IETF Logo Mail Archive

Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Fri, 26 April 2013 13:05 UTC

Return-Path: <tireddy@cisco.com>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE20321F9883 for <behave@ietfa.amsl.com>; Fri, 26 Apr 2013 06:05:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XiMAXLPU0qse for <behave@ietfa.amsl.com>; Fri, 26 Apr 2013 06:05:35 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) by ietfa.amsl.com (Postfix) with ESMTP id 6746721F983F for <behave@ietf.org>; Fri, 26 Apr 2013 06:05:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4862; q=dns/txt; s=iport; t=1366981535; x=1368191135; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=qgXWDDIRSemLrUj576+m84TNZpVkYJNIIMT+tNfweyM=; b=Ob1b3XaoyDX7c26wl56Jo83uBhfcYwz8sLkZwWWHm7BMjMkn85GopX5d EVCdouwCkWu5/5uFw9TdcJaJlBEzDto5SxIfvTbEXgTprlcmLO9lzZU68 PNHreCTu0CpfNpmXJP4vzdX5WPG4N8U0Jwpb1hzN1nJK7yVaD5GES7Mwq Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhgFAG16elGtJV2Z/2dsb2JhbABRgwc2vjSBAxZ0gh8BAQEDASdQAgwEAgEIEQQBAQsODwcyFAgBCAIEDgUIE4dzBr8NjwQxBwYSglVhA4hZj2iPfYFYgTaCKA
X-IronPort-AV: E=Sophos;i="4.87,558,1363132800"; d="scan'208";a="203235463"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-1.cisco.com with ESMTP; 26 Apr 2013 13:05:27 +0000
Received: from xhc-aln-x01.cisco.com (xhc-aln-x01.cisco.com [173.36.12.75]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r3QD5RCv007263 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 26 Apr 2013 13:05:27 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.150]) by xhc-aln-x01.cisco.com ([173.36.12.75]) with mapi id 14.02.0318.004; Fri, 26 Apr 2013 08:05:27 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Simon Perreault <simon.perreault@viagenie.ca>
Thread-Topic: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt
Thread-Index: AQHOQlW91m3CzIDE2Eqi368ZoPAl75joXRjw
Date: Fri, 26 Apr 2013 13:05:26 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A1497986F@xmb-rcd-x10.cisco.com>
References: <913383AAA69FF945B8F946018B75898A149778C5@xmb-rcd-x10.cisco.com> <5177968F.6050805@viagenie.ca> <913383AAA69FF945B8F946018B75898A14978FF1@xmb-rcd-x10.cisco.com> <517A36D2.6040504@viagenie.ca>
In-Reply-To: <517A36D2.6040504@viagenie.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [173.39.65.23]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2013 13:05:36 -0000

> -----Original Message-----
> From: Simon Perreault [mailto:simon.perreault@viagenie.ca]
> Sent: Friday, April 26, 2013 1:42 PM
> To: Tirumaleswar Reddy (tireddy)
> Cc: behave@ietf.org
> Subject: Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-
> turn-auth-00.txt
> 
> Le 2013-04-25 20:44, Tirumaleswar Reddy (tireddy) a écrit :
> >> - "TURN authentication" doesn't exist. It's "STUN authentication"
> >> that you're talking about. TURN just uses STUN auth.
> >
> > Yes, TURN uses the authentication mechanism specified in STUN. TURN
> > authentication is required because resources will be allocated on the
> > TURN server, whereas with STUN there are no resources allocated on
> > the STUN server. The STUN server is stateless and is only responding
> > to the request from the client. Though both techniques need
> > authentication for integrity protection of request and response. But
> > there are STUN servers deployed without authentication and if the
> > endpoints use DTLS-SRTP then there may not be a problem even if
> > man-in-middle device modifies the STUN response.
> >
> > But TURN servers let's say deployed in DMZ need authentication.
> 
> I understand all that, but that's not the point.
> 
> The point is that "TURN authentication" does not *exist*. All the
> problems you have identified apply to *STUN* authentication, which is
> defined in the *STUN* RFC.

Agreed, will update in the next version to say it's a problem with STUN Authentication.

> 
> The fact that the Allocate request is more likely than the Binding
> request to be identified by a server administrator as needing auth
> protection is completely irrelevant, except perhaps in the introduction,
> or an operational considerations section.

Yes, will highlight that point.

> 
> >> - In section "4. Problems with TURN Authentication", what's the
> >> difference between problems 1 and 2 ?
> >
> > [TR] Problem 1 seem to be possible even if strong password is used.
> > since password does not change frequently, the attacker could keep
> > trying a number of candidate passwords. [/TR]
> 
> Doesn't that characteristic also apply to problem 2 ?

Yes it does, Do you want us to merge problem 1 and 2 ?

> 
> >> - About the above: wasn't this all well known and accepted at the
> >> time STUN auth was being designed ?
> >
> > May be the authors of STUN/TURN could answer this question, if these
> > attacks were previously discussed or not in WG. If TURN over TLS is
> > used it would solve the problem; but it would impact sending media
> > over TCP and could introduce delays which are directly noticeable.
> 
> DTLS?

Yes, that is one possibility to use EAP over DTLS and multiplex the channelData also on the same 5-tuple (for fate sharing).
we are yet to evaluate if it works, any problems with multiplexing etc.

> 
> - Problem 4 could also include the REALM attribute, which could be
> snooped and harvested similarly.

Do you have an attack or privacy problem in mind with REALM that we can add ? 

> 
> >> - I have encountered another problem: it's impossible to host
> >> multiple realms on a single IP address. When the server needs to
> >> send the REALM attribute in response to an unauthenticated request,
> >> it has no useful information for determining which realm it should
> >> send, except the destination address of the request. This sucks,
> >> IPv4 addresses being not exactly free...
> >
> > Good point. For web Authentication, destination IP address helps to
> > pick different REALM, but with TURN the only information available is
> > the Source IP.
> 
> Exactly!
> 
> I guess (D)TLS would solve that issue with the server_name extension
> [RFC6066].

Yes, it will solve the problem. will add the problem you mentioned in the next version, so that it will help coming up with a solution.

> 
> >> I'm very interested in hearing about any solution you may have in
> >> mind...
> >
> > we are still discussing the solutions, some of them already being
> > discussed in PCP WG that needs to be evaluated for TURN are
> > EAP-over-TURN, PANA etc.
> 
> I don't think we can rely on the PCP stuff also applying to STUN. The
> environments are very different, both on servers and clients.

Agreed, though there could be some scenarios where PCP capable Firewall and TURN server could be co-located. 

> 
> Anyway, I would appreciate being involved in that discussion.

sure, will be happy to involve you in the discussion.

Regards,
--Tiru.

> 
> Thanks,
> Simon
> --
> DTN made easy, lean, and smart --> http://postellation.viagenie.ca
> NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
> STUN/TURN server               --> http://numb.viagenie.ca

v2.23.0 | Report a Bug | By Email