Re: [tram] Transport of ICMP errors in TURN
"Cullen Jennings (fluffy)" <fluffy@cisco.com> Thu, 27 August 2015 13:49 UTC
Return-Path: <fluffy@cisco.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB6FC1B2E38 for <tram@ietfa.amsl.com>; Thu, 27 Aug 2015 06:49:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -114.511
X-Spam-Level:
X-Spam-Status: No, score=-114.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FXtnc5b3YlMO for <tram@ietfa.amsl.com>; Thu, 27 Aug 2015 06:49:34 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D9F31B2CF8 for <tram@ietf.org>; Thu, 27 Aug 2015 06:49:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4078; q=dns/txt; s=iport; t=1440683371; x=1441892971; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=vosxB8TcwCO5Dgz6226oahepk3l7H4sCCJ1ad3zm2Wc=; b=Dd8kX0DvjYLsirVTGoD/JJvbLz7Lq1GLY46vgb7NJkix9t/EvHeMdeyC LctYwAzvLV5hC+MJ8K1epNrZMmTYRFl8j7kqPqwJrv0IUN9ILrelujpwE t4fouq0ltVhfpPknGLpJgtVDhdOTSXhKsSii7cnXZGr1jWIGtlY+wy6d1 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CmAgBeFN9V/4sNJK1dgxtUWg8GvXEBCYFuDIV5AoEvOBQBAQEBAQEBgQqEIwEBAQMBAQEBawsFCwIBCBEEAQEBJwcnCxQJCAIEDgWIJggNA8gzAQEBAQEBAQEBAQEBAQEBAQEBAQEBEwSIeIJphEAYMweDGIEUBZU9AYUFh22BSoQylGQmg39xAYEEBzyBBQEBAQ
X-IronPort-AV: E=Sophos;i="5.17,422,1437436800"; d="scan'208";a="182622189"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by alln-iport-8.cisco.com with ESMTP; 27 Aug 2015 13:49:30 +0000
Received: from XCH-RCD-003.cisco.com (xch-rcd-003.cisco.com [173.37.102.13]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id t7RDnU7S023693 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 27 Aug 2015 13:49:30 GMT
Received: from xch-rcd-003.cisco.com (173.37.102.13) by XCH-RCD-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 27 Aug 2015 08:49:29 -0500
Received: from xhc-aln-x09.cisco.com (173.36.12.83) by xch-rcd-003.cisco.com (173.37.102.13) with Microsoft SMTP Server (TLS) id 15.0.1104.5 via Frontend Transport; Thu, 27 Aug 2015 08:49:29 -0500
Received: from xmb-aln-x02.cisco.com ([169.254.5.3]) by xhc-aln-x09.cisco.com ([173.36.12.83]) with mapi id 14.03.0248.002; Thu, 27 Aug 2015 08:49:29 -0500
From: "Cullen Jennings (fluffy)" <fluffy@cisco.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Thread-Topic: [tram] Transport of ICMP errors in TURN
Thread-Index: AQHQ3+oWETbZM/WfLU6J25V188icC54eib2AgAFwyYCAAB8ggIAAGLcA
Date: Thu, 27 Aug 2015 13:49:28 +0000
Message-ID: <44C024B4-CAC6-4E3A-A812-793809449E10@cisco.com>
References: <55DD94FF.7080400@acm.org> <55DDB133.6090608@jive.com> <A8F8D0A4-C847-4F3E-B5A3-45DA47CB95D9@cisco.com> <913383AAA69FF945B8F946018B75898A478C7C70@xmb-rcd-x10.cisco.com>
In-Reply-To: <913383AAA69FF945B8F946018B75898A478C7C70@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [173.36.7.13]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <181F75591718234E941274FA5FB8D44F@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/Ez0gcJiHkL0zU5kG5jQMBX-6I_0>
Cc: Simon Perreault <sperreault@jive.com>, "Pal Martinsen (palmarti)" <palmarti@cisco.com>, "tram@ietf.org" <tram@ietf.org>, Marc Petit-Huguenin <petithug@acm.org>
Subject: Re: [tram] Transport of ICMP errors in TURN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 13:49:36 -0000
A key part of TURN design was that it was not usable for running general purpose server that accepted traffic from anyone without first identifying who it is that you want to get the traffic from. So the client has to tell the TURN server which external hosts can send it traffic. Receiving ICMP violates this because you would need to accept stuff from sources you had not given permission to send you stuff. That allows TURN to be used to build generic servers which allows it to circumvent firewall policy. One of the reasons we invented TURN instead of using one of the other tunnel protocols was to not have this problem. > On