Re: [tram] First post
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Sat, 01 February 2014 03:20 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67D841A0508 for <tram@ietfa.amsl.com>; Fri, 31 Jan 2014 19:20:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.035
X-Spam-Level:
X-Spam-Status: No, score=-10.035 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sC-SHWPAXOmk for <tram@ietfa.amsl.com>; Fri, 31 Jan 2014 19:20:41 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) by ietfa.amsl.com (Postfix) with ESMTP id 3D4511A04D6 for <tram@ietf.org>; Fri, 31 Jan 2014 19:20:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=34052; q=dns/txt; s=iport; t=1391224837; x=1392434437; h=from:to:cc:subject:date:message-id:mime-version; bh=3gCsyztccBmY58Y++uqGSNx+PhergwgR6/XRdkCNaj8=; b=SwhNP9Egs8CpqLtLOPWrlWkG0wcWaSmK1budvX4f8qR6wSJ00tua0qT/ WYAz5bUB0yzJKOPwEeJ4tmCWRGPI43ON8bP3lZla9wKJ02YtwpVSmr4oz Erwv7ybSwFGaLeHcRMUMjou803QqIyUm0F8QPiuSLwGQ+RnbYLcWg6+Ni s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhgHAGZn7FKtJXG//2dsb2JhbABZgkhEOFeqQ4pAiFaBChZ0giUBAQEEAQEBFw0GQQsSAQgOAwMBAQELAgkLBygGCxQJCQEECgQFCAyHXQMRDcQFDYkxF4xsgT4TFCANBAYHAwGDGoEUBJY+gx6LLIVDgy2BaAIeBhw
X-IronPort-AV: E=Sophos; i="4.95,760,1384300800"; d="scan'208,217"; a="17132170"
Received: from rcdn-core2-4.cisco.com ([173.37.113.191]) by alln-iport-1.cisco.com with ESMTP; 01 Feb 2014 03:20:35 +0000
Received: from xhc-aln-x11.cisco.com (xhc-aln-x11.cisco.com [173.36.12.85]) by rcdn-core2-4.cisco.com (8.14.5/8.14.5) with ESMTP id s113KZWu014546 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sat, 1 Feb 2014 03:20:35 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.227]) by xhc-aln-x11.cisco.com ([173.36.12.85]) with mapi id 14.03.0123.003; Fri, 31 Jan 2014 21:20:35 -0600
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Oleg Moskalenko <mom040267@gmail.com>
Thread-Topic: [tram] First post
Thread-Index: Ac8e/I22FvNhqIOzRkeRAwPVMGrm7g==
Date: Sat, 01 Feb 2014 03:20:34 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A24297693@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.43.151]
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A24297693xmbrcdx10ciscoc_"
MIME-Version: 1.0
Cc: Simon Perreault <simon.perreault@viagenie.ca>, "tram@ietf.org" <tram@ietf.org>, Justin Uberti <juberti@google.com>
Subject: Re: [tram] First post
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 01 Feb 2014 03:20:46 -0000
Hi Oleg, I will add the details in next revision. Thanks, -Tiru. From: Oleg Moskalenko [mailto:mom040267@gmail.com] Sent: Saturday, February 01, 2014 12:05 AM To: Tirumaleswar Reddy (tireddy) Cc: Simon Perreault; tram@ietf.org<mailto:tram@ietf.org>; Justin Uberti Subject: Re: [tram] First post Hi Tiru in regard to Mobile ICE, I filled the RFC 6982 template - you can add it as "implementation status" section to the draft, please see below. Thanks Oleg ============================== o The organization responsible for the implementation, if any. This is a public project, the full list of authors and contributors here: http://turnserver.open-sys.org/downloads/AUTHORS o The implementation's name and/or a link to a web page describing the implementation. http://code.google.com/p/rfc5766-turn-server/ o A brief general description. A mature open-source TURN server specs implementation (RFC 5766, RFC 6062, RFC 6156, etc) designed for high-performance applications, especially geared for WebRTC. o The implementation's level of maturity: research, prototype, alpha, beta, production, widely used, etc. widely used (the TURN server itself). The Mobile ICE feature implementation can be qualified as "production" - it is well tested and fully implemented, but not widely used, yet. o Coverage: which parts of the protocol specification are implemented and which versions of the Internet-Draft were implemented. Fully implements MICE with TURN protocol o Licensing: the terms under which the implementation can be used. For example: proprietary, royalty licensing, freely distributable with acknowledgement (BSD style), freely distributable with requirement to redistribute source (General Public License (GPL) style), and other (specify). BSD: http://turnserver.open-sys.org/downloads/LICENSE o Implementation experience: any useful information the implementers want to share with the community. MICE implementation is somewhat challenging for a multi-threaded performance-oriented application (because the mobile ticket information must be shared between the threads) but it is doable. ======================================================================== On Tue, Nov 19, 2013 at 4:26 AM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com<mailto:tireddy@cisco.com>> wrote: Hi Oleg, Please see inline [TR] From: tram-bounces@ietf.org<mailto:tram-bounces@ietf.org> [mailto:tram-bounces@ietf.org<mailto:tram-bounces@ietf.org>] On Behalf Of Oleg Moskalenko Sent: Monday, November 18, 2013 12:19 PM To: Tirumaleswar Reddy (tireddy) Cc: Simon Perreault; pcp@ietf.org<mailto:pcp@ietf.org>; tram@ietf.org<mailto:tram@ietf.org>; Justin Uberti