Re: [BEHAVE] ALTERNATE-SERVER and anycast
Cullen Jennings <fluffy@cisco.com> Thu, 03 April 2008 14:22 UTC
Return-Path: <behave-bounces@ietf.org>
X-Original-To: behave-archive@optimus.ietf.org
Delivered-To: ietfarch-behave-archive@core3.amsl.com
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C0B9728C64F; Thu, 3 Apr 2008 07:22:35 -0700 (PDT)
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AD41328C64B for <behave@core3.amsl.com>; Thu, 3 Apr 2008 07:22:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.615
X-Spam-Level:
X-Spam-Status: No, score=-3.615 tagged_above=-999 required=5 tests=[AWL=2.984, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jPqyMZrz1WOR for <behave@core3.amsl.com>; Thu, 3 Apr 2008 07:22:33 -0700 (PDT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 659D628C226 for <behave@ietf.org>; Thu, 3 Apr 2008 07:22:33 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.25,599,1199692800"; d="scan'208";a="10154191"
Received: from sj-dkim-2.cisco.com ([171.71.179.186]) by sj-iport-4.cisco.com with ESMTP; 03 Apr 2008 07:22:36 -0700
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m33EMZjF015176; Thu, 3 Apr 2008 07:22:35 -0700
Received: from [192.168.4.177] (sjc-fluffy-vpn1.cisco.com [10.25.236.82]) by sj-core-1.cisco.com (8.13.8/8.13.8) with SMTP id m33EMZ2U022636; Thu, 3 Apr 2008 14:22:35 GMT
From: Cullen Jennings <fluffy@cisco.com>
To: Philip Matthews <philip_matthews@magma.ca>
In-Reply-To: <DF8A2ED2-0757-44DC-8C85-8992995EDFBF@magma.ca>
Impp: xmpp:cullenfluffyjennings@jabber.org
References: <FEB98E11-0C6A-4662-AFAD-3184080A07B5@magma.ca> <0C580D3D-27FD-4E56-9450-0AE3286E2037@cisco.com> <DF8A2ED2-0757-44DC-8C85-8992995EDFBF@magma.ca>
Message-Id: <4E07EE1A-330E-4457-9F5C-16E5A265E0E5@cisco.com>
Mime-Version: 1.0 (Apple Message framework v919.2)
Date: Thu, 03 Apr 2008 07:22:16 -0700
X-Mailer: Apple Mail (2.919.2)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=6769; t=1207232555; x=1208096555; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fluffy@cisco.com; z=From:=20Cullen=20Jennings=20<fluffy@cisco.com> |Subject:=20Re=3A=20ALTERNATE-SERVER=20and=20anycast |Sender:=20; bh=gfQhEHbUQhFVp/OtMDMB3OjMHgYEBMkVAczCogm0Wfs=; b=M1jY9vzW1VZBX9zPsop5P6DytXputECkDPV9NLCKv3/tDdZbW/Nz+ThyrW YW/84EhZtnyEiOycSgFnxPT4la5QhAC4ItKFx3NZHWpaADsyzfKzIASc7Vef EVhCXBMFzG;
Authentication-Results: sj-dkim-2; header.From=fluffy@cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: "Dave Oran (oran)" <oran@cisco.com>, Behave WG <behave@ietf.org>, David Ward <dward@cisco.com>, "Mark Townsley (townsley)" <townsley@cisco.com>
Subject: Re: [BEHAVE] ALTERNATE-SERVER and anycast
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: behave-bounces@ietf.org
Errors-To: behave-bounces@ietf.org
On Apr 3, 2008, at 6:43 AM, Philip Matthews wrote: > > On Thu, 3-Apr-08, at 06:54 , Cullen Jennings wrote: > > > > On Apr 2, 2008, at 7:22 PM, Philip Matthews wrote: > >> At the last BEHAVE meeting, it was suggested that one use of > >> ALTERNATE- > >> SERVER was to support anycast discovery of TURN servers. I have > been > >> doing some inquiries, and it seems that there might be a problem > with > >> this idea. > >> > >> The way I had been thinking this would work is that a client would > >> send an Allocate request to an anycast address, and would receive > an > >> error response back with an error code of 300 Try Alternative and > an > >> ALTERNATE-SERVER attribute giving the unicast address of the server > >> to > >> contact. > >> > >> The problem is that it seems there is no guarantee that two > >> consecutive packets will be delivered to the same anycast server. > The > >> only thing that is guaranteed is a single round-trip exchange[1]. > >> This > >> means that the above idea does not work because: > >> a) It is not possible to contact an anycast TURN server using TCP > or > >> TLS over TCP, since the handshake will not necessarily complete > with > >> the same server. > >> b) It is also not possible to contact an anycast TURN server using > >> UDP, since STUN says that an ALTERNATE-SERVER reply must be > >> authenticated, and authentication in TURN requires a 4-packet > >> exchange. > >> > >> So this straight-forward method of doing anycast lookup in TURN > does > >> not seem to work. > >> > >> There are probably ways to fix this by changing how ALTENATE-SERVER > >> works in TURN, but I am currently inclined to forget about anycast > >> for > >> TURN right now, and let someone add it later. > >> > >> Comments? > >> > > Sure, what you are proposing here won't work for the reasons you > > point out. I don't know when the WG decided the ALTERNATIVE-ERVER > > reply MUST be authenticated but that seems like it is not going to > > work for anycast. > > Sorry. I should have provided a reference. draft-ietf- > behave-3489bis-15, section 11 says: > > 11. ALTERNATE-SERVER Mechanism > > This section describes a mechanism in STUN that allows a server to > redirect a client to another server. This extension is optional, > and > a usage must define if and when this extension is used. To > prevent > denial-of-service attacks, this extension MUST only be used in > situations where the client and server are using an authentication > and message-integrity mechanism. > > A server using this extension redirects a client to another server > by > replying to a request message with an error response message > with an > error code of 300 (Try Alternate). The server MUST include a > ALTERNATE-SERVER attribute in the error response. The error > response > message MUST be authenticated, which in practice means the request > message must have passed the authentication checks. > > [Rest of section omitted] > > right - thanks > > There are more than a few things wrong with this - for