Re: [tram] ALPN identifiers for STUN and TURN
Martin Thomson <martin.thomson@gmail.com> Thu, 31 July 2014 18:26 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7488D1A0314 for <tram@ietfa.amsl.com>; Thu, 31 Jul 2014 11:26:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AHlwWeb0UzHf for <tram@ietfa.amsl.com>; Thu, 31 Jul 2014 11:26:42 -0700 (PDT)
Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8AD71A02BA for <tram@ietf.org>; Thu, 31 Jul 2014 11:26:41 -0700 (PDT)
Received: by mail-we0-f171.google.com with SMTP id p10so3240588wes.16 for <tram@ietf.org>; Thu, 31 Jul 2014 11:26:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=AJZS1SMoCRQoydOdgHCuZjJtBWGQQVb8DCho9qQY92o=; b=flLtziEepGjhFiL4Ne4o37UC+7U7Pzf93kpp5J6MlFlIUNC/C6Zz2LIueAgP/Wx9aJ e4T3hwUQ/VccDGdsiIkKR2OSurDcxO+UYplh75XYTI0L1AsR9dawcTh+oL7vrrPP4vMK AxO4L/nD9OgdB5Om3WkxJbs8xAxNYYTFmf7wbBVSdo7cdnVG7IUOwMJiuhO8QU6mCKHz wG75MUas6z/IyrKysXb1sHhzdpzzXSkTa0K9gNP2GshZ0MvwcQ7vzr8thVSI/gmzpnI8 v9Muhz6J4tpb8SBiAne5zcTFX96lT0PhTlQ1yGsOCcAHqfOO2B0cWBBgJFVeM2B1c9cG V/3w==
MIME-Version: 1.0
X-Received: by 10.194.143.49 with SMTP id sb17mr18992271wjb.25.1406831200545; Thu, 31 Jul 2014 11:26:40 -0700 (PDT)
Received: by 10.194.169.10 with HTTP; Thu, 31 Jul 2014 11:26:40 -0700 (PDT)
In-Reply-To: <D0008149.45B7F%praspati@cisco.com>
References: <D0008149.45B7F%praspati@cisco.com>
Date: Thu, 31 Jul 2014 11:26:40 -0700
Message-ID: <CABkgnnUPOX0=gD0de2j4P=uvw5q4tGjbOj8YFeC+DtK2_Qx-jg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "Prashanth Patil (praspati)" <praspati@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/Uajrjx1-lRvgJxfAnCSOOMg8VL4
Cc: "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] ALPN identifiers for STUN and TURN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 18:26:47 -0000
On 31 July 2014 10:57, Prashanth Patil (praspati) <praspati@cisco.com> wrote: > There was some discussion on the need for separate STUN and TURN identifiers > during the TRAM session. Separate identifiers could be useful when middle > boxes such as a firewall want protocol identification e.g as described in > http://tools.ietf.org/html/draft-hutton-httpbis-connect-protocol-00#section-1. I raised this concern previously, and it has been bothering me somewhat. I'll try to make this a little clearer, and apologies for the rambling post. The application that you are using is what matters in this context. That's why we have ALPN identifiers for WebRTC. Identifying as TURN or STUN isn't as useful, particularly when it comes to enforcing policy, because they are effectively blank cheques. "You are establishing a tunnel to a relay, great, what for?" For the server that terminates TURN over DTLS identifying TURN is useful. It means that the TURN server doesn't have to know about "webrtc" and all the other potential uses of TURN in order to determine that this is a client that wants to talk TURN (and not some other strange protocol). After all, when you talk TURN over DTLS, the server you talk to is talking TURN. TURN in the clear with DTLS inside is a no brainer, you always identify that as something other than TURN at the DTLS layer. STUN on the other hand, when used in the peer-to-peer sense, doesn't work that way. You know about "webrtc" or whatever other application protocol you might be using. You can identify the actual application protocol. I don't think that we need an identifier for STUN at all. The only question I have then is what you do for TURN over DTLS. In the draft-hutton- sense, as well as in the DTLS ClientHello. I've been saying now for a while that these two points should include the same information, but it might make sense to have the real usage (e.g., "webrtc") visible to both proxy and TURN server. Or, we could consider the case of TURN over DTLS as a measure that intentionally protects the usage from intermediaries, and explicitly not include information about what might be carried inside of this tunnel. After all, the primary security advantage provided by TURN over DTLS is protection of meta information about what tunnels are being created to where.
- [tram] ALPN identifiers for STUN and TURN Prashanth Patil (praspati)
- Re: [tram] ALPN identifiers for STUN and TURN Oleg Moskalenko
- Re: [tram] ALPN identifiers for STUN and TURN Martin Thomson
- Re: [tram] ALPN identifiers for STUN and TURN Justin Uberti
- Re: [tram] ALPN identifiers for STUN and TURN Martin Thomson
- Re: [tram] ALPN identifiers for STUN and TURN - w… Paul Kyzivat
- Re: [tram] ALPN identifiers for STUN and TURN Brandon Williams
- Re: [tram] ALPN identifiers for STUN and TURN Brandon Williams
- Re: [tram] ALPN identifiers for STUN and TURN Prashanth Patil (praspati)
- Re: [tram] ALPN identifiers for STUN and TURN Martin Thomson
- Re: [tram] ALPN identifiers for STUN and TURN Tirumaleswar Reddy (tireddy)