Subject: Re: [tram] First post Dan and Tiru, while contemplating the MICE implementation, I stumbled upon a potential problem in the MICE draft. According to the section 5.2.2, the server compares the encoded NONCE with the stored NONCE for the "old" 5-tuple session. But the problem is, a NONCE may expire. Its possible to have an expiration time for the NONCE (an enhanced security feature). In a non-mobility TURN implementation, that creates no problem: the server simple sends 438 error (stale nonce) back to the client together with the new generated NONCE value, and the client just re-calculates and re-sends the request. With wording in the section 5.2.2, that becomes rather complicated in the mobility case. I am not sure that I understand the exact action sequence when the session NONCE expires with mobility feature. I think that the problem can be fixed if the draft would not include wording about the MOBILE-TICKET internal structure. In one place it is saying that the ticket is opaque and implementation-dependent; but in other places it suggests how the ticket must be constructed and how it must be encoded. I think that this is unnecessary. Let's just say that the ticket is opaque and its structure has meaning only for the server - and that the server uses it as a unique identifier. I see no reason why the server must encode any meaningful information in the ticket, like 5-tuple and NONCE. That's totally up to the server. The server, for example, may just keep a hashtable with all that information and the ticket may be just a random unique key in that table. As we are using message integrity authentication anyway, and the ticket is transferred openly over the Internet, the ticket does not create any new level of defense. This is, basically, just a session ID - to match the "old" session with the "new" session. [TR] Agreed with your assessment will update the draft accordingly. Thanks and Regards, -Tiru. A similar approach is used in RFC 6062. They are solving a similar logical task: they are matching a new client network endpoint with an existing TURN session. They also are using a ticket, but they do not encode any information in it - that is just an opaque unique string. For protection, they also are validating the MESSAGE INTEGRITY. And they have no problem with the NONCE expiration because there is no NONCE encoded in the ticket. Let me know please what do you think about that. Thanks Oleg On Sun, Nov 17, 2013 at 5:36 AM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com<mailto:tireddy@cisco.com>> wrote: Hi Oleg, It has some similarities but is a lot different from PCP third party authorization. For example for TURN the Authorization Server will be providing session key, MAC algorithm etc which is not required with the PCP third party authorization. There are various other differences like PCP server would need to communicate with the Authorization Server to determine the token bound authorization data (like the number of mappings permitted, flow characteristics allowed etc) which may not be required with TURN authorization. PCP-controlled Firewall will most likely be in the same administrative domain as the endpoint but that may not be true with TURN. we are working on the details and will have something concrete in couple of weeks. Cheers, -Tiru. From: tram-bounces@ietf.org<mailto:tram-bounces@ietf.org> [mailto:tram-bounces@ietf.org<mailto:tram-bounces@ietf.org>] On Behalf Of Oleg Moskalenko Sent: Saturday, November 16, 2013 12:56 PM To: Tirumaleswar Reddy (tireddy) Cc: Simon Perreault; tram@ietf.org<mailto:tram@ietf.org>; Justin Uberti Subject: Re: [tram] First post Tiru, I suppose that will be similar to this draft: http://tools.ietf.org/html/draft-wing-pcp-third-party-authz-01 That would be a significant addition to the TURN server. Regards, Oleg On Fri, Nov 15, 2013 at 7:20 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com<mailto:tireddy@cisco.com>> wrote: Hi Oleg, I am co-author of the MICE, draft-reddy-behave-turn-auth drafts and we are interested in TURN evolution. Justin and we are working on TURN Extension for Third Party Authorization using OAuth which will address some of the problems discussed in above draft. Cheers, -Tiru. From: Oleg Moskalenko <mom040267@gmail.com<mailto:mom040267@gmail.com>> Subject: Re: [tram] First post Date: November 15, 2013 11:01:24 AM PST To: Simon Perreault <simon.perreault@viagenie.ca<mailto:simon.perreault@viagenie.ca>> Cc: <tram@ietf.org<mailto:tram@ietf.org>> MMUSIC has an interesting draft on TURN mobility (MICE) that I am watching and I am going to implement. I wonder whether the authors of the draft may be interested in the TURN evolution. On Fri, Nov 15, 2013 at 10:55 AM, Simon Perreault <simon.perreault@viagenie.ca<mailto:simon.perreault@viagenie.ca>> wrote: All, Any objection against sending the following to rtcweb, pntaw, and behave? Any other lists that should be included? Simon ==================== All, A few of us have been working on a proposal for a new working group that would focus on enhancements to STUN and TURN. The