IETF Logo Mail Archive

Re: [tram] Comments on draft-patil-tram-turn-serv-selection-00

Justin Uberti <juberti@google.com> Mon, 12 January 2015 20:23 UTC

Return-Path: <juberti@google.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D66D91ACDEE for <tram@ietfa.amsl.com>; Mon, 12 Jan 2015 12:23:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.788
X-Spam-Level:
X-Spam-Status: No, score=-0.788 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_44=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B0i0muhnWqQ8 for <tram@ietfa.amsl.com>; Mon, 12 Jan 2015 12:23:28 -0800 (PST)
Received: from mail-ig0-x22e.google.com (mail-ig0-x22e.google.com [IPv6:2607:f8b0:4001:c05::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF5121ACDE9 for <tram@ietf.org>; Mon, 12 Jan 2015 12:23:27 -0800 (PST)
Received: by mail-ig0-f174.google.com with SMTP id hn15so13434339igb.1 for <tram@ietf.org>; Mon, 12 Jan 2015 12:23:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=suB8dw5XDQhaldJqjVGDtNw9+gILw+avSWoNJQV1M7w=; b=PASe2aVScLWh+c4QOVq42Ev78+gZtaiNNtCjNMMNkDOsxtKbrqKXoMcRAJ/n4RBkC+ mXKgUO2fcPCTx1/pL3JDxMahmrvsNW8mCjDqS7nMyAXMG7+iutpt+p5F1KfIwqH7w1+E /DWoZpf4Nlb19gjTVBQHiarBS0JMObeTl7D+OrT9aeA4zn7UhEdxsjQb+EmF7DpNu/nJ s8kGyvhivH9wEjouGQS3LMts+++jx/3YEYbKORml65R111fR3VpLR6qdoJzxakQajskx c9vtddAHEAf0Bgw2mF9XpEAA2uGImWtHE3jdzjzyaefOtaLeGT3WoG2xBr9WbJZ1PLEN gC8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=suB8dw5XDQhaldJqjVGDtNw9+gILw+avSWoNJQV1M7w=; b=Giyg8Zn8NGnWoYtmuxE20+e5R3viv/LXmvfupgr4ckvGindJG31uvZdpwKZZabaX00 KORa5GQ0mJbHy7t8VCbp/6ZHRLFCe0wQnAxLsSJpDE6YtBQSd+mCz3PwHI1kVo59NevL awvbH1Tzh16hiilE/LzexFBC/YggLbH7q4HhZhGmRVspHfJO7FyBeoNgjw7KRkau7jn8 uE0l+QwKh6dYpSA3wUjOIL/VtPkUBmitMilCxbGAxrxtV1r3AWDqYLVn6+8C8delN/sS bpHUt6xM2X7OMX1gNdqhgcyYdLVFa8g7UjaXS9cLt1noohpWC00YhCziqveLmgqQ0Rxz Lprw==
X-Gm-Message-State: ALoCoQmAq7fX7YlqNZoSeiuKUUdd10raukYBPiG0htcIkJorrb50WXtYqPm2HkISKUy6Wxs6eU61
X-Received: by 10.51.18.99 with SMTP id gl3mr16877401igd.6.1421094206959; Mon, 12 Jan 2015 12:23:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.64.59.40 with HTTP; Mon, 12 Jan 2015 12:23:06 -0800 (PST)
In-Reply-To: <00d301d02e31$9f79a8d0$de6cfa70$@org.cn>
References: <913383AAA69FF945B8F946018B75898A3552A606@xmb-rcd-x10.cisco.com> <00d301d02e31$9f79a8d0$de6cfa70$@org.cn>
From: Justin Uberti <juberti@google.com>
Date: Mon, 12 Jan 2015 12:23:06 -0800
Message-ID: <CAOJ7v-3UvAV6HWYWQOJoHmiMmMvGUsRCjOeF+aNFHBBokTg8KQ@mail.gmail.com>
To: Aijun Wang <wangaijun@tsinghua.org.cn>
Content-Type: multipart/alternative; boundary="001a1134b4fc664bf0050c7a476f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/uttO5DTZXpIz1JiNSkOFiEHGfkk>
Cc: "tram@ietf.org" <tram@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Subject: Re: [tram] Comments on draft-patil-tram-turn-serv-selection-00
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jan 2015 20:23:32 -0000

On Sun, Jan 11, 2015 at 10:32 PM, Aijun Wang <wangaijun@tsinghua.org.cn>
wrote:

> Hi,
>
>
>
> Do you refer to the draft
> http://www.ietf.org/id/draft-schwartz-rtcweb-return-04.txt as RETURN
> draft? This draft describes only TURN-in-TURN, not TURN-to-TURN. It does
> not describe the situation that the communication peers select the
> different public TURN server, and need the TURN server to relay the app
> data(TURN to TURN).
>

That is just normal UDP.

