Re: [tram] Comments on draft-ietf-tram-stun-bis-01
Marc Petit-Huguenin <petithug@acm.org> Thu, 19 March 2015 11:14 UTC
Return-Path: <petithug@acm.org>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEC691A897D for <tram@ietfa.amsl.com>; Thu, 19 Mar 2015 04:14:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.236
X-Spam-Level:
X-Spam-Status: No, score=-1.236 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dwJFm1nRSQhL for <tram@ietfa.amsl.com>; Thu, 19 Mar 2015 04:14:22 -0700 (PDT)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id D139A1A8974 for <tram@ietf.org>; Thu, 19 Mar 2015 04:14:21 -0700 (PDT)
Received: from [IPv6:2602:43:2da:6400:f9c1:b626:6a91:92e2] (unknown [IPv6:2602:43:2da:6400:f9c1:b626:6a91:92e2]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (Client CN "Marc Petit-Huguenin", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 34F6B203C1; Thu, 19 Mar 2015 12:14:20 +0100 (CET)
Message-ID: <550AAF8A.9080205@acm.org>
Date: Thu, 19 Mar 2015 05:14:18 -0600
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Icedove/31.5.0
MIME-Version: 1.0
To: Alan Johnston <alan.b.johnston@gmail.com>, "tram@ietf.org" <tram@ietf.org>
References: <CAKhHsXEcvr8W7qk3Czx1E+DqqVOk_8V_+Bn3ZB5yjXdf=7aGJQ@mail.gmail.com>
In-Reply-To: <CAKhHsXEcvr8W7qk3Czx1E+DqqVOk_8V_+Bn3ZB5yjXdf=7aGJQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/q6ubQbdilr52ACASchix31PckFo>
Subject: Re: [tram] Comments on draft-ietf-tram-stun-bis-01
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2015 11:14:23 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Thank for the comments. See my answers inline. On 03/17/2015 08:11 AM, Alan Johnston wrote: > All, > > Here are some comments on STUNbis. Minor comments are listed below, but > the most important one is listed here: > > Does the use of salted SHA256 for passwords match up with what is planned > for SIP? See: > > https://tools.ietf.org/html/draft-yusef-sipcore-digest-scheme > > Does H(A1) match up? Also, I'm not aware if this draft is moving forward: > > https://tools.ietf.org/html/draft-veltri-sip-alt-auth It is not, which is sad because I find it better than draft-yusef-sipcore-digest-scheme. It also fits better with STUN where the hash algorithm (SHA-1 and now SHA256) has been split off the password hash algorithm (MD5) from the beginning. draft-yusef-sipcore-digest-scheme does not even talk about the password algorithm, continuing the (I think) rather bad idea of linking the two together. I put salted SHA256 as an example of the kind of password hash algorithm we could use, but I'll let the WG decide on what they prefer. > > while the other one is under active discussion in SIPCORE and HTTPAUTH - > see https://tools.ietf.org/html/draft-ietf-httpauth-digest-update > > I think it is important that STUNbis is aligned with the changes to digest > being worked on in SIP and HTTP. > > - Alan - > > Shouldn't STUNbis reference ICEbis instead of ICE? It's an informational reference, so I have no problem in referencing ICEbis. Will fix in -03. > > I presume "obMatJos2" is just a random string used to indicate support for > STUNbis - it might be worth stating this in 9.2.3. Generated with apg. I'll add some text. > > Section 11 Backwards Compatibility with RFC 3489: do we really need to > still be backwards compatible? Is anyone still using RFC 3489 that hasn't > upgraded? Do we leave ourselves open to any downgrade attacks by doing so? This has already be changed in -02 to "backwards compatibility with RFC 5389". > > Section 14 says only first of multiple attributes are processed. (“Any > attribute type MAY appear more than once in a STUN message. Unless > specified otherwise, the order of appearance is significant: only the first > occurrence needs to be processed by a receiver, and any duplicates MAY be > ignored by a receiver.”) I guess this rules out multiple ORIGIN > attributes, which is fine since we had chosen that path forward. However, > this means that no future STUN attributes can really appear more than > once. Do we need to emphasize this more? I think that the intent was that a future attribute may be defined as supporting to be inserted multiple times, and this rule just makes parsing a STUN packet more resilient (i.e. do not reject a STUN packet because there is more than one instance of a specific attribute). I would leave the text as it is. > > In Section 14.2 what are the x's in |x x x x x x x x|? That's a good question. I supposed that should all 0's. Will change it in -03. > > The text in Section 15.3. Hash Agility Plan seems to be out of date now. Why? > > Section 17.5 says “The UDP port is not currently defined; however, it is > reserved for future use.” What port? The port is in fact allocated now. I will fix the text in -03. > > The change log says that STUNbis normatively references > draft-ietf-tram-stun-origin, but I don't see it listed in the references. > Perhaps a mention of ORIGIN in section 9.2 or 9.2.3 would be good, too. > Section 6.1 of -02. - -- Marc Petit-Huguenin Email: marc@petit-huguenin.org Blog: http://blog.marc.petit-huguenin.org Profile: http://www.linkedin.com/in/petithug -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJVCq+JAAoJECnERZXWan7EjecQAL3y56oBKz88Ac34tPyG3VG3 jrsiCkzy5V8uAiK6/4xYM1SFSz7w7P0DkmVL0JexMroOhD44BeDIPmsXZQdbnwpI Uf7IFwrLUd2fF4OD9hgMEC8sXM50Uvs2JZp6XvJoT9tCbjlB7vQGF3h/l9R+29Rz y1UibiVHfTLs7X6uyKLHJdWqCItkkDJG5qNlRx6sRfofP9a/AkeRZ1KhXr0EqauG ZNOQ/U19ufKppp5QXWPS98UrpeIyAXrTY8M1Ar65Sm4Qpqo2BTgMZrN1jwyW1MiE rHU1gQ1tyQ1dXDsPbPJBINQC7IKq77aKO33qqd9QIYB/Fu7qj3pFuhwcpug7EqGF q7r4lc8H7jfmbmuFghnmTrfIpza/3uD1TW24gExTonUPzyYTVwYrxgJ7AkzgKcT8 W60kDpaYqKE9GK5To9BRG9iC6S2TzEGp98G5TDcudX4t2Cw0+YjgWr1vNEyOrN0g eYegQTusc5qqDoXgov2QKLmBM2huaqrOE3RSNtIJEN6fupyM2xSS+4m22F8cBzv4 hW1yZNhPvqGrlXMfxi6U1e3g3umkEw34nggQzBxkhpah3aTeEmlkqJo35RJt9jrf jFdRYWz4PbWyPnT+7quPMMsaNjVoOmsy8khcaVtsYaWk3rN+YuI8AK/70zJFGoFY 8IVBW1QuZIEVj38XX0Mn =93pO -----END PGP SIGNATURE-----
- [tram] Comments on draft-ietf-tram-stun-bis-01 Alan Johnston
- Re: [tram] Comments on draft-ietf-tram-stun-bis-01 Marc Petit-Huguenin
- [tram] Sync STUN and SIP auth Simon Perreault
- Re: [tram] Sync STUN and SIP auth Marc Petit-Huguenin
- Re: [tram] Sync STUN and SIP auth Alan Johnston