Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-return
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Wed, 08 April 2015 15:08 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFF171B3202 for <tram@ietfa.amsl.com>; Wed, 8 Apr 2015 08:08:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KIpqwgNOfvpT for <tram@ietfa.amsl.com>; Wed, 8 Apr 2015 08:08:36 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 183671B3203 for <tram@ietf.org>; Wed, 8 Apr 2015 08:08:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19652; q=dns/txt; s=iport; t=1428505716; x=1429715316; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=0Q7pzskECEs8pMo+izy1LJ461roqRmXkDCOXd+PE5Qg=; b=K2rxfPp1wy60hxfbNv5gBe2dTLlCqP3orDPX1LoWlZ6VXD6qvY38JPqK /puQfVpeI9cQLXufb31Mxjpa6jEzcib2bUA1BNBaUSGyv7gLBzp98bKfe v9ykrjLPdcuAWAy4vkpSE9I2sffVvouUFcU36dUnKEpGaH6lmvZsPd+4U o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CqBgA1QyVV/4gNJK1SAQmCRUNSXAWCSka/cTwqCYFIAQuFLU4CHIEMOBQBAQEBAQEBfYQfAQEBAwEBAQEJFwpBCwwEAgEGAg4DBAEBAQodAwICAiULFAkIAgQOBQgBiBkIDZh6nH+WNgEBAQEBAQEBAQEBAQEBAQEBAQEBAReLK4QfAQQNGhYXBAYBBoJiL4EWBZB0g3iHLDqPOoNKIoNvb4EDAR4GHH8BAQE
X-IronPort-AV: E=Sophos;i="5.11,545,1422921600"; d="scan'208,217";a="139333253"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by alln-iport-3.cisco.com with ESMTP; 08 Apr 2015 15:08:34 +0000
Received: from xhc-aln-x05.cisco.com (xhc-aln-x05.cisco.com [173.36.12.79]) by alln-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id t38F8Y0a012822 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 8 Apr 2015 15:08:34 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.175]) by xhc-aln-x05.cisco.com ([173.36.12.79]) with mapi id 14.03.0195.001; Wed, 8 Apr 2015 10:08:34 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Benjamin Schwartz <bemasc@webrtc.org>
Thread-Topic: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-return
Thread-Index: AQHQcZcf28hxyyH3AUSBICjncygYyZ1DWjmA//+ykyCAAHQTAP//scTw
Date: Wed, 08 Apr 2015 15:08:33 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A411FE473@xmb-rcd-x10.cisco.com>
References: <6042868B-57EB-4C5A-B93E-C58D846E14E4@cisco.com> <55251A5B.5040909@jive.com> <913383AAA69FF945B8F946018B75898A411FE350@xmb-rcd-x10.cisco.com> <CAHbrMsD1T8U=ZBFXjtfCOwUSiSHLOyxwr=74f7u-DCpj0+iafA@mail.gmail.com>
In-Reply-To: <CAHbrMsD1T8U=ZBFXjtfCOwUSiSHLOyxwr=74f7u-DCpj0+iafA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.61.25]
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A411FE473xmbrcdx10ciscoc_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/ZBYMYXInoMv6aPjLyMQrWp4stVg>
Cc: Simon Perreault <sperreault@jive.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-return
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 15:08:39 -0000
mDNS only helps to discover TURN service in the local network; client and TURN server still have to mutually authenticate each other using the existing long-term authentication mechanism. Trusted pre-configuration is only required to validate the digital signature of the mDNS answer just like it’s done in DNSSEC but if client and TURN server mutually authenticate then digital signature for answers may not be required. -Tiru From: Benjamin Schwartz [mailto:bemasc@webrtc.org] Sent: Wednesday, April 08, 2015 7:57 PM To: Tirumaleswar Reddy (tireddy) Cc: Simon Perreault; tram@ietf.org Subject: Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-return If the TURN server's identity is discovered over mDNS, then how can the client authenticate the TURN server, except to prove that it's the same one advertised over mDNS? Assuming mDNS is trivial to forge on a broadcast network, this does not seem like sufficient protection. Maybe you are saying that the TURN server's "real identity" is configured by some other mechanism, and only its address is distributed by mDNS? I'm not familiar with the interaction between mDNS and DNSSEC, or how this would help to identify trusted