Re: [pntaw] More on draft-hutton-rtcweb-nat-firewall-considerations

Oleg Moskalenko <> Tue, 24 September 2013 06:46 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 494AC21F9468 for <>; Mon, 23 Sep 2013 23:46:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.405
X-Spam-Status: No, score=-2.405 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001, SUBJECT_FUZZY_TION=0.156]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id vE4XCn4eT999 for <>; Mon, 23 Sep 2013 23:46:19 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c01::22e]) by (Postfix) with ESMTP id 0E0EB21F9385 for <>; Mon, 23 Sep 2013 23:46:16 -0700 (PDT)
Received: by with SMTP id rq2so4172441pbb.19 for <>; Mon, 23 Sep 2013 23:46:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=tA8HwP7lUNVae3fWgNAUJQlyHNG4h3fgOVPswdwiGXQ=; b=IWv297wZlE8SsH/vZ3DKxBi8oA0jw1LH9qVdCwH6OWm5Ovslljb3OLw5s6ruVSqlJm QfRv9XcXm/y5ltLD0cPSlwR10fdJO0baz0xdBQ18GipPDDbs1ETANTUHBQAk7YyevLG3 7+H66C6bchvdM9eGIjOYdGbswyL0LmzNNeeT62gAzuVEeD+fyyhzx/ON5B4nM2VCVoJw 6jrrV2axuBb7VVkYPT5nEffpQccV9Rc0ZLO+RFF/jifvzRsIAqasbnGhLF7lAOxOKDSw xMROyXJ1y6QO8ImVUeiCrAR1SfWUmAhkDM7eHwE+7N9b63GL76cD+Qlxlr95fPCq2CHs 2atw==
MIME-Version: 1.0
X-Received: by with SMTP id ef4mr3322768pbb.27.1380005174976; Mon, 23 Sep 2013 23:46:14 -0700 (PDT)
Received: by with HTTP; Mon, 23 Sep 2013 23:46:14 -0700 (PDT)
In-Reply-To: <>
References: <>
Date: Mon, 23 Sep 2013 23:46:14 -0700
Message-ID: <>
From: Oleg Moskalenko <>
To: Melinda Shore <>
Content-Type: multipart/alternative; boundary=047d7b6d85f23e28d504e71b7e9a
Cc: "" <>
Subject: Re: [pntaw] More on draft-hutton-rtcweb-nat-firewall-considerations
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Sep 2013 06:46:23 -0000

On Mon, Sep 23, 2013 at 10:02 PM, Melinda Shore <>wrote;wrote:

> I think you really need to be clearer about the distinction
> between NAT and firewall, and that firewalls are policy
> enforcement devices.

this distinction is a sort of academic exercise. I am not sure that
concentrating on that theoretical distinction has much of practical value
in the real world.

> I can give you a long, long list of reasons I don't like
> STUN (and, to a lesser extent, TURN),

For a person who does not "like" STUN and TURN you are dedicating too much
efforts to discussing them.

> but prominent among
> them is that without some sort of application-layer
> authentication it is trivially easy to use it to hijack media
> streams.  All you have to do is send a bogus STUN or
> TURN response with an address of your choosing, since the
> answer is unauthenticated.

TURN responses are always authenticated, if any security mechanism is
chosen. The client must check the integrity-field to authenticate the
response. Only the entity who knows the user password can construct a valid

The only unauthenticated response (usually) is STUN "binding" response.
This is just an implementation convention that it is usually
unauthenticated. Nothing in RFC requires it to be unauthenticated. That's
only a common practice to leave it unauthenticated. For secure
environments, we can always enforce authentication of the BINDING response.

> Using TCP as the TURN
> transport makes an attack more challenging but it doesn't
> eliminate it entirely.  In VoIP scenarios, what they typically
> do is accept the response but then authenticate the
> application traffic, so if they get a bogus response
> the media streams can't be established, anyway.
> So, either think about how to protect against an insertion
> attack, or make it clear that you've got protection
> available at the application layer.

In very secure environments, the short-term authentication TURN mechanism
can be used. Each TURN Send and Data indications are authenticated in that
case. Then no application level authentication is necessary.

TURN is really a neat and clever tool, when you do understand how it works.