Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-return
Martin Thomson <martin.thomson@gmail.com> Wed, 08 April 2015 16:58 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B5501B3462 for <tram@ietfa.amsl.com>; Wed, 8 Apr 2015 09:58:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xq5ch11FIRK0 for <tram@ietfa.amsl.com>; Wed, 8 Apr 2015 09:58:34 -0700 (PDT)
Received: from mail-ob0-x229.google.com (mail-ob0-x229.google.com [IPv6:2607:f8b0:4003:c01::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B17F11A88EF for <tram@ietf.org>; Wed, 8 Apr 2015 09:58:34 -0700 (PDT)
Received: by obbgh1 with SMTP id gh1so139431758obb.1 for <tram@ietf.org>; Wed, 08 Apr 2015 09:58:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=T+z1B55yHtt+K8GPGphXkhPK6AGjD5B22C9+i5WfS+A=; b=uGBAtrSom//c75uCR/2Pi5fB4l67GYN7YmkfIjIpADMU+JR3zAEfm3GJyQv7S10ujL iSeh2BeqApQvnxi3SOcQsBb6l7TpTvk6e4U8+6Dsq4SXpyNCnFPzM0GVOcDZXZi6ZjKi J7Tlz7+bKW87ly5avQUG0mWcrZAbe57NKN0ZyZZ8HQY/C2wD5wT+YJncS0NWs+xHmioM 06VcauVyFzh3T9MJoyieBQ3Afc6dbbSWiJ67wMDO8+N2ffAsQYSl/j1bap7zoZei087W Wzql9QChvYz+Qdf85tXWNf8r81LeiSWLwYfxIRwJ4z+IQZB/PejS3AE4rFvC59VV1VAB WLwQ==
MIME-Version: 1.0
X-Received: by 10.182.63.3 with SMTP id c3mr2055984obs.1.1428512307597; Wed, 08 Apr 2015 09:58:27 -0700 (PDT)
Received: by 10.202.48.151 with HTTP; Wed, 8 Apr 2015 09:58:27 -0700 (PDT)
In-Reply-To: <CAHbrMsD1T8U=ZBFXjtfCOwUSiSHLOyxwr=74f7u-DCpj0+iafA@mail.gmail.com>
References: <6042868B-57EB-4C5A-B93E-C58D846E14E4@cisco.com> <55251A5B.5040909@jive.com> <913383AAA69FF945B8F946018B75898A411FE350@xmb-rcd-x10.cisco.com> <CAHbrMsD1T8U=ZBFXjtfCOwUSiSHLOyxwr=74f7u-DCpj0+iafA@mail.gmail.com>
Date: Wed, 08 Apr 2015 09:58:27 -0700
Message-ID: <CABkgnnWM6KrJdYeXNNg3tfM5yD_S1=eztajU+AZ_+LT4+avEOQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Benjamin Schwartz <bemasc@webrtc.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/ll0W5Tp03qRQXdRbZNLZC3hH1jo>
Cc: Simon Perreault <sperreault@jive.com>, "tram@ietf.org" <tram@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Subject: Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-return
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Apr 2015 16:58:36 -0000
On 8 April 2015 at 07:27, Benjamin Schwartz <bemasc@webrtc.org> wrote: > If the TURN server's identity is discovered over mDNS, then how can the > client authenticate the TURN server, except to prove that it's the same one > advertised over mDNS? Assuming mDNS is trivial to forge on a broadcast > network, this does not seem like sufficient protection. Maybe you are > saying that the TURN server's "real identity" is configured by some other > mechanism, and only its address is distributed by mDNS? That's one way to deal with the problem. I certainly agree with the view that you should not permit other users on the same network to capture and potentially block traffic. We care more about blocking here than anything other abuse because we have (D)TLS. It's annoying in a sense, because in many cases mDNS would be a perfect solution: networks where you trust the devices not to misbehave in this fashion (i.e., my home) and networks where there are no local broadcast capabilities (i.e., most ISP access networks). If you want a more nuanced view of this, I think that the primary concern is that methods like mDNS allow network users in some cases to block traffic that they would not otherwise be able to do. An equally "unauthenticated" discovery mechanism could rely on capture of a route (something very different from being able to receive and send link-layer broadcast packets). That method would not degrade security. The text, as proposed, fails to allow for that possibility. An anycast-based mDNS discovery method is a potential way of achieving that goal. --Martin (p.s., mDNS + DNSSEC isn't worth pondering too hard, in my opinion.)
- [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcweb-re… Simon Perreault
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Tirumaleswar Reddy (tireddy)
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Benjamin Schwartz
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Tirumaleswar Reddy (tireddy)
- Re: [tram] Fwd: Re: [rtcweb] draft-schwartz-rtcwe… Martin Thomson