Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf-behave-turn-11, draft-ietf-behave-turn-ipv6-05)
Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 11 November 2008 10:12 UTC
Return-Path: <behave-bounces@ietf.org>
X-Original-To: behave-archive@optimus.ietf.org
Delivered-To: ietfarch-behave-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2AACD28C154; Tue, 11 Nov 2008 02:12:26 -0800 (PST)
X-Original-To: behave@core3.amsl.com
Delivered-To: behave@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 38E5A28C150 for <behave@core3.amsl.com>; Tue, 11 Nov 2008 02:12:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.649
X-Spam-Level:
X-Spam-Status: No, score=-5.649 tagged_above=-999 required=5 tests=[AWL=-0.600, BAYES_00=-2.599, HELO_EQ_SE=0.35, J_CHICKENPOX_31=0.6, J_CHICKENPOX_91=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WpBk-Ez5cOzs for <behave@core3.amsl.com>; Tue, 11 Nov 2008 02:12:23 -0800 (PST)
Received: from mailgw4.ericsson.se (mailgw4.ericsson.se [193.180.251.62]) by core3.amsl.com (Postfix) with ESMTP id C6C2228C14E for <behave@ietf.org>; Tue, 11 Nov 2008 02:12:22 -0800 (PST)
Received: from mailgw4.ericsson.se (unknown [127.0.0.1]) by mailgw4.ericsson.se (Symantec Mail Security) with ESMTP id 6587B22176; Tue, 11 Nov 2008 11:12:22 +0100 (CET)
X-AuditID: c1b4fb3e-aaf7ebb00000537b-99-49195a868116
Received: from esealmw127.eemea.ericsson.se (unknown [153.88.254.122]) by mailgw4.ericsson.se (Symantec Mail Security) with ESMTP id 1D4A42179D; Tue, 11 Nov 2008 11:12:22 +0100 (CET)
Received: from esealmw127.eemea.ericsson.se ([153.88.254.175]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Tue, 11 Nov 2008 11:12:17 +0100
Received: from [147.214.183.48] ([147.214.183.48]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Tue, 11 Nov 2008 11:12:16 +0100
Message-ID: <49195A80.4070205@ericsson.com>
Date: Tue, 11 Nov 2008 11:12:16 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: Dan Wing <dwing@cisco.com>, draft-ietf-behave-turn@tools.ietf.org
References: <00fb01c9402b$f0b169e0$c3f0200a@cisco.com>
In-Reply-To: <00fb01c9402b$f0b169e0$c3f0200a@cisco.com>
X-Enigmail-Version: 0.95.7
X-OriginalArrivalTime: 11 Nov 2008 10:12:16.0915 (UTC) FILETIME=[F97E5E30:01C943E5]
X-Brightmail-Tracker: AAAAAA==
Cc: 'Behave WG' <behave@ietf.org>
Subject: Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf-behave-turn-11, draft-ietf-behave-turn-ipv6-05)
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: behave-bounces@ietf.org
Errors-To: behave-bounces@ietf.org
Dan Wing skrev: > BEHAVE is initiating working group last call (WGLC) on TURN and TURN-IPv6. > This is the first WGLC for these documents. The WGLC will finish in three > weeks on Friday, November 28. Please send comments to the BEHAVE mailing > list, behave@ietf.org. > > * draft-ietf-behave-turn-11.txt > http://tools.ietf.org/html/draft-ietf-behave-turn-11 Here is my review of the TURN main spec. I have some comments: 1. In figure 2, shouldn't the allocation return a port from the dynamic range? Using the CSlistener port (9000) may be interpreted in this case to have meaning and also don't follow the recommenation. 2. Section 11: Channel data bit-error vulnerability. For stream transport there seems to be a bit-error vulnerability. If an error gets through the internet checksum and strikes the length field then the receiver will become out of synch with the sender and only provide garbage packets. To me it looks like there is no possibility to get into synch other than closing the TCP connection and restart from scratch. This issue seems to belong in the TURN TCP spec but the text here might prevent certain type of solutions. 3. TURN Loop attack: This seems to be a bad attack, but not that simple to perform. Prerequisite for the attack is the following: - Two Turn servers A and B - If the servers require authentication the attacker (C) needs valid credentials on each of them. - C needs to be able to spoof source address of IP/UDP packets - C need to be able to read the response from both servers when sending spoofed request to either of A and B - At least one the TURN servers implement the alternative TTL behavior Attack flow: 1. C->A: Allocation Request (Src=B's server transport address) 2. A->B: Allocation response (C needs allocation address) B receives the response which lacks context. 3. C->B: Allocation Request (Src=A's server transport address) 4. B->A: Allocation Response (C needs allocation address) 5. C->A: Channelbinding request Src=B (Channelnr=X, Peer-address=Allocation on B) 6. C->B: Channelbinding request Src=A (channelnr=X, Peer-address=Allocation on A) 7. C->A: Channeldata with channel nr =X and Src=B If one is allowed to setup this loop then the data packet in step 7 will loop until it is lost or bindings timeout. Due to the following process: 1. arriving at A's server transport address it contains channelnr=X. 2. A sends out the packet without the channelheader to B's relayed address. 