IETF Logo Mail Archive

Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt

Simon Perreault <simon.perreault@viagenie.ca> Fri, 26 April 2013 08:12 UTC

Return-Path: <simon.perreault@viagenie.ca>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3255821F97F9 for <behave@ietfa.amsl.com>; Fri, 26 Apr 2013 01:12:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c1C+3g7vv5eL for <behave@ietfa.amsl.com>; Fri, 26 Apr 2013 01:12:15 -0700 (PDT)
Received: from jazz.viagenie.ca (jazz.viagenie.ca [IPv6:2620:0:230:8000::2]) by ietfa.amsl.com (Postfix) with ESMTP id DEDAD21F97F6 for <behave@ietf.org>; Fri, 26 Apr 2013 01:12:03 -0700 (PDT)
Received: from porto.nomis80.org (unknown [193.49.160.97]) by jazz.viagenie.ca (Postfix) with ESMTPSA id F3886469B1; Fri, 26 Apr 2013 04:12:02 -0400 (EDT)
Message-ID: <517A36D2.6040504@viagenie.ca>
Date: Fri, 26 Apr 2013 10:12:02 +0200
From: Simon Perreault <simon.perreault@viagenie.ca>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130402 Thunderbird/17.0.5
MIME-Version: 1.0
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
References: <913383AAA69FF945B8F946018B75898A149778C5@xmb-rcd-x10.cisco.com> <5177968F.6050805@viagenie.ca> <913383AAA69FF945B8F946018B75898A14978FF1@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A14978FF1@xmb-rcd-x10.cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: "behave@ietf.org" <behave@ietf.org>
Subject: Re: [BEHAVE] FW: New Version Notification for draft-reddy-behave-turn-auth-00.txt
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/behave>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2013 08:12:17 -0000

Le 2013-04-25 20:44, Tirumaleswar Reddy (tireddy) a écrit :
>> - "TURN authentication" doesn't exist. It's "STUN authentication"
>> that you're talking about. TURN just uses STUN auth.
>
> Yes, TURN uses the authentication mechanism specified in STUN. TURN
> authentication is required because resources will be allocated on the
> TURN server, whereas with STUN there are no resources allocated on
> the STUN server. The STUN server is stateless and is only responding
> to the request from the client. Though both techniques need
> authentication for integrity protection of request and response. But
> there are STUN servers deployed without authentication and if the
> endpoints use DTLS-SRTP then there may not be a problem even if
> man-in-middle device modifies the STUN response.
>
> But TURN servers let's say deployed in DMZ need authentication.

I understand all that, but that's not the point.

The point is that "TURN authentication" does not *exist*. All the 
problems you have identified apply to *STUN* authentication, which is 
defined in the *STUN* RFC.

The fact that the Allocate request is more likely than the Binding 
request to be identified by a server administrator as needing auth 
protection is completely irrelevant, except perhaps in the introduction, 
or an operational considerations section.

>> - In section "4. Problems with TURN Authentication", what's the
>> difference between problems 1 and 2 ?
>
> [TR] Problem 1 seem to be possible even if strong password is used.
> since password does not change frequently, the attacker could keep
> trying a number of candidate passwords. [/TR]

Doesn't that characteristic also apply to problem 2?

>> - About the above: wasn't this all well known and accepted at the
>> time STUN auth was being designed ?
>
> May be the authors of STUN/TURN could answer this question, if these
> attacks were previously discussed or not in WG. If TURN over TLS is
> used it would solve the problem; but it would impact sending media
> over TCP and could introduce delays which are directly noticeable.

DTLS?

>> - I have encountered another problem: it's impossible to host
>> multiple realms on a single IP address. When the server needs to
>> send the REALM attribute in response to an unauthenticated request,
>> it has no useful information for determining which realm it should
>> send, except the destination address of the request. This sucks,
>> IPv4 addresses being not exactly free...
>
> Good point. For web Authentication, destination IP address helps to
> pick different REALM, but with TURN the only information available is
> the Source IP.

Exactly!

I guess (D)TLS would solve that issue with the server_name extension 
[RFC6066].

>> I'm very interested in hearing about any solution you may have in
>> mind...
>
> we are still discussing the solutions, some of them already being
> discussed in PCP WG that needs to be evaluated for TURN are
> EAP-over-TURN, PANA etc.

I don't think we can rely on the PCP stuff also applying to STUN. The 
environments are very different, both on servers and clients.

Anyway, I would appreciate being involved in that discussion.

Thanks,
Simon
-- 
DTN made easy, lean, and smart --> http://postellation.viagenie.ca
NAT64/DNS64 open-source        --> http://ecdysis.viagenie.ca
STUN/TURN server               --> http://numb.viagenie.ca

v2.23.0 | Report a Bug | By Email