Re: [tram] AD Evaluation of draft-ietf-tram-turnbis-23

[Magnus Westerlund <magnus.westerlund@ericsson.com>]

Hi,

Thanks for the reply. Sorry about the delay in responding. Comments below.

On 2019-04-11 10:27, Konda, Tirumaleswar Reddy wrote:
> Hi Magnus,
>
> Thanks for the detailed review. Please see inline 
>
>> -----Original Message-----
>> From: tram <tram-bounces@ietf.org> On Behalf Of Magnus Westerlund
>> Sent: Thursday, April 4, 2019 7:30 PM
>> To: tram@ietf.org; draft-ietf-tram-turnbis@ietf.org
>> Subject: [tram] AD Evaluation of draft-ietf-tram-turnbis-23
>>
>>
>>
>> Hi,
>>
>> I have now finished the AD review. There are a lot of details that I think needs
>> fixing or at least feedback on. I also think there are a couple of more serious
>> issues here. Especially regarding the handling of MTU and fragmentation, as
>> well as IP header fields in address family translation and with non UDP
>> transport. We need to conclude on these before we go to IETF last call.
>>
>> My Review comments are:
>>
>> A. Section 1: "The client can arrange
>>    for the server to relay packets to and from certain other hosts
>>    (called peers) and can control aspects of how the relaying is done."
>>
>> I don't think this is an accurate description of what Turn does. One may easily
>> get the impression that the whole packet TURN receives are relayed, rather
>> than the transport protocol data part and some of the header information are
>> relayed between the client <-> peer, with a knowledge of the peer transport
>> address for the client. I think that should be clarified in the introduction.
> Sure, updated the text as follows:
>
> When a peer sends a packet to the relayed transport address, the server relays the transport protocol data from the packet to the client. The client knows the peer from which the transport protocol data was relayed by the server. When the server receives an ICMP

Should the last "When" be an "If"?

>  error packet, the server also relays certain layer 3/4 header fields from the ICMP header to the client. When the client sends a packet to the server, the server relays the transport protocol data from the packet to the appropriate peer using the relayed transport address as the source.

"appropriate" appears wrong. The peer is the one the client have
configure for the allocation. So I think a more direct language can be
used.

Othewise fine with me.


>> B. Section 2.7:
>>
>> "Applications using TCP can more or less
>>    ignore this issue because fragmentation avoidance is now a standard
>>    part of TCP, but applications using UDP (and thus any application
>>    using this version of TURN) must handle fragmentation avoidance
>>    themselves."
>>
>> Lower case "must", and as the document uses RFC 2119, this must have the
>> meaning of "MUST". A reformulation here is likely in order.
> Replaced "must" with "MUST". 

I think it is inappropriate to make this into a MUST statement. There is
no single answer for how the application handles it. The application
needs to handle it or live with the consequences. I think swithing the
"must" to "needs to" is more appropriate.



>> C. Section 2.7:
>>
>>    In this approach, the application exploits the
>>    fact that the IP specification [RFC0791] specifies that IP packets up
>>    to 576 bytes should never need to be fragmented.
>>
>>    As a guideline, sending a maximum of 500 bytes of application data in
>>    a single TURN message (by the client on the client-to-server leg) or
>>    a UDP datagram (by the peer on the peer-to-server leg) will generally
>>    avoid IP fragmentation.  To further reduce the chance of
>>    fragmentation, it is recommended that the client use ChannelData
>>    messages when transferring significant volumes of data, since the
>>    overhead of the ChannelData message is less than Send and Data
>>    indications.
>>
>> In that first paragraph I think it is worth discussing the IPv6 requirement of
>> supporting a 1280 minimal size.
> Yes. 
>
>> Secondly, I think recommending only a 500 MTU is way to conservative.
>> Those studies I have seen appears to indicate that at least 1220 bytes UDP
>> payloads should be be working as well as 500 bytes. See for example figure 12
>> in this:
>> https://static.googleusercontent.com/media/research.google.com/sv//pubs/arc
>> hive/46403.pdf
> I have updated the text as follows to address your comments:
>
>    In this approach, the application MUST assume a
>    PMTU of 1280 bytes, as IPv6 requires that every link in the Internet
>    have an MTU of 1280 octets or greater as specified in [RFC8200].  If
>    IPv4 support on legacy or otherwise unusual networks is a
>    consideration, the application MAY assume on a PMTU of 576 bytes for
>    IPv4 datagrams, as every IPv4 host must be capable of receiving a
>    packet whose length is equal to 576 bytes as discussed in [RFC0791].

Yes, I think that is quite good.


