Re: [tram] ALPN identifiers for STUN and TURN
Justin Uberti <juberti@google.com> Thu, 31 July 2014 19:03 UTC
Return-Path: <juberti@google.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE32B1A000A for <tram@ietfa.amsl.com>; Thu, 31 Jul 2014 12:03:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rvuL6h6zxJ3A for <tram@ietfa.amsl.com>; Thu, 31 Jul 2014 12:03:10 -0700 (PDT)
Received: from mail-vc0-x22c.google.com (mail-vc0-x22c.google.com [IPv6:2607:f8b0:400c:c03::22c]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 050601A002D for <tram@ietf.org>; Thu, 31 Jul 2014 12:03:06 -0700 (PDT)
Received: by mail-vc0-f172.google.com with SMTP id im17so5001300vcb.17 for <tram@ietf.org>; Thu, 31 Jul 2014 12:03:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=7A7f/vagZEUjlh7L3YKL6IZb/Jo6hDHJlcl8L+MgANs=; b=USAMCLA2/epxrGlrtoZQPkhymQLLqP9IHoCXISh864EtSTtNCpvPcxpzmadRxZKAwu gsYGMnJM6tBVscQGnllZi8oXhBoZcEe/FdLclOowp8PdUU8bNcLrN209Yb3+MQzEp7rq QiJjOehIIMmB73FUJjvWkMfdaEzVtM0v3oMW5DTyqjYeSYslRgcr12AQ8n/bPXzLtA87 TSXj2ihSye/QKFFYvllkl0tDha4S1GIhbZtq5gO3hYd3toN/X/q0S4Oi3XerBPyChyHh YMNaKpM9x2qRxdNeZgqqWXrLxaKCZr+E+UqSA1gPqHchj5hJtmVYtzewRZ66OH+7YSO9 kdww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=7A7f/vagZEUjlh7L3YKL6IZb/Jo6hDHJlcl8L+MgANs=; b=nNYGzOVUfeUrM9pYVLay6kPXUhYNRBuDt4+lkG0Uz/h3Q6hurQdd7nh0rvrVSCkvu5 Y+/rBL2OIJnORntdpar/p36BnHA2BWc8vggLW5rqOssE7vVMFWnk7cP17v2T9rRCNmxR raXT/56Fwdw0eYD2jE+T6+/ymE0kCb5vxhbL3wpJFQNImv56s8RWy6k0IiyshheN8qto 65AVlaVLPgHLixrtjtuLnGDQx9sMjASpVfacO4t4dwcPo97RCYxIVeJw06yrY5l7h2jH YAa/o/O2fDHqAhCtHswhwc/3L0LojLJtMxdelFofuI7t3iDHauZdvwtIHbpYbBX6ynlI E5nw==
X-Gm-Message-State: ALoCoQkyqCW0J4J72COKoeeGUVZ962C+FQfhm7wHIO0iwDvzUGYRcKsU+whPCMUgCq3bOuAFYdz/
X-Received: by 10.220.49.10 with SMTP id t10mr287041vcf.34.1406833386171; Thu, 31 Jul 2014 12:03:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.133.193 with HTTP; Thu, 31 Jul 2014 12:02:46 -0700 (PDT)
In-Reply-To: <CABkgnnUPOX0=gD0de2j4P=uvw5q4tGjbOj8YFeC+DtK2_Qx-jg@mail.gmail.com>
References: <D0008149.45B7F%praspati@cisco.com> <CABkgnnUPOX0=gD0de2j4P=uvw5q4tGjbOj8YFeC+DtK2_Qx-jg@mail.gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Thu, 31 Jul 2014 12:02:46 -0700
Message-ID: <CAOJ7v-22Nw6Wu16CYv6z_fehvFRHaxjrZSiEGtH1sYUYVtVRCg@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="089e0163412c3de6bf04ff81ecfe"
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/_y8J0RlrIxy-51iz-YxBk0ci73Q
Cc: "Prashanth Patil (praspati)" <praspati@cisco.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] ALPN identifiers for STUN and TURN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jul 2014 19:03:12 -0000
On Thu, Jul 31, 2014 at 11:26 AM, Martin Thomson <martin.thomson@gmail.com> wrote: > On 31 July 2014 10:57, Prashanth Patil (praspati) <praspati@cisco.com> > wrote: > > There was some discussion on the need for separate STUN and TURN > identifiers > > during the TRAM session. Separate identifiers could be useful when middle > > boxes such as a firewall want protocol identification e.g as described in > > > http://tools.ietf.org/html/draft-hutton-httpbis-connect-protocol-00#section-1 > . > > I raised this concern previously, and it has been bothering me > somewhat. I'll try to make this a little clearer, and apologies for > the rambling post. > > The application that you are using is what matters in this context. > That's why we have ALPN identifiers for WebRTC. > > Identifying as TURN or STUN isn't as useful, particularly when it > comes to enforcing policy, because they are effectively blank cheques. > "You are establishing a tunnel to a relay, great, what for?" > > For the server that terminates TURN over DTLS identifying TURN is > useful. It means that the TURN server doesn't have to know about > "webrtc" and all the other potential uses of TURN in order to > determine that this is a client that wants to talk TURN (and not some > other strange protocol). After all, when you talk TURN over DTLS, the > server you talk to is talking TURN. > > TURN in the clear with DTLS inside is a no brainer, you always > identify that as something other than TURN at the DTLS layer. > > STUN on the other hand, when used in the peer-to-peer sense, doesn't > work that way. You know about "webrtc" or whatever other application > protocol you might be using. You can identify the actual application > protocol. I don't think that we need an identifier for STUN at all. > Agreed. While one could certainly do STUN over DTLS, it's not clear why one would want to do so. That said, it should work, and so I don't have an issue with defining an ALPN for STUN. > > The only question I have then is what you do for TURN over DTLS. In > the draft-hutton- sense, as well as in the DTLS ClientHello. I've > been saying now for a while that these two points should include the > same information, but it might make sense to have the real usage > (e.g., "webrtc") visible to both proxy and TURN server. > > Or, we could consider the case of TURN over DTLS as a measure that > intentionally protects the usage from intermediaries, and explicitly > not include information about what might be carried inside of this > tunnel. After all, the primary security advantage provided by TURN > over DTLS is protection of meta information about what tunnels are > being created to where. > > Clearly the local proxy cares to distinguish between 'http' and 'webrtc', but that is handled by the HTTP CONNECT ALPN, and not any DTLS ALPN. It's not clear to me that a DTLS ALPN would be that useful for at the TURN server - it already knows it is getting TURN traffic. The primary advantage of a DTLS ALPN would seem to be for local DPI firewalls to understand that the DTLS flow is in fact carrying TURN traffic.
- [tram] ALPN identifiers for STUN and TURN Prashanth Patil (praspati)
- Re: [tram] ALPN identifiers for STUN and TURN Oleg Moskalenko
- Re: [tram] ALPN identifiers for STUN and TURN Martin Thomson
- Re: [tram] ALPN identifiers for STUN and TURN Justin Uberti
- Re: [tram] ALPN identifiers for STUN and TURN Martin Thomson
- Re: [tram] ALPN identifiers for STUN and TURN - w… Paul Kyzivat
- Re: [tram] ALPN identifiers for STUN and TURN Brandon Williams
- Re: [tram] ALPN identifiers for STUN and TURN Brandon Williams
- Re: [tram] ALPN identifiers for STUN and TURN Prashanth Patil (praspati)
- Re: [tram] ALPN identifiers for STUN and TURN Martin Thomson
- Re: [tram] ALPN identifiers for STUN and TURN Tirumaleswar Reddy (tireddy)