Re: [tram] Review of draft-johnston-tram-stun-origin-02
Oleg Moskalenko <mom040267@gmail.com> Thu, 05 June 2014 19:55 UTC
Return-Path: <mom040267@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBDB81A025B for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 12:55:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1aZLtEpkp0V7 for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 12:55:55 -0700 (PDT)
Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8152F1A018E for <tram@ietf.org>; Thu, 5 Jun 2014 12:55:54 -0700 (PDT)
Received: by mail-we0-f181.google.com with SMTP id w61so1687536wes.40 for <tram@ietf.org>; Thu, 05 Jun 2014 12:55:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=jEUtiPaEdOWPGZB3wGLstAdu9rles9lXznsf876tSH0=; b=UPSqsTrOtY/3R6Geg31/mg7+mKzncoSLltdYt1isPOpP0Jv4c4IzCpYisEjvutBnvS p63OwWcAoGViR2lTGfxF3jLT0PkNk+qYUhK14Rk+JMjFs2RdnZ8pk0YPJyA4YPypZVq6 cY46Xu2lgfguiZdnEFZmALVsyTZWMMBm0HrWptURRb6njep5K0Om4qJbqsafbyu8b1FU f5sBLlLPfESBVEA/zS3zQtQOnLpP6939DbX9lBmPzigZ5XXH1mEt3QQwRN6tl8vkJJZ5 hX4oaT3tdq4a8I6MbA/OfiSclTE25DdvYTUw/iPoVSuwE8Y99bSVpySVs5869ifCTgig 965g==
MIME-Version: 1.0
X-Received: by 10.194.82.170 with SMTP id j10mr85776998wjy.63.1401998146802; Thu, 05 Jun 2014 12:55:46 -0700 (PDT)
Received: by 10.194.120.71 with HTTP; Thu, 5 Jun 2014 12:55:46 -0700 (PDT)
In-Reply-To: <9F33F40F6F2CD847824537F3C4E37DDF17DE3355@MCHP04MSX.global-ad.net>
References: <5368BF90.2070307@getjive.com> <CAKhHsXFqvySLXqFddBCtYmosN=6GqrO7X_JDnFtqiA+C38x5ug@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17DE3241@MCHP04MSX.global-ad.net> <166C39DF-CA68-4C9C-8553-197C2C75B382@gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17DE3355@MCHP04MSX.global-ad.net>
Date: Thu, 05 Jun 2014 12:55:46 -0700
Message-ID: <CALDtMrKxd=bowBag0_Z8sSGPMfjUHBTOzX6F233WFDVPa1rgrg@mail.gmail.com>
From: Oleg Moskalenko <mom040267@gmail.com>
To: "Hutton, Andrew" <andrew.hutton@unify.com>
Content-Type: multipart/alternative; boundary="047d7bb04fee843af704fb1c2177"
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/R_p0uJniSxbZaymU1XWnEAAbeLY
Cc: Alan Johnston <alan.b.johnston@gmail.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 19:55:57 -0000
If we do want to support multiple origins per request then we have to state, clearly, three things: 1) Use cases. 2) How we use multiple origins when we process the request. 3) How we format multiple origins in the request - as comma-separated single field or multiple origin attributes. As STUN/TURN is a binary protocol, I think that the second option is better. The usefulness of multiple origins in TURN is not very obvious to me. I implemented ORIGIN in a pilot implementation https://code.google.com/p/coturn/ but I assumed a single ORIGIN field per request. Oleg On Thu, Jun 5, 2014 at 7:48 AM, Hutton, Andrew <andrew.hutton@unify.com> wrote: > Multiple Origins for HTTP Requests are covered in > http://tools.ietf.org/html/rfc6454#section-7.2 I just assumed the same > would apply to the usage in this context. > > Andy > > > -----Original Message----- > > From: Oleg Moskalenko [mailto:mom040267@gmail.com] > > Sent: 05 June 2014 15:26 > > To: Hutton, Andrew > > Cc: Alan Johnston; tram@ietf.org > > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02 > > > > What would be the purpose of multiple origins ? > > > > Oleg > > > > On Jun 5, 2014, at 7:19 AM, "Hutton, Andrew" <andrew.hutton@unify.com> > > wrote: > > Hi, > > > > I had another read through this draft and hope we can move this forward > > and adopt the draft soon. > > > > I only have one additional comment at this time and that is that I > > assume it should be possible for the client to include more than one > > origin in the Origin header field and if so the procedures around this > > should explained in the draft. > > > > Regards > > Andy > > > > > > > > > > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Alan Johnston > > Sent: 07 May 2014 18:50 > > To: Marc Petit-Huguenin > > Cc: tram@ietf.org > > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02 > > > > Marc, > > > > Thanks for the review. See my comments below. > > > > - Alan - > > > > On Tue, May 6, 2014 at 5:55 AM, Marc Petit-Huguenin > > <marcph@getjive.com> wrote: > > A1. Intended Status: Informational > > > > Shouldn't this be Standard Track? > > > > Yes. > > > > A2. Section 1, 2nd paragraph, last sentence: "as generating the > > response..." > > > > I do not think that the reason for no authentication for the NAT > > Discovery Usage is because it is less work, but because there is no > > resource to protect so adding more work does not make sense. > > > > I disagree that there is *no* resource to protect. A STUN server might > > be minimal resources, but not none. If a simple authentication scheme > > were available, I'm sure some people would use it so they could > > minimize the cost of their server footprint by ensuring that only > > authenticated users were utilizing it. I will add some text pointing > > out that the minimal resources. > > > > A3. Section 1, 8th paragraph > > > > I do not think that the ORIGIN should be used to select the certificate > > when (D)TLS is used. First it does not work with DANE, as when an SRV > > (and probably NAPTR too, but that's undefined yet) RR redirects to a > > different domain, the domain to be checked with is the host name, not > > the service domain (see draft-ietf-dane-srv). For non-DANE cases, I > > think that the correct way to select the certificate is to use SNI. > > > > The draft does not suggest that ORIGIN be used to select certificates - > > as Oleg pointed out it isn't possible. This paragraph was describing > > how RFC 6066 does not solve the problem, as had been suggested on the > > list. > > > > > > So I would suggest to restrict the normative use of ORIGIN only to > > select realms. > > > > A4. Section 2.2. ORIGIN attribute usage > > > > The text does not say if the ORIGIN attribute should/can be provided > > after the authentication (i.e. refresh, data packets, etc...) > > > > Currently, the text says SHOULD include, for a conformant client. For > > logging, it has value even after the initial authentication. > > > > > > A5. Section 2.2. Mandatory support for server > > > > How a TURN server that requires the usage of ORIGIN can signal this? > > > > Right now there is no way to do this. I agree with Oleg that it is up > > to the server what to do if ORIGIN is no present. > > > > A6. Section 2. Other Usages > > > > I think that other STUN Usages should be listed after section 2.3: > > > > - Media Keep-Alive Usage (Section 20 of RFC5245) > > - SIP Keep-Alive Usage (RFC 5626) > > - NAT Behavior Discovery Usage (RFC 5780) > > > > I'll take a look at these scenarios. I suspect that it would be a > > reasonable usage for client-to-server usages, but not for peer-to-peer > > usages. > > > > A7. Section 4, 3rd paragraph: "If the STUN MESSAGE-INTEGRITY attribute > > is present, the contents of the ORIGIN attribute are integrity > > protected." > > > > Which never happen in the usages listed in the document: for section > > 2.1, there is never an integrity protection, and for 2.2, the ORIGIN is > > needed to select the realm, so the ORIGIN is sent before it can be > > protected. Perhaps 2.2 should say that if ORIGIN was sent to select > > the > > realm, it MUST be repeated at identical on the second Allocate (the one > > that has an M-I) and that the server MUST reject it if it is not > > identical to the first one. Not sure it matters though. > > > > I agree that there is no integrity protection of the ORIGIN attribute > > (or any other attribute) until after authentication. However, ORIGIN > > can be used both before and after authentication. I'll review this > > text and make sure this is clear. I don't believe we need any special > > rules, as this applies to any STUN attribute. > > > > Nits > > ---- > > > > - Section 2, 2nd paragraph: "The number used for the this in the ..." > > > > Does not parse. > > > > The middle "the" shouldn't be there. > > > > > > -- > > Marc Petit-Huguenin > > Developer | Jive Communications, Inc. > > Jive.com | marcph@getjive.com > > > > > > _______________________________________________ > > tram mailing list > > tram@ietf.org > > https://www.ietf.org/mailman/listinfo/tram > > > > _______________________________________________ > > tram mailing list > > tram@ietf.org > > https://www.ietf.org/mailman/listinfo/tram >
- [tram] Review of draft-johnston-tram-stun-origin-… Marc Petit-Huguenin
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Alan Johnston
- Re: [tram] Review of draft-johnston-tram-stun-ori… Hutton, Andrew
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Hutton, Andrew
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Alan Johnston