| draft-ietf-rtcweb-stun-consent-freshness-02.txt | draft-ietf-rtcweb-stun-consent-freshness-03.txt | |||
|---|---|---|---|---|
| RTCWEB M. Perumal | RTCWEB M. Perumal | |||
| Internet-Draft D. Wing | Internet-Draft D. Wing | |||
| Intended status: Standards Track R. Ravindranath | Intended status: Standards Track R. Ravindranath | |||
| Expires: October 13, 2014 T. Reddy | Expires: November 20, 2014 T. Reddy | |||
| Cisco Systems | Cisco Systems | |||
| M. Thomson | M. Thomson | |||
| Mozilla | Mozilla | |||
| April 11, 2014 | May 19, 2014 | |||
| STUN Usage for Consent Freshness | STUN Usage for Consent Freshness | |||
| draft-ietf-rtcweb-stun-consent-freshness-02 | draft-ietf-rtcweb-stun-consent-freshness-03 | |||
| Abstract | Abstract | |||
| To prevent sending excessive traffic to an endpoint, periodic consent | To prevent sending excessive traffic to an endpoint, periodic consent | |||
| needs to be obtained from that remote endpoint. | needs to be obtained from that remote endpoint. | |||
| This document describes a consent mechanism using a new STUN usage. | This document describes a consent mechanism using a new STUN usage. | |||
| This same mechanism can also determine connection loss ("liveness") | This same mechanism can also determine connection loss ("liveness") | |||
| with a remote peer. | with a remote peer. | |||
| skipping to change at page 1, line 39 | skipping to change at page 1, line 39 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on October 13, 2014. | This Internet-Draft will expire on November 20, 2014. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 16 | skipping to change at page 2, line 16 | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. Design Considerations . . . . . . . . . . . . . . . . . . . . 3 | 3. Design Considerations . . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. Solution Overview . . . . . . . . . . . . . . . . . . . . . . 3 | 4. Solution Overview . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 5. Connection Liveness . . . . . . . . . . . . . . . . . . . . . 4 | 4.1. Expiration of Consent . . . . . . . . . . . . . . . . . . 3 | |||
| 4.2. Immediate Revocation of Consent . . . . . . . . . . . . . 4 | ||||
| 5. Connection Liveness . . . . . . . . . . . . . . . . . . . . . 5 | ||||
| 6. DiffServ Treatment for Consent packets . . . . . . . . . . . 5 | 6. DiffServ Treatment for Consent packets . . . . . . . . . . . 5 | |||
| 7. W3C API Implications . . . . . . . . . . . . . . . . . . . . 5 | 7. W3C API Implications . . . . . . . . . . . . . . . . . . . . 5 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
| 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 6 | 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 6 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 6 | 11.2. Informative References . . . . . . . . . . . . . . . . . 7 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 | Appendix A. Example Implementation . . . . . . . . . . . . . . . 7 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | ||||
| 1. Introduction | 1. Introduction | |||
| To prevent attacks on peers, RTP endpoints have to ensure the remote | To prevent attacks on peers, RTP endpoints have to ensure the remote | |||
| peer wants to receive traffic. This is performed both when the | peer wants to receive traffic. This is performed both when the | |||
| session is first established to the remote peer using ICE | session is first established to the remote peer using ICE | |||
| connectivity checks, and periodically for the duration of the session | connectivity checks, and periodically for the duration of the session | |||
| using the procedures defined in this document. | using the procedures defined in this document. | |||
| When a session is first established, WebRTC implementations are | When a session is first established, WebRTC implementations are | |||
| skipping to change at page 3, line 12 | skipping to change at page 3, line 12 | |||
| messages which verifies the remote peer's consent to receive traffic, | messages which verifies the remote peer's consent to receive traffic, | |||
| and can also detect loss of liveness. | and can also detect loss of liveness. | |||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| Consent: It is the mechanism of obtaining permission to send traffic | Consent: It is the mechanism of obtaining permission to send traffic | |||
