Re: [tram] Allow TURN to forward inbound connectivity checks without permission

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 20 March 2018 15:08 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Brandon Williams <brandon.williams@akamai.com>, Simon Perreault <sperreault@jive.com>, Nils Ohlmeier <nohlmeier@mozilla.com>
CC: Cullen Jennings <fluffy@cisco.com>, Eric Rescorla <ekr@rtfm.com>, "tram@ietf.org" <tram@ietf.org>
Thread-Topic: [tram] Allow TURN to forward inbound connectivity checks without permission
Date: Tue, 20 Mar 2018 15:07:56 +0000
Message-ID: <BN6PR16MB142571E36A8B89196CB7B080EAAB0@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <CANO7kWDd8NZ=svBONwzo6sE5YH3Y5MAdWFP2CQMiTg7M-b47AQ@mail.gmail.com> <c9ef837c-bf7c-decb-9542-8a9ddeda67fd@akamai.com> <E3AB81FC-D841-47A6-A0E2-775461779770@mozilla.com> <CANO7kWA4tmK7Di59tsjvCBoDdh-jW83FxMpqQH1-iSPGLS=mpA@mail.gmail.com> <8d57a9e5-5697-38f5-1b85-bf55930c6461@akamai.com>
In-Reply-To: <8d57a9e5-5697-38f5-1b85-bf55930c6461@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/m6fdSGHJZ-zXwIOAgCslBAHP7Bo>
Subject: Re: [tram] Allow TURN to forward inbound connectivity checks without permission


> -----Original Message-----
> From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Brandon Williams
> Sent: Tuesday, March 20, 2018 3:02 PM
> To: Simon Perreault <sperreault@jive.com>; Nils Ohlmeier
> <nohlmeier@mozilla.com>
> Cc: Cullen Jennings <fluffy@cisco.com>; Eric Rescorla <ekr@rtfm.com>;
> tram@ietf.org
> Subject: Re: [tram] Allow TURN to forward inbound connectivity checks without
> permission
> 
> On 03/20/2018 06:07 AM, Simon Perreault wrote:
> > Same opinion here. The point of permissions is to prevent TURN clients
> > from being able to run generic servers. It seems like always allowing
> > STUN packets would preserve this feature while solving the session
> > establishment latency problem. And would be quite a bit simpler to
> > implement than ufrag perms. Have your cake, eat it, and eat it a
> > second time.
> 
> If you want to prevent someone from running a server on the allocation you
> can't assume that a STUN-looking packet is actually legitimate, so some
> additional validations would be required. Perhaps packet size, rate-limiting, and
> max session counts are enough.

The TURN server can also check for the presence of username and MI in the
STUN packets.

-Tiru

> 
> ufrag permissions didn't do enough to be more meaningful there, since it would
> be easy to post the ufrag somewhere public via a mechanism similar to dynamic
> DNS.
> 
> --Brandon
> 
> 
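As an added example that is not part of this thread and not taken from any TURN implementation, the following Python sketches the inbound policy being discussed: a peer covered by a CreatePermission entry is relayed as usual, while a peer without one is relayed only if its datagram parses as a STUN Binding request carrying USERNAME and MESSAGE-INTEGRITY and stays within the size, rate and session caps Brandon lists. The relay cannot verify the MESSAGE-INTEGRITY value itself, since it never holds the remote ICE password, so as in Tiru's remark the check is for presence only; the thresholds, addresses and credentials below are constructed values, and `build_binding_request` exists only to produce a realistic check to feed the policy.

```python
"""Inbound peer-datagram policy for a TURN relay (constructed example).

Permitted peers are relayed per RFC 5766; unpermitted peers are relayed only
when the datagram looks like an ICE connectivity check and passes the caps.
"""
import hashlib
import hmac
import os
import struct
from collections import deque

STUN_MAGIC_COOKIE = 0x2112A442
STUN_BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008

# Policy thresholds: constructed values for this example, not from any RFC.
MAX_STUN_CHECK_BYTES = 548          # conservative UDP payload size
MAX_CHECKS_PER_PEER_PER_WINDOW = 5
RATE_WINDOW_SECONDS = 1.0
MAX_UNPERMITTED_PEERS = 20


def parse_binding_request(data):
    """Return {attr_type: value} for a well-formed STUN Binding request, else None."""
    if len(data) < 20 or len(data) % 4:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    # First two bits zero, magic cookie present, length consistent with the datagram.
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or msg_len != len(data) - 20:
        return None
    if msg_type != STUN_BINDING_REQUEST:
        return None
    attrs, pos = {}, 20
    while pos < len(data):
        if pos + 4 > len(data):
            return None
        attr_type, attr_len = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            return None
        attrs[attr_type] = value
        pos += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
    return attrs


class RelayPolicy:
    """Per-allocation decision logic; `permissions` holds the peer IPs the
    client installed with CreatePermission."""

    def __init__(self, permissions=()):
        self.permissions = set(permissions)
        self.recent = {}                 # peer IP -> timestamps of forwarded checks
        self.unpermitted_peers = set()   # peers relayed without a permission

    def _within_rate(self, peer_ip, now):
        window = self.recent.setdefault(peer_ip, deque())
        while window and now - window[0] >= RATE_WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_CHECKS_PER_PEER_PER_WINDOW:
            return False
        window.append(now)
        return True

    def decide(self, peer_ip, data, now):
        """Return 'forward' or 'drop:<reason>' for one datagram from a peer."""
        if peer_ip in self.permissions:
            return "forward"             # ordinary permission-based relaying
        if len(data) > MAX_STUN_CHECK_BYTES:
            return "drop:too-large"
        attrs = parse_binding_request(data)
        if attrs is None:
            return "drop:not-stun-binding-request"
        if ATTR_USERNAME not in attrs or ATTR_MESSAGE_INTEGRITY not in attrs:
            return "drop:missing-username-or-message-integrity"
        if (peer_ip not in self.unpermitted_peers
                and len(self.unpermitted_peers) >= MAX_UNPERMITTED_PEERS):
            return "drop:too-many-unpermitted-peers"
        if not self._within_rate(peer_ip, now):
            return "drop:rate-limited"
        self.unpermitted_peers.add(peer_ip)
        return "forward"


def build_binding_request(username, password, transaction_id=None):
    """Constructed ICE-style check: USERNAME then MESSAGE-INTEGRITY, the HMAC-SHA1
    computed with the header length covering up to the end of the MI attribute
    (RFC 5389 section 15.4).  Short-term credential key is the password."""
    tid = transaction_id or os.urandom(12)
    uname = username.encode()
    attrs = struct.pack("!HH", ATTR_USERNAME, len(uname)) + uname + b"\x00" * (-len(uname) % 4)
    header = struct.pack("!HHI", STUN_BINDING_REQUEST, len(attrs) + 24, STUN_MAGIC_COOKIE) + tid
    digest = hmac.new(password.encode(), header + attrs, hashlib.sha1).digest()
    return header + attrs + struct.pack("!HH", ATTR_MESSAGE_INTEGRITY, 20) + digest


if __name__ == "__main__":
    policy = RelayPolicy(permissions={"198.51.100.7"})     # constructed addresses
    check = build_binding_request("remoteUfrag:localUfrag", "constructedPassword")
    print(policy.decide("203.0.113.9", check, 0.0))                      # forward
    print(policy.decide("203.0.113.9", b"GET / HTTP/1.1\r\n\r\n", 0.0))  # dropped
```

The order of the checks is deliberate: the size cap and the STUN parse are cheap and come first, the per-peer rate limit is only charged once a packet has passed them, and a peer is only counted against the session cap once a check is actually relayed, so junk traffic cannot exhaust the cap on its own.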