Last Call Review of draft-ietf-tram-turn-server-discovery-07
review-ietf-tram-turn-server-discovery-07-secdir-lc-weis-2016-08-19-00

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs
 should treat these comments just like any other last call comments.

I consider this draft to be

Ready with nits.

TURN servers are used to connect devices running Peer-to-Peer applications,
such as real-time communication. Typically these TURN servers are not under a
local network’s administrative control (e.g., the enterprise or ISP hosting the
communicating
 devices. This draft provides a server discovery method to a TURN server that
 is under the administrative control of the local network. There are some
 security and operational advantages to the use of a local TURN server, since
 the local service can tend to keep the real-time communication (or other
 application) messages from leaving the local network. This is useful. The
 methods for auto-discovering local TURN servers discussed in the document
 include DNS Service Resolution, DNS Service Discovery,  and Anycast.

The main security consideration of using using server discovery methods would
seem to be ensuring that an authorized local STUN server has been reached. The
Security Considerations section mentions STUN authentication as OPTIONAL for
“TURN servers
 provided by the local network or by the access network”, but "it is
 RECOMMENDED that the TURN client use one of the following techniques with
 (D)TLS”. When (D)TLS is used, several mechanisms are described whereby the
 client can determine that a STUN server is authorized. The requirements
 language is a bit obscure, but the result is recommending that (D)TLS
 authentication and authorization is used, which is fine.

The Security Considerations section also recommends what a client ought to do
when authenticated (D)TLS isn’t possible. The paragraph just before Section 9.1
contains good advice, but it could be clearer. For example the paragraph
confuses privacy
 goals with the security goal of mitigating on-path injection of spoofed
 packets. I suggest rewording this paragraph with text something like this:

   In some auto-discovery scenarios, it might not be possible for the

   TURN client to use (D)TLS authentication to validate the TURN server.

   However, fall-back to clear text in such cases could leave the TURN

   client open to on-path injection of spoofed TURN messages.

   Instead, a TURN client SHOULD fall-back to encryption-only

   (D)TLS when (D)TLS authentication is not available. Another reason

   to fall-back to encryption-only is for privacy, which is

   analogous to SMTP opportunistic encryption

   [RFC7435]  where one does not require privacy but one desires privacy

   when possible.

   It is suggested that a TURN client attempt (D)TLS with

   authentication and encryption, falling back to encryption-only if the

   TURN server cannot be authenticated via (D)TLS.  The TURN server

   could fall back to clear text if it  does not support unauthenticated (D)TLS,

   but fallback to clear text is NOT RECOMMENDED because it makes

   the client more susceptible to man-in-the-middle attacks and on-path

   packet injection.

The Security Considerations in each of the sub-sections is good as written.

Brian