Re: [tram] Review of draft-ietf-tram-auth-problems-00
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Wed, 30 April 2014 02:15 UTC
Return-Path: <tireddy@cisco.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E41481A093E for <tram@ietfa.amsl.com>; Tue, 29 Apr 2014 19:15:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.152
X-Spam-Level:
X-Spam-Status: No, score=-15.152 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eHSa0sonn1jw for <tram@ietfa.amsl.com>; Tue, 29 Apr 2014 19:15:40 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) by ietfa.amsl.com (Postfix) with ESMTP id 2643D1A0949 for <tram@ietf.org>; Tue, 29 Apr 2014 19:15:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6013; q=dns/txt; s=iport; t=1398824139; x=1400033739; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=WfcH+FYwBb5T7052Kw3/WMbx1YXwOoWMNhCyLXlq5uY=; b=cMPC5TIYK/y4+vhyqE07sYho2EdfctzqC2YQOl/9qRNoI0AoSvY1pUcz xIt2w6c2ARlJ1gdFFo5aKrwcq9ldu98P0watWSVQ8iCeQIaDMOZ/Zbmsd RnpJfM2ojuBHMrVkoS8W/7XAVnPhj5dqWagdgHMPNdtCHuDM1ykDwV8Dt U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ak8FAP5bYFOtJV2Y/2dsb2JhbABPCoMGT1e9Loc5gSYWdIIlAQEBAgEBAQEBNzQQBwYBCBEEAQELDgYJLgsUCQkBBAESCAGIMAgNygoXjWMQKz4SgwyBFQSaTJEngzGBcjk
X-IronPort-AV: E=Sophos;i="4.97,955,1389744000"; d="scan'208";a="321346965"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-5.cisco.com with ESMTP; 30 Apr 2014 02:15:38 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com [173.37.183.83]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id s3U2FcnX007950 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 30 Apr 2014 02:15:38 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.104]) by xhc-rcd-x09.cisco.com ([173.37.183.83]) with mapi id 14.03.0123.003; Tue, 29 Apr 2014 21:15:38 -0500
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Marc Petit-Huguenin <marcph@getjive.com>, "tram@ietf.org" <tram@ietf.org>
Thread-Topic: [tram] Review of draft-ietf-tram-auth-problems-00
Thread-Index: Ac9kGg/YNCKChplNTCa+JC7TIfSJYA==
Date: Wed, 30 Apr 2014 02:15:38 +0000
Message-ID: <913383AAA69FF945B8F946018B75898A2431E0B5@xmb-rcd-x10.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.65.70.32]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tram/Qnp6n0lm1zTOHzHYMnnZ2Ch0Gy0
Subject: Re: [tram] Review of draft-ietf-tram-auth-problems-00
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Apr 2014 02:15:45 -0000
Hi Marc, Thanks for the review. Please see inline > -----Original Message----- > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Marc Petit-Huguenin > Sent: Friday, April 18, 2014 8:27 PM > To: tram@ietf.org > Subject: [tram] Review of draft-ietf-tram-auth-problems-00 > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > A1. 1. Title "Problems with STUN Authentication for TURN > > I would suggest to change the title to "Problems with STUN long-term > Authentication for TURN", as the STUN short-term authentication is not > discussed in this draft. TURN only uses long-term authentication, so > "Problems with TURN Authentication" is fine too. Changed the title to "Problems with STUN long-term Authentication for TURN". (The 00 version of the draft had the title "Problems with TURN Authentication" (https://tools.ietf.org/html/draft-reddy-behave-turn-auth-00) but based on the comments received in BEHAVE WG that TURN is only using the long-term authentication mechanism provided by STUN, the title of the draft was changed in 01 version.) > > A2. Section 1. Introduction, first paragraph. > > I think that this paragraph puts too much emphasis on WebRTC. WebRTC > is the reason people are finding issues with the authentication, but > it is not the reason for the issues. Yes, updated the draft. > > A3. Section 2. Notational Conventions > > This is an informational draft, so RFC 2119 key words (and the > reference) do not need to be defined. besides, none of them are used > in the document. Ok, removed. > > A4. Section 4. Title > > Replace with "Problems with usage of long-term STUN Authentication" Ok. > > A5. Section 4, fourth