Re: [pntaw] More on draft-hutton-rtcweb-nat-firewall-considerations

"Tirumaleswar Reddy (tireddy)" <> Tue, 24 September 2013 15:08 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 23C6411E815B for <>; Tue, 24 Sep 2013 08:08:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.146
X-Spam-Status: No, score=-10.146 tagged_above=-999 required=5 tests=[AWL=0.296, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, SUBJECT_FUZZY_TION=0.156]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id s9Woom7D32Gm for <>; Tue, 24 Sep 2013 08:07:57 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D854911E8164 for <>; Tue, 24 Sep 2013 08:07:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=22893; q=dns/txt; s=iport; t=1380035275; x=1381244875; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=K6kknZGJZfnGFJMUmKPdTN3692ImXGHCYSmkXFjqYJM=; b=S/s0qMIWGeoFlhvW8vGdFcPVO2TZUkHPp9E466BapLBFOgTviuh9u/pt ZpWh2e9nh/HSC0hIyzgtmLmmGyQ4anaRejOqABY2r19uSBedA65hUO8rt V0l7LU8RjOZe3632zKZKto0rkbGFh/wnWfXDYGR4n2M0ypiRzO9FYH1jM k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos; i="4.90,971,1371081600"; d="scan'208,217"; a="263833990"
Received: from ([]) by with ESMTP; 24 Sep 2013 15:07:53 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id r8OF7rQm029083 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 24 Sep 2013 15:07:53 GMT
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Tue, 24 Sep 2013 10:07:52 -0500
From: "Tirumaleswar Reddy (tireddy)" <>
To: Oleg Moskalenko <>
Thread-Topic: [pntaw] More on draft-hutton-rtcweb-nat-firewall-considerations
Thread-Index: AQHOuONCg4GUhi2DtUuPO48aTcUBQ5nUzxSA///HSoCAALLXAP//sBug
Date: Tue, 24 Sep 2013 15:07:52 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_913383AAA69FF945B8F946018B75898A1907DF6Fxmbrcdx10ciscoc_"
MIME-Version: 1.0
Cc: Melinda Shore <>, "" <>
Subject: Re: [pntaw] More on draft-hutton-rtcweb-nat-firewall-considerations
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discussion list for practices related to proxies, NATs, TURN, and WebRTC" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 24 Sep 2013 15:08:02 -0000

Hi Oleg,

ICE connectivity checks will take care of the attack. Only the parties involved the WebRTC call will be aware of the short-term credential (ice-ufrag, ice-pwd). ICE connectivity checks use the short-term credentials. So though the peer will send STUN Binding Request (ICE check) to the attacker. The attacker will not be able to compute the message-integrity for STUN Binding Response since it will not be aware of the password.

TURN authentication is more important because resources will be allocated on the server. we are discussing in BEHAVE WG the need for stronger authentication mechanism in draft

From: [] On Behalf Of Oleg Moskalenko
Sent: Tuesday, September 24, 2013 8:07 PM
To: Tirumaleswar Reddy (tireddy)
Cc: Melinda Shore;
Subject: Re: [pntaw] More on draft-hutton-rtcweb-nat-firewall-considerations

Hi Tiru,
Melinda was talking about a different area of concern. She was considering an attack when a malicious party sends a fake STUN Binding response to the client. Then, the client will have wrong value of its own reflexive IP address and the client will use that wrong address in, say, SDP. Then the peer will be sending the media stream to the attacker's IP address.
As STUN Binding request/response dialog is usually implemented without authentication in the STUN/TURN servers, that may be really a concern.

On Tue, Sep 24, 2013 at 2:19 AM, Tirumaleswar Reddy (tireddy) <<>> wrote:
We had discussed in BEHAVE WG to change TURN REST API draft to use OAuth. With OAuth, the WebRTC client will get self-contained token with lifetime, session key etc in the signaling protocol which will be used by the TURN client to compute message integrity for the TURN request. TURN server will use the token to get the session key, validate the TURN request and also compute the message integrity for the TURN response. This solves the problem of not exposing long-term credentials to the java script.

