Re: [tram] Review of draft-johnston-tram-stun-origin-02
Oleg Moskalenko <mom040267@gmail.com> Thu, 05 June 2014 14:26 UTC
Return-Path: <mom040267@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24D6C1A016C for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 07:26:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.749
X-Spam-Level:
X-Spam-Status: No, score=-1.749 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d0zUZaqXyYPR for <tram@ietfa.amsl.com>; Thu, 5 Jun 2014 07:26:36 -0700 (PDT)
Received: from mail-pd0-x229.google.com (mail-pd0-x229.google.com [IPv6:2607:f8b0:400e:c02::229]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3EE8D1A0167 for <tram@ietf.org>; Thu, 5 Jun 2014 07:26:34 -0700 (PDT)
Received: by mail-pd0-f169.google.com with SMTP id w10so1157700pde.28 for <tram@ietf.org>; Thu, 05 Jun 2014 07:26:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=references:mime-version:in-reply-to:content-type :content-transfer-encoding:message-id:cc:from:subject:date:to; bh=nynNX0a7jdlJquX1d+gH+rsW8Dw/69KVTK6Es9drHhs=; b=UnYe2wuyR3xdAxAQvUlEN0NpJRgnUi0YRpUW6Ln6NyasmBa6TjAuSCTRtyVDmjzKIc 0nftqFmsD4XaA5ELfIK5RgVf1z3Pm6TtDjNmnNEuyl9xL30lLTupE8UakDXphqCA42Eg Nnck5qyC4TZG/QEmUf9R1ynQjKv8L+T5btitM34p5SacLSzoap6t4XPefL8X212q8xEK m+7H2NCDEDIbYrfpxzESBYnPY9qAfmjv9rPCdlUT/K9pcwGTkP0cfZLPyb+yJf8F1HhF s8TtFA5fGi2DLzfwMT5utpbf4rEvjXUHIzi/dPKMCnH54SD9IGh8uTmR1nsmC/YmSn1M 0Ovg==
X-Received: by 10.68.135.100 with SMTP id pr4mr10689444pbb.46.1401978387783; Thu, 05 Jun 2014 07:26:27 -0700 (PDT)
Received: from [172.17.17.106] (c-76-126-9-134.hsd1.ca.comcast.net. [76.126.9.134]) by mx.google.com with ESMTPSA id qj3sm23490561pbc.91.2014.06.05.07.26.25 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 05 Jun 2014 07:26:26 -0700 (PDT)
References: <5368BF90.2070307@getjive.com> <CAKhHsXFqvySLXqFddBCtYmosN=6GqrO7X_JDnFtqiA+C38x5ug@mail.gmail.com> <9F33F40F6F2CD847824537F3C4E37DDF17DE3241@MCHP04MSX.global-ad.net>
Mime-Version: 1.0 (1.0)
In-Reply-To: <9F33F40F6F2CD847824537F3C4E37DDF17DE3241@MCHP04MSX.global-ad.net>
Content-Type: multipart/alternative; boundary="Apple-Mail-68668793-D0EB-4E6B-B6F4-3439ACCFECA7"
Content-Transfer-Encoding: 7bit
Message-Id: <166C39DF-CA68-4C9C-8553-197C2C75B382@gmail.com>
X-Mailer: iPhone Mail (11D201)
From: Oleg Moskalenko <mom040267@gmail.com>
Date: Thu, 05 Jun 2014 07:26:21 -0700
To: "Hutton, Andrew" <andrew.hutton@unify.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/sKySV2ddg_65IjVDiNL9Y5HXph4
Cc: Alan Johnston <alan.b.johnston@gmail.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jun 2014 14:26:38 -0000
What would be the purpose of multiple origins ? Oleg > On Jun 5, 2014, at 7:19 AM, "Hutton, Andrew" <andrew.hutton@unify.com> wrote: > > Hi, > > I had another read through this draft and hope we can move this forward and adopt the draft soon. > > I only have one additional comment at this time and that is that I assume it should be possible for the client to include more than one origin in the Origin header field and if so the procedures around this should explained in the draft. > > Regards > Andy > > > > > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Alan Johnston > Sent: 07 May 2014 18:50 > To: Marc Petit-Huguenin > Cc: tram@ietf.org > Subject: Re: [tram] Review of draft-johnston-tram-stun-origin-02 > > Marc, > > Thanks for the review. See my comments below. > > - Alan - > > > On Tue, May 6, 2014 at 5:55 AM, Marc Petit-Huguenin <marcph@getjive.com> wrote: > A1. Intended Status: Informational > > Shouldn't this be Standard Track? > > > Yes. > > A2. Section 1, 2nd paragraph, last sentence: "as generating the response..." > > I do not think that the reason for no authentication for the NAT > Discovery Usage is because it is less work, but because there is no > resource to protect so adding more work does not make sense. > > > I