Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Mon, 23 April 2018 00:23 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E6D8126D73 for <tram@ietfa.amsl.com>; Sun, 22 Apr 2018 17:23:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pdVM7-n2tq30 for <tram@ietfa.amsl.com>; Sun, 22 Apr 2018 17:22:59 -0700 (PDT)
Received: from mail-ot0-x233.google.com (mail-ot0-x233.google.com [IPv6:2607:f8b0:4003:c0f::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83E3F1241F3 for <tram@ietf.org>; Sun, 22 Apr 2018 17:22:56 -0700 (PDT)
Received: by mail-ot0-x233.google.com with SMTP id w4-v6so15334209ote.12 for <tram@ietf.org>; Sun, 22 Apr 2018 17:22:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=GTTFVyVATBms960Y3SuwqD2Z85Qr3ZFVM0zQU/NXeYk=; b=TNQqjbGSvowZS6fEhb1pfCdcPFuiQZ7KOJB6SZiJFciidluRXGRW5s8l0HYKDXszs3 j1v7sSX6nPODCLdsquB7mWiQvFClOhgJkilfmYg9gxeF7513YIUHqJg6mjTaI+Oyzsnl D4u2bICLQpDwq2tgbbPv7wIJAONdZUyPQQZr1h9S8us5K759mDb9/CQdx4pZllHxNlkj f6vJBjKzTETioZ2ESsLBALLGEQdFtJ6M57LlxkWfWIB+xOrpY9aOYlal8aeKimcSZMYt T20EY7cnYfmapykrJuS9wcgupjQAffMUin4bUL6mQlo1PcXxXSo9Thidzp8nWtvYK+zh CqFQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=GTTFVyVATBms960Y3SuwqD2Z85Qr3ZFVM0zQU/NXeYk=; b=aped+AQ44bd6eXCOLkuw3XH87R2MQo0vR/W9a9AntA+MmKadq9nQaym4U2qks/Wxec 3+bPpPHP3ULsQZH0t9PF9VNFZaUyxoIIhv7JEjJOow+RzvWuiqscP1PboEbhHmoeEkYG P/pXVa3mYUoSl99dGYePeaBta/twDcGkASu/vhyrEPexlYaooaQMkBUFkOzZB+of6yQU rfEPgbwQaCcQABuoaFEPtXzr2+sd6ozdg90Uy49HDVqe2gRLKOdW/xTZJ5W7neBvi8Dm 0osXQXMPHVo+1UzjZsudUP4SHSE+h47+/9v8D7XJ5C31l02Cykx318osbDJxaf/nl6E8 gQLw==
X-Gm-Message-State: ALQs6tDRg0g2OppcPm5ytteiiMqXiCsmdeCxCDbJ36qzgM7XnhohcQ26 0jxvzJB83/ZCTmse2bNQ+NYe6Tkbcx2FAyOtnB95Tg==
X-Google-Smtp-Source: AIpwx498aUQW3aCbwSGX92vocN2jToKgmK6kHb4HxZy9Lt0nAruphbIrTifUGSaoQnlDGH0khOCE0XILHcQr8MBbnQ4=
X-Received: by 2002:a9d:3b03:: with SMTP id z3-v6mr12036015otb.392.1524442975869; Sun, 22 Apr 2018 17:22:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.118.130 with HTTP; Sun, 22 Apr 2018 17:22:15 -0700 (PDT)
In-Reply-To: <c0a06754-6f8c-97dc-7f7e-26a7df43e842@acm.org>
References: <152390863222.19652.10310304989315386136.idtracker@ietfa.amsl.com> <c0a06754-6f8c-97dc-7f7e-26a7df43e842@acm.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 22 Apr 2018 17:22:15 -0700
Message-ID: <CABcZeBNk4KWA1Bzw7=i=Siie_6Vf7v-v2cfDyA4WvSAE2D9hrA@mail.gmail.com>
To: Marc Petit-Huguenin <petithug@acm.org>
Cc: The IESG <iesg@ietf.org>, tram-chairs@ietf.org, tasveren@rbbn.com, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, draft-ietf-tram-stunbis@ietf.org, tram@ietf.org
Content-Type: multipart/alternative; boundary="0000000000000eb4b1056a790af1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/1PHwhXQRmQsEK-jl7WS2cjF9hXQ>
Subject: Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2018 00:23:02 -0000
On Sun, Apr 22, 2018 at 2:02 PM, Marc Petit-Huguenin <petithug@acm.org> wrote: > > >> For a request or indication message, the agent MUST include the > >> USERNAME, MESSAGE-INTEGRITY-SHA256, and MESSAGE-INTEGRITY > attributes > >> in the message unless the agent knows from an external indication > >> which message integrity algorithm is supported by both agents. In > >> this case either MESSAGE-INTEGRITY or MESSAGE-INTEGRITY-SHA256 MUST > >> be included in addition to USERNAME. The HMAC for the MESSAGE- > > > > This text appears to conflict with S 7.3 of 5245-bis, which says: > > [text missing] > > Hmm, no, RFC245bis is still referencing RFC5389, so the procedure for > stunbis does not apply. > I hear what you're saying, but publishing two documents at the same time which make contrary recommendations about the same basic protocol is un-good. >> The STUN usage must specify which transport protocol is used, and > how > >> the agent determines the IP address and port of the recipient. > >> Section 8 describes a DNS-based method of determining the IP > address > >> and port of a server that a usage may elect to use. STUN may be > used > >> with anycast addresses, but only with UDP and in usages where > >> authentication is not used. > > > > Why this restriction? You should be able to use anycast with long-term > > AUTH for (say) TURN. > > https://www.ietf.org/mail-archive/web/behave/current/msg03582.html > > I think that the decision of permitting Anycast should be left to each > STUN Usage. Basic STUN Usage does not use authentication and use only a > one round trip for the Binding transaction, so Unicast can be used. > > OTOH, TURN and ICE should probably