>> D. Section 2.7:
>>
>>    [I-D.ietf-tram-stun-pmtud] is an implementation of [RFC4821] that
>>    uses STUN to discover the path MTU, and so might be a suitable
>>    approach to be used in conjunction with a TURN server that supports
>>    the DONT-FRAGMENT attribute.  When the client includes the DONT-
>>    FRAGMENT attribute in a Send indication, this tells the server to set
>>    the DF bit in the resulting UDP datagram that it sends to the peer.
>>    Since some servers may be unable to set the DF bit, the client should
>>    also include this attribute in the Allocate request -- any server
>>    that does not support the DONT-FRAGMENT attribute will indicate this
>>    by rejecting the Allocate request.
>>
>> I want to verify that the WG is working on resolving the issues with the STUN
>> PMTUD document. I definitely sees the point of the recommendation, but only
>> if the WG will conclude on that document in a reasonable time frame.
> The authors of the ietf-tram-stun-pmtud draft are working on resolving the DISCUSS from ISEG review.


Great, looking forward to have that Discuss resolved.

>
>> E. Section 3:
>>
>>    Server-Reflexive Transport Address:  A transport address on the
>>       "public side" of a NAT.  This address is allocated by the NAT to
>>       correspond to a specific host transport address.
>>
>> Shouldn't "public side" be replace with "external side"? That is the terminology
>> used by the Behave RFCs.
> Okay, replaced "public side" with "external side". 
>
>> F. Section 3:
>>
>>    5-tuple:  The combination (client IP address and port, server IP
>>       address and port, and transport protocol (currently one of UDP,
>>       TCP, or (D)TLS)) used to communicate between the client and the
>>       server.
>>
>> I see some issues that the 5-tuple aggregates the transport protocol with the
>> security protocol. I agree from the TURN protocol perspective the protocol
>> combination is the important one. However, writing like you do here you
>> obfuscate both that when security is in place you have a combination, as well as
>> that there are 4 alternatives defined by this document.
> (D)TLS can be considered as pseudo transport protocol. 

May I suggest that you simple reword it in this way:

   5-tuple:  The combination (client IP address and port, server IP
      address and port, and transport protocol (currently one of UDP,
      TCP, DTLS/UDP or TLS/TCP)) used to communicate between the client
and the
      server.  The 5-tuple uniquely identifies this communication
      stream.  The 5-tuple also uniquely identifies the Allocation on
      the server.

In this specification you are using the words Transport Protocol in a
way that is not the most common understanding of the word. Thus, I think
you should include a definition in section 3 of your usage of "Transport
Protocol".

Transport Protocol: The protocols above IP that carries TURN Requests,
Responses, and Indications as well as providing identifiable flows using
a 5-tuple. In this specification UDP and TCP is defined as well as their
combination with a security layer using DTLS and TLS respectively.


>
>> G. Section 4.1:
>>
>>    The "turn" and "turns" URI schemes are used to designate a TURN
>>    server (also known as a relay) on Internet hosts accessible using the
>>    TURN protocol.  The TURN protocol supports sending messages over UDP,
>>    TCP, TLS-over-TCP or DTLS-over-UDP.  The "turns" URI scheme MUST be
>>    used when TURN is run over TLS-over-TCP or in DTLS-over-UDP, and the
>>    "turn" scheme MUST be used otherwise.  The required <host> part of
>>    the "turn" URI denotes the TURN server host.  The <port> part, if
>>    present, denotes the port on which the TURN server is awaiting
>>    connection requests.  If it is absent, the default port is 3478 for
>>    both UDP and TCP.  The default port for TURN over TLS and TURN over
>>    DTLS is 5349.
>>
>> First, I was wondering if this document needed to update RFC 7065? The high
>> level obvious is the reference, but otherwise on the surface it doesn't look
>> necessary. My main complaint when reading was that it was not obvious what
>> not specifying the transport parameter means. Then I saw this in Section 3.1 of
>> RFC 7065:
>>
>>    The <host>, <port>, and <transport> components are passed without
>>    modification to the [RFC5928] algorithm.  <secure> is set to false if
>>    <scheme> is equal to "turn", and set to true if <scheme> is equal to
>>    "turns" and passed to the [RFC5928] algorithm with the other
>>    components.
>>
>> After some digging I figured out that RFC5928 is actually updated by RFC
>> 7350 that defines the resolution and SRV records for DTLS.
>>
>> Can you please update the text in Section 4 to also reference RFC 7350 so that
>> one doesn't miss this definitions.
> Sure, added the following line to Section 4:
> DTLS as a transport protocol for TURN is defined in RFC7350.
Ok.
>
>> H. Section 5:
>>
>>    If the server requires requests to be
>>    authenticated, then the server's administrator MUST choose a realm
>>    value that will uniquely identify the username and password
>>    combination that the client must use, even if the client uses
>>    multiple servers under different administrations.
>>
>> Just to verify, TURN does not allow a single server address to host multiple
>> realms do it? Each Realm needs its own unique server transport address?
> No, I don't see any such restriction in TURN.  For example, in an Enterprise network with multiple realms, the TURN server based on the client subnet can choose the realm.