disagree that there is *no* resource to protect. A STUN server might be minimal resources, but not none. If a simple authentication scheme were available, I'm sure some people would use it so they could minimize the cost of their server footprint by ensuring that only authenticated users were utilizing it. I will add some text pointing out that the minimal resources. > > A3. Section 1, 8th paragraph > > I do not think that the ORIGIN should be used to select the certificate > when (D)TLS is used. First it does not work with DANE, as when an SRV > (and probably NAPTR too, but that's undefined yet) RR redirects to a > different domain, the domain to be checked with is the host name, not > the service domain (see draft-ietf-dane-srv). For non-DANE cases, I > think that the correct way to select the certificate is to use SNI. > > The draft does not suggest that ORIGIN be used to select certificates - as Oleg pointed out it isn't possible. This paragraph was describing how RFC 6066 does not solve the problem, as had been suggested on the list. > > > So I would suggest to restrict the normative use of ORIGIN only to > select realms. > > A4. Section 2.2. ORIGIN attribute usage > > The text does not say if the ORIGIN attribute should/can be provided > after the authentication (i.e. refresh, data packets, etc...) > > Currently, the text says SHOULD include, for a conformant client. For logging, it has value even after the initial authentication. > > > A5. Section 2.2. Mandatory support for server > > How a TURN server that requires the usage of ORIGIN can signal this? > > > Right now there is no way to do this. I agree with Oleg that it is up to the server what to do if ORIGIN is no present. > > A6. Section 2. Other Usages > > I think that other STUN Usages should be listed after section 2.3: > > - Media Keep-Alive Usage (Section 20 of RFC5245) > - SIP Keep-Alive Usage (RFC 5626) > - NAT Behavior Discovery Usage (RFC 5780) > > > I'll take a look at these scenarios. I suspect that it would be a reasonable usage for client-to-server usages, but not for peer-to-peer usages. > > A7. Section 4, 3rd paragraph: "If the STUN MESSAGE-INTEGRITY attribute > is present, the contents of the ORIGIN attribute are integrity protected." > > Which never happen in the usages listed in the document: for section > 2.1, there is never an integrity protection, and for 2.2, the ORIGIN is > needed to select the realm, so the ORIGIN is sent before it can be > protected. Perhaps 2.2 should say that if ORIGIN was sent to select the > realm, it MUST be repeated at identical on the second Allocate (the one > that has an M-I) and that the server MUST reject it if it is not > identical to the first one. Not sure it matters though. > > > I agree that there is no integrity protection of the ORIGIN attribute (or any other attribute) until after authentication. However, ORIGIN can be used both before and after authentication. I'll review this text and make sure this is clear. I don't believe we need any special rules, as this applies to any STUN attribute. > > Nits > ---- > > - Section 2, 2nd paragraph: "The number used for the this in the ..." > > Does not parse. > > The middle "the" shouldn't be there. > > > -- > Marc Petit-Huguenin > Developer | Jive Communications, Inc. > Jive.com | marcph@getjive.com > > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram > > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram
- [tram] Review of draft-johnston-tram-stun-origin-… Marc Petit-Huguenin
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Alan Johnston
- Re: [tram] Review of draft-johnston-tram-stun-ori… Hutton, Andrew
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Hutton, Andrew
- Re: [tram] Review of draft-johnston-tram-stun-ori… Oleg Moskalenko
- Re: [tram] Review of draft-johnston-tram-stun-ori… Alan Johnston