| to a certain transport address. This is usually obtained via ICE. | to a certain transport address. This is the initial consent to | |||
| send traffic, which is obtained by ICE or a TCP handshake. | ||||
| Consent Freshness: Permission to continue sending traffic to a | Consent Freshness: Permission to continue sending traffic to a | |||
| certain transport address. This is performed by the procedure | certain transport address. This is performed by the procedure | |||
| described in this document. | described in this document. | |||
| Session Liveness: Detecting loss of connectivity to a certain | Session Liveness: Detecting loss of connectivity to a certain | |||
| transport address. This is performed by the procedure described | transport address. This is performed by the procedure described | |||
| in this document. | in this document. | |||
| Transport Address: The remote peer's IP address and (UDP or TCP) | Transport Address: The remote peer's IP address and (UDP or TCP) | |||
| skipping to change at page 3, line 39 | skipping to change at page 3, line 40 | |||
| as STUN Indications which are send-and-forget, and do not evoke a | as STUN Indications which are send-and-forget, and do not evoke a | |||
| response. A response is necessary both for consent to continue | response. A response is necessary both for consent to continue | |||
| sending traffic, as well as to verify session liveness. Thus, we | sending traffic, as well as to verify session liveness. Thus, we | |||
| need a request/response mechanism for consent freshness. ICE can be | need a request/response mechanism for consent freshness. ICE can be | |||
| used for that mechanism because ICE already requires ICE agents | used for that mechanism because ICE already requires ICE agents | |||
| continue listening for ICE messages, as described in section 10 of | continue listening for ICE messages, as described in section 10 of | |||
| [RFC5245]. | [RFC5245]. | |||
| 4. Solution Overview | 4. Solution Overview | |||
| There are two ways consent to send traffic is revoked: expiration of | ||||
| consent and immediate revocation of consent, which are discussed in | ||||
| the following sections. | ||||
| 4.1. Expiration of Consent | ||||
| A WebRTC browser performs a combined consent freshness and session | A WebRTC browser performs a combined consent freshness and session | |||
| liveness test using STUN request/response as described below: | liveness test using STUN request/response as described below: | |||
| An endpoint MUST NOT send application data (in WebRTC this means RTP | An endpoint MUST NOT send application data (e.g., RTP, RTCP, SCTP, | |||
| or SCTP data) on an ICE-initiated connection unless the receiving | DTLS) on an ICE-initiated connection unless the receiving endpoint | |||
| endpoint consents to receive the data. After a successful ICE | consents to receive the data. After a successful ICE connectivity | |||
| connectivity check on a particular transport address, subsequent | check on a particular transport address, subsequent consent MUST be | |||
| consent MUST be obtained following the procedure described in this | obtained following the procedure described in this document. The | |||
| document. The consent expires after a fixed amount of time. | consent expires after a fixed amount of time. | |||
| Explicit consent to send is indicated by: | ||||
| 1. Sending an ICE binding request to the remote peer's Transport | Explicit consent to send is indicated by sending an ICE binding | |||
| Address and receiving a matching and authenticated ICE binding | request to the remote peer's Transport Address and receiving a | |||
| response from the inverted remote peer's Transport Address. | matching and authenticated ICE binding response from the inverted | |||
| remote peer's Transport Address. These ICE binding requests and | ||||
| responses are authenticated using the same short-term credentials as | ||||
| the initial ICE exchange, but using a new (fresh) transaction-id each | ||||
| time consent needs to be refreshed. Implementations MUST obtain | ||||
| fresh consent before their existing consent expires. If an ICE | ||||
| binding response is not received within 1.5 times the previous round | ||||
| trip time, another ICE binding request is sent using the a new | ||||
| (fresh) transaction-id (so that round-trip time can be calculated), | ||||
| and re-transmissions MUST NOT be sent more frequently than every | ||||
| 500ms or the smoothed round-trip time (from previous consent | ||||
