 Jun 2018 10:45:10 -0700 (PDT)
Received: from Orochi.local (99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id w5IHj611092905 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Mon, 18 Jun 2018 12:45:07 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host 99-152-146-228.lightspeed.dllstx.sbcglobal.net [99.152.146.228] claimed to be Orochi.local
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, Marc Petit-Huguenin <marc@petit-huguenin.org>, The IESG <iesg@ietf.org>
Cc: tram-chairs@ietf.org, Tolga Asveren <tasveren@rbbn.com>, draft-ietf-tram-stunbis@ietf.org, tram@ietf.org
References: <152403138853.31946.14807823535362928987.idtracker@ietfa.amsl.com> <27cb2f70-d907-b61f-bb5a-6b19053238fe@petit-huguenin.org> <1e8cd5de-06de-6745-fc4d-d15fcdd0b4d9@petit-huguenin.org> <df27ff82-bb5a-8c83-f119-a6f4e9f65a53@nostrum.com> <a5da7dc3-472c-8dcf-27e0-7e334d6590f6@ericsson.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <5ff10fb0-301e-5d97-01b0-f15296bae0d3@nostrum.com>
Date: Mon, 18 Jun 2018 12:45:01 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <a5da7dc3-472c-8dcf-27e0-7e334d6590f6@ericsson.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/RQdktrNinvHT-Ja1JhonIKnoA-Y>
Subject: Re: [tram] Adam Roach's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 17:45:33 -0000

Gonzalo:

TL;DR -- unless someone can find evidence indicating what the WG 
intended, I believe we are waiting on you and Simon.

I had two responses in my most recent message. I presume the first 
should be uncontroversial.

The second point pertains to how the working group intended to treat IP 
addresses in STUNS URIs. The document right now is ambiguous and 
self-contradictory. If this has been discussed in the past, then the 
document simply needs to be updated to reflect the outcome of that 
conversation. If not, then I believe the WG needs to have a conversation 
about what is intended.

As it stands, the document will lead to various notions about whether 
(and how) IP addresses can be used, which will be an interop nightmare.

/a

On 6/18/18 05:41, Gonzalo Camarillo wrote:
> Marc, Adam,
>
> what is the status of this discussion?
>
> Thanks,
>
> Gonzalo
>
> On 21/05/2018 9:11 PM, Adam Roach wrote:
>> Sorry for taking so long to get back to you on this. Two responses below
>> -- everything else looks good.
>>
>> On 5/3/18 6:37 PM, Marc Petit-Huguenin wrote:
>>> On 04/23/2018 03:37 PM, Marc Petit-Huguenin wrote:
>>>>> ---------------------------------------------------------------------------
>>>>>
>>>>>
>>>>> §17.3.1:
>>>>>
>>>>>>    IANA is requested to update the names for attributes 0x0002, 0x0003,
>>>>>>    0x0004, 0x0005, 0x0007, and 0x000B, and the reference from RFC 5389
>>>>>>    to RFC-to-be for the following STUN methods:
>>>>> ...
>>>>>>    0x0003: (Reserved; prior to [RFC5389] this was CHANGE-REQUEST)
>>>>> The attribute 0x0003 is registered by RFC 5780, and should not be
>>>>> removed by this document.
>>>> Fixed.
>>
>> Thanks for the change, but the new text still asks IANA to update the
>> table so that 0x0003 points to *this* document, instead of continuing to
>> point to RFC 5780. Since this document does not do anything with
>> CHANGE-REQUEST, this update does not seem correct.
>>
>>
>>>>> ---------------------------------------------------------------------------
>>>>>
>>>>>
>>>>> §6.2.3 says:
>>>>>
>>>>>>    Alternatively, a
>>>>>>    client MAY be configured with a set of IP addresses that are
>>>>>> trusted;
>>>>>>    if a certificate is received that identifies one of those IP
>>>>>>    addresses, the client considers the identity of the server to be
>>>>>>    verified.
>>>>> Presumably, this means the server supplies a certificate with
>>>>> SubjectAltName
>>>>> containing an iPAddress? Please add text to clarify whether that's the
>>>>> intention.
>>>>>
>>>>> If that *is* the intended meaning, then this behavior in §8.1 seems
>>>>> unnecessarily restrictive:
>>>>>
>>>>>>    A "stuns" URI
>>>>>>    containing an IP address MUST be rejected, unless the domain name is
>>>>>>    provided by the same mechanism that provided the STUN URI, and that
>>>>>>    domain name can be passed to the verification code.
>>>>> Presumably, this is done because certs with iPAddress-form
>>>>> SubjectAltNames are
>>>>> pretty rare (although CAB Forum baseline requirements do explicitly
>>>>> allow
>>>>> their issuance) -- but if the text in §6.2.3 is based on allowing
>>>>> the use of
>>>>> such certs in a TURN deployment, then it seems that URI resolution
>>>>> should be
>>>>> also.
>>>>>
>>>> I am not sure what was the intent there, so I'll work on that later.
>>> We addressed all the other comments, but it would be great if you
>>> could suggest some text to address that one.
>> I'm not sure what was meant either!
>>
>> I think we need to untangle what the working group meant to say
>> regarding "trusted IP addresses," the way this protocol is intended to
>> use certs, and whether the prohibition on using IP addresses in "stuns"
>> URIs derives from cert handling or if it has a completely different
>> rationale behind it; and, if the former, ensure that those things that
>> are prohibited or allowed in certs are similarly prohibited or allowed
>> in URIs.
>>
>> I can suggest some *behavior*, but unless there is some record of what
>> the WG meant, any such behavior would need to be discussed by the
>> working group, and a consensus would need to be declared by the chairs.
>>
>>
>> /a
>>