Re: [MMUSIC] RTSP and NATs
Magnus Westerlund <magnus.westerlund@era.ericsson.se> Fri, 14 February 2003 16:12 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA25841 for <mmusic-archive@odin.ietf.org>; Fri, 14 Feb 2003 11:12:36 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h1EGFNZ04205 for mmusic-archive@odin.ietf.org; Fri, 14 Feb 2003 11:15:23 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1EGFNp04202 for <mmusic-web-archive@optimus.ietf.org>; Fri, 14 Feb 2003 11:15:23 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA25804 for <mmusic-web-archive@ietf.org>; Fri, 14 Feb 2003 11:11:09 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1EGFHp04194; Fri, 14 Feb 2003 11:15:17 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h1EGCap04116 for <mmusic@optimus.ietf.org>; Fri, 14 Feb 2003 11:12:36 -0500
Received: from penguin.wise.edt.ericsson.se (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA25749 for <mmusic@ietf.org>; Fri, 14 Feb 2003 11:08:21 -0500 (EST)
Received: from esealnt613.al.sw.ericsson.se (esealnt613.al.sw.ericsson.se [153.88.254.72]) by penguin.wise.edt.ericsson.se (8.12.1/8.12.1/WIREfire-1.4) with ESMTP id h1EGC6Av026796; Fri, 14 Feb 2003 17:12:06 +0100 (MET)
Received: from era.ericsson.se (research-nnng7k.ki.sw.ericsson.se [147.214.34.46]) by esealnt613.al.sw.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id 18WY13P6; Fri, 14 Feb 2003 17:12:06 +0100
Message-ID: <3E4D1556.2080400@era.ericsson.se>
Date: Fri, 14 Feb 2003 17:12:06 +0100
From: Magnus Westerlund <magnus.westerlund@era.ericsson.se>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: philippe.gentric@philips.com
CC: IETF MMUSIC WG <mmusic@ietf.org>
Subject: Re: [MMUSIC] RTSP and NATs
References: <OF96D727B2.7BD1763E-ONC1256CCD.003A7911-C1256CCD.0051E470@diamond.philips.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: mmusic-admin@ietf.org
Errors-To: mmusic-admin@ietf.org
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Thanks Philippe,

The attack you describe is possible unless we have a way of positively identifying an entity in two ways. First, we must be able to establish the identity of the host that is located at the given media destination IP address/port. Secondly, that host must be able to prove that it is that entity.

In slightly more detail: when a client asks the server to send media to a given destination, the server must be able to get a globally unique identifier of the destination from a trusted party. Then the server uses this global identifier in the security challenge to the destination. The destination answers the challenge and proves that it is really the given entity.

The first step, getting a global host identity based on IP, will never work with a NATed address. It seems to be possible to make it work when you use a public IP address. Basically, any NAT traversal mechanism will allow for an attack by a man in the middle, see:
http://www.ietf.org/internet-drafts/draft-dupont-transient-pseudonat-01.txt

In fact, today's RTSP is definitely not safe against man-in-the-middle attacks. The man in the middle must only be able to receive the server's response to the SETUP request to get the session ID. Then it can control the server from any place by simply spoofing the sender address to that of the target. If you use TCP, the attacker must be able to receive the TCP flow's response. That is all it takes to use RTSP as a DoS tool.

Best Regards

Magnus Westerlund

philippe.gentric@philips.com wrote:
> Magnus you write:
>
>> By having the receiver sign the message going from client
>> to server with keys that are transported through other ways we can
>> ensure that no other than the intended receiver can verify that it
>> agrees. This makes it possible to protect also against man in the middle
>> attacks. It will of course require secure RTSP signaling.
>
> I don't see how a "secure RTSP session" solves the case I was thinking about, which is:
>
> your server thinks that the client is behind a NAT,
> because the IP addresses for RTSP and RTP are different,
> but in fact that client is a Bad Guy who wants to induce
> your server to flood someone else.
>
> If Mr Bad Guy is also a man-in-the-middle you are in real trouble because:
>
> 1) your attacker is initiating that RTSP session so
>
> A) your server cannot trust "a different IP address" indicated in that session, even if the session is TLS-ized!
>
> B) you cannot use that session to convey crypto stuff for a separate UDP challenge either because:
>
> 2) this guy is also a man-in-the-middle who can trap/spoof UDP traffic,
> i.e. a challenge/response at that "different IP address".
>
> I don't know how to solve that one (help security experts?)
>
> regards,
>
> Philippe Gentric
> Software Architect
> Philips MP4Net
> "philippe dot gentric at philips dot com"
> http://www.platform4.philips.com

-- 
Magnus Westerlund
Multimedia Technologies, Ericsson Research ERA/TVA/A
----------------------------------------------------------------------
Ericsson AB                | Phone +46 8 4048287
Torshamsgatan 23           | Fax   +46 8 7575550
S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@era.ericsson.se

_______________________________________________
mmusic mailing list
mmusic@ietf.org
https://www1.ietf.org/mailman/listinfo/mmusic
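The two points in Magnus's message above, as an added toy model that is not code from the thread or from any RTSP implementation: first, a server that authorizes PLAY by Session ID alone, so anyone who saw the SETUP reply can drive it from any sender address and point media at a third party; second, the challenge toward the media destination, which the man in the middle can trap but cannot answer without the destination's key. The message formats, the in-memory session table, the HMAC-SHA256 response, and the two dicts standing in for the "trusted party" are all assumptions made for this illustration; addresses and keys are constructed.

```python
"""Toy model (added example, not from the thread): RTSP PLAY authorized by
Session ID only, and an assumed challenge/response toward the media
destination that blocks streaming to a host that never agreed to receive."""
import hashlib
import hmac
import secrets


def expected_response(key, nonce, session_id, destination):
    """Answer the destination is expected to compute (assumed construction)."""
    msg = nonce + session_id.encode() + destination.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class RtspServer:
    def __init__(self, require_destination_proof):
        self.sessions = {}                 # Session ID -> session state
        self.require_proof = require_destination_proof
        self.sent_to = []                  # destinations the server actually streamed to
        self.identity_of = {}              # destination address -> global identity
        self.trusted_keys = {}             # global identity -> key ("from a trusted party")

    def setup(self, src, destination):
        """SETUP: record the requested media destination, hand out a Session ID."""
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"destination": destination, "nonce": None, "proven": False}
        return (f"RTSP/1.0 200 OK\r\nSession: {sid}\r\n"
                f"Transport: RTP/AVP;unicast;destination={destination}\r\n\r\n")

    def play(self, src, session_id):
        """PLAY: authorized by Session ID only; `src` is deliberately never consulted."""
        s = self.sessions.get(session_id)
        if s is None:
            return "RTSP/1.0 454 Session Not Found\r\n\r\n"
        if self.require_proof and not s["proven"]:
            return "RTSP/1.0 403 Forbidden\r\n\r\n"
        self.sent_to.append(s["destination"])
        return "RTSP/1.0 200 OK\r\n\r\n"

    def challenge(self, session_id):
        """Fresh nonce sent toward the media destination (transport not modelled)."""
        nonce = secrets.token_bytes(16)
        self.sessions[session_id]["nonce"] = nonce
        return nonce

    def verify(self, session_id, response):
        """Check the destination's answer against the key of its global identity."""
        s = self.sessions[session_id]
        key = self.trusted_keys.get(self.identity_of.get(s["destination"]))
        if key is None or s["nonce"] is None:
            return False
        expected = expected_response(key, s["nonce"], session_id, s["destination"])
        s["proven"] = hmac.compare_digest(expected, response)
        s["nonce"] = None                  # one answer per challenge
        return s["proven"]


def parse_session_id(reply):
    for line in reply.split("\r\n"):
        if line.startswith("Session:"):
            return line.split(":", 1)[1].strip()
    return None


DEST = "203.0.113.5"      # constructed media destination; in the attack it never asked for media
CLIENT = "198.51.100.7"   # constructed RTSP client address
OTHER = "192.0.2.99"      # constructed address the attacker sends PLAY from


def hijack_without_proof():
    """Attacker saw the SETUP reply; PLAY from another sender is accepted, DEST gets flooded."""
    server = RtspServer(require_destination_proof=False)
    sid = parse_session_id(server.setup(src=CLIENT, destination=DEST))
    accepted = server.play(src=OTHER, session_id=sid).startswith("RTSP/1.0 200")
    return accepted, server.sent_to


def _server_with_trusted_party():
    server = RtspServer(require_destination_proof=True)
    server.identity_of[DEST] = "receiver.example"
    server.trusted_keys["receiver.example"] = b"receiver-key"
    return server


def hijack_with_proof():
    """Man in the middle traps the nonce but lacks the key: PLAY refused, nothing sent."""
    server = _server_with_trusted_party()
    sid = parse_session_id(server.setup(src=CLIENT, destination=DEST))
    nonce = server.challenge(sid)
    server.verify(sid, expected_response(b"attacker-key", nonce, sid, DEST))
    accepted = server.play(src=OTHER, session_id=sid).startswith("RTSP/1.0 200")
    return accepted, server.sent_to


def legitimate_with_proof():
    """The real receiver answers with its own key, so media flows as intended."""
    server = _server_with_trusted_party()
    sid = parse_session_id(server.setup(src=CLIENT, destination=DEST))
    nonce = server.challenge(sid)
    server.verify(sid, expected_response(b"receiver-key", nonce, sid, DEST))
    accepted = server.play(src=CLIENT, session_id=sid).startswith("RTSP/1.0 200")
    return accepted, server.sent_to
```

The model leaves out what the thread is really arguing over: where the key for `receiver.example` comes from, and how the server maps a NATed address to a global identity at all. Magnus's point is that `identity_of` cannot be filled in for an address behind a NAT, which is why the check only helps when the destination has a public address and a key that reached the server by some path the man in the middle does not control.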
- [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Jonathan Rosenberg
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Colin Perkins
- Re: [MMUSIC] RTSP and NATs Jonathan Rosenberg
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Jonathan Rosenberg
- Re: [MMUSIC] RTSP and NATs Tom Marshall
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund
- Re: [MMUSIC] RTSP and NATs philippe.gentric
- Re: [MMUSIC] RTSP and NATs Magnus Westerlund