Network Working Group B. Williams
Internet-Draft Akamai
Intended status: Standards Track J. Uberti
Expires: April 16, 2016 Google
October 14, 2015
Ufrag Permissions for Traversal Using Relays around NAT (TURN)
draft-williams-tram-ufrag-permission-00
Abstract
When using a TURN relay, ICE connectivity checks require an explicit
permission or channel binding to be established for each peer address
to be checked. This requires the answerer to send its candidate
addresses to the offerer via the rendezvous server, which can impose
a latency penalty when the rendezvous server is centrally located.
This document defines a new type of TURN permission that will allow
any ICE connectivity check message that contains the offerer's ufrag
value to be accepted on a relay address for delivery over the
associated TURN tunnel.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 16, 2016.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
Williams & Uberti Expires April 16, 2016 [Page 1]
Internet-Draft Ufrag Permission for TURN October 2015
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Ufrag Permission Usage . . . . . . . . . . . . . . . . . . . 5
3.1. Forming a CreatePermission Request . . . . . . . . . . . 6
3.2. Processing a CreatePermission Request . . . . . . . . . . 6
3.3. Server Backward Compatibility . . . . . . . . . . . . . . 6
3.4. Processing a ChannelBind Request . . . . . . . . . . . . 7
3.5. Processing a Message on the Relay Transport Address . . . 7
3.6. Processing a Data Indication . . . . . . . . . . . . . . 7
4. ICE Interactions . . . . . . . . . . . . . . . . . . . . . . 7
5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 8
8. Normative References . . . . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9
1. Introduction
Interactive Connectivity Establishment (ICE) [RFC5245] provides a
connectivity checking mechanism that peers can use to determine how
to communicate directly with each other (e.g. which network layer
protocol to use, which network address and transport port to use,
etc.). The peers gather their sets of candidate addresses and
exchange them via a rendezvous server using an offer/answer protocol.
After gathering the addresses, the peers then send connectivity
checks between address pairs to find a suitable local/remote adress
pair to use for communication.
Successful direct connectivity checks between the peers is the
simplest scenario.
Williams & Uberti Expires April 16, 2016 [Page 2]
Internet-Draft Ufrag Permission for TURN October 2015
+------------+
| |
+--------------------> rendezvous +---------------------+
| | server | 2 |
| | | |
| +------------+ |
| |
| |
| |
| |
| 1 |
| |
+-----+------+ +------v-----+
| | 3 | |
| offerer <-----------------------------------------+ answerer |
| | | |
+------------+ +------------+
The offerer sends an offer with its candidate addresses to the
rendezvous server (1), the rendezvous server forwards the offer to
the answerer (2), and the answerer is able to send a connectivity
check directly to the offerer (3) at the same time that it sends its
answer back to the offerer via the rendezvous server.
Successful connectivity checks for a relayed candidate with Traversal
Using Relays around NAT (TURN) [RFC5766] is more complicated and time
consuming, partially due to the requirement for the local peer to
explicitly notify the relay server about every permitted remote
address.
+------------+
| | 2
+--------------------> rendezvous +---------------------+
|--------------------+ server <---------------------|
|| 4 | | ||
|| +------------+ ||
|| ||
|| ||
|| ||
|| ||
|| ||
1 || 3 ||
+------v-----+ +------------+ +------v-----+
| | 5 | | | |
| offerer +-------------> relay | | answerer |
| +-------------> +--------------> |
+------------+ 6 +------------+ 7 +------------+
Williams & Uberti Expires April 16, 2016 [Page 3]
Internet-Draft Ufrag Permission for TURN October 2015
In this case, the offerer first issues an allocation request to the
relay server (not pictured) before sending an offer that includes the
assigned relay address to the rendezvous server (1), which forwards
the offer to the answerer (2). If the answerer sends a connectivity
check to the relay address immediately, the relay will reject the
message because there is no permission established for the answerer's
address yet. Instead, the answerer must send its answer along with
its candidate list to the rendezvous server (3), which relays the
answer to the offerer (4). Only now can the offerer send a
permission request to the relay (5) and then send a connectivity
check message to the relay (6) to be forwarded to the answerer (7).
Since the answer must be delivered before the necessary TURN
permissions can be established, successful connectivity checks via
the offerer's relay require an extra half round trip time via the
rendezvous server as compared to direct host-to-host connectivity
checks. This could be a significant penalty in the common case of a
remotely located rendezvous server.
The latency penalty for the relay use case could be mitigated by
permitting all ICE connectivity check messages to be delivered by the
relay, regardless of whether there is an active permission for the
sender. However, doing so would mean that use of the relay opens up
the client to potential attacks from anywhere on the Internet. TURN
permissions limit the risk by requiring the attacker to first
discover an address associated with an active permission. This may
be trivial to accomplish for an attacker who is on-path between the
answerer and the relay, but would be more difficult for an off-path
attacker.
