IETF Logo Mail Archive

Re: [tram] First post

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Tue, 19 November 2013 12:26 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7C441ADF67 for <tram@ietfa.amsl.com>; Tue, 19 Nov 2013 04:26:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.026
X-Spam-Level:
X-Spam-Status: No, score=-10.026 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GxvwNeQ2dInK for <tram@ietfa.amsl.com>; Tue, 19 Nov 2013 04:26:43 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) by ietfa.amsl.com (Postfix) with ESMTP id D5EAE1ADF72 for <tram@ietf.org>; Tue, 19 Nov 2013 04:26:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9646; q=dns/txt; s=iport; t=1384863997; x=1386073597; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=+YFUdkfTjddGBh4OmtFum4Rvtz17ImYn8pIOCx8M7yw=; b=OM3ggcFLfgWwwufRgX/0D4Bt6vxsBXbkOxxGwAl7ueS519z5rtGNZ0hC Mu2jeY3YyGBGGqI7+/LcdphcKzzmqhNIU9oBk05RoUsfTLBdrHPrALHc8 l3JSXn6iAP4JkxXmhZNieGxIWJxntM45a1I0pCyPFh73rOVikLv9khElx s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhIFAO9Xi1KtJXHA/2dsb2JhbABZgwc4U78/gR8WdIIlAQEBBAEBASRHCxACAQgOAwMBAQELAgkSByEGCxQJCAIECgQFCIdnAw8NuH8NiTkXjGOBMhN+MQcGBIMWgRIDiQqNHYMaiyaFOIMogWgCHgYc
X-IronPort-AV: E=Sophos;i="4.93,729,1378857600"; d="scan'208";a="577703"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by alln-iport-3.cisco.com with ESMTP; 19 Nov 2013 12:26:36 +0000
Received: from xhc-aln-x01.cisco.com (xhc-aln-x01.cisco.com [173.36.12.75]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id rAJCQa39007973 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 19 Nov 2013 12:26:36 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.47]) by xhc-aln-x01.cisco.com ([173.36.12.75]) with mapi id 14.03.0123.003; Tue, 19 Nov 2013 06:26:35 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Oleg Moskalenko <mom040267@gmail.com>
Thread-Topic: [tram] First post
Thread-Index: AQHO4nrNOeLu8IlzsEisOVsWZS4tvJon2dyA//+cN3CAA33uAIABi2gQ
Date: Tue, 19 Nov 2013 12:26:34 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A24267B37@xmb-rcd-x10.cisco.com>
References: <CALDtMrK5X4euTOwwdGJNkOGEar1KdCXpZvOnR-MgJfnY1LzAKg@mail.gmail.com> <C17C5187-E20D-4AF5-97D2-B63ABCB2E298@cisco.com> <913383AAA69FF945B8F946018B75898A24264EF5@xmb-rcd-x10.cisco.com> <CALDtMrJW1-6vvkgREWdb-J3p3n2pM9UfULiaqGWMEQeq9Arikw@mail.gmail.com> <913383AAA69FF945B8F946018B75898A24265484@xmb-rcd-x10.cisco.com> <CALDtMrJqpef=i_OQJfLiTAmpMKG_M6ut9YEzhCXKVFTqvMJMtQ@mail.gmail.com>
In-Reply-To: <CALDtMrJqpef=i_OQJfLiTAmpMKG_M6ut9YEzhCXKVFTqvMJMtQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.68.20.108]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Simon Perreault <simon.perreault@viagenie.ca>, "tram@ietf.org" <tram@ietf.org>, Justin Uberti <juberti@google.com>
Subject: Re: [tram] First post
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2013 12:26:45 -0000

Hi Oleg,

Please see inline [TR]

From: tram-bounces@ietf.org [mailto:tram-bounces@ietf.org] On Behalf Of Oleg Moskalenko
Sent: Monday, November 18, 2013 12:19 PM
To: Tirumaleswar Reddy (tireddy)
Cc: Simon Perreault; pcp@ietf.org; tram@ietf.org; Justin Uberti
Subject: Re: [tram] First post

