IETF Logo Mail Archive

Re: [tram] Chime in on attched redlined version-12 WAS: I-D Action: draft-ietf-tram-turn-server-discovery-12.txt

Karl Stahl <karl.stahl@ingate.com> Mon, 13 February 2017 19:53 UTC

Return-Path: <karl@ingate.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 193221298A6 for <tram@ietfa.amsl.com>; Mon, 13 Feb 2017 11:53:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MSGID_MULTIPLE_AT=1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H5=-1, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ingate.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sTATgpuDrWkp for <tram@ietfa.amsl.com>; Mon, 13 Feb 2017 11:53:03 -0800 (PST)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0045.outbound.protection.outlook.com [104.47.1.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E03091298A3 for <tram@ietf.org>; Mon, 13 Feb 2017 11:53:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ingate.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=FgaGp6T75Kwqn1ibf0YesGZlI9loVgU9ApwAiSvM/cQ=; b=q/+JmlE8Bz0LgsPOxK7+9TLd3qSsgLbywIyjswhTVk4Rn0fiODCTM4fN8Pmp2Pdd8hsk9zKw43eG3uwnGKpAk4+LuqZl+dSHhjloGFY90tG3IFeaqwJPWgimr60dFZrrSOIkTblqqg6QiiEdiON4lMNBm5TX0+8LwVPSyMO11rs=
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=karl@ingate.com;
Received: from Kallei7 (90.227.80.227) by AM4PR01MB1826.eurprd01.prod.exchangelabs.com (10.167.85.24) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.888.16; Mon, 13 Feb 2017 19:52:58 +0000
From: Karl Stahl <karl.stahl@ingate.com>
To: 'Brandon Williams' <brandon.williams@akamai.com>, "'Tirumaleswar Reddy (tireddy)'" <tireddy@cisco.com>, 'Simon Perreault' <sperreault@jive.com>, 'Spencer Dawkins at IETF' <spencerdawkins.ietf@gmail.com>
References: <148427986357.3020.7793783112924549744.idtracker@ietfa.amsl.com> <a4aaffdefb794fb0a1b96f0252b862a9@XCH-RCD-017.cisco.com> <CAKKJt-fUzJJS9SXvbG2=T7PDz6nvHnhBqvHRtm-41BoGJsJC6Q@mail.gmail.com> <b139c913-a052-9397-c5df-7cd7c884cf71@jive.com> <CAKKJt-eh8ZZ=5J0KoY9zUpOhj=r9+ATSOk_hEF=G7qTt78_4-Q@mail.gmail.com> <5893bf99.0699370a.55c1f.0964SMTPIN_ADDED_BROKEN@mx.google.com> <bfd3ab0f-dbd5-2f95-1830-fc869a29d7c6@jive.com> <4547122c1f244f4db631dfda97404561@XCH-RCD-017.cisco.com> <028401d2812d$6b02c220$41084660$@stahl@ingate.com> <70420ebfeccb4c0086f946628cdc4daf@XCH-RCD-017.cisco.com> <03aa01d281d8$b4d5df80$1e819e80$@stahl@ingate.com> <c29a9ea6c4064365b05f988add8b9c63@XCH-RCD-017.cisco.com> <048f01d282d3$58c74390$0a55cab0$@stahl@ingate.com> <57e18bb6f5394f61b5c7200d521dd3b2@XCH-RCD-017.cisco.com> <055101d2833c$299e43c0$7cdacb40$@stahl@ingate.com> <2c2e50c5ab474493b71cf5c68df01c94@XCH-RCD-017.cisco.com> <05b801d283a0$743852e0$5ca8f8a0$@stahl@ingate.com> <2909fdfc-cc13-c6bb-c26d-1f5262774847@ak amai.com>
In-Reply-To: <2909fdfc-cc13-c6bb-c26d-1f5262774847@akamai.com>
Date: Mon, 13 Feb 2017 20:52:50 +0100
Message-ID: <075401d28632$c48d3140$4da793c0$@stahl>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdKFTIYK9xbOsUllSOiXRzzW6yP3ZwAy85iA
Content-Language: sv
X-Originating-IP: [90.227.80.227]
X-ClientProxiedBy: VI1PR09CA0056.eurprd09.prod.outlook.com (10.174.49.24) To AM4PR01MB1826.eurprd01.prod.exchangelabs.com (10.167.85.24)
X-MS-Office365-Filtering-Correlation-Id: 172faec5-b851-4fed-8650-08d45449e937
X-Microsoft-Antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:AM4PR01MB1826;
X-Microsoft-Exchange-Diagnostics: 1; AM4PR01MB1826; 3:0uVImll/x+ttGeHcSCTUXGTbZ/hecttB45/0CZ7CQAGrgfXxzViYGmQoBWna+r2/Y7WCZqWaeKKlAwsn4S/aGs8bsWr5QmEskST9x7SV90nGNT0/rdmWPtl4GebDNe4xlx+PqhDuYYVcTd8tl2PVEwY/Gby48gYFwHoW9Snepi+YSiSYJsUnmgauoGLySbI+lwdFW8rCDQVUodNBLCtcvUGkikWYD3FBr0/E8t222ReZECjr3b3mfhT0qQ9HzQ+5UU5C9Pfv0hYsBM+Sctmtsw==; 25:BvdAvf5/Y8CfCUWioIY7wOgqZLGDDekWCzV3DCDEBghDbRZEHMO/ui1RJf/vL1wemuoxmvaQjWXec2SrL1ITXYnFdabdvLVTpJUdn30dP6dO/wOhMIDunL9ckImMGM5j0j/JDH/E8UKuu2sc8llQVGl2iUUklGb8NR8H3x1l/pH4tQLjo/QZsOFMB2SguDBdvqnR88wtXrGw5aLbQFNBUULZiSkhbv8R225j5clEG4kdUmH9Wr6EHKmACPJ9nl5BbgLB+IHAE6o78FGu6hvYCOZdt9rrdgdhqaGlYfpoz5hl/Xo7BNOdowUMnHeSxcO6te9J1o4IlF0wMcAWzXh+9Uh9vcRFI1w1DV+krRXXQ0k2NsiD5evZOvUrxzh7W1lvmocFJDQHfOdWkb1MHnzsOZybZWB0WLe97Eb2CINvS1qZfYLv55WT52oj/tlMjkrX56p6kilNEy0OQU1r3TiSvQ==
X-Microsoft-Exchange-Diagnostics: 1; AM4PR01MB1826; 31:JGcZU09S3C+7tODp0AQEHltX6LW/2wrIkBp0NOYCAtlsiL63MkFW0uVWR2PqOZGEBVbEIdklNX0kGpEVouXFVfx4CzljGqV47ByQpWOrfxHQLy5gs6E953mApUH30n5pXhBzynjiU15MuY1yALkoRAdUrVDTMt1+lWxraqtKD2IbGqB5BIw7c58nKHhRDcHgGbI7S4H/3fZZFKEmIxw2K8FEUvVwBcwgng5SlHBmI57mQ/eXUMWY17ynoQ9xO3IplntxQ4wU9jdF+QoxWTF89EJ2PKZgcSWu7yYx59+jBmM=
X-Microsoft-Antispam-PRVS: <AM4PR01MB182660FA90EDE658DB487E91B1590@AM4PR01MB1826.eurprd01.prod.exchangelabs.com>
X-Exchange-Antispam-Report-Test: UriScan:(158342451672863)(10436049006162)(192374486261705)(100405760836317)(95692535739014);
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6041248)(20161123564025)(2016111802025)(20161123560025)(20161123562025)(20161123555025)(20161123558025)(6072148)(6043046); SRVR:AM4PR01MB1826; BCL:0; PCL:0; RULEID:; SRVR:AM4PR01MB1826;
