Re: [rtcweb] Security issue: consent refresh
Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 28 October 2011 09:51 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1DC21F8AD6 for <rtcweb@ietfa.amsl.com>; Fri, 28 Oct 2011 02:51:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.56
X-Spam-Level:
X-Spam-Status: No, score=-106.56 tagged_above=-999 required=5 tests=[AWL=0.039, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NdfZe90Oxzuj for <rtcweb@ietfa.amsl.com>; Fri, 28 Oct 2011 02:51:07 -0700 (PDT)
Received: from mailgw10.se.ericsson.net (mailgw10.se.ericsson.net [193.180.251.61]) by ietfa.amsl.com (Postfix) with ESMTP id 4AA0321F87E2 for <rtcweb@ietf.org>; Fri, 28 Oct 2011 02:51:07 -0700 (PDT)
X-AuditID: c1b4fb3d-b7c26ae0000035b9-a3-4eaa7b050a8d
Received: from esessmw0247.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw10.se.ericsson.net (Symantec Mail Security) with SMTP id 62.D0.13753.50B7AAE4; Fri, 28 Oct 2011 11:51:02 +0200 (CEST)
Received: from [127.0.0.1] (153.88.115.8) by esessmw0247.eemea.ericsson.se (153.88.115.94) with Microsoft SMTP Server id 8.3.137.0; Fri, 28 Oct 2011 11:51:02 +0200
Message-ID: <4EAA7B02.4010400@ericsson.com>
Date: Fri, 28 Oct 2011 11:50:58 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Hadriel Kaplan <HKaplan@acmepacket.com>
References: <3FACD0E9-449A-4897-8997-F76B5A41A34E@acmepacket.com>
In-Reply-To: <3FACD0E9-449A-4897-8997-F76B5A41A34E@acmepacket.com>
X-Enigmail-Version: 1.3.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: AAAAAA==
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Security issue: consent refresh
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Oct 2011 09:51:08 -0000
On 2011-10-28 02:02, Hadriel Kaplan wrote: > Howdy, per the request made by the Chairs for threads on the security > daft, I'm starting this one on the topic of media-stream consent > refresh. This is related to section 4.2.3 of > draft-ietf-rtcweb-security. > > The concern here is to make sure the other side wants to keep > receiving RTP, since a malicious JS can prevent the Browser learning > the far-end no longer wants to communicate via the high-path. It > also provides protection against certain non-malicious failure cases, > especially with automated systems like media servers. > > Receipt of RTP cannot be used for consent refresh since the session > may be in sendonly/recvonly mode, and RTP can be easily spoofed. One > proposal was to use receipt of RTCP as consent refresh. > > ISTM the problem with using RTCP is (1) some deployed devices don't > do RTCP and faking it in a gateway is bad mojo, and The question is if non RTCP sender will be able at all to interact with WEBRTC peers at all due to congestion control reasons. I think we will come back to this issue several times. (2) if RTCP > wasn't entropic enough for initial consent, why is it for consent > refresh? The issue is that as RTCP contains only a limited amount of entropy it takes long time to provide consent that it isn't feasible. The question is if the same is true for consent refresh. This as one can look over a window of the last 30 seconds and see if a sufficient number of correct RTCP Report blocks has been received that matches the RTCP SR that the media sender sent. > > Alternative Proposal: I think one obvious solution is to use a STUN > request/response check as a consent refresh. The STUN check does not > need to use SHA-1 stuff, just responding with the same transaction ID > as the request should provide enough entropy. The STUN message could > be an existing one from RFC 5389, but it would take a new draft to > say "do this" and indicate it in SDP. And the reason you are not needing the SHA-1 stuff is that you see no need for this consent refresh to continue to verify that the one sending the answers echoing the transaction IDs is a node which you provided with the credentials? Or which the "evil" webservice has provisioned with the credentials from the signalling exchange? > > The benefits of this are that it doesn't rely on RTCP entropy, or > even RTCP period. It is easier to implement in a gateway than fake > RTCP generation. And it allows interworking gateways to get out of > the way (not be in the media-plane) because they can know both sides > do the consent refresh, which they don't know about just RTCP. Well, interworking gateways that have peers that terminates their ICE connectivity check capabilities after session establishment and only send STUN indication will not work as you stated. And in the case the peer are not ICE capable and you anyhow need the media plane gateway function to answer the ICE exchanges you get more work in this gateway. > > The downside is any existing RTP devices that already support ICE and > RTCP would need to be upgraded in order to talk to WebRTC. I think > there's a solution to that too if people think we need to interop > with them without upgrading. One idea is IF RTCP is sufficiently > entropic for consent refresh, then we have an escape clause that if > the peer doesn't indicate support for this new STUN-based consent > refresh, then we allow it to use RTCP as consent refresh. If you need this upgrade, why not ensure that they do RTCP? That is more useful for also other purpose and may actually ensure that we can fulfill some minimal congestion control requirements even in the interworking cases. Yes, it is more new code, than tweaking an existing ICE stack to do what you suggest. Cheers Magnus Westerlund ---------------------------------------------------------------------- Multimedia Technologies, Ericsson Research EAB/TVM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [rtcweb] Security issue: consent refresh Hadriel Kaplan
- Re: [rtcweb] Security issue: consent refresh Magnus Westerlund
- Re: [rtcweb] Security issue: consent refresh Hadriel Kaplan
- Re: [rtcweb] Security issue: consent refresh Bernard Aboba
- Re: [rtcweb] Security issue: consent refresh Magnus Westerlund
- Re: [rtcweb] Security issue: consent refresh Randell Jesup