Re: [tram] More issues with RFC 5389
Simon Perreault <sperreault@jive.com> Tue, 20 December 2016 15:53 UTC
Return-Path: <sperreault@jive.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE57C129AE6 for <tram@ietfa.amsl.com>; Tue, 20 Dec 2016 07:53:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jive-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Tv56eW8LmS10 for <tram@ietfa.amsl.com>; Tue, 20 Dec 2016 07:53:24 -0800 (PST)
Received: from mail-pf0-x233.google.com (mail-pf0-x233.google.com [IPv6:2607:f8b0:400e:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 751FF129AFC for <tram@ietf.org>; Tue, 20 Dec 2016 07:53:02 -0800 (PST)
Received: by mail-pf0-x233.google.com with SMTP id 189so29800087pfz.3 for <tram@ietf.org>; Tue, 20 Dec 2016 07:53:02 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jive-com.20150623.gappssmtp.com; s=20150623; h=from:subject:to:references:message-id:date:user-agent:mime-version :in-reply-to:content-transfer-encoding; bh=8kh+9jz8ehFCKXox4d6lSIaLMaZH6x0NyxAvU8MoWIQ=; b=cw6DKYWLfDSzztd4jdZ8g7/81tnsJJFIdCNCvP7v0iB+1O34sLZmAhs6xn8/aNKSHk bKfe0F0JtqVG69WFDl3xJRARhTaxOLFozSK5QUzZX0TbUWu5aAJfDp2LAtZqlLWC515x F6jSpV1Rwja9BG73ddo4aIBvO/QBpkhsOqLi1oyVPqVcESSvLXbuJNlkD16On23lqaKm CJg9X2PuY8Wk2mrDqAVj+OQ5tycA9XJzLj/TbxkFcIhKqz/OsQ0dAzgZYCOjz6LXB4sv BBqVAfUbHj5JeFOyYR8fH+gLUs4U8wz0im1rVPFAomas1pXfhNcTluAx4XnPnsczyN3c UlwA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:references:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=8kh+9jz8ehFCKXox4d6lSIaLMaZH6x0NyxAvU8MoWIQ=; b=ZY8BNmU+CJpOKAtYL3pI2dAs6qz0vMQpHMzER+cv2Dqw4rXqKgn0DQRRtiQDr7H5/R YnxwCxi71xOckZvKfnwyjTjFWK/9evGe8/e25sY2n3Wkc0l08VdOEv2vwRBjgZ0/zWTO sMomSVk71b/4riajmlJcEh5wBJoxgqTWnb58QAokz4LjcRMiQqzN5NdHSw9SUInBAFct VOHieQp/J5spM7TDiK3zN/m5KNzh6NsUd6nRQl4+nhCB9PpMpbwJqDcDPQFS5CWx6ZBM GmGF0RAFM9dLsEgT8lRRGvbjnDvfQ+FX86r0D/Hg4qnqL3vzb35caIQOctULqbxTojL6 I+Og==
X-Gm-Message-State: AKaTC03mgwbBU5Q/IPSF1T3kFNte8V42KiazZWHjoHAbC5LXrdugdf6gVvy9Wilpq0lKLlUvW9pU3FXYGWMlCTHBwvSDyCKzBIHR1LxD6ATrQn4M7Y2Jgr38HR/P3oM95QMrIyYyuXVgkcxrdFf1oQeSItqxXSeLXtmwsqJKdI8=
X-Received: by 10.99.242.5 with SMTP id v5mr36497299pgh.181.1482249181897; Tue, 20 Dec 2016 07:53:01 -0800 (PST)
Received: from MacBook-Pro-de-Simon.local ([2001:470:b161:0:d458:35d9:c74f:7d23]) by smtp.gmail.com with ESMTPSA id i76sm40157906pfk.89.2016.12.20.07.53.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 20 Dec 2016 07:53:01 -0800 (PST)
From: Simon Perreault <sperreault@jive.com>
To: Marc Petit-Huguenin <marc@petit-huguenin.org>, "tram@ietf.org" <tram@ietf.org>
References: <28ad59e9-cc50-71b5-df23-08bb8f827889@petit-huguenin.org>
Message-ID: <42b707f6-9911-f267-b3e3-ab9ebb6258b7@jive.com>
Date: Tue, 20 Dec 2016 10:52:59 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <28ad59e9-cc50-71b5-df23-08bb8f827889@petit-huguenin.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/D_4QxdxOmpNbqP_m_rWtJaiU8kw>
Subject: Re: [tram] More issues with RFC 5389
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Dec 2016 15:53:27 -0000
Sorry for taking so long to reply... Le 2016-11-27 à 08:12, Marc Petit-Huguenin a écrit : > 1. In both section 10.1.3 and section 10.2.3, the text says "If the > value does not match, or if MESSAGE-INTEGRITY was absent, the > response MUST be discarded, as if it was never received. This means > that retransmits, if applicable, will continue." The issue there is > that when the response is discarded but the transaction layer is for > a reliable transport as described in section 7.2.2, then the > transaction has no way to ever succeed, as there is no > retransmissions in that case, and the transaction will simply timeout > after 39.5 seconds. That seems wrong to wait nearly 40 secs to > return an answer that we already know about. > > Our proposal is to send immediately an "attack error" back to the > upper layers on receiving an invalid or missing M-I on reliable > transactions. This is equivalent of what is happening today, but > without having to wait 40 seconds for that. The attack error is a > signal similar to the timeout error, in that it does not carry any > other information. It is internal to the implementation, so it does > not require a Error Code, in the same way that the timeout signal > does not have an Error Code. > > Unreliable transactions could also use a similar signal in case these > transactions fail not because no packet was ever received but because > all of them where discarded. In that case, the "attack error" signal > is sent after the normal timeout. This makes sense to me. > 2. In section 10.2.3 there is no provision for processing a 400 > response that does not have a valid MESSAGE-INTEGRITY