IETF Logo Mail Archive

Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Wed, 22 April 2015 04:20 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2177A1A871F; Tue, 21 Apr 2015 21:20:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HKM9RL2PG0Sv; Tue, 21 Apr 2015 21:20:04 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69E541A023E; Tue, 21 Apr 2015 21:20:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2252; q=dns/txt; s=iport; t=1429676405; x=1430886005; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=uW7Gp2zu1HV5KC/s8ZiM73hTg4bDC/7nDsl6LQUsglA=; b=jbTaGMCU987uBS89eJTDeZTn2dgmD4r/bjMQuRp7lSwD+SECk+NKvUBg bmbb5OCmtymGakJSD1MCWB3P3f6uTIAhdwJph9YQx32uSVCqsSJ0kVtl8 3obHmrdEWVmcsuTexp5s/gH0THOoZccJfUzNAWVleam4WvwSylpIUsg16 Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AVBQDSIDdV/5JdJa1bgwtSXAXFNoI+hgQCgTpMAQEBAQEBfoQgAQEBBDo/DAQCAQgRBAEBCxQFBAcyFAkIAgQBDQUIiCMNyzsBAQEBAQEBAQEBAQEBAQEBAQEBAQETBIs3hDkaMQcGgxGBFgEEkTOEAZtVIoIEGgQVgTxvgUSBAAEBAQ
X-IronPort-AV: E=Sophos;i="5.11,621,1422921600"; d="scan'208";a="410626069"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by rcdn-iport-1.cisco.com with ESMTP; 22 Apr 2015 04:20:04 +0000
Received: from xhc-aln-x12.cisco.com (xhc-aln-x12.cisco.com [173.36.12.86]) by rcdn-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id t3M4K3tr014944 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 22 Apr 2015 04:20:03 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.220]) by xhc-aln-x12.cisco.com ([173.36.12.86]) with mapi id 14.03.0195.001; Tue, 21 Apr 2015 23:20:03 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: "Salz, Rich" <rsalz@akamai.com>, "Williams, Brandon" <bowill@akamai.com>, Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)
Thread-Index: AdB3YVGPL1OX25drRTSYceNRW1EowwFKngkAAAS+0+AAC5E5gAAHR7Ag///lFQCAAFJ4QA==
Date: Wed, 22 Apr 2015 04:20:02 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A412147B3@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A4120E0BD@xmb-rcd-x10.cisco.com> <55369856.7050203@akamai.com> <913383AAA69FF945B8F946018B75898A41214674@xmb-rcd-x10.cisco.com> <a20208ec333b45d29956e5bda4a61686@usma1ex-dag1mb2.msg.corp.akamai.com> <913383AAA69FF945B8F946018B75898A4121478B@xmb-rcd-x10.cisco.com> <30eaf35d875745128662076920f72ae8@usma1ex-dag1mb2.msg.corp.akamai.com>
In-Reply-To: <30eaf35d875745128662076920f72ae8@usma1ex-dag1mb2.msg.corp.akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.50.120]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/Xiww-5Lpz9zlkqJhOkQuLgnoLJQ>
Cc: "rlb@ipv.sx" <rlb@ipv.sx>, "tram-chairs@ietf.org" <tram-chairs@ietf.org>, "tram@ietf.org" <tram@ietf.org>, "Stephen Farrell (stephen.farrell@cs.tcd.ie)" <stephen.farrell@cs.tcd.ie>
Subject: Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2015 04:20:06 -0000

> -----Original Message-----
> From: Salz, Rich [mailto:rsalz@akamai.com]
> Sent: Wednesday, April 22, 2015 9:44 AM
> To: Tirumaleswar Reddy (tireddy); Williams, Brandon; Martin Thomson
> Cc: tram-chairs@ietf.org; tram@ietf.org; rlb@ipv.sx; Stephen Farrell
> (stephen.farrell@cs.tcd.ie)
> Subject: RE: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-
> party-authz-13: (with DISCUSS and COMMENT)
> 
> > https://tools.ietf.org/html/rfc6194#section-3 discusses problems with
> SHA1.
> > Is it safe to derive key using SHA1 ?
> 
> Those concerns do not apply here.  Yes, absolutely safe.

Thanks, updated draft in my local copy.

OLD:
   [I-D.ietf-tram-stunbis] will support hash agility and accomplish this
   agility by conveying the HMAC algorithms supported by the STUN server
   along with a STUN error message to the client.  The client then
   signals the intersection-set of algorithms supported by it and the
   STUN server to the authorization server in the 'alg' parameter
   defined in [I-D.ietf-oauth-pop-key-distribution].  The authorization
   server selects an HMAC algorithm from the list of algorithms the
   client provided and determines length of the mac_key based on the
   selected HMAC algorithm.  Note that until STUN supports hash agility
   HMAC-SHA1 is the only valid hash algorithm that the client can signal
   to the authorization server and vice-versa.

NEW:
   [I-D.ietf-tram-stunbis] supports hash agility and accomplish this agility by computing  message integrity using both HMAC-SHA-1 and HMAC-SHA-256-128.
   The client signals the algorithm supported by it to the authorization server in the 'alg' parameter
   defined in [I-D.ietf-oauth-pop-key-distribution]. The authorization determines length of the mac_key based on the
   HMAC algorithm conveyed by the client. If the client supports 
   both HMAC-SHA-1 and HMAC-SHA-256-128 then it signals HMAC-SHA-256-128 to the authorization server, gets 256-bit key from the authorization server
   and calculates 160-bit key for HMAC-SHA-1 using SHA1 taking the 256-bit key as input.

-Tiru

> 
> --
> Senior Architect, Akamai Technologies
> IM: richsalz@jabber.at Twitter: RichSalz

v2.23.0 | Report a Bug | By Email