IETF Logo Mail Archive

Re: [rtcweb] Security implications of host candidates

Justin Uberti <juberti@google.com> Wed, 11 July 2018 23:01 UTC

Return-Path: <juberti@google.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CB15130EAF for <rtcweb@ietfa.amsl.com>; Wed, 11 Jul 2018 16:01:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.51
X-Spam-Level:
X-Spam-Status: No, score=-17.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P0pkm_vO2QVp for <rtcweb@ietfa.amsl.com>; Wed, 11 Jul 2018 16:01:43 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D856130E73 for <rtcweb@ietf.org>; Wed, 11 Jul 2018 16:01:43 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id d191-v6so452320ite.1 for <rtcweb@ietf.org>; Wed, 11 Jul 2018 16:01:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=NspjXuNg0wJk5AEB+qJfpBzWOeU4tYQ/0xORjx/0+a8=; b=DoeqSVM5fd4qp+GK0sJbc6fxCbipLVh+5juEe7QpJeQ4HiLlbFZITrWBK4qMk5gYuk i0ZUmXkMp87338Egcay5j68h0PkNyPRUNFgXwIwi29f5ZVx0SGqnZPyx8KxCYiKVnXVB suM+RMwGYsRxNGn4Bg1ZDLBsKH0JcVr7Sn/z8sP8Hnuzjfub+8lfEcO9bHBNKu1I2SYG iHI0ZTYBV+oVp+7n5OUEuR7wiA6gOypKp2nH4Zc0eRV/NOhglqaZ5fFnGDemVQT3IKXr ecL2yod/7IDsG7A5eKAXehnRZx1hGISALfiqX7g29NT+WxaC2ZZWRDADn8S8oMeBIxdn Z2hw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=NspjXuNg0wJk5AEB+qJfpBzWOeU4tYQ/0xORjx/0+a8=; b=eEPXaP4NZgQgK6FGovKRrmGufLfHTB9TSyYFDasaKrSOcaJowdWBnavD025kfc1MTQ bBlTjT01qvszhNfvyiFC4lzF2SaDlwc7MQVXQKHoWF1b0gZ0Bc4T5TbKP7XXnOtGJ0Ju FpyJXIFSzrBGDJ0CZwYKzKtmXQpmgTvuQeUELgbCnzchF3YaA6sxLNcbdXHiMMX7zqdk E30QZcYhlWjqfz5KOm7t4fAc2p8Mopgu0vb3b5hnPN2HVjb5CWOn/N68HWMyRIGvUoO6 0VHHddKawxL3ZzUlRbGG5Lj7qs4eq3gKIxtAcgHI1+6T+Q1gBNr7V/uqGNyptCaRwTce UF4Q==
X-Gm-Message-State: AOUpUlFCIs2rM50d5DOiznmnVrQKfllji7t6nWi/BoGTEgNEk4XO6nY2 Z94DQr5OjCpg4VeGnNwCbCIBQyFtM1DaAZ5ttRmHxA==
X-Google-Smtp-Source: AAOMgpfh7r1Yl/hutfHMXTFr+z1K9TjW8HfwGeKK1XFWpoX6QkoNOMnVKSIcOmdu4Ai1JNUh28GoGt+fW4kADXfFZE8=
X-Received: by 2002:a02:94af:: with SMTP id x44-v6mr335018jah.121.1531350101997; Wed, 11 Jul 2018 16:01:41 -0700 (PDT)
MIME-Version: 1.0
References: <CAOJ7v-1t_BDEEHmA4eqiS9ksYOOyHUz9LFLhQxs8FhjTdswP5w@mail.gmail.com> <CAOJ7v-3moUqwgxkz1Fek4vy-XV+WpDaO-PsQZEw4ougoCHjLww@mail.gmail.com> <CANN+akZ=Ebw41mA2wEX7-4u6q5WcZbFtM=VMLX4nDK39S=QGOQ@mail.gmail.com> <CAOJ7v-3X2Sj8Yid+i0=xadyH_Hmf4pMOF_iuOV+56Ty8HNnJuw@mail.gmail.com> <0ED74BE5-AC02-44C5-80E1-18532BD3D1FF@westhawk.co.uk> <CAOJ7v-0TGqvp=MUmeEUjYZTcvV37qbYSTV0pFMoi1J0CJQ7Q4A@mail.gmail.com> <CABkgnnXBTC5TERquJPO4dgiAKz037Cm0Omw4YrobtCW=wmGPyQ@mail.gmail.com> <CAOJ7v-0yzvu9POvR4Auokykqc63eju6_CveAzyVpcSd1kkK6Nw@mail.gmail.com> <CABkgnnXL6sdCDt=hjX+7KbP+xYm9jCmgjJNy4CvPPna_0oin=g@mail.gmail.com> <CAOJ7v-33ODGTsmbHEp_U7UdROvuKR7O7bne2_0tX6ivVf-+C5A@mail.gmail.com> <CABkgnnWJM4CE2ZLHYOOd=VYUj7kn5wFMAbeGB1HRyp++nvbPoQ@mail.gmail.com> <CAOJ7v-2WGyHSbSJwgbVVHLs-GO71rMLS2+OTetNyMhb0TM3ZcA@mail.gmail.com> <54EB6378-5DA2-4125-A4F4-84151D0E4F04@apple.com> <CAOJ7v-2dw1coDTpovTrKa__Oak7Jjn5EYgvWtByaRYmxfDDtXw@mail.gmail.com> <1d60feec-3a36-2deb-e4a7-703fb7144ed1@alvestrand.no> <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com>
In-Reply-To: <68bb5744-d9f2-462c-446d-ae47f2f27e5e@gmail.com>
From: Justin Uberti <juberti@google.com>
Date: Wed, 11 Jul 2018 16:01:30 -0700
Message-ID: <CAOJ7v-3CF5hXxOGkufzdP6VqrvjHW6BhnB1mjVnHjwv8pcP7KA@mail.gmail.com>
To: Lennart Grahl <lennart.grahl@gmail.com>
Cc: RTCWeb IETF <rtcweb@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dbcac80570c13a9f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/ocbM1hsDv8CVpV6CElyqcnCZg3U>
Subject: Re: [rtcweb] Security implications of host candidates
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 23:01:47 -0000

