Re: [rtcweb] ICE and security

Dzonatas Sol <dzonatas@gmail.com> Sun, 18 September 2011 16:36 UTC

Message-ID: <4E761F22.1020901@gmail.com>
Date: Sun, 18 Sep 2011 09:41:06 -0700
From: Dzonatas Sol <dzonatas@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.16) Gecko/20110818 Icedove/3.0.11
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <CALiegfnOCxyTo9ffQ272+ncdu5UdgrtDT-dn10BWGTZMEjZoCg@mail.gmail.com> <2E239D6FCD033C4BAF15F386A979BF510F0C0A@sonusinmail02.sonusnet.com> <05CAC192-E462-421F-B1E5-B78DC8F60306@ag-projects.com> <2E239D6FCD033C4BAF15F386A979BF510F0C93@sonusinmail02.sonusnet.com> <16880306-5B3A-4EFD-ADE4-1201138D9182@acmepacket.com> <4E73BA23.6040305@skype.net> <E8DBBD7D-BAD2-43A9-807B-C3663FD31A2B@edvina.net> <0E6DD5C7-A59F-4C35-9412-780CB19F2DE1@acmepacket.com> <CABcZeBOPgNASQi5cELnhN+n6=Hi4ehfYoifXv_TMba=Ov-VNCQ@mail.gmail.com> <4E75BAC5.1060809@alvestrand.no>
In-Reply-To: <4E75BAC5.1060809@alvestrand.no>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [rtcweb] ICE and security

On 09/18/2011 02:32 AM, Harald Alvestrand wrote:
> On 09/18/2011 07:01 AM, Eric Rescorla wrote:
>> On Sat, Sep 17, 2011 at 10:27 AM, Hadriel Kaplan <HKaplan@acmepacket.com> wrote:
>>> On Sep 17, 2011, at 4:22 AM, Olle E. Johansson wrote:
>>>
>>>> 16 sep 2011 kl. 23:05 skrev Matthew Kaufman:
>>>>> This, and supports enough security/safety that the library can be 
>>>>> trusted to run in the browser environment. (This is where the ICE 
>>>>> requirement comes from.)
>>>> Matt,
>>>> Can you please elaborate how ice relates to security?
>>> There's a concern that malicious javascript can make your Browser 
>>> start sending RTP packets at a target, and that enough people 
>>> running such a javascript would be a nice botnet flooding a target.  
>>> For example, there could be some malicious website which has some 
>>> interesting content on it to draw people to go to it (for example it 
>>> mirrors real content from somewhere else, or it offers pirated 
>>> content downloading, or porn, or whatever), and on the same webpage 
>>> it embeds javascript that makes your Browser start sending RTP 
>>> packets against root DNS servers or whatever.  IF they got enough 
>>> browsers viewing their webpage, then it would be a DDoS flood of RTP 
>>> against the target.  And of course if we have a UDP-based Data 
>>> channel and the javascript can decide what goes in the data packet, 
>>> then it could craft something nasty, to either perform a heavier 
>>> resource exhaustion attack, or whatever.  Ultimately the concern is 
>>> that UDP has no SYN/SYN-ACK exchange like TCP does, to verify the 
>>> device you're going to send lots of packets to wants to receive 
>>> any of them.
>>>
>>> So ICE does that for you - it verifies the IP:port you're going to 
>>> send your RTP packets to is willing to accept your packets. (it has 
>>> some other security properties too, but I personally find the rest 
>>> questionable, compared to this one)
>>> So basically we're stuck with requiring ICE be used for every 
>>> media/data session, and thus not being able to interop directly with 
>>> devices which don't do ICE (which is most of the SIP world right now).
>>>
>>> One open question is if javascript will even be allowed to open a 
>>> media channel to a peer without human/user consent.  I thought we 
>>> were requiring per-site consent.  I guess a malicious site could 
>>> still offer legitimate media usage, and thus get user's consent, and 
>>> then sometime in the future the same website could turn evil; or it 
>>> could offer seemingly legitimate service that works, while in 
>>> javascript creating a forked stream that is the one attacking 
>>> someone else.
>> I don't see any reason not to allow (for instance) a data channel w/o
>> user consent.
> I think it's reasonable to aim to do somewhat better than current HTTP 
> practice, but not to demand that security for UDP connection be at a 
> totally different level than for HTTP/WS connections. When the WG has 
> talked about user consent, that has been related to use of user's 
> camera and microphone.
>>
>>> I wonder though if even requiring ICE is sufficient.  If I'm a 
>>> malicious javascript, I could add enough ICE candidates against a 
>>> target that it would be the same as an RTP stream in aggregate (I 
>>> believe ICE's throttling limit was in fact approximately the rate of 
>>> RTP by design, if I recall correctly).
>> At best this would be a DoS attack, however.
>
> And I see every reason for the browser to rate-limit the number of 
> unsuccessful connection attempts a script can make.

One difference someone could introduce is pre-mapped and canonicalized 
resource names (and labels). For example, each escaped and underlined 
name version matches a date; then, the connection must be done JIT such 
that any eval() of the date-to-name is already done.

See also this with private resources in mind: 
http://wiki.secondlife.com/wiki/LSL_http_server

So maybe it's more clear how we could go from that to RTP usage, so SIP 
is helpful, yet a somewhat backwards step in progress. Either way, the 
resource either expires or stays open for recorders/playback (as different 
from rougher rate-limits).

At minimum, we need ICE for the resource names that are already 
standard. Then we contemplate next either S/MIME or SSRC based on 
direction of duplex. I'd leave in the sideband option (in 802.11n?) even 
if it's not on the agenda; sideband is like voice and data already 
mapped like DSL, yet again, I would digress to spectrum.

Thanks.

-- 

---
The wheel.
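The thread above describes ICE's connectivity check as the UDP substitute for a TCP handshake: the browser sends a STUN Binding request signed with the peer's ICE password and may send media to that IP:port only after a matching, verified response comes back, and Harald adds that the browser should rate-limit unsuccessful checks a script can make. The following is an added example (not code from this thread, from the rtcweb WG, or from any browser) that simulates both sides of that exchange in one process, with no sockets; the class and method names, the ufrag/password strings and the candidate addresses are all constructed for illustration. It builds and verifies MESSAGE-INTEGRITY and FINGERPRINT as RFC 5389 specifies and shows that a host which never answers the check (the DNS-server case in the thread) is never cleared to receive media, and that repeated failures exhaust a per-script budget.

```python
"""ICE-style consent check, simulated in-process (added example, not from the thread)."""
import hashlib
import hmac
import os
import struct
import zlib

MAGIC_COOKIE = 0x2112A442      # RFC 5389 magic cookie
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E


def _attr(kind, value):
    """Encode one TLV attribute, padded to a 4-byte boundary."""
    return struct.pack("!HH", kind, len(value)) + value + b"\x00" * (-len(value) % 4)


def build_stun(msg_type, txid, attrs, pwd):
    """Build a STUN message and append MESSAGE-INTEGRITY (HMAC-SHA1 keyed with
    the ICE password `pwd`) and FINGERPRINT, each computed over a header whose
    length field pretends that attribute is the last one (RFC 5389 rule)."""
    body = b"".join(attrs)

    def hdr(extra):
        return struct.pack("!HHI", msg_type, len(body) + extra, MAGIC_COOKIE) + txid

    mi = hmac.new(pwd.encode(), hdr(24) + body, hashlib.sha1).digest()
    body += _attr(ATTR_MESSAGE_INTEGRITY, mi)
    fp = (zlib.crc32(hdr(8) + body) ^ FINGERPRINT_XOR) & 0xFFFFFFFF
    body += _attr(ATTR_FINGERPRINT, struct.pack("!I", fp))
    return hdr(0) + body


def parse_stun(msg, pwd):
    """Return (msg_type, txid, attrs) if the message is well-formed and both
    MESSAGE-INTEGRITY (under `pwd`) and FINGERPRINT verify; otherwise None."""
    if len(msg) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    txid = msg[8:20]
    if cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        return None
    attrs, pos, mi_ok, fp_ok = {}, 20, False, False
    while pos + 4 <= len(msg):
        kind, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        prefix = txid + msg[20:pos]          # everything before this attribute
        if kind == ATTR_MESSAGE_INTEGRITY:
            covered = struct.pack("!HHI", msg_type, pos - 20 + 24, MAGIC_COOKIE) + prefix
            mi_ok = hmac.compare_digest(hmac.new(pwd.encode(), covered, hashlib.sha1).digest(), value)
        elif kind == ATTR_FINGERPRINT:
            covered = struct.pack("!HHI", msg_type, pos - 20 + 8, MAGIC_COOKIE) + prefix
            fp_ok = struct.pack("!I", (zlib.crc32(covered) ^ FINGERPRINT_XOR) & 0xFFFFFFFF) == value
        attrs[kind] = value
        pos += 4 + alen + (-alen % 4)
    return (msg_type, txid, attrs) if (mi_ok and fp_ok) else None


class IceAgent:
    """One ICE endpoint (hypothetical class). Media may go to a candidate only
    after a Binding response with a matching transaction ID has verified;
    `max_failed` is the per-script budget for unsuccessful checks."""

    def __init__(self, ufrag, pwd, max_failed=5):
        self.ufrag, self.pwd, self.max_failed = ufrag, pwd, max_failed
        self.pending = {}        # txid -> candidate address awaiting a response
        self.verified = set()    # candidate addresses cleared to receive media
        self.failed = 0

    def send_check(self, addr, remote_ufrag, remote_pwd):
        """Return (txid, packet) for a connectivity check towards `addr`."""
        if self.failed >= self.max_failed:
            raise RuntimeError("connectivity-check budget exhausted")
        txid = os.urandom(12)
        self.pending[txid] = addr
        user = _attr(ATTR_USERNAME, f"{remote_ufrag}:{self.ufrag}".encode())
        return txid, build_stun(BINDING_REQUEST, txid, [user], remote_pwd)

    def answer_check(self, msg, remote_ufrag):
        """Responder side: reply only to a request signed with our password
        and carrying the expected USERNAME; anything else is dropped (None)."""
        parsed = parse_stun(msg, self.pwd)
        if parsed is None or parsed[0] != BINDING_REQUEST:
            return None
        if parsed[2].get(ATTR_USERNAME) != f"{self.ufrag}:{remote_ufrag}".encode():
            return None
        return build_stun(BINDING_SUCCESS, parsed[1], [], self.pwd)

    def receive_response(self, txid, msg, remote_pwd):
        """Process the reply to an outstanding check; `msg` is None on timeout."""
        addr = self.pending.pop(txid, None)
        if addr is None:
            return False                      # unsolicited: ignore, no state change
        parsed = parse_stun(msg, remote_pwd) if msg is not None else None
        if parsed is None or parsed[0] != BINDING_SUCCESS or parsed[1] != txid:
            self.failed += 1
            return False
        self.verified.add(addr)
        return True

    def can_send_media(self, addr):
        return addr in self.verified


def demo():
    """Cooperating peer answers the check; a silent host never gets cleared."""
    browser = IceAgent("bUfr", "browser-pwd-0123456789012")
    peer = IceAgent("pUfr", "peer-pwd-012345678901234")
    txid, req = browser.send_check("198.51.100.7:5004", peer.ufrag, peer.pwd)   # constructed address
    ok = browser.receive_response(txid, peer.answer_check(req, browser.ufrag), peer.pwd)
    txid2, _ = browser.send_check("192.0.2.53:53", "x", "y")                    # constructed: never answers
    browser.receive_response(txid2, None, "y")
    return ok, browser.can_send_media("198.51.100.7:5004"), browser.can_send_media("192.0.2.53:53")
```

The two checks in `parse_stun` are what make the response a proof of consent: without the peer's password an attacker cannot forge a success, and the random transaction ID ties the response to the request the browser actually sent. The failure counter is the rate limit Harald describes, applied to checks that time out or fail verification rather than to all traffic.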