IETF Logo Mail Archive

Re: [tram] I-D Action: draft-ietf-tram-turnbis-17.txt

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 29 May 2018 10:18 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52EA4129C6E for <tram@ietfa.amsl.com>; Tue, 29 May 2018 03:18:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C17Vts4cylvD for <tram@ietfa.amsl.com>; Tue, 29 May 2018 03:18:31 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AB7112D7E2 for <tram@ietf.org>; Tue, 29 May 2018 03:18:31 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1527589114; h=From: To:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-microsoft-antispam: x-ms-traffictypediagnostic:x-microsoft-antispam-prvs: x-exchange-antispam-report-test:x-ms-exchange-senderadcheck: x-exchange-antispam-report-cfa-test:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:Content-Transfer-Encoding:MIME-Version: X-MS-Office365-Filtering-Correlation-Id:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=y CEX6v9Vw9mTyEa8/nlnozlkHOro5W3qtVjulJD4nL o=; b=cCR/VFVmtWO6i7PiAj3hVX4Uh8hrK/pLvWJ48zuROHq0 76Quq8sJTSP6YVbo0vjJQ+8HoB+cI4uYRXZQ0ysOJKXxgtshsO wOdRq2p9Taxfs2+PNBCLohWTMMOozIYbTB81cp/qJKoX3hv5pb 696KefIbIfReJXN8OduW63sHOXs=
Received: from DNVEXAPP1N05.corpzone.internalzone.com (DNVEXAPP1N05.corpzone.internalzone.com [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 4a35_7bd5_b6f822aa_1d17_45b2_8c07_147b219289cd; Tue, 29 May 2018 05:18:34 -0500
Received: from DNVEXUSR1N11.corpzone.internalzone.com (10.44.48.84) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 29 May 2018 04:17:53 -0600
Received: from DNVEXUSR1N09.corpzone.internalzone.com (10.44.48.82) by DNVEXUSR1N11.corpzone.internalzone.com (10.44.48.84) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 29 May 2018 04:17:52 -0600
Received: from DNVO365EDGE2.corpzone.internalzone.com (10.44.176.74) by DNVEXUSR1N09.corpzone.internalzone.com (10.44.48.82) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Tue, 29 May 2018 04:17:52 -0600
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (10.44.176.243) by edge.mcafee.com (10.44.176.74) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 29 May 2018 04:17:51 -0600
Received: from BN6PR16MB1425.namprd16.prod.outlook.com (10.172.207.19) by BN6PR16MB1538.namprd16.prod.outlook.com (10.172.208.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.797.11; Tue, 29 May 2018 10:17:49 +0000
Received: from BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::601e:a909:b9fe:31bd]) by BN6PR16MB1425.namprd16.prod.outlook.com ([fe80::601e:a909:b9fe:31bd%8]) with mapi id 15.20.0797.018; Tue, 29 May 2018 10:17:49 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Brandon Williams <brandon.williams@akamai.com>, "tram@ietf.org" <tram@ietf.org>
Thread-Topic: [tram] I-D Action: draft-ietf-tram-turnbis-17.txt
Thread-Index: AQHT2w5k5Ye43UtxsU6plD0Ba+ptDKQOZzcQgCErlgCAFyJkAA==
Date: Tue, 29 May 2018 10:17:49 +0000
Message-ID: <BN6PR16MB14258EF3AF6B3B735C2196CCEA6D0@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <152449325211.21886.16366690442756908271@ietfa.amsl.com> <BN6PR16MB1425426EB89F135FF50FCA5AEA890@BN6PR16MB1425.namprd16.prod.outlook.com> <347de982-54c5-4156-e406-0aa13ed4446c@akamai.com>
In-Reply-To: <347de982-54c5-4156-e406-0aa13ed4446c@akamai.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.300.84
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [103.245.47.20]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR16MB1538; 7:hXtS+NJwlBy3QZRN2hoaWKT/QOAjEqQMczeSG9RxYuLWsxmTEk/9A1uvubPhx4AlfBSPTMjfDYbCbNo6GdD87LztA9/240sv+lRTszutrZD+B1NoQVK/ylscK5YSFb4ThugbW9YKUxVP3Cc/eySIYGgPYWz4TMik0oLVcfqIs0ck+QqLAMlrIuxQrG3PUj3xhazFmX6liw6JKQ1RVrc4P3yX26ZQGpQa1am/hM7bVeADBWylEozR5RvGy6oLfllB
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BN6PR16MB1538;
x-ms-traffictypediagnostic: BN6PR16MB1538:
x-microsoft-antispam-prvs: <BN6PR16MB15381BA14C777E320B40479CEA6D0@BN6PR16MB1538.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(120809045254105)(192374486261705)(123452027830198);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(93006095)(93001095)(3002001)(3231254)(944501410)(52105095)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123562045)(20161123558120)(20161123560045)(6072148)(201708071742011)(7699016); SRVR:BN6PR16MB1538; BCL:0; PCL:0; RULEID:; SRVR:BN6PR16MB1538;
x-forefront-prvs: 0687389FB0
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(396003)(376002)(346002)(39380400002)(39860400002)(199004)(189003)(32952001)(377424004)(15404003)(13464003)(8676002)(7736002)(5250100002)(5890100001)(99286004)(2501003)(316002)(6306002)(66066001)(5660300001)(305945005)(110136005)(9686003)(8936002)(3280700002)(3660700001)(74316002)(81156014)(81166006)(53936002)(11346002)(72206003)(966005)(446003)(478600001)(6246003)(6436002)(2906002)(86362001)(486006)(55016002)(14454004)(33656002)(7696005)(476003)(68736007)(2900100001)(6116002)(3846002)(76176011)(229853002)(26005)(102836004)(80792005)(186003)(97736004)(25786009)(106356001)(53546011)(105586002)(59450400001)(6506007)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR16MB1538; H:BN6PR16MB1425.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: mczwkyyiMzsnB+dMr3yD4yHUtFXQjMwz8pZJMpVIvbEqYJOfu5J7iHE+4UEvoyhF5GJLAOhSsEdhC0EIU/duVlLAMzwOQCyR5uOYtjtU0KACsnWhqS3zhI8XEgrOWbcA9Gk7r7IyBkLRoN6QOCH04ifqvL77yK84zPiHoiyoobvWm7hpEdy23wWoZ+nQLaQwiVbl7FlDPy5UgSlxEU51OA==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 9344a662-ebb3-4bca-8fa0-08d5c54d6e53
X-MS-Exchange-CrossTenant-Network-Message-Id: 9344a662-ebb3-4bca-8fa0-08d5c54d6e53
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 May 2018 10:17:49.5354 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR16MB1538
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6295> : inlines <6663> : streams <1788130> : uri <2649091>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/_E3EnjmGzVdXO1_-EPRDAb8Humg>
Subject: Re: [tram] I-D Action: draft-ietf-tram-turnbis-17.txt
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 May 2018 10:18:34 -0000

