Re: [tram] Secdir last call review of draft-ietf-tram-turnbis-27

"Christopher Wood" <caw@heapingbits.net> Thu, 11 July 2019 22:27 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 110901200DB; Thu, 11 Jul 2019 15:27:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=KZYhR+SN; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=zHX2Wvpk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J4nrfVwvj7AZ; Thu, 11 Jul 2019 15:27:52 -0700 (PDT)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4EE11200B6; Thu, 11 Jul 2019 15:27:52 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id D443A220BA; Thu, 11 Jul 2019 18:27:51 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute6.internal (MEProxy); Thu, 11 Jul 2019 18:27:51 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type:content-transfer-encoding; s=fm1; bh=6V NbfZFwSDaPF+hX8BUwuR4yZ86wlHBpSPfd9ywphSE=; b=KZYhR+SN4p7oJ1zSH2 R8dK0cDnqWxEvGSFwbzL1l5Bl1t4vSyCqB1LDnWu85WCO6ejbcC0Zgow/ts8ro3j Db5Majn3novJrsS/OPNZUwXptt9xMpsMwhZoOlI12nfz5bDhn/QcJNtlPYS+1cws W/2hAVMW1BcyJS0nwBcuEUc8M7R4zCW2UZBZ54SG3X0921HFf7ghCJ6/SnGjMGsj 4Gr3JEk1p73Tvfv0jFLZrF/Vx+yIOUQwGqs5y7wTti/OBOxVwaBKG0aDqQYpT7Cl oErgq+hKPUonxMC91g5saMfG+SFhOzJDdZGyHrd9LDYaDkBp5UcI/hGwH5/TmZj8 +Vcg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=6VNbfZFwSDaPF+hX8BUwuR4yZ86wlHBpSPfd9ywph SE=; b=zHX2WvpkSaKXQdvHnd1PyN/Cx+/1D/GpXB7GAcjVrMCjtCyMA+N8+CE/F 75gOskGHwy8szW24SuwGVQ4waARxBte9U+it5NW8F3d6kaFSkS5E/gT49bSxF994 wlECWUiQqn8n5nYGE+MBpx2DM+o6XB1fZoU5hHI7vdsh7H2FJOLtl8yfLWGuGYrz ujjFZjnTPuRXaDjsdWb273lEElaN5txqHXj8JwGys61vSmW7kFH1zZMyANKv4pdV LljuR0tNhEV5G+yOu/oXg6ucwK2DNm4+VxHBYWr8tJIM0RfG5YeZOz9k5gqWifqy rUwCR5zxIA4d1/9WoGmrLve3BCPpw==
X-ME-Sender: <xms:57cnXZU8gnMVn0M9FhXV5-8daDPxhdSr8SQKWnlZBXGYgWEVSo0uOQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduvddrgeelgdduudcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtgfesthhqredtreerjeenucfhrhhomhepfdevhhhr ihhsthhophhhvghrucghohhougdfuceotggrfieshhgvrghpihhnghgsihhtshdrnhgvth eqnecuffhomhgrihhnpehhthhtphehtdefrhgvshhpohhnshgvtghouggvrghnrghlohhg hiifohhulhgusggvhhgvlhhpfhhulhdrrghtpdhgihhthhhusgdrtghomhdpihgvthhfrd horhhgnecurfgrrhgrmhepmhgrihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghithhs rdhnvghtnecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:57cnXVZJBO3S0-OMskf2yBrwDvkaEmGAVPyjN2hz2-Uku9DOuSWy5A> <xmx:57cnXb2hZQ8OV2Wd58ZNHjPw-nZQGN2csVFHkiQrLW6754yOfvyngg> <xmx:57cnXZCw_HHLS9OR_7-YzYnaTQptmLuvfquPYIMAwvHaFDEgukWWxQ> <xmx:57cnXWbKDE6g3mJhdqFp99xykS94g7UeVQyfQZrhAPWiwnl95hExQQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 4A5233C00A1; Thu, 11 Jul 2019 18:27:51 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.6-731-g19d3b16-fmstable-20190627v1
Mime-Version: 1.0
Message-Id: <8ba1f7d3-d286-46df-9c13-383340bbf7b5@www.fastmail.com>
In-Reply-To: <DM5PR16MB17055A8B96B74CD7E978591FEAF00@DM5PR16MB1705.namprd16.prod.outlook.com>
References: <156253133809.549.13521510978566357744@ietfa.amsl.com> <DM5PR16MB17057A838828AE1DFD33702AEAF60@DM5PR16MB1705.namprd16.prod.outlook.com> <20190709203044.GD24351@kduck.mit.edu> <DM5PR16MB17055A8B96B74CD7E978591FEAF00@DM5PR16MB1705.namprd16.prod.outlook.com>
Date: Thu, 11 Jul 2019 15:27:50 -0700
From: "Christopher Wood" <caw@heapingbits.net>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "Benjamin Kaduk" <kaduk@mit.edu>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-tram-turnbis.all@ietf.org" <draft-ietf-tram-turnbis.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "tram@ietf.org" <tram@ietf.org>
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/G7smftbFQaKSLVO2QaYbZtvG8JA>
Subject: Re: [tram] Secdir last call review of draft-ietf-tram-turnbis-27
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jul 2019 22:27:56 -0000