attribute. > That means that if the text is implemented as it is written (which I > am sure is not), receiving an unauthenticated 400 (as triggered by > bullet 2 of 10.2.2) will trigger the discarding packet rule on the > last paragraph of 10.2.3 and will take 40 seconds to timeout. > > Our proposal is to just add text between the 2nd and 3rd paragraph of > 12.2.3 to explain that receiving a unauthenticated 400 will cause a > timeout. Does this mean that an attacker could just send unauthenticated 400 responses, much like a TCP RST attack? > 3. Section 10.2.1.1 states that a first request SHOULD omit the > USERNAME, MESSAGE-INTEGRITY, REAL and NONCE, but inserting these > attribute will in fact make the first request a subsequent request. > Conversely Section 10.2.1.2 states a subsequent request SHOULD > include a USERNAME, MESSAGE-INTEGRITY, REAL and NONCE, but omitting > them will in fact make the subsequent request a first request. > > Our proposal is to say MUST omit in 10.2.1.1 and MUST include in > 10.2.1.2, and add new text to explain the logic. Makes sense. This is only about making text clearer, right? No protocol changes? > 4. The (simplified) order of processing in Section 10.2.2 is to > process 438 (Nonce stale) first (bullet 3) and then password invalid > (bullet 5). If a server changes the password and the nonce at the > same time, then 3 transactions are needed to recover. > > Our proposal is to change bullet 3 to say that if the nonce is > invalid and the Message-Integrity is wrong (showing that the password > also changed), then a 401 must be returned instead of a 438. The new > nonce is sent in the 401, so the session recovers in one additional > transaction instead of 2. The additional message-integrity > validation needed for this is minimal (with TURN, the NONCE should be > expired at least once each hour. Allocations have a default lifetime > of 10 minutes, 5 minutes for permissions/channel bindings. So if we > have 3 permissions - which seems the minimum with ICE - that means a > maximum of 2.4% of the transactions will have an expired nonce and > will require an additional verification of the M-I). Makes sense. > 5. When a 438 is returned, it says that no MESSAGE-INTEGRITY is > returned. But in fact the server could use the previous nonce to > generate a valid MESSAGE-INTEGRITY and protect the response. Note > that there is not really a lot of advantages for doing this, excepted > that in STUNbis it will permit to not have to return the > PASSWORD-ALGORIHMS attribute in that case in the response to protect > against MiTM attacks (if we go with the idea that the password > algorithm list can be changed during a session, which is a separate > issue). > > Our proposal is to say that 438 response MAY contain a > MESSAGE-INTEGRITY attribute that reuses the previous nonce. No objection. > 6. Same issue than before, but when the password changes. Instead of > not signing the 401 in bullet 5, it can be signed using the previous > password. > > Our proposal is to say that the 401 response in that case MAY contain > a MESSAGE-INTEGRITY attribute that reuses the previous password, i.e. > if the server remembers it. No objection. > 7. In section 15.6, it says "401 Unauthorized". It should really be > "401 Unauthenticated". The concern here is that some higher level > protocol overloads the real meaning of 401 and returns a 401 when > something is not authorized at this level and so messes with the Long > Term Credential Mechanism. Note that TURN got that right by using a > 403 to mean Unauthorized, but other STUN Usages can get this wrong. > > Our proposal is to change the text from "Unauthorized" to > "Unauthenticated”. Cool. > 8. Bullets 2 and 4 of Section 10.2.2 says that the response SHOULD > NOT contain a MESSAGE-INTEGRITY attribute, but even if the > application wanted to, there is no possible way to generate a > MESSAGE-INTEGRITY in these cases (for bullet 2 either USERNAME, REALM > or NONCE are missing, and for bullet 4 the USERNAME is invalid). > > Our proposal is to remove MESSAGE-INTEGRITY in these two paragraphs, > and to add some informative text saying that the message cannot > contain MESSAGE-INTEGRITY, because necessary fields are missing. Makes sense. -- Simon Perreault Director of Engineering, Platform | Jive Communications, Inc. https://jive.com | +1 418 478 0989 ext. 1241 | sperreault@jive.com
- [tram] More issues with RFC 5389 Marc Petit-Huguenin
- Re: [tram] More issues with RFC 5389 Simon Perreault
- Re: [tram] More issues with RFC 5389 Marc Petit-Huguenin
- Re: [tram] More issues with RFC 5389 Brandon Williams
- Re: [tram] More issues with RFC 5389 Marc Petit-Huguenin