Re: [rtcweb] draft-rescorla-rtcweb-security
Harald Alvestrand <harald@alvestrand.no> Thu, 08 September 2011 10:08 UTC
Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39E4021F8A71 for <rtcweb@ietfa.amsl.com>; Thu, 8 Sep 2011 03:08:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.22
X-Spam-Level:
X-Spam-Status: No, score=-107.22 tagged_above=-999 required=5 tests=[AWL=2.138, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, SARE_LWSHORTT=1.24, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B6NihsG8IuiC for <rtcweb@ietfa.amsl.com>; Thu, 8 Sep 2011 03:08:58 -0700 (PDT)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id CB8AB21F8A6F for <rtcweb@ietf.org>; Thu, 8 Sep 2011 03:08:57 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id CBCA739E0F3; Thu, 8 Sep 2011 12:10:48 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eoVoSiKKDxbw; Thu, 8 Sep 2011 12:10:46 +0200 (CEST)
Received: from hta-dell.lul.corp.google.com (62-20-124-50.customer.telia.com [62.20.124.50]) by eikenes.alvestrand.no (Postfix) with ESMTPS id EC09639E074; Thu, 8 Sep 2011 12:10:45 +0200 (CEST)
Message-ID: <4E6894A5.3090208@alvestrand.no>
Date: Thu, 08 Sep 2011 12:10:45 +0200
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.18) Gecko/20110617 Thunderbird/3.1.11
MIME-Version: 1.0
To: Bernard Aboba <bernard_aboba@hotmail.com>
References: <BLU152-W54CEF0D1B390D7326BB98F931E0@phx.gbl>
In-Reply-To: <BLU152-W54CEF0D1B390D7326BB98F931E0@phx.gbl>
Content-Type: multipart/alternative; boundary="------------050404040003030709070309"
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] draft-rescorla-rtcweb-security
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Sep 2011 10:08:59 -0000
On 09/08/11 10:04, Bernard Aboba wrote: > Much of this document is very good, but the sections on ICE and > masking aren't quite right. > > The security properties attributed to ICE only exist under a very > carefully circumscribed set of conditions. Unfortunately, Sections > 4.2.1 and 4.2.2 aren't clear about this. > > The ICE exchange is fine for verifying willingness to accept a > particular stream, assuming that the receiver provides an indication > of willingness to receive. In part, this works because the specific > characteristics of the stream are negotiated in SDP offer/answer > simultaneous with ICE. However, Section 4.2.1 isn't specific enough > about what guarantees are provided by ICE and under what conditions. > An ICE exchange doesn't enable "traffic"; at best it enables media > with characteristics specified in SDP offer/answer to be sent. I think that what a completed ICE exchange provides is a guarantee that someone sending datagrams with the source address of <IP+PORT> has access to a) an incoming datagram sent to that <IP+PORT>, and b) a secret shared out-of-band. That's all. We have made the assumption that in correctly implemented applications, this means that the listener at <IP+PORT> is willing to receive media as negotiated in the same exchange as that which exchanged the shared secret. > > Section 4.2.2 says that masking is not necessary for UDP, but the > logic behind the statement needs more elaboration. There are lots of > potentially nasty things that can be done if a browser can send > arbitrary datagrams to a receiver, even if we postulate a STUN > exchange. Things like: > > * Sending a datagram that might be mistaken for a DNS response, > potentially poisoning the cache. This only works if we have completed the ICE exchange to the port that is listening for DNS responses. > * Sending an SNMP set to a device. This only works if we have completed the ICE exchange to port 161 on the device. > * Sourcing a routing packet (e.g. RIPv2). Again.... > > It strikes me that Section 4.2.2 is needs to be more specific about > the specific threats and the conditions under which they are mitigated > via ICE, SDP offer/answer, etc. More specific language is usually better. But in this particular instance, I have trouble interpreting the argument. > > > 4.2.1. ICE > > > > Verifying receiver consent requires some sort of explicit handshake, > but conveniently we already need one in order to do NAT hole- > punching. ICE [RFC5245 <http://tools.ietf.org/html/rfc5245>] includes a handshake designed to verify that > the receiving element wishes to receive traffic from the sender. > > [BA] I believe that the requirement needs to be stronger -- that > the receiver has agreed to specific traffic offered > by the sender. So if the receiver agrees to receive audio and gets > video instead, that isn't ok. I believe this is outside what ICE can provide - the same issue exists if someone asks for 140x100 thumbnail video and gets 8K cinema resolution instead. Agreed that it needs addressing, but now we're into "have to obey constraints specified in the media negotiation" territory. > Similarly, the guarantee shouldn't > permit a browser to DoS a public STUN server, that merely by responding > to a STUN request, hasn't indicated a willingness to receive any > media at all. Overall, it's important that we get into the specific > conditions under which ICE provides the security guarantees we need. > More on this later. What exactly does a public STUN server respond to? Somehow I doubt that it completes an ICE handshake according to RFC 5245. > It is important to remember here that the site initiating ICE is > presumed malicious; in order for the handshake to be secure the > receiving element MUST demonstrate receipt/knowledge of some value > not available to the site (thus preventing it from forging > responses). In order to achieve this objective with ICE, the STUN > transaction IDs must be generated by the browser and MUST NOT be made > available to the initiating script, even via a diagnostic interface. > > > 4.2.2. Masking > > > > Once consent is verified, there still is some concern about > misinterpretation attacks as described by Huang et al.[huang-w2sp <http://tools.ietf.org/html/draft-rescorla-rtcweb-security-01#ref-huang-w2sp>]. > As long as communication is limited to UDP, then this risk is > probably limited, thus masking is not required for UDP. I.e., once > communications consent has been verified, it is most likely safe to > allow the implementation to send arbitrary UDP traffic to the chosen > destination, provided that the STUN keepalives continue to succeed. > > [BA] Receiving a STUN keepalive (particularly one which is not authenticated) > is not sufficient to protect against UDP-based attacks. Why not? Note - the RFC 5389 short term credential mechanism is mandatory for all ICE packets. I see no reason to relax this requirement. > However, with TCP the risk of transparent proxies becomes much more > severe. If TCP is to be used, then WebSockets style masking MUST be > employed. > > > > _______________________________________________ > rtcweb mailing list > rtcweb@ietf.org > https://www.ietf.org/mailman/listinfo/rtcweb
- [rtcweb] draft-rescorla-rtcweb-security Bernard Aboba
- Re: [rtcweb] draft-rescorla-rtcweb-security Harald Alvestrand