When ICE is in use, the offer and answer messages each contain an
ice-ufrag value, which is used in connectivity check messages as part
of the username for Session Traversal Utilities for NAT (STUN)
[RFC5389]. This document describes a new TURN permission type that
allows any ICE connectivity check message to be relayed to TURN
client if it has the expected remote ufrag (RFRAG) value in the STUN
username attribute. This mechanism allows ICE connectivity checks to
the offerer's relayed candidate to succeed without having to wait for
the answer to arrive at the offerer, while at the same time
continuing to require an attacker to learn some information about an
active permission in order to construct packets that will be accepted
by the relay dor delivery to the client.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Williams & Uberti Expires April 16, 2016 [Page 4]
Internet-Draft Ufrag Permission for TURN October 2015
3. Ufrag Permission Usage
To allow successful connetivity checks from the answerer, the offerer
registers a new type of permission, known as a ufrag permission, with
the relay server. Instead of using an XOR-PEER-ADDRESS attribute to
identify the the remote peer, a ufrag permission specifies the
offerer's ufrag as the value for a LOCAL-UFRAG attribute. A ufrag
permission allows any ICE connectivity check from a remote peer to be
accepted by the relay if the RFRAG in that message matches the ufrag
specified for the permission. Note that the LOCAL-UFRAG attribute is
only allowed for TURN permission requests. ChannelBind requests
cannot make use of this type of permission.
Message flow for successful connectivity checks using ufrag
permissions looks fairly similar to the direct connectivity case
where timing of the first successful check is concerned.
+------------+
| | 2
+--------------------> rendezvous +---------------------+
| | server | |
| | | |
| +------------+ |
| |
| |
| |
| |
| |
1 | |
+-----+------+ 1' +------------+ +------v-----+
| +-------------> | | |
| offerer | | relay | | answerer |
| <-------------+ <--------------+ |
+------------+ 4 +------------+ 3 +------------+
The offerer first establishes a TURN allocation with the relay (not
pictured) to learn its relay candidate(s). At the point when the
offerer sends the offer to the rendezvous server (1), it also sends a
ufrag permission request to the relay (1'). The rendezvous server
forwards the offer to the answerer (2), at which point the answerer
can immediately send ICE connectivity checks (3) that can be accepted
by the relay and forwarded to the offerer (4). Provided that the
relay is fairly close to the offerer or at least inline between the
offerer and the answerer, the primary difference in latency between
direct and relay connectivity checks is the time required for
candidate gathering (i.e. the allocation request).
Williams & Uberti Expires April 16, 2016 [Page 5]
Internet-Draft Ufrag Permission for TURN October 2015
3.1. Forming a CreatePermission Request
A ufrag permission request is formed in the same general way as a
permission associated with an IP address, with the only exception
being that it contains a LOCAL-UFRAG attribute to provide the ufrag
value. As with any other CreatePermission request, multiple
permissions may be established using a single CreatePermission
request, meaning that a combination of one or more XOR-PEER-ADDRESS
attributes and one or more LOCAL-UFRAG attributes may be present in a
single request, with each resulting in a separate permission.
The LOCAL-UFRAG attribute is an understanding required attribute with
the type TBD, and it contains a single value, which is the sender's
ufrag value. This is allowed to be from 4 to 256 bytes in length.
NOTE: The authors considered two alternatives: providing the ufrag in
either an XOR-PEER-ADDRESS or a USERNAME attribute. In both cases,
it this change would modify the semantics for the attribute enough
that it seemed better to defined a new attribute type.
3.2. Processing a CreatePermission Request
When the server receives a CreatePermission request, it processes it
as per [RFC5766]. The rest of this section describes processing for
cases where the request contains a LOCAL-UFRAG attribute.
If the server understands but does not support ufrag addresses, it
rejects the request with a 403 (Forbidden) error.
If the request is valid, then the server installs or refreshes a
permission for the ufrag contained in the LOCAL-UFRAG attribute. The
server then responds with a CreatePermission success response.
NOTE: Careful consideration of the ufrag permission's lifetime is
required. It needs to be long enough to be useful for its intended
purpose but short enough to limit security exposure. A future
revision of the draft will cover this in more detail.
3.3. Server Backward Compatibility
A server that does not recognize the LOCAL-UFRAG attribute will
reject the request and send a 420 (Unknown Attribute) error response
and otherwise ignore the request.
If the request sent by the client contained IP address XOR-PEER-
ADDRESS attributes in addition to a LOCAL-UFRAG attribute, the client
MAY resend the request without the LOCAL-UFRAG attribute in order to
retry registration of the IP address permissions.
