Traversal Using Relays around NAT (TURN) Resolution Mechanism
draft-ietf-behave-turn-uri-10

[Ballot discuss]
I am picking up Cullen's discuss:

Discuss (2010-02-25)

I discussed this with Magnus today and I think we both came to about the same
conclusion.

In the say way that _turn._udp needs a normative ref to TURN, the _turn._tcp
needs a normative ref to TURN-TCP as that defines the protocol that this service
will provide.

On the topic of DNS resolution, TURN defines one way, this draft defines a
different way. Having two ways is not a good thing and will lead to
interoperability problems. The WG has consensus to do it one way or the other
not both. If we want to do it this way, TURN should be yanked out of RFC Ed Q
and changed. If not, this doc should do it the way TURN does. I do not
understand any significant advantages of using the way over the way in TURN.

[Ballot discuss]
I discussed this with Magnus today and I think we both came to about the same conclusion.

In the say way that _turn._udp needs a normative ref to TURN, the _turn._tcp needs a normative ref to TURN-TCP as that defines the protocol that this service will provide.

On the topic of DNS resolution, TURN defines one way, this draft defines a different way. Having two ways is not a good thing and will lead to interoperability problems. The WG has consensus to do it one way or the other not both. If we want to do it this way, TURN should be yanked out of RFC Ed Q and changed. If not, this doc should do it the way TURN does. I do not understand any significant advantages of using the way over the way in TURN.

[Ballot discuss]
I have reviewed draft-ietf-behave-turn-uri-08, and have one concern
that I'd like to discuss before recommending approval of the document:

Opening a TLS connection usually requires knowing the "reference
identity": this is the identity the client expects to find somewhere
in the server's certificate (more details about the "somewhere" part
are in, e.g., RFC 2818 or draft-saintandre-tls-server-id-check, but
those are not really relevant for this discussion).

In some cases, it's fairly obvious what the reference identity is.
For example, in step 2 (in Section 3), the reference identity would
probably be "" (the domain name provided as input). Step 1 is
also probably quite straightforward.

However, in steps 3..5 it's not obvious what the reference identity
would be (and unfortunately, it seems RFC 5389 is also quite ambiguous
here).

The secure choice is "", and that's what RFC 3958 says.

However, this is not necessarily straightforward deployment-wise: if
is "example.com", the server's certificate needs to have name
"example.com" (and not, e.g., "stunserver4.example.com" or
"*.example.com"). And in the scenario considered in Section 1 where a
VoIP provider uses servers deployed by another company, that another
company can't use certificates it has already obtained (e.g.
"server4.anothercompany.example"), but instead has to have one
provided by the VoIP provider (and has to use either its IP address or
TLS "server_name" extension to select which certificate to send to the
client).

At the very least, the document should clearly say that "" is
the reference identity, and explain the implications: if somebody is
currently running "stunserver4.example.com" and using just A/AAAA
lookup to find it (step 2, essentially), they cannot start using
SRV/NAPTR records (steps 3..5) without also changing the server's
certificate.

Other choices for the reference identity (such as "the name in the
final A/AAAA record found through steps 3..5") would not require
changing the certificate, but are basically insecure (or assume
DNSSEC).

(I also looked to see what RFC 5389 says about this, but unfortunately
the text is very ambiguous. Section 7.2.2 says the reference identity
is "the domain name or IP address used in Section 8.1" (should be
Section 9; just a typo/renumbering bug). But Section 9 would typically
use at least three different domain names: (1) the configured domain name,
like "example.com"; (2) the domain name used in the SRV query, like
"_stuns._tcp.example.com"; and (3) the domain name found in the SRV
record and used for A/AAAA lookup, like "stunserver3.foobar.example".
And they have *very* different security implications...)

[Ballot discuss]
It seems like this should normatively reference TURN TCP.

I'd like to talk about how this changes the base TURN spec handling of A and AAAA lookups. It seems like this changes it in a non backwards compatible way that would break existing deployments that are not using SRV. If this is the case, I think we need to change that.

[Ballot comment]
The first mentioning of TLS probably needs an Informative reference to TLS 1.2. Its use in Section 5 probably means that the reference is Normative.

In Section 3:
  After verifying the validity of the URI elements, the algorithm
  filters the list of TURN transports supported by the application by
  removing the UDP and TCP TURN transport if  is true.

