IETF Logo Mail Archive

Re: [tram] Review of draft-johnston-tram-stun-origin-02

Oleg Moskalenko <mom040267@gmail.com> Thu, 05 June 2014 19:55 UTC

Return-Path: <mom040267@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBDB81A025B for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 12:55:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1aZLtEpkp0V7 for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 12:55:55 -0700 (PDT)
Received: from mail-we0-x235.google.com (mail-we0-x235.google.com [IPv6:2a00:1450:400c:c03::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8152F1A018E for <tram@ietf.org>; Thu, 5 Jun 2014 12:55:54 -0700 (PDT)
Received: by mail-we0-f181.google.com with SMTP id w61so1687536wes.40 for <tram@ietf.org>; Thu, 05 Jun 2014 12:55:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=jEUtiPaEdOWPGZB3wGLstAdu9rles9lXznsf876tSH0=; b=UPSqsTrOtY/3R6Geg31/mg7+mKzncoSLltdYt1isPOpP0Jv4c4IzCpYisEjvutBnvS p63OwWcAoGViR2lTGfxF3jLT0PkNk+qYUhK14Rk+JMjFs2RdnZ8pk0YPJyA4YPypZVq6 cY46Xu2lgfguiZdnEFZmALVsyTZWMMBm0HrWptURRb6njep5K0Om4qJbqsafbyu8b1FU f5sBLlLPfESBVEA/zS3zQtQOnLpP6939DbX9lBmPzigZ5XXH1mEt3QQwRN6tl8vkJJZ5 hX4oaT3tdq4a8I6MbA/OfiSclTE25DdvYTUw/iPoVSuwE8Y99bSVpySVs5869ifCTgig 965g==
MIME-Version: 1.0
X-Received: by 10.194.82.170 with SMTP id j10mr85776998wjy.63.1401998146802; Thu, 05 Jun 2014 12:55:46 -0700 (PDT)
Received: by 10.194.120.71 with HTTP; Thu, 5 Jun 2014 12:55:46 -0700 (PDT)
In-Reply-To: <9F33F40F6F2CD847824537F3C4E37DDF17DE3355@MCHP04MSX.global-ad.net>
References: <5368BF90.2070307@getjive.com> <CAKhHsXFqvySLXqFddBCtYmosN=6GqrO7X_JDnFtqiA+C38x5ug@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17DE3241@MCHP04MSX.global-ad.net> <166C39DF-CA68-4C9C-8553-197C2C75B382@gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17DE3355@MCHP04MSX.global-ad.net>
Date: Thu, 05 Jun 2014 12:55:46 -0700
Message-ID: <CALDtMrKxd=bowBag0_Z8sSGPMfjUHBTOzX6F233WFDVPa1rgrg@mail.gmail.com>
From: Oleg Moskalenko <mom040267@gmail.com>
To: "Hutton, Andrew" <andrew.hutton@unify.com>
Content-Type: multipart/alternative; boundary="047d7bb04fee843af704fb1c2177"
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/R_p0uJniSxbZaymU1XWnEAAbeLY
Cc: Alan Johnston <alan.b.johnston@gmail.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 19:55:57 -0000

If we do want to support multiple origins per request then we have to
state, clearly, three things:

  1) Use cases.
  2) How we use multiple origins when we process the request.
  3) How we format multiple origins in the request - as comma-separated
single field or multiple origin attributes. As STUN/TURN is a binary
protocol, I think that the second option is better.

The usefulness of multiple origins in TURN is not very obvious to me. I
implemented ORIGIN in a pilot implementation
https://code.google.com/p/coturn/ but I assumed a single ORIGIN field per
request.

Oleg





On Thu, Jun 5, 2014 at 7:48 AM, Hutton, Andrew <andrew.hutton@unify.com>
wrote:

> Multiple Origins for HTTP Requests are covered in
> http://tools.ietf.org/html/rfc6454#section-7.2 I just assumed the same
> would apply to the usage in this context.
>
> Andy
>
> > -----Original Message-----
> > From: Oleg Moskalenko [mailto:mom040267@gmail.com]
> > Sent: 05 June 2014 15:26
> > To: Hutton, Andrew
> > Cc: Alan Johnston; tram@ietf.org
> > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
> >
> > What would be the purpose of multiple origins ?
> >
> > Oleg
> >
> > On Jun 5, 2014, at 7:19 AM, "Hutton, Andrew" <andrew.hutton@unify.com>
> > wrote:
> > Hi,
> >
> > I had another read through this draft and hope we can move this forward
> > and adopt the draft soon.
> >
> > I only have one additional comment at this time and that is that I
> > assume it should be possible for the client to include more than one
> > origin in the Origin header field and if so the procedures around this
> > should explained in the draft.
> >
> > Regards
> > Andy
> >
> >
> >
> >
> > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Alan Johnston
> > Sent: 07 May 2014 18:50
> > To: Marc Petit-Huguenin
> > Cc: tram@ietf.org
> > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
> >
> > Marc,
> >
> > Thanks for the review.  See my comments below.
> >
> > - Alan -
> >
> > On Tue, May 6, 2014 at 5:55 AM, Marc Petit-Huguenin
> > <marcph@getjive.com> wrote:
> > A1. Intended Status: Informational
> >
> > Shouldn't this be Standard Track?
> >
> > Yes.
> >
> > A2. Section 1, 2nd paragraph, last sentence: "as generating the
> > response..."
> >
> > I do not think that the reason for no authentication for the NAT
> > Discovery Usage is because it is less work, but because there is no
> > resource to protect so adding more work does not make sense.
> >
> > I disagree that there is *no* resource to protect.  A STUN server might
> > be minimal resources, but not none.  If a simple authentication scheme
> > were available, I'm sure some people would use it so they could
> > minimize the cost of their server footprint by ensuring that only
> > authenticated users were utilizing it.  I will add some text pointing
> > out that the minimal resources.
> >
> > A3. Section 1, 8th paragraph
> >
> > I do not think that the ORIGIN should be used to select the certificate
> > when (D)TLS is used.  First it does not work with DANE, as when an SRV
> > (and probably NAPTR too, but that's undefined yet) RR redirects to a
> > different domain, the domain to be checked with is the host name, not
> > the service domain (see draft-ietf-dane-srv).  For non-DANE cases, I
> > think that the correct way to select the certificate is to use SNI.
> >
> > The draft does not suggest that ORIGIN be used to select certificates -
> > as Oleg pointed out it isn't possible.  This paragraph was describing
> > how RFC 6066 does not solve the problem, as had been suggested on the
> > list.
> >
> >
> > So I would suggest to restrict the normative use of ORIGIN only to
> > select realms.
> >
> > A4. Section 2.2. ORIGIN attribute usage
> >
> > The text does not say if the ORIGIN attribute should/can be provided
> > after the authentication (i.e. refresh, data packets, etc...)
> >
> > Currently, the text says SHOULD include, for a conformant client.  For
> > logging, it has value even after the initial authentication.
> >
> >
> > A5. Section 2.2.  Mandatory support for server
> >
> > How a TURN server that requires the usage of ORIGIN can signal this?
> >
> > Right now there is no way to do this.  I agree with Oleg that it is up
> > to the server what to do if ORIGIN is no present.
> >
> > A6. Section 2. Other Usages
> >
> > I think that other STUN Usages should be listed after section 2.3:
> >
> > - Media Keep-Alive Usage (Section 20 of RFC5245)
> > - SIP Keep-Alive Usage (RFC 5626)
> > - NAT Behavior Discovery Usage (RFC 5780)
> >
> > I'll take a look at these scenarios.  I suspect that it would be a
> > reasonable usage for client-to-server usages, but not for peer-to-peer
> > usages.
> >
> > A7. Section 4, 3rd paragraph: "If the STUN MESSAGE-INTEGRITY attribute
> > is present, the contents of the ORIGIN attribute are integrity
> > protected."
> >
> > Which never happen in the usages listed in the document:  for section
> > 2.1, there is never an integrity protection, and for 2.2, the ORIGIN is
> > needed to select the realm, so the ORIGIN is sent before it can be
> > protected.  Perhaps 2.2 should say that if ORIGIN was sent to select
> > the
> > realm, it MUST be repeated at identical on the second Allocate (the one
> > that has an M-I) and that the server MUST reject it if it is not
> > identical to the first one.  Not sure it matters though.
> >
> > I agree that there is no integrity protection of the ORIGIN attribute
> > (or any other attribute) until after authentication.  However, ORIGIN
> > can be used both before and after authentication.  I'll review this
> > text and make sure this is clear.  I don't believe we need any special
> > rules, as this applies to any STUN attribute.
> >
> > Nits
> > ----
> >
> > - Section 2, 2nd paragraph: "The number used for the this in the ..."
> >
> > Does not parse.
> >
> > The middle "the" shouldn't be there.
> >
> >
> > --
> > Marc Petit-Huguenin
> > Developer  |  Jive Communications, Inc.
> > Jive.com  |  marcph@getjive.com
> >
> >
> > _______________________________________________
> > tram mailing list
> > tram@ietf.org
> > https://www.ietf.org/mailman/listinfo/tram
> >
> > _______________________________________________
> > tram mailing list
> > tram@ietf.org
> > https://www.ietf.org/mailman/listinfo/tram
>

v2.23.0 | Report a Bug | By Email