Re: [tram] Path Forward for STUN ORIGIN
Alan Johnston <alan.b.johnston@gmail.com> Wed, 26 August 2015 21:07 UTC
Return-Path: <alan.b.johnston@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 156351A8A66 for <tram@ietfa.amsl.com>; Wed, 26 Aug 2015 14:07:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GNPujNb8EYWg for <tram@ietfa.amsl.com>; Wed, 26 Aug 2015 14:07:07 -0700 (PDT)
Received: from mail-vk0-x231.google.com (mail-vk0-x231.google.com [IPv6:2607:f8b0:400c:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 283F91A888E for <tram@ietf.org>; Wed, 26 Aug 2015 14:07:07 -0700 (PDT)
Received: by vkm66 with SMTP id 66so95692641vkm.1 for <tram@ietf.org>; Wed, 26 Aug 2015 14:07:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=NCzOo/UtrhE23YWN8OZTdzq3tTPdA9rY7y8mvTN2sDU=; b=yJpvOmIJuhHSpgL4+tMEBx4is6Pmizbf/Z28kn/wuKFpAx8f29qYky/5CXQVPQ1N8c 4xG4Q3wxrg8t02yv0QLugPqYzHc/1v0QuBZH6DiTfOJbE5RyDottFKfshjIxM1u+02OI EKy4sAXAQko3QShJmfE5EPS1HBkUaYA0zgTaMDEMqUAd4q/UqXD7oOzZHWXCyjlRZJG8 uBIn0sZkLd76Tz/nAf5v0pGC/gO/54hw6Ww+i+PB3Qfc2UBIDU03HfPSbF+EJxRQmEaZ UUOYbpig6EkB8ZzoLzYUn8aMLBtsJr05sqUlEdHFieLRlaunM9OWh14q0WPA1jK72QGj zAQQ==
MIME-Version: 1.0
X-Received: by 10.52.187.196 with SMTP id fu4mr818250vdc.33.1440623226418; Wed, 26 Aug 2015 14:07:06 -0700 (PDT)
Received: by 10.31.153.206 with HTTP; Wed, 26 Aug 2015 14:07:06 -0700 (PDT)
In-Reply-To: <CALe60zCuFR-refCESNBTYDSypB6QviwKC7=Swh2OnHuXRx5=TA@mail.gmail.com>
References: <CAKhHsXGwB1vovKQYaGnoZ1MuzREbDA8cTp4sCePNc6=saKN5BA@mail.gmail.com> <CALe60zCuFR-refCESNBTYDSypB6QviwKC7=Swh2OnHuXRx5=TA@mail.gmail.com>
Date: Wed, 26 Aug 2015 16:07:06 -0500
Message-ID: <CAKhHsXFyK0VvyiVB+8XWuBhh2RpnLOa-DqnbjWiiuxxU8nF4TQ@mail.gmail.com>
From: Alan Johnston <alan.b.johnston@gmail.com>
To: Justin Uberti <justin@uberti.name>
Content-Type: multipart/alternative; boundary="bcaec548a4e9aa7b19051e3d3bcd"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/ssZk1nFwFkif8ljzvn8Wkq9xSVA>
Cc: "tram@ietf.org" <tram@ietf.org>, "draft-ietf-tram-stun-origin@tools.ietf.org" <draft-ietf-tram-stun-origin@tools.ietf.org>
Subject: Re: [tram] Path Forward for STUN ORIGIN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2015 21:07:10 -0000
Justin, It is an important question for the WG on whether ORIGIN is a useful solution to the use cases. Hopefully we'll get more feedback on this. Your comments seem mainly directed towards a solution for use case #2 below (REALM selection for TURN authentication), right? I'm not sure if use case #3 applies or not. I don't think OAuth helps with #1 or #4 or #5. I know we have discussed it before, but I also don't think that everyone believes that OAuth means that ORIGIN is no longer needed. There have been suggestions that a multi-tenanted TURN server using OAuth might still use ORIGIN. And using domain-specific USERNAME attributes sounds a bit like the problem that Martin mentioned of simply working around the approach. - Alan - On Tue, Aug 25, 2015 at 3:50 PM, Justin Uberti <justin@uberti.name> wrote: > Overall, I think most/all of the goals that ORIGIN is trying to accomplish > would be better handled by STUN OAuth ( > https://datatracker.ietf.org/doc/draft-ietf-tram-turn-third-party-authz/) > > Generally, it's not clear that ORIGIN is a great solution for any of the > use cases listed. > 1) is easily accomplished via oauth, without any of the restrictions > present here > 2) can be dealt with using other means (e.g. oauth, or supplying domain > info in USERNAME) > 3) is fairly weak control, and can be done better through oauth, or > domained USERNAMEs > > Of course, as noted by others, use of domained USERNAMEs creates a > quasi-ORIGIN value within the USERNAME attribute, which makes OAuth more > attractive. > > On Tue, Aug 25, 2015 at 12:57 PM Alan Johnston <alan.b.johnston@gmail.com> > wrote: > >> All, >> >> Based on feedback during IETF-93 in