Re: [MMUSIC] Updating the pacing of ICE connectivity checks
"Dan Wing" <dwing@cisco.com> Thu, 14 February 2013 23:43 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82D6D21F871C for <mmusic@ietfa.amsl.com>; Thu, 14 Feb 2013 15:43:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.191
X-Spam-Level:
X-Spam-Status: No, score=-110.191 tagged_above=-999 required=5 tests=[AWL=0.408, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OyvBvoiscs67 for <mmusic@ietfa.amsl.com>; Thu, 14 Feb 2013 15:43:22 -0800 (PST)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 9069221F86FC for <mmusic@ietf.org>; Thu, 14 Feb 2013 15:43:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6560; q=dns/txt; s=iport; t=1360885402; x=1362095002; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=SNh4diAv6R9CwAQKnIFsbo8aLTAVzXUKqdvgq46ztkw=; b=Rwtxq6TICuE5CPivSUsSuIu85mm4JFuFjikUk6/NuYYbclvqKPwDuvxV 7NHElbHM0w9z8TL34XQqnNJK773m06CkqkRbzHBOMs39f+Mg6ASKptcwu EBvcxW7kGjbK5x9Bxd0G0eZXPHUcyo0bfgOmSTVPHINq8HS5LcWHwYXRt o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAPh1HVGrRDoJ/2dsb2JhbABFwFYWc4IfAQEBAwEBAQEFAgJiCwUHAQECAgkRBAEBARUSBxkCDB8DAQUIAgQBEgsFh3wFDb0vBI1BBQGBA4M2A4gwNoUhiB2BHY82gyiBSQgX
X-IronPort-AV: E=Sophos;i="4.84,666,1355097600"; d="scan'208";a="69696544"
Received: from mtv-core-4.cisco.com ([171.68.58.9]) by mtv-iport-3.cisco.com with ESMTP; 14 Feb 2013 23:43:22 +0000
Received: from DWINGWS01 ([10.154.36.85]) by mtv-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r1ENhL04031474; Thu, 14 Feb 2013 23:43:21 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Magnus Westerlund' <magnus.westerlund@ericsson.com>, 'Emil Ivov' <emcho@jitsi.org>
References: <511CEB64.6070306@ericsson.com> <05a401ce0ac6$db547230$91fd5690$@cisco.com> <511D03A7.1060008@ericsson.com> <511D0498.3030909@jitsi.org> <511D07F1.3070808@ericsson.com>
In-Reply-To: <511D07F1.3070808@ericsson.com>
Date: Thu, 14 Feb 2013 15:43:21 -0800
Message-ID: <085d01ce0b0d$12dbfb10$3893f130$@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQHEzjPbQxUzVAxWufG5eY2LeHo6PAE3VhFkAl3CtsIB+REApAJspBJ/mEyj09A=
Content-Language: en-us
Cc: 'Ari Keränen' <ari.keranen@ericsson.com>, 'mmusic' <mmusic@ietf.org>
Subject: Re: [MMUSIC] Updating the pacing of ICE connectivity checks
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Feb 2013 23:43:23 -0000
> -----Original Message----- > From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com] > Sent: Thursday, February 14, 2013 7:51 AM > To: Emil Ivov > Cc: Ari Keränen; 'mmusic'; Dan Wing > Subject: Re: [MMUSIC] Updating the pacing of ICE connectivity checks > > On 2013-02-14 16:36, Emil Ivov wrote: > > Any idea why there had to be different pacing for RTP and non-RTP > > flows in the first place? > > I think our arguments where that in the context of a non-congestion > controlled voice application it would send with 20 ms interval anyway. > For other transports and protocols it was not obvious for what intended > environment it would be used. For example a low power network > application that sends beyond 30 kbps could be problematic. Thus we took > one of our conservative values from the transport books, i.e. 500 ms. > > I would point out that this is a difficult transport issue. Compared to > TCP IW10, that burst occurs first after the initial handshake when one > has actually established that there is a responder. > > With ICE there is a clear issue with an attacker bloating a offer/answer > with candidates that recreates the voice hammer attack using ICE's STUN > checks towards a target address or domain. > > Also the STUN checks will have different source address pairs which in > it self could be an issue for attack prevention firewalls etc. > > Thus I would be careful with speeding up Ta for RTP to much, and I think > someone needs to fine empiric data that it would work. > > For the the 500 ms that can likely be significantly lowered without any > issues. But some considerations around the wider usage needs to be taken > into account. Most of those concerns are for the ICE connectivity checks (to the remote peer). There are different concerns for the initial STUN (and TURN) communications to the STUN/TURN servers, which are the communications that create the NAT (or firewall) mappings. I noticed the two different concerns are nicely written in http://tools.ietf.org/html/rfc5245#appendix-B.1 Question, playing devil's advocate: is the voice hammer attack (or a STUN connectivity check hammer attack) worse than a web page full of HTML IMG tags pointing at a victim's web server, which I believe has no protection or pacing? Has such an HTML IMG attack been a real problem, or do we consider it will be a problem? -d > Cheers > > Magnus > One of the ADs responsible for the pacing in ICE. > > > > > Emil > > > > On 14.02.13, 16:32, Ari Keränen wrote: > >> On 2/14/13 5:20 PM, Dan Wing wrote: > >>>> -----Original