Re: [Tsv-art] [tram] Tsvart last call review of draft-ietf-tram-turnbis-25

Joe Touch <touch@strayalpha.com> Tue, 11 June 2019 22:05 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED75612006A; Tue, 11 Jun 2019 15:05:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.22
X-Spam-Level:
X-Spam-Status: No, score=-1.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5SmbGy513YnO; Tue, 11 Jun 2019 15:05:00 -0700 (PDT)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D672F12001E; Tue, 11 Jun 2019 15:04:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=To:References:Message-Id: Content-Transfer-Encoding:Cc:Date:In-Reply-To:From:Subject:Mime-Version: Content-Type:Sender:Reply-To:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=nB7yiLVBhf4GjDic0gm8jFSK+2mZCu6ztkgNbhwezzQ=; b=qctPL5vfa5WkwCIPUWvZ/a77Z MUGXPAS4bwq0uEsPMBZ5LNXns+WMBSazztPpwYVh+XQdGwLQozILSR7r/kZrYELOika70QHjbmTUJ TW4BdX/oMpcidHWS3N0n2m7ilhC+7vM04bTn7UcTNK/5QzY2Bh+z8c3VZ31Xp4WqK6xor7j8pNG42 XhQT1ef/WUUi4Xd1aBc1b0JY67kgEmRLNZ7LUJKyDDAoemKSxoXmyoduYaPI9bjc+FRqQQ0FmediA xNRkvhZLCWiw55+72/pW0iaWzhd8Qb+WMzcf4ZrL0CvhfWNqjI2eWRzOZQoew7tw6l7N5SbIUEDvt OZYECukbA==;
Received: from [38.64.80.138] (port=58840 helo=[172.21.13.154]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from <touch@strayalpha.com>) id 1haosv-000PdP-6e; Tue, 11 Jun 2019 18:04:58 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Joe Touch <touch@strayalpha.com>
In-Reply-To: <a3bbeb17-e768-9ab2-9f34-3d179fa8fe38@akamai.com>
Date: Tue, 11 Jun 2019 15:04:52 -0700
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, "tsv-art@ietf.org" <tsv-art@ietf.org>, "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "draft-ietf-tram-turnbis.all@ietf.org" <draft-ietf-tram-turnbis.all@ietf.org>, "tram@ietf.org" <tram@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <E41C125D-F3B4-475E-8AD0-124F531F1DC9@strayalpha.com>
References: <155971464360.28104.6837263931145163343@ietfa.amsl.com> <DM5PR16MB170560F51A9F7C281A9BC752EA170@DM5PR16MB1705.namprd16.prod.outlook.com> <F306B122-79F3-4C7A-8CE2-1C094D9F0FCC@strayalpha.com> <DM5PR16MB1705A4C370C4405AFFD63546EA100@DM5PR16MB1705.namprd16.prod.outlook.com> <5F2F8A3B-2887-4107-81E2-B4E222A4044E@strayalpha.com> <DM5PR16MB1705BD4E31370D2F5A179F17EA130@DM5PR16MB1705.namprd16.prod.outlook.com> <2C6B5776-CB95-4607-8D0C-07FDE2F6D515@strayalpha.com> <DM5PR16MB1705638AD29F3288E4AC0952EAED0@DM5PR16MB1705.namprd16.prod.outlook.com> <HE1PR0701MB252250AE4E7C158F985B0CC895ED0@HE1PR0701MB2522.eurprd07.prod.outlook.com> <D9A01E28-F9FB-4C86-AFD3-A2BA8D89C340@strayalpha.com> <a3bbeb17-e768-9ab2-9f34-3d179fa8fe38@akamai.com>
To: Brandon Williams <brandon.williams@akamai.com>
X-Mailer: Apple Mail (2.3445.9.1)
X-OutGoing-Spam-Status: No, score=0.3
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/hrlFZ8I3wWtdLWypu4zJHlrty1g>
Subject: Re: [Tsv-art] [tram] Tsvart last call review of draft-ietf-tram-turnbis-25
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jun 2019 22:05:03 -0000

