Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)

Eric Rescorla <ekr@rtfm.com> Mon, 23 April 2018 00:23 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E6D8126D73 for <tram@ietfa.amsl.com>; Sun, 22 Apr 2018 17:23:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pdVM7-n2tq30 for <tram@ietfa.amsl.com>; Sun, 22 Apr 2018 17:22:59 -0700 (PDT)
Received: from mail-ot0-x233.google.com (mail-ot0-x233.google.com [IPv6:2607:f8b0:4003:c0f::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83E3F1241F3 for <tram@ietf.org>; Sun, 22 Apr 2018 17:22:56 -0700 (PDT)
Received: by mail-ot0-x233.google.com with SMTP id w4-v6so15334209ote.12 for <tram@ietf.org>; Sun, 22 Apr 2018 17:22:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=GTTFVyVATBms960Y3SuwqD2Z85Qr3ZFVM0zQU/NXeYk=; b=TNQqjbGSvowZS6fEhb1pfCdcPFuiQZ7KOJB6SZiJFciidluRXGRW5s8l0HYKDXszs3 j1v7sSX6nPODCLdsquB7mWiQvFClOhgJkilfmYg9gxeF7513YIUHqJg6mjTaI+Oyzsnl D4u2bICLQpDwq2tgbbPv7wIJAONdZUyPQQZr1h9S8us5K759mDb9/CQdx4pZllHxNlkj f6vJBjKzTETioZ2ESsLBALLGEQdFtJ6M57LlxkWfWIB+xOrpY9aOYlal8aeKimcSZMYt T20EY7cnYfmapykrJuS9wcgupjQAffMUin4bUL6mQlo1PcXxXSo9Thidzp8nWtvYK+zh CqFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=GTTFVyVATBms960Y3SuwqD2Z85Qr3ZFVM0zQU/NXeYk=; b=aped+AQ44bd6eXCOLkuw3XH87R2MQo0vR/W9a9AntA+MmKadq9nQaym4U2qks/Wxec 3+bPpPHP3ULsQZH0t9PF9VNFZaUyxoIIhv7JEjJOow+RzvWuiqscP1PboEbhHmoeEkYG P/pXVa3mYUoSl99dGYePeaBta/twDcGkASu/vhyrEPexlYaooaQMkBUFkOzZB+of6yQU rfEPgbwQaCcQABuoaFEPtXzr2+sd6ozdg90Uy49HDVqe2gRLKOdW/xTZJ5W7neBvi8Dm 0osXQXMPHVo+1UzjZsudUP4SHSE+h47+/9v8D7XJ5C31l02Cykx318osbDJxaf/nl6E8 gQLw==
X-Gm-Message-State: ALQs6tDRg0g2OppcPm5ytteiiMqXiCsmdeCxCDbJ36qzgM7XnhohcQ26 0jxvzJB83/ZCTmse2bNQ+NYe6Tkbcx2FAyOtnB95Tg==
X-Google-Smtp-Source: AIpwx498aUQW3aCbwSGX92vocN2jToKgmK6kHb4HxZy9Lt0nAruphbIrTifUGSaoQnlDGH0khOCE0XILHcQr8MBbnQ4=
X-Received: by 2002:a9d:3b03:: with SMTP id z3-v6mr12036015otb.392.1524442975869; Sun, 22 Apr 2018 17:22:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.118.130 with HTTP; Sun, 22 Apr 2018 17:22:15 -0700 (PDT)
In-Reply-To: <c0a06754-6f8c-97dc-7f7e-26a7df43e842@acm.org>
References: <152390863222.19652.10310304989315386136.idtracker@ietfa.amsl.com> <c0a06754-6f8c-97dc-7f7e-26a7df43e842@acm.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 22 Apr 2018 17:22:15 -0700
Message-ID: <CABcZeBNk4KWA1Bzw7=i=Siie_6Vf7v-v2cfDyA4WvSAE2D9hrA@mail.gmail.com>
To: Marc Petit-Huguenin <petithug@acm.org>
Cc: The IESG <iesg@ietf.org>, tram-chairs@ietf.org, tasveren@rbbn.com, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, draft-ietf-tram-stunbis@ietf.org, tram@ietf.org
Content-Type: multipart/alternative; boundary="0000000000000eb4b1056a790af1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/1PHwhXQRmQsEK-jl7WS2cjF9hXQ>
Subject: Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2018 00:23:02 -0000

On Sun, Apr 22, 2018 at 2:02 PM, Marc Petit-Huguenin <petithug@acm.org>
wrote:

>
> >>      For a request or indication message, the agent MUST include the
> >>      USERNAME, MESSAGE-INTEGRITY-SHA256, and MESSAGE-INTEGRITY
> attributes
> >>      in the message unless the agent knows from an external indication
> >>      which message integrity algorithm is supported by both agents.  In
> >>      this case either MESSAGE-INTEGRITY or MESSAGE-INTEGRITY-SHA256 MUST
> >>      be included in addition to USERNAME.  The HMAC for the MESSAGE-
> >
> > This text appears to conflict with S 7.3 of 5245-bis, which says:
>
> [text missing]
>
> Hmm, no, RFC245bis is still referencing RFC5389, so the procedure for
> stunbis does not apply.
>

I hear what you're saying, but publishing two documents at the same time
which
make contrary recommendations about the same basic protocol is un-good.