X-Microsoft-Exchange-Diagnostics: 1; AM4PR01MB1826; 4:Al3EpsWhGL9L3GiY56E/f/pl48wMCV5t3tcMEbni9ryibw4g3+97U/NsFfgTGnyvHJ5ZVKf163bvYoyZZAf86bLSKziigNMrEvxu1UJlmSGIZT3UEoPP4TJPFTJac0+l1Xj8ZuJiO5yF0tuMm/tfNGOF+wHKpoYmOmq5pq51CN1lUI2dys1I/r0oX8fX0QNVRWI3Umch6EnVRetcyQEBpafSvU44NqIv56kYFe/L4vklSkUz8Xrr4L9BHXJ+eymQ6g8PkpU1e4g+gg9+XyigxIcRo4ZniLxdn/a8CBerF6LeSLhSGpaxUEOTKn5xp1LgZHW1j05gI33ymiQ8hryD/Y4wj5fXUgYzhLoDLv8u0MY8btZw1gyx1GjSJR1frAkirgKwem8ManGbt04a4CBxdkhnSJJvcq4OYyLyD2MuPXV6AOdL5Ty71qk+LrQWhG+YH1tO6QYwLppj5JUGlznhhhnWgxjnj5SVPtlgPUIVL+vFBn8ovE3TVVy1FhzGd0mbQuaor05uVL0WbCupvCRgEljAGIRDDGS38ZMRO0LJcwHJeLYsWixCAzs52GE+ziyV4LfQaoxdVjhRXLKUasi4IL2hdtcCy+kxvjl9xTflDYcORrlT9FuauaZtSUgrjTBHcR7Swa1s1kSf88Oo2D/JBMehaOwkzAL15eaZTnSPXauIRcIZJsWJDgUKdKRMStit4Q+6RySo5dhcX1xoQ2jFfowXK+0MdXIVYp5xM0tUzG9z5Gw3sD6IBXzBdS2IxwG/dfj5XaXQ9dMpssiWvmSpIXCNu0HqvibWTcbIAbFgOjgYK51eE/0ok3W8KZbvGdFAjZ4Ox/rnlR29o0BVnGpcdg==
X-Forefront-PRVS: 02176E2458
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009020)(4630300001)(6009001)(7916002)(39450400003)(39840400002)(39410400002)(199003)(38534002)(189002)(377424004)(24454002)(377454003)(13464003)(51914003)(7736002)(305945005)(53946003)(5660300001)(23756003)(66066001)(61296003)(106356001)(53936002)(6496005)(9686003)(101416001)(6486002)(44736005)(47776003)(5890100001)(92566002)(84116002)(53546003)(2950100002)(42186005)(14726001)(50466002)(38730400002)(97736004)(25786008)(6306002)(6666003)(230783001)(8746002)(96836002)(61793004)(105586002)(50226002)(189998001)(93886004)(81166006)(68736007)(33646002)(81156014)(8676002)(1420700001)(36756003)(4326007)(2906002)(102836003)(3846002)(6116002)(50986999)(76176999)(575784001)(568814002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM4PR01MB1826; H:Kallei7; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Received-SPF: None (protection.outlook.com: ingate.com does not designate permitted sender hosts)
X-Microsoft-Exchange-Diagnostics: 1; AM4PR01MB1826; 23:Ky7yQ5d6SYX8xCsPhhVIdGLFKsIueE080u7waNoHooIST/0t0fu4pkWBoomopdRGinpDdh1Qp9Lb9Mnt2akMqRaF8I4qOe44B/RH8QAQNz5cx0COpEY1COCl1Vr6CNf2EPCYlp7BQ7eyQeChAJPjgrYIYZxKU+2Qt9WzbT/YHT9A4lgwkr4ajPKW72MqIqYSaKSNL/B2BA5SbJ9dX1H6+emrHwQzEFUmY5Dip+mSxbsRA/TQoqt7LnMGMC2mKQiMaJpSIuezZOLES8bv62639qP42soP+fH6g8eDHvhil6s0Kfp+ciu9GshH4aNM4h45moz0TuHp4gT2QP6jP/AxNdyEBVMUV9kDf3e5F231lwQXG6qqaCkt2iE6/BSYwi951rg0yvZ8gPHLPiTjlSBRxNQO5S7tXumnfmdUFgL4NiFczDvf/YNgHMWyU5pOQ9JjmuSiy6x0vOYa+NqOfs1X1SfsGVX1cr0qiWecStgsi3vmYgl7X/oCmZ7vOfhxyJFFD2DclNfnSqClAHMvFmHV+el4uL6pXCSIK4WpDmsuTuIt1aUnrHhXep0T47TTnFMDAA2gGgi7UAz8gBw/FKu2evc7dZFyihyckoAFnmVlefrsZXKcJ47Smd/Btvlpm6WYOWfkaMOYH0Vr6Lni8Zqz1Q3imE82YnEgAKoKYNwDCSpd6KP+nle7MrFwgwYNC81k4xbW/hu9YO+gntwQfb8NmB+/pplHnv7ajSJDAyFo2TPrKuCbxa15q+mAQMFHo4QKSe0wuc5HvHJBpcgRE4icbwGEN8KKeOkYTIJeRv5mJLyzrXRQXFRJ3jm99OlsnC145FF2WPch0STbxD9T1q0FwyQ6P0RD8u46jbsSXF3c3bmYsCpUt+0TzkG8JO4ydC/iOSfhFjyUtWkasBQ/rTRi1I4r5ZXU4RS4CXMZosqLluAxczpwEm1iDtOiMsGTCpU0eYl8yt1kFXqYDDq2sAuI/2pDZBJEJkRMkjxDhWm4IUT7X25S5SLiiYmFb3WZe5ht8KhrQz5AUOgGuTyx9t96pA1ZfJBSuEq2RqynoeBCBhQR+bmNxnS2pdtypTykipanXYdGt3FQ52p0so3bVT9oQiYYAqK5lgGnewXJ0Pt1nzIZMLzux3mrSYXhcfHHBnmeSifgIfl7Yq8vXz+y3kbFxhWxZzJh0JGrAD3Cfk695SDi3qTdZlOjgEThOZ0TJ+CAvHNKsDWmRKGnpForpqnrv57DKpC4WC8y/jkdU8rTgBBZE9i6OoCUk0TplXAkhrqDckF0+c0bKinYs68ikXQcGsPIF7yqmYps5To9z6cmc3Cnr9SJXcTqCrqdlK7W0s6Do2h5rMcJ5L59SGl+7FaOtclhMRuPj+5m0W1PT7YIZk1Uij7Mfff0V4cWkggv3aRmANkpZ1Ix+rdjz0LABtMXEmclHKPy/18lx9xuuShsdrjXitfaALEoYLlKx9TUuGHmIJWEVP06EE5xaxTTzaAZydNlfM//wwxhkZZ3UC3/48FCa1YLa9nO/VwiWjclHrYCvEvYZoen0ou4tjjQqJ/XRIeOejGhdRBSkurpQ1AQBjA=
X-Microsoft-Exchange-Diagnostics: 1; AM4PR01MB1826; 6:8Q5zA1GrY0d6WbNHo4ciInohgN2ypnzlT7oofWrMK2IwhN/e2OH4rMfJZTrj5nKKyEgGQzFKNc/i/VWaR9Up9PH1uFu1EsJVXG02Azv5RpXNYJotwhxeN2hMH5pIA7Vt5/rSUcCa+UNnqmUyuvaWnv6/GGRh6rJDkqyPmVJ+DPnUIVqGQEwx/+OmAxUkn7hQt77wSR8UDY9JV5faCq/diZgHzNrXWn/ye2AijtFkPTUD+e2jG/H4cg+67Chm6dZoLVogZdt3KRETMfSLJ0lmfNYG6LrpjCS5wKNtDE7kfXuDx+pGBpMWSsLH/OlI8zQh6d4xcP8IMdhIHSbBjWpUG241Qo96vEJCumq/0EGhvnFOczA8EUgRX2X3hrUdfgGDWIYu7vpecaskvNh7aEC45w==; 5:HmT90xuM5Xcm8/CUdRJzC+7GEgL5GUMIASnYSNBQzj3MpJa3iTd+5qFkMBDUZMsNMy8Y2hyihpof8joPjyzfjuIjpAGLb3Ocp3ozLDImskO4jiZ5kVqiWMHr8yUMzaMI8GMt95AbBGTdJIe8RATpd2mplcDbtstmH5/kM2vsQfw=; 24:nZtFVTJQCXaSc6Q4la7W90cw/3EPF9hD6Dh9oa11eJS6P2Xfq+MbxIfd4z4easPgH0ocIJ0BjDZOSnCERH99jgmC75NDq9htNlNR5bZv968=
SpamDiagnosticOutput: 1:99
SpamDiagnosticMetadata: NSPM
X-Microsoft-Exchange-Diagnostics: 1; AM4PR01MB1826; 7:pG5gf2js9uPp+ei5e+FIHWK4LWqVI52CZQiuXpgJP1t/CoK5Gmw7d9QJrCw+SLt93PtQZzmtxDRMlk1qcB7jTz1CiPUECpKZrWxqSp0n6ugMlA9Lys9w7ALuCJr/vQ8As2GPonOUHLvdDCoEsu+3hAMEEt3rLiMoS37VewQZCpIP00trU/OakzgB187u5KQuqK10d5BlKiMEiMqyx5TaBecCirghbYBGbjhmgcrtPGJFd285EqtxKOcIuh5jpRZtA2mIXkDXTfRxnG7ZkLdIHGlXVS9/qX7YYyn6pVKN4nHAnEalXwq1XFROs2pQIvK7LxN6MzV302RtX5Bmvjyk2gLyKFLcOp44p40yPAB6rKzhkUgmD9cF6o7X4uVqjBPrFcS9LDIiUvtAP0hG2RG4Hrbza1nwSfS9bcqKJUZjAHwOzYFZf9LDDZoZn+E4IA0XQz1x83JDm++es5e8LM6TZ6x5Af1Ol3BHlLfVTqGWzOBKnlBD/IazCwNogFdis2LF1vaWdRhR08bJDriP/GxEQw==
X-OriginatorOrg: ingate.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 13 Feb 2017 19:52:58.2774 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR01MB1826
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/y0gM1CJoAjHxBszgzqxD3PWI6-Y>
Cc: tram@ietf.org
Subject: Re: [tram] Chime in on attched redlined version-12 WAS: I-D Action: draft-ietf-tram-turn-server-discovery-12.txt
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2017 19:53:08 -0000

