[BEHAVE] errata 4933: RFC 5766 prevent spoofed refresh requests when using short-term credentials

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 16 January 2020 23:11 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: behave@ietfa.amsl.com
Delivered-To: behave@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 9B8781200CC for <behave@ietfa.amsl.com>; Thu, 16 Jan 2020 15:11:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Dq4sCAiPRh6V for <behave@ietfa.amsl.com>; Thu, 16 Jan 2020 15:11:15 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 636C21200BA for <behave@ietf.org>; Thu, 16 Jan 2020 15:11:15 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id CA3CC3897D for <behave@ietf.org>; Thu, 16 Jan 2020 18:10:46 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 8D874D98 for <behave@ietf.org>; Thu, 16 Jan 2020 18:11:14 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "behave\@ietf.org" <behave@ietf.org>
In-Reply-To: <eb6effe49c65b90cf4e6af45b9b701b4f86db608.camel@ericsson.com>
References: <DB7PR07MB4572708BEAC771375AC2AF5395380@DB7PR07MB4572.eurprd07.prod.outlook.com> <20200110123841.GD8801@faui48f.informatik.uni-erlangen.de> <29758.1578671195@localhost> <eb6effe49c65b90cf4e6af45b9b701b4f86db608.camel@ericsson.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Thu, 16 Jan 2020 18:11:14 -0500
Message-ID: <11345.1579216274@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/behave/hw6ETV5Cf47ukNuUVrorNefN3Mk>
Subject: [BEHAVE] errata 4933: RFC 5766 prevent spoofed refresh requests when using short-term credentials
X-BeenThere: behave@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: mailing list of BEHAVE IETF WG <behave.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/behave>, <mailto:behave-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/behave/>
List-Post: <mailto:behave@ietf.org>
List-Help: <mailto:behave-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/behave>, <mailto:behave-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Jan 2020 23:11:18 -0000


    4933> Section 17.3.3 says:

    4933> An attacker might attempt to disrupt service to other users of the
    4933> TURN server by sending Refresh requests or CreatePermission requests
    4933> that (through source address spoofing) appear to be coming from
    4933> another user of the TURN server.  TURN prevents this by requiring
    4933> that the credentials used in CreatePermission, Refresh, and
    4933> ChannelBind messages match those used to create the initial
    4933> allocation.  Thus, the fake requests from the attacker will be
    4933> rejected.
    4933> Notes:

    4933> When using short-term credentials, they expire after a specific amount
    4933> of time (such as 5 minutes) and clients get new credentials. The
    4933> restriction imposed at section 17.3.3 prevents refreshing the
    4933> allocation or permission using the new credentials.

    4933> This RFC approves RFC 5389. So one can use short-term credentials. But
    4933> short-term credentials are useless if they cannot be used to refresh
    4933> an allocation or permission.

    4933> The goal of 17.3.3 can be achieved by sending 438 with the new nonce.

a) I think we should accept this as verified.
b) It seems that sending with the new nonce will work.  This requires some
   text changes, and we can now perhaps use the errata patcher with XML.
   I've asked for the XML (if there is any), and I'll suggest some changes to
   the text.

Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
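To make the two behaviours under discussion concrete, here is a small server-side model of the section 17.3.3 check on Refresh requests. It is added illustration written for this note, not code from the errata, from RFC 5766 or from any TURN implementation. It assumes a simplified MESSAGE-INTEGRITY (HMAC-SHA1 keyed with the short-term password over the attributes the server inspects, rather than over the encoded STUN message), treats the nonce as a per-allocation challenge value the server hands out, and uses constructed usernames, passwords and 5-tuples. In strict mode a Refresh whose credentials differ from the allocation's is rejected with 441 (Wrong Credentials), as the text stands; otherwise it is answered with 438 and a fresh nonce, the errata's proposal. The reason that still blocks source-address spoofing is that the 438 is delivered to the allocation's own address, so only a sender actually reachable there can echo the nonce and have the allocation rebound to its new credentials.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# STUN/TURN error codes used by the model (RFC 5389 and RFC 5766).
UNAUTHORIZED = 401          # MESSAGE-INTEGRITY does not verify
ALLOCATION_MISMATCH = 437   # no allocation for this 5-tuple
STALE_NONCE = 438           # retry with the NONCE carried in this response
WRONG_CREDENTIALS = 441     # credentials differ from those that made the allocation


@dataclass
class Refresh:
    """The parts of a Refresh request the checks below look at (constructed model)."""
    username: str
    nonce: str
    lifetime: int   # 0 asks the server to delete the allocation
    mac: bytes


@dataclass
class Allocation:
    username: str                        # credentials bound to the allocation
    nonce: str
    expires_at: float
    pending_nonce: Optional[str] = None  # challenge sent in a 438, not yet answered


def message_integrity(password: str, username: str, nonce: str, lifetime: int) -> bytes:
    """Simplified stand-in for STUN MESSAGE-INTEGRITY: HMAC-SHA1 keyed with the
    short-term password over the attributes the server checks (assumption: real
    STUN hashes the encoded message, but the shape of the check is the same)."""
    msg = f"{username}|{nonce}|{lifetime}".encode()
    return hmac.new(password.encode(), msg, hashlib.sha1).digest()


class TurnServer:
    def __init__(self, passwords: Dict[str, str], strict_17_3_3: bool, now=time.time):
        # Short-term credentials reach clients out of band (e.g. via signalling);
        # the server holds the same username/password pairs.
        self.passwords = passwords
        self.strict = strict_17_3_3      # True: RFC 5766 section 17.3.3 as written
        self.now = now
        self.allocations: Dict[Tuple, Allocation] = {}

    def allocate(self, five_tuple: Tuple, username: str, lifetime: int) -> str:
        nonce = secrets.token_hex(8)
        self.allocations[five_tuple] = Allocation(username, nonce, self.now() + lifetime)
        return nonce

    def refresh(self, five_tuple: Tuple, req: Refresh) -> Tuple[int, Optional[str]]:
        """Return (status, nonce). The nonce accompanies a 438 and, on the wire,
        goes only to five_tuple's source address, which a spoofer does not hold."""
        alloc = self.allocations.get(five_tuple)
        if alloc is None:
            return ALLOCATION_MISMATCH, None

        password = self.passwords.get(req.username)
        if password is None:
            return UNAUTHORIZED, None
        expected = message_integrity(password, req.username, req.nonce, req.lifetime)
        if not hmac.compare_digest(expected, req.mac):
            return UNAUTHORIZED, None

        if req.username == alloc.username and req.nonce == alloc.nonce:
            self._apply(alloc, five_tuple, req)
            return 200, alloc.nonce

        # Valid credentials, but not the ones bound to this allocation: either a
        # client that rotated to new short-term credentials or a spoofed request.
        if self.strict:
            return WRONG_CREDENTIALS, None

        if alloc.pending_nonce is not None and req.nonce == alloc.pending_nonce:
            # The sender echoed a nonce sent only to the allocation's address, so it
            # is reachable there: rebind the allocation to the new credentials.
            alloc.username, alloc.nonce, alloc.pending_nonce = req.username, req.nonce, None
            self._apply(alloc, five_tuple, req)
            return 200, alloc.nonce

        # The errata's proposal: challenge with 438 and a fresh nonce instead of
        # rejecting outright. A spoofed sender never sees this reply.
        alloc.pending_nonce = secrets.token_hex(8)
        return STALE_NONCE, alloc.pending_nonce

    def _apply(self, alloc: Allocation, five_tuple: Tuple, req: Refresh) -> None:
        if req.lifetime == 0:
            del self.allocations[five_tuple]
        else:
            alloc.expires_at = self.now() + req.lifetime


if __name__ == "__main__":
    srv = TurnServer({"alice": "s3cret", "alice2": "n3wsecret", "mallory": "m"}, False)
    ft = ("10.0.0.5", 50000, "10.0.0.1", 3478, "udp")   # constructed 5-tuple
    n0 = srv.allocate(ft, "alice", 600)
    spoof = Refresh("mallory", n0, 0, message_integrity("m", "mallory", n0, 0))
    print("spoofed teardown ->", srv.refresh(ft, spoof)[0], "allocation kept:", ft in srv.allocations)
    first = Refresh("alice2", n0, 600, message_integrity("n3wsecret", "alice2", n0, 600))
    status, n1 = srv.refresh(ft, first)
    retry = Refresh("alice2", n1, 600, message_integrity("n3wsecret", "alice2", n1, 600))
    print("rotated client ->", status, "then", srv.refresh(ft, retry)[0])
```

Note the remaining gap this model does not close: a spoofer can keep provoking new 438 challenges, each of which overwrites `pending_nonce`, so a legitimate client racing with it may have to retry more than once; a deployment would rate-limit challenges per allocation.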