| freshness checks or RTP round-trip time), whichever is less. For the | ||||
| purposes of this document, receipt of an ICE response with the | ||||
| matching transaction-id of its request with a valid MESSAGE-INTEGRITY | ||||
| is considered a consent response. | ||||
| These ICE binding request/response are authenticated using the | The initial Consent to send traffic is obtained by ICE. Consent | |||
| same short- term credentials as the initial ICE exchange, but | expires after 30 seconds. That is, if a valid STUN binding response | |||
| using a new (fresh) transaction-id each time consent needs to be | corresponding to one of the STUN requests sent in the last 30 seconds | |||
| refresh. Implementations MUST obtain fresh consent before their | has not been received from the inverted 5-tuple, the endpoint MUST | |||
| existing consent expires. When obtaining fresh consent a STUN | cease transmission on that 5-tuple. | |||
| connectivity check (or response) could be lost, and re- | ||||
| transmissions MUST use the same STUN transaction-id, and re- | ||||
| transmissions MUST NOT be sent more frequently than every 500ms | ||||
| or the smoothed round-trip time (from previous consent freshness | ||||
| checks or RTP round-trip time), whichever is less. For the | ||||
| purposes of this document, receipt of an ICE response with the | ||||
| matching transaction-id of its request with a valid MESSAGE- | ||||
| INTEGRITY is considered an authenticated packet. | ||||
| Consent expires after 15 seconds. That is, if an authenticated | To meet the security needs of consent, an untrusted application | |||
| packet (e.g., DTLS, SRTP, ICE) has not been received from the | (e.g., JavaScript) MUST NOT be able to obtain or control the ICE | |||
| inverted 5-tuple after 15 seconds, the application MUST cease | transaction-id, because that enables spoofing STUN responses, | |||
| transmission on that 5-tuple. | falsifying consent | |||
| Consent is ended immediately by receipt of a an authenticated message | An endpoint that is only receiving application traffic (recvonly) | |||
| that closes the connection (for instance, a TLS fatal alert). | does not need to obtain consent which can slightly conserve its | |||
| resources. However, the endpoint needs to ensure its NAT or firewall | ||||
| mappings persist which can be done using keepalive or other | ||||
| techniques (see Section 10 of [RFC5245] and see [RFC6263]). If the | ||||
| endpoint wants send application traffic, it needs to first obtain | ||||
| consent if its consent expired. | ||||
| Receipt of an unauthenticated end-of-session message (e.g., TCP FIN) | 4.2. Immediate Revocation of Consent | |||
| does not indicate loss of consent. Thus, an endpoint receiving an | ||||
| unauthenticated end-of-session message SHOULD continue sending media | ||||
| (over connectionless transport) or attempt to re-establish the | ||||
| connection (over connection-oriented transport) until consent expires | ||||
| or it receives an authenticated message revoking consent. | ||||
| Although receiving authenticated packets is sufficient for consent, | The previous section explained how consent expires due to a timeout. | |||
| it is still RECOMMENDED to send messages to keep NAT or firewall | In some cases it is useful to signal a connection is terminated, | |||
| bindings alive (see Section 10 of [RFC5245] and [RFC6263]). | rather than relying on a timeout. This is done by immediately | |||
| revoking consent. | ||||
| To meet the security needs of consent, an implementation MUST ensure | Consent for sending traffic on the media or data channel is revoked | |||
| that an application (e.g., Javascript application) is not able to | by receipt of a an authenticated message that closes the connection | |||
| obtain or control STUN information relevant to consent, specifically | (for instance, a TLS fatal alert). | |||
| the ICE transaction-id MUST NOT be accessible to upper-level | ||||
| applications. | Receipt of an unauthenticated message that closes a connection (e.g., | |||
| TCP FIN) does not indicate revocation of consent. Thus, an endpoint | ||||
| receiving an unauthenticated end-of-session message SHOULD continue | ||||
| sending media (over connectionless transport) or attempt to re- | ||||
| establish the connection (over connection-oriented transport) until | ||||
| consent expires or it receives an authenticated message revoking | ||||
| consent. | ||||
