IETF Logo Mail Archive

Re: [rtcweb] Review of draft-ietf-rtcweb-stun-consent-freshness

Bernard Aboba <bernard.aboba@gmail.com> Thu, 21 May 2015 23:55 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D64571A90F3; Thu, 21 May 2015 16:55:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DzyZQlKrzuqt; Thu, 21 May 2015 16:55:15 -0700 (PDT)
Received: from mail-wg0-x229.google.com (mail-wg0-x229.google.com [IPv6:2a00:1450:400c:c00::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F8A61A8AF0; Thu, 21 May 2015 16:55:14 -0700 (PDT)
Received: by wgbgq6 with SMTP id gq6so2525564wgb.3; Thu, 21 May 2015 16:55:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=N+wf94Zkd8CoRlrsxjPgZP4OCcv8GWvInvxyLaSDI08=; b=ULXEWUPWkLaM1YVjsJ70FbjUS448IbxIak5G9GI8rE2qeTgCSvFThkgQqYCAqKY+Mp sIc+03GotrR7RvlXUVigY/ckZJoEv05o9GfLaW0Py70RfFlzH4O28VCw9gMaJhCH67DN R6sIHQpoHz0tPaljRj491ZpzKp6SFq2IryLhZmDbneP2+zIKR8PEvq8P5u/QnlxHdAX+ tUVfBGWDGXX4gRIn4ImgqC41ctot9gSZfJXlNMy2Wdij//0lmiFKdtOhAW+c5K2u/Uea e/8Wc2kyLQ/DruMg9pPwBX82ySelnHgvJmY1ixQtTJI/JfIwRWrF0NSoY+VgKgqKjCUI N6+g==
X-Received: by 10.181.13.165 with SMTP id ez5mr2002316wid.77.1432252513305; Thu, 21 May 2015 16:55:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.54.16 with HTTP; Thu, 21 May 2015 16:54:52 -0700 (PDT)
In-Reply-To: <CABkgnnWgpSYDjRQpk16Z0mCLietUcK1dSiNL-Y+jmFCpqan4Gg@mail.gmail.com>
References: <CAOW+2dsv8CVpaKoBsUvc5MGh2s3xD2J5NiXPAnFUMOhYqSmjzQ@mail.gmail.com> <CABkgnnWgpSYDjRQpk16Z0mCLietUcK1dSiNL-Y+jmFCpqan4Gg@mail.gmail.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Thu, 21 May 2015 16:54:52 -0700
Message-ID: <CAOW+2dtDBxBBC7ToBGvP8cqYjGKUAYuR-5uL=NSjzE5iVwLRrA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="f46d043c80d048c81e0516a04613"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/1eVHy4tOAGa7TRDsLFxw4hCNHKI>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, The IESG <iesg@ietf.org>
Subject: Re: [rtcweb] Review of draft-ietf-rtcweb-stun-consent-freshness
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2015 23:55:20 -0000

Martin said:
> 1. Adaptation of the RTO via RTT measurement

[Martin] I agree that this is a concern, but we have a means of determining
RTO, so we just need to add text that says something like: The initial
STUN transaction produces a value for RTO on any given candidate pair.
That value is used in determining how long to await a STUN response,
it is updated as new STUN responses are received.

[BA] If you cite the RFC 5389 text relating to initial RTO, caching,
estimation algorithm, etc. you can then use the calculated value to
determine how long to await a STUN response.

> 2. Consistent number of requests sent without a response (Rc) before
> transaction failure
> 3. Total time to transaction failure robust against routing transients

I don't agree that either of these is a problem.  It's a design,
certainly, but it suffers from a dire lack of determinism in running
time, something that might be exploited to increase denial of service
exposure time.

[BA] The effective transmission rate matters in DDOS more than running time
- which is why the RFC 5389 backoff algorithm makes a difference.  Here an
Rc value of 7 is not as critical as having it be a constant.