>
>
> In situation that mentioned in RETURN draft, Why not to let ICE or App
> Server to select the appropriate TURN server(corporate private TURN server
> or public TURN server) based on the information of the two communication
> parts? This can even eliminate the solution of  RETURN:  two peer will use
> the corporate TURN server when they are both within corporate, and will use
> the public TURN server when one of them is located outside the corporation?
>

a) The TURN server isn't needed when both endpoints are within the
enterprise. The TURN server sits on the enterprise border, and is used for
inter-enterprise traffic.
b) The public TURN server may not be reachable from the enterprise. This is
why the corporate TURN server is needed on the border.
c) The app may require use of its own TURN server for location privacy
purposes, so both TURN servers may be used in this case.

This is all spelled out in
https://tools.ietf.org/html/draft-schwartz-rtcweb-return-04#section-1.

>
>
> Best Regards.
>
>
>
>
>
> *From:* Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
> *Sent:* Monday, January 12, 2015 1:35 PM
> *To:* Aijun Wang; 'Justin Uberti'
> *Cc:* tram@ietf.org
> *Subject:* RE: [tram] Comments on draft-patil-tram-turn-serv-selection-00
>
>
>
> As Justin has pointed out we will be updating the draft with more details
> on the decisions that could be made by ICE and the application to select
> the TURN server. TURN-in-TURN communication is already explained in RETURN
> draft.
>
>
>
> -Tiru
>
>
>
> *From:* tram [mailto:tram-bounces@ietf.org <tram-bounces@ietf.org>] *On
> Behalf Of *Aijun Wang
> *Sent:* Monday, January 12, 2015 7:08 AM
> *To:* Tirumaleswar Reddy (tireddy); 'Justin Uberti'
> *Cc:* tram@ietf.org
> *Subject:* Re: [tram] Comments on draft-patil-tram-turn-serv-selection-00
>
>
>
> Hi, Reddy and Justin:
>
>
>
> I suggest the TURN server selection should be made by ICE, not the client
> itself.  This can eliminate the needs for the communication between
> different TURN server that selected by communication peer. ICE has more
> information about the communication situation, and is suitable to make this
> decision.
>
>
>
> There are several issues needed to be solved when the communication peers
> select the different TURN server, for example, how to find the second TURN
> server, what is the communication mechanism between different TURN servers,
> the channel connection among different data segments: client/first TURN
> server, first TURN server/second TURN server, and second TURN server/peer
> etc.
>
>
>
> Best Regards.
>
>
>
> *From:* tram [mailto:tram-bounces@ietf.org <tram-bounces@ietf.org>] *On
> Behalf Of *Tirumaleswar Reddy (tireddy)
> *Sent:* Sunday, January 11, 2015 1:40 PM
> *To:* Justin Uberti
> *Cc:* tram@ietf.org
> *Subject:* Re: [tram] Comments on draft-patil-tram-turn-serv-selection-00
>
>
>
> Inline [TR]
>
>
>
> *From:* Justin Uberti [mailto:juberti@google.com <juberti@google.com>]
> *Sent:* Sunday, January 11, 2015 2:17 AM
> *To:* Tirumaleswar Reddy (tireddy)
> *Cc:* tram@ietf.org
> *Subject:* Re: [tram] Comments on draft-patil-tram-turn-serv-selection-00
>
>
>
>
>
>
>
> On Fri, Jan 9, 2015 at 7:38 PM, Tirumaleswar Reddy (tireddy) <
> tireddy@cisco.com> wrote:
>
> Hi Justin,
>
>
>
> Enterprise-provided TURN server cannot provide location privacy may not be
> always true. For example Enterprise network could use TURN server provided
> by a cloud service and the user needs to know that the Enterprise TURN
> server can provide location privacy and not proceed with TURN-in-TURN.
>
>
>
> We will have to discuss if TURN server can advertise that it can provide
> location privacy in a new attribute or this info can be conveyed
> out-of-band (e.g. PAC).
>
>
>
> The other problem not discussed in the draft is, what if the user wants
> privacy against the calling site and let’s say uses Tor for privacy. In
> this scenario app TURN server must not be selected.
>
>
>
> RETURN handles this situation fine, since the traffic will be routed
> through the network-provided TURN server before being routed to the app
> TURN server. Of course, if the application does not try to provide location
> privacy, only the network-provided TURN server will be used.
>
>
>
> [TR] But the problem is how will the endpoint how if network-provided TURN