Williams & Uberti Expires April 16, 2016 [Page 6]
Internet-Draft Ufrag Permission for TURN October 2015
3.4. Processing a ChannelBind Request
A ChannelBind request received on the server MUST be considered
invalid if it contains a LOCAL-UFRAG attribute. The server MUST
reject such a request with a 403 (Forbidden) error.
3.5. Processing a Message on the Relay Transport Address
When a message is received on the relay transport address, the server
first checks whether the allocation has a matching IP/IPv6
permission. If it does not have a matching IP/IPv6 permission but it
does have one or more ufrag permissions, the server examines the
message to determine whether it is an ICE connectivity check message,
meaning: it is a STUN Binding request that contains all of the
required atrributes: FINGERPRINT, PRIORTY, ICE-CONTROLLED or ICE-
CONTROLLING, USERNAME, and MESSAGE-INTEGRITY. If the message is not
a structurally valid ICE connectivity check, the server MUST discard
the message if there is no IP/IPv6 permission that applies.
If the message is an ICE connectivity check with no matching IP/IPv6
permission, the server then parses the value of the USERNAME
attribute to extract the RFRAG value, which is the second colon-
separated field. If a ufrag permission exists for the RFRAG value,
the relay server generates a Data indication for the message. The
Data indication is then sent to the TURN client.
NOTE: TURN-TCP [RFC6062] should be discussed in this document if/when
it moves forward.
3.6. Processing a Data Indication
When the client receives a structurally valid Data indication, the
client first checks whether the XOR-PEER-ADDRESS attribute value
contains an IP address with which the client believes there is an
active permission. If there is no such permission and the message is
not a structurally valid ICE connectivity check, the client SHOULD
discard the message. If the message is a structurally valid ICE
connectivity check, the client parses, validates, and responds to the
message as per standard ICE behavior.
4. ICE Interactions
The following subjects have been identified that should be discussed
in greater detail:
o Interaction with ice-lite.
o Interactions with vanilla ice.
Williams & Uberti Expires April 16, 2016 [Page 7]
Internet-Draft Ufrag Permission for TURN October 2015
o Interactions with trickle ice.
In particular, this section should discuss setting IP address
permissions as a result of receiving a valid ICE connectivity check
and/or learning the true candidates via the answer.
5. Security Considerations
The following subjects have been identified that must be discussed in
greater detail:
o An open port could be used to provide an unauthorized service. At
this time, this is the primary security concern identified by the
authors and some suitable mitigations should be discussed in this
document.
o A valid ICE connectivity check could be replayed by an attacker.
This risk is shared by existing address-based permissions and so
is not a significant concern for this draft.
o An invalid ICE connectivity check using a snooped ufrag value
could be forwarded to the client. This risk is also shared by
existing address-based permissions and so is not a significant
concern for this draft.
o Others?
6. IANA Considerations
[Paragraphs below in braces should be removed by the RFC Editor upon
publication]
[The LOCAL-UFRAG attribute requires that IANA allocate a value in the
"STUN attributes Registry" from the comprehension-required range
(0x0000-0x7FFF), to be replaced for TBD throughout this document]
This document defines the LOCAL-UFRAG attribute, described in
Section 3.1. IANA has allocated the comprehension-required codepoint
TBD for this attribute.
7. Acknowledgements
Thanks to T. Reddy for early review of this draft.
8. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
Williams & Uberti Expires April 16, 2016 [Page 8]
Internet-Draft Ufrag Permission for TURN October 2015
RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC5245] Rosenberg, J., "Interactive Connectivity Establishment
(ICE): A Protocol for Network Address Translator (NAT)
Traversal for Offer/Answer Protocols", RFC 5245, DOI
10.17487/RFC5245, April 2010,
<http://www.rfc-editor.org/info/rfc5245>.
[RFC5389] Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
"Session Traversal Utilities for NAT (STUN)", RFC 5389,
DOI 10.17487/RFC5389, October 2008,
<http://www.rfc-editor.org/info/rfc5389>.
[RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using
Relays around NAT (TURN): Relay Extensions to Session
Traversal Utilities for NAT (STUN)", RFC 5766, DOI
10.17487/RFC5766, April 2010,
<http://www.rfc-editor.org/info/rfc5766>.
[RFC6062] Perreault, S., Ed. and J. Rosenberg, "Traversal Using
Relays around NAT (TURN) Extensions for TCP Allocations",
RFC 6062, DOI 10.17487/RFC6062, November 2010,
<http://www.rfc-editor.org/info/rfc6062>.
Authors' Addresses
Brandon Williams
Akamai, Inc.
150 Broadway
Cambridge, MA 02142
USA
Email: brandon.williams@akamai.com
Justin Uberti
Google
747 6th Ave S
Kirkland, WA 98033
USA
Email: justin@uberti.name
Williams & Uberti Expires April 16, 2016 [Page 9]