bullet. > > This is an man-in-the-middle attack, so the text should say so. Updated. > > A6. Section 4, 5th bullet > > Note that this applies only to the TCP and UDP transports, as SNI can > be used to select the tenant/realm when TLS or DTLS is used. The need for ORIGIN attribute even if D{TLS} is used is discussed in http://tools.ietf.org/html/draft-johnston-tram-stun-origin-02 > > A7. Section 4, 6th bullet. "This exposes the user credential to the > Javascript which could be malicious". > > It is only a problem if somehow the web server sends a user/password > that can be used to access something else than the TURN server > resources. It is not a problem created by the long-term > authentication, but by bad code or misconfiguration on the server > side. The problem is that long-term credentials (username/password) must be exposed to the java script code which could be malicious. For example refer to the sample java script code in slide 2 of http://www.ietf.org/proceedings/87/slides/slides-87-behave-10.pdf where RTCPeerConnection API needs the client username/password. The credentials could be leaked by a malicious java script, thus resulting in TURN server access to be misused. > If you really insist on saying something about this, it should > about how long-term authentication creates the possibility that a web > server sends credentials that can be reused elsewhere. I think that > the 3rd bullet as the same issue: Privacy leakage is not a > consequence of using long-term authentication, but of using usernames > that can be matched with a real person or that can be reused to access > other resources. Agreed. NEW: 3. The long-term credential mechanism in [RFC5389] requires that the TURN client must include username value in the USERNAME STUN attribute. An adversary snooping the TURN messages between the TURN client and server can identify the users involved in the call resulting in privacy leakage. If TURN usernames are linked to real usernames then it will result in privacy leakage, but in certain scenarios TURN usernames need not be linked to any real usernames given to users as they are just provisioned on a per company basis. .... .... 7. In WebRTC the Javascript code needs to know the username and password to use in W3C RTCPeerConnection API to access the TURN server. This exposes the user credentials to the Javascript which could be malicious. The malicious java script could misuse or leak the credentials. If the credentials happen to be used for accessing services other than TURN then the security implications are much larger. > > A7. Section 8. References > > I think that because this is an Informational document, all the > references must be Informative. I think informational document can have normative references. For example check RFC7152, RFC 6819. > > > Nits > ==== > > - - Section 1. 4th bullet "ICE connectivity checks using > server-reflexive candidate" > > The exact terminology in RFC 5245 is "server reflexive". Updated. > > - - Section 4, second paragraph "...is deployed in DMZ..." > > Expand the initialism. Ok. > > - - Section 4, sixth bullet > > s/Javascript needs be know/JavaScript code needs to know/ Fixed. Thanks and Regards, -Tiru > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > > iQEcBAEBAgAGBQJTUT1DAAoJEMUNRP98lsiX2j8IAI887pQ2p5EpzjjjHXHykUe1 > mDfUX1wjs5YO7067sWV0s7gHev5G9h6NIo4fjQ8JNNmng3WkBn6hPT1k3HXz4KE > d > CpHFiihPMvjstjUv6AUtAF4igiRO2V4rkCbiHzxXt268+QTnW3Whzsjlq01pD6Pj > RZcCBE/ASHy+8wUdV+CpF6ZHFU6+165pajiaEusMfrCLAqlin/Rj3aRBBe+s7/s7 > yrHTlsQzEYPKdAvi6qD0MlZ6+/jtari0VJhQA5/fvHsa+3GA6/z9h5nACfXI+yh2 > j9So3/qD90njHQFtxQXvspKasYagZjwO93RxLzIYKVy2BDMHlmsGL7wJ62Vo55o= > =YfrU > -----END PGP SIGNATURE----- > > _______________________________________________ > tram mailing list > tram@ietf.org > https://www.ietf.org/mailman/listinfo/tram
- [tram] Review of draft-ietf-tram-auth-problems-00 Marc Petit-Huguenin
- Re: [tram] Review of draft-ietf-tram-auth-problem… Tirumaleswar Reddy (tireddy)
- Re: [tram] Review of draft-ietf-tram-auth-problem… Marc Petit-Huguenin