Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then TLS
EKR <ekr@networkresonance.com> Tue, 27 March 2007 13:03 UTC
Return-path: <mmusic-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HWBL5-0003Cb-NS; Tue, 27 Mar 2007 09:03:51 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HWBL4-0003CR-3m for mmusic@ietf.org; Tue, 27 Mar 2007 09:03:50 -0400
Received: from sd-green-bigip-177.dreamhost.com ([208.97.132.177] helo=randymail-a12.g.dreamhost.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HWBL2-0000Yy-RY for mmusic@ietf.org; Tue, 27 Mar 2007 09:03:50 -0400
Received: from delta.rtfm.com (c-71-198-184-110.hsd1.ca.comcast.net [71.198.184.110]) by randymail-a12.g.dreamhost.com (Postfix) with ESMTP id 18C34A8346; Tue, 27 Mar 2007 06:03:48 -0700 (PDT)
Received: from networkresonance.com (localhost.rtfm.com [127.0.0.1]) by delta.rtfm.com (Postfix) with ESMTP id AB26F1CC22; Tue, 27 Mar 2007 06:02:29 -0700 (PDT)
To: Jonathan Rosenberg <jdrosen@cisco.com>
Subject: Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then TLS
In-reply-to: Your message of "Mon, 26 Mar 2007 22:24:49 EDT." <46088071.3020905@cisco.com>
X-Mailer: MH-E 7.4.2; nmh 1.2; XEmacs 21.4 (patch 20)
Date: Tue, 27 Mar 2007 06:02:29 -0700
From: EKR <ekr@networkresonance.com>
Message-Id: <20070327130229.AB26F1CC22@delta.rtfm.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: e1e48a527f609d1be2bc8d8a70eb76cb
Cc: IETF MMUSIC WG <mmusic@ietf.org>
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Errors-To: mmusic-bounces@ietf.org
Jonathan Rosenberg <jdrosen@cisco.com> wrote: > STUN then TLS > ------------- > > + avoids doing TLS handshakes except on connections that are selected by ICE > + consistent with how we are doing DTLS where the STUN is clearly not > protected by SRTP and would happen prior to the DTLS handshaking > - Likely to be really hard to implement since most TLS stacks probably > won't let you interleave data like this Let's examine this question a bit. There are two things you have to do to make this work: 1. Insert a shim layer in between the TLS stack and the network to bypass the STUN. Most stacks I'm familiar with allow this. I know OpenSSL does, as does PureTLS. 2. Demux TLS and STUN. This is relatively easy (see the description in draft-mcgrew-tls-srtp). So, I'm not sure this is that hard to do. > - will lose the TLS protection on STUN itself, introducing possible > framing attacks whereby a MITM modifies the STUN lengths to disrupt > frame sync Not sure I understand this issue. It's of course trivial to DoS a TLS over TCP connection by disrupting its frame sync... > TLS then STUN > ------------- > > + easier to implement > + protects STUN messages > - will do TLS handshake even for candidates that are not selected; but > can you perhaps reuse the TLS session? Probably, though there are race conditions (again, discussed in draft-mcgrew-tls-srtp). -Ekr _______________________________________________ mmusic mailing list mmusic@ietf.org https://www1.ietf.org/mailman/listinfo/mmusic
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Jonathan Lennox
- [MMUSIC] ICE-tcp: TLS then STUN or STUN then TLS Jonathan Rosenberg
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Rémi Denis-Courmont
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … EKR
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Eric Cooper
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Jonathan Rosenberg
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Jonathan Rosenberg
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Jonathan Rosenberg
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Jonathan Rosenberg
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … EKR
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Jonathan Lennox
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Eric Cooper
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Rémi Denis-Courmont
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Adam Roach
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Philip Matthews
- RE: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Dan Wing
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Rémi Denis-Courmont
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Rémi Denis-Courmont
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Jonathan Rosenberg
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Jonathan Rosenberg
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Philip Matthews
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Eric Rescorla
- Re: [MMUSIC] ICE-tcp: TLS then STUN or STUN then … Eric Rescorla