Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN)
draft-ietf-behave-turn-16

[Ballot comment]
Seems weird that we can negotiate lifetimes of allocations but not permissions or channels bindings. Why?

Padding up the Channel Data messages over TCP is a waste of bandwidth - why is it needed?

[Ballot discuss]
Refresh's, allocations, permission, and channel bindings request MUST be authenticated to meet the security requirements. The changes made from previous version don't fix this and seem to be what the Philip had always argued for in the WG and not what the WG agreed to.

The lack of authentication on the  redirect response makes it trivial to DDOS any set of clients trying to use a STUN server by just redirecting them to a server that does not work.

Section 10.3 needs to say the server MUST discard the packet if there is no permission to meet the security requirements.

petithug@acm.org pointed out there is no guidance on what transports need to be implemented.

[Ballot discuss]
Refresh's, allocations, permission, and channel bindings request MUST be authenticated to meet the security requirements.

The lack of authentication on the  redirect response makes it trivial to DDOS any set of clients trying to use a STUN server by just redirecting them to a server that does not work.

Section 10.3 needs to say the server MUST discard the packet if there is no permission to meet the security requirements.

petithug@acm.org pointed out there is no guidance on what transports need to be implemented.

[Ballot comment]
There are several invariant times called out in this document without motivation (default lifetimes MUST be 300 seconds, clients SHOULD wait at least one minute before doing some things and MUST wait 5 minutes before doing others). It would be nice to let the implementors know, if possible, why these values were chosen.

The text in the NOTE on page 25 will not age well after this is published as an RFC

(Comment to version -14): I think it's likely that a client implementer will miss noticing that the client needs to set a separate timer for refreshing the permission and the channelbind when a channelbind request succeeds. You could help avoid some interop problems by explicitly calling this out in the "processing channelbind responses" section.

[Ballot discuss]
Because TURN doesn't translate the ICMP messages necessary for PMTU discovery,
persistent fragmentation can occur. When we discussed this in the WG, I thought
we had come to an agreement that the document should say that TURN is
NOT RECOMMENDED for applications that frequently exchange UDP packets larger than
the minimum PMTU (500-odd bytes), unless they implement RFC4821.

[Ballot comment]
In Section 6.2:

  5.  The server checks if the request contains an EVEN-PORT attribute.
      If yes, then the server checks that it satisfy the request.

Missing word: ... that it *can* satisfy ...

I am also agreeing with Russ' DISCUSS.

[Ballot discuss]
Refresh's, allocations, permission, and channel bindings request MUST be authenticated to meet the security requirements.

The lack of authentication on the  redirect response makes it trivial to DDOS any set of clients trying to use a STUN server by just redirecting them to a server that does not work.

Section 10.3 needs to say the server MUST discard the packet if there is no permission to meet the security requirements.

[Ballot comment]
Seems weird that we can negotiate lifetimes of allocations but not permissions or channels bindings. Why?

Padding up the Channel Data messages over TCP is a waste of bandwidth - why is it needed?

[Ballot discuss]
As I understand it, this specification mandates client support for STUN authentication, but
this is not a MUST implement for TURN servers.  The specification provides good reasons
to include that support in servers (section 2.2, "since relaying data may require lots of
bandwidth..."), the protocol *requires* authentication to install or refresh permissions (section
2), and authentication is identified as the solution for several threats in the security
considerations.  This makes me wonder if STUN authentication shouldn't be a MUST
implement for servers.

Are there significant deployment scenarios where a TURN server could be deployed safely,
and meet all the operational requirements without supporting authentication?  If not, I would
suggest making authentication a MUST implement for servers.  (If significant scenarios exist
where authentication would not be used, then I would leave things as is...)

[Ballot discuss]
As I understand it, this specification mandates client support for STUN authentication, but
this is not a MUST implement for TURN servers.  The specification provides good reasons
to include that support in servers (section 2.2, "since relaying data may require lots of
bandwidth...") and *requires* authentication to install or refresh permissions (section 2), and
is identified as the solution for several threats in the security considerations.  This makes me
wonder if STUN authentication shouldn't be a MUST implement for servers.

