Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
Eric Rescorla <ekr@rtfm.com> Mon, 18 June 2018 17:44 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7D60130E08 for <tram@ietfa.amsl.com>; Mon, 18 Jun 2018 10:44:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ai4gevWdfJvX for <tram@ietfa.amsl.com>; Mon, 18 Jun 2018 10:44:05 -0700 (PDT)
Received: from mail-ot0-x243.google.com (mail-ot0-x243.google.com [IPv6:2607:f8b0:4003:c0f::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2748912872C for <tram@ietf.org>; Mon, 18 Jun 2018 10:44:05 -0700 (PDT)
Received: by mail-ot0-x243.google.com with SMTP id a5-v6so19442566otf.12 for <tram@ietf.org>; Mon, 18 Jun 2018 10:44:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=5awIXE/Pt5DYf8U7R/Agy7+3aLJQBOP5duDQ/27QkG8=; b=WWruUiYoW1+HAMWmtO/7OMMlpuoS/gE3io/EYAF2ktXVgCRmj1THk5+hTfy6aGofvR dvgs1sM2Mh6NY9f7qB+wV8yPWdRyBu2QLpMAk7IB4z8IjhncfAzBNb4KzbEAOkRPScxX EEBkoeSXUoVmkdhp+dVbQW4S4HxdCPJYgYOMX+09ftqJTKVLlVDdfloVjImJSZSd46TV amt0W5tJXiSl/6gSr/5yQa7ou6v63Hn0xVErwt05JVQrC5I5DKXpZh+l1TUu9JDFu0gd zI3zT8ue/vbimKteShHM+PZjoK/I/qya5mtqUECNqRrCVCbYOAXdiL1poL4NKm7Gnw0E +Asw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=5awIXE/Pt5DYf8U7R/Agy7+3aLJQBOP5duDQ/27QkG8=; b=oRC9O7MXbIcACqOJXdhblPQ5LdFyLQEeCFHP838k5V7R29HGMd4DWQf4USkm4lmzml PlkECz5Xl2i1URjjC0loutnwfuFJLE4nu+3u6tWrTEQ74FXO6XbOXlObzy9R142c15Si FSeHtKHCoZDJeSOoyZ9V+CtrUJzN9S/AoMsxgiqwOv685ia6+lROxMRD2bJXrkK1MESv R6Zzjhd1dCP63qAl3umy2bdcpbmG1d1+XDLv6vo1CGDNGpWtrNR782Z2HFMNEkbjsXgg W0oqhCQUbuZWHZIv5Khq45cLi74xPGPJJMoSLG1t6C2GmPo8mYO22R04bLdqwV8lwshP 24rA==
X-Gm-Message-State: APt69E1I1b6UDaJbqgywFzYW7sWPwawj8HEF1WVv0Rgsg64sWz5jqQb/ 61vwN6JGgwMEAt3uOfOqrgSdpokiEipYqmA/v5C6Ow==
X-Google-Smtp-Source: ADUXVKJhM1RU8Vn97ChFAbdShoZM0Qz03b6hpYT/xvpkU1t6CqfYLnAv9wqziUXME4n9q1+rnZsr1Mil3aFni1/bdQI=
X-Received: by 2002:a9d:42b0:: with SMTP id r45-v6mr9132470ote.44.1529343844495; Mon, 18 Jun 2018 10:44:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ac9:3a8a:0:0:0:0:0 with HTTP; Mon, 18 Jun 2018 10:43:24 -0700 (PDT)
In-Reply-To: <235b838f-2800-2cd0-8b01-947e70837619@ericsson.com>
References: <152390863222.19652.10310304989315386136.idtracker@ietfa.amsl.com> <c0a06754-6f8c-97dc-7f7e-26a7df43e842@acm.org> <CABcZeBNk4KWA1Bzw7=i=Siie_6Vf7v-v2cfDyA4WvSAE2D9hrA@mail.gmail.com> <02569943-db8f-654e-7322-49bc1f1a1163@acm.org> <CABcZeBN2=a90qbgo8MkihVFpO2bBzi2Ceepj3UpXVxAZJKJrxg@mail.gmail.com> <235b838f-2800-2cd0-8b01-947e70837619@ericsson.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 18 Jun 2018 10:43:24 -0700
Message-ID: <CABcZeBMn1G8BT13bx3JTs04zwQk8K72+btj=xwC662F5AcANXg@mail.gmail.com>
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
Cc: Marc Petit-Huguenin <petithug@acm.org>, tram-chairs@ietf.org, tram@ietf.org, tasveren@rbbn.com, The IESG <iesg@ietf.org>, draft-ietf-tram-stunbis@ietf.org
Content-Type: multipart/alternative; boundary="000000000000974342056eee1cde"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/nmH1--UwkP8czxx8FtW6VTDU2YQ>
Subject: Re: [tram] Eric Rescorla's Discuss on draft-ietf-tram-stunbis-16: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jun 2018 17:44:10 -0000
Hi folks, I've reviewed the new version, but I don't think that the biddown discussion makes much sense. To recap, there are two hashes here: - The hash which you use to store the password with (currently mostly MD5) - The hash you use to compute the MAC (currently SHA-1). First, let's stipulate that MD5 isn't a great choice here, though SHA-1 isn't a great choice either for pwd hashing You want Argon or the like. With that said, there's no sensible biddown attack on that hash because it's a per-server feature, not a per-transaction feature. So, as long as the server has MD5-hashed passwords, the situation is bad. The second topic is the hash used to compute the MAC. However, I don't see how this gives you sensible biddown protection because that hash is also used to compute MAC over the negotiation: an attacker who has compromised a MAC which the server supports will quite likely be able to forge a MAC over the transcript as well. This is, I suppose, potentially useful as a defense against some other weakness (e.g., version #), but I don't really see how the current design helps against attacks on the MAC. You might think that there was a MAC which was easier to reverse to find the original password, but the defense you have here doesn't help with that because the on-path attacker can do a bid-down and use the client as a MAC oracle for any MAC the client supports. So, I