Re: [tram] [Tsv-art] Tsvart last call review of draft-ietf-tram-turnbis-25

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 19 June 2019 14:31 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Joe Touch <touch@strayalpha.com>
CC: Magnus Westerlund <magnus.westerlund@ericsson.com>, "tsv-art@ietf.org" <tsv-art@ietf.org>, "draft-ietf-tram-turnbis.all@ietf.org" <draft-ietf-tram-turnbis.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, Brandon Williams <brandon.williams@akamai.com>, "tram@ietf.org" <tram@ietf.org>
Date: Wed, 19 Jun 2019 14:30:55 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/vypVfZ-rZ1OMcDOSosX9nLOmeQg>

Hi Joe,

I have added the following line to address your other comment:

Note that the server does not perform per-packet translation for TCP-to-UDP relaying and vice-versa. For TCP-to-UDP relaying from client to peer, the TURN server sets the DF field in the outgoing UDP packet based on the presence of DONT-FRAGMENT attribute in the TURN message. For UDP-to-TCP relaying from peer to client, the TURN server sets IP header fields in the TCP packets on a per-connection basis for the TCP connection.

Cheers,
-Tiru

From: Joe Touch <touch@strayalpha.com>
Sent: Wednesday, June 19, 2019 7:51 PM
To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>; tsv-art@ietf.org; draft-ietf-tram-turnbis.all@ietf.org; ietf@ietf.org; Brandon Williams <brandon.williams@akamai.com>; tram@ietf.org
Subject: Re: [Tsv-art] [tram] Tsvart last call review of draft-ietf-tram-turnbis-25

________________________________
Hi, Tiru,

You still appear to be ignoring the issue about implying per-packet adjustment of IP options and parameters during a TCP connection, in specific.

Joe


On Jun 19, 2019, at 6:24 AM, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>> wrote:

Hi Joe,

I have added the following lines to address your comment:

   TCP multi-path [RFC6824] is not supported by this version of TURN
   because TCP multi-path is not used by both SIP and WebRTC protocols
   [RFC7478] for media and non-media data.  If the TCP connection
   between the TURN client and server uses TCP-AO [RFC5925] or TLS, the
   client must secure application data (e.g. using SRTP) to provide
   confidentiality, message authentication and replay protection to
   protect the application data relayed from the server to the peer
   using UDP.  An attacker attempting to spoof in fake data is discussed in
   Section 20.1.4.  Note that TCP-AO option obsoletes TCP MD5 option.
   Unlike UDP, TCP without the TCP Fast Open extension [RFC7413] does
   not support 0-RTT session resumption.  The TCP user timeout [RFC5482]
   equivalent for application data relayed by the TURN is the use of RTP
   control protocol (RTCP).  As a reminder, RTCP is a fundamental and
   integral part of RTP.

Cheers,
-Tiru

From: Joe Touch <touch@strayalpha.com<mailto:touch@strayalpha.com>>
Sent: Tuesday, June 18, 2019 8:03 PM
To: Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>
Cc: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com<mailto:TirumaleswarReddy_Konda@McAfee.com>>; tsv-art@ietf.org<mailto:tsv-art@ietf.org>; draft-ietf-tram-turnbis.all@ietf.org<mailto:draft-ietf-tram-turnbis.all@ietf.org>; ietf@ietf.org<mailto:ietf@ietf.org>; Brandon Williams <brandon.williams@akamai.com<mailto:brandon.williams@akamai.com>>; tram@ietf.org<mailto:tram@ietf.org>
Subject: Re: [Tsv-art] [tram] Tsvart last call review of draft-ietf-tram-turnbis-25

________________________________

On Jun 18, 2019, at 6:47 AM, Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>> wrote:

[TR] The comment from Joe is: if TCP-AO is used, application data is authenticated in the TCP leg but the data can be faked when relayed from the server to the peer using UDP. I tried to address this comment by saying if secure application data (SRTP) is used, message authentication is available at the application layer even if UDP does not support an authentication option.
Sure, but this is equivalent to the case of TURN over TCP/TLS that also only has the security model to the middle. So pointing that aspect out is fine, but I think TURN is quite clear on that client to peer security is the responsibility of the end-to-end application using TURN. Like the statement in the third paragraph of 20.1.4:

   These attacks are more properly mitigated by application-layer
   authentication techniques.  In the case of real-time traffic, usage
   of SRTP [RFC3711] prevents these attacks.

FWIW, even with this statement, if you’re going to talk about preserving IP options and settings then it’s equally important to discuss how you preserve or interfere with TCP options and settings - and maybe other layers like TLS too - in the same place in the document.

It’s not just whether this is a security issue; it’s that the semantics are broken in half.

Joe
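The sentence Tiru proposes at the top of this thread says the DF bit of the relayed UDP packet follows the presence of the DONT-FRAGMENT attribute in the TURN Send indication, not any per-packet IP state of the client's TCP connection. The following Python is an added illustration of that rule, not code from the draft or from any TURN implementation: it validates a STUN header, walks the attribute TLVs, and returns the peer address, payload and DF decision; the attribute codes are those of RFC 5389/5766, and the Send indication it parses is constructed inline for the demo.

```python
import socket
import struct

# Constants from RFC 5389 (STUN) and RFC 5766 (TURN).
MAGIC_COOKIE = 0x2112A442
SEND_INDICATION = 0x0016
ATTR_XOR_PEER_ADDRESS = 0x0012
ATTR_DATA = 0x0013
ATTR_DONT_FRAGMENT = 0x001A
COOKIE_BYTES = struct.pack("!I", MAGIC_COOKIE)


def build_send_indication(peer_ip, peer_port, data, dont_fragment):
    """Construct a Send indication (sample input for this demo, IPv4 only)."""
    xip = bytes(a ^ b for a, b in zip(socket.inet_aton(peer_ip), COOKIE_BYTES))
    xpeer = struct.pack("!BBH", 0, 0x01, peer_port ^ (MAGIC_COOKIE >> 16)) + xip
    attrs = struct.pack("!HH", ATTR_XOR_PEER_ADDRESS, len(xpeer)) + xpeer
    if dont_fragment:
        attrs += struct.pack("!HH", ATTR_DONT_FRAGMENT, 0)  # zero-length attribute
    attrs += struct.pack("!HH", ATTR_DATA, len(data)) + data
    attrs += b"\x00" * (-len(data) % 4)  # attributes are padded to 32 bits
    header = struct.pack("!HHI", SEND_INDICATION, len(attrs), MAGIC_COOKIE)
    return header + b"\x00" * 12 + attrs  # 12-byte transaction id (zeros here)


def parse_stun(msg):
    """Validate the 20-byte header and walk the TLV attribute list."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or length != len(msg) - 20 or length % 4:
        raise ValueError("malformed STUN message")
    attrs, pos = {}, 20
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        attrs[atype] = value
        pos += 4 + (alen + 3) // 4 * 4  # skip value plus padding
    return msg_type, attrs


def relay_decision(msg):
    """Return (peer_ip, peer_port, payload, set_df) for a Send indication."""
    msg_type, attrs = parse_stun(msg)
    if msg_type != SEND_INDICATION:
        raise ValueError("not a Send indication")
    if ATTR_XOR_PEER_ADDRESS not in attrs or ATTR_DATA not in attrs:
        raise ValueError("Send indication lacks XOR-PEER-ADDRESS or DATA")
    xpeer = attrs[ATTR_XOR_PEER_ADDRESS]
    if xpeer[1] != 0x01:
        raise ValueError("IPv4 only in this demo")
    port = struct.unpack("!H", xpeer[2:4])[0] ^ (MAGIC_COOKIE >> 16)
    ip = socket.inet_ntoa(bytes(a ^ b for a, b in zip(xpeer[4:8], COOKIE_BYTES)))
    # DF on the outgoing UDP packet is decided per TURN message, by the attribute alone.
    return ip, port, attrs[ATTR_DATA], ATTR_DONT_FRAGMENT in attrs
```

A real server would additionally check that a permission exists for the peer and that it supports DONT-FRAGMENT before honouring the attribute.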