IETF Logo Mail Archive

Re: [tram] Fwd: New Version Notification for draft-johnston-tram-stun-origin-03.txt

Alan Johnston <alan.b.johnston@gmail.com> Mon, 30 June 2014 18:56 UTC

Return-Path: <alan.b.johnston@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 688D81A040F for <tram@ietfa.amsl.com>; Mon, 30 Jun 2014 11:56:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DxPRR-Ri2Yka for <tram@ietfa.amsl.com>; Mon, 30 Jun 2014 11:55:59 -0700 (PDT)
Received: from mail-wi0-x235.google.com (mail-wi0-x235.google.com [IPv6:2a00:1450:400c:c05::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AACB01A03FD for <tram@ietf.org>; Mon, 30 Jun 2014 11:55:58 -0700 (PDT)
Received: by mail-wi0-f181.google.com with SMTP id n3so6556977wiv.14 for <tram@ietf.org>; Mon, 30 Jun 2014 11:55:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5DeNh8uMR6Z7nlyLj2n7sJcaalCwjiorRgNNh8/QPb0=; b=0m/qEXuTYgYjgwrV6k8LukpLLrFE12+F6XAdRAjz/n2rA6JIY9cRJZKMn2D787CZ8G UrmMCS2DPDe/VYRyNXLOi0+B266I44o1iBUkavPUknu5v4Ic3aZ/mPPQuR4+baMO6Gg7 4tt8z6GbbSYbbzN6uKLf60bDPvT8gMNlv8RK335bw/8aDt6BH1MNhCmTT+f41BXe9h28 mNAYNwWr73tThz5oryfKP24e/4/epCUn4xh4WEoIX7GvWrv+pUOO+gcNgT/7JpUmEg/Y igPWsO5C43NYw0HZa13OhoJeqwoDKmtfXfWw45fb8RxBXyUbjLC7CsuZfvw5mHXD+7LN MoSg==
MIME-Version: 1.0
X-Received: by 10.194.133.67 with SMTP id pa3mr4636279wjb.134.1404154557201; Mon, 30 Jun 2014 11:55:57 -0700 (PDT)
Received: by 10.217.152.200 with HTTP; Mon, 30 Jun 2014 11:55:57 -0700 (PDT)
In-Reply-To: <913383AAA69FF945B8F946018B75898A282E82BC@xmb-rcd-x10.cisco.com>
References: <20140628165007.32702.46107.idtracker@ietfa.amsl.com> <CAKhHsXGc_SGo1MSNXJvNL8wt51G8Hs4yOyVt6vh83RKiHpoO1Q@mail.gmail.com> <913383AAA69FF945B8F946018B75898A282E82BC@xmb-rcd-x10.cisco.com>
Date: Mon, 30 Jun 2014 13:55:57 -0500
Message-ID: <CAKhHsXEJ5qpyGRL7psQAx8pmfBQoYP=bLMsjndHzOFwY1tqkQA@mail.gmail.com>
From: Alan Johnston <alan.b.johnston@gmail.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Content-Type: multipart/alternative; boundary="089e012281a697848104fd1235e6"
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/oZK243ba4kO0PLkz2tKJrPjKP40
Cc: "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Fwd: New Version Notification for draft-johnston-tram-stun-origin-03.txt
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jun 2014 18:56:02 -0000

Hi Tiru,

Thanks for the close reading - see my comments below.

- Alan -


On Mon, Jun 30, 2014 at 1:13 PM, Tirumaleswar Reddy (tireddy) <
tireddy@cisco.com> wrote:

>  Hi Alan,
>
>
>
> My comments:
>
>
>
> [1] Security Considerations:
>
>
>
> Comment> You may want to add that If (D)TLS is used then STURN ORIGIN
> attribute cannot be modified by an intermediary.
>
>
Right.  I'll point this out.


>
>
> [2] This information is often available in other messages sent by the
> browser, such as DNS or HTTP requests.
>
>
>
> Comment>  Yes, but all these problems will most likely be addressed in
> future.  DNSOP WG is discussing various mechanisms for DNS privacy like DNS
> over (D)TLS and HTTP/2.0 mandates TLS.  New TLS extensions are discussed in
> TLS WG to encrypt TLS handshake for privacy reasons
>
>
>

Right.  I can soften this a bit to say "This information can be available
in other messages sent by the browser, such as DNS or HTTP request, unless
those protocols are using encryption."



>  [3] Section 2.4 ICE usage
>
>
>
> Comment> You may also say that for consent checks (
> http://tools.ietf.org/html/draft-ietf-rtcweb-stun-consent-freshness-04),
> STUN ORIGIN attribute is not required.
>
>
>
Agreed.  This is an extension to ICE, so I think it still counts as an ICE
usage, but I think it is worth saying explicitly.


