IETF Logo Mail Archive

Re: [tram] ALPN identifiers for STUN and TURN

Martin Thomson <martin.thomson@gmail.com> Thu, 31 July 2014 18:26 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7488D1A0314 for <tram@ietfa.amsl.com>; Thu, 31 Jul 2014 11:26:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AHlwWeb0UzHf for <tram@ietfa.amsl.com>; Thu, 31 Jul 2014 11:26:42 -0700 (PDT)
Received: from mail-we0-x22b.google.com (mail-we0-x22b.google.com [IPv6:2a00:1450:400c:c03::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8AD71A02BA for <tram@ietf.org>; Thu, 31 Jul 2014 11:26:41 -0700 (PDT)
Received: by mail-we0-f171.google.com with SMTP id p10so3240588wes.16 for <tram@ietf.org>; Thu, 31 Jul 2014 11:26:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=AJZS1SMoCRQoydOdgHCuZjJtBWGQQVb8DCho9qQY92o=; b=flLtziEepGjhFiL4Ne4o37UC+7U7Pzf93kpp5J6MlFlIUNC/C6Zz2LIueAgP/Wx9aJ e4T3hwUQ/VccDGdsiIkKR2OSurDcxO+UYplh75XYTI0L1AsR9dawcTh+oL7vrrPP4vMK AxO4L/nD9OgdB5Om3WkxJbs8xAxNYYTFmf7wbBVSdo7cdnVG7IUOwMJiuhO8QU6mCKHz wG75MUas6z/IyrKysXb1sHhzdpzzXSkTa0K9gNP2GshZ0MvwcQ7vzr8thVSI/gmzpnI8 v9Muhz6J4tpb8SBiAne5zcTFX96lT0PhTlQ1yGsOCcAHqfOO2B0cWBBgJFVeM2B1c9cG V/3w==
MIME-Version: 1.0
X-Received: by 10.194.143.49 with SMTP id sb17mr18992271wjb.25.1406831200545; Thu, 31 Jul 2014 11:26:40 -0700 (PDT)
Received: by 10.194.169.10 with HTTP; Thu, 31 Jul 2014 11:26:40 -0700 (PDT)
In-Reply-To: <D0008149.45B7F%praspati@cisco.com>
References: <D0008149.45B7F%praspati@cisco.com>
Date: Thu, 31 Jul 2014 11:26:40 -0700
Message-ID: <CABkgnnUPOX0=gD0de2j4P=uvw5q4tGjbOj8YFeC+DtK2_Qx-jg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "Prashanth Patil (praspati)" <praspati@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/Uajrjx1-lRvgJxfAnCSOOMg8VL4
Cc: "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] ALPN identifiers for STUN and TURN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 18:26:47 -0000

On 31 July 2014 10:57, Prashanth Patil (praspati) <praspati@cisco.com> wrote:
> There was some discussion on the need for separate STUN and TURN identifiers
> during the TRAM session. Separate identifiers could be useful when middle
> boxes such as a firewall want protocol identification e.g as described in
> http://tools.ietf.org/html/draft-hutton-httpbis-connect-protocol-00#section-1.

I raised this concern previously, and it has been bothering me
somewhat.  I'll try to make this a little clearer, and apologies for
the rambling post.

The application that you are using is what matters in this context.
That's why we have ALPN identifiers for WebRTC.

Identifying as TURN or STUN isn't as useful, particularly when it
comes to enforcing policy, because they are effectively blank cheques.
"You are establishing a tunnel to a relay, great, what for?"

For the server that terminates TURN over DTLS identifying TURN is
useful.  It means that the TURN server doesn't have to know about
"webrtc" and all the other potential uses of TURN in order to
determine that this is a client that wants to talk TURN (and not some
other strange protocol).  After all, when you talk TURN over DTLS, the
server you talk to is talking TURN.

TURN in the clear with DTLS inside is a no brainer, you always
identify that as something other than TURN at the DTLS layer.

STUN on the other hand, when used in the peer-to-peer sense, doesn't
work that way.  You know about "webrtc" or whatever other application
protocol you might be using.  You can identify the actual application
protocol.  I don't think that we need an identifier for STUN at all.

The only question I have then is what you do for TURN over DTLS.  In
the draft-hutton- sense, as well as in the DTLS ClientHello.  I've
been saying now for a while that these two points should include the
same information, but it might make sense to have the real usage
(e.g., "webrtc") visible to both proxy and TURN server.

Or, we could consider the case of TURN over DTLS as a measure that
intentionally protects the usage from intermediaries, and explicitly
not include information about what might be carried inside of this
tunnel.  After all, the primary security advantage provided by TURN
over DTLS is protection of meta information about what tunnels are
being created to where.

v2.23.0 | Report a Bug | By Email