> server can provide location privacy or not ?
>
>          TURN server can convey this information in a new STUN attribute
> to the client.
>
>
>
> However, I think the user is much more likely to trust the application
> than its network provider to provide privacy protection.
>
>
>
> [TR] User may or may not trust the application server.
> https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-10 discusses
> users using privacy techniques like Tor so that app server does not learn
> the user's IP address. The Poker example given in the above draft explains
> that the users in the call do not trust the calling service. In this case
> IdP ensures that even if malicious calling service replaces the media
> addresses with its own addresses  and replaces the certificate fingerprint
> in SDP with its own certificate, IdP assertion would ensure that the Poker
> site cannot act as  man-in-middle device. In this scenario user may not
> want to pick app provided TURN server.
>
>
>
> -Tiru
>
>
>
>
>
>
>
> *From:* tram [mailto:tram-bounces@ietf.org] *On Behalf Of *Justin Uberti
> *Sent:* Friday, January 09, 2015 4:04 AM
> *To:* tram@ietf.org
> *Subject:* [tram] Comments on draft-patil-tram-turn-serv-selection-00
>
>
>
> At IETF 91, I promised to send feedback on this document, so here goes.
>
>
>
> Generally, I think many of the issues mentioned in this document are
> important, but the recommendations are confusing and possibly
> contradictory; a developer with little knowledge of TURN will have a hard
> time figuring out exactly what to do. Furthermore, many of the properties
> discussed in this document are dynamic, and should be handled by the ICE
> process, rather than in TURN server selection (for example, the notion of
> RTT as it relates to user experience).
>
>
>
> Therefore, I think this document should take a stronger stance and put
> forth explicit best practices for selection (as opposed to "things to
> consider"), for non-dynamic properties, and leave the decisions on dynamic
> properties to be resolved by ICE.
>
>
>
> For example, I think we should omit the text in Section 3 about what to do
> with non-working TURN servers, and measuring RTT. Same for Section 3.3,
> which also discusses RTT, and Section 3.4, which talks about multiple
> interfaces. This can all be handled by ICE.
>
>
>
> In addition, the sections on local config and location privacy are
> unnecessary when RETURN is used. When RETURN is used, the application can
> always use the app TURN server for location privacy, and the relationship
> between local TURN server and app TURN server is fully spelled out, so
> there is nothing for the application to decide on.
>
>
>
> This leaves only the Security, Authentication, and Mobility sections.
>
>
>
> For security, I think we can give some clear guidance on what applications
> should do. For security, I think the guidance should be to use only DTLS +
> TLS, if both are available, with fallback to UDP or TCP if DTLS or TLS
> aren't available. If privacy is paramount, UDP/TCP fallback may be
> contraindicated, but at this point in time, DTLS deployment isn't
> widespread enough to truly recommend this.
>
>
>
> This relates to the Authentication section - but I think any failures to
> authenticate the server cert should cause the TURN allocation to fail. This
> is just like any other misconfiguration on the TURN server - there's no
> reason we should even allow use of TURN servers whose cert chains don't
> validate. So, this section could probably be removed.
>
>
>
> Lastly, the Mobility section says that if "all other parameters [are]
> equal", a TURN server with mobility should be used. Clearly, all other
> parameters will not be equal (e.g. RTT), and even if they were, the client
> has no way to know if a server is mobility-capable a priori. So I think
> this recommendation ought to be removed, or perhaps turned into some sort
> of recommendation for TURN server developers (e.g. TURN servers SHOULD
> support TLS/DTLS, SHOULD support mobility, SHOULD support redirect),
> probably in a separate doc.
>
>
>
> These recommendations should reduce the size of this document and provide
> much clearer advice to app developers.
>
>
>

v2.23.0 | Report a Bug | By Email