I think this is a not expressed assumption, that realm determination may
be done based on source IP address of the client's request. That is an
assumption that is not generally applicable, but can work for some
combinations of realms. For example an server that has a REALM for an
WebRTC service that is intended to have no restrictions can't be
co-located with anything that has a small scope as that can lead to
selection of the wrong realm.

What do you think is the best option here. Simple document that there
are no mechanism in the protocol for the client to indicate which REALM
it thinks it belongs to and state that the basic mechanism is using
different server ports for different realms. Or to write even more where
the possibility in source IP address identification of realm is
described but also its limitations?


>
>> I. Section 5:
>>
>>    For each Allocate request, the server SHOULD generate a
>>    new random nonce when the allocation is first attempted following the
>>    randomness recommendations in [RFC4086] and SHOULD expire the nonce
>>    at least once every hour during the lifetime of the allocation.
>>
>> So, I think this text due to its use of RFC 2119 language is a bit confusing in its
>> relation to STUNbis. To me it is unclear if the above overrides completely what
>> is written in Section 5 of STUNbis:
>>
>>    To indicate that it supports this specification, a server MUST
>>    prepend the NONCE attribute value with the character string composed
>>    of "obMatJos2" concatenated with the (4 character) Base64 [RFC4648]
>>    encoding of the 24 bit STUN Security Features as defined in
>>    Section 18.1.  The 24 bit Security Feature set is encoded as 3 bytes,
>>    with bit 0 as the most significant bit of the first byte and bit 23
>>    as the least significant bit of the third byte.  If no security
>>    features are used, then a byte array with all 24 bits set to zero
>>    MUST be encoded instead.  For the remainder of this document the term
>>    "nonce cookie" will refer to the complete 13 character string
>>    prepended to the NONCE attribute value.
>>
>> Or is the randomness recommendations in TURNbis only for the NONCE
>> attribute value part?
> Yes, the randomness recommendations in TURNbis is only for the NONCE attribute value part. 
>
>> Secondly, I interpret the text to say that compared to STUN, where a Nonce can
>> be long lived after the initial Long Term Credential establishment, in TURN for
>> each allocation one will have to to the Allocate, expired nonce->here is your
>> new nonce, resend allocate using new nonce, success dance.
>>
>> I think part of the problem with the above text in TURNbis is that the sentences
>> prior to the quoted one appear to be rehashing of the STUNbis requirements.
>> Then the quoted part that actually changes behavior without being clear about
>> it. I think it would be good to make it clear what is a change compared to
>> STUNbis.
> No changes other than the randomness for the NONCE attribute value part.  Added the following line for clarity:
>
> To indicate that the server supports [I-D.ietf-tram-stunbis], the server
>  prepends the NONCE attribute value with the "nonce cookie"
> (Section 9.2 of [I-D.ietf-tram-stunbis]).
>
> Please see https://tools.ietf.org/html/draft-ietf-tram-turnbis-23#section-18, discusses using the nonce cookie with the STUN security feature for the NONCE attribute 
> sent in the Allocate response.

Ok, that clarifies the randomness part.


>
>> J. Section 6:
>>
>>    Note that, rather than storing the password explicitly, for
>>    security reasons, it may be desirable for the server to store the key
>>    value, which is a secure hash over the username, realm, and password
>>    (see [I-D.ietf-tram-stunbis]).
>>
>> Why isn't this recommendation stronger. Are there any reasons why a server
>> would actually store the plain text password at all?
> Good point, no reason to store the plain text password. Updated text as follows:
>
> For security reasons, the server MUST NOT store the
> password explicitly and MUST store the key value, which is a secure
> hash over the username, realm, and password (see Section 16.1.3 in
> [I-D.ietf-tram-stunbis]).


Looks okay to me.

>
>> K. Section 7.1:
>>
>>    The client first picks a host transport address.  It is RECOMMENDED
>>    that the client pick a currently unused transport address, typically
>>    by allowing the underlying OS to pick a currently unused port for a
>>    new socket.
>>
>> I think talk about socket in this context should be skipped as it otherwise have
>> been eliminated.
> The above text is from https://tools.ietf.org/html/rfc5766#section-6.1. I presume you are proposing the following update:
>  
>     The client first picks a host transport address.  It is RECOMMENDED
>     that the client pick a currently unused transport address, typically
>     by allowing the underlying OS to pick a currently unused port.