Firstly, URI needs an Informative reference. Secondly, this is the first time that the term URI is mentioned, so it is not entirely clear what you mean here (Ok, I can guess, but the point still stands.)

The following Normative reference is no longer used:

  [RFC5234]  Crocker, D. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", STD 68, RFC 5234, January 2008.

The following Informative reference is not used as well:

  [RFC4395]  Hansen, T., Hardie, T., and L. Masinter, "Guidelines and
              Registration Procedures for New URI Schemes", BCP 35,
              RFC 4395, February 2006.

IANA comments:

Upon approval of this document, IANA will make new assignments in
the "Straightforward-NAPTR (S-NAPTR) Parameters" registry at
http://iana.org/assignments/s-naptr-parameters/s-naptr-parameters.xhtml

ACTION 1:

Registry Name: S-NAPTR Application Service Tags

Tag Reference
----- ---------
RELAY [RFC-behave-turn-uri-05]


ACTION 2:

Registry Name: S-NAPTR Application Protocol Tags

Tag Reference
-------- ---------
turn.udp [RFC-behave-turn-uri-05]
turn.tcp [RFC-behave-turn-uri-05]
turn.tls [RFC-behave-turn-uri-05]

New version is in a new WG last call that ends the 11th due to massive changes to the document. Intended to do a new IETF last call also.

IANA comments:

Upon approval of this document, IANA will make the following assignments:

ACTION 1:

In the "Permanent URI Schemes" registry at
http://www.iana.org/assignments/uri-schemes.html

URI Scheme Description Reference
---------- ----------- -------
turn TURN [RFC-behave-turn-uri-03]
turns TURN TLS [RFC-behave-turn-uri-03]


ACTION 2:

In the "S-NAPTR Application Service Tags" registry at
http://iana.org/assignments/s-naptr-parameters/s-naptr-parameters.xhtml

Tag Reference
----- ---------
RELAY [RFC-behave-turn-uri-03]


ACTION 3:

In the "S-NAPTR Application Protocol Tags" registry at
http://iana.org/assignments/s-naptr-parameters/s-naptr-parameters.xhtml

Tag Reference
-------- ---------
turn.udp [RFC-behave-turn-uri-03]
turn.tcp [RFC-behave-turn-uri-03]
turn.tls [RFC-behave-turn-uri-03]

PROTO writeup for draft-ietf-behave-turn-uri-03

  (1.a)  Who is the Document Shepherd for this document?

Dan Wing, dwing@cisco.com

          Has the
          Document Shepherd personally reviewed this version of the
          document and, in particular, does he or she believe this
          version is ready for forwarding to the IESG for publication?

Yes.


  (1.b)  Has the document had adequate review both from key WG members
          and from key non-WG members?  Does the Document Shepherd have
          any concerns about the depth or breadth of the reviews that
          have been performed?

This document has received review from the community.  The document
shepherd solicited URI review from uri-review@ietf.org but didn't
receive a URI-specific review.


  (1.c)  Does the Document Shepherd have concerns that the document
          needs more review from a particular or broader perspective,
          e.g., security, operational complexity, someone familiar with
          AAA, internationalization, or XML?

A URI review would be helpful.  As stated, the document shepherd
attempted to get a URI review but doubts a URI review occurred.

  (1.d)  Does the Document Shepherd have any specific concerns or
          issues with this document that the Responsible Area Director
          and/or the IESG should be aware of?  For example, perhaps he
          or she is uncomfortable with certain parts of the document, or
          has concerns whether there really is a need for it.  In any
          event, if the WG has discussed those issues and has indicated
          that it still wishes to advance the document, detail those
          concerns here.

No concerns.


          Has an IPR disclosure related to this document
          been filed?  If so, please include a reference to the
          disclosure and summarize the WG discussion and conclusion on
          this issue.


There has been no working group discussion of this IPR
disclosure.


  (1.e)  How solid is the WG consensus behind this document?  Does it
          represent the strong concurrence of a few individuals, with
          others being silent, or does the WG as a whole understand and
          agree with it?

The WG has a good understanding of it, but most members of the WG
do not need this URI to configure their TURN clients.


  (1.f)  Has anyone threatened an appeal or otherwise indicated extreme
          discontent?  If so, please summarize the areas of conflict in
          separate email messages to the Responsible Area Director.  (It
          should be in a separate email because this questionnaire is
          entered into the ID Tracker.)

