Re: [tram] [Tsv-art] Tsvart last call review of draft-ietf-tram-turnbis-25

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 25 June 2019 12:27 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "kaduk@mit.edu" <kaduk@mit.edu>, "TirumaleswarReddy_Konda@mcafee.com" <TirumaleswarReddy_Konda@mcafee.com>
CC: "touch@strayalpha.com" <touch@strayalpha.com>, "tsv-art@ietf.org" <tsv-art@ietf.org>, "draft-ietf-tram-turnbis.all@ietf.org" <draft-ietf-tram-turnbis.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "brandon.williams@akamai.com" <brandon.williams@akamai.com>, "tram@ietf.org" <tram@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/RmNphCSigJIf0ms-5A9LYJDqMhA>

Hi,

> -----Original Message-----
> From: Benjamin Kaduk <kaduk@mit.edu>
> Sent: den 25 juni 2019 01:37
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com>
> Cc: Joe Touch <touch@strayalpha.com>; Magnus Westerlund
> <magnus.westerlund@ericsson.com>; tsv-art@ietf.org; draft-ietf-tram-
> turnbis.all@ietf.org; ietf@ietf.org; Brandon Williams
> <brandon.williams@akamai.com>; tram@ietf.org
> Subject: Re: [Tsv-art] [tram] Tsvart last call review of
> draft-ietf-tram-turnbis-25
> 
> Sorry to jump in and hijack the middle of a different thread, but...
> 
> On Wed, Jun 19, 2019 at 01:24:42PM +0000, Konda, Tirumaleswar Reddy
> wrote:
> > Hi Joe,
> >
> > I have added the following lines to address your comment:
> >
> >    TCP multi-path [RFC6824] is not supported by this version of TURN
> >    because TCP multi-path is not used by both SIP and WebRTC protocols
> >    [RFC7478] for media and non-media data.  If the TCP connection
> >    between the TURN client and server uses TCP-AO [RFC5925] or TLS, the
> >    client must secure application data (e.g. using SRTP) to provide
> >    confidentially, message authentication and replay protection to
> >    protect the application data relayed from the server to the peer
> >    using UDP.  Attacker attempting to spoof in fake data is discussed
> >    in
> 
> ... this kind of cross-layer security requirement ("if you were using
> TCP-layer protection, now you have to impose a requirement on the
> application protocol (stack) at a higher layer") has been quite
> problematic in the past when attempted for other protocols.  Consider
> this early warning that it will get a careful security area review
> during IESG evaluation, if not sooner.  Being very specific about which
> component of the system has what requirements under which conditions
> would be helpful, as a start.

And I think this requirement is backwards. Application of TCP-AO or TLS does
not result in an improved security property for the higher layer that
utilizes TURN. That is still regular IP/UDP datagram payloads in this
version. There is nothing in this specification that gives you anything
better on the server to peer leg. Thus, application of TLS/TCP or TCP-AO on
the client to server leg is only to mitigate some threats on this client to
server leg, potentially making it more robust. 

Thus, I would suggest that this requirement is removed. Instead, it should be
explained that the actual upper-layer security properties are not improved;
simply that the client-server leg is less vulnerable to certain attacks.

/Magnus
> 
> -Ben
> 
> >    Section 20.1.4.  Note that TCP-AO option obsoletes TCP MD5 option.
> >    Unlike UDP, TCP without the TCP Fast Open extension [RFC7413] does
> >    not support 0-RTT session resumption.  The TCP user timeout [RFC5482]
> >    equivalent for application data relayed by the TURN is the use of RTP
> >    control protocol (RTCP).  As a reminder, RTCP is a fundamental and
> >    integral part of RTP.
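The point Magnus makes about the two legs, as an added illustration that is not code from the thread or from the draft: a minimal model in which a hop-by-hop MAC (constructed key, standing in for TLS or TCP-AO on the client-server leg) is verified and stripped by the relay, and only an end-to-end tag (constructed key, standing in for SRTP) lets the peer notice that the datagram changed on the server-peer UDP leg. Function and key names are assumptions made for the example.

```python
import hmac
import hashlib

# Constructed keys for the model; in a real deployment the hop key belongs
# to the TLS/TCP-AO association and the e2e key to the SRTP session.
HOP_KEY = b"client<->server hop key (constructed)"
E2E_KEY = b"client<->peer srtp-like key (constructed)"
TAG_LEN = 10  # truncated tag, like SRTP's 80-bit auth tag


def tag(key, data):
    """Truncated HMAC-SHA256 standing in for a channel MAC or SRTP auth tag."""
    return hmac.new(key, data, hashlib.sha256).digest()[:TAG_LEN]


def client_send(payload, use_e2e):
    """Client builds the application datagram (optionally with an end-to-end
    tag) and wraps it in hop protection towards the TURN server."""
    app = payload + (tag(E2E_KEY, payload) if use_e2e else b"")
    return app + tag(HOP_KEY, app)


def server_relay(frame):
    """Relay verifies the hop-protected frame, then forwards the bare
    application datagram to the peer over plain UDP: the hop tag is gone."""
    app, t = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(t, tag(HOP_KEY, app)):
        raise ValueError("hop integrity failure on client-server leg")
    return app


def peer_receive(datagram, use_e2e):
    """Peer accepts what arrives; only with e2e protection can it reject
    a datagram modified on the server-peer leg. Returns (payload, accepted)."""
    if not use_e2e:
        return datagram, True  # accepted unverified
    payload, t = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
    return payload, hmac.compare_digest(t, tag(E2E_KEY, payload))


def relay_path(payload, use_e2e, modified_on_udp_leg=False):
    """Run client -> server -> peer; optionally model a corrupted first byte
    on the server -> peer UDP leg. Returns (payload_seen_by_peer, accepted)."""
    datagram = server_relay(client_send(payload, use_e2e))
    if modified_on_udp_leg:
        datagram = bytes([datagram[0] ^ 0x01]) + datagram[1:]
    return peer_receive(datagram, use_e2e)
```

With hop protection alone the peer accepts the altered datagram; with the end-to-end tag it is rejected, which is why the hop-layer mechanism cannot be what the application relies on for the relayed data.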