Re: [secdir] secdir review of draft-ietf-avt-rapid-acquisition-for-rtp-16

"Ali C. Begen (abegen)" <abegen@cisco.com> Mon, 25 October 2010 15:12 UTC

Return-Path: <abegen@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A78003A686B; Mon, 25 Oct 2010 08:12:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.564
X-Spam-Level:
X-Spam-Status: No, score=-10.564 tagged_above=-999 required=5 tests=[AWL=0.035, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PcYNQ95oJGzH; Mon, 25 Oct 2010 08:12:56 -0700 (PDT)
Received: from sj-iport-4.cisco.com (sj-iport-4.cisco.com [171.68.10.86]) by core3.amsl.com (Postfix) with ESMTP id 90BA93A6A27; Mon, 25 Oct 2010 08:12:56 -0700 (PDT)
Authentication-Results: sj-iport-4.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEANI7xUyrR7H+/2dsb2JhbAChXXGgH5wlhUgEhFSJBQ
X-IronPort-AV: E=Sophos;i="4.58,236,1286150400"; d="scan'208";a="206223944"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-4.cisco.com with ESMTP; 25 Oct 2010 15:14:41 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id o9PFEfv7024561; Mon, 25 Oct 2010 15:14:41 GMT
Received: from xmb-sjc-215.amer.cisco.com ([171.70.151.169]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 25 Oct 2010 08:14:41 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 25 Oct 2010 08:15:04 -0700
Message-ID: <04CAD96D4C5A3D48B1919248A8FE0D540D816948@xmb-sjc-215.amer.cisco.com>
In-Reply-To: <4CC599E7.2010703@cs.tcd.ie>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: secdir review of draft-ietf-avt-rapid-acquisition-for-rtp-16
Thread-Index: Act0VGWN9CE7A2kMSqegc8VG0BPxkgAAYR9w
References: <4CAA07C8.4030806@cs.tcd.ie> <04CAD96D4C5A3D48B1919248A8FE0D540D758A5D@xmb-sjc-215.amer.cisco.com> <4CC58A1C.5020704@cs.tcd.ie> <04CAD96D4C5A3D48B1919248A8FE0D540D81691E@xmb-sjc-215.amer.cisco.com> <4CC599E7.2010703@cs.tcd.ie>
From: "Ali C. Begen (abegen)" <abegen@cisco.com>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
X-OriginalArrivalTime: 25 Oct 2010 15:14:41.0558 (UTC) FILETIME=[5912EB60:01CB7457]
X-Mailman-Approved-At: Tue, 26 Oct 2010 18:28:17 -0700
Cc: draft-ietf-avt-rapid-acquisition-for-rtp.all@tools.ietf.org, sec-ads@ietf.org, avt-chairs@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-avt-rapid-acquisition-for-rtp-16
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Oct 2010 15:12:59 -0000

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Monday, October 25, 2010 4:53 PM
> To: Ali C. Begen (abegen)
> Cc: draft-ietf-avt-rapid-acquisition-for-rtp.all@tools.ietf.org; sec-ads@ietf.org; secdir@ietf.org; avt-chairs@ietf.org
> Subject: Re: secdir review of draft-ietf-avt-rapid-acquisition-for-rtp-16
> 
> 
> 
> On 25/10/10 15:04, Ali C. Begen (abegen) wrote:
> > Hi Stephen,
> >
> > This time, hopefully a quick answer.
> 
> Let's keep it up while we can:-)
> 
> >> The first is that this protocol is vulnerable to off-path DoS attacks
> >> unless SRTP is used, and even where SRTP is used, additional (though
> >> minor) constraints on how it is used are required to prevent
> >> authorized receivers messing with one another.
> >
> > First of all, while RAMS could be favored more by the attackers due to the damage it can make, the same set of problems
> exist in any scenario where a feedback target (receiving feedback from multicast receivers) is supposed to act on them
> (doing retransmissions, or asking the actual media source to slow down, speed up, etc.).
> 
> Fair enough. I've no idea if this application is more likely
> to be used as a potential DoS vector, compared to others with
> the same issues.