>>      The STUN usage must specify which transport protocol is used, and
> how
> >>      the agent determines the IP address and port of the recipient.
> >>      Section 8 describes a DNS-based method of determining the IP
> address
> >>      and port of a server that a usage may elect to use.  STUN may be
> used
> >>      with anycast addresses, but only with UDP and in usages where
> >>      authentication is not used.
> >
> > Why this restriction? You should be able to use anycast with long-term
> > AUTH for (say) TURN.
>
> https://www.ietf.org/mail-archive/web/behave/current/msg03582.html
>
> I think that the decision of permitting Anycast should be left to each
> STUN Usage.  Basic STUN Usage does not use authentication and use only a
> one round trip for the Binding transaction, so Unicast can be used.
>

> OTOH, TURN and ICE should probably say something about that, so I added a
> new bullet point in Section 13:
>
>    o  If Anycast addresses can be used for the server in case TCP or
>       TLS-over-TCP, or authentication are used.
>

Are you leaving this text in? That seems very confusing.


> >>      transaction over UDP or DTLS-over-UDP is also considered failed if
> >>      there has been a hard ICMP error [RFC1122].  For example, assuming
> an
> >>      RTO of 500ms, requests would be sent at times 0 ms, 500 ms, 1500
> ms,
> >>      3500 ms, 7500 ms, 15500 ms, and 31500 ms.  If the client has not
> >>      received a response after 39500 ms, the client will consider the
> >>      transaction to have timed out.
> >
> > I note that these recommendations now seem crazily long. I assume the
> > WG had consensus on this, but I wanted to note it.
>
> Not just the WG, also the IESG that approved RFC 5389 too as, but for the
> addition of "or DTLS-over-UDP", this is the same text than in RFC 5389.
>

Yes, I know. My point is that while they might have bee sensible when
5389 was published they *now* seem crazily long. Did the WG explicitly
decide not to update them?




> >>      ALTERNATE-SERVER where authentication of the response is not
> possible
> >>      or practical.  If the transaction uses TLS or DTLS and if the
> >>      transaction is authenticated by a MESSAGE-INTEGRITY-SHA256
> attribute
> >>      and if the server wants to redirect to a server that uses a
> different
> >>      certificate, then it MUST include an ALTERNATE-DOMAIN attribute
> >>      containing the subjectAltName of that certificate.
> >
> > 1. Why is MESSAGE-INTEGRITY-SHA256 relevant here?
>
> ALTERNATE-DOMAIN exists only since stunbis, so the
> MESSAGE-INTEGRITY-SHA256 acts as a flag indicating that 1) the transaction
> is authenticated and 2) that the client understand that new attribute.
>

This would be good to explain.


> >>      o  What authentication and message-integrity mechanisms are used.
> >>
> >>      o  The considerations around manual vs. automatic key derivation
> for
> >>         the integrity mechanism, as discussed in [RFC4107].
> >>
> >>      o  What mechanisms are used to distinguish STUN messages from other
> >
> > Why is this required? It seems like that's a generic STUN feature.
>
> That text is identical to the text in RFC 5389.  RFC 5764/7983 is one such
> mechanism, but there is nothing that prevent another protocol stack to use
> a different mechanism (inference, shim, etc...)
>

But ultimately no matter what the other protocol provides for demux, STUN
has its
own demux.


>>      transport protocol uses TLS or DTLS.
> >>
> >>      The value of ALTERNATE-DOMAIN is variable length.  It MUST be a
> UTF-8
> >>      [RFC3629] encoded sequence of less than 128 characters (which can
> be
> >>      as long as 509 bytes when encoding them and as long as 763 bytes
> when
> >>      decoding them).
> >
> > Is it an A-label or a U-label?
>
> I do not know.  What would you suggest?
>

I believe Alexey raised this separately, so I would refer to his comments.

>
> >
> >>      that is not readily subject to offline dictionary attacks.
> >>      Protection of the channel itself, using TLS or DTLS, mitigates
> these
> >>      attacks.
> >>
> >>      STUN supports both MESSAGE-INTEGRITY and MESSAGE-INTEGRITY-SHA256,
> >>      which is subject to bid down attacks by an on-path attacker.
> >
> > By an on-path attacker who can forge HMAC-SHA1 in real-time? That's a
> > pretty serious adversary, so you should clarify here
> >
>
> New text:
>
>    STUN supports both MESSAGE-INTEGRITY and MESSAGE-INTEGRITY-SHA256,
>    which is subject to bid down attacks by an on-path attacker that
>    would strip the MESSAGE-INTEGRITY-SHA256 attribute leaving only the
>    MESSAGE-INTEGRITY attribute and exploiting a potential vulnerability.
>    Protection of the channel itself, using TLS or DTLS, mitigates these
>    attacks.  Timely removal of the support of MESSAGE-INTEGRITY in a
>    future version of STUN is necessary.
>

I still don't understand the capabilities you seem to believe the attacker
has.
Can you describe the exact attack.