Are there significant deployment scenarios where a TURN server could be deployed safely,
and meet all the operational requirements without supporting authentication?  If not, I would
suggest making authentication a MUST implement for servers.

[Ballot discuss]
Because TURN doesn't translate the ICMP messages necessary for PMTU discovery,
persistent fragmentation can occur. When we discussed this in the WG, I thought
we had come to an agreement that the document should say that TURN is
NOT RECOMMENDED for applications that exchange UDP packets larger than
the minimum PMTU (500-odd bytes), unless they implement RFC4821.

[Ballot discuss]
In section 11.2, I'm not finding where it's explicitly specified what the lifetime of a Permission established by a ChannelBind is. I think both the server and client are expected to use the lifetime of the ChannelBind as the lifetime of the Permission, but this should be explicitly stated.

----

The text defining how the lifetimes of permissions and allocations are established say to use either the value requested by the client, or the default lifetime (see the bottom of page 25, top of page 26 for example). The example shows the server choosing a value (20 minutes) between those. Was the intent of the normative text to allow the server to choose any value between the default and requested value, or only the endpoints?

----

I think there is an unintended problem in the way the processing for Allocate requests is spelled out on pages 23 and 24. As written, a request that contains both a RESERVATION-TOKEN and an EVEN-PORT attribute that the server couldn't satisfy, step 5 will cause a 508 error (which will lead to the client trying the same request again). The intended check to reject this with a 400 doesn't occur until step 6.

----

Should the text in 17.2.3 say that the TURN server will never accept traffic from a peer which the client has not installed a permission for, rather than which the client has not yet contacted?

[Ballot comment]
There are several invariant times called out in this document without motivation (default lifetimes MUST be 300 seconds, clients SHOULD wait at least one minute before doing some things and MUST wait 5 minutes before doing others). It would be nice to let the implementors know, if possible, why these values were chosen.

The text in the NOTE on page 25 will not age well after this is published as an RFC

[Ballot discuss]
In section 11.2, I'm not finding where it's explicitly specified what the lifetime of a Permission established by a ChannelBind is. I think both the server and client are expected to use the lifetime of the ChannelBind as the lifetime of the Permission, but this should be explicitly stated.

----

The text defining how the lifetimes of permissions and allocations are established say to use either the value requested by the client, or the default lifetime (see the bottom of page 25, top of page 26 for example). The example shows the server choosing a value (20 minutes) between those. Was the intent of the normative text to allow the server to choose any value between the default and requested value, or only the endpoints?

----

I think there is an unintended problem in the way the processing for Allocate requests is spelled out on pages 23 and 24. As written, a request that contains both a RESERVATION-TOKEN and an EVEN-PORT attribute that the server couldn't satisfy, step 5 will cause a 508 error (which will lead to the client trying the same request again). The intended check to reject this with a 400 doesn't occur until step 6.

----

Should the text in 17.2.3 say that the TURN server will never accept traffic from a peer which the client has not installed a permission for, rather than which the client has not yet contacted?

[Ballot discuss]
In section 11.2, I'm not finding where it's explicitly specified what the lifetime of a Permission established by a ChannelBind is. I think both the server and client are expected to use the lifetime of the ChannelBind as the lifetime of the Permission, but this should be explicitly stated.

[Ballot discuss]
The IAB Considerations in RFC 3424 have not been changed, and it
  is clear to me that TURN has an indefinite lifetime.  So, the first
  two IAB UNSAF criteria cannot realistically be satisfied.  I do not
  want to delay the document, but I do think it should include a
  recognition of this conflict.  I'm happy with an IESG note or text
  in the body of the document.

[Ballot comment]
I understand that other-then-UDP mechanisms for server-peer communications will follow, but I find it confusing that the Introduction discusses client-server TCP and TLS services since the client is presumably actually interested in client-peer delivery. Also that Figure 1 shows a peer behind a NAT and the text comments that some firewalls block UDP entirely.

Would it be helpful to draw out more clearly what deployments and service functions are not possible with the UDP-only variety of TURN? (There is some discussion in section 2.4 of the security of the server-peer data being the protected through encryption or similar.)

[Ballot comment]
In Section 6.2:

  5.  The server checks if the request contains an EVEN-PORT attribute.
      If yes, then the server checks that it satisfy the request.