No such threats or appeals.


  (1.g)  Has the Document Shepherd personally verified that the
          document satisfies all ID nits?  (See
          http://www.ietf.org/ID-Checklist.html and
          http://tools.ietf.org/tools/idnits/.)


Yes.

          Boilerplate checks are
          not enough; this check needs to be thorough.  Has the document
          met all formal review criteria it needs to, such as the MIB
          Doctor, media type, and URI type reviews? 

A URI review is needed.


          If the document
          does not already indicate its intended status at the top of
          the first page, please indicate the intended status here.

Intended Status:  Proposed Standard


  (1.h)  Has the document split its references into normative and
          informative?

Yes.

          Are there normative references to documents that
          are not ready for advancement or are otherwise in an unclear
          state?  If such normative references exist, what is the
          strategy for their completion?  Are there normative references
          that are downward references, as described in [RFC3967]?  If
          so, list these downward references to support the Area
          Director in the Last Call procedure for them [RFC3967].

All normative references are upward references, and all are RFCs.


  (1.i)  Has the Document Shepherd verified that the document's IANA
          Considerations section exists and is consistent with the body
          of the document?

Yes.

          If the document specifies protocol
          extensions, are reservations requested in appropriate IANA
          registries?

No protocol extensions.

          Are the IANA registries clearly identified?

Yes.

          If
          the document creates a new registry, does it define the
          proposed initial contents of the registry and an allocation
          procedure for future registrations?

The document does not create a new IANA registry.

          Does it suggest a
          reasonable name for the new registry?  See [RFC2434].  If the
          document describes an Expert Review process, has the Document
          Shepherd conferred with the Responsible Area Director so that
          the IESG can appoint the needed Expert during IESG Evaluation?

  (1.j)  Has the Document Shepherd verified that sections of the
          document that are written in a formal language, such as XML
          code, BNF rules, MIB definitions, etc., validate correctly in
          an automated checker?

The ABNF parses according to http://www.apps.ietf.org/node/12


  (1.k)  The IESG approval announcement includes a Document
          Announcement Write-Up.  Please provide such a Document
          Announcement Write-Up.  Recent examples can be found in the
          "Action" announcements for approved documents.  The approval
          announcement contains the following sections:

          Technical Summary
            Relevant content can frequently be found in the abstract
            and/or introduction of the document.  If not, this may be
            an indication that there are deficiencies in the abstract
            or introduction.


This document defines two URI schemes and the resolution mechanism to
generate a list of server transport addresses that can be tried to
create a Traversal Using Relays around NAT (TURN) allocation.



          Working Group Summary
            Was there anything in the WG process that is worth noting?
            For example, was there controversy about particular points
            or were there decisions where the consensus was
            particularly rough?


No.

          Document Quality
            Are there existing implementations of the protocol?

Yes.

            Have a
            significant number of vendors indicated their plan to
            implement the specification?

Only one.  Another vendor has indicated interest in implementing after
publication as an RFC.


            Are there any reviewers that
            merit special mention as having done a thorough review,
            e.g., one that resulted in important changes or a
            conclusion that the document had no substantive issues?

They are listed in the document's acknowledgement section.


            If
            there was a MIB Doctor, Media Type, or other Expert Review,
            what was its course (briefly)?  In the case of a Media Type
            Review, on what date was the request posted?

We still need a URI review.


          Personnel
            Who is the Document Shepherd for this document?

Dan Wing, dwing@cisco.com

            Who is the
            Responsible Area Director?

Magnus Westerlund, magnus.westerlund@ericsson.com


            If the document requires IANA
            experts(s), insert 'The IANA Expert(s) for the registries
            in this document are .'


The document doesn't require IANA experts.



  The Document Shepherd MUST send the Document Shepherd Write-Up to the
  Responsible Area Director and iesg-secretary@ietf.org together with
  the request to publish the document.  The Document Shepherd SHOULD
  also send the entire Document Shepherd Write-Up to the working group
  mailing list.  If the Document Shepherd feels that information which
  may prove to be sensitive, may lead to possible appeals, or is
  personal needs to be written up, it SHOULD be sent in direct email to
  the Responsible Area Director, because the Document Shepherd Write-Up
  is published openly in the ID Tracker.  Question (1.f) of the
  Write-Up covers any material of this nature and specifies this more
  confidential handling.