IETF Logo Mail Archive

Re: [tram] Transport of ICMP errors in TURN

"Pal Martinsen (palmarti)" <palmarti@cisco.com> Thu, 27 August 2015 13:01 UTC

Return-Path: <palmarti@cisco.com>
X-Original-To: tram@ietfa.amsl.com
Delivered-To: tram@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF7A11B3403 for <tram@ietfa.amsl.com>; Thu, 27 Aug 2015 06:01:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bPCal7p5NwWd for <tram@ietfa.amsl.com>; Thu, 27 Aug 2015 06:01:49 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E878E1B36CC for <tram@ietf.org>; Thu, 27 Aug 2015 06:01:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7308; q=dns/txt; s=iport; t=1440680464; x=1441890064; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=+3/2PSqC1aCwG8/2l9MJrxS+aOLksAR+NGjmXSh8Sfg=; b=HDE5FMKhB76rutNHMhaSqyQAuRpfipV2q7swU9o/crJjEvrOjFhBTLzE LW9xHyPKhkrbhSwGpKRIei/uBUN5O3YipzwOWL8dnt4Lyv+2Gy88e/4zj zL03PN0gl10DYm52TOn+U2TgCmIsUICHFLIYouunz8zdQ0eTCrdhAtXUb k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DDAgBuCd9V/4sNJK1UCYMbVGkGgx26VAEJgW4MhXkCHIEXOBQBAQEBAQEBgQqEIwEBAQMBAQEBIBE6CwULAgEIGAICIwMCAgIlCxQBEAIEDgWIJggNA7MRlREBAQEBAQEBAQEBAQEBAQEBAQEBAQEXgSKHVoJpgkCBaAcEBgEGGBgbB4JpL4EUBZU9AYUFh22BSkaDbJRkJoIOARyBVHEBgQUIFyOBBQEBAQ
X-IronPort-AV: E=Sophos;i="5.17,422,1437436800"; d="scan'208";a="22133251"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by rcdn-iport-8.cisco.com with ESMTP; 27 Aug 2015 13:01:03 +0000
Received: from XCH-RCD-008.cisco.com (xch-rcd-008.cisco.com [173.37.102.18]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id t7RD13KK023218 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 27 Aug 2015 13:01:03 GMT
Received: from xch-rcd-008.cisco.com (173.37.102.18) by XCH-RCD-008.cisco.com (173.37.102.18) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 27 Aug 2015 08:01:02 -0500
Received: from xhc-rcd-x01.cisco.com (173.37.183.75) by xch-rcd-008.cisco.com (173.37.102.18) with Microsoft SMTP Server (TLS) id 15.0.1104.5 via Frontend Transport; Thu, 27 Aug 2015 08:01:02 -0500
Received: from xmb-rcd-x06.cisco.com ([169.254.6.133]) by xhc-rcd-x01.cisco.com ([173.37.183.75]) with mapi id 14.03.0248.002; Thu, 27 Aug 2015 08:01:02 -0500
From: "Pal Martinsen (palmarti)" <palmarti@cisco.com>
To: Marc Petit-Huguenin <petithug@acm.org>
Thread-Topic: [tram] Transport of ICMP errors in TURN
Thread-Index: AQHQ3+oWUq4elx0VKUWmZ9u5ZuMizJ4eib2AgAFwzICAABKLgIAAF8UA
Date: Thu, 27 Aug 2015 13:01:02 +0000
Message-ID: <82CC0777-152C-4741-9BCF-DF08CF2CC8DA@cisco.com>
References: <55DD94FF.7080400@acm.org> <55DDB133.6090608@jive.com> <A8F8D0A4-C847-4F3E-B5A3-45DA47CB95D9@cisco.com> <55DEF61F.8070809@acm.org>
In-Reply-To: <55DEF61F.8070809@acm.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [173.37.102.22]
Content-Type: text/plain; charset="utf-8"
Content-ID: <48FD65150ADE7B45A896C0AAC58CA592@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tram/zpIOARFkGfrb0UJ6A08bkht_JzE>
Cc: Simon Perreault <sperreault@jive.com>, "tram@ietf.org" <tram@ietf.org>
Subject: Re: [tram] Transport of ICMP errors in TURN
X-BeenThere: tram@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussing the creation of a Turn Revised And Modernized \(TRAM\) WG, which goal is to consolidate the various initiatives to update TURN and STUN." <tram.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tram>, <mailto:tram-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tram/>
List-Post: <mailto:tram@ietf.org>
List-Help: <mailto:tram-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tram>, <mailto:tram-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 13:01:56 -0000

