Re: [tram] Fwd: New Version Notification for draft-williams-tram-ufrag-permission-00.txt

Brandon Williams <brandon.williams@akamai.com> Thu, 15 October 2015 13:38 UTC

To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, Justin Uberti <juberti@google.com>
References: <86c7182c5cb942799c73a88aa115328c@XCH-RCD-017.cisco.com>
From: Brandon Williams <brandon.williams@akamai.com>
Message-ID: <561FAC54.2020605@akamai.com>
Date: Thu, 15 Oct 2015 09:38:28 -0400
In-Reply-To: <86c7182c5cb942799c73a88aa115328c@XCH-RCD-017.cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/GaohxMt5AJXw5MpVrDc69nCnSsk>
Cc: "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Fwd: New Version Notification for draft-williams-tram-ufrag-permission-00.txt

I don't see a significant difference in the attack profile for DDOS 
between this and standard address based permissions. In this case, I can 
mount a DDOS by knowing the ufrag. For address-based, I can mount a DDOS 
by knowing the address. The relatively minor difference is that reverse 
path filtering might limit an attacker's ability to spoof some 
addresses, but this is uncommon and unreliable enough that it's not 
really a meaningful improvement.

Since the relay and the client already have to deal with roughly the 
same DDOS risk, I don't see significant value in sharing the short-term 
password with the relay.

--Brandon

On 10/15/2015 02:52 AM, Tirumaleswar Reddy (tireddy) wrote:
> I meant with this change an attacker by just knowing the ufrag can now
> launch an attack on the TURN server and on the endpoint by sending
> spoofed ICE requests with valid ufrag but invalid message-integrity, and
> can use any source IP address and possibly launch DDOS attack, TURN
> server will just forward those ICE requests to the endpoint.
>
> -Tiru
>
> *From:*Justin Uberti [mailto:juberti@google.com]
> *Sent:* Thursday, October 15, 2015 11:38 AM
> *To:* Tirumaleswar Reddy (tireddy)
> *Cc:* Brandon Williams; tram@ietf.org
> *Subject:* Re: [tram] Fwd: New Version Notification for
> draft-williams-tram-ufrag-permission-00.txt
>
> DDOS of spoofed ICE requests can happen already against the host/srflx
> candidate, so unclear this is a real-world problem.
>
> On Wed, Oct 14, 2015 at 7:39 PM, Tirumaleswar Reddy (tireddy)
> <tireddy@cisco.com> wrote:
>
> To handle DDOS attack of spoofed ICE requests, did you consider the
> option of signaling the endpoint's short-term password to TURN server so
> as to block those ICE requests?
> draft-jennings-behave-rtcweb-firewall-01 and this draft are both
> discussing STUN inspection on firewalls and TURN servers but in
> different ways to solve different problems.
>
> -Tiru
>
>
>  > -----Original Message-----
>  > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Brandon Williams
>  > Sent: Thursday, October 15, 2015 2:27 AM
>  > To: tram@ietf.org
>  > Subject: [tram] Fwd: New Version Notification for
>  > draft-williams-tram-ufrag-permission-00.txt
>  >
>  > I just posted the below referenced draft. It's focused on improving the speed
>  > of relayed ICE connectivity checks by defining a new type of permission that
>  > makes use of the offerer's ICE ufrag.
>  >
>  > We will appreciate your comments.
>  >
>  > Thanks,
>  > --Brandon
>  >
>  >
>  > -------- Forwarded Message --------
>  > Subject: New Version Notification for
>  > draft-williams-tram-ufrag-permission-00.txt
>  > Date: Wed, 14 Oct 2015 13:49:35 -0700
>  > From: internet-drafts@ietf.org
>  > To: Brandon Williams <brandon.williams@akamai.com>, Brandon Williams
>  > <brandon.williams@akamai.com>, Justin Uberti <justin@uberti.name>,
>  > Justin Uberti <justin@uberti.name>
>  >
>  >
>  > A new version of I-D, draft-williams-tram-ufrag-permission-00.txt
>  > has been successfully submitted by Brandon Williams and posted to the IETF
>  > repository.
>  >
>  > Name:          draft-williams-tram-ufrag-permission
>  > Revision:      00
>  > Title:         Ufrag Permissions for Traversal Using Relays around NAT (TURN)
>  > Document date: 2015-10-14
>  > Group:         Individual Submission
>  > Pages:         9
>  > URL:           https://www.ietf.org/internet-drafts/draft-williams-tram-ufrag-permission-00.txt
>  > Status:        https://datatracker.ietf.org/doc/draft-williams-tram-ufrag-permission/
>  > Htmlized:      https://tools.ietf.org/html/draft-williams-tram-ufrag-permission-00
>  >
>  >
>  > Abstract:
>  >     When using a TURN relay, ICE connectivity checks require an explicit
>  >     permission or channel binding to be established for each peer address
>  >     to be checked.  This requires the answerer to send its candidate
>  >     addresses to the offerer via the rendezvous server, which can impose
>  >     a latency penalty when the rendezvous server is centrally located.
>  >     This document defines a new type of TURN permission that will allow
>  >     any ICE connectivity check message that contains the offerer's ufrag
>  >     value to be accepted on a relay address for delivery over the
>  >     associated TURN tunnel.
>  >
>  >
>  > Please note that it may take a couple of minutes from the time of submission
>  > until the htmlized version and diff are available at tools.ietf.org.
>  >
>  > The IETF Secretariat
>  >
>  >
>  >
>  > _______________________________________________
>  > tram mailing list
>  > tram@ietf.org
>  > https://www.ietf.org/mailman/listinfo/tram
>

-- 
Brandon Williams; Chief Architect
Cloud Networking; Akamai Technologies Inc.
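The trade-off argued in this thread (a ufrag permission lets the relay forward any connectivity check that carries the offerer's ufrag, whether or not its MESSAGE-INTEGRITY is valid, and Tiru's alternative of signaling the offerer's short-term password to the relay lets the relay drop the bad ones) can be made concrete with a small model of a TURN relay's inbound filter. The code below is an added example for this page; it is not from the thread, the draft, or any of its authors. It assumes STUN short-term credentials as in RFC 5389 (HMAC-SHA1 keyed by the password), an ICE USERNAME of the form recipient-ufrag:sender-ufrag as in RFC 5245, with the request keyed by the recipient's password, and that the draft's ufrag permission is matched against the recipient-ufrag component. `RelayAllocation`, `relay_accepts`, `demo`, the sample ufrags, passwords and addresses are all constructed here.

```python
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MAGIC_COOKIE = 0x2112A442  # STUN constants (RFC 5389)
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
Attrs = Dict[int, Tuple[int, bytes]]  # attribute type -> (offset in message, value)

def build_binding_request(username: str, password: Optional[str],
                          txid: Optional[bytes] = None) -> bytes:
    """Binding request with USERNAME and, if a password is given, MESSAGE-INTEGRITY."""
    txid = txid if txid is not None else os.urandom(12)
    uname = username.encode()
    attrs = struct.pack("!HH", ATTR_USERNAME, len(uname)) + uname + b"\x00" * (-len(uname) % 4)
    if password is None:
        return struct.pack("!HHI", BINDING_REQUEST, len(attrs), MAGIC_COOKIE) + txid + attrs
    # HMAC-SHA1 over the header (length already counting the 24-byte MI attribute) and preceding attrs.
    header = struct.pack("!HHI", BINDING_REQUEST, len(attrs) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(password.encode(), header + attrs, hashlib.sha1).digest()
    return header + attrs + struct.pack("!HH", ATTR_MESSAGE_INTEGRITY, 20) + mac

def parse_stun(msg: bytes) -> Tuple[int, bytes, Attrs]:
    """Return (message type, transaction id, attributes); ValueError if not STUN."""
    if len(msg) < 20:
        raise ValueError("short STUN header")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) != 20 + length or mtype & 0xC000:
        raise ValueError("not a STUN message")
    attrs: Attrs = {}
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        value = msg[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        attrs[atype] = (off, value)
        off += 4 + alen + (-alen % 4)  # values are padded to a 4-byte boundary
    return mtype, msg[8:20], attrs

def verify_message_integrity(msg: bytes, attrs: Attrs, password: str) -> bool:
    """Recompute the HMAC over everything before MESSAGE-INTEGRITY (RFC 5389 15.4)."""
    if ATTR_MESSAGE_INTEGRITY not in attrs:
        return False
    off, mac = attrs[ATTR_MESSAGE_INTEGRITY]
    covered = msg[:2] + struct.pack("!H", off - 20 + 24) + msg[4:off]
    expected = hmac.new(password.encode(), covered, hashlib.sha1).digest()
    return len(mac) == 20 and hmac.compare_digest(expected, mac)

@dataclass
class RelayAllocation:
    """Inbound-permission state for one TURN allocation (constructed model)."""
    address_permissions: Set[str] = field(default_factory=set)     # RFC 5766 peer addresses
    ufrag_permissions: Set[str] = field(default_factory=set)       # offerer ufrags (the draft)
    ufrag_passwords: Dict[str, str] = field(default_factory=dict)  # ufrag -> password, if signaled

def relay_accepts(alloc: RelayAllocation, src_ip: str, payload: bytes) -> Tuple[bool, str]:
    """Decide whether the relay forwards an inbound datagram to its client."""
    if src_ip in alloc.address_permissions:
        return True, "address permission"
    try:
        mtype, _txid, attrs = parse_stun(payload)
    except ValueError:
        return False, "no address permission and not STUN"
    if mtype != BINDING_REQUEST or ATTR_USERNAME not in attrs:
        return False, "no address permission and not a connectivity check"
    # ICE (RFC 5245) forms USERNAME as <recipient ufrag>:<sender ufrag>, so the
    # ufrag permission is matched against the part before the colon.
    recipient_ufrag = attrs[ATTR_USERNAME][1].decode(errors="replace").split(":", 1)[0]
    if recipient_ufrag not in alloc.ufrag_permissions:
        return False, "no permission for ufrag %r" % recipient_ufrag
    password = alloc.ufrag_passwords.get(recipient_ufrag)
    if password is None:
        # Draft behaviour: a permitted ufrag is enough; integrity is left to the client.
        return True, "ufrag permission (integrity not checked by relay)"
    if verify_message_integrity(payload, attrs, password):
        return True, "ufrag permission, MESSAGE-INTEGRITY verified"
    return False, "ufrag permission but MESSAGE-INTEGRITY failed"

def demo() -> Dict[str, bool]:
    """Constructed scenario: offerer ufrag 'offerA' with password 'offerPw'."""
    alloc = RelayAllocation(ufrag_permissions={"offerA"})
    checks = {
        "genuine": build_binding_request("offerA:answB", "offerPw"),
        "forged": build_binding_request("offerA:answB", "guess"),  # right ufrag, wrong key
        "forged_no_mi": build_binding_request("offerA:answB", None),
    }
    out = {}
    for name, pkt in checks.items():
        out[name + "_ufrag_only"] = relay_accepts(alloc, "203.0.113.9", pkt)[0]
    alloc.ufrag_passwords["offerA"] = "offerPw"  # the option raised in the thread
    for name, pkt in checks.items():
        out[name + "_with_password"] = relay_accepts(alloc, "203.0.113.9", pkt)[0]
    return out
```

Running `demo()` shows the two positions side by side: with a ufrag permission alone, all three checks reach the client, so the client still does its own MESSAGE-INTEGRITY check and absorbs the same flood it would under an address permission, which is Brandon's point; with the offerer's password signaled to the relay, the two forged checks are dropped at the relay and only the genuine one is forwarded, which is what Tiru's option buys, at the cost of handing the relay a credential the client would otherwise keep to itself.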