Re: [tram] Review of draft-johnston-tram-stun-origin-02
"Hutton, Andrew" <andrew.hutton@unify.com> Thu, 05 June 2014 14:50 UTC
Return-Path: <andrew.hutton@unify.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD7AC1A0239 for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 07:50:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.651] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VPBV4Ovs9ZD8 for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 07:50:00 -0700 (PDT)
Received: from mx11.unify.com (mx11.unify.com [62.134.46.9]) by ietfa.amsl.com (Postfix) with ESMTP id 0FC2C1A0269 for <tram@ietf.org>; Thu, 5 Jun 2014 07:49:01 -0700 (PDT)
Received: from MCHP02HTC.global-ad.net (unknown [172.29.42.235]) by mx11.unify.com (Server) with ESMTP id 47AF91EB8635; Thu, 5 Jun 2014 16:48:54 +0200 (CEST)
Received: from MCHP04MSX.global-ad.net ([169.254.1.222]) by MCHP02HTC.global-ad.net ([172.29.42.235]) with mapi id 14.03.0174.001; Thu, 5 Jun 2014 16:48:54 +0200
From: "Hutton, Andrew" <andrew.hutton@unify.com>
To: Oleg Moskalenko <mom040267@gmail.com>
Thread-Topic: [tram] Review of draft-johnston-tram-stun-origin-02
Thread-Index: AQHPahzB4IMeNSxSMk2xnnCULaae0JtivROQ///haoCAACdVAA==
Date: Thu, 05 Jun 2014 14:48:53 +0000
Message-ID: <9F33F40F6F2CD847824537F3C4E37DDF17DE3355@MCHP04MSX.global-ad.net>
References: <5368BF90.2070307@getjive.com> <CAKhHsXFqvySLXqFddBCtYmosN=6GqrO7X_JDnFtqiA+C38x5ug@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17DE3241@MCHP04MSX.global-ad.net> <166C39DF-CA68-4C9C-8553-197C2C75B382@gmail.com>
In-Reply-To: <166C39DF-CA68-4C9C-8553-197C2C75B382@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [172.29.42.225]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/fOM2T9zYgWJzmh7q9efSUq9zWS0
Cc: Alan Johnston <alan.b.johnston@gmail.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 14:50:02 -0000
Multiple Origins for HTTP Requests are covered in http://tools.ietf.org/html/rfc6454#section-7.2 I just assumed the same would apply to the usage in this context. Andy > -----Original Message----- > From: Oleg Moskalenko [mailto:mom040267@gmail.com] > Sent: 05 June 2014 15:26 > To: Hutton, Andrew > Cc: Alan Johnston; tram@ietf.org > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02 > > What would be the purpose of multiple origins ? > > Oleg > > On Jun 5, 2014, at 7:19 AM, "Hutton, Andrew" <andrew.hutton@unify.com> > wrote: > Hi, > > I had another read through this draft and hope we can move this forward > and adopt the draft soon. > > I only have one additional comment at this time and that is that I > assume it should be possible for the client to include more than one > origin in the Origin header field and if so the procedures around this > should explained in the draft. > > Regards > Andy > > > > > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Alan Johnston > Sent: 07 May 2014 18:50 > To: Marc Petit-Huguenin > Cc: tram@ietf.org > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02 > > Marc, > > Thanks for the review. See my comments below. > > - Alan - > > On Tue, May 6, 2014 at 5:55 AM, Marc Petit-Huguenin > <marcph@getjive.com> wrote: > A1. Intended Status: Informational > > Shouldn't this be Standard Track? > > Yes. > > A2. Section 1, 2nd paragraph, last sentence: "as generating the > response..." > > I do not think that the reason for no authentication for the NAT > Discovery Usage is because it is less work, but because there is no > resource to protect so adding more work does not make sense. > > I disagree that there is *no* resource to protect. A STUN server might > be minimal resources, but not none. If a simple authentication scheme > were available, I'm sure some people would use it so they could > minimize the cost of their server footprint by ensuring that only > authenticated users were utilizing it. I will add some text pointing > out that the minimal resources. > > A3. Section 1, 8th paragraph > > I do not think that the ORIGIN should be used to select the certificate > when (D)TLS is used. First it does not work with DANE, as when an SRV > (and probably NAPTR too, but that's undefined yet) RR redirects to a > different domain, the domain to be checked with is the host name, not > the service domain (see draft-ietf-dane-srv). For non-DANE cases, I > think that the correct way to select the certificate is to use SNI. > > The draft does not suggest that ORIGIN be used to select certificates - > as Oleg pointed out it isn't possible. This paragraph was describing > how RFC 6066 does not solve the problem, as had been suggested on the > list. > > > So I would suggest to restrict the normative use of ORIGIN only to > select realms. > > A4. Section 2.2. ORIGIN attribute usage > > The text does not say if the ORIGIN attribute should/can be provided > after the authentication (i.e. refresh, data packets, etc...) > > Currently, the text says SHOULD include, for a conformant client. For > logging, it has value even after the initial authentication. > > > A5. Section 2.2. Mandatory support for server > > How a TURN server that requires the usage of ORIGIN can signal this? > > Right now there is no way to do this. I agree with Oleg that it is up > to the server what to do if ORIGIN is no present. > > A6. Section 2. Other Usages > > I think that other STUN Usages should be listed after section 2.3: > > - Media Keep-Alive Usage (Section 20 of RFC5245) > - SIP Keep-Alive Usage (RFC 5626) > - NAT Behavior Discovery Usage (RFC 5780) > > I'll take a look at these scenarios. I suspect that it would be a > reasonable usage for client-to-server usages, but not for peer-to-peer > usages. > > A7. Section 4, 3rd paragraph: "If the STUN MESSAGE-INTEGRITY attribute > is present, the contents of the ORIGIN attribute are integrity > protected." > > Which never happen in the usages listed in the document: for section > 2.1, there is never an integrity protection, and for 2.2, the ORIGIN is > needed to select the realm, so the ORIGIN is sent before it can be > protected. Perhaps 2.2 should say that if ORIGIN was sent to select > the > realm, it MUST be repeated at identical on the second Allocate (the one > that has an M-I) and that the server MUST reject it if it is not > identical to the first one. Not sure it matters though. > > I agree that there is no integrity protection of the ORIGIN attribute > (or any other attribute) until after authentication. However, ORIGIN > can be used both before and after authentication. I'll review this > text and make sure this is clear. I don't believe we need any special > rules, as this applies to any STUN attribute. > > Nits > ---- > > - Section 2, 2nd paragraph: "The number used for the this in the ..." > > Does not parse. > > The middle "the" shouldn't be there. > > > -- > Marc Petit-Huguenin > Developer | Jive Communications, Inc. > Jive.com | marcph@getjive.com > > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram
- [tram] Review of draft-johnston-tram-stun-origin-… Marc Petit-Huguenin
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Alan Johnston
- Re: [tram] Review of draft-johnston-tram-stun-ori… Hutton, Andrew
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Hutton, Andrew
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Alan Johnston