Yes, I see no loss of real information.


>
>> L. Section 7.1:
>>
>>   The client then picks a transport protocol to use between the client
>>    and the server.  The transport protocol MUST be one of UDP, TCP, TLS-
>>    over-TCP or DTLS-over-UDP.
>>
>> I find it strange that this indicates that one should pick the transport protocol to
>> use client to server without considering the server capabilities. Especially as the
>> client configuration or server discovery procedures will indicate transport
>> protocol support.
> The server may support more than one transport protocol. 

Sorry, should have been clearer. Should there be any references to how
the client can determine the servers capabilities? You have
recommendations about using UDP and a pointer to Section 2.1 for some
discussion of the choices. So that covers giving some guidance to the
protocol choice.

Also shouldn't this paragraph come before the previous one. I.e. that
you first must pick your transport protocol before you can pick a host
transport address?


>
>> Secondly, what is the motivation for the MUST in the second sentence?
>> This is appears to have strange interactions with any future extensions and
>> have no impact. A client must obvious chose a client to server transport
>> protocol it supports, and one that the server supports or the client hope it will
>> support.
> https://tools.ietf.org/html/rfc5766#section-6.1 has the same text, I have updated the text as follows:
> The client then picks a transport protocol to use between the client and the server based on the transport protocols supported by the server.  
> The TURN server MUST enable one of the transport protocols, UDP, TCP, TLS- over-TCP or DTLS-over-UDP.

If the intention is to move the requirement to the server side for
making it normative to support at least one of the 4 options listed, I
think you need to rewrite it to say:

A TURN server MUST enable at least one of the transport protocols, UDP, TCP, TLS- over-TCP or DTLS-over-UDP.



>
>> M. Section 7.1:
>>
>>    The client also picks a server transport address, which SHOULD be
>>    done as follows.  The client uses one or more procedures described in
>>    [RFC8155] to discover a TURN server and uses the TURN server
>>    resolution mechanism defined in [RFC5928] to get a list of server
>>    transport addresses that can be tried to create a TURN allocation.
>>
>> 1) So RFC 8155 states that it has no recommendation on server selection, nor
>> on how to related local configuration to any auto-discovery servers.
>> To me it appears that the protocol utilizing TURN should consider what makes
>> sense in their deployments. Thus, does the need for such consideration needs to
>> be highlighted somewhere in this specification.
> https://tools.ietf.org/html/rfc8155#section-3 discusses using auto-discovery in the absence of local configuration or if the local configuration does not work. https://tools.ietf.org/html/rfc8155#section-9 explains the mechanisms to authenticate the discovered TURN server.  
>
> I am not sure about the additional considerations you are looking in this specification.

Let me attempt to formulate the question in another way. As the
Discovery procedure documented in RFC 8155 does not mandate any specific
order or even what mechanisms are actually used / supported, then did
the WG consider to make either a stricter recommendation or some other
considerations to better ensure that TURN clients can discover TURN
servers?

It is fine to say no.


>
>> N. Section 7.1:
>>
>>   Clients MUST NOT include a REQUESTED-ADDRESS-
>>    FAMILY attribute in an Allocate request that contains a RESERVATION-
>>    TOKEN attribute, for the reasons outlined in [RFC6156].
>>
>> Considering that this document obsoletes RFC 6156, I think it is bad form to
>> reference that document, rather than to move the necessary motivation into
>> this document.
> Done, updated text as follows:
> Clients MUST NOT include a REQUESTED-ADDRESS-FAMILY attribute in an Allocate request that contains a RESERVATION-TOKEN attribute, for the reason that server uses the previously reserved transport address corresponding to the included token and the client cannot obtain a relayed transport address of a specific address type.

Works for me.

>
>> O. Section 7.1:
>>
>>    If the client wishes to obtain a relayed transport address of a
>>    specific address type then it includes a REQUESTED-ADDRESS-FAMILY
>>    attribute in the request.
>>
>> I don't find anything describing what the default behavior is if one doesn't
>> include the attribute, but the TURN server supports multiple address families.
>>
>> I see that bullet 7 in Section 7.2 indicates that IPv4 is default.
>> Should the text in 7.1 be explicit about this default?
> The text in Section 7.1 is added for TURN clients not supporting TURNbis specification to provide backward compatibility. 

But if I understand this correctly, the legacy way is to not include the
REQUESTED-ADDRESS-FAMILY attribute for an IPv4 address. Thus, shouldn't
a sentence be added after the above to state that if the client wants an
IPv4 address it should skip using REQUESTED-ADDRESS-FAMILY attribute to
enable legacy interoperability, or do I missunderstand?


