IETF Logo Mail Archive

Re: [tram] Transport of ICMP errors in TURN

Marc Petit-Huguenin <petithug@acm.org> Thu, 27 August 2015 11:36 UTC

Return-Path: <petithug@acm.org>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B4B301B3B80 for <tram@ietfa.amsl.com>; Thu, 27 Aug 2015 04:36:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.236
X-Spam-Level:
X-Spam-Status: No, score=-1.236 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nhMWcotrhhbt for <tram@ietfa.amsl.com>; Thu, 27 Aug 2015 04:36:04 -0700 (PDT)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id 048931B3B7C for <tram@ietf.org>; Thu, 27 Aug 2015 04:36:04 -0700 (PDT)
Received: from [IPv6:2602:61:7515:ec00:4cc7:99e8:efbc:2ca9] (unknown [IPv6:2602:61:7515:ec00:4cc7:99e8:efbc:2ca9]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (Client CN "Marc Petit-Huguenin", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 63AF920415; Thu, 27 Aug 2015 13:36:02 +0200 (CEST)
To: "Pal Martinsen (palmarti)" <palmarti@cisco.com>, Simon Perreault <sperreault@jive.com>
References: <55DD94FF.7080400@acm.org> <55DDB133.6090608@jive.com> <A8F8D0A4-C847-4F3E-B5A3-45DA47CB95D9@cisco.com>
From: Marc Petit-Huguenin <petithug@acm.org>
X-Enigmail-Draft-Status: N1110
Message-ID: <55DEF61F.8070809@acm.org>
Date: Thu, 27 Aug 2015 05:35:59 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.1.0
MIME-Version: 1.0
In-Reply-To: <A8F8D0A4-C847-4F3E-B5A3-45DA47CB95D9@cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/kDXvBeaR3U9VCIE4pz6QxUWCQmY>
Cc: "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Transport of ICMP errors in TURN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 11:36:05 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 08/27/2015 04:29 AM, Pal Martinsen (palmarti) wrote:
> 
> On 26 Aug 2015, at 14:29, Simon Perreault
> <sperreault@jive.com<mailto:sperreault@jive.com>> wrote:
> 
> Le 2015-08-26 06:29, Marc Petit-Huguenin a écrit : During the
> presentation of the Path MTU Discovery Using STUN draft in Prague,
> there was some discussion on how ICMP can be received by the client
> when the PMTUD probes are sent through a TURN server.  Which reminded
> me that I worked on that problem when I proposed PMTUD over STUN,
> back in 2008.  That was the case, according to my notes, but in fact
> the idea of tunneling the ICMP packets through the TURN server was
> proposed the year before, but for a different reason:
> 
> https://mailarchive.ietf.org/arch/msg/behave/76pAtymXlAtF5SoD0rgoFECf2Fg
>
>  So my proposal is to add this into turnbis.  I can provide text.
> 
> RFC 5766 section 2.6
> <https://tools.ietf.org/html/rfc5766#section-2.6> explains that ICMP
> not being relayed was a design decision to make it possible to run a
> TURN server as an unprivileged user. That conclusion is wrong for two
> reasons:
> 
> - With the BSD sockets API, some ICMP errors are translated into
> recv() error codes. This means that it is always possible to relay at
> least some subset of ICMP errors. (Not sure for TCP or IPv6, I’d need
> to check.)
> 
> 
> It is possible by creating a new listen socket.
> 
> See:
> https://tools.ietf.org/html/draft-martinsen-tram-stuntrace-01#appendix-A.2
>
>  The code described in that ID works well and we have implemented it
> in most of our hard and soft clients. Not sure about any performance
> issues when doing this on the server side though.
> 
> The STUNTrace ID is not a TRAM draft anymore. We will ask for it to
> be AD sponsored, just need to have some more discussion in the
> security section regarding information leakage. This is particular
> hard in the intersection network troubleshooting and end user
> privacy. If you got any concerns or ideas please ping me. (Or maybe
> we can have chair approval to have the discussion on this list? If
> any that is..)
> 
> 
> - On Linux, which dominates the market of TURN server, one can
> receive all ICMP errors as an unprivileged user with the
> IP(V6)_RECVERR socket option.
> 
> So my conclusion is: yes, please. :)
> 
> +1
> 
> But we need to carefully describe the security pitfalls. Some people
> might already be using a TURN server as mean to hide their “true” IP
> address. Any changes in the TURN spec that introduces a change in the
> server behaviour that affects the privacy aspect might potentially be
> risk to some users.
> 

Can you elaborate on this? The proposed extension is to have the server send to the client an indication message that wraps the information for ICMP packets received by the server with only type 3, and perhaps type 12 for ICMPv4 and 1, 2 and 3 for ICMPv6, and that match a permission and contain an UDP header.

This indication message will contain a XOR-MAPPED-ADDRESS attribute that contains the same IP address/port that was in the CreatePermission/Send messages sent by the client (or in the CHANNEL-BIND request if channels are used).  There is no additional information leaked here.

Then the indication message should also contain a new attribute that contains the ICMP error.  That also does not reveal anything about the identity of the sender of the packet that triggered this ICMP packet.

- -- 
Marc Petit-Huguenin
Email: marc@petit-huguenin.org
Blog: http://blog.marc.petit-huguenin.org
Profile: http://www.linkedin.com/in/petithug
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJV3vYaAAoJECnERZXWan7E+3MQAJiJa8dF1LLFw9edwiGE6jX6
EIDiXOcTQIc6UBB9t+JTJcKPaSFD28khEenOY6fMCG9b3VDKuFWxEKi6d8yWTUp5
Ijhr50sugfmLiS53+jAQEM5RiffJD+3pCcktRJn2Hjy2TNOu1ouPOhXtq/+EQXlX
PC3j+qFoIYK1OM0cJiRH3DkGPgjNjgy0mQzOfoaSVC2AbCz8swbgj2rwuywyRy42
cfIuqmUhD5lfp52Gt7pRI8aKlKeN3CKGQOf4LViO0JT+pi9Z50QKI/0hwOmF0Pz1
I79iT1wt6V4JP7lCatdUk0r5zteXJIO/sUJXWvgmUtv/ginI1i9sV3GwcSBrYBP9
O0NhEhRho/RIK+v4HvbHoUWn9Wr606rh44gVgDyoIYv04Yvte0i/wt/6UPSh5XeZ
pMhBKcs8vsdhT6Q4fFE45IFtRDCVrhCT/hC6CRDvSCGkw0VW+98eZdsOJGuLTKan
e6DWcHFV7tB1/aOr8jDsIyDjNnY4FGN1BfYtF7LqGdE+jNkSkCiDDV7Hd9QeG9vu
VUlm5D9z6LBuHGbmuNHOmrZP8zi858XQa9Ta/3UKbotO8XErgEGv+dzRKXp/KpaI
pTf2xry4tWNBdpiar3L9uG1qaUQRW47lk22N/XQvQJAGIPAuPxoAWSiGIMNp2jPu
803fI2FWofeSyGmPpUN9
=OkNS
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email