IETF Logo Mail Archive

Re: [MMUSIC] Updating the pacing of ICE connectivity checks

"Dan Wing" <dwing@cisco.com> Thu, 14 February 2013 23:43 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82D6D21F871C for <mmusic@ietfa.amsl.com>; Thu, 14 Feb 2013 15:43:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.191
X-Spam-Level:
X-Spam-Status: No, score=-110.191 tagged_above=-999 required=5 tests=[AWL=0.408, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OyvBvoiscs67 for <mmusic@ietfa.amsl.com>; Thu, 14 Feb 2013 15:43:22 -0800 (PST)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 9069221F86FC for <mmusic@ietf.org>; Thu, 14 Feb 2013 15:43:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6560; q=dns/txt; s=iport; t=1360885402; x=1362095002; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=SNh4diAv6R9CwAQKnIFsbo8aLTAVzXUKqdvgq46ztkw=; b=Rwtxq6TICuE5CPivSUsSuIu85mm4JFuFjikUk6/NuYYbclvqKPwDuvxV 7NHElbHM0w9z8TL34XQqnNJK773m06CkqkRbzHBOMs39f+Mg6ASKptcwu EBvcxW7kGjbK5x9Bxd0G0eZXPHUcyo0bfgOmSTVPHINq8HS5LcWHwYXRt o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAPh1HVGrRDoJ/2dsb2JhbABFwFYWc4IfAQEBAwEBAQEFAgJiCwUHAQECAgkRBAEBARUSBxkCDB8DAQUIAgQBEgsFh3wFDb0vBI1BBQGBA4M2A4gwNoUhiB2BHY82gyiBSQgX
X-IronPort-AV: E=Sophos;i="4.84,666,1355097600"; d="scan'208";a="69696544"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-3.cisco.com with ESMTP; 14 Feb 2013 23:43:22 +0000
Received: from DWINGWS01 ([10.154.36.85]) by mtv-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r1ENhL04031474; Thu, 14 Feb 2013 23:43:21 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Magnus Westerlund' <magnus.westerlund@ericsson.com>, 'Emil Ivov' <emcho@jitsi.org>
References: <511CEB64.6070306@ericsson.com> <05a401ce0ac6$db547230$91fd5690$@cisco.com> <511D03A7.1060008@ericsson.com> <511D0498.3030909@jitsi.org> <511D07F1.3070808@ericsson.com>
In-Reply-To: <511D07F1.3070808@ericsson.com>
Date: Thu, 14 Feb 2013 15:43:21 -0800
Message-ID: <085d01ce0b0d$12dbfb10$3893f130$@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHEzjPbQxUzVAxWufG5eY2LeHo6PAE3VhFkAl3CtsIB+REApAJspBJ/mEyj09A=
Content-Language: en-us
Cc: 'Ari Keränen' <ari.keranen@ericsson.com>, 'mmusic' <mmusic@ietf.org>
Subject: Re: [MMUSIC] Updating the pacing of ICE connectivity checks
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2013 23:43:23 -0000

> -----Original Message-----
> From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com]
> Sent: Thursday, February 14, 2013 7:51 AM
> To: Emil Ivov
> Cc: Ari Keränen; 'mmusic'; Dan Wing
> Subject: Re: [MMUSIC] Updating the pacing of ICE connectivity checks
> 
> On 2013-02-14 16:36, Emil Ivov wrote:
> > Any idea why there had to be different pacing for RTP and non-RTP
> > flows in the first place?
> 
> I think our arguments where that in the context of a non-congestion
> controlled voice application it would send with 20 ms interval anyway.
> For other transports and protocols it was not obvious for what intended
> environment it would be used. For example a low power network
> application that sends beyond 30 kbps could be problematic. Thus we took
> one of our conservative values from the transport books, i.e. 500 ms.
> 
> I would point out that this is a difficult transport issue. Compared to
> TCP IW10, that burst occurs first after the initial handshake when one
> has actually established that there is a responder.
> 
> With ICE there is a clear issue with an attacker bloating a offer/answer
> with candidates that recreates the voice hammer attack using ICE's STUN
> checks towards a target address or domain.
> 
> Also the STUN checks will have different source address pairs which in
> it self could be an issue for attack prevention firewalls etc.
> 
> Thus I would be careful with speeding up Ta for RTP to much, and I think
> someone needs to fine empiric data that it would work.
> 
> For the the 500 ms that can likely be significantly lowered without any
> issues. But some considerations around the wider usage needs to be taken
> into account.