>
>> P. Section 7.2:
>>
>>          Otherwise, if the attribute is included but
>>         specifies a protocol other that UDP, the server rejects the
>>         request with a 442 (Unsupported Transport Protocol) error.
>>
>> Assuming that you don't support an extension for that transport protocol.
>> Should that be made explicit?
> I did not get the above comment. The attribute REQUESTED-TRANSPORT is originally defined in TURN (see https://tools.ietf.org/html/rfc5766#section-6.2), and TURNbis does not update the use of the attribute.

I am requesting a clarification in the text like this:

   

		Otherwise, if the attribute is included but
        specifies a protocol other that UDP that is not supported by the server, then the server rejects the
        request with a 442 (Unsupported Transport Protocol) error.

What I mean with extension above is the case when the TURN server supports an TURN extension that define for example TCP as server to peer protocol. 



>
>
>> Q. Section 8.3:
>>
>>    If the client receives a success response to its Refresh request with
>>    a non-zero lifetime, it updates its copy of the allocation data
>>    structure with the time-to-expiry value contained in the response.
>>
>>    If the client receives a 437 (Allocation Mismatch) error response to
>>    a request to delete the allocation, then the allocation no longer
>>    exists and it should consider its request as having effectively
>>    succeeded.
>>
>> So there are no considerations for the client if it receives an error response to a
>> refresh request when Lifetime was non-zero?
>>
>> I am bit surprised by that. I assume that there are certain cases when the
>> request could be resent, and others where the meaning is that the allocation is
>> gone.
> TURNbis does not update the refresh behavior already defined in https://tools.ietf.org/html/rfc5766#section-7.3.  I will add the following line:
> If the client receives an error response to its request to refresh the allocation, it should consider the allocation no longer exists.

Isn't that over simplifying cases where one attempts to refresh an
allocation and could actually handle the issue. For example an error
response to the client of 438 (Stale Nonce)  where the client can retry
the request with the new Nonce. I also wonder if request time out as
well as 400 (if it can figure out what the issue was) could be
re-attempted prior to allocation expires. But at leat hte 438 appears to
indicate a situation where the client should not give up, and thus
should have some text here.

>
>> R. Section 11.5:
>>
>>    When the server receives an ICMP packet, the server verifies that the
>>    type is either 3, 11 or 12 for an ICMPv4 [RFC0792] packet or either
>>    1, 2, or 3 for an ICMPv6 [RFC4443] packet.  It also verifies that the
>>    IP packet in the ICMP packet payload contains a UDP header.  If
>>    either of these conditions fail, then the ICMP packet is silently
>>    dropped.
>>
>> Why is not ICMPv6 Type 4 (Parameter Problem) included when Parameter
>> Problem are for ICMPv4?
> I don't get the above comment, please explain the question with an example. 

So if a server receives an ICMP for sent packet with ICMPv4 type 12 
(Parameter Problem) then that is relayed to the client according to this
text. But if the server sent a packet with IPv6 towards the peer and
receives an ICMPv6 message with Type 4 (Parameter Problem) that is not
relayed to the client. Why this discrepancy?

>
>> S. Section 12.5:
>>
>>    Over TCP and TLS-over-TCP, the ChannelData message MUST be padded to
>>    a multiple of four bytes in order to ensure the alignment of
>>    subsequent messages.  The padding is not reflected in the length
>>    field of the ChannelData message, so the actual size of a ChannelData
>>    message (including padding) is (4 + Length) rounded up to the nearest
>>    multiple of 4.  Over UDP, the padding is not required but MAY be
>>    included.
>>
>> Are there anywhere written what one may or may not include of the TURN
>> related messages in a single UDP datagram. Because it is technically feasible I
>> belive to include two Send Indications in one UDP datagram to the server.
> As per https://tools.ietf.org/html/draft-ietf-tram-turnbis-23#section-11.2, one send indication in one UDP datagram to the server.

Okay, the procedure described indicates that only a single Indication
per UDP datagram . I think that is good enough.


