Re: [BEHAVE] errata 4933: RFC 5766 prevent spoofed refresh requests when using short-term credentials
"Marc Blanchet" <marc.blanchet@viagenie.ca> Fri, 17 January 2020 00:25 UTC
Return-Path: <marc.blanchet@viagenie.ca>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 3FEE7120099
for <behave@ietfa.amsl.com>; Thu, 16 Jan 2020 16:25:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01]
autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=viagenie-ca.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id 17w6JSsbJd9q for <behave@ietfa.amsl.com>;
Thu, 16 Jan 2020 16:25:38 -0800 (PST)
Received: from mail-qt1-x82d.google.com (mail-qt1-x82d.google.com
[IPv6:2607:f8b0:4864:20::82d])
(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 6F078120059
for <behave@ietf.org>; Thu, 16 Jan 2020 16:25:38 -0800 (PST)
Received: by mail-qt1-x82d.google.com with SMTP id w47so20494305qtk.4
for <behave@ietf.org>; Thu, 16 Jan 2020 16:25:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=viagenie-ca.20150623.gappssmtp.com; s=20150623;
h=from:to:cc:subject:date:message-id:in-reply-to:references
:mime-version; bh=Xwbo1xRcZbhXCBkK7bTAex8pb2zCs3nPuGlGbV5+iG8=;
b=ZZoCQ1SfGk+3AiUobPLGPERGzztjy/Bk7FbrldayM1kcprqX+5gXsRC83nfy+X+o/g
Q5y/WGE7rUlvQu0f+UEbRYykSqE/bgJ6do0ma4L8O1FCQuAu3fjSyTldcavn8lwi/09M
bbn4HALJix1DeyDMtR0biCKMaOyAApiIBESgXNzggSxvBnOjaE/V8Eudl9Lf/J9zxR76
cXrkn6MrJPXaDcd0LqaovzE0KbLhp4oIsfeMqcRv91Fuckj8VVgP47IIr8g1VO/EzeCE
ZHmMzvBraFulDj+tHSHgNzhDnUO1QA+gPw+5m+rK8QMJOTUa/0Ner6etGQpapUotrLud
bWNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
:references:mime-version;
bh=Xwbo1xRcZbhXCBkK7bTAex8pb2zCs3nPuGlGbV5+iG8=;
b=LNYWYZMjTbyW07XBKvhhNmsEXzzwAUp92PJbJhY3d2LOoUQaUp92sPqG7PAhYGeJtd
AKnMBfu438hzCouRusbhlUWueD91D6s8/irWK8BX97PO6Yb6WL6C1z99HUGDPHbVwg9Q
wCTxj3/brJo9BbvvCNNkvNH2pY49TtUY5bfaklpD7gWoexmbyBrEQPZVYhnwjfNsqzxU
0XBXl2u/6Po/APW+aKFAOWzc89h2Sx2AoS5UW9JK7hp1dqHJngrkbiieWoLHvtudTHkr
AE8LLkEbC8pPZj6wveXEMnIKAXWS1Udm94P1JFDAULZ5t2QDoXTj65XJDPGvnjNwdOYQ
s11A==
X-Gm-Message-State: APjAAAWlRiCN+5YKJ02fzDkoseUYoF3Ia5Xn7D+FJ5m5LlSTCltCCcmx
9zI28TtWk/ZC5Yq5rr9Hv/rgbub496c6uQ==
X-Google-Smtp-Source: APXvYqwgsAn87t/J3Y998pZKVkxvhcitsMA0KPllf7To5tFuj7d8sOcAEUfN6vNgfuG7TDaZqcKH+w==
X-Received: by 2002:ac8:1e05:: with SMTP id n5mr5109752qtl.227.1579220737262;
Thu, 16 Jan 2020 16:25:37 -0800 (PST)
Received: from [192.168.1.103] (modemcable016.82-162-184.mc.videotron.ca.