Aug 27, 2015, at 6:20 AM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote: > > I don’t see a privacy problem with the proposal of Marc. > > -Tiru > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Pal Martinsen (palmarti) > Sent: Thursday, August 27, 2015 4:00 PM > To: Simon Perreault > Cc: Marc Petit-Huguenin; tram@ietf.org > Subject: Re: [tram] Transport of ICMP errors in TURN > > > On 26 Aug 2015, at 14:29, Simon Perreault <sperreault@jive.com> wrote: > > Le 2015-08-26 06:29, Marc Petit-Huguenin a écrit : > > During the presentation of the Path MTU Discovery Using STUN draft in Prague, there was some discussion on how ICMP can be received by the client when the PMTUD probes are sent through a TURN server. Which reminded me that I worked on that problem when I proposed PMTUD over STUN, back in 2008. That was the case, according to my notes, but in fact the idea of tunneling the ICMP packets through the TURN server was proposed the year before, but for a different reason: > > https://mailarchive.ietf.org/arch/msg/behave/76pAtymXlAtF5SoD0rgoFECf2Fg > > So my proposal is to add this into turnbis. I can provide text. > > RFC 5766 section 2.6 <https://tools.ietf.org/html/rfc5766#section-2.6> > explains that ICMP not being relayed was a design decision to make it > possible to run a TURN server as an unprivileged user. That conclusion > is wrong for two reasons: > > - With the BSD sockets API, some ICMP errors are translated into recv() > error codes. This means that it is always possible to relay at least > some subset of ICMP errors. (Not sure for TCP or IPv6, I’d > need to check.) > > > It is possible by creating a new listen socket. > > See: https://tools.ietf.org/html/draft-martinsen-tram-stuntrace-01#appendix-A.2 > > The code described in that ID works well and we have implemented it in most of our hard and soft clients. > Not sure about any performance issues when doing this on the server side though. > > The STUNTrace ID is not a TRAM draft anymore. We will ask for it to be AD sponsored, just need to have some more discussion in the security section regarding information leakage. This is particular hard in the intersection network troubleshooting and end user privacy. If you got any concerns or ideas please ping me. (Or maybe we can have chair approval to have the discussion on this list? If any that is..) > > > - On Linux, which dominates the market of TURN server, one can receive > all ICMP errors as an unprivileged user with the IP(V6)_RECVERR socket > option. > > So my conclusion is: yes, please. :) > > +1 > > But we need to carefully describe the security pitfalls. Some people might already be using a TURN server as mean to hide their “true” IP address. Any changes in the TURN spec that introduces a change in the server behaviour that affects the privacy aspect might potentially be risk to some users. > > .-. > Pål-Erik > > > Simon > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram
- [tram] Transport of ICMP errors in TURN Marc Petit-Huguenin
- Re: [tram] Transport of ICMP errors in TURN Simon Perreault
- Re: [tram] Transport of ICMP errors in TURN Pal Martinsen (palmarti)
- Re: [tram] Transport of ICMP errors in TURN Marc Petit-Huguenin
- Re: [tram] Transport of ICMP errors in TURN Tirumaleswar Reddy (tireddy)
- Re: [tram] Transport of ICMP errors in TURN Tirumaleswar Reddy (tireddy)
- Re: [tram] Transport of ICMP errors in TURN Pal Martinsen (palmarti)
- Re: [tram] Transport of ICMP errors in TURN Cullen Jennings (fluffy)
- Re: [tram] Transport of ICMP errors in TURN Simon Perreault
- Re: [tram] Transport of ICMP errors in TURN Cullen Jennings (fluffy)
- Re: [tram] Transport of ICMP errors in TURN Marc Petit-Huguenin
- Re: [tram] Transport of ICMP errors in TURN Marc Petit-Huguenin
- Re: [tram] Transport of ICMP errors in TURN Marc Petit-Huguenin