Thanks Brandon for the review. Updated draft to incorporate the proposed changes.

Cheers,
-Tiru

> -----Original Message-----
> From: Brandon Williams [mailto:brandon.williams@akamai.com]
> Sent: Monday, May 14, 2018 10:26 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> tram@ietf.org
> Subject: Re: [tram] I-D Action: draft-ietf-tram-turnbis-17.txt
> 
> This email originated from outside of the organization. Do not click links or
> open attachments unless you recognize the sender and know the content is safe.
> 
> Hi Tiru,
> 
> I've got a few editorial suggestions on the new content re:
> permissionless STUN relay. As these are all editorial, you can of course feel
> free to ignore any/all of them. They are simply highlighting some places where
> I had some trouble parsing the text and do not represent substantive changes to
> the proposed content.
> 
> Please let me know if you have any questions about the following.
> 
> --Brandon
> 
> Section 2.3. Permissions
> 
> * "... the UDP datagram is silently discarded. However, a TURN server can be
> configured to permit ..."
> 
> The use of "However" here implies a more significant departure from the
> preceding sentence than you intend. I suggest dropping it. "... the UDP
> datagram is silently discarded. A TURN server can be configured to permit ..."
> 
> * "... speeds up STUN connectivity checks, while the client creates permissions
> in the TURN server for the remote peer IP addresses, the remote peer can
> initiate connectivity checks to the client."
> 
> The use of "while" after the comma makes it seem like a different use of the
> word than you intend. I suggest "... speeds up STUN connectivity checks,
> allowing the remote peer to initiate connectivity checks to the client while the
> client is creating permissions in the TURN server for the remote peer IP
> addresses."
> 
> Section 9. Permissions
> 
> * "... do not match the permissions installed, this configuration knob MUST ..."
> 
> The "," makes this sentence seem like a run-on. I suggest "... do not match the
> permissions installed. This configuration knob MUST ..."
> 
> * "... unless explicitly configured to do so otherwise."
> 
> The "so" is confusing here. I suggest "... unless explicitly configured to do
> otherwise."
> 
> * "If no match is found and the received datagram is not a STUN packet,
> relaying is not permitted, and the server silently discards the UDP datagram. If
> an exact match is found or the received datagram is a STUN packet, then the
> permission check is considered to have succeeded and the server continues to
> process the UDP datagram as specified elsewhere (Section 11.3)."
> 
> Although the correct interpretation of this text is suggested by the preceding
> paragraph, as written it appears to imply that the non-default behavior is the
> normal expected behavior. I think it would be good to clarify. I suggest the
> following text. "If no match is found and the received datagram is not a STUN
> packet, the permission check is considered to have failed. If an exact match is
> found, the permission check is considered to have succeeded. If no match is
> found and the received datagram is a STUN packet, the permission check is
> considered to have failed unless the server is configured to allow STUN packets
> without explicit permission, in which case the permission check is considered to
> have succeeded. If the permission check fails, relaying is not permitted and the
> server silently discards the UDP datagram. If the permission check succeeds,
> the services continues to process the UDP datagram as specified elsewhere
> (Section 11.3)."
> 
> If that text seems unwieldy, the section might be easier to parse if converted to
> a bullet list.
> 
> Section 19.2. Firewall Considerations
> 
> I find the new paragraph to be a little bit difficult to read. I suggest
> reorganizing the text.
> 
> ======
> When a TURN server is configured to permit inbound STUN packets on the
