Re: [BEHAVE] errata 4933: RFC 5766 prevent spoofed refresh requests when using short-term credentials

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 17 January 2020 01:26 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F14E120059; Thu, 16 Jan 2020 17:26:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RsK2lfpOTHj3; Thu, 16 Jan 2020 17:26:54 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FFE512004A; Thu, 16 Jan 2020 17:26:53 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id C5EF33897D; Thu, 16 Jan 2020 20:26:24 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 8C417E7F; Thu, 16 Jan 2020 20:26:52 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
to: tram@ietf.org, behave@ietf.org
In-Reply-To: <11345.1579216274@localhost>
References: <DB7PR07MB4572708BEAC771375AC2AF5395380@DB7PR07MB4572.eurprd07.prod.outlook.com> <20200110123841.GD8801@faui48f.informatik.uni-erlangen.de> <29758.1578671195@localhost> <eb6effe49c65b90cf4e6af45b9b701b4f86db608.camel@ericsson.com> <11345.1579216274@localhost>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Thu, 16 Jan 2020 20:26:52 -0500
Message-ID: <12509.1579224412@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/WhoecMTIuYEpDDi7jswjGtqSpa8>
Subject: Re: [BEHAVE] errata 4933: RFC 5766 prevent spoofed refresh requests when using short-term credentials
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Jan 2020 01:26:56 -0000

https://www.rfc-editor.org/errata_search.php?eid=4933

    4933> Section 17.3.3 says:

    4933> An attacker might attempt to disrupt service to other users of the
    4933> TURN server by sending Refresh requests or CreatePermission requests
    4933> that (through source address spoofing) appear to be coming from
    4933> another user of the TURN server.  TURN prevents this by requiring
    4933> that the credentials used in CreatePermission, Refresh, and
    4933> ChannelBind messages match those used to create the initial
    4933> allocation.  Thus, the fake requests from the attacker will be
    4933> rejected.
    4933> Notes:

    4933> When using short-term, credentials expire after a specific amount of time
    4933> (such as 5
    4933> minutes) and clients get new credentials. The restriction imposed at section
    4933> 17.3.3
    4933> prevents from refreshing allocation or permission using the new credentials.

    4933> This RFC approves RFC 5389. So one can use short-term credentials. But
    4933> short-term credentials are useless if it can not be used to refresh
    4933> allocation or permission.

    4933> The goal of 17.3.3 can be achieved by sending 438 with the new nonce.

a) I think we should accept this as verified.
b) It seems that sending with the new nonce will work.  This requires some
   text changes, and we can now perhaps use the errata patcher with XML.
   I've asked for the XML (if there is any), and I'll suggest some changes to
   the text.

--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-




--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-