Re: [tram] TURN server discovery (please discuss!)
"Karl Stahl" <karl.stahl@intertex.se> Fri, 21 March 2014 20:03 UTC
Return-Path: <karl.stahl@intertex.se>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84A1A1A0808 for <tram@ietfa.amsl.com>; Fri, 21 Mar 2014 13:03:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.855
X-Spam-Level: **
X-Spam-Status: No, score=2.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FRT_DISCOUNT=4.455, MSGID_MULTIPLE_AT=1, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A-6E0Zys2pbZ for <tram@ietfa.amsl.com>; Fri, 21 Mar 2014 13:03:44 -0700 (PDT)
Received: from smtp.it-norr.com (smtp.it-norr.com [80.244.64.161]) by ietfa.amsl.com (Postfix) with ESMTP id C2CCC1A034F for <tram@ietf.org>; Fri, 21 Mar 2014 13:03:42 -0700 (PDT)
Received: from ([90.229.134.75]) by smtp.it-norr.com (Telecom3 SMTP service) with ASMTP id 201403212103279374; Fri, 21 Mar 2014 21:03:27 +0100
From: Karl Stahl <karl.stahl@intertex.se>
To: "'Tirumaleswar Reddy (tireddy)'" <tireddy@cisco.com>, 'Simon Perreault' <simon.perreault@viagenie.ca>, 'Brandon Williams' <brandon.williams@akamai.com>, "'Prashanth Patil (praspati)'" <praspati@cisco.com>, tram@ietf.org
References: <913383AAA69FF945B8F946018B75898A242DA18A@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A242DA18A@xmb-rcd-x10.cisco.com>
Date: Fri, 21 Mar 2014 21:03:26 +0100
Message-ID: <014c01cf4540$9f32be00$dd983a00$@stahl>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac9FJbsFTBkECL+eSXabbZ2qD46QCAAAeecw
Content-Language: sv
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/e0XsLjfl0u4RasrYKgFA8u7xaBU
Subject: Re: [tram] TURN server discovery (please discuss!)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Mar 2014 20:03:46 -0000
1) I want to emphasize Simon's view in the authentication discussion: " If the TURN server is provided by the network, couldn't we assume that authentication is network-based? That is, if you succeed in talking to the server, then that means you're good. TURN servers would effectively have "no authentication" in the protocol." The need for this milestone mechanism/RFC is for an enterprise or a an ISP to announce a TURN server for their users of their network. The DHCP method directly reflects this by responding: "Here are your IP address, your default gateway, your DNS servers and now the suggested TURN server to use". (The TURN deployed is a networks resource only available on the local connection - it only has the allocated public port available to the WAN-side. That is TURN server/router/firewall combination more or less integrated.) So the auto discovered turn-server should only be available and offered to those allowed to use it - rather than being authenticated (like an application provided TURN server is). The browser should use the auto discovered TURN server without authentication. 2) The opposite - Can the browser trust the TURN server offered (also raised here)? - is not a problem with the DHCP method (If we get network resources like our IP address, default gateway via DHCP, we should of course also trust and the same DHCP server with giving us the TURN server address to place our real-time traffic at.) However, that may not be the case with the AnyCast method. Simon previously raised: "> Suppose we define well-known anycast TURN server addresses. How would > this not be subject to the same service quality issues that plagued > 6to4? That is, anyone could set up a badly-maintained, > under-provisioned TURN server and announce it over BGP to the world, > as it was done for > 6to4 relays. Or just bad BGP outbound filter configuration. And how > can we prevent triangle routing? There is nothing guaranteeing that > the anycast server you see is being provided to you by your ISP, > rather than a server sitting on the other side of the planet I got an "network-way idea" to address this from a developer of ours that I have not considered/presented yet and I will also read up on draft draft-patil-tram-turn-serv-disc-00, and see it I have some educated thoughts to contribute. It would be good if we can avoid having to introduce certificates or similar here and just stick to the network level. A few other points (maybe a better read of draft-patil-tram-turn-serv-disc-00 obsoletes some of these points and I will know better on Monday, but anyway): 3) Two methods (DHCP and Anycast) are suggested in the draft. I assume the thought is that browsers must implement both and the ISP can use any. Correct? - But if one is good enough, shall we then drop the other to make life easier? 