Re: [tram] Allow TURN to forward inbound connectivity checks without permission

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 20 March 2018 14:33 UTC

Return-Path: <TirumaleswarReddy_Konda@mcafee.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 25A8F1200B9 for <tram@ietfa.amsl.com>; Tue, 20 Mar 2018 07:33:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.33
X-Spam-Level:
X-Spam-Status: No, score=-4.33 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mouFNVdAppUu for <tram@ietfa.amsl.com>; Tue, 20 Mar 2018 07:33:47 -0700 (PDT)
Received: from DNVWSMAILOUT1.mcafee.com (dnvwsmailout1.mcafee.com [161.69.31.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 696371200FC for <tram@ietf.org>; Tue, 20 Mar 2018 07:33:46 -0700 (PDT)
X-NAI-Header: Modified by McAfee Email Gateway (5500)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=s_mcafee; t=1521556411; h=From: To:CC:Subject:Thread-Topic:Thread-Index:Date: Message-ID:References:In-Reply-To:Accept-Language: Content-Language:X-MS-Has-Attach:X-MS-TNEF-Correlator: dlp-product:dlp-version:dlp-reaction:authentication-results: x-originating-ip:x-ms-publictraffictype:x-microsoft-exchange-diagnostics: x-ms-exchange-antispam-srfa-diagnostics:x-ms-office365-filtering-correlation-id: x-microsoft-antispam:x-ms-traffictypediagnostic: x-microsoft-antispam-prvs:x-exchange-antispam-report-test: x-exchange-antispam-report-cfa-test:x-forefront-prvs: x-forefront-antispam-report:received-spf:x-microsoft-antispam-message-info: spamdiagnosticoutput:spamdiagnosticmetadata: Content-Type:MIME-Version:X-MS-Exchange-CrossTenant-Network-Message-Id: X-MS-Exchange-CrossTenant-originalarrivaltime: X-MS-Exchange-CrossTenant-fromentityheader: X-MS-Exchange-CrossTenant-id:X-MS-Exchange-Transport-CrossTenantHeadersStamped: X-OriginatorOrg:X-NAI-Spam-Flag:X-NAI-Spam-Threshold: X-NAI-Spam-Score:X-NAI-Spam-Version; bh=D bhuvZeDWKS9/P+D/D1raCToqvY2Y8lpFQNwHbRjZI 0=; b=OAu2sc7fm1tFyzgBeczy48h3UIjZ3qtd8g8vwDzc3DZ1 mERL2pXvus7R90gwSlzA+fnyD7ERJJWiHfr7LBodsSeIzBjofS yJMViMr3UjMZVyCrDYu8xbC7PXKwoNHSUqrA7LmFM1dvI2xuww NvoPJwhwaKWC/iw8RjG8bUk73fA=
Received: from DNVEXAPP1N06.corpzone.internalzone.com (unknown [10.44.48.90]) by DNVWSMAILOUT1.mcafee.com with smtp (TLS: TLSv1/SSLv3,256bits,ECDHE-RSA-AES256-SHA384) id 6013_4486_9a0d197a_4196_45f8_81e1_b023702bf8f0; Tue, 20 Mar 2018 09:33:30 -0500
Received: from DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 20 Mar 2018 08:33:07 -0600
Received: from DNVEX10N01.corpzone.internalzone.com (10.44.82.192) by DNVEXAPP1N06.corpzone.internalzone.com (10.44.48.90) with Microsoft SMTP Server (TLS) id 15.0.1347.2 via Frontend Transport; Tue, 20 Mar 2018 08:33:07 -0600
Received: from DNVO365EDGE1.corpzone.internalzone.com (10.44.176.66) by DNVEX10N01.corpzone.internalzone.com (10.44.82.192) with Microsoft SMTP Server (TLS) id 14.3.361.1; Tue, 20 Mar 2018 08:33:07 -0600
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (10.44.176.242) by edge.mcafee.com (10.44.176.66) with Microsoft SMTP Server (TLS) id 15.0.1347.2; Tue, 20 Mar 2018 08:33:04 -0600
Received: from BN6PR16MB1425.namprd16.prod.outlook.com (10.172.207.19) by BN6PR16MB1715.namprd16.prod.outlook.com (10.172.28.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.609.10; Tue, 20 Mar 2018 14:33:05 +0000
Received: from BN6PR16MB1425.namprd16.prod.outlook.com ([10.172.207.19]) by BN6PR16MB1425.namprd16.prod.outlook.com ([10.172.207.19]) with mapi id 15.20.0588.017; Tue, 20 Mar 2018 14:33:05 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Nils Ohlmeier <nohlmeier@mozilla.com>, Simon Perreault <sperreault@jive.com>
CC: Cullen Jennings <fluffy@cisco.com>, Eric Rescorla <ekr@rtfm.com>, "tram@ietf.org" <tram@ietf.org>, Brandon Williams <brandon.williams@akamai.com>
Thread-Topic: [tram] Allow TURN to forward inbound connectivity checks without permission
Thread-Index: AQHTv3BE7H+lEDCzy0aE6LgkPsBdZKPYCNMAgAAflQCAAL9dgIAABGPggAAfy4CAAAOAAIAAIgBQ
