Re: [tram] stun-origin status==? Is it dead?
Mészáros Mihály <misi@niif.hu> Wed, 18 January 2017 14:49 UTC
Return-Path: <misi@niif.hu>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D7F0129466 for <tram@ietfa.amsl.com>; Wed, 18 Jan 2017 06:49:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HlYoBrYDxj89 for <tram@ietfa.amsl.com>; Wed, 18 Jan 2017 06:49:07 -0800 (PST)
Received: from linzer.ki.iif.hu (linzer.ki.iif.hu [193.224.163.7]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68E0B12985C for <tram@ietf.org>; Wed, 18 Jan 2017 06:49:07 -0800 (PST)
Received: from cirkusz.lvs.iif.hu (cirkusz.lvs.iif.hu [193.225.14.182]) by linzer.ki.iif.hu (Postfix) with ESMTP id D02494060F3; Wed, 18 Jan 2017 15:49:05 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at cirkusz.lvs.iif.hu
Received: from linzer.ki.iif.hu ([IPv6:::ffff:193.224.163.7]) by cirkusz.lvs.iif.hu (cirkusz.lvs.iif.hu [::ffff:193.225.14.72]) (amavisd-new, port 10024) with ESMTP id 6g8D482tiU1S; Wed, 18 Jan 2017 15:48:57 +0100 (CET)
Received: from [IPv6:2001:738:0:401:8476:a736:d2fd:5b66] (unknown [IPv6:2001:738:0:401:8476:a736:d2fd:5b66]) by linzer.ki.iif.hu (Postfix) with ESMTPSA id E33624060DF; Wed, 18 Jan 2017 15:48:55 +0100 (CET)
To: Alan Johnston <alan.b.johnston@gmail.com>
References: <d11e7647-2c3b-f9bd-1228-ac5532835b8b@niif.hu> <CAKhHsXGBXHO0pmtt9M_y96_2LPvwD=ASm84C2pXQNmzdy6qf4A@mail.gmail.com>
From: Mészáros Mihály <misi@niif.hu>
Message-ID: <9de5a4ca-95a2-7829-08ac-1610c9814c7b@niif.hu>
Date: Wed, 18 Jan 2017 15:48:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <CAKhHsXGBXHO0pmtt9M_y96_2LPvwD=ASm84C2pXQNmzdy6qf4A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------1855F8A9CF669E7FF33DBB06"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/qu4a80Ho3789f4bIjjIzrYnBt44>
Cc: deadbeef@webrtc.org, Oleg Moskalenko <mom040267@gmail.com>, juberti@webrtc.org, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] stun-origin status==? Is it dead?
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Harald Alvestrand <hta@google.com>
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 14:49:10 -0000
Hi Alan et al. Many thanks for your fast reply! Do you know any alternatives/workaround to use TURN server with multiple realms? What if a client sends in the first STUN request the preferred realm (which the client's username/credential belongs to) instead of the web origin? (In practice the Web ORIGIN is almost useless AFAIU for the TURN server, it is only used to map it to a realm.) Add a new attribute in STUN, e.g. "PREFERRED_REALM" So instead of sending origin, what if we add a new STUN attribute with the preferred REALM and so, if the client adds it to the first STUN request then the STUN/TURN server use this realm (instead of default realm) during the response with the nonce? (and may add a new optional attribute "realm" in stun/turn credential in WebRTC STUN/TURN iceServer to indicate for TURN server which realm the user credential belongs to.) This hopefully address the origin based too much info leakage. Could be the idea above a possible acceptable workaround way forward to continue work on multi domain turn? Any alternatives? What are Your thoughts? Thx, Misi 2017-01-18 14:39 keltezéssel, Alan Johnston írta: > Hi Misi, > > Yes, it is dead. While the mechanism is convenient, it leaks too much > meta-data so the working group abandoned the effort. > > - Alan - > > On Wed, Jan 18, 2017 at 3:45 AM, Mészáros Mihály <misi@niif.hu > <mailto:misi@niif.hu>> wrote: > > Hi, > > I am planning to build a multi realm TURN service that would use > multi realm feature in coturn. > > But I sadly realized that there was some for me not very clear > IETF concerns and somehow writing draft-ietf-tram-stun-origin has > been stopped.. > > I am wondering what is the WG position about this draft status and > future? > > I need this multi domain to avoid server duplication: > > * I need to use multi realm to reuse TURN servers and separate > user credential domains, to avoid TURN server duplication for > every realm in every region. > * If this origin way could not be fixed then then I don't see > any way to make a multi realm TURN service. > (coTURN name is based on this feature AFAIK.) > * If we don't send any information from client side that could > be use on coTURN side to identify user credential realm than > coTRUN multidomain feature could not be used at all.. :( > > I am wondering if you know what was the main concern about in > IESG/IETF tram? > > And if this is final or not? Could it be somehow work it out? > > Why is it a show stopper concern? > > Is it possible to make any workaround to make it possible to send > any realm related info to to turn server ? > > I read the connected tram list mails and the ballot > <https://datatracker.ietf.org/doc/draft-ietf-tram-stun-origin/ballot/>, > but still not clear for me the main concern, and the actual status. > > (The hardest concern was I think Stephen Farrell concerns, but I > feel it could be addressed.) > > Unfortunately I saw all WebRTC browsers stopped implementing it. > > * https://bugzilla.mozilla.org/show_bug.cgi?id=1123722 > <https://bugzilla.mozilla.org/show_bug.cgi?id=1123722> > * https://bugs.chromium.org/p/webrtc/issues/detail?id=4091#c10 > <https://bugs.chromium.org/p/webrtc/issues/detail?id=4091#c10> > > All in all I would like to know the reasons behind Justin statement: > > This feature is dead. We should plan to remove the code when convenient. > > I would like to turn it back if possible and find a way to make > multi realm TURN work. > > Any comments would be highly appreciated! > > Thanks, > Misi > > _______________________________________________ > tram mailing list > tram@ietf.org <mailto:tram@ietf.org> > https://www.ietf.org/mailman/listinfo/tram > <https://www.ietf.org/mailman/listinfo/tram> > >
- [tram] stun-origin status==? Is it dead? Mészáros Mihály
- Re: [tram] stun-origin status==? Is it dead? Alan Johnston
- Re: [tram] stun-origin status==? Is it dead? Mészáros Mihály
- Re: [tram] stun-origin status==? Is it dead? Simon Perreault
- Re: [tram] stun-origin status==? Is it dead? Mészáros Mihály
- Re: [tram] stun-origin status==? Is it dead? Jonathan Lennox
- Re: [tram] stun-origin status==? Is it dead? Harald Alvestrand
- Re: [tram] stun-origin status==? Is it dead? Mészáros Mihály