Re: [tram] Path Forward for STUN ORIGIN - how to match

[Cullen Jennings <fluffy@iii.ca>]

I think this is close to the right solution but it is different than what I thought we talking about in the room. So I'm basically on board with this approach but think it needs a bit of tweaking ... More inline ...


> On Aug 25, 2015, at 1:57 PM, Alan Johnston <alan.b.johnston@gmail.com> wrote:
> 
> 
> Possible Solution
> =============
> 
> The solution that was discussed in Prague that seems to be the best tradeoff between privacy and functionality is to only include ORIGIN information in a STUN or TURN request if the domain of the Origin matches the domain of the STUN or TURN server in the STUN or TURN URI.  Since web and STUN and TURN run on different ports, and often will resolve to different IP addresses, a full host comparison is not possible.  This proposal is not perfect: it does not provide perfect privacy for subdomains (e.g. sub1.example.com and sub2.example.com will match with this rule, even if they are separate entities.  Of course, subdomain users could always register a new domain and point DNS records to their sub hoster.)
> 

I think we are having some confusions over what we mean by domain in this context. So lets say the TURN URL is

turn:acme.example.com

In the meeting when people said domain, I was thinking acme.example.com and I think you were thinking example.com.  

Probably the word we should use is "host" as defined in RFC 7065 to mean acme.example.com. Let me define "label" as the things between the . in the host. So the above example is a list of three labels, acme, example, com with the com being called the "top" end of the list and the acme being the "last" end of the list. 

I think there are three match policies people might  argue for

A) match only the top two labels

B) match all the the labels except the last 

C) match all the labels

So in the A case, if the browser was at a web site acme.example.com, the origin would be sent if the stun/turn server was stun.examle.com but not if it was stun.org. The problem with this is that if website is facebook.com.uk and the stun / turn server is anything in com.uk, then the origin is sent and that is not really what we wanted. 

So in the B case, if the website is example.com, then we match any stun server in .com which is probably not what we wanted. 

In the case of C, imagine a website called example.com that wants to run it's TURN and STUN and web on different servers. It would configure an DNS SRV record to point at it STUN server, another for the TURN server and perhaps a CNAME to point at the the web server. It might even be outsourcing the TURN server to some other provider that provides TURN for lots of domains on the same server. The only thing this domain needs to do to outsource it is provide the DNS entry. 

I could live with A,B, or C, but I think that C provides the best privacy, is the easiest to understand, and meets the requirements so I favor a match rule where we match the whole host found in the TURN or STUN URI to the host part of the HTTP ORIGIN. I don't care about matching if the origin is secure or not or ports.