one I suspect > > the authentication you are talking about is for the server to > > authenticate the client not for the client to authenticate the > > server. As an alternative you might want to consider is something > > like what I had previously email you - I'm sure lots of other ways > > would work too and I don't really care which way we do it. No doubt > > the thing I emailed has some issues that would need to be worked out > > but I think it is closer to working. > > > > On Apr 2, 2008, at 3:41 PM, Cullen Jennings wrote: > >> > >> > >> 1) client is configured with TURN server of turn.example.com > >> > >> 2) client does an SRV lookup and finds there is no TCP service but > >> there is a UDP service at 1.1.1.1 > >> > >> 3) client sends an UDP packet to 1.1.1.1 which happens to be an > >> anycast IP. > >> > >> 4) Some server gets this and responds with a redirect to 2.2.2.2 > >> along with info to use TLS. The address 2.2.2.2 is not an anycast > >> address but goes to a single machine with a TURN server > >> > >> 5) client does TLS to 2.2.2.2. Server presents certificate with > >> name turn.example.com > >> > >> 6) client check certificate matches the name that it has in it's > >> config. > >> > >> This approach is susceptible to being DOSed by a well timed > >> response to the UDP request to 1.1.1.1 but seemed like a risk we > >> were willing to live with. Presumably some secret material would be > >> copied from request in step 3 to the response in step 4 to force > >> the attacker to be on-path. > > > > > > If the client doesn't care about server authentication, then it can > > ignore TLS and do much the same with just UDP. > > > > It's going to be very difficult to add something like this in later > > so I would argue we should deal with having at least enough > > placeholders in the base draft that we can add it later - to do this > > we will likely need to figure it out well enough that we should just > > add it to the base draft instead of trying to do it as an extension. > > > > Cullen <with my individual contributor hat on> > > This works if the client can contact the server using both UDP and > TCP. As you know, we are separately discussing the case of a client > that can only contact TURN servers using TCP -- this is the proposed > justification for TCP transport for a UDP allocation. If we decide to > keep TCP transport for a UDP allocation (and right now, I am seeing > more support for keeping it than dropping it -- but we will discuss > this next week on the conf call), then I have a problem with something > like this as the proposed anycast solution. > > I will note that there are a couple of ways to achieve something very > similar to this without using anycast. The first option is that > 1.1.1.1 is not an anycast address, but is a unicast address of a TURN > server that doesn't actually accept allocations, but always redirects > clients to other servers (using ALTERNATE-SERVER). The second is to > use DNS to direct the client to a closer or otherwise appropriate > server. > The point of the anycast is not to just spread stuff over multiple servers - a DNS A record could do that. The point is to solve in some way the "close" problem where the client ends up using a TURN server that is topologically close to the client. Anycast is a one appealing way to address that. What you are proposing does not seem to address the issues of getting to a TURN server that is topologically close to the client. > > > - Philip > > _______________________________________________ Behave mailing list Behave@ietf.org https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] ALTERNATE-SERVER and anycast Philip Matthews
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Hadriel Kaplan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Cullen Jennings
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Philip Matthews
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Philip Matthews
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Cullen Jennings
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Cullen Jennings
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Hadriel Kaplan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Hadriel Kaplan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Hadriel Kaplan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Mark Townsley
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Philip Matthews
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Philip Matthews
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Hadriel Kaplan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Dan Wing
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Hadriel Kaplan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Dan Wing
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Hadriel Kaplan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast David R Oran
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Cullen Jennings
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Jiri Kuthan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Jiri Kuthan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Jiri Kuthan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Jiri Kuthan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Spencer Dawkins
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Jiri Kuthan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Eric Rescorla
- [BEHAVE] ALTERNATE-SERVER inclusion Hadriel Kaplan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Jiri Kuthan
- Re: [BEHAVE] ALTERNATE-SERVER inclusion Dan Wing
- Re: [BEHAVE] ALTERNATE-SERVER inclusion Jiri Kuthan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Jiri Kuthan
- Re: [BEHAVE] ALTERNATE-SERVER and anycast Bill Woodcock