Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)

"Salz, Rich" <rsalz@akamai.com> Sat, 11 April 2015 11:26 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "Williams, Brandon" <bowill@akamai.com>
Date: Sat, 11 Apr 2015 11:25:28 +0000
Message-ID: <0f0ac93b5a1d4d66b560ba7e4728d3ae@ustx2ex-dag1mb2.msg.corp.akamai.com>
References: <20150410193813.20376.40907.idtracker@ietfa.amsl.com> <55282B4E.4000409@akamai.com> <913383AAA69FF945B8F946018B75898A411FFC5F@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A411FFC5F@xmb-rcd-x10.cisco.com>
Cc: "rlb@ipv.sx" <rlb@ipv.sx>, "tram-chairs@ietf.org" <tram-chairs@ietf.org>, "tram@ietf.org" <tram@ietf.org>, "Stephen Farrell (stephen.farrell@cs.tcd.ie)" <stephen.farrell@cs.tcd.ie>
Subject: Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)

Great.  Brandon, I'm not sure if you still need me, but let's sync up next week :)

I will read the new draft pretty soon.

--  
Senior Architect, Akamai Technologies
IM: richsalz@jabber.at Twitter: RichSalz


> -----Original Message-----
> From: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
> Sent: Friday, April 10, 2015 9:58 PM
> To: Williams, Brandon
> Cc: Salz, Rich; tram@ietf.org; tram-chairs@ietf.org; rlb@ipv.sx; Stephen
> Farrell (stephen.farrell@cs.tcd.ie)
> Subject: RE: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-
> party-authz-13: (with DISCUSS and COMMENT)
> 
> Hi Brandon,
> 
> Richard and we have already discussed the comments further and
> resolved them; attached is the updated draft with a diff.
> Main changes
> 
> [1] Removed DKSPP
> [2] Removed non-AEAD algorithms; using AEAD modes AES-GCM and aead-aes-cbc
> [3] Updated the token format
> 
> -Tiru
> 
> > -----Original Message-----
> > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Brandon
> > Williams
> > Sent: Saturday, April 11, 2015 1:28 AM
> > Cc: Salz, Rich; tram@ietf.org; tram-chairs@ietf.org
> > Subject: Re: [tram] Stephen Farrell's Discuss on
> > draft-ietf-tram-turn-third-
> > party-authz-13: (with DISCUSS and COMMENT)
> >
> > Hi all,
> >
> > I will try to touch base with Rich Salz re: Richard's crypto comments
> > next week in order to help drive getting his feedback.
> >
> > --Brandon
> >
> > On 04/10/2015 03:38 PM, Stephen Farrell wrote:
> > > Stephen Farrell has entered the following ballot position for
> > > draft-ietf-tram-turn-third-party-authz-13: Discuss
> > >
> > > When responding, please keep the subject line intact and reply to
> > > all email addresses included in the To and CC lines. (Feel free to
> > > cut this introductory paragraph, however.)
> > >
> > >
> > > Please refer to
> > > http://www.ietf.org/iesg/statement/discuss-criteria.html
> > > for more information about IESG DISCUSS and COMMENT positions.
> > >
> > >
> > > The document, along with other ballot positions, can be found here:
> > > http://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/
> > >
> > >
> > >
> > > ----------------------------------------------------------------------
> > > DISCUSS:
> > > ----------------------------------------------------------------------
> > >
> > >
> > > Edited discuss ballot after chats around Dallas.
> > >
> > > (1) Please fix the crypto as per Richard's discuss. (I think the
> > > plan here is for Rich Salz to help with that, which I'm confident
> > > will work out ok.)
> > >
> > > (2) Please consider whether a signature based scheme that does not
> > > require pre-shared keys between the TURN and (in particular) WebRTC
> > > server could be useful to support. (Either in this document or
> > > elsewhere.) There should be use cases where that offers sufficient
> > > accountability for use of TURN and it ought to allow some deployments
> > > that are less easy with this kind of pre-shared keys approach. The
> > > DISCUSS here is to check if the WG want to take that approach,
> > > either now or later.
> > >
> > > (3) I think the plan is to take out some of the options that are not
> > > needed so as to make interop more likely.
> > > Please do so. (I think we discussed taking out the DKSPP stuff at
> > > least, but the more options we can get rid of, the better).
> > >
> > >
> > > ----------------------------------------------------------------------
> > > COMMENT:
> > > ----------------------------------------------------------------------
> > >
> > >
> > > - COMMENTS below are unchanged since before Dallas.
> > > We can look over them as we go.
> > >
> > > - I really think this would benefit from some wider review and I
> > > don't think it's ready as-is.
> > >
> > > - I agree with Richard's discuss points.
> > >
> > > - intro: "impossible in web applications" isn't really true in
> > > principle, but impossible in WebRTC as it uses JS is true.
> > >
> > > - Assuming the AS that can authorize the user shares a secret with
> > > the STUN server chosen by the WebRTC server seems very brittle. Why
> > > would that be true in general?
> > >
> > > - 4.1.1: Hmmm. How many people use KeyProv I wonder?
> > >
> > > - 4.1.2 - which "two servers"? WebRTC can have more servers than that.
> > >
> > > - 4.1.2 - now we're using TLS mutual auth? And how does the TLS
> > > client know which CA to use that'll work with the TLS server here? I
> > > don't think that'll scale, will it?
> > >
> > > - 4.1.3 - this looks like what the WG/authors really want, would
> > > that be a fair statement?
> > >
> > > - 9: Figure 2 should be way up at the top of the document and not
> > > here
> > >
> > > - 9: Why 5 seconds?
> > >
> > >
> > > _______________________________________________
> > > tram mailing list
> > > tram@ietf.org
> > > https://www.ietf.org/mailman/listinfo/tram
> > >
> >
> > --
> > Brandon Williams; Senior Principal Software Engineer Emerging Products
> > Engineering; Akamai Technologies Inc.
> >
> > --
> > Brandon Williams; Senior Principal Software Engineer Emerging Products
> > Engineering; Akamai Technologies Inc.
> >
> > _______________________________________________
> > tram mailing list
> > tram@ietf.org
> > https://www.ietf.org/mailman/listinfo/tram
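The change Tiru lists above, dropping the non-AEAD algorithms in favour of AEAD modes such as AES-GCM, matters because the TURN server has to trust the contents of a token it cannot otherwise verify. The following Go program is an added illustration, not code from the draft or from any of the participants: it seals a constructed placeholder token (`user=alice;lifetime=3600`, not the draft's real token layout) under AES-GCM and, for comparison, under an unauthenticated mode (AES-CTR, standing in for the removed non-AEAD options), then flips one ciphertext byte in each. The demo key, token body and function names are all assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed placeholder token body; NOT the draft's token format.
var exampleToken = []byte("user=alice;lifetime=3600")

// Demo AES-128 key. In the draft's model this would be the secret shared
// between the authorization server and the TURN server.
var demoKey = []byte("0123456789abcdef")

const gcmNonceSize = 12 // standard GCM nonce length used by cipher.NewGCM

// sealGCM returns nonce || ciphertext || tag. The tag binds the ciphertext,
// so any modification is detected by openGCM.
func sealGCM(key, token []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, token, nil), nil
}

// openGCM verifies the tag and decrypts; a tampered token yields an error.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed token too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// ctrXOR applies AES-CTR keystream; encryption and decryption are the same op.
func ctrXOR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

// encryptCTR returns iv || ciphertext with no integrity protection at all.
func encryptCTR(key, token []byte) ([]byte, error) {
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct, err := ctrXOR(key, iv, token)
	if err != nil {
		return nil, err
	}
	return append(iv, ct...), nil
}

// decryptCTR never fails on modified ciphertext; it just returns different bytes.
func decryptCTR(key, sealed []byte) ([]byte, error) {
	if len(sealed) < aes.BlockSize {
		return nil, errors.New("sealed token too short")
	}
	return ctrXOR(key, sealed[:aes.BlockSize], sealed[aes.BlockSize:])
}

// flipByte returns a copy of b with the low bit of byte i inverted,
// simulating corruption or modification in transit.
func flipByte(b []byte, i int) []byte {
	out := append([]byte(nil), b...)
	out[i] ^= 0x01
	return out
}

// TamperResult records how each mode reacted to a one-byte change in the
// last ciphertext byte (the final digit of the constructed lifetime field).
type TamperResult struct {
	GCMRejected  bool
	CTRRejected  bool
	CTRPlaintext string
}

func CompareModes() (TamperResult, error) {
	var r TamperResult
	last := len(exampleToken) - 1
	g, err := sealGCM(demoKey, exampleToken)
	if err != nil {
		return r, err
	}
	if _, err := openGCM(demoKey, flipByte(g, gcmNonceSize+last)); err != nil {
		r.GCMRejected = true // AEAD: authentication failure, token discarded
	}
	c, err := encryptCTR(demoKey, exampleToken)
	if err != nil {
		return r, err
	}
	pt, err := decryptCTR(demoKey, flipByte(c, aes.BlockSize+last))
	if err != nil {
		r.CTRRejected = true
	} else {
		r.CTRPlaintext = string(pt) // non-AEAD: silently "3600" -> "3601"
	}
	return r, nil
}

func main() {
	r, err := CompareModes()
	if err != nil {
		panic(err)
	}
	fmt.Printf("AES-GCM rejected tampered token: %v\n", r.GCMRejected)
	fmt.Printf("AES-CTR rejected tampered token: %v (decrypted to %q)\n", r.CTRRejected, r.CTRPlaintext)
}
```

Run it with `go run` and the AES-GCM path reports the tampered token as rejected, while the CTR path accepts it and hands back a lifetime field that now reads 3601: with an unauthenticated mode the TURN server has no way to tell a modified token from a genuine one, which is exactly the gap the move to AEAD-only closes.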