IETF Logo Mail Archive

[tram] Review of draft-johnston-tram-stun-origin-02

Marc Petit-Huguenin <marcph@getjive.com> Tue, 06 May 2014 10:55 UTC

Return-Path: <marcph@getjive.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1837E1A07A4 for <tram@ietfa.amsl.com>; Tue, 6 May 2014 03:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8AlBjMTvJ5S1 for <tram@ietfa.amsl.com>; Tue, 6 May 2014 03:55:28 -0700 (PDT)
Received: from mail-ie0-x22c.google.com (mail-ie0-x22c.google.com [IPv6:2607:f8b0:4001:c03::22c]) by ietfa.amsl.com (Postfix) with ESMTP id 5D0B91A02A5 for <tram@ietf.org>; Tue, 6 May 2014 03:55:28 -0700 (PDT)
Received: by mail-ie0-f172.google.com with SMTP id as1so9643745iec.3 for <tram@ietf.org>; Tue, 06 May 2014 03:55:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=getjive.com; s=mail; h=message-id:date:from:user-agent:mime-version:to:subject :content-type; bh=asEyomg8Mg5l3pabKBKLBxX+GQaPxkxPwyWhlMslGXM=; b=H8VMcbMsdKrcTIRePpnHFHe2IoV57Q+esHjt6tvXnOrtkF9Ep9VLvsGzyoYMhLH4cO Ba6q/vszBDsDAKQi034FOKz796twmfPkJ/CeeylQ1r6y9S6pFUbHjOXBbbbm4jTsNEpt G6/tcIcP0kW+XqstJRQEi6gmPRAdXr8UllIGM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:content-type; bh=asEyomg8Mg5l3pabKBKLBxX+GQaPxkxPwyWhlMslGXM=; b=GLOMQuH33YXBGHa2HPCJKueR2HtKd3cGJIO0mnvbgew0kyINwgbC4oUhEpFL/Hjfhl 86vSvZCBqidHawgqLMbO64o4msMoqFUJXPc1O7RoR/adJaYZxbyVnQJ57TXhQnAhxmDC BMxyaw4i0R3J15gHOPwhJ6/Ka9+T90Aj+dM+kAbNAfF6MsdegCclO1JmB4idF2eeKe9F FzvfIvZ5DalydrQNLdiiMkzHt+w/8c3Psiln0IaoBeUZiMAPPcKE8KbR7NVsD0WxVjI6 +1IKu4/m6RqL7ppCWDB4xFH6MZCYDz3Z9KCLbTHMvd4XmRKaepdTt8pXOpD7ns4MtY/P jDnQ==
X-Gm-Message-State: ALoCoQk4hqk5Qqw2XzZdwPvGPPT/Gzp6DSSj1b5XVAgp/36oez9ngXuH/pIpxmrg0fMikdu+1yID
X-Received: by 10.50.49.109 with SMTP id t13mr31350698ign.2.1399373724532; Tue, 06 May 2014 03:55:24 -0700 (PDT)
Received: from jivecommunications.com ([199.87.120.126]) by mx.google.com with ESMTPSA id k8sm37872835ige.0.2014.05.06.03.55.17 for <tram@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 06 May 2014 03:55:18 -0700 (PDT)
Message-ID: <5368BF90.2070307@getjive.com>
Date: Tue, 06 May 2014 04:55:12 -0600
From: Marc Petit-Huguenin <marcph@getjive.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: "tram@ietf.org" <tram@ietf.org>
X-Enigmail-Version: 1.6
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="3x4B0nkIeWurlsE5JFSn4SwvnpJT6O5VX"
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/XcRuG4DqoqclB8FB91EwOQRg2S0
Subject: [tram] Review of draft-johnston-tram-stun-origin-02
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 10:55:30 -0000

A1. Intended Status: Informational

Shouldn't this be Standard Track?

A2. Section 1, 2nd paragraph, last sentence: "as generating the response..."

I do not think that the reason for no authentication for the NAT
Discovery Usage is because it is less work, but because there is no
resource to protect so adding more work does not make sense.

A3. Section 1, 8th paragraph

I do not think that the ORIGIN should be used to select the certificate
when (D)TLS is used.  First it does not work with DANE, as when an SRV
(and probably NAPTR too, but that's undefined yet) RR redirects to a
different domain, the domain to be checked with is the host name, not
the service domain (see draft-ietf-dane-srv).  For non-DANE cases, I
think that the correct way to select the certificate is to use SNI.

So I would suggest to restrict the normative use of ORIGIN only to
select realms.

A4. Section 2.2. ORIGIN attribute usage

The text does not say if the ORIGIN attribute should/can be provided
after the authentication (i.e. refresh, data packets, etc...)

A5. Section 2.2.  Mandatory support for server

How a TURN server that requires the usage of ORIGIN can signal this?

A6. Section 2. Other Usages

I think that other STUN Usages should be listed after section 2.3:

- Media Keep-Alive Usage (Section 20 of RFC5245)
- SIP Keep-Alive Usage (RFC 5626)
- NAT Behavior Discovery Usage (RFC 5780)

A7. Section 4, 3rd paragraph: "If the STUN MESSAGE-INTEGRITY attribute
is present, the contents of the ORIGIN attribute are integrity protected."

Which never happen in the usages listed in the document:  for section
2.1, there is never an integrity protection, and for 2.2, the ORIGIN is
needed to select the realm, so the ORIGIN is sent before it can be
protected.  Perhaps 2.2 should say that if ORIGIN was sent to select the
realm, it MUST be repeated at identical on the second Allocate (the one
that has an M-I) and that the server MUST reject it if it is not
identical to the first one.  Not sure it matters though.

Nits
----

- Section 2, 2nd paragraph: "The number used for the this in the ..."

Does not parse.

-- 
Marc Petit-Huguenin
Developer  |  Jive Communications, Inc.
Jive.com  |  marcph@getjive.com

v2.23.0 | Report a Bug | By Email