Re: [MMUSIC] RTP denial of service
Jonathan Rosenberg <jdrosen@dynamicsoft.com> Wed, 16 July 2003 22:39 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA21593 for <mmusic-archive@odin.ietf.org>; Wed, 16 Jul 2003 18:39:46 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19cuvX-00032G-8k for mmusic-archive@odin.ietf.org; Wed, 16 Jul 2003 18:39:11 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h6GMdBmg011664 for mmusic-archive@odin.ietf.org; Wed, 16 Jul 2003 18:39:11 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19cuvX-000323-4P for mmusic-web-archive@optimus.ietf.org; Wed, 16 Jul 2003 18:39:11 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA21549 for <mmusic-web-archive@ietf.org>; Wed, 16 Jul 2003 18:39:04 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19cuvU-0004FD-00 for mmusic-web-archive@ietf.org; Wed, 16 Jul 2003 18:39:08 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19cuvO-0004FA-00 for mmusic-web-archive@ietf.org; Wed, 16 Jul 2003 18:39:02 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19cuvM-0002yv-Rt; Wed, 16 Jul 2003 18:39:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19cuuZ-0002y9-9D for mmusic@optimus.ietf.org; Wed, 16 Jul 2003 18:38:11 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA21528 for <mmusic@ietf.org>; Wed, 16 Jul 2003 18:38:04 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19cuuW-0004Ew-00 for mmusic@ietf.org; Wed, 16 Jul 2003 18:38:08 -0400
Received: from [63.113.44.69] (helo=mail3.dynamicsoft.com) by ietf-mx with esmtp (Exim 4.12) id 19cuuL-0004Er-00 for mmusic@ietf.org; Wed, 16 Jul 2003 18:37:57 -0400
Received: from dynamicsoft.com ([63.113.46.115]) by mail3.dynamicsoft.com (8.12.8/8.12.1) with ESMTP id h6GMbAiB011368; Wed, 16 Jul 2003 18:37:11 -0400 (EDT)
Message-ID: <3F15D390.80506@dynamicsoft.com>
Date: Wed, 16 Jul 2003 18:37:04 -0400
From: Jonathan Rosenberg <jdrosen@dynamicsoft.com>
Organization: dynamicsoft
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
CC: mmusic@ietf.org
Subject: Re: [MMUSIC] RTP denial of service
References: <3F026A96.5000907@dynamicsoft.com> <3F095C79.7070109@ericsson.com>
In-Reply-To: <3F095C79.7070109@ericsson.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: mmusic-admin@ietf.org
Errors-To: mmusic-admin@ietf.org
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sorry for the delay in responding, Magnus. Responses inline. Magnus Westerlund wrote: > Hi Jonathan, > > I have now had time to read your draft. It summaries the problem of the > attack fairly well. However I think one can elaborate a bit more on some > use cases and in relation to NAT traversal. > > First, the problem of destination addresses in combination with NATs > that use multiple addresses. If a NAT would assign different NAT > mappings to different external addresses there is a problem with the > limiting text that RTSP has. This also is present for a single RTP > session where RTP and RTCP will be separate flows. This leads to that > simple limitations can't be used while still NAT traversal or TURN > servers are in use. Yes, I agree. That is a general RTSP issue. > > Secondly the RTCP prevention that you mention in chapter 3 has more > flaws then you describe, but not one of them you describe I would say. OK, well I'm glad we agree even though its for the wrong reasons... > I > don't see a reason to force the sending side to have this stop and go > behaviour you describe. I would more work in the terms of how TFRC > behave, I think. If no RTCP reports are received the sending bit-rate is > throttled back, to almost non existing levels. This will limit the > severity of the attack. However with using many sessions it might still > be possible to achieve enough force amplification. I'm not that familiar with TFRC. How is the initial rate set? That could make a big difference too. > > The flaw you missed in your description of using RTCP as limiting factor > is first that if the attacker directs a RTCP stream to itself and only > the RTP stream to the target, it can simple generate false RTCP reports. Ah - good point. I hadnt thought of that. Normally its not possible, but draft-ietf-mmusic-sdp4nat will allow this. > The senders RTCP reports contains the number of packets sent, which > makes it easy to increase the RTCP receiver reports extended counter. > The initial RTP sequence number are usually transmitted in RTSP's > RTP-Info header. Therefore all necessary information for faking a > perfect reception pattern exist, keeping any congestion control based on > RTCP reports happy. Right. > > Third, the solution space. As you mention an alternative to using STUN > in this requesting mechanism would be to develop a RTP payload format > and RTCP packet type to contain necessary information of granting a > media stream. What may be missing in STUN is the possibility to provide > information about the media stream that the receiver accepts. That information is conveyed in the signaling protocol. Clearly this information is only useful when there is NOT an attack, so the recipient would be privy to the signaling. > > However I don't know if such a solution would be any better. Maybe on > the paper it would have a clearer demultiplexing than between STUN and > RTP. However STUN can be used with any media protocol that can be > differentiated on the first byte, while a RTP/RTCP solution would be > limited to that protocol. Right. > > Fourth, have you looked at what solutions DCCP would provide to this > problem? I think that the session establishment could ensure that the > client accepts the media stream. Yes, I believe it would. However, we have some time to go before that really becomes deployable. > > Fifth, what is the current status of ICE? Can we expect any progress for > ICE within the IETF. We will be discussing this today in mmusic. Yesterday, sipping re-affirmed its desire to move forward with ICE. We agreed that there are really two documents. One is the actual ICE mechanism, which is not sip specific at all. The other is use cases that show how ICE is used with SIP. THe latter will be happening in sipping, as an alternative to the current draft-ietf-sipping-nat-scenarios document. The former, however, appeared to be more of an mmusic issue. So, the sipping group wants mmusic to take ICE as a work item, in fact. > > Sixth, doesn't one need to use STUN with authentication to prevent other > security attacks that based on falsifying STUN responses, even when the > session establisher is not an attacker? Yes, and thats why there is authentication in stun. Mostly the authenticaiton is of the SERVER - the client identity is not that important. Thanks, Jonathan R. -- Jonathan D. Rosenberg, Ph.D. 600 Lanidex Plaza Chief Technology Officer Parsippany, NJ 07054-2711 dynamicsoft jdrosen@dynamicsoft.com FAX: (973) 952-5050 http://www.jdrosen.net PHONE: (973) 952-5000 http://www.dynamicsoft.com _______________________________________________ mmusic mailing list mmusic@ietf.org https://www1.ietf.org/mailman/listinfo/mmusic
- [MMUSIC] RTP denial of service Jonathan Rosenberg
- RE: [MMUSIC] RTP denial of service Hearty, John
- RE: [MMUSIC] RTP denial of service philippe.gentric
- Re: [MMUSIC] RTP denial of service Jonathan Rosenberg
- Re: [MMUSIC] RTP denial of service Jari Arkko
- Re: [MMUSIC] RTP denial of service Magnus Westerlund
- Re: [MMUSIC] RTP denial of service Jonathan Rosenberg
- RE: [MMUSIC] RTP denial of service Thomas Zeng
- Re: [MMUSIC] RTP denial of service Jonathan Rosenberg
- Re: [MMUSIC] RTP denial of service Jonathan Rosenberg