Re: [tram] Adam Roach's Yes on draft-ietf-tram-turnbis-27: (with COMMENT)

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 10 July 2019 12:48 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FE4E1201AA for <tram@ietfa.amsl.com>; Wed, 10 Jul 2019 05:48:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id esnYXIkENsJ2 for <tram@ietfa.amsl.com>; Wed, 10 Jul 2019 05:48:00 -0700 (PDT)
Received: from us-smtp-delivery-210.mimecast.com (us-smtp-delivery-210.mimecast.com [216.205.24.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 45C50120153 for <tram@ietf.org>; Wed, 10 Jul 2019 05:47:56 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1562762178; h=ARC-Seal: ARC-Message-Signature:ARC-Authentication-Results: From:To:CC:Subject:Thread-Topic:Thread-Index: Date:Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-ms-exchange-purlcount:x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-ms-exchange-senderadcheck: x-microsoft-antispam-message-info:Content-Type: Content-Transfer-Encoding:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-CrossTenant-mailboxtype: X-MS-Exchange-CrossTenant-userprincipalname: X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Level: X-NAI-Spam-Threshold:X-NAI-Spam-Score:X-NAI-Spam-Version; bh=S4ZOrgv3S/qMXxPATjrxOXaelnm7l5vg/3KBQi PKozg=; b=eC97pau9w0IY94xi+f8TpEeNo6WE+YFJmRccTY7W UVSDbFiw+CCifoQ1g4Wm/PIqPXQZ5GY57GoYXEh4TVub9ahHB6 4lbT0b5Z1FhaLmixPRdvS00r0dw5uvZF8ziq7ncGMd4coLG5sS 7G7xfNqfreNvJj3XUEEKQYSxG8g9CsU=
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-137-CRZ7qwlHNQyp075D9M7vYw-1; Wed, 10 Jul 2019 08:46:48 -0400
Received: from DNVEXAPP1N05.corpzone.internalzone.com (DNVEXAPP1N05.corpzone.internalzone.com [10.44.48.89]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 6fce_8093_bf7170fc_b22f_40d2_ba5e_a84fccaedc88; Wed, 10 Jul 2019 06:36:16 -0600
Received: from DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 10 Jul 2019 06:46:43 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEXAPP1N05.corpzone.internalzone.com (10.44.48.89) with Microsoft SMTP Server (TLS) id 15.0.1395.4 via Frontend Transport; Wed, 10 Jul 2019 06:46:43 -0600
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 10 Jul 2019 06:46:41 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KWXaFCEKll1SCTBoCz42U57yLwWKHb7YMDser4v+jFWbDoJ/Hz6/jEgyaDEc42YyxKNBUHmUp62TzZzeXliBLioHVX0aivLOI1yisyCqGgZi/z2SLNYa9YKMpzBJ1qtlcID/wUqkFoKd3MyTp1zf4tsbCNZdsLRaJSR2gK46Jjf0KXUAY5/qOyEea65927lI25alC1/eCBAATzdtAP8AShtMINqV7ehggfz7P7k/WVxwpdsujFFMh0NV/QU+9QxeAb4ZhRnrQhsYtUx32pmxLl0TO0oTXykxKCyqydHWscHu37W3lnEQ+9isLB/LZv8dFhTETePRKe3dZZWtlkN8kw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=S4ZOrgv3S/qMXxPATjrxOXaelnm7l5vg/3KBQiPKozg=; b=oXwvkvthVceMDm5hboNYz3iB5s3GbbGg/aDE+6twSV9gLTIi22kFphq8CDI0v8Sp29ScjPe+KsY36mn68l1qCYa5lrT/+h47WNZ3waRzRZQ7zlrTuIrlyeaMLqsQy26d7MmqL2c0sxL8Qh+Kku3Z7zsH4mnATBIyf/6QPznXlKjPNfvIHTdSINko0rA292HETffvxAmurNBYWacLlMcpvUFdeyBxHafVZkapsT8C8YpVv9wcYRXJ2LC0XCJyVT0Wb+fSN37ySiGhYe/ZOljM2jIO6rc6eveBXYofmsjQPu5Ejx/hgGRffoE9V+yQSDwmfK5rPuYU5XD882ylwnSAPQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=mcafee.com;dmarc=pass action=none header.from=mcafee.com;dkim=pass header.d=mcafee.com;arc=none
Received: from DM5PR16MB1705.namprd16.prod.outlook.com (10.172.44.147) by DM5PR16MB1801.namprd16.prod.outlook.com (10.174.176.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2073.10; Wed, 10 Jul 2019 12:46:42 +0000
