IETF Logo Mail Archive

Re: [BEHAVE] Comments on the TURN REST Server API presentation

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 01 August 2013 07:52 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6125D21F9E02 for <behave@ietfa.amsl.com>; Thu, 1 Aug 2013 00:52:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.524
X-Spam-Level:
X-Spam-Status: No, score=-10.524 tagged_above=-999 required=5 tests=[AWL=0.075, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zV7tdqoplLXB for <behave@ietfa.amsl.com>; Thu, 1 Aug 2013 00:52:29 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 0601121F8D6D for <Behave@ietf.org>; Thu, 1 Aug 2013 00:52:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6894; q=dns/txt; s=iport; t=1375343533; x=1376553133; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=DV8SpNlkOEZ8TpIEufFno6o2k+9iWjpy03LlCUczbhI=; b=YyPqhwfzLWMYhOYaBHTuZwIr6T3d3zF2Vmg0DlXsw8UU9uG9Ze9yOsFV eFvll2upOOrlCG5dK4f0a4zV3kA2rjFyeKJqOH4vQHEu14fFSduGqoIxc WTQlIOFZcNRarwQLmSvcROMJtL168M3qifqXYm3cLdnShsLxYGDeF7xIl I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgcFAIES+lGtJV2Y/2dsb2JhbABbgwY1UIMQuzwXgQcWdIIkAQEBBAEBASAROgsQAgEIDgMEAQEDAgYODwMCAgIlCxQBCAgCBAENBQiICAynXZFQgSiLX4E4gRcxBwYSgk0zcwOZCJAkgxSBaAcCFyI
X-IronPort-AV: E=Sophos;i="4.89,792,1367971200"; d="scan'208";a="241936853"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-1.cisco.com with ESMTP; 01 Aug 2013 07:52:11 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id r717qBXe017938 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 1 Aug 2013 07:52:11 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.159]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.02.0318.004; Thu, 1 Aug 2013 02:52:11 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Justin Uberti <juberti@google.com>, Marc Petit-Huguenin <petithug@acm.org>
Thread-Topic: [BEHAVE] Comments on the TURN REST Server API presentation
Thread-Index: AQHOjiBFpEo4ItDKvEeFioaMwxZH3Jl/+CSw
Date: Thu, 01 Aug 2013 07:52:10 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A19009729@xmb-rcd-x10.cisco.com>
References: <51F742F8.3070903@acm.org> <CAOJ7v-0adp2eWJsX+q5RkDHhUcOpc-T1n0Qev1_r5o+uc-c=Pg@mail.gmail.com>
In-Reply-To: <CAOJ7v-0adp2eWJsX+q5RkDHhUcOpc-T1n0Qev1_r5o+uc-c=Pg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.54.98]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Cc: "Behave@ietf.org" <Behave@ietf.org>
Subject: Re: [BEHAVE] Comments on the TURN REST Server API presentation
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 07:52:34 -0000

>The others (rtcweb password exposure, TURN credential DB) are addressed by the ephemeral/token based approach. There seems to be a general desire to do >this through OAuth, using either normal tokens that are checked back against the AS, or self-contained tokens which can be checked directly at the TURN >server, so I will look at updating the draft to use OAuth. This will also resolve the issues raised about how separate web and TURN servers can share a >secret. 

OAuth RFC 6819 discusses the pros/cons of self-contained token verses handle token. 

>The main question here is whether this requires an update to the TURN protocol to specify a token-based auth mechanism, or if it is possible to overload >the long-term auth mechanism, since I think they will be fairly similar in operation.

If let's say self-contained/handle token is selected then there is no need to send any USERNAME, new STUN attribute to indicate TURN server supports this new mechanism, new STUN attribute to send the token to TURN server etc. 
PCP http://tools.ietf.org/html/draft-wing-pcp-third-party-authz-00 also uses similar technique.

--Tiru.