Regarding (D)TLS: 

Brandon, the "explicit administrator choice" text in version -12 is the only
thing I have attributed to you as "I don’t think Brandon or anyone asked for
such impossibilities" and I think what you say below is just that. Let's not
make too much about that.


The real things about the STUN Authentication (in addition to introducing
this (D)TLS "impossibility use case" ) are:

1) (D)TLS mandate was thrown in during the DISCUSS and broke the -07 text
consensus, where STUN Authentication was not required for network provided
TURN servers in the local or access network (no (D)TLS was suggested - that
is for validation, not for authentication) 

2) The STUN Authentication downgrade was (correctly) declared first during
discuss (although it happened with version -07), and the "IP Authentication"
(that automatically the users belonging to the local or access network have,
was (correctly) spelled out during the discuss as "A TURN server in such
cases must be configured to only process STUN
   requests from the trusted local network or subscribers of the access
   network.  Operational measures must be taken in order protect the
   TURN server; some of these measures include, but not limited to,
   access control by means of access-lists, firewalls, subscriber quota
   limits, ingress filtering etc."
  
3) The (D)TLS mandate thrown in during the discuss does other things than
compensate for the STUN Authentication, and was later (by Authors) reduced
to fixing vulnerability for spoofing (-12 text), and the -12 text's
mandating (D)TLS in some situations.

