Re: [tram] Contradictions in RFC8489

Simon Perreault <Simon.Perreault@logmein.com> Thu, 25 February 2021 12:49 UTC

From: Simon Perreault <Simon.Perreault@logmein.com>
To: Nils Ohlmeier <nohlmeier@mozilla.com>
CC: "tram@ietf.org" <tram@ietf.org>
Date: Thu, 25 Feb 2021 12:48:59 +0000
Message-ID: <D47E7EAD-0386-45FD-B51B-46621976009D@logmein.com>
References: <2DB77788-814F-4F0D-AD42-B28126F1EFB8@mozilla.com>
In-Reply-To: <2DB77788-814F-4F0D-AD42-B28126F1EFB8@mozilla.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/TNbJGOx4OoFtUAvuZ4rSKu4Oz80>

Nice catch!

Could it be that the use cases hinted at are some kind of anycast support where the anycast address redirects to a unicast address?


15.  Operational Considerations <https://tools.ietf.org/html/rfc8489#section-15>


   STUN MAY be used with anycast addresses, but only with UDP and in
   STUN Usages where authentication is not used.

Simon

On Feb 24, 2021, at 6:58 PM, Nils Ohlmeier <nohlmeier@mozilla.com> wrote:

Hello,

I recently learned about an interesting contradiction in RFC 8489.

When it comes to using the 300 responses with Alternate-Server attributes, section 10 https://tools.ietf.org/html/rfc8489#section-10 says:


   The error response message MAY be
   authenticated; however, there are use cases for ALTERNATE-SERVER
   where authentication of the response is not possible or practical.

But then section 14.8 https://tools.ietf.org/html/rfc8489#section-14.8 in regards to 300 responses says:


   This error response MUST be protected with the
   MESSAGE-INTEGRITY or MESSAGE-INTEGRITY-SHA256 attribute, and
   receivers MUST validate the MESSAGE-INTEGRITY or MESSAGE-
   INTEGRITY-SHA256 of this response before redirecting themselves
   to an alternate server.

Looking at the previous RFCs, it looks like this contradiction has been in the STUN/TURN RFCs for a long time already.

I became aware of this problem because it is causing interop issues between different stacks in the field.

I’m interested in the opinion of the TRAM experts on this topic.

Best regards
  Nils Ohlmeier

_______________________________________________
tram mailing list
tram@ietf.org
https://www.ietf.org/mailman/listinfo/tram
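An added example, written for this thread and not taken from RFC 8489 or from any STUN stack, of the client-side rule the two quoted sections disagree on: a 300 (Try Alternate) response carries ALTERNATE-SERVER, section 14.8 requires MESSAGE-INTEGRITY to verify before the client redirects itself, while the unauthenticated usage of sections 10 and 15 has no key to verify against. Assumptions: short-term-credential keying (the raw password bytes as HMAC key), IPv4 only, and a constructed key, address and transaction ID.

```python
import hashlib
import hmac
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_ERROR_RESPONSE = 0x0111
ATTR_MESSAGE_INTEGRITY, ATTR_ERROR_CODE, ATTR_ALTERNATE_SERVER = 0x0008, 0x0009, 0x8023

def _attr(atype, value):
    # One TLV attribute, value padded to a 4-byte boundary (RFC 8489 section 14).
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)

def build_try_alternate(txid, alt_ip, alt_port, key=None):
    """Constructed server side: a 300 'Try Alternate' response, signed if a key is given."""
    body = _attr(ATTR_ERROR_CODE, struct.pack("!HBB", 0, 3, 0) + b"Try Alternate")
    body += _attr(ATTR_ALTERNATE_SERVER, struct.pack("!BBH", 0, 1, alt_port) + socket.inet_aton(alt_ip))
    if key is not None:
        # HMAC-SHA1 with the header length pre-set to cover the 24-byte MI attribute (section 14.5).
        hdr = struct.pack("!HHI", BINDING_ERROR_RESPONSE, len(body) + 24, MAGIC_COOKIE) + txid
        body += _attr(ATTR_MESSAGE_INTEGRITY, hmac.new(key, hdr + body, hashlib.sha1).digest())
    return struct.pack("!HHI", BINDING_ERROR_RESPONSE, len(body), MAGIC_COOKIE) + txid + body

def parse_attrs(msg):
    # (type, value, offset of the attribute header) for each attribute after the 20-byte header.
    attrs, off = [], 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack_from("!HH", msg, off)
        attrs.append((atype, msg[off + 4:off + 4 + alen], off))
        off += 4 + alen + (-alen % 4)
    return attrs

def alternate_server(msg, key):
    """Client side: (ip, port) if this 300 may be followed, else None.
    key=None models the unauthenticated usage of sections 10/15; with a key, 14.8 applies."""
    mtype, mlen = struct.unpack_from("!HH", msg, 0)
    if mtype != BINDING_ERROR_RESPONSE or mlen != len(msg) - 20:
        return None
    attrs = parse_attrs(msg)
    code = next((v for t, v, _ in attrs if t == ATTR_ERROR_CODE), None)
    alt = next((v for t, v, _ in attrs if t == ATTR_ALTERNATE_SERVER), None)
    if code is None or alt is None or (code[2] & 0x07) * 100 + code[3] != 300:
        return None
    if key is not None:
        mi = next(((v, o) for t, v, o in attrs if t == ATTR_MESSAGE_INTEGRITY), None)
        if mi is None:
            return None  # 14.8: an unprotected 300 must not trigger a redirect
        hdr = struct.pack("!HHI", mtype, mi[1] + 4, MAGIC_COOKIE) + msg[8:20]
        if not hmac.compare_digest(mi[0], hmac.new(key, hdr + msg[20:mi[1]], hashlib.sha1).digest()):
            return None  # forged or tampered redirect
    return socket.inet_ntoa(alt[4:8]), struct.unpack("!H", alt[2:4])[0]
```

Run with the same response once signed and once unsigned: an authenticating client refuses the unsigned one and any tampered one, while the no-key path accepts whatever ALTERNATE-SERVER says, which is the exposure sections 10 and 15 leave open.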