Date: Tue, 20 Mar 2018 14:33:05 +0000
Message-ID: <BN6PR16MB14253EE9E98F221B88F3EDDFEAAB0@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <CANO7kWDd8NZ=svBONwzo6sE5YH3Y5MAdWFP2CQMiTg7M-b47AQ@mail.gmail.com> <c9ef837c-bf7c-decb-9542-8a9ddeda67fd@akamai.com> <E3AB81FC-D841-47A6-A0E2-775461779770@mozilla.com> <CANO7kWA4tmK7Di59tsjvCBoDdh-jW83FxMpqQH1-iSPGLS=mpA@mail.gmail.com> <BN6PR16MB14253012D6A5EA47A700EE1FEAAB0@BN6PR16MB1425.namprd16.prod.outlook.com> <CANO7kWD3rpCOrgjcLrkVfh0ZF5nrDs+cRnB02VgMHHW1axSRMg@mail.gmail.com> <F93213AC-991F-42B9-89D4-1FFBD7A251D9@mozilla.com>
In-Reply-To: <F93213AC-991F-42B9-89D4-1FFBD7A251D9@mozilla.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.0.200.100
dlp-reaction: no-action
authentication-results: spf=none (sender IP is ) smtp.mailfrom=TirumaleswarReddy_Konda@McAfee.com;
x-originating-ip: [161.69.163.25]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR16MB1715; 7:FIQeQjcPUrLlru7p2kymr2eSthDaQRMAhYlHjCQqSYe2/2f9NxBpgZQj2x4LYbTlWvaWwwN4h6j+K3+POJpq5g888idtbfVmfAOg71Cy1Sx2pjh6p6wLBzwQJ/7GypgY/T0SxEZGEYvoQ/QZQTZw31RUBq/xrwlnjpUp+rgbJaIWJmJ5gMKiXXz0PBUVzMg3Fufn+rwNCU9yoac27DykH8nlZ+9VjVZOLlD8tH39TebmbIwjZs+75WQmUbR7t3GL
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 0188e392-2e83-4f0a-82c7-08d58e6f7e97
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(4604075)(3008032)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BN6PR16MB1715;
x-ms-traffictypediagnostic: BN6PR16MB1715:
x-microsoft-antispam-prvs: <BN6PR16MB1715A9CB2F2AFA600AE6BA7BEAAB0@BN6PR16MB1715.namprd16.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(192374486261705)(95692535739014)(21748063052155)(123452027830198);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(10201501046)(93006095)(93001095)(3231221)(944501244)(52105095)(6041310)(20161123562045)(20161123560045)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:BN6PR16MB1715; BCL:0; PCL:0; RULEID:; SRVR:BN6PR16MB1715;
x-forefront-prvs: 061725F016
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(346002)(39380400002)(396003)(366004)(39860400002)(377424004)(32952001)(199004)(189003)(7696005)(2906002)(72206003)(3846002)(6116002)(790700001)(97736004)(81156014)(8676002)(80792005)(99286004)(2900100001)(59450400001)(4326008)(53546011)(3660700001)(6506007)(25786009)(66066001)(14454004)(86362001)(93886005)(478600001)(76176011)(110136005)(3280700002)(316002)(102836004)(74316002)(106356001)(55016002)(105586002)(6246003)(26005)(54906003)(68736007)(33656002)(77096007)(7736002)(53936002)(186003)(19609705001)(229853002)(236005)(6436002)(8936002)(9686003)(54896002)(6306002)(5660300001)(2950100002)(81166006)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR16MB1715; H:BN6PR16MB1425.namprd16.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: McAfee.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: cDAqpEASl+GBYe+IvrI+IpIsABJRfNoDI1rPgt8KDqUL15vTVyql0q6/huavK201adzt1mHZOYEndG1hqTx/bV7Qa7XmOMkGZKnW+YRWb+AUj9x4oFG0SDw9zXC2Bo5VglKnGCVcDXXGDtyBi+fE3Hz/++cLVstW/78Xxq3gEFLFaXnfhkzohel/4zn2nAKrG0598D5WjGyHn3mNhnV++fgP7S5FVGRHh2JkTeEalwOnccmSwkuGv0S2irtXmbTBOVXAK+FMhwdVPhTDp453yuns6iBatgLSXsKkeKy4V3QYslPZrOwxksOqhKp7RFO8ILP2PiDj27UDKPDmmP+38w==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN6PR16MB14253EE9E98F221B88F3EDDFEAAB0BN6PR16MB1425namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 0188e392-2e83-4f0a-82c7-08d58e6f7e97
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Mar 2018 14:33:05.8095 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR16MB1715
X-OriginatorOrg: mcafee.com
X-NAI-Spam-Flag: NO
X-NAI-Spam-Threshold: 15
X-NAI-Spam-Score: 0
X-NAI-Spam-Version: 2.3.0.9418 : core <6246> : inlines <6507> : streams <1781750> : uri <2611680>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/eHuK5W6PoVE6GmfTOnppelmMHvI>
Subject: Re: [tram] Allow TURN to forward inbound connectivity checks without permission
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 14:33:50 -0000

