IETF Logo Mail Archive

Re: [tram] Alissa Cooper's Discuss on draft-ietf-tram-stun-origin-05: (with DISCUSS)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 12 May 2015 01:14 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F16421A8992; Mon, 11 May 2015 18:14:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zVmo4SJ4FCpD; Mon, 11 May 2015 18:14:28 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A4A61A1BA4; Mon, 11 May 2015 18:14:28 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 4A281BED5; Tue, 12 May 2015 02:14:26 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LCi5ddJONZEY; Tue, 12 May 2015 02:14:25 +0100 (IST)
Received: from [10.87.48.73] (unknown [86.46.19.109]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 0FE72BEB5; Tue, 12 May 2015 02:14:25 +0100 (IST)
Message-ID: <555153F0.4050204@cs.tcd.ie>
Date: Tue, 12 May 2015 02:14:24 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0
MIME-Version: 1.0
To: Alissa Cooper <alissa@cooperw.in>, Oleg Moskalenko <mom040267@gmail.com>
References: <20150511233012.17046.42319.idtracker@ietfa.amsl.com> <CALDtMr+x2Mi8v0jwFUscryccjc7Zf0o-mPo64S2dpHPqnnoXUA@mail.gmail.com> <A14F5400-21EB-4EE0-B988-CDA929EAE5A2@cooperw.in>
In-Reply-To: <A14F5400-21EB-4EE0-B988-CDA929EAE5A2@cooperw.in>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/R2pQ9b8w3FTQONDU2skulvDagBI>
Cc: tram-chairs@ietf.org, "tram@ietf.org" <tram@ietf.org>, draft-ietf-tram-stun-origin.shepherd@ietf.org, draft-ietf-tram-stun-origin.ad@ietf.org, Simon Perreault <sperreault@jive.com>, IESG <iesg@ietf.org>, draft-ietf-tram-stun-origin@ietf.org
Subject: Re: [tram] Alissa Cooper's Discuss on draft-ietf-tram-stun-origin-05: (with DISCUSS)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 May 2015 01:14:31 -0000

Hiya,

On 12/05/15 01:43, Alissa Cooper wrote:
>>> 
>>> if the client is lying, then the request will not be
>>> authenticated and it will be rejected - because the client's
>>> credentials will be incorrect.
>
> My question was about requests without authentication, as I said. I
> assume the origin is not used for authentication in that case, since
> authentication is not performed.
>

There's also this issue. If user credentials can collide over >1
"realm" (where authentication realm means in the HTTP basic/digest
sense) then those are almost certainly human memorable (why else
could they collide with non-negligible probability?) and in the
case of STUN/TURN and, in particular, WebRTC, setting up to use
human memorable credentials is just basically broken given that
the humans aren't actually logging in to the STUN/TURN server.

So I actually doubt the supposed security benefit even when the
web-origin is pre-emptively sent as an authentication realm (in
the HTTP basic/digest sense) just in case authentication with a
STUN/TURN server is later required. And pre-emptively sending
has the privacy downside that is recognised in the draft and
as previously noted.

Put another way: if a WebRTC server cannot arrange to use high
entropy credentials with a STUN/TURN server then perhaps we're
just promoting the wrong authentication scheme(s) and maybe
also prioritising avoiding the wrong code changes? (Some code
change being required in all cases.)

So if there is a real reason why there ought be a well designed
scheme for WebRTC with a non-negligible probability of credential
collision then I'd like to hear about it. (I'm not saying that's
impossible, but dumb old me can't figure it out;-)

Or perhaps we're conflating user authentication with other
protocol features (e.g. multi-tenant support) in a way that does
unnecessarily damage privacy for users?

S.

v2.23.0 | Report a Bug | By Email