> 1. No RTT/RTO estimation - and given that responses to a request that
arrive
> after a new request is sent are ignored, no ability to make use of the
> information that is available. Effectively, the specification sets the RTO
> to be a random value between 4 and 6 seconds, with no relationship to
> network characteristics.

If response i arrives after i+1, that's not going to provide any
useful information about RTO itself (RTO jitter perhaps).

[BA] That is true if the transaction ID doesn't change (e.g. RFC 5389).
But if the transaction ID changes, then you can use the arrival time of
response i to get a better RTO estimate, even if i+1 arrives first. This is
valuable since it is most likely to happen when the originally calculated
RTO value is too low, making a false retransmission timeout more likely.
RFC 5682 describes some of the concerns relating to F-RTO.

Note that
the original STUN design doesn't even allow you to detect this sort of
reordering, since the transaction ID is reused, so that's strictly
worse.

[BA] Right.  So by changing the transaction ID on each request, it is
possible to do better - particularly if F-RTO can be taken into account.

> 2. Inconsistent number of requests before failure.  Given the
randomization,
> 4 to 6 requests might be sent within the 30 seconds.

That doesn't bother me.

[BA] Varying Rc will produce a false retransmission probability that will
vary by network conditions, particularly if Rc can be small (e.g. only a
few retransmissions prior to declaring consent revocation).

> 3. Unclear timer behavior.  Does an implementation continue to send
requests
> until 30 seconds has elapsed, or does it stop before then so as to allow
for
> a response to the last request to arrive?  One could interpret the above
to
> imply that requests continue to be sent for up to 30 seconds, but the last
> request is considered failed as soon as the 30 second timer expires.

How can we make this clearer?

[BA] If consent expires at 30 seconds + RTO (or better, at last request
sending time plus RTO) then that would clarify things.

It says:

   Consent expires after 30 seconds.

I like that.  Note that "excessive traffic" was intended to be in
time, not volume.

[BA] Why would time matter if consent packets aren't being sent (e.g.
backoff)?

>
> [BA] The last sentence seems to imply that consent checks are scheduled
> before ICE completes, and would therefore interact with the scheduling and
> pacing mechanism specified in RFC 5245.  This does make some sense, since
in
> Trickle ICE, trickling all the candidates might take a while, and media
> might be sent after a successful response, so that consent would be in
> order.  However, if that is the intent, then it needs to be explicitly
> stated, and this document
> needs to contain an Updates: RFC 5245 header.

That's easy, let's just say that this process applies *after* consent
has been acquired.  maybe we could move this up to Section 4:

[BA] The question is when consent is acquired. I'd assume that this begins
when media starts being sent - which according to RFC 5245 can occur after
a successful connectivity check response.  So ICE isn't necessarily
complete.

... is needed to obtain consent to send *on that candidate pair*.

[BA] That part makes sense - but if there is another valid pair, it should
be possible to start sending media on that pair without having to do an ICE
restart.  That is allowed under RFC 5245.


