[Perc] SSRC splicing attach in perc double when MID/BUNDLE is used (i.e. WebRTC)
Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Thu, 21 February 2019 17:57 UTC
To: "perc@ietf.org" <perc@ietf.org>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Date: Thu, 21 Feb 2019 19:02:39 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/K2jFqTwc249dPmk8rRq8H0WVxxI>
The media framework states the following regarding SSRC splicing attacks:

   The splicing attack is an attack where a Media Distributor receiving multiple media sources splices one media stream into the other. If the Media Distributor is able to change the SSRC without the receiver having any method for verifying the original source ID, then the Media Distributor could first deliver stream A and then later forward stream B under the same SSRC as stream A was previously using. By not allowing the Media Distributor to change the SSRC, PERC mitigates this attack.

However, if BUNDLE and MID are used, and there is no SSRC signaling done in SDP, the following RTP demuxing rule from the BUNDLE spec applies:

   If the packet has a MID, and the packet's extended sequence number is greater than that of the last MID update, as discussed in [RFC7941], Section 4.2.6 <https://tools.ietf.org/html/rfc7941#section-4.2.6>, update the MID associated with the RTP stream to match the MID carried in the RTP packet, then update the mapping tables to include an entry that maps the SSRC of that RTP stream to the "m=" section for that MID.

Given that MID is by definition HBH, as it must match the negotiated SDP O/A, the MD could arbitrarily change the MID for an RTP packet and associate it with whatever transceiver it wishes, effectively having the same effect as the SSRC splicing attack (at least in perc double where all participants share the same inner e2e key and there).

Best regards
Sergio
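
The BUNDLE receiver rule quoted in the message above, modelled as an added example (not part of the original post and not code from any RTP stack or the PERC drafts): it shows how the SSRC-to-"m=" mapping follows the MID carried in a packet, and records each binding change so a receiver could review it. The names BundleDemuxer and run_trace, the event labels and the packet trace are assumptions constructed for illustration.

```python
# Added illustration, not code from any RTP stack or from the PERC drafts.
# It models only the BUNDLE rule quoted in the message; packets are constructed.

class BundleDemuxer:
    def __init__(self, negotiated_mids):
        self.negotiated = set(negotiated_mids)  # MIDs from the SDP offer/answer
        self.ssrc_to_mid = {}                   # mapping table: SSRC -> "m=" section
        self.last_update = {}                   # SSRC -> ext. seq of last MID update
        self.events = []                        # binding changes worth reviewing

    def receive(self, ssrc, ext_seq, mid=None):
        """Apply the quoted rule; return the MID the packet is routed to."""
        fresh = ext_seq > self.last_update.get(ssrc, -1)
        if mid in self.negotiated and fresh:
            old = self.ssrc_to_mid.get(ssrc)
            if old is not None and old != mid:
                # The same source moved to another "m=" section.
                self.events.append(("ssrc-rebound", ssrc, old, mid))
            for other, bound in self.ssrc_to_mid.items():
                if bound == mid and other != ssrc:
                    # A second source now feeds a section that already had one.
                    self.events.append(("mid-shared", mid, other, ssrc))
            self.ssrc_to_mid[ssrc] = mid
            self.last_update[ssrc] = ext_seq
        return self.ssrc_to_mid.get(ssrc)


def run_trace():
    """Constructed trace: no SSRCs in SDP, two negotiated sections "0" and "1"."""
    demux = BundleDemuxer(["0", "1"])
    trace = [
        (0xA, 1, "0"),   # stream A announces MID 0
        (0xB, 1, "1"),   # stream B announces MID 1
        (0xA, 2, None),  # A continues without the MID extension
        (0xB, 2, "0"),   # B arrives carrying MID 0 (MID is hop-by-hop)
        (0xB, 1, "1"),   # late packet: older than the last MID update, ignored
    ]
    routes = [demux.receive(*pkt) for pkt in trace]
    return routes, demux.events


if __name__ == "__main__":
    routes, events = run_trace()
    print(routes)
    for event in events:
        print(event)
```

A rebinding event is a signal to review rather than proof of tampering, since the rule itself allows a stream's MID to be updated.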