Prague, the authors of >> draft-ietf-stun-origin are looking for feedback on a possible path forward >> to solve the privacy/meta data issues and clear the DISCUSSes (see >> https://datatracker.ietf.org/doc/draft-ietf-tram-stun-origin/ballot/). >> There are two areas of feedback: Use Cases and Proposed Solution. >> >> Use Cases >> ======== >> >> First, we want to be sure that we are considering all the use cases for >> STUN ORIGIN. In the draft, three are described: >> >> 1. Logging of usage of STUN/TURN server. An operator of a STUN or TURN >> server would learn the Origin of the web, SIP, and XMPP users. >> >> 2. REALM selection for multi-tenanted TURN server. This avoids having to >> run multiple instances on different ports or IP addresses when more than >> one REALM is in use. >> >> 3. Service determination after authentication. Bandwidth or QoS policy >> can be applied, after authentication, based on the Origin. >> >> Also, the following use cases have also been discussed but are not in the >> draft >> >> 4. Authorization at border TURN server after authentication. An >> enterprise border TURN server can apply policy and allow usage for certain >> Origins (whitelist) or block usage of others (blacklist). >> >> 5. draft-jennings-behave-rtcweb-firewall-01 discusses how a firewall with >> STUN server could use ORIGIN in authorization decisions. >> >> Are there any other use cases we should consider? >> >> Possible Solution >> ============= >> >> The solution that was discussed in Prague that seems to be the best >> tradeoff between privacy and functionality is to only include ORIGIN >> information in a STUN or TURN request if the domain of the Origin matches >> the domain of the STUN or TURN server in the STUN or TURN URI. Since web >> and STUN and TURN run on different ports, and often will resolve to >> different IP addresses, a full host comparison is not possible. This >> proposal is not perfect: it does not provide perfect privacy for subdomains >> (e.g. sub1.example.com and sub2.example.com will match with this rule, >> even if they are separate entities. Of course, subdomain users could >> always register a new domain and point DNS records to their sub hoster.) >> >> In comparing this solution against the use cases above: >> >> 1. Allows logging of your own users on your own TURN server (or one that >> you setup DNS SRV records to point towards). Other users of your STUN or >> TURN server will not be identified by an Origin, but you will at least know >> if others are using your server. >> >> 2. Works for REALM selection as long as you use your own TURN server (or >> one that you setup DNS SRV records to point towards). >> >> 3. Again, works for service determination as long as you use your own >> TURN server (or one that you setup DNS SRV records to point towards). >> Having service-specific TURN credentials is another solution that doesn't >> rely on ORIGIN. >> >> 4. & 5. Does not seem provide a good solution for these use cases. >> >> Does this analysis make sense? >> >> Feedback most welcome so we can move forward with this draft. >> >> - Alan - >> >> >>
- [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN Tirumaleswar Reddy (tireddy)
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - analysis Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - how to … Cullen Jennings
- Re: [tram] Path Forward for STUN ORIGIN - refer p… Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Martin Thomson
- Re: [tram] Path Forward for STUN ORIGIN - how to … Alan Johnston
- Re: [tram] Path Forward for STUN ORIGIN Justin Uberti
- [tram] Oauth vs Origin [Was: Path Forward for STU… Justin Uberti
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Oleg Moskalenko
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Tirumaleswar Reddy (tireddy)
- Re: [tram] Oauth vs Origin [Was: Path Forward for… Brandon Williams