| draft-ietf-rtcweb-stun-consent-freshness-06.txt | draft-ietf-rtcweb-stun-consent-freshness-07.txt | |||
|---|---|---|---|---|
| RTCWEB M. Perumal | RTCWEB M. Perumal | |||
| Internet-Draft Ericsson | Internet-Draft Ericsson | |||
| Intended status: Standards Track D. Wing | Intended status: Standards Track D. Wing | |||
| Expires: February 13, 2015 R. Ravindranath | Expires: March 19, 2015 R. Ravindranath | |||
| T. Reddy | T. Reddy | |||
| Cisco Systems | Cisco Systems | |||
| M. Thomson | M. Thomson | |||
| Mozilla | Mozilla | |||
| August 12, 2014 | September 15, 2014 | |||
| STUN Usage for Consent Freshness | STUN Usage for Consent Freshness | |||
| draft-ietf-rtcweb-stun-consent-freshness-06 | draft-ietf-rtcweb-stun-consent-freshness-07 | |||
| Abstract | Abstract | |||
| To prevent sending excessive traffic to an endpoint, periodic consent | To prevent sending excessive traffic to an endpoint, periodic consent | |||
| needs to be obtained from that remote endpoint. | needs to be obtained from that remote endpoint. | |||
| This document describes a consent mechanism using a new STUN usage. | This document describes a consent mechanism using a new Session | |||
| This same mechanism can also determine connection loss ("liveness") | Traversal Utilities for NAT (STUN) usage. This same mechanism can | |||
| with a remote peer. | also determine connection loss ("liveness") with a remote peer. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 13, 2015. | This Internet-Draft will expire on March 19, 2015. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 34 | skipping to change at page 2, line 34 | |||
| 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 7 | 10. Acknowledgement . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 7 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 7 | 11.2. Informative References . . . . . . . . . . . . . . . . . 7 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | |||
| 1. Introduction | 1. Introduction | |||
| To prevent attacks on peers, RTP endpoints have to ensure the remote | To prevent attacks on peers, RTP endpoints have to ensure the remote | |||
| peer wants to receive traffic. This is performed both when the | peer wants to receive traffic. This is performed both when the | |||
| session is first established to the remote peer using ICE | session is first established to the remote peer using Interactive | |||
| connectivity checks, and periodically for the duration of the session | Connectivity Establishment ICE [RFC5245] connectivity checks, and | |||
| using the procedures defined in this document. | periodically for the duration of the session using the procedures | |||
| defined in this document. | ||||
| When a session is first established, WebRTC implementations are | When a session is first established, ICE implementations obtain | |||
| required to perform STUN connectivity checks as part of ICE | initial consent by performing STUN connectivity checks as part of | |||
| [RFC5245]. That initial consent is not described further in this | ICE. That initial consent is not described further in this document | |||
| document and it is assumed that ICE is being used for that initial | and it is assumed that ICE is being used for that initial consent. | |||
| consent. | ||||
| Related to consent is loss of connectivity ("liveness"). Many | Related to consent is loss of connectivity ("liveness"). Many | |||
| applications want notification of connection loss to take appropriate | applications want notification of connection loss to take appropriate | |||
| actions (e.g., alert the user, try switching to a different | actions (e.g., alert the user, try switching to a different | |||
| interface). | interface). | |||
| This document describes a new STUN usage with exchange of request and | This document describes a new STUN usage with exchange of request and | |||
| response messages to verify the remote peer's consent to receive | response messages to verify the remote peer's consent to receive | |||
| traffic, and the absence of which for a period of time indicates a | traffic, and the absence of which for a period of time indicates a | |||
| loss of liveness. | loss of liveness. | |||
| WebRTC endpoints are required to support full ICE as specified in | When a (full) ICE implementation interworks with an ICE-lite | |||
| section 3.4 of [I-D.ietf-rtcweb-transports]. However, when WebRTC | implementation the ICE-lite implementation will not generate consent | |||
| endpoints interwork with other endpoints that support only ICE-lite | checks, but will just just respond to consent checks it receives. | |||
| (e.g., gateways) those endpoints will not generate consent checks, | ||||
| but just respond to consent checks they receive. | ||||
