Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Wed, 15 April 2015 16:06 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7DCDD1B2C98; Wed, 15 Apr 2015 09:06:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x19LRH605Teo; Wed, 15 Apr 2015 09:06:26 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FF9F1B2BCB; Wed, 15 Apr 2015 09:06:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5144; q=dns/txt; s=iport; t=1429113987; x=1430323587; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=cqMKFRfTWpcH6Mg2PYWtIsQfqEs1gk+yQsRIxviC+Jo=; b=OlHS7oieTeike7WqtBWEML07YVaKYtvCfzsA2ozrcpKbacN02mHP7ay9 srbZw9ydBZJ9NwTpgg4QaDwntVLIT86rWUTHZbieAE5LsiVNqDjmO7Mh7 RKD1T2FAST6qtOslDRbRlXEVpGtzoHEpgrTzb8GvGe5NEIIFAN6xRUSha Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BUBQDJiy5V/4wNJK1cgwyBLgWDEMFniEECHIEfTAEBAQEBAX6EIAEBAQQjEUUMBgEIEQQBAQECAgYZBAMCBDAUAQgJAQQBDQUIiCKvFZYAAQEBAQEBAQEBAQEBAQEBAQEBAQEBF4EhigqEMRoWGw2CYi+BFgWRDoYlhQmDN4JmjTUigjOBPG+BRH8BAQE
X-IronPort-AV: E=Sophos;i="5.11,582,1422921600"; d="scan'208";a="412080481"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by rcdn-iport-5.cisco.com with ESMTP; 15 Apr 2015 16:06:26 +0000
Received: from xhc-rcd-x12.cisco.com (xhc-rcd-x12.cisco.com [173.37.183.86]) by alln-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id t3FG6PMP023794 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 15 Apr 2015 16:06:25 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.220]) by xhc-rcd-x12.cisco.com ([173.37.183.86]) with mapi id 14.03.0195.001; Wed, 15 Apr 2015 11:06:25 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Brandon Williams <brandon.williams@akamai.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)
Thread-Index: AdB3ljKzAA33GpUaTLec5SjFMg7ybg==
Date: Wed, 15 Apr 2015 16:06:24 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A4120E55C@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.73.110]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/oK_jBEASskx7paaIB0V-d7ok7js>
Cc: "tram-chairs@ietf.org" <tram-chairs@ietf.org>, "tram@ietf.org" <tram@ietf.org>, "draft-ietf-tram-turn-third-party-authz@ietf.org" <draft-ietf-tram-turn-third-party-authz@ietf.org>, "gonzalo.camarillo@ericsson.com" <gonzalo.camarillo@ericsson.com>, "draft-ietf-tram-turn-third-party-authz.ad@ietf.org" <draft-ietf-tram-turn-third-party-authz.ad@ietf.org>, "draft-ietf-tram-turn-third-party-authz.shepherd@ietf.org" <draft-ietf-tram-turn-third-party-authz.shepherd@ietf.org>
Subject: Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Apr 2015 16:06:28 -0000
> -----Original Message----- > From: Brandon Williams [mailto:brandon.williams@akamai.com] > Sent: Tuesday, April 14, 2015 6:36 PM > To: Tirumaleswar Reddy (tireddy); Stephen Farrell; The IESG > Cc: tram-chairs@ietf.org; tram@ietf.org; draft-ietf-tram-turn-third-party- > authz@ietf.org; gonzalo.camarillo@ericsson.com; draft-ietf-tram-turn-third- > party-authz.ad@ietf.org; draft-ietf-tram-turn-third-party- > authz.shepherd@ietf.org > Subject: Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third- > party-authz-13: (with DISCUSS and COMMENT) > > On 04/10/2015 11:07 PM, Tirumaleswar Reddy (tireddy) wrote: > >> -----Original Message----- > >> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] > >> Sent: Saturday, April 11, 2015 1:08 AM > >> To: The IESG > >> Cc: tram-chairs@ietf.org; tram@ietf.org; > >> draft-ietf-tram-turn-third-party- authz@ietf.org; > >> gonzalo.camarillo@ericsson.com; draft-ietf-tram-turn-third- > >> party-authz.ad@ietf.org; draft-ietf-tram-turn-third-party- > >> authz.shepherd@ietf.org > >> Subject: Stephen Farrell's Discuss on > >> draft-ietf-tram-turn-third-party-authz- > >> 13: (with DISCUSS and COMMENT) > >> > >> > >> (2) Please consider whether a signature based scheme that does not > >> require pre-shared keys between the TURN and (in particular) WebRTC > >> server could be useful to support. (Either in this document or > >> elsewhere.) There should be use cases where that offers sufficient > >> accountability for use of TURN and it ought allow some deployments > >> that are less easy with this kind of pre-shared keys approach. The > >> DISCUSS here is to check if the WG want to take that approach, either > now or later. > > > > Passive attacks could occur in TURN due to lack of integrity protection. For > example, a passive attacker could monitor Allocate request/response > between the client and TURN server and make a Refresh request with a > requested lifetime of 0 to delete the allocation. Message integrity of TURN > messages ensures that passive attacker cannot spoof subsequent TURN > messages. > > > > I think Stephen was thinking primarily about cases with (D)TLS involved > between the UA and the STUN server. If there's already a security layer then > perhaps it's enough to prove that the auth server approved the > communication and it's OK to skip STUN integrity protection altogether. > My experience suggests that even in a case where (D)TLS isn't involved some > application providers will not consider the risk of skipping STUN HMACs big > enough to justify doing it. Got it, thanks. > > > >> - 9: Figure 2 should be way up at the top of the document and not > >> here > > > > In the previous versions it was in the top of the document but moved > down after comments received from the WG that WebRTC is only an > example usage of third party authorization. > > A few people from outside the WG have commented on having trouble > following the flow of the document on their first read, primarily due to the > lack of a high-level picture early in the document. Moving section 9 back up > toward the top of the document would help by giving readers such a high- > level overview early on. The discussion might need to be generalized a bit in > order to serve this purpose, but comments we've received on the > document's usability indicate that this change would be helpful. Section 9 is specific to TURN and the ask from the WG is to discuss it in a separate section after third party authorization with STUN protocol is explained. -Tiru > > --Brandon > > -- > Brandon Williams; Senior Principal Software Engineer Emerging Products > Engineering; Akamai Technologies Inc.
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Brandon Williams
- [tram] Stephen Farrell's Discuss on draft-ietf-tr… Stephen Farrell
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Oleg Moskalenko
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Oleg Moskalenko
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Salz, Rich
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Martin Thomson
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Oleg Moskalenko
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Oleg Moskalenko
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Brandon Williams
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Brandon Williams
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Martin Thomson
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Oleg Moskalenko
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Martin Thomson
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Oleg Moskalenko
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Martin Thomson
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Oleg Moskalenko
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Brandon Williams
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Brandon Williams
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Brandon Williams
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Salz, Rich
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Salz, Rich
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Salz, Rich
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Spencer Dawkins at IETF
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Spencer Dawkins at IETF
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Tirumaleswar Reddy (tireddy)
- Re: [tram] Stephen Farrell's Discuss on draft-iet… Salz, Rich