[BEHAVE] Using TLS with a "turn:" URI [was Re: Opsdir Review of draft-ietf-behave-turn-uri-03.txt]
Margaret Wasserman wrote:
>
> Hi Marc,
>
> On Oct 25, 2009, at 3:03 PM, Marc Petit-Huguenin wrote:
>>>
[...]
>> You are absolutely right, this is a bug in the spec, the ordered list
>> of TURN
>> transports should have been filtered by the <scheme> used.
>>
>> I propose to replace "...the TURN transports supported by the
>> application..." by
>> "...the filtered TURN transports supported by the application..." in
>> step #1 and
>> #2 and to add the following paragraph before paragraph 6:
>>
>> "After verifying the validity of the URI elements, the algorithm
>> filters the list of TURN transports supported by the application by
>> keeping only the UDP and TCP TURN transports if the <scheme> is
>> defined as "turn" and by keeping only the TLS TURN transport if the
>> <scheme> is defined as "turns". If the list of TURN transports is
>> empty after this filtering, the resolution MUST stop with an error."
I think that this is not completely correct.
The reason to have TLS in the leg between the TURN client and the TURN server in
the first place was not for security reasons, but because this is the only way
to be sure that a NAT that knows about the XOR trick will not modify the IP
addresses in the TURN messages. Because TURN is the lowest priority protocol in
ICE, it was designed in a way that it is always possible to find a path for the
media (this is why I think that not making TLS mandatory in TURN was a mistake,
but that's another topic).
On the other hand, there is no security downside to "upgrading" a TURN
connection from TCP or UDP to TLS, so I think that a "turn:" URI should be able
to use a TLS connection if available. The new text would become this:
"After verifying the validity of the URI elements, the algorithm
filters the list of TURN transports supported by the application by
removing the UDP and TCP TURN transport if the <scheme> is defined as
"turns". If the list of TURN transports is empty after this
filtering, the resolution MUST stop with an error."
I am interested in feedback from the WG on this. If there is no feedback by
November 9th, the next release will contain this text.
Thanks.
--
Marc Petit-Huguenin
Personal email: marc at petit-huguenin.org
Professional email: petithug at acm.org
Blog: http://blog.marc.petit-huguenin.org
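To make the difference between the two proposed filtering rules concrete, here is an added Python example (not code from the draft, the WG, or Marc) that runs both rules over an application's ordered transport list. The transport names, the application's preference order and the sample URIs are constructed for the example; the draft itself leaves the ordered list to the application. The key property both rules preserve is that a "turns:" URI can never fall back to a cleartext transport; the revised rule differs only in letting a "turn:" URI keep TLS when the application offers it.

```python
from typing import List

# Constructed transport labels for the example; the draft does not name them this way.
UDP, TCP, TLS = "udp", "tcp", "tls"


class ResolutionError(Exception):
    """Raised where the draft text says the resolution MUST stop with an error."""


def uri_scheme(uri: str) -> str:
    """Return the <scheme> of a TURN URI such as 'turn:host' or 'turns:host:5349'."""
    scheme, sep, _ = uri.partition(":")
    if not sep or scheme not in ("turn", "turns"):
        raise ResolutionError(f"not a turn/turns URI: {uri!r}")
    return scheme


def filter_original(uri: str, supported: List[str]) -> List[str]:
    """First proposal: 'turn' keeps only UDP/TCP, 'turns' keeps only TLS.

    The application's preference order is preserved in the result.
    """
    scheme = uri_scheme(uri)
    if scheme == "turn":
        kept = [t for t in supported if t in (UDP, TCP)]
    else:  # "turns"
        kept = [t for t in supported if t == TLS]
    if not kept:
        raise ResolutionError("no TURN transport left after filtering")
    return kept


def filter_revised(uri: str, supported: List[str]) -> List[str]:
    """Revised text: only 'turns' filters, by removing UDP and TCP.

    A 'turn' URI keeps every transport the application supports, so TLS
    remains usable as an upgrade while a 'turns' URI still never degrades
    to cleartext.
    """
    scheme = uri_scheme(uri)
    kept = list(supported)
    if scheme == "turns":
        kept = [t for t in kept if t not in (UDP, TCP)]
    if not kept:
        raise ResolutionError("no TURN transport left after filtering")
    return kept


def compare(uri: str, supported: List[str]) -> dict:
    """Run both rules on the same input; an error is reported as the string 'error'."""
    out = {}
    for name, fn in (("original", filter_original), ("revised", filter_revised)):
        try:
            out[name] = fn(uri, supported)
        except ResolutionError:
            out[name] = "error"
    return out


if __name__ == "__main__":
    # Constructed application preference: TLS first, then TCP, then UDP.
    prefs = [TLS, TCP, UDP]
    print(compare("turn:turn.example.net", prefs))    # original drops TLS, revised keeps it
    print(compare("turns:turn.example.net", prefs))   # both keep only TLS
    print(compare("turns:turn.example.net", [TCP, UDP]))  # both MUST error: no TLS offered
```

Running the script shows the case that motivated the revision: with a "turn:" URI and an application that lists TLS first, the original rule silently discards TLS and forces a cleartext transport, while the revised rule keeps the full ordered list. For a "turns:" URI both rules reject an application that cannot offer TLS rather than downgrading.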
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.