| 5. Connection Liveness | 5. Connection Liveness | |||
| A connection is considered "live" if packets are received from a | A connection is considered "live" if packets are received from a | |||
| remote endpoint within an application-dependent period. An | remote endpoint within an application-dependent period. An | |||
| application can request a notification when there are no packets | application can request a notification when there are no packets | |||
| received for a certain period (configurable). | received for a certain period (configurable). | |||
| Similarly, if packets haven't been received within a certain period, | Similarly, if packets haven't been received within a certain period, | |||
| an application can request a consent check (heartbeat) be generated. | an application can request a consent check (heartbeat) be generated. | |||
| skipping to change at page 7, line 9 | skipping to change at page 7, line 29 | |||
| rtcweb-qos-00 (work in progress), April 2014. | rtcweb-qos-00 (work in progress), April 2014. | |||
| [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. | [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. | |||
| Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, | Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, | |||
| August 2004. | August 2004. | |||
| [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session | [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session | |||
| Description Protocol (SDP) Security Descriptions for Media | Description Protocol (SDP) Security Descriptions for Media | |||
| Streams", RFC 4568, July 2006. | Streams", RFC 4568, July 2006. | |||
| Appendix A. Example Implementation | ||||
| This section describes one possible implementation algorithm of | ||||
| consent. This section is non-normative and provided for reference | ||||
| only. | ||||
| The solution uses three values: | ||||
| 1. A consent timer, Tc, whose value is set to 30 seconds. | ||||
| 2. A packet receipt timer, Tr, whose value is determined by the | ||||
| application. Tr can be greater than 1 but less than 30 seconds | ||||
| and has a default value of 5 seconds. | ||||
| 3. A consent timeout, Tf, which is how many seconds elapse without a | ||||
| consent response before the browser ceases transmission of media. | ||||
| Its value is be 30 seconds or less. | ||||
| 4. A retransmission Timer, Tret, whose value is determined by the | ||||
| RTT of a given path. The duration of this timer is set to 1.5 | ||||
| times of (500 ms or the smoothened round-trip time (from previous | ||||
| consent freshness checks or RTP round-trip time)), whichever is | ||||
| less. | ||||
| A WebRTC browser performs a combined consent freshness and session | ||||
| liveness test using STUN request/response as described below: | ||||
| Every Tc seconds, the WebRTC browser sends a STUN Binding Request to | ||||
| the peer. The difference from ICE connectivity check is that there | ||||
| is no exponential back off for retransmissions. | ||||
| If a valid STUN Binding Response is received, the consent timer is | ||||
| reset to the time of receiving the response and fires again Tc | ||||
| seconds later. | ||||
| If a valid STUN Binding Response is not received after Tret | ||||
| milliseconds, the STUN Binding Request is retransmitted (with a new | ||||
| Transaction ID). As long as a valid STUN Binding Response is not | ||||
| received, this retransmission is repeated every Tret milliseconds | ||||
| until Tf seconds have elapsed or a valid response is received. If no | ||||
| valid response is received after Tf seconds, the WebRTC browser quits | ||||
| transmitting traffic to this remote peer. The streams that are being | ||||
| sent on a flow(5-tuple) for which a consent has failed will be | ||||
| stopped. If the default value of Tf is 30 seconds then media | ||||
| transmission will stop Consent (Tf) expires. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Muthu Arul Mozhi Perumal | Muthu Arul Mozhi Perumal | |||
| Cisco Systems | Cisco Systems | |||
| Cessna Business Park | Cessna Business Park | |||
| Sarjapur-Marathahalli Outer Ring Road | Sarjapur-Marathahalli Outer Ring Road | |||
| Bangalore, Karnataka 560103 | Bangalore, Karnataka 560103 | |||
| India | India | |||
| Email: mperumal@cisco.com | Email: mperumal@cisco.com | |||
| End of changes. 18 change blocks. | ||||
| 52 lines changed or deleted | 120 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||