Re: [tram] Fwd: New Version Notification for draft-williams-tram-ufrag-permission-00.txt
"Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com> Mon, 26 October 2015 03:02 UTC
From: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
To: Brandon Williams <brandon.williams@akamai.com>, Justin Uberti <juberti@google.com>
Date: Mon, 26 Oct 2015 03:02:01 +0000
Message-ID: <91598d090c6f499d835770b2469289df@XCH-RCD-017.cisco.com>
References: <86c7182c5cb942799c73a88aa115328c@XCH-RCD-017.cisco.com> <561FAC54.2020605@akamai.com>
In-Reply-To: <561FAC54.2020605@akamai.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/ptickLD1jwhC0z8cfUuncKcu0bE>
Cc: "tram@ietf.org" <tram@ietf.org>
> -----Original Message-----
> From: Brandon Williams [mailto:brandon.williams@akamai.com]
> Sent: Thursday, October 15, 2015 7:08 PM
> To: Tirumaleswar Reddy (tireddy); Justin Uberti
> Cc: tram@ietf.org
> Subject: Re: [tram] Fwd: New Version Notification for draft-williams-tram-ufrag-permission-00.txt
>
> I don't see a significant difference in the attack profile for DDOS between this and standard address-based permissions. In this case, I can mount a DDOS by knowing the ufrag. For address-based, I can mount a DDOS by knowing the address. The relatively minor difference is that reverse path filtering might limit an attacker's ability to spoof some addresses, but this is uncommon and unreliable enough that it's not really a meaningful improvement.

There are various other ways to detect IP address spoofing. For example, possible techniques for source address validation are discussed in https://tools.ietf.org/html/rfc6959.

> Since the relay and the client already have to deal with roughly the same DDOS risk, I don't see significant value in sharing the short-term password with the relay.

DDOS mitigation now also has to deal with a possible L7 attack; it would be good to discuss this in detail in the draft.

-Tiru

> --Brandon
>
> On 10/15/2015 02:52 AM, Tirumaleswar Reddy (tireddy) wrote:
> > I meant that with this change an attacker, by just knowing the ufrag, can now launch an attack on the TURN server and on the endpoint by sending spoofed ICE requests with a valid ufrag but invalid message-integrity, and can use any source IP address and possibly launch a DDOS attack; the TURN server will just forward those ICE requests to the endpoint.
> >
> > -Tiru
> >
> > From: Justin Uberti [mailto:juberti@google.com]
> > Sent: Thursday, October 15, 2015 11:38 AM
> > To: Tirumaleswar Reddy (tireddy)
> > Cc: Brandon Williams; tram@ietf.org
> > Subject: Re: [tram] Fwd: New Version Notification for draft-williams-tram-ufrag-permission-00.txt
> >
> > DDOS of spoofed ICE requests can happen already against the host/srflx candidate, so it is unclear whether this is a real-world problem.
> >
> > On Wed, Oct 14, 2015 at 7:39 PM, Tirumaleswar Reddy (tireddy) <tireddy@cisco.com> wrote:
> >
> > To handle a DDOS attack of spoofed ICE requests, did you consider the option of signaling the endpoint's short-term password to the TURN server so as to block those ICE requests? draft-jennings-behave-rtcweb-firewall-01 and this draft are both discussing STUN inspection on firewalls and TURN servers, but in different ways to solve different problems.
> >
> > -Tiru
> >
> > > -----Original Message-----
> > > From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Brandon Williams
> > > Sent: Thursday, October 15, 2015 2:27 AM
> > > To: tram@ietf.org
> > > Subject: [tram] Fwd: New Version Notification for draft-williams-tram-ufrag-permission-00.txt
> > >
> > > I just posted the below referenced draft. It's focused on improving the speed of relayed ICE connectivity checks by defining a new type of permission that makes use of the offerer's ICE ufrag.
> > >
> > > We will appreciate your comments.
> > >
> > > Thanks,
> > > --Brandon
> > >
> > > -------- Forwarded Message --------
> > > Subject: New Version Notification for draft-williams-tram-ufrag-permission-00.txt
> > > Date: Wed, 14 Oct 2015 13:49:35 -0700
> > > From: internet-drafts@ietf.org
> > > To: Brandon Williams <brandon.williams@akamai.com>, Justin Uberti <justin@uberti.name>
> > >
> > > A new version of I-D, draft-williams-tram-ufrag-permission-00.txt has been successfully submitted by Brandon Williams and posted to the IETF repository.
> > >
> > > Name: draft-williams-tram-ufrag-permission
> > > Revision: 00
> > > Title: Ufrag Permissions for Traversal Using Relays around NAT (TURN)
> > > Document date: 2015-10-14
> > > Group: Individual Submission
> > > Pages: 9
> > > URL: https://www.ietf.org/internet-drafts/draft-williams-tram-ufrag-permission-00.txt
> > > Status: https://datatracker.ietf.org/doc/draft-williams-tram-ufrag-permission/
> > > Htmlized: https://tools.ietf.org/html/draft-williams-tram-ufrag-permission-00
> > >
> > > Abstract:
> > > When using a TURN relay, ICE connectivity checks require an explicit permission or channel binding to be established for each peer address to be checked. This requires the answerer to send its candidate addresses to the offerer via the rendezvous server, which can impose a latency penalty when the rendezvous server is centrally located. This document defines a new type of TURN permission that will allow any ICE connectivity check message that contains the offerer's ufrag value to be accepted on a relay address for delivery over the associated TURN tunnel.
> > >
> > > Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> > >
> > > The IETF Secretariat
> > >
> > > _______________________________________________
> > > tram mailing list
> > > tram@ietf.org
> > > https://www.ietf.org/mailman/listinfo/tram
>
> --
> Brandon Williams; Chief Architect
> Cloud Networking; Akamai Technologies Inc.
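To make the trade-off discussed in this thread concrete, the following is an added example (not code from the draft or from any of the participants) of a relay-side decision for a STUN Binding request arriving on a relayed address: under a ufrag-only permission a request carrying the right ufrag but a bogus MESSAGE-INTEGRITY is forwarded, whereas a relay that has also been given the endpoint's short-term password can verify the HMAC-SHA1 (RFC 5389 short-term credentials) and drop it. The function names, the sample ufrags and the password are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY = 0x0006, 0x0008

def _attr(atype, value):
    # STUN TLV attribute, value padded to a 4-byte boundary (RFC 5389 section 15)
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)

def build_binding_request(username, password, txid=None):
    """ICE check: USERNAME plus MESSAGE-INTEGRITY keyed with the short-term password.
    Anyone who knows the ufrag can forge the USERNAME; only the endpoints know the password."""
    txid = txid or os.urandom(12)
    body = _attr(ATTR_USERNAME, username.encode())
    # The length field used for the HMAC counts everything up to and including MESSAGE-INTEGRITY (24 bytes)
    header = struct.pack("!HHI", BINDING_REQUEST, len(body) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(password.encode(), header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)

def parse_attrs(msg):
    # Returns {attribute type: (offset of the attribute, value)}
    attrs, off = {}, 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        attrs[atype] = (off, msg[off + 4:off + 4 + alen])
        off += 4 + alen + (-alen % 4)
    return attrs

def relay_accepts(msg, permitted_ufrag, known_password=None):
    """Relay-side decision (constructed example). A ufrag-only permission forwards
    anything with the permitted ufrag; if the short-term password was also signaled
    to the relay, MESSAGE-INTEGRITY is verified before forwarding."""
    if len(msg) < 20 or struct.unpack("!I", msg[4:8])[0] != MAGIC_COOKIE:
        return False
    attrs = parse_attrs(msg)
    # ICE USERNAME is "<receiving ufrag>:<sending ufrag>"; the permission keys on the first part
    if ATTR_USERNAME not in attrs or attrs[ATTR_USERNAME][1].split(b":")[0] != permitted_ufrag.encode():
        return False
    if known_password is None:
        return True  # ufrag-only permission: a spoofed check with a bogus MAC is forwarded
    if ATTR_MESSAGE_INTEGRITY not in attrs:
        return False
    mi_off, mac = attrs[ATTR_MESSAGE_INTEGRITY]
    covered = msg[:2] + struct.pack("!H", mi_off - 20 + 24) + msg[4:mi_off]
    expected = hmac.new(known_password.encode(), covered, hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)
```

The ufrag-only path is the case both Tiru and Brandon describe: the relay has nothing to check beyond the ufrag, so rate limiting or source address validation on the relay is the only remaining defence there.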