Missing word: ... that it *can* satisfy ...

IANA questions/comments:

- In sections 11.4-11.6 you define a ChannelData message, but
nowhere do you register it. Do you need to register the
ChannelData in some registry?


Action 1:

Upon approval of this document, IANA will make the following
assignments in the "STUN Methods" registry at
http://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml

Value Name Reference
----- ----- ---------
0x003 Allocate [RFC-behave-turn-12]
0x004 Refresh [RFC-behave-turn-12]
0x006 Send [RFC-behave-turn-12]
0x007 Data [RFC-behave-turn-12]
0x008 CreatePermission [RFC-behave-turn-12]
0x009 ChannelBind [RFC-behave-turn-12]


Action 2:

Upon approval of this document, IANA will make the following
assignments in the "STUN Attributes" registry at
http://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml

Value Name Reference
----- ----- ---------
0x000C CHANNEL-NUMBER [RFC-behave-turn-12]
0x000D LIFETIME [RFC-behave-turn-12]
0x0010 Reserved (was BANDWIDTH) [RFC-behave-turn-12]
0x0012 XOR-PEER-ADDRESS [RFC-behave-turn-12]
0x0013 DATA [RFC-behave-turn-12]
0x0016 XOR-RELAYED-ADDRESS [RFC-behave-turn-12]
0x0018 EVEN-PORT [RFC-behave-turn-12]
0x0019 REQUESTED-TRANSPORT [RFC-behave-turn-12]
0x001A DONT-FRAGMENT [RFC-behave-turn-12]
0x0021 Reserved (was TIMER-VAL) [RFC-behave-turn-12]
0x0022 RESERVATION-TOKEN [RFC-behave-turn-12]


Action 3:

Upon approval of this document, IANA will make the following
assignments in the "STUN Error Codes" registry at
http://www.iana.org/assignments/stun-parameters/stun-parameters.xhtml

Value Name Reference
----- ----- ---------
437 Allocation Mismatch [RFC-behave-turn-12]

441 Wrong Credentials [RFC-behave-turn-12]
442 Unsupported Transport Protocol [RFC-behave-turn-12]

486 Allocation Quota Reached [RFC-behave-turn-12]

508 Insufficient Capacity [RFC-behave-turn-12]


We understand the above to be the only IANA Actions for this document.

  (1.a)  Who is the Document Shepherd for this document?

draft-ietf-behave-turn-12.txt
Dan Wing, dwing@cisco.com

          Has the
          Document Shepherd personally reviewed this version of the
          document and, in particular, does he or she believe this
          version is ready for forwarding to the IESG for publication?

Yes.


  (1.b)  Has the document had adequate review both from key WG members
          and from key non-WG members?  Does the Document Shepherd have
          any concerns about the depth or breadth of the reviews that
          have been performed?

This document has received significant review from the community,
and there are several implementations using this specification.


  (1.c)  Does the Document Shepherd have concerns that the document
          needs more review from a particular or broader perspective,
          e.g., security, operational complexity, someone familiar with
          AAA, internationalization, or XML?

No concerns.


  (1.d)  Does the Document Shepherd have any specific concerns or
          issues with this document that the Responsible Area Director
          and/or the IESG should be aware of?  For example, perhaps he
          or she is uncomfortable with certain parts of the document, or
          has concerns whether there really is a need for it.  In any
          event, if the WG has discussed those issues and has indicated
          that it still wishes to advance the document, detail those
          concerns here.

No concerns.


          Has an IPR disclosure related to this document
          been filed?  If so, please include a reference to the
          disclosure and summarize the WG discussion and conclusion on
          this issue.

Yes, "Nortel Networks Statement about IPR claimed in
draft-rosenberg-midcom-turn-06",
https://datatracker.ietf.org/ipr/505/
http://www.ietf.org/ietf/IPR/nortel-ipr-draft-rosenberg-midcom-turn.txt

There has been no significant working group discussion of this IPR
disclosure.


  (1.e)  How solid is the WG consensus behind this document?

Very solid.

          Does it
          represent the strong concurrence of a few individuals, with
          others being silent, or does the WG as a whole understand and
          agree with it?

