Re: [secdir] secdir review of draft-ietf-avtcore-ports-for-ucast-mcast-rtp-01

"Ali C. Begen (abegen)" <abegen@cisco.com> Wed, 06 April 2011 11:20 UTC

Return-Path: <abegen@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A8F7D3A690F; Wed, 6 Apr 2011 04:20:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.528
X-Spam-Level:
X-Spam-Status: No, score=-10.528 tagged_above=-999 required=5 tests=[AWL=0.071, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lQtmzh1op6z4; Wed, 6 Apr 2011 04:20:57 -0700 (PDT)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id 7515C3A6907; Wed, 6 Apr 2011 04:20:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=abegen@cisco.com; l=5432; q=dns/txt; s=iport; t=1302088961; x=1303298561; h=mime-version:content-transfer-encoding:subject:date: message-id:in-reply-to:references:from:to; bh=Bpw9uAeXF1knMWiFbC96iA47CM9wlCEDJOXYj3QfNFc=; b=lQ1gh6K4lBWanK0KwugdfN4la6qGuFBVv3rmYyP4O8vuh1Q0ksl11p8P JLcFNtq4xKx1oKCkNdlQw67HvaMBwMElSYqaSfDfWbG4sXM1oWjOFNv4l yLhWzM9zjLaNiCR6fQjzgiwhsDJHKwMmhpxhzz1IshC7L8i6l5J6sb5I4 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvUAAHRMnE2rRDoH/2dsb2JhbACYLY1Ld3iIAZwpnCOFbASFTotX
X-IronPort-AV: E=Sophos;i="4.63,309,1299456000"; d="scan'208";a="290366585"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by sj-iport-3.cisco.com with ESMTP; 06 Apr 2011 11:22:26 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by mtv-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id p36BMQut021587; Wed, 6 Apr 2011 11:22:26 GMT
Received: from xmb-sjc-215.amer.cisco.com ([171.70.151.169]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Wed, 6 Apr 2011 04:22:25 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 6 Apr 2011 04:21:14 -0700
Message-ID: <04CAD96D4C5A3D48B1919248A8FE0D540EB56974@xmb-sjc-215.amer.cisco.com>
In-Reply-To: <D80EDFF2AD83E648BD1164257B9B09122C41462A@TK5EX14MBXC110.redmond.corp.microsoft.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: secdir review of draft-ietf-avtcore-ports-for-ucast-mcast-rtp-01
Thread-Index: AcvzxmoOwCr5HXG7TFutkMKEhgYPygAhEl/g
References: <D80EDFF2AD83E648BD1164257B9B09122C41462A@TK5EX14MBXC110.redmond.corp.microsoft.com>
From: "Ali C. Begen (abegen)" <abegen@cisco.com>
To: "Charlie Kaufman" <charliek@microsoft.com>, <secdir@ietf.org>, <iesg@ietf.org>, <draft-ietf-avtcore-ports-for-ucast-mcast-rtp.all@tools.ietf.org>
X-OriginalArrivalTime: 06 Apr 2011 11:22:25.0956 (UTC) FILETIME=[E8240E40:01CBF44C]
X-Mailman-Approved-At: Mon, 11 Apr 2011 08:18:17 -0700
Subject: Re: [secdir] secdir review of draft-ietf-avtcore-ports-for-ucast-mcast-rtp-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Apr 2011 11:20:58 -0000

Thanks Charlie. One comment below.

> -----Original Message-----
> From: Charlie Kaufman [mailto:charliek@microsoft.com]
> Sent: Wednesday, April 06, 2011 12:16 AM
> To: secdir@ietf.org; iesg@ietf.org; draft-ietf-avtcore-ports-for-ucast-mcast-rtp.all@tools.ietf.org
> Subject: secdir review of draft-ietf-avtcore-ports-for-ucast-mcast-rtp-01
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being
> processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document
> editors and WG chairs should treat these comments just like any other last call comments.
> 
> This protocol deals with requesting and managing multicast and unicast connection streams, and in particular dealing with
> the case where they are coming through a NAT. The interesting security threat in this case is one of DoS through
> amplification, where the attacker with a small number of packets can request that a source direct a large number of packets
> towards the victim. Because these streams do not have the sorts of acknowledgements that would force a TCP stream to
> back off if the target were unresponsive, the possibility of this sort of attack is particularly dangerous.
> 
> The RTP and RTCP protocols have no authentication infrastructure that can be leveraged. There is a resumption that all
> information is public and can be requested by any destination. (It is possible that one could implement encryption at a higher
> layer such that the data received would not be useful to someone who doesn't know the key, but any such encryption is
> beyond the scope of this protocol). This means that certain security attacks are unavoidable. In particular, an attacker could
> potentially exhaust the source or the network by requesting that data from large numbers of locations simultaneously. And
> an attacker that can act as a man-in-the-middle between source and victim can initiate a flood of data and then get out of
> the way.
> 
> This protocol attempts to assure that an attacker that can forge the victim's IP address but cannot receive packets addressed
> to the victim cannot mount an amplification DoS attack. It does that by adding a "token" to various messages in the protocol.
> The token is generated by the source when a context is set up and must be supplied by the receiver in requests to modify the
> data streams. In order to not add state at the source, they recommend that the token be generated as an HMAC-SHA1 of the
> concatenation of the client IP address, a client nonce (that is chosen for the session and supplied with each request), and a
> server timestamp (also chosen per session and supplied to prevent long delayed replay). This closely matches the design of
> "cookies" in other protocols.
> 
> The recommended use of HMAC-SHA1 may be slightly controversial, but its security is more than adequate for this
> application, it is a local decision on the part of the server, and the I-D has excellent text on how and when implementations
> should migrate to a different algorithm (in particular, referencing HMAC-SHA2-256).
> 
> There is one aspect of the design that I could not figure out reading the spec, and it would seem to relate to a security
> vulnerability that the spec therefore does not close. The spec recommends computing the token as a hash over a number of
> fields including the source IP address but not the source port. It appears that this is because the RTP and RTCP protocols use
> different ports and they want to use the same token with both. This introduces a threat, however, that if a node requests a
> token, that token will be valid for all nodes that are NATted behind the same IP address. An attacker in the inside of the

The token depends on other things but they are available next to the token in the response message. If a client asks for a token, and an attacker captures that token along with the associated nonce and exp time, then it can be used in an attack against this client. This is mentioned in par. 1 of section 9.1. 

For someone else with a different IP address to start an attack, it needs to spoof victim's IP address in addition to the token and its associated info. If spoofing is allowed in the network, you don't need a token to cause harm. Here we rely on ingress filtering in multicast networks to minimize this kind of risks. 

> NATted network could therefore acquire a token, hand it off to a co-conspirator outside the NATted network, and that co-
> conspirator could use it to direct traffic at a different node inside the network. It's not obvious what could or should be done
> to mitigate this threat. The spec allows for - but recommends against - using lots of different ports on the client side for
> different purposes, but I couldn't figure out how the client knows how all of those ports will be translated by the NAT. If there
> were a separate token per port, this problem could be solved, but I suspect there is some reason why that is impractical.

We cannot have a specific token port since there could be several similar apps running in the same system using this approach.

-acbegen

> 
> 	--Charlie