Hi Tiru,

On Wed, Jul 10, 2019, at 5:41 AM, Konda, Tirumaleswar Reddy wrote:
> Hi Ben,
> 
> Thanks for the review. Please see inline.
> 
> > -----Original Message-----
> > From: Benjamin Kaduk <kaduk@mit.edu>;
> > Sent: Wednesday, July 10, 2019 2:01 AM
> > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>;
> > Cc: Christopher Wood <caw@heapingbits.net>;; secdir@ietf.org; draft-ietf-
> > tram-turnbis.all@ietf.org; ietf@ietf.org; tram@ietf.org
> > Subject: Re: [tram] Secdir last call review of draft-ietf-tram-turnbis-27
> > 
> > This email originated from outside of the organization. Do not click links or
> > open attachments unless you recognize the sender and know the content is
> > safe.
> > 
> > Chris, thanks for the review.  Some more questions/comments inline as I
> > prepare to ballot on this document...
> > 
> > On Mon, Jul 08, 2019 at 02:18:26PM +0000, Konda, Tirumaleswar Reddy wrote:
> > > Hi Christopher,
> > >
> > > Thanks for the detailed review. Please see inline
> > >
> > > > -----Original Message-----
> > > > From: tram <tram-bounces@ietf.org>; On Behalf Of Christopher Wood via
> > > > Datatracker
> > > > Sent: Monday, July 8, 2019 1:59 AM
> > > > To: secdir@ietf.org
> > > > Cc: draft-ietf-tram-turnbis.all@ietf.org; ietf@ietf.org;
> > > > tram@ietf.org
> > > > Subject: [tram] Secdir last call review of
> > > > draft-ietf-tram-turnbis-27
> > > >
> > > > This email originated from outside of the organization. Do not click
> > > > links or open attachments unless you recognize the sender and know
> > > > the content is safe.
> > > >
> > > > Reviewer: Christopher Wood
> > > > Review result: Has Nits
> > > >
> > > > I have reviewed this document as part of the security directorate's
> > > > ongoing effort to review all IETF documents being processed by the
> > > > IESG. These comments were written primarily for the benefit of the
> > > > security area directors.
> > > > Document editors and WG chairs should treat these comments just like
> > > > any other last call comments.
> > > >
> > > > The summary of the review is: Ready with nits
> > > >
> > > > Summary:
> > > >
> > > > In general, the document is well written and clearly founded in
> > > > operational experience. The security considerations are thorough,
> > > > providing examples where necessary to highlight important problem
> > > > areas. It draws a clear line between issues best addressed by
> > > > applications outside of TURN, and provides sufficient detail for
> > > > those issues in scope. My comments and questions are, hopefully, mostly
> > nits.
> > > >
> > > > General comments:
> > > >
> > > > - TURN server authentication in the case of (D)TLS is
> > > > underspecified. Are servers assumed to have WebPKI certificates,
> > > > OOB-trusted raw public keys, or something else? Is there a preferred
> > form of authentication?
> > > > Relatedly, in
> > > > Section 3.2, how do clients authenticate the server?
> > >
> > > Server certificate validation is discussed in https://tools.ietf.org/html/draft-
> > ietf-tram-stunbis-21#section-6.2.3.  I have modified the text as follows:
> > >
> > > If (D)TLS transport is used between the TURN client and the TURN
> > > server, the cipher suites, server certificate validation and
> > > authentication of TURN server are discussed in Section 6.2.3 of
> > > [I-D.ietf-tram-stunbis]
> > 
> > That helps, but it would still be nice to give some indication of what certificate
> > PKI(s) are expected to be used.  Is anything other than the Web PKI under
> > consideration ?
> 
> No. Please see 
> https://tools.ietf.org/html/draft-ietf-tram-stunbis-21#section-6.2.3, 
> It discusses to verify the certificate path and identity of the server.

