Re: [tram] Path Forward for STUN ORIGIN
Alan Johnston <alan.b.johnston@gmail.com> Wed, 26 August 2015 20:59 UTC
Return-Path: <alan.b.johnston@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 989791B2F00 for <tram@ietfa.amsl.com>; Wed, 26 Aug 2015 13:59:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9BFax0SXcf-i for <tram@ietfa.amsl.com>; Wed, 26 Aug 2015 13:59:07 -0700 (PDT)
Received: from mail-vk0-x22e.google.com (mail-vk0-x22e.google.com [IPv6:2607:f8b0:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D2911B2FE1 for <tram@ietf.org>; Wed, 26 Aug 2015 13:59:07 -0700 (PDT)
Received: by vkd66 with SMTP id 66so95633614vkd.0 for <tram@ietf.org>; Wed, 26 Aug 2015 13:59:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=7oxQi9Mm2ULFQj4t1g8LyvisTjkAHI26TSm7jVvM5kc=; b=OfhatbFGloGu2Drkfd8TXrDO9PMH9hA03nLFi22Qgx0P57Xo1PgiojjT8jx6Fr3i6w WF0JDGcg0tCISr3JYLH8RxH3CAYPnL6IVOAhigdcqitQ5RJHU3IglOjdVM8JQXU93C9T 5WoG7/WK31xWuglEgNfEk+Rsq4TGgmBBNXIbybjhZ0aMzJRJ6ZRC3sHEgA0/y+P29sm+ pfxQJNsIB0T0fMnAA6YDZ6ByeRv1zOs7t/Hfac+H+bhjlVLuPmvWL5NRHPgKrgs/9eTl 71mwf1ZNM+J18IxneD9o8HGP4K/wOQfiZm8BUvXKTboEVatgyvIshl5P3dhKHKVam8qY rvYA==
MIME-Version: 1.0
X-Received: by 10.52.227.73 with SMTP id ry9mr776780vdc.82.1440622746386; Wed, 26 Aug 2015 13:59:06 -0700 (PDT)
Received: by 10.31.153.206 with HTTP; Wed, 26 Aug 2015 13:59:06 -0700 (PDT)
In-Reply-To: <CABkgnnVef2voSb1i_uKZPjSimYw7Zxooh5wZh=ZmnuLeFj0Hrw@mail.gmail.com>
References: <CAKhHsXGwB1vovKQYaGnoZ1MuzREbDA8cTp4sCePNc6=saKN5BA@mail.gmail.com> <CABkgnnVef2voSb1i_uKZPjSimYw7Zxooh5wZh=ZmnuLeFj0Hrw@mail.gmail.com>
Date: Wed, 26 Aug 2015 15:59:06 -0500
Message-ID: <CAKhHsXHjR+-y1w7XgnC+zFTHG-HRGRYAdN0g8mFjumGTnO-xSw@mail.gmail.com>
From: Alan Johnston <alan.b.johnston@gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="089e01176cf30dc92e051e3d1f2c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/mmjTb93_stlokPzztSpI1_PqMiA>
Cc: "tram@ietf.org" <tram@ietf.org>, "draft-ietf-tram-stun-origin@tools.ietf.org" <draft-ietf-tram-stun-origin@tools.ietf.org>
Subject: Re: [tram] Path Forward for STUN ORIGIN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2015 20:59:10 -0000
Hi Martin, This is a very interesting idea - thanks for raising it. Looking at the referrer-policy document, the proposal here is essentially a default global policy of "origin-only" except not quite as strict. The idea of the STUN or TURN URI suggesting the policy which would be enforced by the browser is an interesting one. Since the application STUN or TURN server is provided by the JavaScript, it effectively means the WebRTC web page would set the policy for inclusion of ORIGIN. I'm trying to think if this makes sense or not in this context. I guess the privacy leakage goes both ways - the STUN or TURN server operator learns about the WebRTC site that the user is using, and it also learns which WebRTC sites are being used. We have mainly been thinking about privacy for the first case, not the second case. Having the WebRTC application decide if ORIGIN should be shared with the STUN or TURN server does provide privacy for the second case Having user agent (i.e. browser user interface) controls for ORIGIN would provide privacy for the first case. Of course, there is still the issue of what to do if the STUN TURN server requires ORIGIN but the user doesn't provide it. The referrer-policy document doesn't make any judgements on the various policy levels it defines. Is the "origin-only" policy considered privacy friendly in HTTP, or is it considered harmful? Do any browsers provide referrer-policy user interface controls? If so, I wonder what the default setting would be? But if the HTTP experience is that the Referrer header field was just that it was a bad idea to begin with, then perhaps we should pay attention to that... - Alan - On Tue, Aug 25, 2015 at 3:41 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > I'm wondering here whether this might be advised by similar work in the > area. > > ORIGIN is analogous to the HTTP Referer [sic] header field. There, > the damage was done long ago, and we aren't sure that it can be fixed. > After several attempts to reduce the information that we expose by > default, I think that browser vendors are basically resigned to status > quo (at least for now). That's the cautionary aspect of this > discussion that we have to be aware of. > > However, what advises this is the secondary controls browsers are > providing for controlling use of Referer. See referrer policy [1]. > All this is driven by a simple principle: if we see an explicit signal > that a site wants to share Referer, then we include it for them. This > is based on the realization that if we don't do this, they will find > another way to exfiltrate the data. Usernames and passwords being the > obvious channels available for TURN, but I'll observe that there are > no winners if you force people to resort to