IETF Logo Mail Archive

Re: [tram] Path Forward for STUN ORIGIN

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 27 August 2015 01:15 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B41E11B3863 for <tram@ietfa.amsl.com>; Wed, 26 Aug 2015 18:15:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HvjxWC8vzOj0 for <tram@ietfa.amsl.com>; Wed, 26 Aug 2015 18:15:07 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBCFE1B3861 for <tram@ietf.org>; Wed, 26 Aug 2015 18:15:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=25198; q=dns/txt; s=iport; t=1440638107; x=1441847707; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=GgltgKzoruQXASnoF6f/DeBepaQB0PfmYtApEnoSUZM=; b=ffy9aBUXJk+JrK+QK0qGcBwBlUzohYEjQICRpUEU8AG0iUuA0K2QbsSR qvei8jTUTnu3EasF5BYaJ0jzJ4VAZ9t5ldj3nYRACP/At/GCzsblSMKV4 vQCD5mxlxkkiPP4oOkIk1tH5Lb2MnzjLXMTZsjEPOYGBaXDxcMtzg74RJ s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DJBAAqZN5V/49dJa1dgk5NVGkGgx26JSoBCYF6hXkCHIEaOBQBAQEBAQEBgQqEIwEBAQICIwpMEAIBCBEEAQELHQMCAgIfERQJCAIEAQ0FCBOHfgMSDbN6j0UNhTABAQEBAQEBAQEBAQEBAQEBAQEBAQEXiliBA4I9EoFwGi0EBgEJgmAvgRQFjGyIUAGFBYV/gzdGkRODUINrERWDf3EBgUeBBQEBAQ
X-IronPort-AV: E=Sophos; i="5.17,420,1437436800"; d="scan'208,217"; a="27490567"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-3.cisco.com with ESMTP; 27 Aug 2015 01:15:06 +0000
Received: from XCH-RCD-017.cisco.com (xch-rcd-017.cisco.com [173.37.102.27]) by rcdn-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id t7R1F5Cp008198 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 27 Aug 2015 01:15:05 GMT
Received: from xch-rcd-017.cisco.com (173.37.102.27) by XCH-RCD-017.cisco.com (173.37.102.27) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 26 Aug 2015 20:15:04 -0500
Received: from xhc-rcd-x02.cisco.com (173.37.183.76) by xch-rcd-017.cisco.com (173.37.102.27) with Microsoft SMTP Server (TLS) id 15.0.1104.5 via Frontend Transport; Wed, 26 Aug 2015 20:15:04 -0500
Received: from xmb-rcd-x10.cisco.com ([169.254.15.53]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.03.0248.002; Wed, 26 Aug 2015 20:15:04 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Alan Johnston <alan.b.johnston@gmail.com>, Justin Uberti <justin@uberti.name>
Thread-Topic: [tram] Path Forward for STUN ORIGIN
Thread-Index: AQHQ33BbHdq2UKCT/kKmaQfeZhVABZ4ex3+7gABCZKA=
Date: Thu, 27 Aug 2015 01:15:03 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A478C77E6@xmb-rcd-x10.cisco.com>
References: <CAKhHsXGwB1vovKQYaGnoZ1MuzREbDA8cTp4sCePNc6=saKN5BA@mail.gmail.com> <CALe60zCuFR-refCESNBTYDSypB6QviwKC7=Swh2OnHuXRx5=TA@mail.gmail.com> <CAKhHsXFyK0VvyiVB+8XWuBhh2RpnLOa-DqnbjWiiuxxU8nF4TQ@mail.gmail.com>
In-Reply-To: <CAKhHsXFyK0VvyiVB+8XWuBhh2RpnLOa-DqnbjWiiuxxU8nF4TQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.53.75]
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A478C77E6xmbrcdx10ciscoc_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/TVDgZnz1C3wsyC_3mGK6E_AVOtw>
Cc: "tram@ietf.org" <tram@ietf.org>, "draft-ietf-tram-stun-origin@tools.ietf.org" <draft-ietf-tram-stun-origin@tools.ietf.org>
Subject: Re: [tram] Path Forward for STUN ORIGIN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 01:15:09 -0000

Hi Alan,

OAuth solves all the below use cases, #4 and #5 is discussed in https://www.iab.org/wp-content/IAB-uploads/2015/01/semi2015_reddy.pdf.