4) In addition to some doubts raised here against the DHCP discovery, there were plenty in the discussion at the September-October discussion at the [rtcweb]-list (summary in http://www.ietf.org/mail-archive/web/tram/current/msg00132.html), mainly: a: concerns whether OSs actually forwards such extended DHCP information for the browser to use - If I remember correctly, only Bernard Aboba from MS confirmed that is was available in Windows. b: I withdrew my own(!) suggestion to use DHCP to find a network provider offered TURN server because DHCP is NOT used in many networks, which instead use (for handing out IP address etc): RA - Router Advertisement - in IPv6, the IPCP protocol for PPPoE and something else for the mobile OTT channel. I tend to focus on the Anycast method only (but will read up on draft-patil-tram-turn-serv-disc-00 until Monday and may be more educated then...) /Karl -----Ursprungligt meddelande----- Från: tram [mailto:tram-bounces@ietf.org] För Tirumaleswar Reddy (tireddy) Skickat: den 21 mars 2014 17:51 Till: Simon Perreault; Brandon Williams; Prashanth Patil (praspati); tram@ietf.org Ämne: Re: [tram] TURN server discovery (please discuss!) > -----Original Message----- > From: Simon Perreault [mailto:simon.perreault@viagenie.ca] > Sent: Friday, March 21, 2014 9:41 PM > To: Tirumaleswar Reddy (tireddy); Brandon Williams; Prashanth Patil > (praspati); tram@ietf.org > Subject: Re: [tram] TURN server discovery (please discuss!) > > Le 2014-03-21 12:07, Tirumaleswar Reddy (tireddy) a écrit : > >> I think that some type of authentication is necessary, even if all > >> it provides is the ability to verify that the two ends of the > >> tunnel remain consistent throughout the life of the allocation. > >> Without at least that, then the service is open to DOS attacks via message injection. > > > > Agreed, some type of authentication is necessary. > > That's not what I would call authentication. [D]TLS without > authentication protects against message injection AFAIK. DTLS without authentication won't protect the TURN server from clients sending huge number of Allocate requests and taking up all the resources in the TURN server. I think both D{TLS} and authentication is required. -Tiru > > Simon > -- > DTN made easy, lean, and smart --> http://postellation.viagenie.ca > NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca > STUN/TURN server --> http://numb.viagenie.ca _______________________________________________ tram mailing list tram@ietf.org https://www.ietf.org/mailman/listinfo/tram
- Re: [tram] TURN server discovery (please discuss!) Tirumaleswar Reddy (tireddy)
- Re: [tram] TURN server discovery (please discuss!) Prashanth Patil (praspati)
- Re: [tram] TURN server discovery (please discuss!) Tirumaleswar Reddy (tireddy)
- [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Cb B
- Re: [tram] TURN server discovery (please discuss!) Paul Kyzivat
- Re: [tram] TURN server discovery (please discuss!) Prashanth Patil (praspati)
- Re: [tram] TURN server discovery (please discuss!) Tirumaleswar Reddy (tireddy)
- Re: [tram] TURN server discovery (please discuss!) Olle E. Johansson
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Cb B
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Brandon Williams
- Re: [tram] TURN server discovery (please discuss!) Brandon Williams
- Re: [tram] TURN server discovery (please discuss!) Tirumaleswar Reddy (tireddy)
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Brandon Williams
- Re: [tram] TURN server discovery (please discuss!) Brandon Williams
- Re: [tram] TURN server discovery (please discuss!) Tirumaleswar Reddy (tireddy)
- Re: [tram] TURN server discovery (please discuss!) Karl Stahl
- Re: [tram] TURN server discovery (please discuss!) Brandon Williams
- Re: [tram] TURN server discovery (please discuss!) Oleg Moskalenko
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Oleg Moskalenko
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Oleg Moskalenko
- Re: [tram] TURN server discovery (please discuss!) Tirumaleswar Reddy (tireddy)
- Re: [tram] TURN server discovery (please discuss!) Prashanth Patil (praspati)
- Re: [tram] TURN server discovery (please discuss!) Tirumaleswar Reddy (tireddy)
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Tirumaleswar Reddy (tireddy)
- Re: [tram] TURN server discovery (please discuss!) Brandon Williams
- Re: [tram] TURN server discovery (please discuss!) Brandon Williams
- Re: [tram] TURN server discovery (please discuss!) Martin Thomson
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Martin Thomson
- Re: [tram] TURN server discovery (please discuss!) Oleg Moskalenko
- Re: [tram] TURN server discovery (please discuss!) Brandon Williams
- Re: [tram] TURN server discovery (please discuss!) Oleg Moskalenko
- Re: [tram] TURN server discovery (please discuss!) Tirumaleswar Reddy (tireddy)
- Re: [tram] TURN server discovery (please discuss!) Prashanth Patil (praspati)
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Prashanth Patil (praspati)
- Re: [tram] TURN server discovery (please discuss!) Karl Stahl
- Re: [tram] TURN server discovery (please discuss!) Karl Stahl
- Re: [tram] TURN server discovery (please discuss!) Simon Perreault
- Re: [tram] TURN server discovery (please discuss!) Karl Stahl