Re: [tram] Fwd: New Version Notification for draft-williams-tram-ufrag-permission-00.txt

"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Thu, 15 October 2015 06:52 UTC

From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Justin Uberti <juberti@google.com>
Date: Thu, 15 Oct 2015 06:52:33 +0000
Message-ID: <86c7182c5cb942799c73a88aa115328c@XCH-RCD-017.cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/AEwrhsFuNzZPx3A4gghbsu1-uTE>
Cc: "tram@ietf.org" <tram@ietf.org>, Brandon Williams <brandon.williams@akamai.com>
Subject: Re: [tram] Fwd: New Version Notification for draft-williams-tram-ufrag-permission-00.txt

I meant with this change an attacker, by just knowing the ufrag, can now launch an attack on the TURN server and on the endpoint by sending spoofed ICE requests with a valid ufrag but invalid MESSAGE-INTEGRITY, and can use any source IP address and possibly launch a DDoS attack; the TURN server will just forward those ICE requests to the endpoint.

-Tiru

From: Justin Uberti [mailto:juberti@google.com]
Sent: Thursday, October 15, 2015 11:38 AM
To: Tirumaleswar Reddy (tireddy)
Cc: Brandon Williams; tram@ietf.org
Subject: Re: [tram] Fwd: New Version Notification for draft-williams-tram-ufrag-permission-00.txt

DDoS of spoofed ICE requests can happen already against the host/srflx candidate, so it is unclear this is a real-world problem.

On Wed, Oct 14, 2015 at 7:39 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:
To handle a DDoS attack of spoofed ICE requests, did you consider the option of signaling the endpoint's short-term password to the TURN server so as to block those ICE requests?
draft-jennings-behave-rtcweb-firewall-01 and this draft are both discussing STUN inspection on firewalls and TURN servers but in different ways to solve different problems.

-Tiru

> -----Original Message-----
> From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Brandon Williams
> Sent: Thursday, October 15, 2015 2:27 AM
> To: tram@ietf.org
> Subject: [tram] Fwd: New Version Notification for draft-williams-tram-ufrag-permission-00.txt
>
> I just posted the below referenced draft. It's focused on improving the speed
> of relayed ICE connectivity checks by defining a new type of permission that
> makes use of the offerer's ICE ufrag.
>
> We will appreciate your comments.
>
> Thanks,
> --Brandon
>
>
> -------- Forwarded Message --------
> Subject: New Version Notification for draft-williams-tram-ufrag-permission-00.txt
> Date: Wed, 14 Oct 2015 13:49:35 -0700
> From: internet-drafts@ietf.org
> To: Brandon Williams <brandon.williams@akamai.com>, Brandon Williams <brandon.williams@akamai.com>, Justin Uberti <justin@uberti.name>, Justin Uberti <justin@uberti.name>
>
>
> A new version of I-D, draft-williams-tram-ufrag-permission-00.txt
> has been successfully submitted by Brandon Williams and posted to the IETF
> repository.
>
> Name:          draft-williams-tram-ufrag-permission
> Revision:      00
> Title:         Ufrag Permissions for Traversal Using Relays around NAT (TURN)
> Document date: 2015-10-14
> Group:         Individual Submission
> Pages:         9
> URL:           https://www.ietf.org/internet-drafts/draft-williams-tram-ufrag-permission-00.txt
> Status:        https://datatracker.ietf.org/doc/draft-williams-tram-ufrag-permission/
> Htmlized:      https://tools.ietf.org/html/draft-williams-tram-ufrag-permission-00
>
>
> Abstract:
>     When using a TURN relay, ICE connectivity checks require an explicit
>     permission or channel binding to be established for each peer address
>     to be checked.  This requires the answerer to send its candidate
>     addresses to the offerer via the rendezvous server, which can impose
>     a latency penalty when the rendezvous server is centrally located.
>     This document defines a new type of TURN permission that will allow
>     any ICE connectivity check message that contains the offerer's ufrag
>     value to be accepted on a relay address for delivery over the
>     associated TURN tunnel.
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> The IETF Secretariat
>
>
>
> _______________________________________________
> tram mailing list
> tram@ietf.org
> https://www.ietf.org/mailman/listinfo/tram

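As an added illustration of the exchange discussed in this thread (this is not code from the draft, from Akamai, Google or Cisco, or from anyone on the list): the Python below builds an ICE connectivity check, i.e. a STUN Binding request per RFC 5389 carrying USERNAME, MESSAGE-INTEGRITY and FINGERPRINT, and runs both a genuine check and a spoofed one (correct ufrag, wrong password) through two relay admission rules. The first forwards on the offerer's ufrag alone, as the draft's abstract describes; the second additionally verifies MESSAGE-INTEGRITY with the offerer's short-term password, which is what signaling that password to the TURN server would enable. The ufrag and password values are constructed for the demo, the PRIORITY/ICE-CONTROLLING attributes and SASLprep are omitted, and the filter function names are hypothetical rather than the API of any TURN implementation.

```python
import hashlib
import hmac
import os
import struct
import zlib

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_FINGERPRINT = 0x8028
FINGERPRINT_XOR = 0x5354554E
HEADER_LEN = 20


def _attr(attr_type, value):
    """Encode one TLV attribute, value padded to a 4-byte boundary (RFC 5389 s.15)."""
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def _with_length(msg, body_len):
    """Return msg with the header's Message Length field (bytes 2..3) set to body_len."""
    return msg[:2] + struct.pack("!H", body_len) + msg[4:]


def build_check(username, password, txid=b""):
    """STUN Binding request with USERNAME, MESSAGE-INTEGRITY and FINGERPRINT, as an ICE
    connectivity check carries them (PRIORITY/ICE-CONTROLLING omitted for brevity)."""
    txid = txid or os.urandom(12)
    body = _attr(ATTR_USERNAME, username.encode())
    msg = struct.pack("!HHI", BINDING_REQUEST, len(body), MAGIC_COOKIE) + txid + body
    # MESSAGE-INTEGRITY = HMAC-SHA1(key, bytes before the attribute), computed with the
    # length field already counting the 24-byte attribute (RFC 5389 s.15.4). With ICE
    # short-term credentials the key is the peer's ICE password (SASLprep omitted here).
    covered = _with_length(msg, len(body) + 24)
    msg += _attr(ATTR_MESSAGE_INTEGRITY, hmac.new(password.encode(), covered, hashlib.sha1).digest())
    # FINGERPRINT = CRC-32(bytes before the attribute) XOR 0x5354554e, with the length
    # field counting the 8-byte attribute (RFC 5389 s.15.5). It is keyless: anyone can compute it.
    final_len = len(msg) - HEADER_LEN + 8
    crc = zlib.crc32(_with_length(msg, final_len)) ^ FINGERPRINT_XOR
    msg += _attr(ATTR_FINGERPRINT, struct.pack("!I", crc))
    return _with_length(msg, final_len)


def parse_attrs(msg):
    """Return (type, offset, value) for each attribute; offset is where the attribute starts."""
    out, off = [], HEADER_LEN
    while off + 4 <= len(msg):
        atype, alen = struct.unpack_from("!HH", msg, off)
        out.append((atype, off, msg[off + 4:off + 4 + alen]))
        off += 4 + alen + ((-alen) % 4)
    return out


def verify_fingerprint(msg):
    """Well-formedness check only; it proves nothing about who sent the message."""
    for atype, off, value in parse_attrs(msg):
        if atype == ATTR_FINGERPRINT:
            return struct.pack("!I", zlib.crc32(msg[:off]) ^ FINGERPRINT_XOR) == value
    return False


def ufrag_only_filter(msg, local_ufrag):
    """Hypothetical relay rule as the draft's abstract describes it: forward any STUN check
    whose USERNAME begins with the TURN client's (offerer's) ufrag."""
    if not verify_fingerprint(msg):
        return False
    for atype, _, value in parse_attrs(msg):
        if atype == ATTR_USERNAME:
            return value.split(b":", 1)[0] == local_ufrag.encode()
    return False


def ufrag_and_integrity_filter(msg, local_ufrag, local_password):
    """Hypothetical relay rule with the offerer's short-term password available to the
    relay: forward only if MESSAGE-INTEGRITY verifies under that password."""
    if not ufrag_only_filter(msg, local_ufrag):
        return False
    for atype, off, value in parse_attrs(msg):
        if atype == ATTR_MESSAGE_INTEGRITY:
            covered = _with_length(msg[:off], off - HEADER_LEN + 24)
            expected = hmac.new(local_password.encode(), covered, hashlib.sha1).digest()
            return hmac.compare_digest(expected, value)
    return False


def demo():
    """Constructed ufrag/password values; USERNAME is <offerer ufrag>:<answerer ufrag>."""
    offerer_ufrag, offerer_pwd, answerer_ufrag = "8hhY", "P0u5bHHkuEgJDmaz", "9uB6"
    username = f"{offerer_ufrag}:{answerer_ufrag}"
    genuine = build_check(username, offerer_pwd)
    # Attacker knows the ufrag but not the password; source IP can be anything.
    spoofed = build_check(username, "not-the-password")
    return {
        "genuine_ufrag_only": ufrag_only_filter(genuine, offerer_ufrag),
        "spoofed_ufrag_only": ufrag_only_filter(spoofed, offerer_ufrag),
        "genuine_with_mi": ufrag_and_integrity_filter(genuine, offerer_ufrag, offerer_pwd),
        "spoofed_with_mi": ufrag_and_integrity_filter(spoofed, offerer_ufrag, offerer_pwd),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'forwarded' if accepted else 'dropped'}")
```

The spoofed check is forwarded by the ufrag-only rule and dropped by the integrity rule; the cost of the second rule is one HMAC-SHA1 per packet at the relay plus the need to convey the offerer's ICE password to the TURN server, which is the trade-off the thread is weighing.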