Re: [tram] I-D Action: draft-ietf-tram-turnbis-19.txt

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 14 August 2018 07:30 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Jonathan Lennox <jonathan@vidyo.com>, Brandon Williams <brandon.williams=40akamai.com@dmarc.ietf.org>
CC: Cullen Jennings <fluffy@cisco.com>, Eric Rescorla <ekr@rtfm.com>, "tram@ietf.org" <tram@ietf.org>, Justin Uberti <juberti@google.com>, "Ram Mohan R (rmohanr)" <rmohanr@cisco.com>, Nils Ohlmeier <nohlmeier@mozilla.com>
Date: Tue, 14 Aug 2018 07:29:22 +0000
Message-ID: <BN6PR16MB14251AB6322D891E73768AB8EA380@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <152809326560.20924.1993421118096117008@ietfa.amsl.com> <BN6PR16MB14259FA70767BA31FB3E35EBEA670@BN6PR16MB1425.namprd16.prod.outlook.com> <dd93a90b-7526-056e-582d-58720f9f20c2@akamai.com> <4A9C259E-A978-4556-97A7-E638CD0699EB@vidyo.com>
In-Reply-To: <4A9C259E-A978-4556-97A7-E638CD0699EB@vidyo.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/7Qvky-bHahWSs7C_9ICm_x0IVT4>

Hosts infected with malware contact the command & control server in the Internet and not the other way around, and currently most malware communication is encrypted using TLS (some of them use Tor); I don't see a reason why they would want to move to using ICE connectivity checks to obfuscate traffic.

The update does not change the default behavior of the TURN server, i.e., all incoming traffic, including STUN traffic, is dropped without permissions installed, and the TURN server administrator must enable the configuration to allow inbound STUN connectivity checks without explicit permission. An enterprise network that does not want to relax the firewall-like rules on the TURN server need not turn on this feature. Further, simple misuse can be easily detected using the techniques discussed in the last paragraph of section 19.2 (Firewall Considerations).

Cheers,
-Tiru

> -----Original Message-----
> From: tram <tram-bounces@ietf.org> On Behalf Of Jonathan Lennox
> Sent: Monday, August 13, 2018 8:58 PM
> To: Brandon Williams <brandon.williams=40akamai.com@dmarc.ietf.org>
> Cc: Cullen Jennings <fluffy@cisco.com>; Eric Rescorla <ekr@rtfm.com>;
> tram@ietf.org; Justin Uberti <juberti@google.com>; Ram Mohan R (rmohanr)
> <rmohanr@cisco.com>; Nils Ohlmeier <nohlmeier@mozilla.com>
> Subject: Re: [tram] I-D Action: draft-ietf-tram-turnbis-19.txt
> 
> I’d also like to get security review of this change, especially from the
> perspective of people running firewalls.
> 
> One of the design goals of TURN originally was that it behave like an address-
> dependent filtering firewall / NAT — you can’t get incoming traffic from a peer
> you don’t already know about.  This was so it can’t be used to tunnel
> connections to an open server behind a firewall, e.g. to allow a controller
> somewhere on the open Internet to contact malware running inside a
> corporate network.
> 
> Thus, network operators can be more confident about allowing TURN traffic out
> through their firewalls.
> 
> Permissionless ICE relay support breaks this guarantee, if you can tunnel your
> traffic to make it look like ICE connectivity checks, and I’m worried it will make
> operators less willing to allow TURN out of their networks.
> 
> Now, maybe the relevant operators are already not allowing TURN, or there
> are already plenty of ways to tunnel in traffic, so this isn’t a concern.  But if we
> change this property, I’d like to make sure we’re doing so with full
> consciousness and deliberation.
> 
> > On Aug 10, 2018, at 3:35 PM, Brandon Williams
> <brandon.williams=40akamai.com@dmarc.ietf.org> wrote:
> >
> > Hi all,
> >
> > The one remaining item that I have been hoping for before submitted
> > turnbis for publication is review of permissionless ICE relay support
> > from someone who intends to make use of this new feature in the
> > protocol. I attempted to get commitments for review from EKR and
> > Cullen in Montreal, but they were each busy enough with other things
> > that they weren't prepared to make such a commitment. So, with that in
> > mind, I have a couple of questions for the list.
> >
> > For those of you who have reviewed this new content (namely Nils,
> > Justin, and Ram): Have any of you implemented support for this
> > capability? Or do you intend to in the near future?
> >
> > For the rest of you, is there anyone who has not reviewed the changes
> > yet who has implemented these changes?
> >
> > I'm mostly concerned about verifying that an implementor has looked at
> > this carefully enough to be confident that it can be implemented
> > effectively, especially as regards relevant security controls to
> > protect the client that is behind a relay that supports this capability.
> >
> > I'll appreciate any feedback from the list about this.
> >
> > Thanks,
> > --Brandon
> >
> > On 06/04/2018 02:24 AM, Konda, Tirumaleswar Reddy wrote:
> >> This revision addresses comments from Justin.
> >>
> >> -Tiru
> >>
> >>> -----Original Message-----
> >>> From: tram [mailto:tram-bounces@ietf.org] On Behalf Of internet-
> >>> drafts@ietf.org
> >>> Sent: Monday, June 4, 2018 11:51 AM
> >>> To: i-d-announce@ietf.org
> >>> Cc: tram@ietf.org
> >>> Subject: [tram] I-D Action: draft-ietf-tram-turnbis-19.txt
> >>>
> >>>
> >>>
> >>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >>> This draft is a work item of the TURN Revised and Modernized WG of the IETF.
> >>>
> >>>        Title           : Traversal Using Relays around NAT (TURN): Relay Extensions
> >>>                          to Session Traversal Utilities for NAT (STUN)
> >>>        Authors         : Tirumaleswar Reddy
> >>>                          Alan Johnston
> >>>                          Philip Matthews
> >>>                          Jonathan Rosenberg
> >>>        Filename        : draft-ietf-tram-turnbis-19.txt
> >>>        Pages           : 84
> >>>        Date            : 2018-06-03
> >>>
> >>> Abstract:
> >>>   If a host is located behind a NAT, then in certain situations it can
> >>>   be impossible for that host to communicate directly with other hosts
> >>>   (peers).  In these situations, it is necessary for the host to use
> >>>   the services of an intermediate node that acts as a communication
> >>>   relay.  This specification defines a protocol, called TURN (Traversal
> >>>   Using Relays around NAT), that allows the host to control the
> >>>   operation of the relay and to exchange packets with its peers using
> >>>   the relay.  TURN differs from some other relay control protocols in
> >>>   that it allows a client to communicate with multiple peers using a
> >>>   single relay address.
> >>>
> >>>   The TURN protocol was designed to be used as part of the ICE
> >>>   (Interactive Connectivity Establishment) approach to NAT traversal,
> >>>   though it also can be used without ICE.
> >>>
> >>>   This document obsoletes RFC 5766 and RFC 6156.
> >>>
> >>>
> >>> The IETF datatracker status page for this draft is:
> >>> https://datatracker.ietf.org/doc/draft-ietf-tram-turnbis/
> >>>
> >>> There are also htmlized versions available at:
> >>> https://tools.ietf.org/html/draft-ietf-tram-turnbis-19
> >>> https://datatracker.ietf.org/doc/html/draft-ietf-tram-turnbis-19
> >>>
> >>> A diff from the previous version is available at:
> >>> https://www.ietf.org/rfcdiff?url2=draft-ietf-tram-turnbis-19
> >>>
> >>>
> >>> Please note that it may take a couple of minutes from the time of
> >>> submission until the htmlized version and diff are available at tools.ietf.org.
> >>>
> >>> Internet-Drafts are also available by anonymous FTP at:
> >>> ftp://ftp.ietf.org/internet-drafts/
> >>>
> >>> _______________________________________________
> >>> tram mailing list
> >>> tram@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/tram
> >>
> >
> > --
> > Brandon Williams
> > Platform Engineering
> > Akamai Technologies Inc.
> >
> 
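The default-drop rule the thread is arguing about, and the administrator-enabled exemption for inbound STUN connectivity checks, can be modelled as a small inbound filter at the relayed transport address. The block below is an added illustration written for this page, not code from the turnbis draft or from any TURN server implementation. It relies only on standard facts: the STUN header layout and magic cookie from RFC 5389, the Binding request type 0x0001, and the 300-second permission lifetime from RFC 5766. The function and field names (`Allocation`, `inbound_decision`, `allow_permissionless_checks`) and the sample peer address and payloads are assumptions constructed for the example.

```python
"""Inbound filter at a TURN relayed transport address (added example).

Not code from the turnbis draft or any TURN server.  Models the
permission check a relay applies to packets arriving at a relayed
address, plus the optional, administrator-enabled exemption for inbound
STUN connectivity checks discussed in the thread.  All names are
illustrative assumptions.
"""
import os
import struct
from dataclasses import dataclass, field
from typing import Optional

STUN_MAGIC_COOKIE = 0x2112A442   # RFC 5389 fixed cookie
STUN_BINDING_REQUEST = 0x0001    # class Request, method Binding
PERMISSION_LIFETIME = 300.0      # seconds (RFC 5766 / turnbis)


def is_stun_binding_request(pkt: bytes) -> bool:
    """Return True if pkt is a well-formed STUN Binding request.

    RFC 5389 header: 2-byte type with the top two bits zero, 2-byte
    attribute length (multiple of 4), 4-byte magic cookie, 12-byte
    transaction ID.  Only a packet passing all of these is treated as a
    connectivity check; anything else from an unknown peer is data.
    """
    if len(pkt) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", pkt[:8])
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE:
        return False
    if length % 4 or len(pkt) != 20 + length:
        return False
    return msg_type == STUN_BINDING_REQUEST


def build_binding_request(txid: Optional[bytes] = None) -> bytes:
    """Constructed sample: a Binding request carrying no attributes."""
    txid = txid if txid is not None else os.urandom(12)
    return struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid


@dataclass
class Allocation:
    """One client's allocation: peer IP -> permission expiry (seconds)."""
    permissions: dict = field(default_factory=dict)

    def install_permission(self, peer_ip: str, now: float) -> None:
        # CreatePermission (or ChannelBind) installs/refreshes a 5-minute permission.
        self.permissions[peer_ip] = now + PERMISSION_LIFETIME

    def has_permission(self, peer_ip: str, now: float) -> bool:
        expiry = self.permissions.get(peer_ip)
        return expiry is not None and now < expiry


def inbound_decision(alloc: Allocation, peer_ip: str, pkt: bytes, now: float,
                     allow_permissionless_checks: bool = False):
    """Decide whether a packet from peer_ip at the relayed address is
    forwarded to the client.  Returns (action, reason).

    With the flag off (the default) this is the firewall-like rule from
    the thread: nothing from a peer the client has not named gets
    through, STUN included.  With the flag on, only a well-formed STUN
    Binding request is exempted; arbitrary data is still dropped.
    """
    if alloc.has_permission(peer_ip, now):
        return "forward", "permission installed"
    if allow_permissionless_checks and is_stun_binding_request(pkt):
        return "forward", "inbound STUN connectivity check (admin-enabled)"
    return "drop", "no permission for peer"


if __name__ == "__main__":
    alloc = Allocation()
    peer = "203.0.113.7"                    # constructed peer address
    check = build_binding_request()
    data = b"\x16\x03\x03\x00\x05hello"     # constructed non-STUN payload
    print(inbound_decision(alloc, peer, check, 0.0))          # drop
    print(inbound_decision(alloc, peer, check, 0.0, True))    # forward
    print(inbound_decision(alloc, peer, data, 0.0, True))     # drop
    alloc.install_permission(peer, 0.0)
    print(inbound_decision(alloc, peer, data, 100.0))         # forward
    print(inbound_decision(alloc, peer, data, 300.0))         # drop (expired)
```

The point the model makes concrete is that the exemption is narrow: turning the flag on lets a peer reach the client with a correctly framed Binding request only, while a tunnelled data stream from an unknown peer still hits the default drop, and everything reverts to address-dependent filtering once the client's permission lapses.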