Perhaps it would be good to explicitly say this in the document?

> 
> > 
> > > >- Section 3.7: Could
> > > > TURN servers not chunk data from stream-oriented transports (TCP or
> > > >TLS)  to a preferred MTU size before relaying to peers?
> > > > Specifically, there are likely
> > > > some cases wherein the server could deal with the client data
> > > >messages  larger than the recommended 500B limit. On that point,
> > > >should servers even  accept data larger than this recommended size ?
> > > >-
> > >
> > > Please see
> > > https://tools.ietf.org/html/draft-ietf-tram-turnbis-27#section-15 for
> > > TCP-to-UDP relay. If the PMTU is not known, and on legacy or otherwise
> > > unusual networks,
> > > 500 byte limit for application data is recommended.
> > >
> > > > Section 3.9: There may be
> > > > cases where the TLS connection post TCP connection establishment
> > > > fails. It would therefore seems prudent to not declare victory for
> > > > one connection over the other until TLS connects, too. -
> > >
> > > Agreed, Eric (as part of ISEG review) suggested to simplify the text. I have
> > updated the text as follows:
> > >
> > >    o  For TCP or TLS-over-TCP, the results of the Happy Eyeballs
> > >       procedure [RFC8305] are used by the TURN client for sending its
> > >       TURN messages to the server.
> > 
> > Is the editor's copy available for viewing somewhere?  It would be good to
> > see this (and other changes) in context.
> 
> Yes, Please see https://github.com/tireddy2/TURNbis 

Thanks!

> 
> > 
> > > > Section 3 could benefit from a
> > > > subsection on replays and the nonce role. In particular, as later
> > > > discussed in the security considerations, some of these attacks are
> > > > not new to TURN and should therefore be dealt with by the
> > > > application protocol (SRTP). This section might also describe nonce
> > > > rotation policies with more specificity, as this is underspecified in the
> > document.
> > >
> > > It is discussed in Section 5 in the specification, the server should expire the
> > nonce at least once every hour during the lifetime of the allocation.
> > >
> > > >- Section 3 could also benefit from
> > > > discussion about cleartext versus encryption transports between
> > > >clients and  servers.
> > >
> > > It is discussed in https://tools.ietf.org/html/draft-ietf-tram-turnbis-
> > 27#section-21.1.6.
> > 
> > There's not much discussion about potential information  leakage via (e.g.)
> > USERNAME/USERHASH, and really just a claim that the peer address is the
> > "primary protocol content".

+1 to Ben's concern, which echoes my own.

> Agreed, added the following paragraph :
> 
> If the TURN client and server use the STUN Extension for Third-Party 
> Authorization [RFC7635], the username does not reveal the
> real user's identity, the USERNAME attribute carries an ephemeral and 
> unique key identifier, and the key identifier can change per call.
> If the TURN client and server use the STUN long-term credential 
> mechanism and the username reveals the
> real user's identity, the client need to either use (D)TLS transport 
> between the client and the server or use 
> the USERHASH attribute instead of the USERNAME attribute to anonynmize 
> the username.

