Re: [tram] [BEHAVE] errata 4933: RFC 5766 prevent spoofed refresh requests when using short-term credentials
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 17 January 2020 01:26 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: tram@ietf.org, behave@ietf.org
In-Reply-To: <11345.1579216274@localhost>
References: <DB7PR07MB4572708BEAC771375AC2AF5395380@DB7PR07MB4572.eurprd07.prod.outlook.com> <20200110123841.GD8801@faui48f.informatik.uni-erlangen.de> <29758.1578671195@localhost> <eb6effe49c65b90cf4e6af45b9b701b4f86db608.camel@ericsson.com> <11345.1579216274@localhost>
Date: Thu, 16 Jan 2020 20:26:52 -0500
Message-ID: <12509.1579224412@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/GFuHXUmKoN6mamVHGApoe8R6x2Q>
https://www.rfc-editor.org/errata_search.php?eid=4933

4933> Section 17.3.3 says:
4933>
4933>    An attacker might attempt to disrupt service to other users of the
4933>    TURN server by sending Refresh requests or CreatePermission requests
4933>    that (through source address spoofing) appear to be coming from
4933>    another user of the TURN server.  TURN prevents this by requiring
4933>    that the credentials used in CreatePermission, Refresh, and
4933>    ChannelBind messages match those used to create the initial
4933>    allocation.  Thus, the fake requests from the attacker will be
4933>    rejected.
4933>
4933> Notes:
4933>
4933> When using short-term credentials, they expire after a specific amount
4933> of time (such as 5 minutes) and clients get new credentials. The
4933> restriction imposed at section 17.3.3 prevents refreshing an allocation
4933> or permission using the new credentials. This RFC approves RFC 5389. So
4933> one can use short-term credentials. But short-term credentials are
4933> useless if they cannot be used to refresh an allocation or permission.
4933> The goal of 17.3.3 can be achieved by sending 438 with the new nonce.

a) I think we should accept this as verified.

b) It seems that sending with the new nonce will work.
   This requires some text changes, and we can now perhaps use the errata
   patcher with XML.  I've asked for the XML (if there is any), and I'll
   suggest some changes to the text.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
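The two behaviours the errata argues about, the section 17.3.3 binding that defeats a spoofed Refresh and the way that same binding rejects a legitimate client once its short-term credential has rotated, are easier to see in code than in prose. The following is an added example written for this page; it is not code from the mail thread, from the errata, or from any TURN implementation. It encodes a Refresh request with a real STUN header, USERNAME and LIFETIME attributes and a MESSAGE-INTEGRITY attribute computed as RFC 5389 specifies for short-term credentials (HMAC-SHA1 keyed with the password, over the message with the length field covering the MESSAGE-INTEGRITY attribute), and a toy server that keeps only the pieces needed here: a credential table, the 5-tuple-to-username binding recorded at Allocate, and the RFC 5766 response codes 401, 437 and 441. The 5-tuple, the usernames, the passwords and the rotation to a second username are constructed for the scenario; Allocate handling, nonces and the 438 path the errata proposes are deliberately left out, since the point is to show why the existing text breaks rotation.

```python
"""Model of the RFC 5766 s.17.3.3 credential binding under short-term credentials."""
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
REFRESH_REQUEST = 0x0004          # STUN method Refresh, class Request
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_LIFETIME = 0x000D
HEADER_LEN = 20
MI_ATTR_LEN = 4 + 20              # TLV header plus HMAC-SHA1 digest


def _attr(atype, value):
    """Encode one STUN attribute, padded to a 4-byte boundary (RFC 5389 s.15)."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def build_refresh(username, password, lifetime=600, txid=None):
    """Build a Refresh request protected with short-term credentials.

    With short-term credentials the HMAC-SHA1 key is SASLprep(password)
    (RFC 5389 s.15.4); the constructed passwords here are ASCII, so SASLprep
    is the identity. The header length field already counts the
    MESSAGE-INTEGRITY attribute appended after the HMAC is computed.
    """
    txid = txid or os.urandom(12)
    body = _attr(ATTR_USERNAME, username.encode()) + _attr(ATTR_LIFETIME, struct.pack("!I", lifetime))
    header = struct.pack("!HHI12s", REFRESH_REQUEST, len(body) + MI_ATTR_LEN, MAGIC_COOKIE, txid)
    mac = hmac.new(password.encode(), header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def parse_attrs(msg):
    """Return [(type, value, offset)] for the attributes of a STUN message."""
    attrs, pos = [], HEADER_LEN
    while pos + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        attrs.append((atype, msg[pos + 4:pos + 4 + alen], pos))
        pos += 4 + alen + ((-alen) % 4)
    return attrs


def verify_integrity(msg, password):
    """Recompute MESSAGE-INTEGRITY over everything before it, with the header
    length rewritten to end at the MESSAGE-INTEGRITY attribute."""
    for atype, value, offset in parse_attrs(msg):
        if atype == ATTR_MESSAGE_INTEGRITY:
            covered = msg[:offset]
            covered = covered[:2] + struct.pack("!H", offset - HEADER_LEN + MI_ATTR_LEN) + covered[4:]
            expected = hmac.new(password.encode(), covered, hashlib.sha1).digest()
            return hmac.compare_digest(expected, value)
    return False


class TurnServer:
    """Just enough of a TURN server to show the allocation/credential binding."""

    def __init__(self, credentials):
        self.credentials = dict(credentials)   # username -> password currently valid
        self.allocations = {}                  # client 5-tuple -> username that allocated

    def allocate(self, five_tuple, username):
        # Allocate authentication and relay address selection elided; record the binding.
        self.allocations[five_tuple] = username

    def rotate(self, old_username, new_username, new_password):
        """Short-term credential expiry: the old credential stops being accepted."""
        del self.credentials[old_username]
        self.credentials[new_username] = new_password

    def handle_refresh(self, five_tuple, msg):
        """Return the STUN response code the server would send for this Refresh."""
        attrs = {atype: value for atype, value, _ in parse_attrs(msg)}
        username = attrs.get(ATTR_USERNAME, b"").decode(errors="replace")
        password = self.credentials.get(username)
        if password is None or not verify_integrity(msg, password):
            return 401                         # Unauthorized: unknown credential or bad HMAC
        owner = self.allocations.get(five_tuple)
        if owner is None:
            return 437                         # Allocation Mismatch
        if owner != username:
            return 441                         # Wrong Credentials: the s.17.3.3 rule
        return 200                             # success; the lifetime would be extended here


def run_scenario():
    """Constructed exchange: Alice allocates, Mallory spoofs her address, then
    Alice's short-term credential rotates. Returns the response code per step."""
    alice_tuple = ("udp", "198.51.100.10", 40000, "203.0.113.5", 3478)   # constructed
    server = TurnServer({"alice": "pw-alice-1", "mallory": "pw-mallory"})
    server.allocate(alice_tuple, "alice")
    out = {}
    out["alice_refresh"] = server.handle_refresh(alice_tuple, build_refresh("alice", "pw-alice-1"))
    # Mallory spoofs Alice's 5-tuple but can only sign with her own credential: 441.
    out["spoofed_refresh"] = server.handle_refresh(alice_tuple, build_refresh("mallory", "pw-mallory"))
    # Mallory claims Alice's username without Alice's password: the HMAC fails, 401.
    out["forged_refresh"] = server.handle_refresh(alice_tuple, build_refresh("alice", "guess"))
    # Alice's credential expires and is replaced; the new username no longer
    # matches the allocation, so her own Refresh gets 441. This is the errata's complaint.
    server.rotate("alice", "alice-2", "pw-alice-2")
    out["rotated_refresh"] = server.handle_refresh(alice_tuple, build_refresh("alice-2", "pw-alice-2"))
    return out
```

Running `run_scenario()` gives 200 for Alice's first Refresh, 441 for the spoofed one, 401 for the forged one, and 441 again after rotation: the binding that stops Mallory also stops Alice once her credential has changed, which is exactly the behaviour the errata says makes short-term credentials unusable with the current text.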