still don't understand what this is supposed to do. Happy to have a call if you think that helps -Ekr On Mon, Jun 18, 2018 at 3:40 AM, Gonzalo Camarillo < Gonzalo.Camarillo@ericsson.com> wrote: > Marc, Eric, > > what is the status of this discussion? > > Thanks, > > Gonzalo > > On 04/05/2018 2:35 AM, Eric Rescorla wrote: > > > > > > On Mon, Apr 23, 2018 at 11:16 AM, Marc Petit-Huguenin <petithug@acm.org > > <mailto:petithug@acm.org>> wrote: > > > > On 04/22/2018 05:22 PM, Eric Rescorla wrote: > > > On Sun, Apr 22, 2018 at 2:02 PM, Marc Petit-Huguenin < > petithug@acm.org <mailto:petithug@acm.org>> > > > wrote: > > > > > >> > > >>>> For a request or indication message, the agent MUST > include the > > >>>> USERNAME, MESSAGE-INTEGRITY-SHA256, and MESSAGE-INTEGRITY > > >> attributes > > >>>> in the message unless the agent knows from an external > indication > > >>>> which message integrity algorithm is supported by both > agents. In > > >>>> this case either MESSAGE-INTEGRITY or > MESSAGE-INTEGRITY-SHA256 MUST > > >>>> be included in addition to USERNAME. The HMAC for the > MESSAGE- > > >>> > > >>> This text appears to conflict with S 7.3 of 5245-bis, which says: > > >> > > >> [text missing] > > >> > > >> Hmm, no, RFC245bis is still referencing RFC5389, so the procedure > for > > >> stunbis does not apply. > > >> > > > > > > I hear what you're saying, but publishing two documents at the > same time > > > which > > > make contrary recommendations about the same basic protocol is > un-good. > > > > Sure, but wouldn't it be simpler to have rfc5245bis using stunbis > > and have them updating their text, more than adding some tortuous > > text in stunbis? > > > > > > > > > > >>> The STUN usage must specify which transport protocol is > used, and > > >> how > > >>>> the agent determines the IP address and port of the > recipient. > > >>>> Section 8 describes a DNS-based method of determining the > IP > > >> address > > >>>> and port of a server that a usage may elect to use. STUN > may be > > >> used > > >>>> with anycast addresses, but only with UDP and in usages > where > > >>>> authentication is not used. > > >>> > > >>> Why this restriction? You should be able to use anycast with > long-term > > >>> AUTH for (say) TURN. > > >> > > >> https://www.ietf.org/mail-archive/web/behave/current/ > msg03582.html > > <https://www.ietf.org/mail-archive/web/behave/current/msg03582.html> > > >> > > >> I think that the decision of permitting Anycast should be left to > each > > >> STUN Usage. Basic STUN Usage does not use authentication and use > only a > > >> one round trip for the Binding transaction, so Unicast can be > used. > > >> > > > > > >> OTOH, TURN and ICE should probably say something about that, so I > added a > > >> new bullet point in Section 13: > > >> > > >> o If Anycast addresses can be used for the server in case TCP > or > > >> TLS-over-TCP, or authentication are used. > > >> > > > > > > Are you leaving this text in? That seems very confusing. > > > > In isolation yes, but I think it makes sense which the text before > > the bullet points: > > > > A STUN usage defines how STUN is actually utilized -- when to send > > requests, what to do with the responses, and which optional > > procedures defined here (or in an extension to STUN) are to be > used. > > A usage also defines: > > > > [...] > > > > o If Anycast addresses can be used for the server in case TCP or > > TLS-over-TCP, or authentication are used. > > > > > > What is the need for the restriction at all. > > > > > > > > >>>> transaction over UDP or DTLS-over-UDP is also considered > failed if > > >>>> there has been a hard ICMP error [RFC1122]. For example, > assuming > > >> an > > >>>> RTO of 500ms, requests would be sent at times 0 ms, 500 > ms, 1500 > > >> ms, > > >>>> 3500 ms, 7500 ms, 15500 ms, and 31500 ms. If the client > has not > > >>>> received a response after 39500 ms, the client will > consider the > > >>>> transaction to have timed out. > > >>> > > >>> I note that these recommendations now seem crazily long. I > assume the > > >>> WG had consensus on this, but I wanted to note it. > > >> > > >> Not just the WG, also the IESG that approved RFC 5389 too as, but > for the > > >> addition of "or DTLS-over-UDP", this is the same text than in RFC > 5389. > > >> > > > > > > Yes, I know. My point is that while they might have bee sensible > when > > > 5389 was published they *now* seem crazily long. Did the WG > explicitly > > > decide not to update them? > > > > No, nobody ever suggested that there