Dan and Tiru,
while contemplating the MICE implementation, I stumbled upon a potential problem in the MICE draft.
According to the section 5.2.2, the server compares the encoded NONCE with the stored NONCE for the "old" 5-tuple session. But the problem is, a NONCE may expire. Its possible to have an expiration time for the NONCE (an enhanced security feature). In a non-mobility TURN implementation, that creates no problem: the server simple sends 438 error (stale nonce) back to the client together with the new generated NONCE value, and the client just re-calculates and re-sends the request.
With wording in the section 5.2.2, that becomes rather complicated in the mobility case. I am not sure that I understand the exact action sequence when the session NONCE expires with mobility feature.
I think that the problem can be fixed if the draft would not include wording about the MOBILE-TICKET internal structure. In one place it is saying that the ticket is opaque and implementation-dependent; but in other places it suggests how the ticket must be constructed and how it must be encoded. I think that this is unnecessary. Let's just say that the ticket is opaque and its structure has meaning only for the server - and that the server uses it as a unique identifier.
I see no reason why the server must encode any meaningful information in the ticket, like 5-tuple and NONCE. That's totally up to the server. The server, for example, may just keep a hashtable with all that information and the ticket may be just a random unique key in that table. As we are using message integrity authentication anyway, and the ticket is transferred openly over the Internet, the ticket does not create any new level of defense. This is, basically, just a session ID - to match the "old" session with the "new" session.

[TR] Agreed with your assessment will update the draft accordingly.

Thanks and Regards,
-Tiru.

A similar approach is used in RFC 6062. They are solving a similar logical task: they are matching a new client network endpoint with an existing TURN session. They also are using a ticket, but they do not encode any information in it - that is just an opaque unique string. For protection, they also are validating the MESSAGE INTEGRITY. And they have no problem with the NONCE expiration because there is no NONCE encoded in the ticket.

Let me know please what do you think about that.

Thanks
Oleg
  





On Sun, Nov 17, 2013 at 5:36 AM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:
Hi Oleg,
 
It has some similarities but is a lot different from PCP third party authorization. For example for TURN the Authorization Server will be providing session key, MAC algorithm etc which is not required with the PCP third party authorization.  There are various other differences like PCP server would need to communicate with the Authorization Server to determine the token bound authorization data  (like the number of mappings permitted, flow characteristics allowed etc) which may not be required with TURN authorization.  PCP-controlled Firewall will most likely be in the same administrative domain as the endpoint but that may not be true with TURN. 
 
we are working on the details and will have something concrete in couple of weeks.
 
Cheers,
-Tiru.
From: tram-bounces@ietf.org [mailto:tram-bounces@ietf.org] On Behalf Of Oleg Moskalenko
Sent: Saturday, November 16, 2013 12:56 PM
To: Tirumaleswar Reddy (tireddy)
Cc: Simon Perreault; tram@ietf.org; Justin Uberti

Subject: Re: [tram] First post
 
Tiru, I suppose that will be similar to this draft:

http://tools.ietf.org/html/draft-wing-pcp-third-party-authz-01
That would be a significant addition to the TURN server.
Regards,
Oleg
 
 
On Fri, Nov 15, 2013 at 7:20 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:
Hi Oleg,

I am co-author of the MICE, draft-reddy-behave-turn-auth drafts and we are interested in TURN evolution. Justin and we are working on TURN Extension for Third Party Authorization using OAuth which will address some of the problems discussed in above draft.

Cheers,
-Tiru.

From: Oleg Moskalenko <mom040267@gmail.com>
Subject: Re: [tram] First post
Date: November 15, 2013 11:01:24 AM PST
To: Simon Perreault <simon.perreault@viagenie.ca>
Cc: <tram@ietf.org>

MMUSIC has an interesting draft on TURN mobility (MICE) that I am watching and I am going to implement. I wonder whether the authors of the draft may be interested in the TURN evolution.