4) However, for eliminating the spoofing vulnerability, introduced (D)TLS is
still not good (CPU hunger, thus DOD/DDOS vulnerable, trust anchor or
certificate seldom available), while Oleg's Dummy Authentication does the
job and has none of the drawbacks. 

This is introduced in the red-lined version -12 and is a way bring back
consensus if agreed upon.

/Karl




-----Ursprungligt meddelande-----
Från: Brandon Williams [mailto:brandon.williams@akamai.com] 
Skickat: den 12 februari 2017 17:25
Till: Karl Stahl; 'Tirumaleswar Reddy (tireddy)'; 'Simon Perreault';
'Spencer Dawkins at IETF'
Kopia: tram@ietf.org
Ämne: Re: [tram] Chime in on attched redlined version-12 WAS: I-D Action:
draft-ietf-tram-turn-server-discovery-12.txt

Hi Karl,

Regarding the "explicit administrator choice" part of the text, I think 
the point is not that an application MUST NOT blindly fall back to 
cleartext, but instead MUST give the admin and/or user some control. 
There are a variety of ways this could be accomplished. Tiru's 
suggestion in the earlier e-mail is just one of those. I don't think the 
draft needs to describe a specific method; it's up to the application 
developer to choose a method that best meets user needs.

--Brandon

On 02/10/2017 08:20 AM, Karl Stahl wrote:
> Hi Tiru, below again
>
>
>
> *Från:*Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
> *Skickat:* den 10 februari 2017 05:57
> *Till:* Karl Stahl; 'Simon Perreault'; 'Spencer Dawkins at IETF'
> *Kopia:* tram@ietf.org
> *Ämne:* RE: [tram] Chime in on attched redlined version-12 WAS: I-D
> Action: draft-ietf-tram-turn-server-discovery-12.txt
>
>
>
> Hi Karl,
>
>
>
> Please see inline [TR2]
>
>
>
> *From:*Karl Stahl [mailto:karl.stahl@ingate.com]
> *Sent:* Friday, February 10, 2017 6:53 AM
> *To:* Tirumaleswar Reddy (tireddy) <tireddy@cisco.com
> <mailto:tireddy@cisco.com>>; 'Simon Perreault' <sperreault@jive.com
> <mailto:sperreault@jive.com>>; 'Spencer Dawkins at IETF'
> <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>>
> *Cc:* tram@ietf.org <mailto:tram@ietf.org>
> *Subject:* SV: [tram] Chime in on attched redlined version-12 WAS: I-D
> Action: draft-ietf-tram-turn-server-discovery-12.txt
>
>
>
> Hi Tiru, please see [Karl] inlines after your inlines.
>
>
>
> *Från:*Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
> *Skickat:* den 9 februari 2017 15:34
> *Till:* Karl Stahl; 'Simon Perreault'; 'Spencer Dawkins at IETF'
> *Kopia:* tram@ietf.org <mailto:tram@ietf.org>
> *Ämne:* RE: [tram] Chime in on attched redlined version-12 WAS: I-D
> Action: draft-ietf-tram-turn-server-discovery-12.txt
>
>
>
> Hi Karl,
>
>
>
> Please see inline
>
>
>
> *From:*Karl Stahl [mailto:karl.stahl@ingate.com]
> *Sent:* Thursday, February 9, 2017 6:22 PM
> *To:* Tirumaleswar Reddy (tireddy) <tireddy@cisco.com
> <mailto:tireddy@cisco.com>>; 'Simon Perreault' <sperreault@jive.com
> <mailto:sperreault@jive.com>>; 'Spencer Dawkins at IETF'
> <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>>
> *Cc:* tram@ietf.org <mailto:tram@ietf.org>
> *Subject:* SV: [tram] Chime in on attched redlined version-12 WAS: I-D
> Action: draft-ietf-tram-turn-server-discovery-12.txt
>
>
>
> Tiru,
>
>
>
> Each of your three sentences are incorrect.
>
>
>
> And,
>
>> updated in 12 version to say that (D)TLS is not mandatory to use if the
> network infrastructure can defend against the attacks discussed in
RFC5766.
>
>
>
> --- And in addition It breaks the version -07 consensus text regarding
> (D)TLS usage in this situation, by introducing “MUST” for (D)TLS usage
> under 9:
>
> ...and therefore MUST NOT be used for privacy sensitive communication.
>
> ...but MUST NOT fall back without explicit administrator choice.
>
> ...but MUST NOT fall back without explicit administrator choice.
>
> and my question how the “explicit administrator choice”  is supposed to
> happen in an enterprise environment or at an internet café is not
answered.
>
>
>
> [TR] Explicit administrator choice means the user is notified about the
> failure and fallback happens only after consent from the user (i.e. the
> user needs to know that fallback happens to a less secure mechanism).
>
> [Karl] I suggest “administrator” is then changed to “user” so it is not
> interpreted as the network administrator, in a version -13 of the draft.
>
>
>
> [TR2] Sure, I can update draft.
>
> [Karl2] But please notice, that this only clarifies the draft, it is
> still a nuisance for a user and a general webRTC browser (that will be
> used under such conditions) and that was not what Brandon or anyone else
> asked for. Recommending the STUN dummy authentication instead, resolves
> the (D)TLS break of consensus of the version -07 text, including the
> performance concerns raised by Pal-Erik and others, as well as other
> objections.
>
>
>
> - I don’t think Brandon or anyone asked for such impossibilities (which
> again seem to be created to make this specification unusable for its
> purpose).
>
>
>
> Please note that to my knowledge, (D)TLS usage is not mandated  for any
> usage of TURN servers anywhere, and (again) this draft – that should
> specify DISCOVERY – cannot MANDATE USAGE. None of the discovery methods
> do (and cannot)  use (D)TLS (that discussion is for USAGE, AFTER the
> DISCOVERY).
>
>
>
> [TR2] Other drafts do not mandate (D)TLS because RFC5766 mandates STUN
> authentication, this draft updates RFC5766 by saying STUN authentication
> is not mandatory hence it is mandating (D)TLS.
>
> [Karl2] Yes, we agree. It is only this draft, version -10 to -12 draft
> that suggests to mandate usage of (D)TLS (Please free us from that)
>
>
>
> [TR] No, (D)TLS is only mandated if the network infrastructure cannot
> defend against the attacks discussed in RFC5766.
>
> [Karl] That is already clear in the -12 version. My comment remains (In
> addition to being wrong, I meant it is also strange (and unnecessary,