[184.162.82.16])
by smtp.gmail.com with ESMTPSA id x6sm10844148qkh.20.2020.01.16.16.25.35
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Thu, 16 Jan 2020 16:25:36 -0800 (PST)
From: "Marc Blanchet" <marc.blanchet@viagenie.ca>
To: "Michael Richardson" <mcr+ietf@sandelman.ca>
Cc: behave@ietf.org
Date: Thu, 16 Jan 2020 19:25:32 -0500
X-Mailer: MailMate (1.13.1r5671)
Message-ID: <F07DFAFD-7C75-4B76-8B46-A46D3D093340@viagenie.ca>
In-Reply-To: <11345.1579216274@localhost>
References: <DB7PR07MB4572708BEAC771375AC2AF5395380@DB7PR07MB4572.eurprd07.prod.outlook.com>
<20200110123841.GD8801@faui48f.informatik.uni-erlangen.de>
<29758.1578671195@localhost>
<eb6effe49c65b90cf4e6af45b9b701b4f86db608.camel@ericsson.com>
<11345.1579216274@localhost>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/8CbzOE98082OyQjghG-1Vkx78Xw>
Subject: Re: [BEHAVE] errata 4933: RFC 5766 prevent spoofed refresh requests
when using short-term credentials
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>,
<mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>,
<mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2020 00:25:40 -0000
as there is a turn-related working group (tram) alive, I suggest you also post to the tram ml. Marc. On 16 Jan 2020, at 18:11, Michael Richardson wrote: > https://www.rfc-editor.org/errata_search.php?eid=4933 > > 4933> Section 17.3.3 says: > > 4933> An attacker might attempt to disrupt service to other users > of the > 4933> TURN server by sending Refresh requests or CreatePermission > requests > 4933> that (through source address spoofing) appear to be coming > from > 4933> another user of the TURN server. TURN prevents this by > requiring > 4933> that the credentials used in CreatePermission, Refresh, and > 4933> ChannelBind messages match those used to create the initial > 4933> allocation. Thus, the fake requests from the attacker will > be > 4933> rejected. > 4933> Notes: > > 4933> When using short-term, credentials expire after a specific > amount of time > 4933> (such as 5 > 4933> minutes) and clients get new credentials. The restriction > imposed at section > 4933> 17.3.3 > 4933> prevents from refreshing allocation or permission using the > new credentials. > > 4933> This RFC approves RFC 5389. So one can use short-term > credentials. But > 4933> short-term credentials are useless if it can not be used to > refresh > 4933> allocation or permission. > > 4933> The goal of 17.3.3 can be achieved by sending 438 with the > new nonce. > > a) I think we should accept this as verified. > b) It seems that sending with the new nonce will work. This requires > some > text changes, and we can now perhaps use the errata patcher with > XML. > I've asked for the XML (if there is any), and I'll suggest some > changes to > the text. > > -- > Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > _______________________________________________ > Behave mailing list > Behave@ietf.org > https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] Closing the mailing list Magnus Westerlund
- Re: [BEHAVE] Closing the mailing list Toerless Eckert
- Re: [BEHAVE] Closing the mailing list Michael Richardson
- Re: [BEHAVE] Closing the mailing list Dave Thaler
- Re: [BEHAVE] Closing the mailing list Dan Wing
- Re: [BEHAVE] Closing the mailing list Marc Petit-Huguenin
- Re: [BEHAVE] Closing the mailing list Toerless Eckert
- Re: [BEHAVE] Closing the mailing list Rob Evans
- Re: [BEHAVE] Closing the mailing list Toerless Eckert
- Re: [BEHAVE] Closing the mailing list Magnus Westerlund
- Re: [BEHAVE] Closing the mailing list Magnus Westerlund
- Re: [BEHAVE] Closing the mailing list Magnus Westerlund
- Re: [BEHAVE] Closing the mailing list Michael Richardson
- [BEHAVE] errata 4933: RFC 5766 prevent spoofed re… Michael Richardson
- Re: [BEHAVE] errata 4933: RFC 5766 prevent spoofe… Marc Blanchet
- Re: [BEHAVE] errata 4933: RFC 5766 prevent spoofe… Michael Richardson
- Re: [BEHAVE] Closing the mailing list Michael Richardson
- Re: [BEHAVE] errata 4933: RFC 5766 prevent spoofe… Justin Uberti
- Re: [BEHAVE] errata 4933: RFC 5766 prevent spoofe… Magnus Westerlund
- Re: [BEHAVE] errata 4933: RFC 5766 prevent spoofe… Konda, Tirumaleswar Reddy