Re: [rtcweb] ICE and security

Hadriel Kaplan <HKaplan@acmepacket.com> Sat, 17 September 2011 17:24 UTC

Return-Path: <HKaplan@acmepacket.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B79121F8A35 for <rtcweb@ietfa.amsl.com>; Sat, 17 Sep 2011 10:24:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.212
X-Spam-Level:
X-Spam-Status: No, score=-2.212 tagged_above=-999 required=5 tests=[AWL=-0.213, BAYES_00=-2.599, J_CHICKENPOX_24=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8SSX2rf-N32M for <rtcweb@ietfa.amsl.com>; Sat, 17 Sep 2011 10:24:55 -0700 (PDT)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by ietfa.amsl.com (Postfix) with ESMTP id BD48621F8783 for <rtcweb@ietf.org>; Sat, 17 Sep 2011 10:24:55 -0700 (PDT)
Received: from MAIL2.acmepacket.com (10.0.0.22) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.2.254.0; Sat, 17 Sep 2011 13:27:12 -0400
Received: from MAIL1.acmepacket.com ([169.254.1.150]) by Mail2.acmepacket.com ([169.254.2.157]) with mapi id 14.01.0270.001; Sat, 17 Sep 2011 13:27:12 -0400
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: "Olle E. Johansson" <oej@edvina.net>
Thread-Topic: [rtcweb] ICE and security
Thread-Index: AQHMdV8HZnV0C/itdk+1WJWhe7py/g==
Date: Sat, 17 Sep 2011 17:27:10 +0000
Message-ID: <0E6DD5C7-A59F-4C35-9412-780CB19F2DE1@acmepacket.com>
References: <CALiegfnOCxyTo9ffQ272+ncdu5UdgrtDT-dn10BWGTZMEjZoCg@mail.gmail.com> <2E239D6FCD033C4BAF15F386A979BF510F0C0A@sonusinmail02.sonusnet.com> <05CAC192-E462-421F-B1E5-B78DC8F60306@ag-projects.com> <2E239D6FCD033C4BAF15F386A979BF510F0C93@sonusinmail02.sonusnet.com> <16880306-5B3A-4EFD-ADE4-1201138D9182@acmepacket.com> <4E73BA23.6040305@skype.net> <E8DBBD7D-BAD2-43A9-807B-C3663FD31A2B@edvina.net>
In-Reply-To: <E8DBBD7D-BAD2-43A9-807B-C3663FD31A2B@edvina.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [216.41.24.34]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <3EAE6F2B1AFA6B4C8BFE0AEF5C7BDBE4@acmepacket.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAQAAAWE=
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] ICE and security
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 17 Sep 2011 17:24:56 -0000

On Sep 17, 2011, at 4:22 AM, Olle E. Johansson wrote:

> 
> 16 sep 2011 kl. 23:05 skrev Matthew Kaufman:
>> 
>> This, and supports enough security/safety that the library can be trusted to run in the browser environment. (This is where the ICE requirement comes from.)
> 
> Matt,
> Can you please elaborate how ice relates to security?

There's a concern that malicious javascript can make your Browser start sending RTP packets at a target, and that enough people running such a javascript would be a nice botnet flooding a target.  For example, there could be some malicious website which has some interesting content on it to draw people to go to it (for example it mirrors real content from somewhere else, or it offers pirated content downloading, or porn, or whatever), and on the same webpage it embeds javascript that makes your Browser start sending RTP packets against root DNS servers or whatever.  IF they got enough browsers viewing their webpage, then it would be a DDoS flood of RTP against the target.  And of course if we have a UDP-based Data channel and the javascript can decide what goes in the data packet, then it could craft something nasty, to either perform a heavier resource exhaustion attack, or whatever.  Ultimately the concern is that UDP has no SYN/SYN-ACK exchange like TCP does, to verify the device you're going to send lots of packets to wants to receive any of them.

So ICE does that for you - it verifies the IP:port you're going to send your RTP packets to is willing to accept your packets. (it has some other security properties too, but I personally find the rest questionable, compared to this one)
So basically we're stuck with requiring ICE be used for every media/data session, and thus not being able to interop directly with devices which don't do ICE (which is most of the SIP world right now).

One open question is if javascript will even be allowed to open a media channel to a peer without human/user consent.  I thought we were requiring per-site consent.  I guess a malicious site could still offer legitimate media usage, and thus get user's consent, and then sometime in the future the same website could turn evil; or it could offer seemingly legitimate service that works, while in javascript creating a forked stream that is the one attacking someone else.

I wonder though if even requiring ICE is sufficient.  If I'm a malicious javascript, I could add enough ICE candidates against a target that it would be the same as an RTP stream in aggregate (I believe ICE's throttling limit was in fact approximately the rate of RTP by design, if I recall correctly).

-hadriel