On Thu, May 21, 2015 at 4:10 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 20 May 2015 at 16:48, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> > This is a review of draft-ietf-rtcweb-stun-consent-freshness.
> ...
> > 1. Adaptation of the RTO via RTT measurement
>
> I agree that this is a concern, but we have a means of determining
> RTO, so we just need to add text that says something like: The initial
> STUN transaction produces a value for RTO on any given candidate pair.
> That value is used in determining how long to await a STUN response,
> it is updated as new STUN responses are received.
>
> > 2. Consistent number of requests sent without a response (Rc) before
> > transaction failure
> > 3. Total time to transaction failure robust against routing transients
>
> I don't agree that either of these is a problem.  It's a design,
> certainly, but it suffers from a dire lack of determinism in running
> time, something that might be exploited to increase denial of service
> exposure time.
>
> > 1. No RTT/RTO estimation - and given that responses to a request that
> arrive
> > after a new request is sent are ignored, no ability to make use of the
> > information that is available. Effectively, the specification sets the
> RTO
> > to be a random value between 4 and 6 seconds, with no relationship to
> > network characteristics.
>
> If response i arrives after i+1, that's not going to provide any
> useful information about RTO itself (RTO jitter perhaps).  Note that
> the original STUN design doesn't even allow you to detect this sort of
> reordering, since the transaction ID is reused, so that's strictly
> worse.
>
> > 2. Inconsistent number of requests before failure.  Given the
> randomization,
> > 4 to 6 requests might be sent within the 30 seconds.
>
> That doesn't bother me.
>
> > 3. Unclear timer behavior.  Does an implementation continue to send
> requests
> > until 30 seconds has elapsed, or does it stop before then so as to allow
> for
> > a response to the last request to arrive?  One could interpret the above
> to
> > imply that requests continue to be sent for up to 30 seconds, but the
> last
> > request is considered failed as soon as the 30 second timer expires.
>
> How can we make this clearer?
>
> It says:
>
>    Consent expires after 30 seconds.
>
> And:
>
>    [...] a STUN binding request can be sent
>    periodically [at] a default interval of 5 seconds, [...]
>
> Those are independent.  If you are under the impression that these are
> somehow coupled, we can add "This timer is independent of the consent
> expiry timeout."
>
> > My suggested rewording is as follows:
> >
> > "To prevent browsers supporting WebRTC from being used to launch denial
> of
> > service attacks by sending media to unsuspecting victims, periodic
> consent
> > needs to be obtained from remote endpoints."
>
> I like that.  Note that "excessive traffic" was intended to be in
> time, not volume.
>
> > Section 4.1
> >
> > An endpoint MUST NOT send data other than paced STUN connectivity checks
> or
> > responses toward any transport address  unless the receiving endpoint
> > consents to receive data. That is, no application data (e.g., RTP or
> DTLS)
> > can be  sent until consent is obtained. After a successful ICE
> connectivity
> > check on a particular transport address, consent MUST be maintained
> > following the procedure described in this document.
> >
> > [BA] The last sentence seems to imply that consent checks are scheduled
> > before ICE completes, and would therefore interact with the scheduling
> and
> > pacing mechanism specified in RFC 5245.  This does make some sense,
> since in
> > Trickle ICE, trickling all the candidates might take a while, and media
> > might be sent after a successful response, so that consent would be in
> > order.  However, if that is the intent, then it needs to be explicitly
> > stated, and this document
> > needs to contain an Updates: RFC 5245 header.
>
> That's easy, let's just say that this process applies *after* consent
> has been acquired.  maybe we could move this up to Section 4:
>
>    Initial consent to send traffic is obtained using ICE.  Consent
>    expires after 30 seconds.  An endpoint maintains consent as
> described in Section 4.2.
>
> The second sentence can stay where it is to provide context.
> Repetition of that point is harmless.
>
> > Each STUN binding request for consent MUST use a new cryptographically
> > strong [RFC4086] STUN transaction ID.
> >
> > [BA] I think that RFC 5389 Section 6 says what is in intended here in a
> more
> > precise way, so it should be referenced instead:
> >
> >    As such, the transaction ID MUST be uniformly
> >    and randomly chosen from the interval 0 .. 2**96-1, and SHOULD be
> >    cryptographically random.
>
> WFM.  We can cite that instead.
>
> > After consent is lost for any reason, the same ICE credentials MUST NOT
> be
> > used on the affected 5-tuple again. That means that a new session, or an
> ICE
> > restart, is needed to obtain consent to send.
> >
> > [BA] The second sentence does not follow from the first. RFC 5245 enables
> > sending of media once a successful ICE connectivity check has been
> received.
> > If multiple successful candidate pairs have been identified, why should
> > failure of consent on one candidate pair require an ICE restart if
> another
> > operational candidate pair exists?
>
> ... is needed to obtain consent to send *on that candidate pair*.
>
> There was a long discussion about this point, the conclusion of which
> was "use it or lose it".  This captures that conclusion.  I can't
> remember the details of the discussion, but I think that it wasn't a
> security concern but a robustness one.
>
> > Also, it is not clear what "any reason" means -
>
> We can drop those words.
>

v2.23.0 | Report a Bug | By Email