Last Call Review of draft-ietf-tram-stun-origin-05

Request Review of draft-ietf-tram-stun-origin
Requested rev. no specific revision (document currently at 06)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2015-03-17
Requested 2015-03-04
Authors Alan Johnston, Justin Uberti, John Yoakum, Kundan Singh
Draft last updated 2015-03-21
Completed reviews Genart Last Call review of -05 by David Black
Secdir Last Call review of -05 by Tero Kivinen
Opsdir Last Call review of -05 by Tim Chown
Assignment Reviewer David Black
State Completed
Review review-ietf-tram-stun-origin-05-genart-lc-black-2015-03-21
Reviewed rev. 05 (document currently at 06)
Review result Ready with Issues
Review completed: 2015-03-21


I am the assigned Gen-ART reviewer for this draft. For background on
Gen-ART, please see the FAQ at


Please resolve these comments along with any other Last Call comments
you may receive.

Document: draft-ietf-tram-stun-origin-05
Reviewer: David L. Black
Review Date: March 20, 2015
IETF LC End Date: March 17, 2015

Summary: This draft is on the right track, but has open issues
described in the review.

This draft describes the addition of a web origin attribute to STUN and
usage of that attribute in several protocol contexts.  The draft is well-
written and easy to read.  I found one minor issue which may be editorial.

Major issues: None.

Minor issues:

Section 2.7 discusses use of multiple STUN origins with Web RTC and
concludes by imposing a "MUST" requirement on use of multiple STUN
origins with HTTP in general (use first origin, ignore others).  While
Web RTC may be the predominant or only current use of STUN and TURN with
HTTP, this "MUST" could foreclose the use of STUN origins with other
uses of HTTP.  I'm not sure what those possible future uses might be,
but at a minimum this draft ought to more tightly scope its discussion
of use of STUN origins with HTTP to limit that usage to Web RTC.  If
there's a good way for a STUN or TURN server to detect Web RTC usage,
requiring STUN and TURN servers to look for Web RTC as the use of
HTTP, and only impose this "MUST" requirement if Web RTC is detected
would better align that requirement with the discussion in this draft.

Nits/editorial comments:

idnits 2.13.01 turned up a reference problem:

  == Unused Reference: 'RFC7350' is defined on line 490, but no explicit
     reference was found in the text

That RFC should be cited somewhere.  In addition, there are no RFCs cited
or referenced for TLS and DTLS - they should be added (I believe that
RFC 5246 and RFC 6347 are appropriate, respectively). 

David L. Black, Distinguished Engineer
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
Mobile: +1 (978) 394-7754