[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[MMUSIC] RE: [BEHAVE] Re: STUN/ICE: Username length inconstency

To: "'Rémi Denis-Courmont'" <remi.denis-courmont at nokia.com>, "'ext Jonathan Rosenberg'" <jdrosen at cisco.com>
Subject: [MMUSIC] RE: [BEHAVE] Re: STUN/ICE: Username length inconstency
From: "Dan Wing" <dwing at cisco.com>
Date: Tue, 4 Sep 2007 16:40:47 -0700
Authentication-results: sj-dkim-2; header.From=dwing@cisco.com; dkim=pass (s ig from cisco.com/sjdkim2002 verified; );
Cc: behave at ietf.org, mmusic at ietf.org
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=2299; t=1188949248; x=1189813248; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[BEHAVE]=20Re=3A=20STUN/ICE=3A=20Username=20length=20 inconstency |Sender:=20; bh=WVuo6CjAWmttmQ+EYgKHLKHTQtfWkHi42219rMZTi+A=; b=Fisb59Xh7tqicEe9tAT77QS3Jo2asSfq+de0rnlpOAG1IcORsGiZ4astYsSBkHqBYd+4/iFD +4X0mqkJU3Rf+L1P0h5TgKtC1Wgd0eK9iDjVd3Ix+Q95ILFBRPJYqeK4;
In-reply-to: <200708210926.45072.remi.denis-courmont@nokia.com>
List-help: <mailto:mmusic-request@ietf.org?subject=help>
List-id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-post: <mailto:mmusic@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
References: <200708201437.55515.remi.denis-courmont@nokia.com><46CA12C7.6020302@cisco.com> <200708210926.45072.remi.denis-courmont@nokia.com>
Thread-index: AcfjvFfQAQ1nWRnvQTeK2kTsQGUTVgLkF7BA

(Sorry for the delay, I just returned from vacation.)

It's useful to have a long username (for things like the now-expired
draft-wing-session-auth-00), but I agree we don't want to exceed the MTU with
the ICE connectivity checks.  ICE should probably mention that somewhere (it
doesn't contain the string "MTU", but I didn't search elsewhere).

-d


> -----Original Message-----
> From: Rémi Denis-Courmont [mailto:remi.denis-courmont at nokia.com] 
> Sent: Monday, August 20, 2007 11:27 PM
> To: ext Jonathan Rosenberg
> Cc: behave at ietf.org; mmusic at ietf.org
> Subject: [BEHAVE] Re: STUN/ICE: Username length inconstency
> 
> On Tuesday 21 August 2007 01:16:39 ext Jonathan Rosenberg wrote:
> > This is a good catch. I recently introduced the limit in 
> STUN based on
> > last call comments, forgetting that we had ICE use cases that could
> > result in values longer than 127. I had picked 127 thinking 
> about human
> > readable usernames. My bad. I think the limit in STUN should be
> > increased to match ICE, not the other way around.
> 
> Hmm, I am not sure 1023 character long username are that 
> great really. For a 
> start, after concatenation (2047 characters), you'll get 
> connectivity checks 
> that exceed the typical Internet MTU. That brings either problem:
> - NATs will not handle fragmented packets, or
> - ICE implementation will refuse to send at all (packet too big).
> 
> Second, I wonder if if makes sense to have a higher entropy 
> for the username 
> (12,000 bits here!) than we have for the message integrity (160 bits 
> currently) or the shared secret password. But that's 
> something for security 
> gurus to judge. Even if we switched to SHA512, we'd still 
> have more than 
> enough username entropy with just 63 characters from each 
> sides (756 bits).
> 
> Third, we do not want to drain the entropy pool of 
> ICE-capable device too 
> badly. There are better stuff to dedicate entropy to that ICE 
> connectivity 
> checks, such as generating TLS parameters.
> 
> -- 
> Rémi Denis-Courmont
> 
> 
> _______________________________________________
> Behave mailing list
> Behave at ietf.org
> https://www1.ietf.org/mailman/listinfo/behave

_______________________________________________
mmusic mailing list
mmusic at ietf.org
https://www1.ietf.org/mailman/listinfo/mmusic

Follow-Ups:
- [MMUSIC] Re: [BEHAVE] Re: STUN/ICE: Username length inconstency
  - From: Jonathan Rosenberg

References:
- [MMUSIC] STUN/ICE: Username length inconstency
  - From: Rémi Denis-Courmont
- [MMUSIC] Re: STUN/ICE: Username length inconstency
  - From: Jonathan Rosenberg
- [MMUSIC] Re: STUN/ICE: Username length inconstency
  - From: Rémi Denis-Courmont

Prev by Date: [MMUSIC] Re: [Tsvwg] I-D Action:draft-ietf-tsvwg-udp-guidelines-02.txt
Next by Date: Re: [MMUSIC] RTSP timeout issue
Previous by thread: [MMUSIC] Re: STUN/ICE: Username length inconstency
Next by thread: [MMUSIC] Re: [BEHAVE] Re: STUN/ICE: Username length inconstency
Index(es):
- Date
- Thread