[AVTCORE] Re: STUN SHA-256 usage in WebRTC (ICE and TURN)
Roman Shpount <roman@telurix.com> Wed, 29 April 2026 16:24 UTC
In-Reply-To: <CADxkKiLYgvD55xnBQCXMVqrzSepkA5VjLshAheCXtg7+G9BHpg@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
Date: Wed, 29 Apr 2026 12:20:56 -0400
Message-ID: <CAD5OKxuc-eadFOG8GgqXa9QyJ6THeoRhR2G=q9vRi0_UEjqmJA@mail.gmail.com>
To: Philipp Hancke <philipp.hancke=40googlemail.com@dmarc.ietf.org>
CC: IETF AVTCore WG <avt@ietf.org>, tsvwg@ietf.org
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/v0Ds6YZSMk6Wknpzb4vZd4InshQ>
It looks like the details of the MESSAGE-INTEGRITY-SHA256 implementation were fully considered. What is described in RFC 8489 is counterproductive. If MESSAGE-INTEGRITY-SHA256 is comprehension-required, including MESSAGE-INTEGRITY also makes STUN messages less secure. It should have been in the comprehension-optional range.

You should also consider the increase in STUN message size. Adding optional MESSAGE-INTEGRITY-SHA256 will result in an extra 32 bytes in each STUN request.

_____________
Roman Shpount

On Wed, Apr 29, 2026 at 3:02 AM Philipp Hancke <philipp.hancke=40googlemail.com@dmarc.ietf.org> wrote:

> (cross-posting between tsvwg and avtcore, we need to decide where it fits)
>
> I recently looked into making WebRTC support sha256 message integrity for
> STUN/ICE.
> My assumption was that this would be fairly trivial: send both sha-1 and
> sha-256 MI attributes, pick the stronger one after initial responses.
> Which is what
> https://www.rfc-editor.org/rfc/rfc5389.html#section-16.3
> describes.
>
> However, RFC 8489, which specifies MI-256
> https://www.rfc-editor.org/rfc/rfc8489#section-14.6
> uses an attribute type 0x1c in the comprehension-required range
> https://www.rfc-editor.org/rfc/rfc8489#section-18.3.2
> which means the sender can not send the attribute to "discover" (without
> risking a rejection and another round trip; nobody likes round trips).
>
> Specifying an ice-option for this seems like a possible solution but I did
> not see any attempt of describing one in the IANA registry:
> https://www.iana.org/assignments/ice/ice.xhtml
>
> I think the same problem applies to TURN. For WebRTC the solution might be
> to add a parameter to the TURN url.
>
> Thoughts?
>
> Philipp
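The two mechanics under discussion (the comprehension-required type of MESSAGE-INTEGRITY-SHA256 and the size it adds) can be shown concretely. The following is an added illustration, not code from this thread or from any WebRTC stack: it builds a STUN Binding request carrying MESSAGE-INTEGRITY (HMAC-SHA1) and optionally MESSAGE-INTEGRITY-SHA256 (HMAC-SHA256, type 0x001C), then shows what a receiver that only knows RFC 5389 attributes would report as unknown comprehension-required, and how a receiver that does understand RFC 8489 picks the SHA-256 attribute when present. It assumes short-term credentials (key is the password, as ICE uses), a constructed set of "RFC 5389 known" attribute types, and my reading of RFC 8489 §14.5/§14.6 that each integrity HMAC covers the message up to the attribute preceding it with the header length field pointing to the end of that integrity attribute.

```python
"""STUN MESSAGE-INTEGRITY vs MESSAGE-INTEGRITY-SHA256: build, classify, verify.
Added example (not from the thread); short-term-credential keys only."""
import hashlib
import hmac
import os
import struct
from typing import Iterator, List, Optional, Set, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008         # RFC 8489 sec. 14.5, comprehension-required
ATTR_MESSAGE_INTEGRITY_SHA256 = 0x001C  # RFC 8489 sec. 14.6, comprehension-required

# Constructed subset of attribute types an RFC 5389-only receiver understands;
# 0x001C is deliberately absent because RFC 5389 predates it.
RFC5389_KNOWN: Set[int] = {0x0001, 0x0006, 0x0008, 0x0009, 0x000A, 0x0014,
                           0x0015, 0x0020, 0x8022, 0x8023, 0x8028}


def tlv(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: 16-bit type, 16-bit length, value padded to 4 bytes."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def header(msg_type: int, length: int, txid: bytes) -> bytes:
    return struct.pack("!HHI", msg_type, length, MAGIC_COOKIE) + txid


def _hmac_input(msg_type: int, txid: bytes, preceding: bytes, mac_len: int) -> bytes:
    """HMAC input: header whose length field points to the end of the integrity
    attribute being computed, followed by all attributes that precede it."""
    return header(msg_type, len(preceding) + 4 + mac_len, txid) + preceding


def build_binding_request(username: str, pwd: str, with_sha256: bool,
                          txid: Optional[bytes] = None) -> bytes:
    txid = txid or os.urandom(12)
    key = pwd.encode()  # short-term credential: the key is the password itself
    body = tlv(ATTR_USERNAME, username.encode())
    mac1 = hmac.new(key, _hmac_input(BINDING_REQUEST, txid, body, 20), hashlib.sha1).digest()
    body += tlv(ATTR_MESSAGE_INTEGRITY, mac1)
    if with_sha256:
        # The SHA-256 HMAC covers everything before it, MESSAGE-INTEGRITY included.
        mac256 = hmac.new(key, _hmac_input(BINDING_REQUEST, txid, body, 32), hashlib.sha256).digest()
        body += tlv(ATTR_MESSAGE_INTEGRITY_SHA256, mac256)
    return header(BINDING_REQUEST, len(body), txid) + body


def parse_attributes(msg: bytes) -> Iterator[Tuple[int, bytes, int]]:
    """Yield (type, value, offset_of_attribute) for each attribute in the message."""
    (length,) = struct.unpack("!H", msg[2:4])
    off = 20
    while off < 20 + length:
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        yield atype, msg[off + 4:off + 4 + alen], off
        off += 4 + alen + (-alen) % 4


def unknown_comprehension_required(msg: bytes, known: Set[int]) -> List[int]:
    """Types in 0x0000-0x7FFF the receiver does not know. RFC 8489 sec. 6.3.1 makes
    these fatal: the request is answered with a 420 (Unknown Attribute) error,
    which is the extra round trip the thread complains about."""
    return [t for t, _, _ in parse_attributes(msg) if t <= 0x7FFF and t not in known]


def verify_integrity(msg: bytes, pwd: str) -> Optional[str]:
    """RFC 8489-aware receiver: if MESSAGE-INTEGRITY-SHA256 is present its result
    decides; otherwise fall back to MESSAGE-INTEGRITY. Returns the algorithm
    that validated, or None if the message should be rejected."""
    key = pwd.encode()
    (msg_type,) = struct.unpack("!H", msg[0:2])
    txid = msg[8:20]
    sha1_ok: Optional[bool] = None
    sha256_ok: Optional[bool] = None
    for atype, value, off in parse_attributes(msg):
        if atype not in (ATTR_MESSAGE_INTEGRITY, ATTR_MESSAGE_INTEGRITY_SHA256):
            continue
        digest = hashlib.sha256 if atype == ATTR_MESSAGE_INTEGRITY_SHA256 else hashlib.sha1
        expected = hmac.new(key, _hmac_input(msg_type, txid, msg[20:off], len(value)), digest).digest()
        ok = hmac.compare_digest(expected[:len(value)], value)  # SHA-256 MAC may be truncated to 16..32 bytes
        if atype == ATTR_MESSAGE_INTEGRITY_SHA256:
            sha256_ok = ok
        else:
            sha1_ok = ok
    if sha256_ok is not None:
        return "sha256" if sha256_ok else None
    return "sha1" if sha1_ok else None


if __name__ == "__main__":
    legacy = build_binding_request("alice", "secret", with_sha256=False)
    both = build_binding_request("alice", "secret", with_sha256=True)
    print("wire growth from adding MESSAGE-INTEGRITY-SHA256:", len(both) - len(legacy), "bytes")
    print("RFC 5389-only receiver would reject for unknown types:",
          [hex(t) for t in unknown_comprehension_required(both, RFC5389_KNOWN)])
    print("RFC 8489 receiver validated with:", verify_integrity(both, "secret"))
```

Two things the run makes visible: the 4-byte attribute header plus the 32-byte HMAC is what lands on the wire per request, and the legacy receiver's 420 list contains exactly 0x001C, so there is no safe "send both and see" probe the way RFC 5389 §16.3 envisaged for SHA-1.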