Re: [tram] Allow TURN to forward inbound connectivity checks without permission

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 20 March 2018 10:31 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Simon Perreault <sperreault@jive.com>, Nils Ohlmeier <nohlmeier@mozilla.com>
CC: Cullen Jennings <fluffy@cisco.com>, Eric Rescorla <ekr@rtfm.com>, "tram@ietf.org" <tram@ietf.org>, Brandon Williams <brandon.williams@akamai.com>
Thread-Topic: [tram] Allow TURN to forward inbound connectivity checks without permission
Thread-Index: AQHTv3BE7H+lEDCzy0aE6LgkPsBdZKPYCNMAgAAflQCAAL9dgIAABGPg
Date: Tue, 20 Mar 2018 10:31:00 +0000
Message-ID: <BN6PR16MB14253012D6A5EA47A700EE1FEAAB0@BN6PR16MB1425.namprd16.prod.outlook.com>
References: <CANO7kWDd8NZ=svBONwzo6sE5YH3Y5MAdWFP2CQMiTg7M-b47AQ@mail.gmail.com> <c9ef837c-bf7c-decb-9542-8a9ddeda67fd@akamai.com> <E3AB81FC-D841-47A6-A0E2-775461779770@mozilla.com> <CANO7kWA4tmK7Di59tsjvCBoDdh-jW83FxMpqQH1-iSPGLS=mpA@mail.gmail.com>
In-Reply-To: <CANO7kWA4tmK7Di59tsjvCBoDdh-jW83FxMpqQH1-iSPGLS=mpA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tram/vIXBEB_OSOEf3S-7sQsI-EwloyA>
Subject: Re: [tram] Allow TURN to forward inbound connectivity checks without permission

Nice optimization.
We should also discuss the security implications. If any STUN packet is allowed from anyone on the Internet, the TURN client could be subjected to a DDoS attack (e.g. spoofed STUN packets from attackers; the client wastes cycles validating the message integrity, and could also be subjected to a bandwidth-hogging attack).

-Tiru

From: tram [mailto:tram-bounces@ietf.org] On Behalf Of Simon Perreault
Sent: Tuesday, March 20, 2018 10:08 AM
To: Nils Ohlmeier <nohlmeier@mozilla.com>
Cc: Cullen Jennings <fluffy@cisco.com>; Eric Rescorla <ekr@rtfm.com>; tram@ietf.org; Brandon Williams <brandon.williams@akamai.com>
Subject: Re: [tram] Allow TURN to forward inbound connectivity checks without permission

Wow, I had totally forgotten about ufrag perms!

2018-03-19 22:43 GMT+00:00 Nils Ohlmeier <nohlmeier@mozilla.com>:
I also like the idea of simply forwarding all binding requests to the TURN client. Because 1) it does not expose the ufrag to the network when talking to the TURN server. And 2) it's easier for the TURN server to just check for the STUN request type and not have to parse for the ufrag attribute as well.

Same opinion here. The point of permissions is to prevent TURN clients from being able to run generic servers. It seems like always allowing STUN packets would preserve this feature while solving the session establishment latency problem. And would be quite a bit simpler to implement than ufrag perms. Have your cake, eat it, and eat it a second time.

Also, because this is so simple (just one sentence to specify it!), and impact potential is so great (make Brandon happy!), I wonder if we shouldn't simply add it to TURN-bis while there's still time.

One question which comes to my mind is if the TURN server at some point, e.g. after receiving the permission request, stops forwarding the binding requests blindly?

Because the allocation might be paired with multiple remote candidates, I think we'd need to always forward STUN blindly.

Simon