3. Packet arrive at B's relayed address 4. Packet sent by B to A's server transport address with a Channel header with channel number X 5. Return to 1 Thus amplification of this attack is in theory infinite but depends on the packet drop rate and that at least one of the TURN server use the alternative TTL behavior. But for a modest continued flow of spoofed data packets and channel and allocation refresh this data loop can maintained at high load for the servers. To me it seems the obvious mitigation to this attack is to disallow the 5-tuple remote IP-address to equal any peer IP address. This will potentially create problems if IP addresses are shared. And it will also fail as mitigation when you have IPv4 and IPv6 capable TURN relays. Because then you have one data leg over IPv4 and one over IPv6 preventing the matching operation to be done. Mitigation would also fail if the TURN server uses multiple IP addresses. Another mitigation for this attack is to have traffic policiers in the the relay that discard unusual high traffic volumes over any allocation. I also found an alternative version of this attack that requires that one guess what the allocation is going to be on one of the servers. In fact if one can guess the allocation and the server doesn't require authorization from the client then this attack can be setup by an off-path attacker. Which seems to be a really serious attack. Should we consider mandating the usage of authorization? As a minimum we need to be clear that this risk exist. I also think we should be clearer on the recommendation for randomization of the port in the allocation. In this case port randomization is reasonably strong. As you need to close the loop for the attack to be effective you need to correctly setup state that include the guess of each TURN server allocation. So for each attempt to build a loop you need to correct guess both ports and then build a channel towards each of the allocation on the other server. So the number of channels needed to be setup on each server becomes N^2. The question here is how big N is and that depends on the TURN servers allocation policy and how hard is it is to guess what possible port number ones allocation gets. 4. Section 12: IPv4 fragmentation field: I think the preferred behavior needs to mention the need to refuse sending a packet if it requires fragmentation and the DF was set on the incoming packet. Which also includes the need to generate an ICMP message. This should never happen in the client to peer direction but may happen in the reverse direction due to the encapsulation. 5. The Don't Fragment mechanism should have a explicit mention that it will not get a ICMP message for the packet, instead it may be lost due to the DF setting. Thus path MTU discovery using this mechanism needs to implement a mechanism like the one in RFC 4821. 6. Section 1: A client using TURN must have some way to communicate the relayed- transport-address to its peers. How this is done is out of the scope of the TURN protocol. One way this might be done is for the client to post the relayed-transport-address up on a web page. Another way is for the client to send an e-mail message containing the relayed- transport-address to its peers. A third way is for the client and its peers to use a special-purpose 'introduction' or 'rendezvous' protocol (see [RFC5128] for more details). I think the first two ways really works. There needs to be a two way communication channel between the TURN client and the Peer. Email would allow for a return channel, but not the webpage. Editorial: E1. Figure 1: Seem to have some remnant of a width checking bar. E2. Section 12, ECN: I think the text should use the names Congestion Experienced (CE), ECN-Capabalt Transport ECT) for the code-points. E3. Section 14.3 and 14.5: Please put in a reference to where XOR-MAPPED-ADDRESS is defined. Cheers Magnus Westerlund IETF Transport Area Director & TSVWG Chair ---------------------------------------------------------------------- Multimedia Technologies, Ericsson Research EAB/TVM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com ---------------------------------------------------------------------- _______________________________________________ Behave mailing list Behave@ietf.org https://www.ietf.org/mailman/listinfo/behave
- [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf-beh… Dan Wing
- Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf… Magnus Westerlund
- Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf… Magnus Westerlund
- Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf… Stephane Bortzmeyer
- Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf… Peter Saint-Andre
- Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf… Philip Matthews
- Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf… Philip Matthews
- Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf… Magnus Westerlund
- Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf… Philip Matthews
- Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf… Magnus Westerlund
- Re: [BEHAVE] WGLC: TURN and TURN-IPv6 (draft-ietf… Gonzalo Camarillo