> allocation's relayed address even if the source IP addresses of the STUN
> packet's does not match the permissions installed, the TURN server MUST have
> a security policy for inbound STUN packets from IP addresses not matching the
> permissions installed in order to prevent an attacker from flooding the TURN
> client with STUN-like packets. The TURN server can limit forwarding to well-
> formed STUN connectivity check packets by looking for the STUN atrributes
> USERNAME and MESSAGE-INTEGRITY and verifying that the message does not
> exceed a specific configurable packet size. Additionally, the TURN server policy
> can be configured with maximum rate-limits for the number of STUN packets
> allowed in a TURN session, STUN packets allowed per second, and IP addresses
> allowed to send STUN packets.
> =====
> 
> On 04/23/2018 10:29 AM, Konda, Tirumaleswar Reddy wrote:
> > Updated draft allows the TURN server to forward inbound STUN connectivity
> checks without permissions and also addresses the comments from Noriyuki
> Torii.
> >
> > -Tiru
> >
> >> -----Original Message-----
> >> From: tram [mailto:tram-bounces@ietf.org] On Behalf Of internet-
> >> drafts@ietf.org
> >> Sent: Monday, April 23, 2018 7:51 PM
> >> To: i-d-announce@ietf.org
> >> Cc: tram@ietf.org
> >> Subject: [tram] I-D Action: draft-ietf-tram-turnbis-17.txt
> >>
> >>
> >>
> >>
> >> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >> This draft is a work item of the TURN Revised and Modernized WG of the
> IETF.
> >>
> >>          Title           : Traversal Using Relays around NAT (TURN): Relay
> Extensions
> >> to Session Traversal Utilities for NAT (STUN)
> >>          Authors         : Tirumaleswar Reddy
> >>                            Alan Johnston
> >>                            Philip Matthews
> >>                            Jonathan Rosenberg
> >> 	Filename        : draft-ietf-tram-turnbis-17.txt
> >> 	Pages           : 84
> >> 	Date            : 2018-04-23
> >>
> >> Abstract:
> >>     If a host is located behind a NAT, then in certain situations it can
> >>     be impossible for that host to communicate directly with other hosts
> >>     (peers).  In these situations, it is necessary for the host to use
> >>     the services of an intermediate node that acts as a communication
> >>     relay.  This specification defines a protocol, called TURN (Traversal
> >>     Using Relays around NAT), that allows the host to control the
> >>     operation of the relay and to exchange packets with its peers using
> >>     the relay.  TURN differs from some other relay control protocols in
> >>     that it allows a client to communicate with multiple peers using a
> >>     single relay address.
> >>
> >>     The TURN protocol was designed to be used as part of the ICE
> >>     (Interactive Connectivity Establishment) approach to NAT traversal,
> >>     though it also can be used without ICE.
> >>
> >>     This document obsoletes RFC 5766 and RFC 6156.
> >>
> >>
> >> The IETF datatracker status page for this draft is:
> >> https://datatracker.ietf.org/doc/draft-ietf-tram-turnbis/
> >>
> >> There are also htmlized versions available at:
> >> https://tools.ietf.org/html/draft-ietf-tram-turnbis-17
> >> https://datatracker.ietf.org/doc/html/draft-ietf-tram-turnbis-17
> >>
> >> A diff from the previous version is available at:
> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-tram-turnbis-17
> >>
> >>
> >> Please note that it may take a couple of minutes from the time of
> >> submission until the htmlized version and diff are available at tools.ietf.org.
> >>
> >> Internet-Drafts are also available by anonymous FTP at:
> >> ftp://ftp.ietf.org/internet-drafts/
> >>
> >> _______________________________________________
> >> tram mailing list
> >> tram@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tram
> >
> > _______________________________________________
> > tram mailing list
> > tram@ietf.org
> > https://www.ietf.org/mailman/listinfo/tram
> >

v2.23.0 | Report a Bug | By Email