The WG has a good understanding of, and agreement with, this document.


  (1.f)  Has anyone threatened an appeal or otherwise indicated extreme
          discontent?  If so, please summarize the areas of conflict in
          separate email messages to the Responsible Area Director.  (It
          should be in a separate email because this questionnaire is
          entered into the ID Tracker.)

No such threats or appeals.


  (1.g)  Has the Document Shepherd personally verified that the
          document satisfies all ID nits?  (See
          http://www.ietf.org/ID-Checklist.html and
          http://tools.ietf.org/tools/idnits/.)


Yes.

          Boilerplate checks are
          not enough; this check needs to be thorough.  Has the document
          met all formal review criteria it needs to, such as the MIB
          Doctor, media type, and URI type reviews? 

The document does not specify a MIB, media type, or URI, and thus
does not need to meet those review criteria.

          If the document
          does not already indicate its intended status at the top of
          the first page, please indicate the intended status here.

Intended Status:  Proposed Standard


  (1.h)  Has the document split its references into normative and
          informative?

Yes.

          Are there normative references to documents that
          are not ready for advancement or are otherwise in an unclear
          state?  If such normative references exist, what is the
          strategy for their completion?  Are there normative references
          that are downward references, as described in [RFC3967]?  If
          so, list these downward references to support the Area
          Director in the Last Call procedure for them [RFC3967].

All normative references are upward references, and all are RFCs.


  (1.i)  Has the Document Shepherd verified that the document's IANA
          Considerations section exists and is consistent with the body
          of the document?

Yes.

          If the document specifies protocol
          extensions, are reservations requested in appropriate IANA
          registries?

Yes.

          Are the IANA registries clearly identified?

Yes.

          If
          the document creates a new registry, does it define the
          proposed initial contents of the registry and an allocation
          procedure for future registrations?

The document does not create a new IANA registry.

          Does it suggest a
          reasonable name for the new registry?  See [RFC2434].  If the
          document describes an Expert Review process, has the Document
          Shepherd conferred with the Responsible Area Director so that
          the IESG can appoint the needed Expert during IESG Evaluation?

  (1.j)  Has the Document Shepherd verified that sections of the
          document that are written in a formal language, such as XML
          code, BNF rules, MIB definitions, etc., validate correctly in
          an automated checker?

The document contains no such formal language.


  (1.k)  The IESG approval announcement includes a Document
          Announcement Write-Up.  Please provide such a Document
          Announcement Write-Up.  Recent examples can be found in the
          "Action" announcements for approved documents.  The approval
          announcement contains the following sections:

          Technical Summary
            Relevant content can frequently be found in the abstract
            and/or introduction of the document.  If not, this may be
            an indication that there are deficiencies in the abstract
            or introduction.


This specification defines a protocol that allows the host to control the
operation of a relay and to exchange packets with its peers using
the relay.  TURN differs from some other relay control protocols in
that it allows a client to communicate with multiple peers using a
single relay address.

The TURN protocol was designed to be used as part of the ICE
(Interactive Connectivity Establishment) approach to NAT traversal,
though it can be also used without ICE.



          Working Group Summary
            Was there anything in the WG process that is worth noting?
            For example, was there controversy about particular points
            or were there decisions where the consensus was
            particularly rough?


No.

          Document Quality
            Are there existing implementations of the protocol?

Yes.

            Have a
            significant number of vendors indicated their plan to
            implement the specification?

Yes.

            Are there any reviewers that
            merit special mention as having done a thorough review,
            e.g., one that resulted in important changes or a
            conclusion that the document had no substantive issues?

They are listed in the document's acknowledgement section


            If
            there was a MIB Doctor, Media Type, or other Expert Review,
            what was its course (briefly)?  In the case of a Media Type
            Review, on what date was the request posted?

No such reviews were necessary.


          Personnel
            Who is the Document Shepherd for this document?

Dan Wing, dwing@cisco.com

            Who is the
            Responsible Area Director?

Magnus Westerlund, magnus.westerlund@ericsson.com


            If the document requires IANA
            experts(s), insert 'The IANA Expert(s) for the registries
            in this document are .'


The document doesn't require IANA experts.