| 2. Terminology | 2. Terminology | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this | |||
| document are to be interpreted as described in [RFC2119]. | document are to be interpreted as described in [RFC2119]. | |||
| Consent: It is the mechanism of obtaining permission to send traffic | Consent: It is the mechanism of obtaining permission to send traffic | |||
| to a certain transport address. This is the initial consent to | to a certain transport address. This is the initial consent to | |||
| send traffic, which is obtained by ICE or a TCP handshake. | send traffic, which is obtained by ICE or a TCP handshake. | |||
| skipping to change at page 3, line 42 | skipping to change at page 3, line 40 | |||
| port number. | port number. | |||
| 3. Design Considerations | 3. Design Considerations | |||
| Although ICE requires periodic keepalive traffic to keep NAT bindings | Although ICE requires periodic keepalive traffic to keep NAT bindings | |||
| alive (Section 10 of [RFC5245], [RFC6263]), those keepalives are sent | alive (Section 10 of [RFC5245], [RFC6263]), those keepalives are sent | |||
| as STUN Indications which are send-and-forget, and do not evoke a | as STUN Indications which are send-and-forget, and do not evoke a | |||
| response. A response is necessary both for consent to continue | response. A response is necessary both for consent to continue | |||
| sending traffic, as well as to verify session liveness. Thus, we | sending traffic, as well as to verify session liveness. Thus, we | |||
| need a request/response mechanism for consent freshness. ICE can be | need a request/response mechanism for consent freshness. ICE can be | |||
| used for that mechanism because ICE already requires ICE agents | used for that mechanism because ICE implementations are already | |||
| continue listening for ICE messages, as described in section 10 of | required to continue listening for ICE messages, as described in | |||
| [RFC5245]. | section 10 of [RFC5245]. | |||
| 4. Solution | 4. Solution | |||
| There are two ways consent to send traffic is revoked: expiration of | There are two ways consent to send traffic is revoked: expiration of | |||
| consent and immediate revocation of consent, which are discussed in | consent and immediate revocation of consent, which are discussed in | |||
| the following sections. | the following sections. | |||
| 4.1. Expiration of Consent | 4.1. Expiration of Consent | |||
| A WebRTC browser performs a combined consent freshness and session | A WebRTC implementation [I-D.ietf-rtcweb-overview], which implements | |||
| liveness test using STUN request/response as described below: | ICE, MUST perform a combined consent freshness and session liveness | |||
| test using STUN request/response as described below: | ||||
| An endpoint MUST NOT send application data (e.g., RTP, RTCP, SCTP, | An endpoint MUST NOT send application data (e.g., RTP, RTCP, SCTP, | |||
| DTLS), over any transport protocol (e.g., UDP, TCP) on an ICE- | DTLS), over any transport protocol (e.g., UDP, TCP) on an ICE- | |||
| initiated connection unless the receiving endpoint consents to | initiated connection unless the receiving endpoint consents to | |||
| receive the data. After a successful ICE connectivity check on a | receive the data. After a successful ICE connectivity check on a | |||
| particular transport address, subsequent consent MUST be obtained | particular transport address, subsequent consent MUST be obtained | |||
| following the procedure described in this document. The consent | following the procedure described in this document. The consent | |||
| expires after a fixed amount of time. During ICE restart consent | expires after a fixed amount of time. During ICE restart consent | |||
| checks MUST continue to be sent on previously validated pair, and | checks MUST continue to be sent on previously validated pair, and | |||
| MUST be responded to on the previously validated pair, until ICE | MUST be responded to on the previously validated pair, until ICE | |||
| skipping to change at page 5, line 8 | skipping to change at page 5, line 8 | |||
| endpoint MUST cease transmission on that 5-tuple. | endpoint MUST cease transmission on that 5-tuple. | |||
| To meet the security needs of consent, an untrusted application | To meet the security needs of consent, an untrusted application | |||
| (e.g., JavaScript) MUST NOT be able to obtain or control the STUN | (e.g., JavaScript) MUST NOT be able to obtain or control the STUN | |||
| transaction ID, because that enables spoofing STUN responses, | transaction ID, because that enables spoofing STUN responses, | |||
| falsifying consent. | falsifying consent. | |||
| While TCP affords some protection from off-path attackers ([RFC5961], | While TCP affords some protection from off-path attackers ([RFC5961], | |||