Received: from DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::570:2208:75c2:5f17]) by DM5PR16MB1705.namprd16.prod.outlook.com ([fe80::570:2208:75c2:5f17%8]) with mapi id 15.20.2052.019; Wed, 10 Jul 2019 12:46:42 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Adam Roach <adam@nostrum.com>, The IESG <iesg@ietf.org>
CC: "tram-chairs@ietf.org" <tram-chairs@ietf.org>, "draft-ietf-tram-turnbis@ietf.org" <draft-ietf-tram-turnbis@ietf.org>, "tram@ietf.org" <tram@ietf.org>, "brandon.williams@akamai.com" <brandon.williams@akamai.com>
Thread-Topic: [tram] Adam Roach's Yes on draft-ietf-tram-turnbis-27: (with COMMENT)
Thread-Index: AQHVNuNvk6w2nRIeqkCYsEyuEMwziqbDjUlA
Date: Wed, 10 Jul 2019 12:46:42 +0000
Message-ID: <DM5PR16MB1705E353A97BAE888CD859AFEAF00@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <156273781850.15858.12819016613039810127.idtracker@ietfa.amsl.com>
In-Reply-To: <156273781850.15858.12819016613039810127.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.3.0.16
dlp-reaction: no-action
x-originating-ip: [49.37.206.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 31cc8d32-befc-420e-dac8-08d70534a8c2
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM5PR16MB1801;
x-ms-traffictypediagnostic: DM5PR16MB1801:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <DM5PR16MB18013390581598E317851D3BEAF00@DM5PR16MB1801.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0094E3478A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(346002)(396003)(136003)(376002)(39860400002)(189003)(32952001)(51914003)(199004)(13464003)(476003)(6306002)(11346002)(74316002)(55016002)(9686003)(486006)(229853002)(305945005)(446003)(71190400001)(53936002)(71200400001)(6436002)(81166006)(80792005)(25786009)(8676002)(81156014)(478600001)(8936002)(966005)(33656002)(7736002)(256004)(14444005)(4326008)(68736007)(14454004)(66476007)(66446008)(66946007)(64756008)(7696005)(66556008)(99286004)(6246003)(186003)(26005)(3846002)(76116006)(76176011)(53546011)(6506007)(102836004)(52536014)(316002)(6116002)(110136005)(86362001)(5660300002)(54906003)(2906002)(66066001)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR16MB1801; H:DM5PR16MB1705.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: CjN0Hyt6dmPpDjqscCNNvXk5fCjvt/W/zsr7t3hURjGuq1nMZyysvXNK5faMFaTxLO4QY1lrpKgwpS2zSyOGYVUWANyxdV5gaHHxQI+zuG3wzBs/6x7fS3HfUuU07fWYitgaatNFkGYudBCsg0phs/YLzVUCv3M98ig2JN4ox4K5v20m3f6p+zkbEZXe8B4lkYTxcCmfofuNOXPrfHxYfO+nKKBhpnfvzwTO3PkML6bLyX0WEjCn3RhsNmDePHDEeAd5+LqXMc0OlHR19ImgBDgw2NDMZuZCcYassp7OuH2+jf4mGKY8HsGWDgFJcgV1bSEn7sCY0ec24qGt51eOUOjY+1yK+hf1c239k5FtNocnroOj2pSxAWRF4h1nZ5C2sZ1xPbp71WWKT+QkQHasUDBoo9KnZwVzlGRL+5sdIu4=
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 31cc8d32-befc-420e-dac8-08d70534a8c2
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jul 2019 12:46:42.2233 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: TirumaleswarReddy_Konda@McAfee.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR16MB1801
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Level:
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0.3
X-NAI-Spam-Version: 2.3.0.9418 : core <6586> : inlines <7115> : streams <1826946> : uri <2865939>
X-MC-Unique: CRZ7qwlHNQyp075D9M7vYw-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/x3vSOvGfJE3VmRzhgHYle9gCnUo>
Subject: Re: [tram] Adam Roach's Yes on draft-ietf-tram-turnbis-27: (with COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Jul 2019 12:48:03 -0000

