Re: [tram] Alissa Cooper's Discuss on draft-ietf-tram-stun-origin-05: (with DISCUSS)

Simon Perreault <sperreault@jive.com> Tue, 12 May 2015 16:02 UTC

Message-ID: <55522411.10104@jive.com>
Date: Tue, 12 May 2015 12:02:25 -0400
From: Simon Perreault <sperreault@jive.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Alissa Cooper <alissa@cooperw.in>, Oleg Moskalenko <mom040267@gmail.com>
References: <20150511233012.17046.42319.idtracker@ietfa.amsl.com> <CALDtMr+x2Mi8v0jwFUscryccjc7Zf0o-mPo64S2dpHPqnnoXUA@mail.gmail.com> <A14F5400-21EB-4EE0-B988-CDA929EAE5A2@cooperw.in> <555153F0.4050204@cs.tcd.ie>
In-Reply-To: <555153F0.4050204@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/gLdAdQRqUYJZatPL87g4AuN-y9c>
Cc: tram-chairs@ietf.org, "tram@ietf.org" <tram@ietf.org>, draft-ietf-tram-stun-origin.shepherd@ietf.org, draft-ietf-tram-stun-origin.ad@ietf.org, IESG <iesg@ietf.org>, draft-ietf-tram-stun-origin@ietf.org
Subject: Re: [tram] Alissa Cooper's Discuss on draft-ietf-tram-stun-origin-05: (with DISCUSS)

On 2015-05-11 21:14, Stephen Farrell wrote:
> There's also this issue. If user credentials can collide over >1
> "realm" (where authentication realm means in the HTTP basic/digest
> sense) then those are almost certainly human memorable (why else
> could they collide with non-negligible probability?) and in the
> case of STUN/TURN and, in particular, WebRTC, setting up to use
> human memorable credentials is just basically broken given that
> the humans aren't actually logging in to the STUN/TURN server.

In the case where a single entity controls the authentication databases
for all tenants of a single server, you're right. However, that
condition does not hold in general. That is, we really do need to
properly handle username collisions across realms.

That is a pain point that is currently being handled with a number of
operational hacks. Clever username generation is one of them. It does
work for some use cases, but not in general.

What you're describing is current practice, and we don't like it.

I'd appreciate it if we could recognize that there is a problem with
current practice, and actually discuss the merits of the ORIGIN
solution. I understand the privacy concerns, but I don't get two things:

1) Are those concerns identical or different from those applying to,
e.g., the Host HTTP header, or the SNI TLS extension? If they're
different, how are they different?

2) Is there a proposal that could fix the privacy issue? So far I've
seen IESG members pointing out the issue, authors acknowledging the
issue, but no discussion of solutions.

Simon
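The username-collision problem Simon describes can be made concrete with the STUN long-term credential mechanism of RFC 5389, where the authentication key is derived from username, realm and password together, so a server cannot verify MESSAGE-INTEGRITY until it knows which realm the user belongs to. The following is an added illustration, not code from the thread, the draft or any implementation: the tenant table, the ORIGIN-to-realm mapping and every credential are constructed sample data, and the idea that a server would pick the realm from the client's ORIGIN is an assumption about how such a deployment might use the attribute.

```python
"""Added example: why a multi-tenant STUN/TURN server with the same username
in two realms cannot authenticate by username alone. The key derivation and
HMAC construction follow RFC 5389; all tenant data here is constructed."""
import hashlib
import hmac

# Constructed tenant database: both tenants have a user "alice" with
# different passwords, so an index keyed only by username collides.
TENANTS = {
    "tenant-a.example": {"alice": "pw-a", "bob": "pw-b"},
    "tenant-b.example": {"alice": "pw-other"},
}

# Assumption (not from the page): the server selects the realm from the
# web origin the client presents, e.g. in an ORIGIN attribute.
ORIGIN_TO_REALM = {
    "https://app.tenant-a.example": "tenant-a.example",
    "https://app.tenant-b.example": "tenant-b.example",
}


def long_term_key(username: str, realm: str, password: str) -> bytes:
    # RFC 5389 section 15.4: key = MD5(username ":" realm ":" SASLprep(password)).
    # SASLprep is omitted because the sample passwords are plain ASCII.
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def message_integrity(key: bytes, msg: bytes) -> bytes:
    # RFC 5389 MESSAGE-INTEGRITY: HMAC-SHA1 over the message with the derived key.
    return hmac.new(key, msg, hashlib.sha1).digest()


def verify_by_username_only(username: str, msg: bytes, mac: bytes) -> bool:
    # Naive multi-tenant lookup: the first realm containing the username wins.
    # With colliding usernames this silently picks the wrong tenant.
    for realm, users in TENANTS.items():
        if username in users:
            key = long_term_key(username, realm, users[username])
            return hmac.compare_digest(message_integrity(key, msg), mac)
    return False


def verify_with_realm(username: str, realm: str, msg: bytes, mac: bytes) -> bool:
    # Correct lookup: credentials are indexed by (realm, username).
    users = TENANTS.get(realm, {})
    if username not in users:
        return False
    key = long_term_key(username, realm, users[username])
    return hmac.compare_digest(message_integrity(key, msg), mac)


def verify_with_origin(username: str, origin: str, msg: bytes, mac: bytes) -> bool:
    # Resolve the realm from the presented origin (assumed mapping), then verify.
    realm = ORIGIN_TO_REALM.get(origin)
    if realm is None:
        return False
    return verify_with_realm(username, realm, msg, mac)


def demo() -> dict:
    # A client of tenant B signs a constructed request with tenant B's "alice".
    msg = b"constructed STUN Allocate request"
    key_b = long_term_key("alice", "tenant-b.example", "pw-other")
    mac_b = message_integrity(key_b, msg)
    return {
        "username_only": verify_by_username_only("alice", msg, mac_b),
        "with_realm": verify_with_realm("alice", "tenant-b.example", msg, mac_b),
        "with_origin": verify_with_origin("alice", "https://app.tenant-b.example", msg, mac_b),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the username-only lookup rejecting a valid request from tenant B's user because it derived the key from tenant A's password, while the realm-aware lookups accept it; the point is that the server must learn the realm from somewhere before the challenge, which is the gap the thread is arguing about.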