-Tiru

From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Alan Johnston
Sent: Thursday, August 27, 2015 2:37 AM
To: Justin Uberti
Cc: tram@ietf.org; draft-ietf-tram-stun-origin@tools.ietf.org
Subject: Re: [tram] Path Forward for STUN ORIGIN

Justin,

It is an important question for the WG on whether ORIGIN is a useful solution to the use cases.  Hopefully we'll get more feedback on this.

Your comments seem mainly directed towards a solution for use case #2 below (REALM selection for TURN authentication), right?  I'm not sure if use case #3 applies or not.  I don't think OAuth helps with #1 or #4 or #5.

I know we have discussed it before, but I also don't think that everyone believes that OAuth means that ORIGIN is no longer needed. There have been suggestions that a multi-tenanted TURN server using OAuth might still use ORIGIN.

And using domain-specific USERNAME attributes sounds a bit like the problem that Martin mentioned of simply working around the approach.

- Alan -

On Tue, Aug 25, 2015 at 3:50 PM, Justin Uberti <justin@uberti.name<mailto:justin@uberti.name>> wrote:
Overall, I think most/all of the goals that ORIGIN is trying to accomplish would be better handled by STUN OAuth (https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/)

Generally, it's not clear that ORIGIN is a great solution for any of the use cases listed.
1) is easily accomplished via oauth, without any of the restrictions present here
2) can be dealt with using other means (e.g. oauth, or supplying domain info in USERNAME)
3) is fairly weak control, and can be done better through oauth, or domained USERNAMEs

Of course, as noted by others, use of domained USERNAMEs creates a quasi-ORIGIN value within the USERNAME attribute, which makes OAuth more attractive.

On Tue, Aug 25, 2015 at 12:57 PM Alan Johnston <alan.b.johnston@gmail.com<mailto:alan.b.johnston@gmail.com>> wrote:
All,

Based on feedback during IETF-93 in Prague, the authors of draft-ietf-stun-origin are looking for feedback on a possible path forward to solve the privacy/meta data issues and clear the DISCUSSes (see https://datatracker.ietf.org/doc/draft-ietf-tram-stun-origin/ballot/).  There are two areas of feedback: Use Cases and Proposed Solution.

Use Cases
========

First, we want to be sure that we are considering all the use cases for STUN ORIGIN.  In the draft, three are described:

1.  Logging of usage of STUN/TURN server. An operator of a STUN or TURN server would learn the Origin of the web, SIP, and XMPP users.

2.  REALM selection for multi-tenanted TURN server. This avoids having to run multiple instances on different ports or IP addresses when more than one REALM is in use.

3.  Service determination after authentication.  Bandwidth or QoS policy can be applied, after authentication, based on the Origin.

Also, the following use cases have also been discussed but are not in the draft

4.  Authorization at border TURN server after authentication.  An enterprise border TURN server can apply policy and allow usage for certain Origins (whitelist) or block usage of others (blacklist).

5. draft-jennings-behave-rtcweb-firewall-01 discusses how a firewall with STUN server could use ORIGIN in authorization decisions.

Are there any other use cases we should consider?

Possible Solution
=============

The solution that was discussed in Prague that seems to be the best tradeoff between privacy and functionality is to only include ORIGIN information in a STUN or TURN request if the domain of the Origin matches the domain of the STUN or TURN server in the STUN or TURN URI.  Since web and STUN and TURN run on different ports, and often will resolve to different IP addresses, a full host comparison is not possible.  This proposal is not perfect: it does not provide perfect privacy for subdomains (e.g. sub1.example.com<http://sub1.example.com> and sub2.example.com<http://sub2.example.com> will match with this rule, even if they are separate entities.  Of course, subdomain users could always register a new domain and point DNS records to their sub hoster.)

In comparing this solution against the use cases above:

1. Allows logging of your own users on your own TURN server (or one that you setup DNS SRV records to point towards).  Other users of your STUN or TURN server will not be identified by an Origin, but you will at least know if others are using your server.

2. Works for REALM selection as long as you use your own TURN server (or one that you setup DNS SRV records to point towards).

3. Again, works for service determination as long as you use your own TURN server (or one that you setup DNS SRV records to point towards).  Having service-specific TURN credentials is another solution that doesn't rely on ORIGIN.

4. & 5. Does not seem provide a good solution for these use cases.

Does this analysis make sense?

Feedback most welcome so we can move forward with this draft.

- Alan -

v2.23.0 | Report a Bug | By Email