Hi, Brandon,

> On Jun 11, 2019, at 12:47 PM, Brandon Williams <brandon.williams@akamai.com> wrote:
> 
> Hi Joe,
> 
> First, some clarification ... You stated.
> 
>> Finally, I’m quite bothered by the glib idea that transport packets
>> simply be translated into each other either between two TCP
>> connections or between TCP and UDP. The notion is simply false; TCP
>> doesn’t preserve message boundaries and TCP segments are not
>> guaranteed to match application message boundaries.
> 
> There is no TCP-to-TCP relay case here. The side opposite the TURN
> client is always UDP, even if the remote client is also connected to a
> TURN server. The two TURN servers would use UDP in between, and the two
> TURN servers would not even know that the other one is there.
> 
> Also, the spec does not relay "packets" between TCP and UDP. TURN does
> not rely on TCP to maintain message boundaries. Instead, a TURN TCP
> connection frames messages within the stream and that message framing
> allows the TURN server to maintain message boundaries when sending the
> messages within UDP datagrams.

The description in the document implies packet-to-packet translation, which seems dangerous (even as a description). This is especially true for the notion that each UDP packet is translated into exactly one TCP frame directly.

The description above in this email implies you’re just receiving “application” messages on one transport and emitting them on another. That makes a lot more sense, but it’s inconsistent with the description in this doc.

> 
>> Overall, the point is that simply ignoring this issue is insufficient
>> - at a minimum, this doc needs to clearly state that this issue is
>> being ignored and why, as well as addressing that issue in the
>> security sections.
> 
> Acknowledging that TCP options are being ignored when messages are
> relayed could be OK. I'm not entirely certain what you're suggesting
> relative to the security considerations though. Are you just pointing to
> the fact that security built into TCP (e.g., tcp-ao, tcp-eno, tcp-crypt)
> cannot be used to provide end-to-end security? In the same way that
> (D)TLS cannot be used for this purpose either? If not that, what else do
> you have in mind?

OK, so given you’re just terminating the connection, you need to talk about the implications of doing so, and yes, the kinds of issues above are relevant. If you were opening your own TCP connection, it would be relevant to discuss how you decide what options to enable as well and whether those options are determined based on the options of the other TCP connection (but you’re not doing that).

I.e., my suggestion would be to make the description of the conversion process match this email’s explanation, i.e., as an application relay rather than as direct packet-to-packet conversion, including:

- adjust your description of how you relay messages to talk about things at the “application” layer
	when you talk about IPv4 or IPv6 properties, the issue is about how you configure those as endpoints on the translator, not how *each packet* is translated
	NOTE - your document is incorrect regarding TTL; only routers drop packets with hopcounts/TTLs of zero. A host MUST NOT (per RFC 1122/8200)

- address how your endpoint deals with TCP options that might have impact, including TCP multiparty, AO, ENO, MD5, fastopen, and user timeout

> 
> Regarding UDP options, I agree with Magnus that it's probably better to
> rely on tsvwg to state something about UDP option relay makes more
> sense, considering that the UDP options draft isn't published yet. It's
> unclear what could be said meaningfully in the TURN draft. If you have a
> suggestion that might help.

The intro to Sec 2.7 could be as follows (clarifying the way in which the IP frag avoidance is introduced as well):

   For reasons described in [Frag-Harmful], applications, especially
   those sending large volumes of data, should try hard to avoid having
   their packets fragmented.  Applications using TCP can more or less
   ignore this issue because fragmentation avoidance is now a standard
   part of TCP, but applications using UDP (and thus any application
   using this version of TURN) need to avoid IP fragmentation by sending
   sufficiently small messages or use UDP fragmentation [draft-ietf-tsvwg-udp-options].

   The application running on the client and the peer can take one of
   two approaches to avoid IP fragmentation until UDP fragmentation support is available. The first
   uses messages that are limited to a predetermined fixed maximum and the second
   relies on network feedback to adapt that maximum.

> 
> Thanks,
> --Brandon
> 
> 
> On 6/11/19 2:03 PM, Joe Touch wrote:
>> Hi, all,
>> 
>> Here are my key points:
>> 
>> - whether you deal with TCP options or simply ignore those on incoming
>> connections and use defaults on outgoing, the issue needs to be
>> addressed - as well as its impact on your use.
>> - UDP options are not experimental; they’re standards-track; it could be
>> mentioned here non-normatively as a possible workaround to the IP
>> fragmentation issue.
>> 
>> Finally, IMO, assuming that RTP/RTCP can or should provide extended
>> functions that might already be provided by existing TCP options or
>> emerging UDP options seems like both wasted effort and a failed
>> opportunity to tune the transport as it was intended.
>> 
>> Overall, the point is that simply ignoring this issue is insufficient -
>> at a minimum, this doc needs to clearly state that this issue is being
>> ignored and why, as well as addressing that issue in the security sections.
>> 
>> Finally, I’m quite bothered by the glib idea that transport packets can
>> simply be translated into each other either between two TCP connections
>> or between TCP and UDP. The notion is simply false; TCP doesn’t preserve
>> message boundaries and TCP segments are not guaranteed to match
>> application message boundaries. 
>> 
>> I.e., the transport implications of this “hack” are inadequately addressed.
>> 
>> Joe
>> 
>>> On Jun 11, 2019, at 1:28 AM, Magnus Westerlund
>>> <magnus.westerlund@ericsson.com
>>> <mailto:magnus.westerlund@ericsson.com>> wrote:
>>> 
>>> Hi Joe and Tiru,
>>> 
>>> May I hazard a guess why this have not arisen is that there are no
>>> transport protocol options that makes sense to use end-to-end and are
>>> not protocol specific. Thus, in UDP <-> TCP translations by TURN
>>> server there has so far not been a need to carry any of them over.
>>> Joe, can you think of any that would make sense?
>>> 
>>> For UDP <-> UDP the experimental proposal for UDP options I don't see
>>> that we can require this specification to have to specify that. I do
>>> think it is an interesting question for
>>> https://datatracker.ietf.org/doc/draft-ietf-tsvwg-udp-options/ if that
>>> should write more about what to do with the options when performing
>>> translation operations?
>>> 
>>> When it comes to RTP and RTCP that is widely used over TURN relays
>>> when those applications need extended functionality they have gone
>>> ahead and extended RTP/RTCP rather than attempting to affect lower
>>> layers where other entities than the end-points are required to be
>>> upgraded.
>>> 
>>> Cheers
>>> 
>>> Magnus
>>> 
>>> 
>>> 
>>> 
>>> On 2019-06-11 07:20, Konda, Tirumaleswar Reddy wrote:
>>>> 
>>>> Hi Joe,
>>>> 
>>>>  
>>>> 
>>>> I meant the specifications that use TURN (ICE, SIP and WebRTC) do not
>>>> discuss setting any TCP option for application data (RTP, RTCP and
>>>> WebRTC data channels).  Please note TCP is only used as fallback
>>>> transport only if UDP traffic is blocked to the TURN server.
>>>> 
>>>> TURN has been widely deployed in the field, and there was no
>>>> discussion in the WG to explicitly handle TCP options.
>>>> 
>>>>  
>>>> 
>>>> Cheers,
>>>> 
>>>> -Tiru
>>>> 
>>>>  
>>>> 
>>>> *From:* Joe Touch <touch@strayalpha.com>
>>>> *Sent:* Monday, June 10, 2019 7:59 PM
>>>> *To:* Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
>>>> *Cc:* tsv-art@ietf.org; draft-ietf-tram-turnbis.all@ietf.org;
>>>> ietf@ietf.org; tram@ietf.org
>>>> *Subject:* Re: [Tsv-art] [tram] Tsvart last call review of
>>>> draft-ietf-tram-turnbis-25
>>>> 
>>>>  
>>>> 
>>>> *CAUTION*:External email. Do not click links or open attachments
>>>> unless you recognize the sender and know the content is safe.
>>>> 
>>>> ------------------------------------------------------------------------
>>>> 
>>>> Hi, Tiru,
>>>> 
>>>> 
>>>> 
>>>>    On Jun 9, 2019, at 11:43 PM, Konda, Tirumaleswar Reddy
>>>>    <TirumaleswarReddy_Konda@McAfee.com
>>>>    <mailto:TirumaleswarReddy_Konda@McAfee.com>> wrote:
>>>> 
>>>>     
>>>> 
>>>>        On Jun 7, 2019, at 4:39 AM, Konda, Tirumaleswar Reddy
>>>>        <TirumaleswarReddy_Konda@mcafee.com
>>>>        <mailto:TirumaleswarReddy_Konda@mcafee.com>> wrote:
>>>> 
>>>> 