From: Justin Uberti [mailto:juberti@google.com] 
Sent: Wednesday, July 31, 2013 5:27 PM
To: Marc Petit-Huguenin
Cc: Behave@ietf.org
Subject: Re: [BEHAVE] Comments on the TURN REST Server API presentation


On Tue, Jul 30, 2013 at 6:37 AM, Marc Petit-Huguenin <petithug@acm.org> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

About this presentation, I agree with what Martin Thomson said on the
microphone (trying to paraphrase from memory as the audio recording is not
available yet):  There is no need to standardize a RESTful API because the
server can send the username/password in the web page that uses rtcweb, or can
use any proprietary API between the javascript client and the server.  There
is no interoperability issue here.

I think rtcweb (including non-browser clients) would benefit from having a common interface defined to get access to TURN servers, so that it would be easy to use different providers. But perhaps the IETF is not the right forum for this.
 

Second, I do not think that trying to overload the long-term authentication
mechanism is wise - and I take exceptions with the previous presentation that
characterized long-term authentication as having problems.  This is how
long-term authentication works, and that should be left alone.  IMO what is
needed is to design a third authentication option for TURN (probably with new
attributes) that is doing the username/password stateless verification.  Here
there is a need to define how the web server and the turn server can
generate/verify the same username/password, so an I-D is required to ensure
interoperability.

I think it's clear that there are limitations to long-term authentication. Some (cleartext USERNAME, dictionary attacks on M-I) can be largely mitigated if we add support for TURN over DTLS, which I think is a good idea.

The others (rtcweb password exposure, TURN credential DB) are addressed by the ephemeral/token based approach. There seems to be a general desire to do this through OAuth, using either normal tokens that are checked back against the AS, or self-contained tokens which can be checked directly at the TURN server, so I will look at updating the draft to use OAuth. This will also resolve the issues raised about how separate web and TURN servers can share a secret. 

The main question here is whether this requires an update to the TURN protocol to specify a token-based auth mechanism, or if it is possible to overload the long-term auth mechanism, since I think they will be fairly similar in operation.

Finally a small nit:  In the presentation the wrong syntax was used for the
turn uri:  the parameter name is transport=, not proto=.

My mistake. Thanks. 

Thanks.

- --
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBCAAGBQJR90LqAAoJECnERZXWan7EoiMP/R90khv1Ez+2652uCRIBjNhS
JyGpoNNVsqaPFPHo9jJ5pvJu0qYEUKrzXwoZtRn80UFFUojJIFsx0XmzwkDl7qAq
hsz+rPxCvVL3iTBvNGSee8HEZiLzzSkba34nwDoH4qrVEiWX3njcJH1P1bfbrrhk
rOxVMTSoXK7P118RFp0iQYyfTAf5RlH292u9vrCRljW2OjE644APBNgWyEyoi/J5
vJnPPvBSrR5hYftn0DrCRLsOm5PPc+6lZ23BzEa+0yJdp2C4Fez7Z4uHTMhw4bBP
UOpXb88ZpuUlcLUjj+XU9JMYm7VhP+CKZw+AkXMGXAmiMa4jc6Ria1sTkeCXdT8J
cXyyxjBl/CYuhxqMhM3Hxm2ifeV6jQEX5bdk+5y+Qp8Jg++cjjeNYd/Yt8uJPYe3
nFxkKHAK4kr63NIwfPJFWfVE44NwbvmyCsHmTNcDXloq4DFeWGKxsEnngWjeSOIE
3HddtKgcTtL8AtNY9FVlPZMlmDI+Lh9eO+l+05IRIizIDsL8w3WMlpCXiPfrUq1X
SQcCxMBJHSAINqMGT4U0sw+VAI6lCTAnJW9AQFZebdDmf2KAsWDxLGwkW0G47/yg
rwKGAZhi14OuMc8yY8eWIbU+KRxPUkbS3p7AWVh5qNhTXYdllVjzJORvZ584vp0I
RjEwVbloGz5LYN0CCCBh
=L8qI
-----END PGP SIGNATURE-----
_______________________________________________
Behave mailing list
Behave@ietf.org
https://www.ietf.org/mailman/listinfo/behave

v2.23.0 | Report a Bug | By Email