From:<> [<>] On Behalf Of Oleg Moskalenko
Sent: Tuesday, September 24, 2013 12:50 PM
To: Melinda Shore
Subject: Re: [pntaw] More on draft-hutton-rtcweb-nat-firewall-considerations

Melinda raised some valid TURN security concerns. I'd suggest to add two optional recommendations for the secure TURN environments:
1) Enforce authentication of STUN Binding request/response;
2) Short-term authentication mechanism.
The problems with those recommendations are:
1) The existing STUN, TURN, WebRTC and ICE implementations do not support authenticated STUN Binding request/responses; this is an implementation problem, this is not a standard problem. I personally can say that adding an option of authenticated STUN request/response to our TURN server (rfc5766-turn-server) is an easy 1-hour work, but this is rather a convention problem. My experience is that once this option is enabled, the WebRTC stops working - it is not expecting a challenge response from the STUN server. It can be considered as a bug of the existing WebRTC libraries.
2) As of now, WebRTC does not support short-term authentication mechanism.
3) The new TURN REST API standard (under development) is revolving around the long-term authentication mechanism.

On Mon, Sep 23, 2013 at 10:02 PM, Melinda Shore <<>> wrote:
I think you really need to be clearer about the distinction
between NAT and firewall, and that firewalls are policy
enforcement devices.  NATs arguably are (address policy)
but to the extent they're deployed as access control
mechanisms that function is incidental to their design.
This matters a lot when you're talking about ICE, since
it was designed as a *NAT* traversal mechanism, not a
firewall traversal mechanism.  There's been a long history
of highly contentious middlebox work in the IETF and
it's probably better to address those questions sooner
rather than later, as I think they're bound to come up.

So, you're extending ICE to firewall traversal, because
... ?

In particular I'd put some text in section 1 addressing
the difference between NATs and firewalls, the policy
enforcement role of firewalls, that it is explicitly
not the intention of this draft to propose a mechanism
for violating local firewall policy, and that you recognize
a need to give the network administrator control over
what does and does not enter their network.  That said,
if they do wish to allow WebRTC traffic, this is how to
do it.  I think that will help fend off irritating questions
from people like, say, me.

I think there's probably a lot more that can be said about
addressing and policy, particularly around authenticity, but
I'm going to save that for after having re-read the WebRTC
documents.  But I'd like to skip ahead to the security
considerations section, because that's really critically
important and can't be left empty (to be honest I'm considering
proposing to my own working group and others that we not
adopt any working group draft that has an empty security
considerations section - it's a big problem).

I think there are two broad classes of security issues here:
1) the security of the mechanism itself, and
2) security in the context of the environment

In this case the two are not cleanly separable, to the
extent that presumably the reason for subverting the
security of a WebRTC traversal mechanism would be to
compromise the firewall (with one prominent exception, which
I'll get to below).

As I mentioned in previous email, you cannot allow the
WebRTC firewall traversal technology to be subverted
to allow "unauthorized" pinholing.  This is kind of a
messy problem, since it can involve port numbers (which
doesn't apply in the creation of real-time media
streams), stateful traffic inspection (which doesn't
work in the presence of encrypted signaling traffic),
and so on.  It *may* be the case that there's an authoritative,
trusted entity somewhere in the application architecture
that can make authoritative statements about what's
allowed, and you could leverage a third-party mechanism
like OAuth if you can live with the added latency.

I can give you a long, long list of reasons I don't like
STUN (and, to a lesser extent, TURN), but prominent among
them is that without some sort of application-layer
authentication it is trivially easy to use it to hijack media
streams.  All you have to do is send a bogus STUN or
TURN response with an address of your choosing, since the
answer is unauthenticated.  Using TCP as the TURN
transport makes an attack more challenging but it doesn't
eliminate it entirely.  In VoIP scenarios, what they typically
do is accept the response but then authenticate the
application traffic, so if they get a bogus response
the media streams can't be established, anyway.
So, either think about how to protect against an insertion
attack, or make it clear that you've got protection
available at the application layer.

pntaw mailing list<>