proposed name is TRAM (Turn Revised And Modernized) and discussion is happening in <tram@ietf.org<mailto:tram@ietf.org>>. Subscribe link: <https://www.ietf.org/mailman/listinfo/tram> Here is the charter we have been working on. If you would like to comment and/or get involved, please do so on the TRAM mailing list. Simon (and many others!) Turn Revised And Modernized (tram) ---------------------------------- Traversal Using Relays around NAT (TURN) was published as RFC 5766 in April 2010. Until recently the protocol had only a rather limited deployment. This is primarily because its primary use case is as one of the NAT traversal methods of the Interactive Connectivity Establishment (ICE) framework (RFC 5245). This inherent dependency on ICE combined with the fact that ICE itself was slow to achieve widespread adoption because other alternative mechanisms were historically used by the VoIP industry were the causes of the initial lack of interest. This situation has changed drastically as ICE, and consequently TURN, are mandatory to implement in WebRTC, which is a set of technologies developed at the IETF and W3C aiming to enable Real Time Communication on the Web. Because of the ubiquity of the Web and of the new opportunities created by the arrival of WebRTC, there is a renewed interest in TURN and ICE, as evidenced by the recent work updating the ICE framework, as well as standardizing the URIs used to access a STUN [RFC7064] or TURN [RFC7065] server. The goal of the TRAM Working Group is to consolidate the various initiatives to update TURN and STUN, including the definition of new transport and authentication mechanisms that make STUN and TURN more suitable for the WebRTC environment. The Working Group will closely coordinate with the appropriate Working Groups, including RTCWEB, MMUSIC, and HTTPBIS. The current list of deliverable is: - DTLS transport for TURN Candidate draft: draft-petithuguenin-tram-turn-dtls TURN defines three transports: UDP, TCP, and TLS. A straightforward extension of this set is DTLS, enabling secure datagram-oriented transport. - New authentication mechanism for TURN Problem analysis: draft-reddy-behave-turn-auth Candidate draft: draft-uberti-behave-turn-rest, OAuth has also been suggested The current authentication mechanism for TURN, which is reused from STUN, has been designed with a SIP account database in mind. The new RTCWEB usages, which are mostly based on web applications, do not fit that model. A new authentication mechanism optimized for such web applications will be created. - TURN server auto-discovery mechanism for enterprise and ISPs Candidate draft: TBD Current TURN server discovery is based on the presence of SRV and/or NAPTR DNS records. These records are usually under the administrative control of the application or service provider, not the enterprise or the ISP on whose network the client is situated. Enterprises or ISPs wishing to provide their own TURN server, in an attempt to reduce so-called "triangle routing", need a new auto-discovery mechanism. - STUN-bis Candidate draft: TBD A new revision of RFC 5389 will contain: - Various bug fixes - STUN hash algorithm agility (currently only SHA-1 is allowed) - TURN-bis Candidate draft: TBD A new revision of RFC 5766 will contain: - Various bug fixes - Support for multi-tenant servers (Servers always send the same REALM attribute. No realm negotiation phase currently exists.) Goals and Milestones: [TBD] -- DTN made easy, lean, and smart --> http://postellation.viagenie.ca NAT64/DNS64 open-source --> http://ecdysis.viagenie.ca STUN/TURN server --> http://numb.viagenie.ca _______________________________________________ tram mailing list tram@ietf.org<mailto:tram@ietf.org> https://www.ietf.org/mailman/listinfo/tram _______________________________________________ tram mailing list tram@ietf.org<mailto:tram@ietf.org> https://www.ietf.org/mailman/listinfo/tram
- [tram] First post Simon Perreault
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Gonzalo Salgueiro (gsalguei)
- Re: [tram] First post Paul Kyzivat
- Re: [tram] First post Justin Uberti
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Justin Uberti
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Dan Wing
- Re: [tram] First post Gonzalo Salgueiro (gsalguei)
- Re: [tram] First post Tirumaleswar Reddy (tireddy)
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Tirumaleswar Reddy (tireddy)
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Paul Kyzivat
- Re: [tram] First post Simon Perreault
- Re: [tram] First post Gonzalo Salgueiro (gsalguei)
- Re: [tram] First post Tirumaleswar Reddy (tireddy)
- Re: [tram] First post Oleg Moskalenko
- [tram] TURN/RTP via HTTP Proxy (was: First post) Hutton, Andrew
- Re: [tram] TURN/RTP via HTTP Proxy (was: First po… Gonzalo Salgueiro (gsalguei)
- Re: [tram] TURN/RTP via HTTP Proxy Paul Kyzivat
- Re: [tram] TURN/RTP via HTTP Proxy Gonzalo Salgueiro (gsalguei)
- Re: [tram] TURN/RTP via HTTP Proxy Paul Kyzivat
- Re: [tram] First post Oleg Moskalenko
- Re: [tram] First post Tirumaleswar Reddy (tireddy)