Agreed, it’s not a blocker but needs to be discussed in the Security Considerations section.

-Tiru

From: Nils Ohlmeier [mailto:nohlmeier@mozilla.com]
Sent: Tuesday, March 20, 2018 12:30 PM
To: Simon Perreault <sperreault@jive.com>
Cc: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>om>; Cullen Jennings <fluffy@cisco.com>om>; Eric Rescorla <ekr@rtfm.com>om>; tram@ietf.org; Brandon Williams <brandon.williams@akamai.com>
Subject: Re: [tram] Allow TURN to forward inbound connectivity checks without permission




On Mar 20, 2018, at 12:17, Simon Perreault <sperreault@jive.com<mailto:sperreault@jive.com>> wrote:

2018-03-20 10:31 GMT+00:00 Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@mcafee.com<mailto:TirumaleswarReddy_Konda@mcafee.com>>:
the TURN client could be subjected to DDoS attack (e.g. spoofed STUN packets from attackers, client wastes cycles validating the message integrity, and could also be subjected to bandwidth-hogging attack).

That would be new to TURN, but not new to the client: NAT pinholes, created with STUN or otherwise, expose the client similarly. So while this is certainly worth mentioning in the security considerations section, I don't see this as a blocker.

I also can't think of a way that this could be exploited to mount any kind of practical attack against a specific target…

I guess you could divide this into three categories:

- the TURN client is an ICE agent, which needs to be prepared to handle any incoming traffic already any way
- the TURN client is not an ICE agent, but a STUN client, and as Simon pointed out needs to be prepared to receive traffic through the pin holes it created
- the TURN client is purely a TURN client and only ever expected to get traffic back from the TURN relay

I would assume the last scenario is not very common, but I don’t have any numbers to back that up.
I think Simon is right that it’s worth mentioning in the security considerations.

Best
  Nils Ohlmeier