On Fri, Nov 15, 2013 at 10:55 AM, Simon Perreault <simon.perreault@viagenie.ca> wrote:
All,

Any objection against sending the following to rtcweb, pntaw, and behave? Any other lists that should be included?

Simon

====================

All,

A few of us have been working on a proposal for a new working group that would focus on enhancements to STUN and TURN. The proposed name is TRAM (Turn Revised And Modernized) and discussion is happening in <tram@ietf.org>.
Subscribe link: <https://www.ietf.org/mailman/listinfo/tram>

Here is the charter we have been working on. If you would like to comment and/or get involved, please do so on the TRAM mailing list.

Simon (and many others!)
Turn Revised And Modernized (tram)
----------------------------------

Traversal Using Relays around NAT (TURN) was published as RFC 5766 in April
2010.  Until recently the protocol had only a rather limited deployment.  This
is primarily because its primary use case is as one of the NAT traversal
methods of the Interactive Connectivity Establishment (ICE) framework (RFC
5245).  This inherent dependency on ICE combined with the fact that ICE itself
was slow to achieve widespread adoption because other alternative mechanisms
were historically used by the VoIP industry were the causes of the initial
lack of interest.  This situation has changed drastically as ICE, and
consequently TURN, are mandatory to implement in WebRTC, which is a set of
technologies developed at the IETF and W3C aiming to enable Real Time
Communication on the Web.

Because of the ubiquity of the Web and of the new opportunities created by the
arrival of WebRTC, there is a renewed interest in TURN and ICE, as evidenced by
the recent work updating the ICE framework, as well as standardizing the URIs
used to access a STUN [RFC7064] or TURN [RFC7065] server.

The goal of the TRAM Working Group is to consolidate the various initiatives
to update TURN and STUN, including the definition of new transport and
authentication mechanisms that make STUN and TURN more suitable for the WebRTC
environment.  The Working Group will closely coordinate with the appropriate
Working Groups, including RTCWEB, MMUSIC, and HTTPBIS.

The current list of deliverable is:

- DTLS transport for TURN

  Candidate draft: draft-petithuguenin-tram-turn-dtls

  TURN defines three transports: UDP, TCP, and TLS. A straightforward extension
  of this set is DTLS, enabling secure datagram-oriented transport.

- New authentication mechanism for TURN

  Problem analysis: draft-reddy-behave-turn-auth
  Candidate draft: draft-uberti-behave-turn-rest, OAuth has also been suggested

  The current authentication mechanism for TURN, which is reused from STUN, has
  been designed with a SIP account database in mind. The new RTCWEB usages,
  which are mostly based on web applications, do not fit that model. A new
  authentication mechanism optimized for such web applications will be created.

- TURN server auto-discovery mechanism for enterprise and ISPs

  Candidate draft: TBD

  Current TURN server discovery is based on the presence of SRV and/or NAPTR DNS
  records. These records are usually under the administrative control of the
  application or service provider, not the enterprise or the ISP on whose
  network the client is situated. Enterprises or ISPs wishing to provide their
  own TURN server, in an attempt to reduce so-called "triangle routing", need a
  new auto-discovery mechanism.

- STUN-bis

  Candidate draft: TBD

  A new revision of RFC 5389 will contain:

  - Various bug fixes
  - STUN hash algorithm agility (currently only SHA-1 is allowed)

- TURN-bis

  Candidate draft: TBD

  A new revision of RFC 5766 will contain:

  - Various bug fixes
  - Support for multi-tenant servers
    (Servers always send the same REALM attribute. No realm negotiation phase
     currently exists.)

Goals and Milestones:

[TBD]

--
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca
_______________________________________________
tram mailing list
tram@ietf.org
https://www.ietf.org/mailman/listinfo/tram

_______________________________________________
tram mailing list
tram@ietf.org
https://www.ietf.org/mailman/listinfo/tram
 

v2.23.0 | Report a Bug | By Email