> considering that dummy authentication can achieve it better) if this
> DISCOVERY draft would mandates (D)TLS for TURN server usage in a certain
> situation, when no other draft mandates (D)TLS for usage of TURN servers.)
>
>
>
> [TR2] I don’t agree with your comments and don’t plan to make any
> changes to (D)TLS related text in the draft unless I hear otherwise from
> other WG members and chairs.
>
>
>
> [Karl] While producing the above suggested -13 of the draft, I also
> suggest you also include all the redlining I proposed (and no one has
> objected against) and I think we will have a draft that can be accepted
> to become an RFC.
>
>
>
> [TR2] I reject your all your other proposed changes including anycast,
> don’t see any merit in your arguments
>
> [Karl2] … and ignoring Brandon’s:
>
>> It is true that you have provided a justification for the change.
>
>> My  point is that the small set of people…
>
> As responded to:
>
>>> [Karl Justification is in the (A), (B), (C) and (D) of
>
>>> https://www.ietf.org/mail-archive/web/tram/current/msg02254.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02254.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=6wGc9_uIIPqbsHUbmZTBpKSjwodRuQSnNsTmPnRd33Q&e=>
>
>
>>> where saying Binding instead Allocate, is necessary to achieve (A) and
(B), and improves (C) and (D).
>
>
>
> and will let the WG chairs decide how to proceed with the draft.
>
>
>
> [Karl2] Well, we need a specification that is defined and fulfill its
> purpose and thus can be made an RFC.
>
> Can you specify what and explain why any of the red lined suggestions to
> the version -12 text would go against this (or is there nothing)?
>
> (As a guidance to those you ask for “decide how to proceed with the
draft.”)
>
>
>
> /Karl
>
>
>
> -Tiru
>
>
>
> Thanks,
>
> Karl
>
>
>
> -Tiru
>
>
>
> The read lined -12 version is cleared from these and other flaws or
> mistakes.
>
>
>
> We should focus on whether the red lined version is anything but
> improvements and adds no drawbacks over version -12 of the draft.
>
>
>
> /Karl
>
>
>
> PS: Regarding the non working anycast method, **since I highlighted in
> August 8, 2016, all from the Author’s at the WG list is**:
>
> October 18, 2016 (from Prashanth to me and others during the discuss):
>  We intend to add the following to explain server behavior a little
better:
>
> “A TURN anycast server performs checks 1 to 7 discussed in Section 6.2
> of RFC5766. If all checks pass, the TURN anycast server MUST respond
> with a 300 (Try Alternate) error as described in [RFC5766];”
>
> November 15, 2016  (to something from Brandon): Agreed. -Tiru
>
> November 18, 2016 (to something from Brandon): +1, don't see a need for
> alternate mechanism. -Tiru
>
> December 22, 2016 Hi Karl, I don’t understand why the mechanism where
> TURN server has both anycast and unicast address for re-direction won’t
> work ? Cheers, -Tiru
>
> Now February 7, 8, 2016 See below
>
>
>
>
>
> *Från:*Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
> *Skickat:* den 8 februari 2017 09:51
> *Till:* Karl Stahl; 'Simon Perreault'; 'Spencer Dawkins at IETF'
> *Kopia:* tram@ietf.org <mailto:tram@ietf.org>
> *Ämne:* RE: [tram] Chime in on attched redlined version-12 WAS: I-D
> Action: draft-ietf-tram-turn-server-discovery-12.txt
>
>
>
> Hi Karl,
>
>
>
> We have gone over the same points over and over again and I don’t see a
> need to document the discussion b/w you and Simon, they are only
> operational considerations and have no impact on the protocol.
>
>
>
> Secondly, there is no consensus on your proposed new anycast mechanism
> and WG members have opposed your new anycast mechanism.
>
>
>
> Regarding (D)TLS, the draft is updated in 12 version to say that (D)TLS
> is not mandatory to use if the network infrastructure can defend against
> the attacks discussed in RFC5766. This update addresses comments
> received from Brandon.
>
>
>
> -Tiru
>
>
>
> *From:*Karl Stahl [mailto:karl.stahl@ingate.com]
> *Sent:* Wednesday, February 8, 2017 12:28 PM
> *To:* Tirumaleswar Reddy (tireddy) <tireddy@cisco.com
> <mailto:tireddy@cisco.com>>; 'Simon Perreault' <sperreault@jive.com
> <mailto:sperreault@jive.com>>; 'Spencer Dawkins at IETF'
> <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>>
> *Cc:* tram@ietf.org <mailto:tram@ietf.org>
> *Subject:* SV: [tram] Chime in on attched redlined version-12 WAS: I-D
> Action: draft-ietf-tram-turn-server-discovery-12.txt
>
>
>
> 1) The A)+B) method (that Simon and I discussed) is not specified in the
> draft -12 text and further referencing:
>
> [Tiru below]> "https://tools.ietf.org/html/rfc7094#section-3.4
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rf
c7094-23section-2D3.4&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuad
q6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut0vfDR2W-L4&s=LE
hCEnJWTs-58S-OzhGCxFlWFoO_AZ4jL2d87B7k3xQ&e=>
> also discusses similar mechanism" does not help:
>
> - It rather states issues coming from not knowing whether a server
> reached by anycast addressing, actually is at a unicast address or
> really is deployed at a anycast address (which I believe is rare).
>
>
>
> 2) Further, there are no deployment considerations for the A)+B) method
> in the –12 draft (compare the redlined version)
>
> It does not even discuss or list  RFC7478 (Web Real-Time Communication
> Use Cases and Requirements) that it is supposed to meet, but which the
> A)+B) method is in conflict with.
>
> https://www.ietf.org/mail-archive/web/tram/current/msg02314.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02314.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=JUvi1vp2Im171VnwziFnhFyKRHdWeOyx5urNi9JOG9w&e=>
> and https://www.ietf.org/mail-archive/web/tram/current/msg02254.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02254.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=6wGc9_uIIPqbsHUbmZTBpKSjwodRuQSnNsTmPnRd33Q&e=>.