Thanks for the suggestions on intermediate modes. I think we're converging
on the following potential replacements for Mode 2:
2b) IPv4 mDNS + RFC 4941 IPv6
2d) mDNS of any private IPv4/IPv6  + any public v4/v6 (as determined via
STUN query)

2d) is basically your 2c), but exposing any IPs that would already be
visible to the server. This would basically give all the privacy benefits
of Mode 3 (although, unlike Mode 3, it does allow host-host connections).

Your 2a) probably makes more sense to consider as a derivative of Mode 1,
essentially a 1b), since it exposes all interfaces. I don't know if that
provides a lot of value, since Mode 1 already requires trust, but I'd be
open to arguments for this.

I think the main outstanding question is what we want the final Mode 2 to
be (2b vs 2d), and the key sub-question is whether we think there's enough
benefit in hiding private RFC 4941 addresses. However, we may need
experimental data to properly consider the tradeoffs.



On Wed, Jul 11, 2018 at 7:22 AM Lennart Grahl <lennart.grahl@gmail.com>
wrote:

> On 10.07.2018 09:56, Harald Alvestrand wrote:
> > Thoughts:
> >
> > - If I want to find out that I'm on the same host as another context
> > that I can communicate with in *any* fashion, I've got lots of games I
> > can play.
> >
> > Example: Measure memory pressure, allocate 1 Gbyte in one context,
> > measure memory pressure again. This works for any measurement that's
> > available to both contexts and relates to the whole system.
> > Example: Measure the local clock's skew compared to some reference clock
> > (NTP-fashion). If the skew is the same down to the nanosecond, same host
> > is likely.
> > Example: Allocate any resource that can only be accessed from one
> > context at a time. Loop, asking for it, in the other context. Release it
> > in the first context, and check the timing on when the other one gets it.
> >
> > In general, anything that can potentially be used as a covert channel
> > can be used more easily to figure out if we're on the same host.
> >
> > My conclusion: Defending against this attack isn't worth the trouble.
> > We've already lost.
> >
> > - Nevertheless, we're finding that the MDNS mode has implications that
> > we don't perceive fully yet.
> >
> > My conclusion: This is an additional mode, not a replacement for one of
> > the other modes. We should continue to specify both.
>
> I'm treating this thread as a follow-up to the "IP handling: Using mDNS
> names for host candidates" thread, so this refers to both drafts and the
> PR for ip-handling (https://github.com/juberti/draughts/pull/103).
>
> Harald, I second your conclusions. Regarding mDNS, I see potential for
> the following three "intermediate" modes:
>
> - Mode 2.a: Enumerates all addresses but only the default route's
> interface addresses are exposed as host candidates. All other addresses
> are hidden via mDNS.
> - Mode 2.b: The mode 2 as described in ip-handling-09.
> - Mode 2.c: Only expose the default route's interface addresses hidden
> via mDNS.
>
> 2.a is a minor improvement but will fix issues for users who would be
> able to establish a direct connection over a different route but the
> default one.
>
> 2.c is a major restriction over 2.b and 2.a. since it will break the
> ability to establish direct connections in a corporate network.
>
> Regarding the ip-handling document: It's probably okay to restrict the
> default mode further from ip-handling-09's mode 2. FWIW, it might even
> be okay to give implementations the freedom to choose any of the
> available modes as their default (let's be honest, many browser vendors
> have already done so anyway). But only if all use cases have access to
> an adequate way to request consent to achieve mode 1 or at least 2.a.
> Specifically, this should be a MUST in the ip-handling document. Because
> if that is not guaranteed, some less obvious already existing use cases
> (think of sharedrop.io for example) will be further discriminated and
> without a TURN server can be completely broken. Not to mention the
> impact on delay and throughput caused by hairpinning or even relaying.
>
> Cheers
> Lennart
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>

v2.23.0 | Report a Bug | By Email