>>>>                    The specification has two sections 14 and 15 (IP
>>>>                    Header Fields for
>>>>                    UDP-to-
>>>> 
>>>>                UDP translation and IP Header Fields for TCP-to-UDP
>>>>                translation) to
>>>>                discuss direct translations.
>>>>                https://tools.ietf.org/html/rfc5766
>>>>                <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc5766&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=wlJBA0wCj1jIz4f3RegWs8USi6_gsk3fo6HsaHNmDwE&s=zpNv5YDpI2-wPNhWSnCb1VsidyMEg7LYQdn6IeLqdg4&e=>
>>>>                only
>>>>                covered UDP-to- UDP translation in Section 12.
>>>> 
>>>>                Yes, but both sections ignore the impact of transport
>>>>                options - both
>>>>                current for TCP and pending for UDP. These are
>>>>                ignored both when
>>>>                packets with such transport options are received (the
>>>>                input packet to
>>>>                the translation) and whether / how they are used on
>>>>                transmit (the
>>>>                output packet)
>>>> 
>>>> 
>>>>            TURN is used to relay real-time data (e.g. audio and
>>>>            video streams)
>>>>            and the approach taken by VOIP related specifications is
>>>>            to avoid
>>>>            fragmentation for RTP packets
>>>> 
>>>> 
>>>>        Sec 2.8 mentions RTP as one use case envisioned (at this
>>>>        point, it’d be fair to
>>>>        ask this revision to clarify whether that turned out to be
>>>>        true). But it isn’t
>>>>        indicated as the only use case.
>>>> 
>>>> 
>>>>    The draft says TURN is invented to support multimedia sessions
>>>>    signaled using SIP and is typically used with ICE. TURN is also
>>>>    used with WebRTC, and WebRTC data channels also 
>>>>    avoid IP fragmentation
>>>>    (see https://tools.ietf.org/html/draft-ietf-rtcweb-data-channel-13 <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Drtcweb-2Ddata-2Dchannel-2D13&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=bwZ-nnRGWmcGKRIuadq6-NSnsgwbBVUJa4mZfmEIBXg&m=wlJBA0wCj1jIz4f3RegWs8USi6_gsk3fo6HsaHNmDwE&s=II1OEcj0VllH4yVwB5IyIB0KKiXf42ScemFtYoXUQts&e=>). 
>>>> 
>>>>  
>>>> 
>>>> The application protocols TURN is designed for or typically used for
>>>> is not relevant to my point above, unless you’re claiming that these
>>>> uses never use transport options (which is doubtful for TCP, for
>>>> which some transport options are pervasively used by default).
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>>        Regardless, though, this doesn’t impact the concern raised
>>>>        above. RTP could
>>>>        still employ transport options.
>>>> 
>>>> 
>>>>    I checked again and don't see any RTP, Back-to-Back User Agents
>>>>    (B2BUAs), SIP proxies and WebRTC gateway specifications
>>>>    discussing transport options for translations.
>>>> 
>>>>  
>>>> 
>>>> The fact that others have this gap does not justify continuing to
>>>> fail to address it in this document. If anything, it makes it that
>>>> much more important to address.
>>>> 
>>>>  
>>>> 
>>>> Joe
>>>> 
>>> 
>>> -- 
>>> 
>>> Magnus Westerlund 
>>> 
>>> ----------------------------------------------------------------------
>>> Network Architecture & Protocols, Ericsson Research
>>> ----------------------------------------------------------------------
>>> Ericsson AB                 | Phone  +46 10 7148287
>>> Torshamnsgatan 23           | Mobile +46 73 0949079
>>> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
>>> ----------------------------------------------------------------------
>>> _______________________________________________
>>> Tsv-art mailing list
>>> Tsv-art@ietf.org <mailto:Tsv-art@ietf.org>
>>> https://www.ietf.org/mailman/listinfo/tsv-art
>> 
>> 
>> _______________________________________________
>> tram mailing list
>> tram@ietf.org
>> https://www.ietf.org/mailman/listinfo/tram
>> 
> 
> -- 
> Brandon Williams
> Platform Engineering
> Akamai Technologies Inc.
> 
> _______________________________________________
> Tsv-art mailing list
> Tsv-art@ietf.org
> https://www.ietf.org/mailman/listinfo/tsv-art