Re: [rtcweb] Consent alternative
Martin Thomson <martin.thomson@gmail.com> Mon, 02 December 2013 22:44 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 224A21ADDAF for <rtcweb@ietfa.amsl.com>; Mon, 2 Dec 2013 14:44:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ieGbspu6gQm for <rtcweb@ietfa.amsl.com>; Mon, 2 Dec 2013 14:44:32 -0800 (PST)
Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) by ietfa.amsl.com (Postfix) with ESMTP id C50E61AD845 for <rtcweb@ietf.org>; Mon, 2 Dec 2013 14:44:31 -0800 (PST)
Received: by mail-wi0-f171.google.com with SMTP id ca18so5658889wib.4 for <rtcweb@ietf.org>; Mon, 02 Dec 2013 14:44:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=0OPuoDjcmYtwlVGaV98gClwh7xmThwkxsLoMUi9Ybag=; b=NdxDb3Tqxds83IX1g0Mhvs2CByxf/kyZ89I8o/NADZ0FLtSHTH9ejGTLBDAgYXzbHS UG4TbG9TcD07cZe48uucBGesTxMg2LUiu7QTB/mvB5U5KCF1IxNvcuTgJ4Y6PJD5Mh/f T0p/jUNCdnzuGnFWJSsDqNwCvBVXEf3bablfLOSV+t7JkHDFjST6z0cG7d2gNbmhxmE8 kXzGPaX6KZj+glEl2zRmCh1ppxI4pt8hcJcQBYBqiLB3YxVed3eeDoZE3yWTddyboied w8m40r+Fhu1ba55MK+uMGqkVBA/gwNqxNiQvswh0Yh2V0Yf1fW+2TZMWhLM1x/elhjB1 NqoQ==
MIME-Version: 1.0
X-Received: by 10.180.107.193 with SMTP id he1mr20296804wib.50.1386024268933; Mon, 02 Dec 2013 14:44:28 -0800 (PST)
Received: by 10.227.134.195 with HTTP; Mon, 2 Dec 2013 14:44:28 -0800 (PST)
In-Reply-To: <52989933.6000907@ericsson.com>
References: <CABkgnnVNnT8uoWM8T=TqbTmy11CGTeHLP=_7z5KSMSpAsp9SyQ@mail.gmail.com> <52989933.6000907@ericsson.com>
Date: Mon, 02 Dec 2013 14:44:28 -0800
Message-ID: <CABkgnnUX3OFUyc5PXeN0ydykBwL0HyRuaigfJKMBbuWnuhnVJg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Content-Type: text/plain; charset="UTF-8"
Cc: Cullen Jennings <fluffy@cisco.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Consent alternative
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2013 22:44:34 -0000
On 29 November 2013 05:40, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote: > I have looked briefly on this and wonder if this isn't vulnerable to > active attacks from a attacker (Alice) that likes to use a set of WebRTC > browsers, including (Bob) to generate DDOS traffic towards the target > (Charlie). Hi Magnus, I think that you did manage to hit on something critical here. The basic security primitive in play with ICE consent is proof of receipt. That is the key piece at play here as well. We require proof of receipt simply because that elevates the requirements for an attacker to the point that they have to basically be on-path. At that point, they (likely) already have the ability to generate traffic toward a victim of an equal (or maybe greater) volume to the sender and gain little by mounting the attack. That's why I'm not particularly interested in the part where you talk about attackers intercepting binding requests. The actual attack that you have hit upon (or caused me to think about) is not quite as you described, but it does rely on the fact that the proposed change to the consent mechanism no longer actively depends on proof of receipt. It also relies on the possibility that a DTLS connection can be moved without requiring proof of receipt on the new path. That, to me, is the fundamental problem to be solved. From my reread of RFC 6347, it appears as though the only consideration given to DoS was at the handshake. Once something like ICE is in play (and MICE makes this worse), the ability to "move" the connection presents an attacker with an opportunity. (I have to point out that this also confirms my fears about the mechanism used to signal ICE restarts, but I'll get back to that.) Here is the attack as I understand it: 1. A talks to B, establishing a DTLS connection using ICE. There is no need for lots of data to flow at this point, this is the "warm-up" phase of the attack. 2. B (the attacker) triggers an "ICE restart" with A, though really this generates a new ICE negotiation with a victim, C. C consents to talk to B, but not necessarily with A. This arrangement is easy to achieve on the drive-by web. 3. A completes ICE with C and expects to continue the DTLS connection over the newly discovered 5-tuple. C is confused, but really has no recourse at this point. Even if the DTLS connection fails, C is now the victim on the other end of an unending stream of bits. B spoofs the source address of the necessary packets to continue consent, A continues to send to C, and nothing that C does can stop the flood because they don't have access to the master secret and cannot therefore produce an authenticated packet that terminates the connection. B can continue the attack as long as A is willing, at the bargain-basement price of a (spoofed) DTLS heartbeat response every 10-20 seconds. The key here is the lack of a proof of receipt from A toward C for the DTLS connection that is moved. There is nothing inherent to DTLS that provides proof that C received data from A and is also willing to continue to communicate... Almost. The DTLS heartbeat extension does provide such a thing: http://tools.ietf.org/html/rfc6520#page-6 All we need to do to close this little loophole is to require that a DTLS heartbeat request be sent after any change in underlying 5-tuple. That request MUST contain sufficient entropy that guessing would be difficult for an off-path attacker; noting that this is also covered by TLS record layer encryption and authentication, limiting the number of parties that are even allowed to make a guess. I'm a big fan of 128 bits, but less is almost certainly OK. If no response is received within N seconds, consent is expired. The basic consent timer seems appropriate here, i.e., N=30. DTLS renegotiation would also work, but I consider that to be a little heavyweight. I'm not sure that it's that widely implemented either.
- [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative tim panton
- Re: [rtcweb] Consent alternative Bernard Aboba
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative tim panton
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Lorenzo Miniero
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Magnus Westerlund
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Dan Wing
- Re: [rtcweb] Consent alternative Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Dan Wing
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Consent alternative Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Consent alternative Harald Alvestrand
- Re: [rtcweb] Consent alternative Tirumaleswar Reddy (tireddy)
- Re: [rtcweb] Consent alternative Martin Thomson
- Re: [rtcweb] Consent alternative Tirumaleswar Reddy (tireddy)