[tram] STUN auth: The endpoint is in control
Simon Perreault <sperreault@jive.com> Thu, 14 May 2015 17:56 UTC
Return-Path: <sperreault@jive.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B7BF81B2CB3 for <tram@ietfa.amsl.com>; Thu, 14 May 2015 10:56:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1pr8cI5hAZay for <tram@ietfa.amsl.com>; Thu, 14 May 2015 10:56:13 -0700 (PDT)
Received: from mail-qk0-f177.google.com (mail-qk0-f177.google.com [209.85.220.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10E2B1B2C99 for <tram@ietf.org>; Thu, 14 May 2015 10:56:13 -0700 (PDT)
Received: by qkgw4 with SMTP id w4so14285349qkg.3 for <tram@ietf.org>; Thu, 14 May 2015 10:56:12 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:content-type:content-transfer-encoding; bh=Po6aGn/OW+z3YtlbirXmLtuxFskHKKizfBbT8y7gVdk=; b=NpleZEuzBHA6C1kkVOTCzuvszPUuBBqpv9p5tD7FhYVQtjiYV9cRb349fazZZv+JYw WwhV+kvdMg32oMoBmMOCGVnNlAkafeH6sJHroV1yEju79q0CUxva3YBGGJ4KIfzYEiC6 UmhLk+vAk9jyZfzSP5RdR8wJDL2S+TGqcsoeKFjvEie/rIZeTmo6wZqcW5BxrgRQ+1nM cmBf3wzsUcC+6G4mPCGPPJaxi5Pd1G9fRrUrIj+kUo9+RbOAl4KezoeiWYu11krFU8ZR NBK4Fwhu5ixdFilXungsA7WIHZmQBF3wOys/GvEGxK2JRoX1dkrzqJvCHZImLenTt7Xr pS4g==
X-Gm-Message-State: ALoCoQlZNOvQ6aQ6gBBSuJh511KBSP3NyUJlhIKb6RNaSWrGlyeG1vMxmRlaHZcsbM5554VcS5N5
X-Received: by 10.140.36.137 with SMTP id p9mr7048941qgp.16.1431626172329; Thu, 14 May 2015 10:56:12 -0700 (PDT)
Received: from [192.168.1.131] ([24.53.47.130]) by mx.google.com with ESMTPSA id 93sm18294439qkx.38.2015.05.14.10.56.10 for <tram@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 May 2015 10:56:11 -0700 (PDT)
Message-ID: <5554E1B9.5090201@jive.com>
Date: Thu, 14 May 2015 13:56:09 -0400
From: Simon Perreault <sperreault@jive.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: "tram@ietf.org" <tram@ietf.org>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/lobm2Sb9RBhVEtxLvkxlVSo3h6g>
Subject: [tram] STUN auth: The endpoint is in control
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 May 2015 17:56:14 -0000
TRAMsters, I think it is important, in order to make STUN's authentication model clearer in the face of WebRTC usage, that we start re-emphasizing that the endpoint is in control of its own NAT traversal, independent of call signalling. This is a core design principle of STUN/TURN/ICE. ======================= Exhibit A: <http://numb.viagenie.ca> This is a freely-available STUN/TURN server. You just sign up for an account and start using it with whatever signalling infrastructure you want. With SIP, just configure the server address, username, and password into your SIP client and you're ready to go. With WebRTC you can do the same by configuring those into your browser, which should override any application-provided servers. Notice that the endpoint is fully in charge of its own destiny. It has a relationship with the server, but the signalling infrastructure does not. With this use-case the IP addresses on which the server listens are dedicated to the public service. ORIGIN would be useful in order to co-locate the public service with some class of private services (different auth database) without dedicating new IP addresses for each private service. ======================== Exhibit B: <https://tools.ietf.org/html/draft-ietf-rtcweb-return-00> RETURN is a way for WebRTC endpoints, browsers in particular, to force usage of a particular TURN server, with which the endpoint has a prior trust relationship, in order to ensure some level of privacy for the endpoint. A second layer of non-privacy-providing TURN may be used in order to provide NAT traversal. In this case too the endpoint is fully in control. The signalling infrastructure (i.e., the WebRTC application) has no relationship with the privacy-providing TURN server, and no control over it. ======================== What I'm getting at is that trying to bind STUN auth with the signalling session goes against STUN/TURN/ICE design. Thoughts? Comments? Simon
- [tram] STUN auth: The endpoint is in control Simon Perreault
- Re: [tram] STUN auth: The endpoint is in control Brandon Williams
- Re: [tram] STUN auth: The endpoint is in control Simon Perreault
- Re: [tram] STUN auth: The endpoint is in control Simon Perreault
- Re: [tram] STUN auth: The endpoint is in control Brandon Williams
- Re: [tram] STUN auth: The endpoint is in control Tirumaleswar Reddy (tireddy)
- Re: [tram] STUN auth: The endpoint is in control Brandon Williams
- Re: [tram] STUN auth: The endpoint is in control Tirumaleswar Reddy (tireddy)
- Re: [tram] STUN auth: The endpoint is in control Magnus Westerlund