IETF Logo Mail Archive

Re: [AVTCORE] [R-C] Fwd: I-D Action: draft-perkins-avtcore-rtp-circuit-breakers-00.txt

Colin Perkins <csp@csperkins.org> Wed, 07 March 2012 09:43 UTC

Return-Path: <csp@csperkins.org>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA53221F8792 for <avt@ietfa.amsl.com>; Wed, 7 Mar 2012 01:43:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.879
X-Spam-Level:
X-Spam-Status: No, score=-102.879 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599, J_CHICKENPOX_84=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WRtcEqdnr4su for <avt@ietfa.amsl.com>; Wed, 7 Mar 2012 01:43:54 -0800 (PST)
Received: from lon1-msapost-2.mail.demon.net (lon1-msapost-2.mail.demon.net [195.173.77.181]) by ietfa.amsl.com (Postfix) with ESMTP id E538B21F878E for <avt@ietf.org>; Wed, 7 Mar 2012 01:43:53 -0800 (PST)
Received: from mangole.dcs.gla.ac.uk ([130.209.247.112]) by lon1-post-2.mail.demon.net with esmtpsa (AUTH csperkins-dwh) (TLSv1:AES128-SHA:128) (Exim 4.69) id 1S5DPR-0005ah-aE; Wed, 07 Mar 2012 09:43:49 +0000
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset="iso-8859-1"
From: Colin Perkins <csp@csperkins.org>
In-Reply-To: <4F5728C0.8040803@alvestrand.no>
Date: Wed, 07 Mar 2012 09:43:46 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <88E14028-090E-4482-85F3-863C32647EA0@csperkins.org>
References: <20120305201759.24406.49431.idtracker@ietfa.amsl.com> <766FE318-7DE3-4481-B3C4-C45F2A94C881@csperkins.org> <4F55C25A.9010407@alvestrand.no> <CAEbPqry_wqrj0AHL9cjtYbiDc3xwL_fUoAVg8U91Lo9rkMrFrA@mail.gmail.com> <4F55DE35.6060104@alvestrand.no> <CAEbPqrwmF_cGupn6dX0k_1=Vc+rfO8UJp9689WUEXeE_0ebjNQ@mail.gmail.com> <4F5728C0.8040803@alvestrand.no>
To: Harald Alvestrand <harald@alvestrand.no>
X-Mailer: Apple Mail (2.1257)
Cc: rtp-congestion@alvestrand.no, "avt@ietf.org WG" <avt@ietf.org>
Subject: Re: [AVTCORE] [R-C] Fwd: I-D Action: draft-perkins-avtcore-rtp-circuit-breakers-00.txt
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2012 09:43:55 -0000

On 7 Mar 2012, at 09:22, Harald Alvestrand wrote:

> On 03/06/2012 02:26 PM, Varun Singh wrote:
>> Hi Harald,
>> 
>> Comment inline.
>> 
>> On Tue, Mar 6, 2012 at 11:51, Harald Alvestrand<harald@alvestrand.no>  wrote:
>>> On 03/06/2012 10:21 AM, Varun Singh wrote:
>>>>> Security considerations (missing section): For an end node that
>>>>> implements
>>>>> this specification, an active attacker can cut the transmission by faking
>>>>> two RTCP packets that get accepted instead of the recipient's RTCP
>>>>> packets.
>>>>> This may be worthy of a note, and pointer to appropriate defenses.
>>>> This is a valid attack. However, if we consider no early-feedback (the
>>>> draft currently only follows RFC3550 timing rules) then the attacker's
>>>> second fake report may be ignored by the sender because it is too
>>>> early. Meanwhile, the actual receiver may get to deliver its RTCP RR.
>>>> 
>>>> 
>>>> Example:
>>>> SR               |                          |
>>>>         |                      I
>>>> 
>>>> ----------------------------------------------------------------------------------------------------------->
>>>> time
>>>> RR   |                   F          |              F          |
>>>>    F              F      |
>>>> 
>>>> | are valid SR and RR, F are Fake RTCPs (replaying the last valid RTCP
>>>> report). So, instead of waiting for 3 RTCP reports to arrive the
>>>> sender MUST wait two RTCP intervals?
>>> Yes, I think stating that the sender waits two RTCP intervals before drawing
>>> a conclusion is a reasonable defense against this version of the attack.
>>> 
>>> Another interesting version is what happens if the attacker bumps up the
>>> "highest sequence number received" - the security considerations may want to
>>> say that RRs with a "highest sequence number received" larger than the
>>> highest sequence number sent MAY be part of an attack, so SHOULD be
>>> disregarded.
>> I am not sure if an endpoint reporting a HSN_received larger than the
>> HSN_sent trips any circuit breaker, but if the endpoint doesn't ignore
>> the report then the endpoint may reset its timeout counter.
> What could happen is this:
> 
> Victim receiver:RTCP, HSN(low)
> Attacker: RTCP, HSN(high)
> Victim sender: OK, HSN is (high)
> Victim receiver:RTCP,  HSN(low+some)
> Victim sender: Oops, HSN did not increase
> Victim receiver:RTCP, HSN(low+some+some)
> Victim sener: Oops, HSN did not increase for two RTCP intervals. Shut down.
> 
> One-packet denial of service.
> 
> If HSN is always verified against last-sent, and the report is discarded as erroneous if it is higher than last-sent, this attack cannot occur.


Sure - the Extended Highest Sequence Number received needs to be compared with the sequence numbers being sent. This is also why you can get away with only using two RTCP packets to determine if there's persistent loss: you don't just check that the highest sequence numbers in the packets are non-increasing in isolation, you check that they don't increase to match the sequence number you send. 

Maybe the draft need clarifying on this.


-- 
Colin Perkins
http://csperkins.org/

v2.23.0 | Report a Bug | By Email