Message----- > >>>> From: mmusic-bounces@ietf.org [mailto:mmusic-bounces@ietf.org] On > >>>> Behalf Of Ari Keränen > >>>> Sent: Thursday, February 14, 2013 5:49 AM > >>>> To: mmusic > >>>> Subject: [MMUSIC] Updating the pacing of ICE connectivity checks > >>>> > >>>> Hi all, > >>>> > >>>> Updating the pacing parameter, Ta, of ICE for non-RTP traffic (for > >>>> background, see [1] and [2]), as discussed at the Atlanta meeting, > >>>> will be one of the important changes in the new version of ICE. > >>>> > >>>> Currently the RFC5245 says (for non-RTP traffic) "Ta SHOULD be > >>>> configurable, SHOULD have a default of 500 ms, and MUST NOT be > >>>> configurable to be less than 500 ms." > >>>> > >>>> This results in very slow pace of starting connectivity checks if > >>>> ICE is used with non-RTP traffic. With RTP, the Ta is calculated > >>>> based on the expected bandwidth used by the RTP stream and can be > down to 20 ms. > >>>> Therefore, many current implementations apparently ignore the "MUST > NOT" > >>>> above and set Ta to something lower. > >>> > >>> That would explain failures claimed to justify the desire for > >>> running over one port. > >> > >> Interesting point. Does anyone know what kind of pacing was actually > >> used when these failures were observed? > >> > >>> The 20ms threshold for the initial connectivity checks is because > >>> some NATs could not create new mappings quickly. This problems > >>> appears to persist today, considering that both Chrome and Windows 8 > >>> limit their number of outstanding DNS queries in an apparent attempt > >>> to work around that very same NAT UDP mapping behavior. > >>> > >>> If trying to create NAT mappings with 0ms pacing, it will certainly > >>> cause NAT mapping failures and force retries. > >> > >> Yes, definitely. So we shouldn't go below 20ms with non-RTP either. > >> Perhaps need to add some more justification/warning text about this > too. > >> > >>>> The quite conservative value of 500 ms was originally chosen > >>>> because of the fear of congesting the links with the connectivity > check messages. > >>>> This is obviously still a valid concern, but would suggesting > >>>> something lower still make sense? How low would it be reasonably > >>>> safe to go? What is currently used in practice? Can we come up with > >>>> a formula similar to RTP (perhaps based on expected bandwidth > usage)? > >>> > >>> A good question for the transport area, which is the origination of > >>> the suggestion to send ICE connectivity checks paced to not exceed > >>> the bandwidth of the subsequent media. Perhaps the arguments that > >>> TCP > >>> IW=10 is not harmful could be brought to the party. > >> > >> FYI, I forwarded the original mail to the Transport ADs too. > >> > >> > >> Cheers, > >> Ari > >> > >>>> > >>>> [1] http://tools.ietf.org/html/rfc5245#appendix-B.1 > >>>> [2] http://tools.ietf.org/html/rfc5245#section-16.2 > >>>> _______________________________________________ > >>>> mmusic mailing list > >>>> mmusic@ietf.org > >>>> https://www.ietf.org/mailman/listinfo/mmusic > >>> > >> > >> _______________________________________________ > >> mmusic mailing list > >> mmusic@ietf.org > >> https://www.ietf.org/mailman/listinfo/mmusic > >> > > > > > -- > > Magnus Westerlund > > ---------------------------------------------------------------------- > Multimedia Technologies, Ericsson Research EAB/TVM > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 10 7148287 > Färögatan 6 | Mobile +46 73 0949079 > SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com > ----------------------------------------------------------------------
- [MMUSIC] Updating the pacing of ICE connectivity … Ari Keränen
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Dan Wing
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Ari Keränen
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Emil Ivov
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Ari Keränen
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Magnus Westerlund
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Ari Keränen
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Emil Ivov
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Dan Wing
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Matthew Kaufman
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Dan Wing
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Dale R. Worley
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Gonzalo Camarillo
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Emil Ivov
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Pal Martinsen (palmarti)
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Dan Wing
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Martin Thomson
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Cullen Jennings (fluffy)
- Re: [MMUSIC] Updating the pacing of ICE connectiv… Ari Keränen