Hi Adam,

Thanks for the review. Please see inline

> -----Original Message-----
> From: tram <tram-bounces@ietf.org>; On Behalf Of Adam Roach via
> Datatracker
> Sent: Wednesday, July 10, 2019 11:20 AM
> To: The IESG <iesg@ietf.org>;
> Cc: tram-chairs@ietf.org; draft-ietf-tram-turnbis@ietf.org; tram@ietf.org;
> brandon.williams@akamai.com
> Subject: [tram] Adam Roach's Yes on draft-ietf-tram-turnbis-27: (with
> COMMENT)
> 
> 
> 
> Adam Roach has entered the following ballot position for
> draft-ietf-tram-turnbis-27: Yes
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tram-turnbis/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Thanks for all the work everyone did to update the TURN specification. I am
> balloting "Yes," as I think these are important changes to have published. I do
> have a small handful of comments that, while they don't rise to the level of a
> DISCUSS, are nonetheless rather important to consider before progressing
> this draft to an RFC.
> 
> ---------------------------------------------------------------------------
> 
> §5:
> 
> >  The server SHOULD
> >  include the SOFTWARE attribute in all Allocate and Refresh responses
> > (either success or failure) and MAY include it in other responses or
> > indications.
> 
> The Security Considerations section should probably include some mention
> of this behavior, and the trade-offs between allowing clients to know which
> software (and version) the server is running against providing this
> information to potential attackers who can use it to determine what
> software vulnerabilities may exist in that specific server and version.

Yes, Ben and Christopher raised similar point as part of Secdir review.  I proposed to update Security Considerations section as follows:
SOFWATE attribute can reveal the specific software version of the TURN client and server to eavesdropper and it might possibly allow attacks against vulnerable software that is known to contain security holes. If it is important to prevent an eavesdropper from learning the software version, 
TURN can be run over (D)TLS.

> 
> ---------------------------------------------------------------------------
> 
> §11.5:
> 
> >   It also verifies that the IP
> >   packet in the ICMP packet payload contains a UDP header.
> 
> It's not clear what is being asked of implementations here. Is this just a check
> of the protocol field, or is it more involved than that? Is the intention that the
> server also check that the checksum is valid (i.e., matches the computed
> checksum or is zero)? If so, please spell it out more precisely.
> If this language is intended to imply even more rigorous checks, then it needs
> a lot more text.

The check is only to extract the UDP source and destination ports. I will update the line as follows:
It also verifies that the IP packet in the ICMP packet payload contains a UDP header, and if a UDP header is present, the server extracts the UDP source and destination port information.

> 
> ---------------------------------------------------------------------------
> 
> §12:
> 
> >     0x5000-0xFFFF: Reserved (For DTLS-SRTP multiplexing collision
> >     avoidance, see [RFC7983].
> 
> Given that values through 0x7FFF were permitted by the previous version of
> the protocol, it's unclear what what recovery path this document anticipates
> for legacy clients that might request channels in the 0x5000 - 0x7FFE range.
> The server behavior is well defined (the server sends a 400 response), but
> this seems to represent a fundamental backwards incompatibility, given that
> the client will take this to be a final request error and presumably abandon
> the attempt to use the TURN server.
> 
> If the assumption is that no existing deployed legacy clients use channel
> numbers greater than 0x4FFF, please include that as a note. If the intention is
> instead that we're breaking backwards compatibility in a limited fashion,
> please include that as a note. If the rationale is some explanation other than
> these two, please include it as a note.

Good point, added the following note:
Note that the channel number range is not backwards compatible with RFC5766, and cannot be used in environments where such compatibility is required.

> 
> ---------------------------------------------------------------------------
> 
> §18.12:
> 
> >  Reason Phrase:  The recommended reason phrases for error codes 440
> >     and 508 are explained in Section 19.  The reason phrase MUST be a
> >     UTF-8 [RFC3629] encoded sequence of less than 128 characters
> >     (which can be as long as 509 bytes when encoding them or 763 bytes
> >     when decoding them).
> 
> This doesn't make a lot of sense to me. If arbitrary sequences of 128 UTF-8
> characters are allowed, then the on-the-wire encoding might be as long as
> 512 bytes (rather than 509), even if this would only result from the use of
> unusual strings (e.g., 128 consecutive emoji). I'm even more lost by the
> indication of
> "763 bytes," as I can't figure out what "decoding" operation is being indicated
> here, nor can I figure out what kind of decoded sequence would use 5.96
> bytes per character. Please double-check your numbers, and add more text
> indicating what is meant by "encoding" and "decoding" in this sentence.
> 
> Also, nit: "...fewer than 128 characters..."

We are re-using the reason phrase defined in https://tools.ietf.org/html/draft-ietf-tram-stunbis-21#section-14.8. It says "The reason phrase MUST be a UTF-8 [RFC3629] encoded sequence of less than 128 characters (which can be as long as 509 bytes when 
encoding them or 763 bytes when decoding them)."  

Cheers,
-Tiru

> 
> 
> _______________________________________________
> tram mailing list
> tram@ietf.org
> https://www.ietf.org/mailman/listinfo/tram