say something about that, so I added a > new bullet point in Section 13: > > o If Anycast addresses can be used for the server in case TCP or > TLS-over-TCP, or authentication are used. > Are you leaving this text in? That seems very confusing. > >> transaction over UDP or DTLS-over-UDP is also considered failed if > >> there has been a hard ICMP error [RFC1122]. For example, assuming > an > >> RTO of 500ms, requests would be sent at times 0 ms, 500 ms, 1500 > ms, > >> 3500 ms, 7500 ms, 15500 ms, and 31500 ms. If the client has not > >> received a response after 39500 ms, the client will consider the > >> transaction to have timed out. > > > > I note that these recommendations now seem crazily long. I assume the > > WG had consensus on this, but I wanted to note it. > > Not just the WG, also the IESG that approved RFC 5389 too as, but for the > addition of "or DTLS-over-UDP", this is the same text than in RFC 5389. > Yes, I know. My point is that while they might have bee sensible when 5389 was published they *now* seem crazily long. Did the WG explicitly decide not to update them? > >> ALTERNATE-SERVER where authentication of the response is not > possible > >> or practical. If the transaction uses TLS or DTLS and if the > >> transaction is authenticated by a MESSAGE-INTEGRITY-SHA256 > attribute > >> and if the server wants to redirect to a server that uses a > different > >> certificate, then it MUST include an ALTERNATE-DOMAIN attribute > >> containing the subjectAltName of that certificate. > > > > 1. Why is MESSAGE-INTEGRITY-SHA256 relevant here? > > ALTERNATE-DOMAIN exists only since stunbis, so the > MESSAGE-INTEGRITY-SHA256 acts as a flag indicating that 1) the transaction > is authenticated and 2) that the client understand that new attribute. > This would be good to explain. > >> o What authentication and message-integrity mechanisms are used. > >> > >> o The considerations around manual vs. automatic key derivation > for > >> the integrity mechanism, as discussed in [RFC4107]. > >> > >> o What mechanisms are used to distinguish STUN messages from other > > > > Why is this required? It seems like that's a generic STUN feature. > > That text is identical to the text in RFC 5389. RFC 5764/7983 is one such > mechanism, but there is nothing that prevent another protocol stack to use > a different mechanism (inference, shim, etc...) > But ultimately no matter what the other protocol provides for demux, STUN has its own demux. >> transport protocol uses TLS or DTLS. > >> > >> The value of ALTERNATE-DOMAIN is variable length. It MUST be a > UTF-8 > >> [RFC3629] encoded sequence of less than 128 characters (which can > be > >> as long as 509 bytes when encoding them and as long as 763 bytes > when > >> decoding them). > > > > Is it an A-label or a U-label? > > I do not know. What would you suggest? > I believe Alexey raised this separately, so I would refer to his comments. > > > > >> that is not readily subject to offline dictionary attacks. > >> Protection of the channel itself, using TLS or DTLS, mitigates > these > >> attacks. > >> > >> STUN supports both MESSAGE-INTEGRITY and MESSAGE-INTEGRITY-SHA256, > >> which is subject to bid down attacks by an on-path attacker. > > > > By an on-path attacker who can forge HMAC-SHA1 in real-time? That's a > > pretty serious adversary, so you should clarify here > > > > New text: > > STUN supports both MESSAGE-INTEGRITY and MESSAGE-INTEGRITY-SHA256, > which is subject to bid down attacks by an on-path attacker that > would strip the MESSAGE-INTEGRITY-SHA256 attribute leaving only the > MESSAGE-INTEGRITY attribute and exploiting a potential vulnerability. > Protection of the channel itself, using TLS or DTLS, mitigates these > attacks. Timely removal of the support of MESSAGE-INTEGRITY in a > future version of STUN is necessary. > I still don't understand the capabilities you seem to believe the attacker has. Can you describe the exact attack.
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- [tram] Eric Rescorla's Discuss on draft-ietf-tram… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Brandon Williams
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Matthew A. Miller
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Brandon Williams
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- [tram] Blackout posting of draft-ietf-tram-stunbi… Spencer Dawkins at IETF
- Re: [tram] Blackout posting of draft-ietf-tram-st… Gonzalo Salgueiro (gsalguei)