>
>> T. Section 13.1:
>>
>>    Flow Label
>>
>>       Preferred behavior: The relay sets the Flow label to 0.  The relay
>>       can choose to set the Flow label to a different value if it
>>       supports the IPv6 Flow Label field [RFC6437].
>>
>>       Alternate behavior: The relay sets the Flow label to the default
>>       value for outgoing packets.
>>
>> I think this section should be improved in two ways.
>>
>> First of all I think it should clarify that each allocation to peer flow is its own
>> IPv6 Flow in perspective of the IPv6 Flow label.
>>
>> Secondly, I think in the spirit of RFC 6473 the preferred behavior should be to
>> set the IPv6 flow label if the implementation is capable, or leave it to the
>> underlying network stack to actually set it. Compared to RFC 7915, the TURN
>> server actually have an understanding of what are different flows without
>> having examining additional protocol layers.
> Updated text as follows:
>
> Preferred behavior:
> The TURN server can use the relayed transport address, peer transport address and UDP protocol number 
> to generate and set the flow label value in the IPv6 packet as discussed in Section 3 of [RFC6437]. If the TURN server is incapable of 
> generating the flow label value from the IPv6 packet's 5-tuple, it sets the Flow label to 0. 
>
> (Please note the proposed update deviates from the behavior defined https://tools.ietf.org/html/rfc6156#section-8.1)  

Good, but I would suggest some tweaks to clarify:

Preferred behavior:
The TURN server can use the 5-tuple of relayed transport address, peer transport address and UDP protocol number to identify each flow, generate and set the flow label value in the IPv6 packet as discussed in Section 3 of [RFC6437]. If the TURN server is incapable of generating the flow label value from the IPv6 packet's 5-tuple, it sets the Flow label to 0. 

(Please note the proposed update deviates from the behavior defined https://tools.ietf.org/html/rfc6156#section-8.1)  



>  
>
>
>> Thirdly, I don't understand what the alternative behavior actually is.
>> This as it is either setting it to 0, or classifying things as flow and then provide it
>> with a random flow label. I think the right alternative behavior is to set it 0.
> Updated text to say:
>
>        Alternate behavior: The relay sets the Flow label to the default
>        value of zero for outgoing packets.

Ok

>
>> U. Section 13. 1,2,3:
>>
>>       For both preferred and alternate behavior, the DONT-FRAGMENT
>>       attribute MUST be ignored by the server.
>>
>> I don't understand why just because one performs v4<->v6 or v6 to v4
>> translation or v6 to v6 relaying now can ignore the DONT-FRAGEMENT
>> attribute. If the client has request to not fragment and the server is unable to
>> do that when forwarding to the peer it needs to generate an ICMP attribute
>> response saying the packet is to big. Otherwise the relay breaks the Path MTU
>> discovery mechanisms.
> TURNbis is using the translation algorithms specified in RFC7915. 
>
> [a] For IPv4 to IPv6: The translator uses the DF bit in the IPv4 header to not fragment the IPv6 packet (see https://tools.ietf.org/html/rfc7915#section-4), DON'T-FRAGMENT attribute can be ignored. 
> [b] For IPv6 to IPv4: The translation algorithm in https://tools.ietf.org/html/rfc7915#section-5 is used.  If the IPv6 endpoint wants to discover the path MTU, it will send IPv6 packets without Fragment header and DON'T-FRAGMENT attribute can be ignored.
> [c] For IPv6 to IPv6: If the IPv6 endpoint wants to discover the path MTU, it will send IPv6 packets without Fragment header and DON'T-FRAGMENT attribute can be ignored.
>
> Please note ignoring the DONT-FRAGMENT attribute is picked from https://tools.ietf.org/html/rfc6156#section-8 and discussed in the BEHAVE WG https://mailarchive.ietf.org/arch/msg/behave/oabu0VtUMBE-X3-vhgjdSFCboxc.  

Thanks for the clarification on the context. I should have read Section
4 of 7915. Then I would have likely gotten the implication that the IP
header DF or Fragmentation header impacts how things are working.

However, I find the reasoning behind this choice very strange. I don't
see how you can implement a TURN server that does IPv4 <->IPv6, or IPv6
relaying without having privileged access and where it reads the raw
headers. An implementation based on UDP sockets will not be able to do
the right thing here to my understanding. However, it could follow the
DONT-FRAGMENT attribute to instructing the sending using the Socket to
do the right thing. 

I think there are two directions we can proceed in here.

1. Redefine this text to enable usage of DONT-FRAGMENT

or

2. Clarify the scope and implications of Unpriviliged TURN Server doing
translation


For the second option I think there are several aspects that I like to
see addressed:

  2a: Update the sentence I quoted for this issue to make it clear that
you are relying soley on IPv4 DF and IPv6 Fragmentation Header to
control the fragmentation.

  2b: Clarify that Unpriviliged TURN Severs that do IPv4<-> IPv6
translation will not handle fragmentation well. And include a point to
the last paragraph of Section 2.7 and the use of DONT-FRAGMENT In
Allocate requests to determine support and that these needs to be
rejected by such a server.

By the way, there must be a typo with a "not" that shouldn't be in this
paragraph in Section 4 of 7915:

   When the IPv4 sender does not set the DF bit, the translator MUST NOT
   include the Fragment Header for the non-fragmented IPv6 packets.