We will see. IPTV is one of the mostly used multicast (SSM) application out there. So, RAMS will be a good test.
 
> > If we really need further explanation about SRTP, I will get together with my SRTP-savvy friends and work on this.
> 
> Don't think that's needed myself, its more whether or not
> SRTP is a real solution that'll be used, and as I say, I've
> no idea about that.
> 
> >> The -16 version is clear enough (I think) about this, so my only
> >> remaining question is whether or not SRTP, with the additional
> >> constraints specified, is likely to be deployed or not.
> >
> > Well, I think we are only responsible to mention the problems and possible solutions. We cannot force vendors to
> implement everything from A to Z. The first deployment that RAMS has is the IPTV networks (for fast channel change). In
> such environments, the networks are managed and clients are deployed by the operator anyway. So, many of these concerns
> are not even relevant. I'd imagine they would not care much about SRTP.
> >
> > In other areas, SRTP could be needed, but will it be always used? It is not up to me.
> 
> Sure. But I guess there are other situations where RFCs say
> e.g. "use s/mime" but we know that people just don't do that.

Indeed.
 
> >> I have no idea myself, but if its unlikely to really be deployed,
> >> then the vulnerability could probably easily be exploited which
> >> would be bad and would lead me at least to wonder whether it would
> >> be wiser to try to design this so that it is less vulnerable to
> >> off-path attacks. (Assuming that such a solution exists of course.)
> >
> > I would not say it is very unlikely as SRTP exists today in many VoIP applications. So, the code is available. It is not rocket
> science, either. So, there is hope ;)
> 
> Right. And I assume that the AVT WG and the IESG might know
> if that hope is likely to be realised.
> 
> To be clear, I'm not asking for a change to -16 here, I'm really
> asking if -16's use of SRTP is likely to happen or not, and if
> not, (which you guys may know), then whether that's considered
> ok or not.

I don't have a concern at least for the applications we are considering RAMS for. If IESG will have, then I hope we will figure out something.
 
> >> The second one relates to the additional SRTP constraints. The new
> >> text says that the BRS needs to keep a list of receiver certs (which
> >> seems unlikely) or else must ensure that all receivers are certified
> >> by some "trusted" CA. I don't think that really works - if the
> >> problem is that authorized receivers could DoS one another then I
> >> don't see how this fixes that. Or am I missing something?
> >
> > Hit by your friends? E.g., the wife's set-top can attack the husband's set-top if her channel changes are getting slower. That
> is a tough problem to fix, though ;)
> 
> Well, hit by anyone else who can change a channel using
> that BRS, which presumably is more than just my friends.

The example was just funny and I could not resist sending :)
 
> > I think this can be only solved if each unicast session is associated with the initial requestor's cert. So, only the messages
> with the right cert can cause changes in that session. Would that solve the problem?
> 
> I guess so, though that then depends on each receiver having
> a key pair and cert, which is probably a deployment headache.

Yes, that would be a concern if the server needs to deal with e.g., 100K clients.

> Is there no other way that this protocol could be hardened
> against off-path DoS attempts? E.g. if messages contained a
> nonce that had to be present in each subsequent message if
> it was present in the first? Maybe the WG considered that
> and rejected it, I don't know.

Actually, there is a normative reference for RAMS, which is the port mapping stuff:
http://tools.ietf.org/html/draft-ietf-avt-ports-for-ucast-mcast-rtp-02
https://datatracker.ietf.org/idtracker/draft-begen-avt-token-for-portmapping/

These add a natural protection since they require a cookie or token validation (which verifies the address (and maybe the port) of the client). The work is still in progress but eventually, regardless of which approach is chosen, it will hopefully avoid somebody else using your cookie/token so in theory they cannot hijack your RAMS session.

Cheers, acbegen.