I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs
 should treat these comments just like any other last call comments.








I consider this draft to be 




Ready with nits.










TURN servers are used to connect devices running Peer-to-Peer applications, such as real-time communication. Typically these TURN servers are not under a local network’s administrative control (e.g., the enterprise or ISP hosting the communicating
 devices. This draft provides a server discovery method to a TURN server that is under the administrative control of the local network. There are some security and operational advantages to the use of a local TURN server, since the local service can tend to
 keep the real-time communication (or other application) messages from leaving the local network. This is useful. The methods for auto-discovering local TURN servers discussed in the document include DNS Service Resolution, DNS Service Discovery,  and Anycast.










The main security consideration of using using server discovery methods would seem to be ensuring that an authorized local STUN server has been reached. The Security Considerations section mentions STUN authentication as OPTIONAL for “TURN servers
 provided by the local network or by the access network”, but "it is RECOMMENDED that the TURN client use one of the following techniques with (D)TLS”. When (D)TLS is used, several mechanisms are described whereby the client can determine that a STUN server
 is authorized. The requirements language is a bit obscure, but the result is recommending that (D)TLS authentication and authorization is used, which is fine.










The Security Considerations section also recommends what a client ought to do when authenticated (D)TLS isn’t possible. The paragraph just before Section 9.1 contains good advice, but it could be clearer. For example the paragraph confuses privacy
 goals with the security goal of mitigating on-path injection of spoofed packets. I suggest rewording this paragraph with text something like this:













   In some auto-discovery scenarios, it might not be possible for the




   TURN client to use (D)TLS authentication to validate the TURN server.




   However, fall-back to clear text in such cases could leave the TURN




   client open to on-path injection of spoofed TURN messages. 




   Instead, a TURN client SHOULD fall-back to encryption-only




   (D)TLS when (D)TLS authentication is not available. Another reason




   to fall-back to encryption-only is for privacy, which is




   analogous to SMTP opportunistic encryption




   [RFC7435]  where one does not require privacy but one desires privacy




   when possible.  










   It is suggested that a TURN client attempt (D)TLS with




   authentication and encryption, falling back to encryption-only if the




   TURN server cannot be authenticated via (D)TLS.  The TURN server




   could fall back to clear text if it  does not support unauthenticated (D)TLS, 




   but fallback to clear text is NOT RECOMMENDED because it makes




   the client more susceptible to man-in-the-middle attacks and on-path




   packet injection.










The Security Considerations in each of the sub-sections is good as written.










Brian