Most of those concerns are for the ICE connectivity checks (to the remote
peer).  There are different concerns for the initial STUN (and TURN) 
communications to the STUN/TURN servers, which are the communications
that create the NAT (or firewall) mappings.  I noticed the two different
concerns are nicely written in
http://tools.ietf.org/html/rfc5245#appendix-B.1

Question, playing devil's advocate:  is the voice hammer attack (or a
STUN connectivity check hammer attack) worse than a web page full of
HTML IMG tags pointing at a victim's web server, which I believe has
no protection or pacing?  Has such an HTML IMG attack been a real
problem, or do we consider it will be a problem?

-d

> Cheers
> 
> Magnus
> One of the ADs responsible for the pacing in ICE.
> 
> >
> > Emil
> >
> > On 14.02.13, 16:32, Ari Keränen wrote:
> >> On 2/14/13 5:20 PM, Dan Wing wrote:
> >>>> -----Original Message-----
> >>>> From: mmusic-bounces@ietf.org [mailto:mmusic-bounces@ietf.org] On
> >>>> Behalf Of Ari Keränen
> >>>> Sent: Thursday, February 14, 2013 5:49 AM
> >>>> To: mmusic
> >>>> Subject: [MMUSIC] Updating the pacing of ICE connectivity checks
> >>>>
> >>>> Hi all,
> >>>>
> >>>> Updating the pacing parameter, Ta, of ICE for non-RTP traffic (for
> >>>> background, see [1] and [2]), as discussed at the Atlanta meeting,
> >>>> will be one of the important changes in the new version of ICE.
> >>>>
> >>>> Currently the RFC5245 says (for non-RTP traffic) "Ta SHOULD be
> >>>> configurable, SHOULD have a default of 500 ms, and MUST NOT be
> >>>> configurable to be less than 500 ms."
> >>>>
> >>>> This results in very slow pace of starting connectivity checks if
> >>>> ICE is used with non-RTP traffic. With RTP, the Ta is calculated
> >>>> based on the expected bandwidth used by the RTP stream and can be
> down to 20 ms.
> >>>> Therefore, many current implementations apparently ignore the "MUST
> NOT"
> >>>> above and set Ta to something lower.
> >>>
> >>> That would explain failures claimed to justify the desire for
> >>> running over one port.
> >>
> >> Interesting point. Does anyone know what kind of pacing was actually
> >> used when these failures were observed?
> >>
> >>> The 20ms threshold for the initial connectivity checks is because
> >>> some NATs could not create new mappings quickly.  This problems
> >>> appears to persist today, considering that both Chrome and Windows 8
> >>> limit their number of outstanding DNS queries in an apparent attempt
> >>> to work around that very same NAT UDP mapping behavior.
> >>>
> >>> If trying to create NAT mappings with 0ms pacing, it will certainly
> >>> cause NAT mapping failures and force retries.
> >>
> >> Yes, definitely. So we shouldn't go below 20ms with non-RTP either.
> >> Perhaps need to add some more justification/warning text about this
> too.
> >>
> >>>> The quite conservative value of 500 ms was originally chosen
> >>>> because of the fear of congesting the links with the connectivity
> check messages.
> >>>> This is obviously still a valid concern, but would suggesting
> >>>> something lower still make sense? How low would it be reasonably
> >>>> safe to go? What is currently used in practice? Can we come up with
> >>>> a formula similar to RTP (perhaps based on expected bandwidth
> usage)?
> >>>
> >>> A good question for the transport area, which is the origination of
> >>> the suggestion to send ICE connectivity checks paced to not exceed
> >>> the bandwidth of the subsequent media.  Perhaps the arguments that
> >>> TCP
> >>> IW=10 is not harmful could be brought to the party.
> >>
> >> FYI, I forwarded the original mail to the Transport ADs too.
> >>
> >>
> >> Cheers,
> >> Ari
> >>
> >>>>
> >>>> [1] http://tools.ietf.org/html/rfc5245#appendix-B.1
> >>>> [2] http://tools.ietf.org/html/rfc5245#section-16.2
> >>>> _______________________________________________
> >>>> mmusic mailing list
> >>>> mmusic@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/mmusic
> >>>
> >>
> >> _______________________________________________
> >> mmusic mailing list
> >> mmusic@ietf.org
> >> https://www.ietf.org/mailman/listinfo/mmusic
> >>
> >
> 
> 
> --
> 
> Magnus Westerlund
> 
> ----------------------------------------------------------------------
> Multimedia Technologies, Ericsson Research EAB/TVM
> ----------------------------------------------------------------------
> Ericsson AB                | Phone  +46 10 7148287
> Färögatan 6                | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email