>  [4] 2.4. ICE Usage
>
>
>
> Comment> Any specific reason to say "NOT RECOMMENDED" ? why not say "MUST
> NOT use ORIGIN attribute" ?
>
>
I think NOT RECOMMENDED, effectively SHOULD NOT, is the right level here.
 There is no harm done (i.e. it doesn't cause any interop failures or
issues) if it is included, and we may come up with use cases in the future.
 I think ICE stacks should be prepared to receive an ORIGIN attribute, and
should just ignore it.

>
>
> [5] Senders MAY include multiple ORIGIN attributes in a request, and
> receivers MUST support parsing and receiving multiple ORIGIN attributes.
>
>
>
> Comment> If path MTU is unknown then STUN messages over IPv4 would need to
> be less than 548 bytes (Section 7.1 of [RFC5389]). Sender must use this
> length restriction to limit the number of ORIGIN attributes in the STUN
> request.
>
>
>

Good point.  I'll mention that including multiple Origin attributes
increases the size of STUN packets.

 [6]   STUN defines three authentication modes, depending on the STUN usage.
>
>
>
> Comment> There are only two authentication modes !
>
>
Well, there are three described in this paragraph: short term credential,
long term credential, and no credential (NULL).  I can make this clearer in
the text.

>
>
> [7] Suggest to split Introduction, have a separate section to discuss the
> problem.
>
>
>
Yes, it is a bit large.  Some of this text, I think, can probably be
dropped, as it discusses alternative approaches which aren't described in
the document.  I can reorganize or condense.


>  [8] In addition to explicitly provisioning the realm value in the java
> script the other problem is exposing the user credentials to the
> JavaScript.
> http://tools.ietf.org/html/draft-reddy-tram-turn-third-party-authz-02
> addresses this problem.
>
>
>
Sure, this draft does nothing to solve that problem - it only addresses the
multi-realm issue.


>  Thanks and Regards,
>
> -Tiru
>
>
>
>
>
> *From:* tram [mailto:tram-bounces@ietf.org] *On Behalf Of *Alan Johnston
> *Sent:* Saturday, June 28, 2014 10:35 PM
> *To:* tram@ietf.org
> *Subject:* [tram] Fwd: New Version Notification for
> draft-johnston-tram-stun-origin-03.txt
>
>
>
> All,
>
>
>
> We have updated the STUN Origin draft.  The major changes relate to:
>
>
>
> 1. Adding sections on media keep-alive and SIP keep-alive usages
>
> 2. Adding a section on multiple origins
>
> 3. Adding a section on Implementation Status about the open source
> implementations of the browser and STUN/TURN server that support the ORIGIN
> attribute
>
> 4. Clarified integrity protection of the attribute in the Security
> Considerations section.
>
>
>
> These changes are based on all recent reviews and mailing list comments.
>
>
>
> As always, comments are most welcome!
>
>
>
> - Alan -
>
>
>
> ---------- Forwarded message ----------
> From: <internet-drafts@ietf.org>
> Date: Sat, Jun 28, 2014 at 11:50 AM
> Subject: New Version Notification for
> draft-johnston-tram-stun-origin-03.txt
> To: Kundan Singh <kundan10@gmail.com>, Alan Johnston <
> alan.b.johnston@gmail.com>, John Yoakum <yoakum@avaya.com>, Justin Uberti
> <justin@uberti.name>
>
>
>
> A new version of I-D, draft-johnston-tram-stun-origin-03.txt
> has been successfully submitted by Alan Johnston and posted to the
> IETF repository.
>
> Name:           draft-johnston-tram-stun-origin
> Revision:       03
> Title:          An Origin Attribute for the STUN Protocol
> Document date:  2014-06-28
> Group:          Individual Submission
> Pages:          13
> URL:
> http://www.ietf.org/internet-drafts/draft-johnston-tram-stun-origin-03.txt
> Status:
> https://datatracker.ietf.org/doc/draft-johnston-tram-stun-origin/
> Htmlized:
> http://tools.ietf.org/html/draft-johnston-tram-stun-origin-03
> Diff:
> http://www.ietf.org/rfcdiff?url2=draft-johnston-tram-stun-origin-03
>
> Abstract:
>    STUN, or Session Traversal Utilities for NAT, is a protocol used to
>    assist other protocols traverse Network Address Translators or NATs.
>    STUN, and STUN extensions such as TURN, or Traversal Using Relays
>    around NAT, and ICE, Interactive Communications Establishment, have
>    been around for many years but with WebRTC, Web Real-Time
>    Communications, STUN and related extensions are about to see major
>    deployments and implementation due to these protocols being
>    implemented in browsers.  This specification defines an ORIGIN
>    attribute for STUN that can be used in similar ways to the HTTP
>    header field of the same name.  WebRTC browsers utilizing STUN and
>    TURN would include this attribute which would provide servers with
>    additional information about the STUN and TURN requests they receive.
>    This specification defines the usage of the STUN ORIGIN attribute for
>    web and SIP contexts.
>
>
>
>
> Please note that it may take a couple of minutes from the time of
> submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>

v2.23.0 | Report a Bug | By Email