was an issue there. > > > > > > OK, well, this seems like it should be considered, then, because this > > doesn't > > match modern practice. > > > > > > > > > This would be good to explain. > > > > New text: > > > > [...] > > containing the subjectAltName of that certificate. The test on > the > > MESSAGE-INTEGRITY-SHA256 attribute indicates that the transaction > is > > authenticated and that the client implements this specification > and > > so can process the ALTERNATE-DOMAIN attribute. > > > > > > All right. > > > > > > > > > > > > >>>> o What authentication and message-integrity mechanisms > are used. > > >>>> > > >>>> o The considerations around manual vs. automatic key > derivation > > >> for > > >>>> the integrity mechanism, as discussed in [RFC4107]. > > >>>> > > >>>> o What mechanisms are used to distinguish STUN messages > from other > > >>> > > >>> Why is this required? It seems like that's a generic STUN > feature. > > >> > > >> That text is identical to the text in RFC 5389. RFC 5764/7983 is > one such > > >> mechanism, but there is nothing that prevent another protocol > stack to use > > >> a different mechanism (inference, shim, etc...) > > >> > > > > > > But ultimately no matter what the other protocol provides for > demux, STUN > > > has its > > > own demux. > > > > In fact I think that the reason for that item was because > > FINGERPRINT can also be used to demux STUN traffic, but it is > > optional. So an STUN Usage needs to tell if FINGERPRINT is > > mandatory (like in ICE). > > > > > > This should be explained. > > > > > > >>> > > >>>> that is not readily subject to offline dictionary attacks. > > >>>> Protection of the channel itself, using TLS or DTLS, > mitigates > > >> these > > >>>> attacks. > > >>>> > > >>>> STUN supports both MESSAGE-INTEGRITY and > > MESSAGE-INTEGRITY-SHA256, > > >>>> which is subject to bid down attacks by an on-path > attacker. > > >>> > > >>> By an on-path attacker who can forge HMAC-SHA1 in real-time? > > That's a > > >>> pretty serious adversary, so you should clarify here > > >>> > > >> > > >> New text: > > >> > > >> STUN supports both MESSAGE-INTEGRITY and > MESSAGE-INTEGRITY-SHA256, > > >> which is subject to bid down attacks by an on-path attacker > that > > >> would strip the MESSAGE-INTEGRITY-SHA256 attribute leaving > > only the > > >> MESSAGE-INTEGRITY attribute and exploiting a potential > > vulnerability. > > >> Protection of the channel itself, using TLS or DTLS, mitigates > > these > > >> attacks. Timely removal of the support of MESSAGE-INTEGRITY > in a > > >> future version of STUN is necessary. > > >> > > > > > > I still don't understand the capabilities you seem to believe the > > attacker > > > has. > > > Can you describe the exact attack. > > > > > > > 1. Vulnerability is found in HMAC-SHA1 > > 2. Client Alice still supports M-I and M-I-256, does not know what > > version of STUN server Bob supports and so send both. > > 3. On-path attacker removes M-I-256. > > 5. stunbis server Bob thinks that Alice is an RFC 5389 client and > > continue with that protocol. > > > > > > This seems like an extremely weak attack. In general, any protocol of > > this type is as strong > > as the weakest integrity algorithm it supports, so it's not that the > > protocol has a downgrade > > attack, but rather that the minimum algorithm supported is one you don't > > trust as much > > as you might like. > > > > -Ekr > > > > > > -- > > Marc Petit-Huguenin > > Email: marc@petit-huguenin.org <mailto:marc@petit-huguenin.org> > > Blog: https://marc.petit-huguenin.org <https://marc.petit-huguenin. > org> > > Profile: https://www.linkedin.com/in/petithug > > <https://www.linkedin.com/in/petithug> > > > > >
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- [tram] Eric Rescorla's Discuss on draft-ietf-tram… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Brandon Williams
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Matthew A. Miller
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Brandon Williams
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Marc Petit-Huguenin
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Camarillo
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Spencer Dawkins at IETF
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Gonzalo Salgueiro (gsalguei)
- Re: [tram] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- [tram] Blackout posting of draft-ietf-tram-stunbi… Spencer Dawkins at IETF
- Re: [tram] Blackout posting of draft-ietf-tram-st… Gonzalo Salgueiro (gsalguei)