servers. This seems like another case in which a trusted pre-configuration mechanism is still required. On Wed, Apr 8, 2015 at 8:40 AM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com<mailto:tireddy@cisco.com>> wrote: > -----Original Message----- > From: tram [mailto:tram-bounces@ietf.org<mailto:tram-bounces@ietf.org>] On Behalf Of Simon Perreault > Sent: Wednesday, April 08, 2015 5:39 PM > To: tram@ietf.org<mailto:tram@ietf.org> > Subject: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-return > > TRAMsters, > > I'd like to see some discussion on how this impacts the server-discovery > draft. This part in particular... > > "endpoints MUST NOT implement a configuration based on > unauthenticated > network multicast (e.g. mDNS)" > > ...seems at odds with what was decided in Dallas (i.e., define mDNS > discovery). > > Thoughts? Yes. After TURN server is discovered using mDNS, client must authenticate the TURN server to avoid some malicious host advertising that it offers TURN service. Further mDNS http://tools.ietf.org/html/rfc6762#section-21 also refers to using DNSSEC so that the client can ensure that the service is provided by a trusted participant and not a rouge participant. -Tiru > > I see having a coherent story for return and server-discovery as somewhat > required... > > Simon > > -------- Message transféré -------- > Sujet : Re: [rtcweb] draft-schwartz-rtcweb-return Date : Wed, 8 Apr 2015 > 00:58:29 +0000 De : Cullen Jennings (fluffy) <fluffy@cisco.com<mailto:fluffy@cisco.com>> Pour : > rtcweb@ietf.org<mailto:rtcweb@ietf.org> <rtcweb@ietf.org<mailto:rtcweb@ietf.org>> > > > > On Mar 26, 2015, at 9:20 AM, Cullen Jennings <fluffy@cisco.com<mailto:fluffy@cisco.com>> wrote: > > > > I'd like to point out that the combination of ietf-tram-turn-server-discovery > and draft-schwartz-rtcweb-return allow any network you are connected to > more or less MITM your media and do things like rate limit it, generate > analytics on who you are talking to, force your traffic through an > intermediary that is in a different legal jurisdiction and so on. > > We discussed this after the meeting and came up with a way to resolve this > concern. Benjamin has added some text to the -06 to that specifically > addresses this issue > > http://www.ietf.org/rfcdiff?url1=draft-schwartz-rtcweb-return-05&url2=draft- > schwartz-rtcweb-return-06 > > This completely deals with the issue I raised and with that change I support > adopting this as a WG document. > > After adoption, I think the WG should consider if any text is needed around > the issue of TURN credentials. (If you run TURN with no credentials and an > attacker can spoof the IP address in UDP packets, you can end up with the > TURN servers in a nasty forwarding loop that allows an huge amplification > factor for an attacker trying do DOS the turn servers - this is still possible > with authentication but you know who to blame. When TURN was first done > with was one of the reason TURN requires auth and STUN does not). > However, I believe this issue can solved and should not block adopting the > draft. ) > > Cullen > > > > > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org<mailto:rtcweb@ietf.org> > https://www.ietf.org/mailman/listinfo/rtcweb > > > _______________________________________________ > tram mailing list > tram@ietf.org<mailto:tram@ietf.org> > https://www.ietf.org/mailman/listinfo/tram _______________________________________________ tram mailing list tram@ietf.org<mailto:tram@ietf.org> https://www.ietf.org/mailman/listinfo/tram
- [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-re… Simon Perreault
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Tirumaleswar Reddy (tireddy)
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Benjamin Schwartz
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Tirumaleswar Reddy (tireddy)
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Martin Thomson