>
>
>
>
>
>
> 3) And if the (more complex) A)+B) method would be properly defined and
> described in some future revision, then remains (from
> https://www.ietf.org/mail-archive/web/tram/current/msg02254.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02254.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=6wGc9_uIIPqbsHUbmZTBpKSjwodRuQSnNsTmPnRd33Q&e=>):
>
> “(trying to) exemplify/clarify the high level (important) points why we
>
> need/want anycast discovery by saying Binding instead of Allocate. These
>
> points are:
>
>
>
> (A) We need an anycast discovery method for auto-discovering "a TURN
server"
>
> (not some special TURN server or arrangement of TURN servers "invented"
for
>
> being discoverable by a certain method)
>
>
>
> (B) We need an anycast discovery method for a TURN server that is
>
> setup/installed/configured for its USAGE (which is relaying traffic) - not
>
> requiring a special network configuration just for being discoverable.
(And
>
> more widely, it must be the goal of this specification to provide at least
>
> one discovery method that works for ALL network types and configurations,
>
> where a network provided TURN server may be useful - I see only anycast
>
> using Binding for querying *the TURN server's* unicast address fulfilling
>
> this.)
>
>
>
> (C) Robust (tolerant) deployment is highly preferable.
>
>
>
> (D) Ease of deployment is highly preferable.
>
>
>
> Saying Binding instead Allocate, is necessary to achieve (A) and (B), and
>
> improves (C) and (D).”
>
>
>
> 4) The (D)TLS text in version -12 does not have consensus either.
>
> https://www.ietf.org/mail-archive/web/tram/current/msg02296.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02296.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=3U7eSkgvs4w6NXK3vLX4Dlc7ZAwSIBMZ3bMsJDzqlkc&e=>
> and
>
> https://www.ietf.org/mail-archive/web/tram/current/msg02297.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02297.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=i7d7dLfsouxgahM92augLVbvLcurGOxKgbJ6qnzCIZw&e=>
>
>
> Against my red lined (D)TLS changes, I have heard no objections (just as
> with the red lined anycast method).
>
>
>
> /Karl
>
>
>
>
>
> -----Ursprungligt meddelande-----
> Från: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
> Skickat: den 7 februari 2017 12:02
> Till: Karl Stahl; 'Simon Perreault'; 'Spencer Dawkins at IETF'
> Kopia: tram@ietf.org <mailto:tram@ietf.org>
> Ämne: RE: [tram] Chime in on attched redlined version-12 WAS: I-D
> Action: draft-ietf-tram-turn-server-discovery-12.txt
>
>
>
>> -----Original Message-----
>
>> From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Karl Stahl
>
>> Sent: Tuesday, February 7, 2017 4:02 PM
>
>> To: Tirumaleswar Reddy (tireddy) <tireddy@cisco.com
<mailto:tireddy@cisco.com>>; 'Simon Perreault'
>
>> <sperreault@jive.com <mailto:sperreault@jive.com>>; 'Spencer Dawkins at
IETF'
>
>> <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>>
>
>> Cc: tram@ietf.org <mailto:tram@ietf.org>
>
>> Subject: Re: [tram] Chime in on attched redlined version-12 WAS: I-D
Action:
>
>> draft-ietf-tram-turn-server-discovery-12.txt
>
>>
>
>> Tiru,
>
>>
>
>> That does not make the version -12 text in the draft any clearer about
what
>
>> the draft's anycast method actually is. I am asking you the same question
as I
>
>> asked Simon before (and only he answered):
>
>
>
> I agree with the responses Simon has already provided to all the below
> questions. Further, I also don't see the need to discuss the below
> questions in the draft because they are only operational considerations
> (and have no impact on the actual protocol).
>
>
>
> -Tiru
>
>
>
>>
>
>> Does the draft assume:
>
>>
>
>> (A) a TURN server listening to TWO IP addresses (that are at different
>
>> subnets) that can respond error 300 or make an allocation, distinguished
by
>
>> whether the request was received on its anycast address or its unicast
>
>> address, OR
>
>>
>
>> (B) we really have TWO TURN servers to play with (the one at the anycast
>
>> address being configured to respond with the error 300, OR
>
>>
>
>> (C) the FIRST Allocate is responded to with error 300 and SUBSEQUENT
>
>> Allocates actually are making TURN allocations.
>
>>
>
>>
>
>> We cannot have an RFC, not even being clear about the method specified.
>
>>
>
>> /Karl
>
>>
>
>>
>
>> -----Ursprungligt meddelande-----
>
>> Från: Tirumaleswar Reddy (tireddy) [mailto:tireddy@cisco.com]
>
>> Skickat: den 7 februari 2017 07:18
>
>> Till: Simon Perreault; Karl Stahl; 'Spencer Dawkins at IETF'
>
>> Kopia: tram@ietf.org <mailto:tram@ietf.org>
>
>> Ämne: RE: [tram] Chime in on attched redlined version-12 WAS: I-D Action:
>
>> draft-ietf-tram-turn-server-discovery-12.txt
>
>>
>
>> > -----Original Message-----
>
>> > From: Simon Perreault [mailto:sperreault@jive.com]
>
>> > Sent: Friday, February 3, 2017 7:13 PM
>
>> > To: Karl Stahl <karl.stahl@ingate.com <mailto:karl.stahl@ingate.com>>;
'Spencer Dawkins
> at IETF'
>
>> > <spencerdawkins.ietf@gmail.com <mailto:spencerdawkins.ietf@gmail.com>>
>
>> > Cc: tram@ietf.org <mailto:tram@ietf.org>; Tirumaleswar Reddy (tireddy)
> <tireddy@cisco.com <mailto:tireddy@cisco.com>>
>
>> > Subject: Re: [tram] Chime in on attched redlined version-12 WAS: I-D
>
>> Action:
>
>> > draft-ietf-tram-turn-server-discovery-12.txt
>
>> >
>
>> > Karl,
>
>> >
>
>> > There is no consensus in the working group behind this new anycast
>
>> > mechanism. Therefore it can not be added to the draft, and the
>
>> > mechanism defined in RFC 5766 remains.
>
>>
>
>> Yup, https://tools.ietf.org/html/rfc7094#section-3.4
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rf
c7094-23section-2D3.4&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuad
q6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut0vfDR2W-L4&s=LE