| [RFC4953]), there is still a risk an attacker could cause a TCP | [RFC4953]), there is still a risk an attacker could cause a TCP | |||
| sender to send packets forever by spoofing ACKs. To prevent such an | sender to send packets forever by spoofing ACKs. To prevent such an | |||
| attack, consent checks MUST be performed over all WebRTC-initiated | attack, consent checks MUST be performed over all transport | |||
| transport connections, including TCP. In this way, an off-path | connections, including TCP. In this way, an off-path attacker | |||
| attacker spoofing TCP segments can not cause a TCP sender to send | spoofing TCP segments can not cause a TCP sender to send packets | |||
| packets longer than the consent timer (30 seconds). | longer than the consent timer (30 seconds). | |||
| An endpoint that is not sending any application traffic does not need | An endpoint that is not sending any application traffic does not need | |||
| to obtain consent which can slightly conserve its resources. | to obtain consent which can slightly conserve its resources. | |||
| However, the endpoint needs to ensure its NAT or firewall mappings | However, the endpoint needs to ensure its NAT or firewall mappings | |||
| persist which can be done using keepalive or other techniques (see | persist which can be done using keepalive or other techniques (see | |||
| Section 10 of [RFC5245] and see [RFC6263]). If the endpoint wants to | Section 10 of [RFC5245] and see [RFC6263]). If the endpoint wants to | |||
| send application traffic, it needs to first obtain consent if its | send application traffic, it needs to first obtain consent if its | |||
| consent has expired. | consent has expired. | |||
| 4.2. Immediate Revocation of Consent | 4.2. Immediate Revocation of Consent | |||
| skipping to change at page 7, line 48 | skipping to change at page 7, line 48 | |||
| Keeping Alive the NAT Mappings Associated with RTP / RTP | Keeping Alive the NAT Mappings Associated with RTP / RTP | |||
| Control Protocol (RTCP) Flows", RFC 6263, June 2011. | Control Protocol (RTCP) Flows", RFC 6263, June 2011. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [I-D.ietf-avtcore-srtp-ekt] | [I-D.ietf-avtcore-srtp-ekt] | |||
| McGrew, D. and D. Wing, "Encrypted Key Transport for | McGrew, D. and D. Wing, "Encrypted Key Transport for | |||
| Secure RTP", draft-ietf-avtcore-srtp-ekt-02 (work in | Secure RTP", draft-ietf-avtcore-srtp-ekt-02 (work in | |||
| progress), February 2014. | progress), February 2014. | |||
| [I-D.ietf-rtcweb-transports] | [I-D.ietf-rtcweb-overview] | |||
| Alvestrand, H., "Transports for RTCWEB", draft-ietf- | Alvestrand, H., "Overview: Real Time Protocols for | |||
| rtcweb-transports-05 (work in progress), June 2014. | Browser-based Applications", draft-ietf-rtcweb-overview-11 | |||
| (work in progress), August 2014. | ||||
| [I-D.ietf-tsvwg-rtcweb-qos] | [I-D.ietf-tsvwg-rtcweb-qos] | |||
| Dhesikan, S., Jennings, C., Druta, D., Jones, P., and J. | Dhesikan, S., Jennings, C., Druta, D., Jones, P., and J. | |||
| Polk, "DSCP and other packet markings for RTCWeb QoS", | Polk, "DSCP and other packet markings for RTCWeb QoS", | |||
| draft-ietf-tsvwg-rtcweb-qos-02 (work in progress), June | draft-ietf-tsvwg-rtcweb-qos-02 (work in progress), June | |||
| 2014. | 2014. | |||
| [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. | [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. | |||
| Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, | Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, | |||
| August 2004. | August 2004. | |||
| skipping to change at page 8, line 34 | skipping to change at page 8, line 34 | |||
| 2010. | 2010. | |||
| [RFC6062] Perreault, S. and J. Rosenberg, "Traversal Using Relays | [RFC6062] Perreault, S. and J. Rosenberg, "Traversal Using Relays | |||
| around NAT (TURN) Extensions for TCP Allocations", RFC | around NAT (TURN) Extensions for TCP Allocations", RFC | |||
| 6062, November 2010. | 6062, November 2010. | |||
| Authors' Addresses | Authors' Addresses | |||
| Muthu Arul Mozhi Perumal | Muthu Arul Mozhi Perumal | |||
| Ericsson | Ericsson | |||
| Mahadevapura | Ferns Icon | |||
| Bangalore, Karnataka 560048 | Doddanekundi, Mahadevapura | |||
| Bangalore, Karnataka 560037 | ||||
| India | India | |||
| Email: muthu.arul@gmail.com | Email: muthu.arul@gmail.com | |||
| Dan Wing | Dan Wing | |||
| Cisco Systems | Cisco Systems | |||
| 821 Alder Drive | 821 Alder Drive | |||
| Milpitas, California 95035 | Milpitas, California 95035 | |||
| USA | USA | |||
| End of changes. 13 change blocks. | ||||
| 34 lines changed or deleted | 35 lines changed or added | |||
This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||