IETF Logo Mail Archive

Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)

Martin Thomson <martin.thomson@gmail.com> Mon, 13 April 2015 18:17 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F37C21B2A2F; Mon, 13 Apr 2015 11:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ltHWRvBacBdX; Mon, 13 Apr 2015 11:17:10 -0700 (PDT)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6CAB1B2A32; Mon, 13 Apr 2015 11:17:09 -0700 (PDT)
Received: by oign205 with SMTP id n205so11166954oig.2; Mon, 13 Apr 2015 11:17:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=bHKqAXgbrdo/35d3H5HiEFQzyIQlHDoh/7yt2AVXZII=; b=U+HYxZ6Jytuhsf3D36LKM6je2k3hCJGhxclmAz+LW0hE7pQWlPEteaqudaE33+fpZS mNk2U1RVL0gJLBQr+DU0GTO26OeKieet6/iZicPfzcbnCJX0Fo+pk3Avgmhqi17IMIWi PGqVu/SVftn9nKj/VX7sKP2pLuhLalFXUh/lvo0cZNnQ02g37F4rIIoFsrPweJAc16Q9 F/Td/nkipVT2CWNsin3uXN4Ib/zWPr/a0bN4IvRssJrtN68PmgUPL0yRtpjelPZ0CD83 F31Or6PEKQLoFW66iDUQFpoBOiEs/Az6dn2nCtglqIVhNn5pbf1eMLSB1owMWu2CF1Sp zOZA==
MIME-Version: 1.0
X-Received: by 10.202.0.75 with SMTP id 72mr8421013oia.131.1428949029403; Mon, 13 Apr 2015 11:17:09 -0700 (PDT)
Received: by 10.202.212.212 with HTTP; Mon, 13 Apr 2015 11:17:09 -0700 (PDT)
In-Reply-To: <913383AAA69FF945B8F946018B75898A411FFC5F@xmb-rcd-x10.cisco.com>
References: <20150410193813.20376.40907.idtracker@ietfa.amsl.com> <55282B4E.4000409@akamai.com> <913383AAA69FF945B8F946018B75898A411FFC5F@xmb-rcd-x10.cisco.com>
Date: Mon, 13 Apr 2015 11:17:09 -0700
Message-ID: <CABkgnnUyHTd83LWM0Lp0xOJnVp3Gt6KvrbuGkraejP7kwEJf7w@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/s1QjPkgb3P1uGeGIoj8sQg1co_I>
Cc: "tram-chairs@ietf.org" <tram-chairs@ietf.org>, "tram@ietf.org" <tram@ietf.org>, Brandon Williams <brandon.williams@akamai.com>, "rlb@ipv.sx" <rlb@ipv.sx>, "Salz, Rich" <rsalz@akamai.com>, "Stephen Farrell (stephen.farrell@cs.tcd.ie)" <stephen.farrell@cs.tcd.ie>
Subject: Re: [tram] Stephen Farrell's Discuss on draft-ietf-tram-turn-third-party-authz-13: (with DISCUSS and COMMENT)
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Apr 2015 18:17:12 -0000

On 10 April 2015 at 18:58, Tirumaleswar Reddy (tireddy)
<tireddy@cisco.com> wrote:
> Richard and we have already have discussed the comments further and resolved them, attached updated draft with diff.
> Main changes
>
> [1] Removed DKSPP
> [2] Removed non-AEAD algorithms; using AEAD modes AES-GCM and aead-aes-cbc
> [3] Updated the token format


I read this just now for the first time in a while.  Either I'm a lot
stupider this morning than I normally am, or this draft is very
confused.  There are some serious problems in here.

If you intend to use RFC 5116, please clearly specify the inputs, as
described in Section 2.1:
https://tools.ietf.org/html/rfc5116#section-2.1 Currently, the draft
uses N for the name of the server.  That conflicts with the label that
RFC 5116 uses for the nonce.  Also, the draft is very vague about the
construction of the nonce.  The draft certainly doesn't need to refer
to the CBC AEAD draft.

It does need to deal with algorithm agility and it currently does not.


I apologize for not reviewing this earlier.  Here are more comments.

Section 1 doesn't really explain what the draft provides.

Section 3 claims to be an overview, but it doesn't actually describe
what happens.  It leaves the token acquisition part out of scope.
That's fine, but it doesn't describe how the THIRD-PARTY-AUTHORIZATION
attribute might be used, even in the broadest sense.  It doesn't
explain why it's a server name, or how that name relates to the domain
name of the server (i.e., the one that might have been passed to a DNS
resolver).

Section 4 doesn't permit any additional information to be carried in
the token.  Therefore, the STUN/TURN server is unable to apply any
additional policies that the authorization server might impose, such
as limits on the length of the session, the number of ports allocated,
or the bandwidth that is allocated.  (Or whatever we might later
conceive of.)

It's not clear what Section 4.1.1 is for.  If this is private
communications, then it is far too specific.  If this is intended to
be normative, then it isn't sufficient.  What is the base URI?  What
prevents a random internet denizen from acquiring this symmetric key?
Why these two specific parameters?  Why does the expiration
information in the JWK replicate what HTTP provides?  I'd be far
happier with hand-waving than with this section in place.

Section 5 fails to explicitly state whether the MAC key is used as
input to short term or long term credentials.  It needs to say short
term, I think.

Why does this document use 'kid' rather than USERNAME?  Isn't the
point to get a short term  username+password pair from the
authorization server?

Section 7 seems to imply two layers of authentication: the AEAD and
some HMAC.  I can't work out what is being authenticated.  I'm not
sure that anyone else could either.

The replay protection in Section 7 is not sufficient.  If the intent
is to prevent replay, then the server needs to maintain a
globally-consistent register of the requests that it has seen so that
it can correctly reject replays.  However, I think that the intent is
to permit replay, so perhaps it is the case that casting this as
anti-replay is counter-intuitive.  That said, I believe that this is a
serious DoS vector and we should be recommending that servers at least
account for what has been replayed and limit the number of times a
particular token can be used.

If the intent of the lifetime in the token is to prevent replay, then
this is bad:

  o  The lifetime provided by the TURN server in the Allocate and
      Refresh responses MUST be less than or equal to the lifetime of
      the token.

Tying the two lifetimes together means that you need to have a long
token lifetime in order to support long sessions.  But long token
lifetimes means long periods of exposure to replay and lots of
maintained state.  See earlier point about policies being carried in
the token.

Section 8 seems completely unnecessary.  What resource is being
conserved here?  It's more work to maintain all this state and
validate all those tokens than it is to respond in the affirmative to
STUN request.  (Also, why doesn't STUN usage get a fancy OAuth mapping
table like Section 9?  Is it somehow different?)

In summary, I'm surprised that a document in this state was put before the IESG.

v2.23.0 | Report a Bug | By Email