> On 27 Aug 2015, at 13:35, Marc Petit-Huguenin <petithug@acm.org> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 08/27/2015 04:29 AM, Pal Martinsen (palmarti) wrote:
>> 
>> On 26 Aug 2015, at 14:29, Simon Perreault
>> <sperreault@jive.com<mailto:sperreault@jive.com>> wrote:
>> 
>> Le 2015-08-26 06:29, Marc Petit-Huguenin a écrit : During the
>> presentation of the Path MTU Discovery Using STUN draft in Prague,
>> there was some discussion on how ICMP can be received by the client
>> when the PMTUD probes are sent through a TURN server.  Which reminded
>> me that I worked on that problem when I proposed PMTUD over STUN,
>> back in 2008.  That was the case, according to my notes, but in fact
>> the idea of tunneling the ICMP packets through the TURN server was
>> proposed the year before, but for a different reason:
>> 
>> https://mailarchive.ietf.org/arch/msg/behave/76pAtymXlAtF5SoD0rgoFECf2Fg
>> 
>> So my proposal is to add this into turnbis.  I can provide text.
>> 
>> RFC 5766 section 2.6
>> <https://tools.ietf.org/html/rfc5766#section-2.6> explains that ICMP
>> not being relayed was a design decision to make it possible to run a
>> TURN server as an unprivileged user. That conclusion is wrong for two
>> reasons:
>> 
>> - With the BSD sockets API, some ICMP errors are translated into
>> recv() error codes. This means that it is always possible to relay at
>> least some subset of ICMP errors. (Not sure for TCP or IPv6, I’d need
>> to check.)
>> 
>> 
>> It is possible by creating a new listen socket.
>> 
>> See:
>> https://tools.ietf.org/html/draft-martinsen-tram-stuntrace-01#appendix-A.2
>> 
>> The code described in that ID works well and we have implemented it
>> in most of our hard and soft clients. Not sure about any performance
>> issues when doing this on the server side though.
>> 
>> The STUNTrace ID is not a TRAM draft anymore. We will ask for it to
>> be AD sponsored, just need to have some more discussion in the
>> security section regarding information leakage. This is particular
>> hard in the intersection network troubleshooting and end user
>> privacy. If you got any concerns or ideas please ping me. (Or maybe
>> we can have chair approval to have the discussion on this list? If
>> any that is..)
>> 
>> 
>> - On Linux, which dominates the market of TURN server, one can
>> receive all ICMP errors as an unprivileged user with the
>> IP(V6)_RECVERR socket option.
>> 
>> So my conclusion is: yes, please. :)
>> 
>> +1
>> 
>> But we need to carefully describe the security pitfalls. Some people
>> might already be using a TURN server as mean to hide their “true” IP
>> address. Any changes in the TURN spec that introduces a change in the
>> server behaviour that affects the privacy aspect might potentially be
>> risk to some users.
>> 
> 
> Can you elaborate on this? The proposed extension is to have the server send to the client an indication message that wraps the information for ICMP packets received by the server with only type 3, and perhaps type 12 for ICMPv4 and 1, 2 and 3 for ICMPv6, and that match a permission and contain an UDP header.
> 
> This indication message will contain a XOR-MAPPED-ADDRESS attribute that contains the same IP address/port that was in the CreatePermission/Send messages sent by the client (or in the CHANNEL-BIND request if channels are used).  There is no additional information leaked here.
> 
> Then the indication message should also contain a new attribute that contains the ICMP error.  That also does not reveal anything about the identity of the sender of the packet that triggered this ICMP packet.
> 

If we limit this to deal with host unreachable and related problems I am fine with this. Having the argumentation you just did in the spec is useful. 

My main concern was if we wanted to turn the TURN server into some sort of ICMP gateway and allow the client to trigger all sort of network weirdness on the public side. 

Sorry about wearing the paranoia hat, just wanted to make sure this was understood and discussed.

.-.
Pål-Erik



> - -- 
> Marc Petit-Huguenin
> Email: marc@petit-huguenin.org
> Blog: http://blog.marc.petit-huguenin.org
> Profile: http://www.linkedin.com/in/petithug
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
> 
> iQIcBAEBCAAGBQJV3vYaAAoJECnERZXWan7E+3MQAJiJa8dF1LLFw9edwiGE6jX6
> EIDiXOcTQIc6UBB9t+JTJcKPaSFD28khEenOY6fMCG9b3VDKuFWxEKi6d8yWTUp5
> Ijhr50sugfmLiS53+jAQEM5RiffJD+3pCcktRJn2Hjy2TNOu1ouPOhXtq/+EQXlX
> PC3j+qFoIYK1OM0cJiRH3DkGPgjNjgy0mQzOfoaSVC2AbCz8swbgj2rwuywyRy42
> cfIuqmUhD5lfp52Gt7pRI8aKlKeN3CKGQOf4LViO0JT+pi9Z50QKI/0hwOmF0Pz1
> I79iT1wt6V4JP7lCatdUk0r5zteXJIO/sUJXWvgmUtv/ginI1i9sV3GwcSBrYBP9
> O0NhEhRho/RIK+v4HvbHoUWn9Wr606rh44gVgDyoIYv04Yvte0i/wt/6UPSh5XeZ
> pMhBKcs8vsdhT6Q4fFE45IFtRDCVrhCT/hC6CRDvSCGkw0VW+98eZdsOJGuLTKan
> e6DWcHFV7tB1/aOr8jDsIyDjNnY4FGN1BfYtF7LqGdE+jNkSkCiDDV7Hd9QeG9vu
> VUlm5D9z6LBuHGbmuNHOmrZP8zi858XQa9Ta/3UKbotO8XErgEGv+dzRKXp/KpaI
> pTf2xry4tWNBdpiar3L9uG1qaUQRW47lk22N/XQvQJAGIPAuPxoAWSiGIMNp2jPu
> 803fI2FWofeSyGmPpUN9
> =OkNS
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> tram mailing list
> tram@ietf.org
> https://www.ietf.org/mailman/listinfo/tram

v2.23.0 | Report a Bug | By Email