hCEnJWTs-58S-OzhGCxFlWFoO_AZ4jL2d87B7k3xQ&e=>
> also discusses similar
>
>> mechanism.
>
>> I don't see the need for a new anycast mechanism.
>
>>
>
>> -Tiru
>
>>
>
>> >
>
>> > Thanks,
>
>> > Simon
>
>> >
>
>> > Le 2017-02-02 à 18:23, Karl Stahl a écrit :
>
>> > > The -12 version of the draft does not include major remedies of
>
>> > > flaws that were un-addressed long before the DISCUSS, nor the latest
>
>> > > regarding the possible use of (D)TLS for auto discovered turn
>
>> > > servers provided the local or access network administrator, see
>
>> > >
>
>> > > https://www.ietf.org/mail-archive/web/tram/current/msg02216.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02216.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=OR288fay15EdJ063J_GCuNOt-SScDC5CylZsleLjXbU&e=>
>
>> > >
>
>> > >
>
>> > >
>
>> > > For the latest discussed, see
>
>> > >
>
>> > >
>
>> > >
>
>> > > https://www.ietf.org/mail-archive/web/tram/current/msg02279.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02279.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=B9ST_TVehqEC-PVjUMsDQsxLBNgTStctSmVvmqi39zo&e=>
>
>> > >
>
>> > >>> However, I think we need agreement on the justification for such a
>
>> > >
>
>> > >> change.
>
>> > >
>
>> > >> [Karl] Justification is in the (A), (B), (C) and (D) of
>
>> > >
>
>> > >> https://www.ietf.org/mail-archive/web/tram/current/msg02254.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02254.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=6wGc9_uIIPqbsHUbmZTBpKSjwodRuQSnNsTmPnRd33Q&e=>
>
>> > >
>
>> > >> where saying Binding instead Allocate, is necessary to achieve (A)
>
>> > >> and
>
>> > > (B), and improves (C) and (D).
>
>> > >
>
>> > >
>
>> > >
>
>> > > Brandon> It is true that you have provided a justification for the
>
>> change.
>
>> > >
>
>> > >
>
>> > >
>
>> > > https://www.ietf.org/mail-archive/web/tram/current/msg02296.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02296.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=3U7eSkgvs4w6NXK3vLX4Dlc7ZAwSIBMZ3bMsJDzqlkc&e=>
>
>> > >
>
>> > > The (D)TLS mandating was Author's idea to throw into version -10
>
>> > > during the discuss and remains in this version -11, breaking the
>
>> > > consensus text since version -7.
>
>> > >
>
>> > >
>
>> > >
>
>> > > https://www.ietf.org/mail-archive/web/tram/current/msg02297.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02297.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=i7d7dLfsouxgahM92augLVbvLcurGOxKgbJ6qnzCIZw&e=>
>
>> > >
>
>> > > STUN dummy authentication instead of (D)TLS as suggested by Oleg
>
>> > > Moskalenko
>
>> > >
>
>> > >
>
>> > >
>
>> > >
>
>> > >
>
>> > > I have inserted my (now edited and adopted to the latest) redlining,
>
>> > > removal of blue options etc. into the -12 draft text as attached,
>
>> > > for the author to copy from and paste.
>
>> > >
>
>> > >
>
>> > >
>
>> > > Without my red lining, current version -12 is in conflict with
>
>> > > RFC7478 (Web Real-Time Communication Use Cases and Requirements)
>
>> > > and does
>
>> > not
>
>> > > meet the need of [I-D.ietf-rtcweb-return] (Recursively Encapsulated
>
>> > > TURN) (see under redlined 7.2)
>
>> > >
>
>> > > and it does not do what was set out in the Charter and "Milestone 3:
>
>> > > TURN server auto-discovery mechanism for enterprise and ISPs"
>
>> > >
>
>> > >
>
>> > >
>
>> > > Further, the authors have in version -12 (compared to from before
>
>> > > DISCUSS)  changed the text "  6.  Discovery using Anycast " to:
>
>> > >
>
>> > > https://tools.ietf.org/rfcdiff?url1=draft-ietf-tram-turn-server-disc
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_rfcdiff
-3Furl1-3Ddraft-2Dietf-2Dtram-2Dturn-2Dserver-2Ddisc&d=DwMFAw&c=96ZbZZcaMF4w
0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4
f7nTfFUk9gw5o1Ut0vfDR2W-L4&s=AMYCMt0k9_YCuab2JldMPgDJsb5neZZkNIlStXCjJGQ&e=>
>
>> > > ov ery-09.txt&url2=draft-ietf-tram-turn-server-discovery-12.txt
>
>> > >
>
>> > > "IP anycast can also be used for TURN service discovery.  A packet
>
>> > >
>
>> > >    sent to an anycast address is delivered to the "topologically
>
>> > >
>
>> > >    nearest" network interface with the anycast address.  Using the
>
>> > > TURN
>
>> > >
>
>> > >    anycast address, the only two things that need to be deployed in
>
>> > > the
>
>> > >
>
>> > >    network for discovery are the two things that actually use TURN.
>
>> > >
>
>> > >
>
>> > >
>
>> > >    When a client requires TURN services, it sends a TURN allocate
>
>> > >
>
>> > >    request to the assigned anycast address.  A TURN anycast server
>
>> > >
>
>> > >    performs checks 1 to 7 discussed in Section 6.2 of [RFC5766].  If
>
>> > > all
>
>> > >
>
>> > >    checks pass, the TURN anycast server MUST respond with a 300 (Try
>
>> > >
>
>> > >    Alternate) error as described in Section 2.9 of [RFC5766]; The
>
>> > >
>
>> > >    response contains the TURN unicast address in the
>
>> > > ALTERNATE-SERVER
>
>> > >
>
>> > >    attribute.  For subsequent communication with the TURN server,
>
>> > > the
>
>> > >
>
>> > >    client uses the responding server's unicast address.  This has to
>
>> > > be
>
>> > >
>
>> > >    done because two packets addressed to an anycast address may
>
>> > > reach
>
>> > >
>
>> > >    two different anycast servers.  The client, thus, also needs to
>
>> > >
>
>> > >    ensure that the initial request fits in a single packet.  An
>
>> > >
>
>> > >    implementation may choose to send out every new TURN Allocation
>
>> > >
>
>> > >    request to the anycast address to discover the closest and the
>
>> > > most
>
>> > >
>
>> > >    optimal unicast address for the TURN server."
>
>> > >
>
>> > >
>
>> > >
>
>> > > The highlighted "A TURN anycast server"  isnothing known nor
>
>> > > described (in fact there would have to be TWO TURN servers, one
>
>> > > deployed at the anycast address and another TURN server deployed at