To me it make sense for a IPv4->IPv6 translation where the IPv4 has
DF=TRUE to not include the fragmentation header, do you agree?

IF you agree I can file an errata on this.

>> V. Section 13.2:
>>
>> Fragmentation:
>>
>>       If the incoming packet included a Fragment header and the outgoing
>>       packet size exceeds the outgoing link's MTU, the relay MUST
>>       fragment the outgoing packet into fragments of no more than 1280
>>       bytes.  The relay sets the fields of the Fragment header as
>>       appropriate for a packet originating from the server.
>>
>> Is really the intention here to refragment the packet without providing any
>> indication that the practical MTU is smaller than what the peer or client thinks
>> it is?
> Yes, TURNbis is following the existing behavior already defined in https://tools.ietf.org/html/rfc6156#section-8.1. 
Okay.
>
>> W. Section 14:
>>
>>       Preferred Behavior: Set the outgoing value to the incoming value,
>>       UNLESS the server is doing Active Queue Management, the incoming
>>       ECN field is ECT(1) (=0b01) or ECT(0) (=0b10), and the server
>>       wishes to indicate that congestion has been experienced, in which
>>       case set the outgoing value to CE (=0b11).
>>
>> First of all do you have any special meaning with all capital UNLESS?
>>
>> Secondly, I don't know how wise it is to have partial definitions of what the ECN
>> behavior is. Maybe simpler to say that that the relay is performing AQM it can
>> support the ECN marking behavior as defined in RFC 3168.
> The above text is same as https://tools.ietf.org/html/rfc5766#section-12, replaced "UNLESS" with "unless".

So the UNLESS Is only for emphasis?

I think the sentence could be formulated so that it is easier to
understand that the text after "... active queue managmenet, ..." is in
case on does AQM. Also I think it is worth clarifying that the TURN
server can operate as defined by RFC 3168. In addition the use of ECT(1)
experiments has been changed so that also needs a reference. So perhaps:

      Preferred Behavior: Set the outgoing value to the incoming value. The server may perform Active Queue Management, in which case it SHOULD behave as a ECN aware router [RFC3168] and can mark traffic with Congestion Experienced (CE) instead of dropping the packet. The use of ECT(1) is subject to experimental usage [RFC8311].
 


>
>> X. Section 14:
>>
>> How are these IP level fields handled when the transport is TCP or TLS/TCP?
>> There there are not necessary a one to one mapping between datagrams and
>> TCP packets. And if there are no support then there are need for clarification of
>> behaviors when using TCP based transport.
> Section 14 already clarifies that the descriptions in this section do not apply to TURN messages sent over TCP or TLS transport from the server to the client.

Yes you are right. What are the recommendations for how to set the
fields when the Channel message or Send Indication arrives over
TCP/(TLS) to the server? To me the basis is the alternative behavior
with the exception for the DF bit. However, behaviors for datagrams
orignated by the server and delivered to the server over non datagram
transport will need to have recommendations also for IPv6.

>
>> Y. Section 16.4.  DATA
>>
>>    The DATA attribute is present in all Send and Data indications.  The
>>    value portion of this attribute is variable length and consists of
>>    the application data (that is, the data that would immediately follow
>>    the UDP header if the data was been sent directly between the client
>>    and the peer).  If the length of this attribute is not a multiple of
>>    4, then padding must be added after this attribute.
>>
>> Can you please clarify if one would get all the remaining bytes of the IP packet
>> payload or only the number of bytes the UDP length field indicates ?
>>
>> The reason I ask is that there is possibility that there are a discrepancy between
>> these fields, something the proposal for an experimental specification for UDP
>> options attempt to utilize.
>> https://datatracker.ietf.org/doc/draft-ietf-tsvwg-udp-options/
>>
>> Note, I only want you to clarify what is actually included. I would assume using
>> the UDP length field makes sense in this case.
> The application data does not include the options discussed in draft-ietf-tsvwg-udp-options.  
> Please clarify the specific update you are looking in this section. 

My intention here was not to bring in UDP options, only to ensure that
the specification text is clear. As UDP options draft points out there
could be a discrepancy between the UDP length and IP length. Thus, I
think there is a point to make it clear that the data includes UDP
length -8 bytes of UDP payload. Possible include a informative reference
for why there might be a discrepancy.