This is an improvement -- thanks! Should use of (D)TLS be mandated ("MUST" instead of "need to") when long-term credentials are used?

> > > > Encrypting the nonce, username, realm, etc., among other things, has
> > > > obvious benefits. - Why are SOFTWARE and FINGERPRINT attributes
> > > > recommended?  It seems like clients should be discouraged from
> > > > sending these if anything, especially if not used to make allocation
> > > > decisions on the server.
> > >
> > > Username may not be the user identity, Please see
> > https://tools.ietf.org/html/rfc7635), It could be an ephemeral and unique
> > key identifier. Further, username can be anonymized (please see
> > https://tools.ietf.org/html/draft-ietf-tram-stunbis-21#section-14.4).
> > > SOFTWARE and FINGERPRINT attributes are defined in the STUN
> > specification, see https://tools.ietf.org/html/draft-ietf-tram-stunbis-21.

I realize they're defined elsewhere. My concern was that this draft seems to encourage sending them when perhaps that's not needed, i.e., as is the case for the SOFTWARE attribute.

> > 
> > These mechanisms  are partial mitigations but can still be susceptible to cross-
> > connection correlation attacks.
> 
> The use of FINGERPRINT is not mandatory, the TURN client and server may 
> include the FINGERPRINT attribute.  Note that ICE 
> (https://tools.ietf.org/html/rfc8445) mandates the use of FINGERPRINT 
> attribute. Added the following line for SOFTWARE attribute (TURNbis is 
> using the same behavior defined in RFC5766 to use SOFTWARE attribute)  :
> 
> SOFWATE attribute can reveal the specific software version of the TURN 
> client and server to eavesdropper and it might possibly allow attacks 
> against vulnerable software that is known to contain security holes. If 
> it is important to prevent an eavesdropper from learning the software 
> version, TURN can be run over (D)TLS.

I'd replace "holes" with "vulnerabilities," and rewrite 

   "If  it is important to prevent an eavesdropper from learning the software  version, TURN can be run over (D)TLS."

as follows:

"TURN SHOULD be run over (D)TLS to prevent leaking the SOFTWARE attribute in clear text."

> > > - Section 5: When servers receive data that exceeds an allocation’s
> > > > bandwidth quota, servers silently discard this data. This means
> > > > there’s no allocation-based flow control mechanism between client
> > > > and server beyond what’s provided by the transport protocol, right?
> > >
> > > Yes, UDP does not include a congestion control mechanism.

Right -- it might be good to mention this explicitly.

> > > > This seems fine, though
> > > > perhaps some discussion of why this design decision was made would
> > > > be helpful. For example, I could imagine explicit signals from
> > > > servers to clients that indicate server state would reveal
> > > > information about other allocations on the server, which might be
> > > > problematic. -
> > >
> > > The errors 486 (Allocation Quota Exceeded) or 508 (Insufficient Capacity)
> > do not reveal information of which other users are using the TURN server.

Perhaps not which other *users* are using the TURN server, correct. It may leak other information though, and drawing HTTP 503 response code analogy would be helpful.

> > At least the latter seems to give some indication that many other users are
> > using the server at the  time (so that it's overloaded), though not information
> > about *which* users that is.
> 
> Yes, similar to 503 HTTP error response.
> 
> > 
> > > > Section 7.2 suggests that
> > > > servers can redirect client allocation requests to other servers.
> > > > Can this create a loop, wherein two TURN servers redirect to one another?
> > >
> > > The client detect and stop the loop, it is similar to HTTP redirection.
> > 
> > Where is this specified?
> 
> It is specified in the last paragraph of 
> https://tools.ietf.org/html/draft-ietf-tram-stunbis-21#section-10 

Aha -- I missed that. Thanks!

Best,
Chris