>
>> > > the unicast address, reacting differently to the Allocation request)
>
>> > > for this to work as clarified in WG discussions with Simon).
>
>> > >
>
>> > >
>
>> > >
>
>> > > The last sentence "An  implementation may choose to send out every
>
>> > > new TURN Allocation request to the anycast address to discover the
>
>> > > closest and the most optimal unicast address for the TURN server."
>
>> > > violates security and deployment considerations (see red lined
>
>> > > considerations in attached).
>
>> > >
>
>> > >
>
>> > >
>
>> > > Further, the authors have in version -12 (compared to from before
>
>> > > DISCUSS)  changed the text "7.2.  Recursively Encapsulated TURN " to:
>
>> > >
>
>> > > https://tools.ietf.org/rfcdiff?url1=draft-ietf-tram-turn-server-disc
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_rfcdiff
-3Furl1-3Ddraft-2Dietf-2Dtram-2Dturn-2Dserver-2Ddisc&d=DwMFAw&c=96ZbZZcaMF4w
0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4
f7nTfFUk9gw5o1Ut0vfDR2W-L4&s=AMYCMt0k9_YCuab2JldMPgDJsb5neZZkNIlStXCjJGQ&e=>
>
>> > > ov ery-09.txt&url2=draft-ietf-tram-turn-server-discovery-12.txt
>
>> > >
>
>> > > "WebRTC endpoints SHOULD treat any TURN server discovered through
>
>> > the
>
>> > >
>
>> > >    mechanisms described in this specification as an
>
>> > > enterprise/gateway
>
>> > >
>
>> > >    or access network server, in accordance with Recursively
>
>> > > Encapsulated
>
>> > >
>
>> > >    TURN [I-D.ietf-rtcweb-return]."
>
>> > >
>
>> > >
>
>> > >
>
>> > > The text is a contradiction, since the return draft deals with TURN
>
>> > > servers provided by the local or access network, not other TURN
>
>> > > servers discovered by this draft.
>
>> > >
>
>> > >
>
>> > >
>
>> > > *Current -12 draft cannot be considered to be an RFC!*
>
>> > >
>
>> > >
>
>> > >
>
>> > > I suggest the redline version of draft -12 attached is chimed into
>
>> > > now and quickly merged into a version -13, so we can avoid the
>
>> > > "Conflict Resolution and Appeals"process hinted about in
>
>> > >
>
>> > > https://www.ietf.org/mail-archive/web/tram/current/msg02202.html
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Dar
chive_web_tram_current_msg02202.html&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ
-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut
0vfDR2W-L4&s=d3MIEALshSLyuVc0Tp0U_RBYISTdX2sF-YW4oVWzUk4&e=>,
>
>> > > further delaying what is needed for Internet real-time communication
>
>> > > and especially for WebRTC.
>
>> > >
>
>> > >
>
>> > >
>
>> > > /Karl
>
>> > >
>
>> > >
>
>> > >
>
>> > > *Från:*tram [mailto:tram-bounces@ietf.org] *För *Spencer Dawkins at
>
>> > > IETF
>
>> > > *Skickat:* den 1 februari 2017 22:12
>
>> > > *Till:* Simon Perreault
>
>> > > *Kopia:* tram@ietf.org <mailto:tram@ietf.org> <mailto:tram@ietf.org>;
> Tirumaleswar Reddy
>
>> > > (tireddy)
>
>> > > *Ämne:* Re: [tram] I-D Action:
>
>> > > draft-ietf-tram-turn-server-discovery-12.txt
>
>> > >
>
>> > >
>
>> > >
>
>> > > Hi, Simon,
>
>> > >
>
>> > >
>
>> > >
>
>> > > On Thu, Feb 2, 2017 at 6:00 AM, Simon Perreault <sperreault@jive.com
>
>> > > <mailto:sperreault@jive.com>> wrote:
>
>> > >
>
>> > > Le 2017-02-01 à 15:37, Spencer Dawkins at IETF a écrit :
>
>> > >> Dear TRAMsters,
>
>> > >>
>
>> > >> On Fri, Jan 13, 2017 at 12:59 PM, Tirumaleswar Reddy (tireddy)
>
>> > >> <tireddy@cisco.com
>
>> > >> <mailto:tireddy@cisco.com><mailto:tireddy@cisco.com
>
>> > > <mailto:tireddy@cisco.com>>> wrote:
>
>> > >>
>
>> > >>     This revision addresses comments from Brandon.
>
>> > >>
>
>> > >>     -Tiru
>
>> > >>
>
>> > >>
>
>> > >> How close are we to asking Terry to clear the (last remaining)
DISCUSS?
>
>> > >
>
>> > > Thanks for the reminder.
>
>> > >
>
>> > > If my co-chair and the authors have no objection, I think we're
ready.
>
>> > >
>
>> > >
>
>> > >
>
>> > > I'll give this 24 hours for people to chime in, but I do want to
>
>> > > ping Terry.
>
>> > >
>
>> > >
>
>> > >
>
>> > > It's a little-appreciated thing, but AD ballot positions go away
>
>> > > when ADs go away; this document has 12 yes/no objections now, and
>
>> > > you need
>
>> > > 10 for approval, and three are from ADs who are stepping down in
>
>> > > March
>
>> > > ;-)
>
>> > >
>
>> > >
>
>> > >
>
>> > > Spencer
>
>> > >
>
>> > >
>
>> > >
>
>> > > _______________________________________________
>
>> > > tram mailing list
>
>> > > tram@ietf.org <mailto:tram@ietf.org>
>
>> > > https://www.ietf.org/mailman/listinfo/tram
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_l
istinfo_tram&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgw
bBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut0vfDR2W-L4&s=vmtm5H-2Ler
_5PEKhheo-ob_Eiz6enqyiOnHkAKZjxQ&e=>
>
>> > >
>
>> >
>
>> >
>
>> > --
>
>> > Simon Perreault
>
>> > Director of Engineering, Platform | Jive Communications, Inc.
>
>> > https://jive.com
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__jive.com&d=DwMFAw&c=96
ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=sqEvIjW
-bn_4s0Ne4f7nTfFUk9gw5o1Ut0vfDR2W-L4&s=6xMRYWWn81v-P_m3BZY8GMOvpo0ygL0wYykEs
xKd66Q&e=>
> | +1 418 478 0989 ext. 1241 | sperreault@jive.com
> <mailto:sperreault@jive.com>
>
>>
>
>> _______________________________________________
>
>> tram mailing list
>
>> tram@ietf.org <mailto:tram@ietf.org>
>
>> https://www.ietf.org/mailman/listinfo/tram
>
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_l
istinfo_tram&d=DwMFAw&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgw
bBVUJa4mZfmEIBXg&m=sqEvIjW-bn_4s0Ne4f7nTfFUk9gw5o1Ut0vfDR2W-L4&s=vmtm5H-2Ler
_5PEKhheo-ob_Eiz6enqyiOnHkAKZjxQ&e=>
>
>
>
> _______________________________________________
> tram mailing list
> tram@ietf.org
> https://www.ietf.org/mailman/listinfo/tram
>

-- 
Brandon Williams; Chief Architect
Cloud Networking; Akamai Technologies Inc.

v2.23.0 | Report a Bug | By Email