AC. Section 16.12:
>> Reason Phrase (variable). This field is under defined. First of all the format of
>> the text string is not defined, which it is in Stunbis Error-Code attribute is
>> defined as.
>>
>>    The reason phrase MUST be a UTF-8 [RFC3629] encoded
>>    sequence of less than 128 characters (which can be as long as 509
>>    bytes when encoding them or 763 bytes when decoding them).
> Thanks, updated section to use UTF-8 encoding.  
>
>> Secondly, I think it might be worth pointing out the padding here. It is not clear
>> if there is any form of string termination and how the padding which will be
>> interpreted as NULL characters 0-3 depending on the alignment. I note this
>> later issue appears to be existing in STUNBis also.
> Padding is discussed in STUN for variable length attributes, please see https://tools.ietf.org/html/draft-ietf-tram-stunbis-18#section-14.  

Thanks, missed that. I think that is clear.


>
>> AD. Section 16.2:
>>
>> Why isn't the text here say that this attribute may also be used to indicate the
>> desired lifetime in allocation requests?
> https://tools.ietf.org/html/rfc5766#section-14.2 did not discuss desired lifetime. Anyways, added the following line:
> The TURN client can include the LIFETIME attribute with the desired lifetime in Allocate and Refresh requests.

Good.

>
>> AE. Section 16.9: DONT-FRAGMENT
>>
>> I think it would be good to indicate the use of the attribute in Allocate Requests
>> also.
> The above point is discussed in Section 7.1:
>
> <snip>
>    If the client wishes to later use the DONT-FRAGMENT attribute in one
>    or more Send indications on this allocation, then the client SHOULD
>    include the DONT-FRAGMENT attribute in the Allocate request.  This
>    allows the client to test whether this attribute is supported by the
>    server.
> </snip>

Yes, but I think it is inconsistent when the text says:

This attribute is used by the client to request that the server set
   the DF (Don't Fragment) bit in the IP header when relaying the
   application data onward to the peer.

And there the is additional usage of it. When a minor change would
indicate that alternative use also.

This attribute is used by the client to request that the server set
   the DF (Don't Fragment) bit in the IP header when relaying the
   application data onward to the peer, and for determining the
capability in Allocate requests.


>
>> AF. Section  24.2
>>
>> [Protocol-Numbers]
>>               "IANA Protocol Numbers Registry", 2005,
>>               <http://www.iana.org/assignments/protocol-numbers>.
>>
>> This is a normative reference based on how it is used in Section 16.8.
> Okay, moved as Normative reference.
Good.
>> AG. Seciton 18.
>>
>>    Sometime before the 20 minute lifetime is up, the client refreshes
>>    the allocation.  This is done using a Refresh request.  As before,
>>    the client includes the latest username, realm, and nonce values in
>>    the request.  The client also includes the SOFTWARE attribute,
>>    following the recommended practice of always including this attribute
>>    in Allocate and Refresh messages.  When the server receives the
>>    Refresh request, it notices that the nonce value has expired, and so
>>    replies with 438 (Stale Nonce) error given a new nonce value.  The
>>    client then reattempts the request, this time with the new nonce
>>    value.  This second attempt is accepted, and the server replies with
>>    a success response.  Note that the client did not include a LIFETIME
>>    attribute in the request, so the server refreshes the allocation for
>>    the default lifetime of 10 minutes (as can be seen by the LIFETIME
>>    attribute in the success response).
>>
>> I notice that this part nor the text before appears to discuss the permission
>> lifetime that will expire after 5 minutes. Thus, it needs to be refreshed prior to
>> the Allocation.
> I have added text to discuss refreshing the channel binding, https://tools.ietf.org/html/rfc5766#section-16 did not discuss refreshing the permissions and channel bindings.  
Ok.
>
>> AH. Section 18.
>>
>> I am missing any example having to do with Address Family interactions.
> There was no ask from the WG members to add an example and even https://tools.ietf.org/html/rfc6156 did not have an translation example.
Ok, let skip this for now. But, it will be commented on again most
likely by other reviewers.
>
>> AI. DTLS Cipher Suits
>>
>> Am I understanding it correct that the definition of what DTLS cipher suit that a
>> TURN Server currently is to support is the ones in RFC 7525 ?
> No, the cipher suites and (D)TLS profile is discussed in https://tools.ietf.org/html/draft-ietf-tram-stunbis-21#section-6.2.3 and it follows the recommendations in RFC7525. 

Ahaa, of course. But, maybe an explicit reference to STUNbis in section
2.1 that the transports for TURN and STUN messages are defined there?

>
>> In that case, I think the wording is a bit weak as the only reference I find are in
>> Section 2.1:
>>
>> If (D)TLS transport is
>>    used between the TURN client and the TURN server, the guidance given
>>    in [RFC7525] MUST be followed to avoid attacks on (D)TLS.
> RFC7525 provides various recommendations to avoid attacks on (D)TLS.

It was really the text in STUNbis that I was looking for.


Cheers

Magnus Westerlund 

----------------------------------------------------------------------
Network Architecture & Protocols, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------