Re: [pntaw] More on draft-hutton-rtcweb-nat-firewall-considerations

Dan Wing <> Tue, 24 September 2013 15:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 92FFC11E813A for <>; Tue, 24 Sep 2013 08:38:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -110.647
X-Spam-Status: No, score=-110.647 tagged_above=-999 required=5 tests=[AWL=-0.204, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SUBJECT_FUZZY_TION=0.156, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id WgbXgr+DmWjd for <>; Tue, 24 Sep 2013 08:38:03 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 9F7EA11E8138 for <>; Tue, 24 Sep 2013 08:38:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=4389; q=dns/txt; s=iport; t=1380037081; x=1381246681; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=Pmg/uRy7NpZFqodbBAZqLjKzr2oKCLF/FMQmPpWVOOM=; b=hbSRWYT0WekHORstVTbWeG+RIfuhBHoYLtNFDJaGJZwygM5iJNMSoZM5 g0WkN3k6Wz47R9pIKMKdyy40N5ibeaownSJrjhHpBCHdZRt89ttYBdcH+ NEJukDuCAuE87Ke9qTv/Nqm85W7bE4Ynk2CeY7u8dkGesITTe4G1AdH1Y s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.90,971,1371081600"; d="scan'208";a="92965039"
Received: from ([]) by with ESMTP; 24 Sep 2013 15:38:01 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id r8OFc0xI028529; Tue, 24 Sep 2013 15:38:00 GMT
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Dan Wing <>
In-Reply-To: <>
Date: Tue, 24 Sep 2013 08:38:58 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Melinda Shore <>
X-Mailer: Apple Mail (2.1508)
Cc: "" <>
Subject: Re: [pntaw] More on draft-hutton-rtcweb-nat-firewall-considerations
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Sep 2013 15:38:08 -0000

On Sep 23, 2013, at 10:02 PM, Melinda Shore <> wrote:

> I think you really need to be clearer about the distinction
> between NAT and firewall, and that firewalls are policy
> enforcement devices.  NATs arguably are (address policy)
> but to the extent they're deployed as access control
> mechanisms that function is incidental to their design.
> This matters a lot when you're talking about ICE, since
> it was designed as a *NAT* traversal mechanism, not a
> firewall traversal mechanism.  There's been a long history
> of highly contentious middlebox work in the IETF and
> it's probably better to address those questions sooner
> rather than later, as I think they're bound to come up.
> So, you're extending ICE to firewall traversal, because
> ... ?
> In particular I'd put some text in section 1 addressing
> the difference between NATs and firewalls, the policy
> enforcement role of firewalls, that it is explicitly
> not the intention of this draft to propose a mechanism
> for violating local firewall policy, and that you recognize
> a need to give the network administrator control over
> what does and does not enter their network.  That said,
> if they do wish to allow WebRTC traffic, this is how to
> do it.  I think that will help fend off irritating questions
> from people like, say, me.
> I think there's probably a lot more that can be said about
> addressing and policy, particularly around authenticity, but
> I'm going to save that for after having re-read the WebRTC
> documents.  But I'd like to skip ahead to the security
> considerations section, because that's really critically
> important and can't be left empty (to be honest I'm considering
> proposing to my own working group and others that we not
> adopt any working group draft that has an empty security
> considerations section - it's a big problem).
> I think there are two broad classes of security issues here:
> 1) the security of the mechanism itself, and
> 2) security in the context of the environment
> In this case the two are not cleanly separable, to the
> extent that presumably the reason for subverting the
> security of a WebRTC traversal mechanism would be to
> compromise the firewall (with one prominent exception, which
> I'll get to below).
> As I mentioned in previous email, you cannot allow the
> WebRTC firewall traversal technology to be subverted
> to allow "unauthorized" pinholing.  This is kind of a
> messy problem, since it can involve port numbers (which
> doesn't apply in the creation of real-time media
> streams), stateful traffic inspection (which doesn't
> work in the presence of encrypted signaling traffic),
> and so on.  It *may* be the case that there's an authoritative,
> trusted entity somewhere in the application architecture
> that can make authoritative statements about what's
> allowed, and you could leverage a third-party mechanism
> like OAuth if you can live with the added latency.
> I can give you a long, long list of reasons I don't like
> STUN (and, to a lesser extent, TURN), but prominent among
> them is that without some sort of application-layer
> authentication it is trivially easy to use it to hijack media
> streams.  All you have to do is send a bogus STUN or
> TURN response with an address of your choosing, since the
> answer is unauthenticated.  

* The bogus response has to match STUN's 96-bit transaction ID (which is generated by the client and supposed to be random), or else the bogus response is ignored.
* All WebRTC media traffic is encrypted (SRTP) and all WebRTC non-media traffic ("data traffic") is DTLS-protected (SCTPoDTLSoUDP).


> Using TCP as the TURN
> transport makes an attack more challenging but it doesn't
> eliminate it entirely.  In VoIP scenarios, what they typically
> do is accept the response but then authenticate the
> application traffic, so if they get a bogus response
> the media streams can't be established, anyway.
> So, either think about how to protect against an insertion
> attack, or make it clear that you've got protection
> available at the application layer.
> Melinda
> _______________________________________________
> pntaw mailing list