hacks to get the > information they need or think they need. > > Maybe all we need to do here is recognize that we need to provide > adequate controls. Make it clear that you expect someone else (hello > browser vendors) to apply the policies. If a TURN server is > configured with a special flag (call it "includeOrigin" for argument's > sake), then we might send the ORIGIN attribute. Then, I think that > the concerns raised around privacy can be addressed by having ORIGIN > omitted by default. Privacy-preserving by default is perhaps the most > relevant concern here. > > I realize that this might be less than ideal for you because it means > talking to a whole new set of people over @w3.org, but I think that > option is likely to be less cumbersome than your proposed solution. > > [1] http://w3c.github.io/webappsec/specs/referrer-policy/ > > On 25 August 2015 at 12:57, Alan Johnston <alan.b.johnston@gmail.com> > wrote: > > All, > > > > Based on feedback during IETF-93 in Prague, the authors of > > draft-ietf-stun-origin are looking for feedback on a possible path > forward > > to solve the privacy/meta data issues and clear the DISCUSSes (see > > https://datatracker.ietf.org/doc/draft-ietf-tram-stun-origin/ballot/). > > There are two areas of feedback: Use Cases and Proposed Solution. > > > > Use Cases > > ======== > > > > First, we want to be sure that we are considering all the use cases for > STUN > > ORIGIN. In the draft, three are described: > > > > 1. Logging of usage of STUN/TURN server. An operator of a STUN or TURN > > server would learn the Origin of the web, SIP, and XMPP users. > > > > 2. REALM selection for multi-tenanted TURN server. This avoids having to > > run multiple instances on different ports or IP addresses when more than > one > > REALM is in use. > > > > 3. Service determination after authentication. Bandwidth or QoS policy > can > > be applied, after authentication, based on the Origin. > > > > Also, the following use cases have also been discussed but are not in the > > draft > > > > 4. Authorization at border TURN server after authentication. An > enterprise > > border TURN server can apply policy and allow usage for certain Origins > > (whitelist) or block usage of others (blacklist). > > > > 5. draft-jennings-behave-rtcweb-firewall-01 discusses how a firewall with > > STUN server could use ORIGIN in authorization decisions. > > > > Are there any other use cases we should consider? > > > > Possible Solution > > ============= > > > > The solution that was discussed in Prague that seems to be the best > tradeoff > > between privacy and functionality is to only include ORIGIN information > in a > > STUN or TURN request if the domain of the Origin matches the domain of > the > > STUN or TURN server in the STUN or TURN URI. Since web and STUN and TURN > > run on different ports, and often will resolve to different IP > addresses, a > > full host comparison is not possible. This proposal is not perfect: it > does > > not provide perfect privacy for subdomains (e.g. sub1.example.com and > > sub2.example.com will match with this rule, even if they are separate > > entities. Of course, subdomain users could always register a new domain > and > > point DNS records to their sub hoster.) > > > > In comparing this solution against the use cases above: > > > > 1. Allows logging of your own users on your own TURN server (or one that > you > > setup DNS SRV records to point towards). Other users of your STUN or > TURN > > server will not be identified by an Origin, but you will at least know if > > others are using your server. > > > > 2. Works for REALM selection as long as you use your own TURN server (or > one > > that you setup DNS SRV records to point towards). > > > > 3. Again, works for service determination as long as you use your own > TURN > > server (or one that you setup DNS SRV records to point towards). Having > > service-specific TURN credentials is another solution that doesn't rely > on > > ORIGIN. > > > > 4. & 5. Does not seem provide a good solution for these use cases. > > > > Does this analysis make sense? > > > > Feedback most welcome so we can move forward with this draft. > > > > - Alan - > > > > > > > > _______________________________________________ > > tram mailing list > > tram@ietf.org > > https://www.ietf.org/mailman/listinfo/tram > > >
- [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Tirumaleswar Reddy (tireddy)
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - analysis Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - how to … Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Justin Uberti
- [tram] Oauth vs Origin [Was: Path Forward for STU… Justin Uberti
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Oleg Moskalenko
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Tirumaleswar Reddy (tireddy)
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams