One document matched: draft-reddy-behave-turn-auth-04.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-reddy-behave-turn-auth-04"
ipr="trust200902">
<front>
<title abbrev=" Problems with STUN Authentication for TURN">Problems with
STUN Authentication for TURN</title>
<author fullname="Tirumaleswar Reddy" initials="T." surname="Reddy">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>Cessna Business Park, Varthur Hobli</street>
<street>Sarjapur Marathalli Outer Ring Road</street>
<city>Bangalore</city>
<region>Karnataka</region>
<code>560103</code>
<country>India</country>
</postal>
<email>tireddy@cisco.com</email>
</address>
</author>
<author fullname="Ram Mohan Ravindranath" initials="Ram Mohan"
surname="Ravindranath">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>Cessna Business Park, Varthur Hobli</street>
<street>Sarjapur Marathalli Outer Ring Road</street>
<city>Bangalore</city>
<region>Karnataka</region>
<code>560103</code>
<country>India</country>
</postal>
<email>rmohanr@cisco.com</email>
</address>
</author>
<author fullname="Muthu Arul Mozhi Perumal" initials="Muthu A M"
surname="Perumal">
<organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address>
<postal>
<street>Cessna Business Park</street>
<street>Sarjapur-Marathahalli Outer Ring Road</street>
<city>Bangalore</city>
<region>Karnataka</region>
<code>560103</code>
<country>India</country>
</postal>
<email>mperumal@cisco.com</email>
</address>
</author>
<author fullname="Alper Yegin" initials="A." surname="Yegin">
<organization>Samsung</organization>
<address>
<postal>
<street></street>
<city>Istanbul</city>
<region></region>
<code></code>
<country>Turkey</country>
</postal>
<email>alper.yegin@yegin.org</email>
</address>
</author>
<date />
<workgroup>BEHAVE</workgroup>
<abstract>
<t>This document discusses some of the issues with STUN authentication
for TURN messages.</t>
</abstract>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>The TURN server is a building block to support interactive, real-time
communication using audio, video, collaboration, games, etc., between
two peer web browsers using the Web Real-Time communication (WebRTC)
<xref target="I-D.ietf-rtcweb-overview"> </xref> framework. The use-case
explained in "Simple Video Communication Service, enterprise aspects"
(Section 3.2.5 of <xref
target="I-D.ietf-rtcweb-use-cases-and-requirements"> </xref>) refers to
deploying a TURN<xref target="RFC5766"> </xref> server in the DMZ to
audit all media sessions from inside an Enterprise premises to any
external peer. TURN server could also be deployed for RTP Mobility <xref
target="I-D.wing-mmusic-ice-mobility"> </xref> etc.</t>
<t>TURN server is also used in the following scenarios:</t>
<t><list style="symbols">
<t>Users of RTCWEB based web application may use TURN server to hide
host candidate addresses from the remote peer for privacy.</t>
<t>Enterprise networks deploy firewalls which typically block UDP
traffic. When SIP user agents or WebRTC endpoints are deployed
behind such firewalls, media cannot be sent over UDP across the
firewall, but must be sent using TCP (which causes a different user
experience). In such cases a TURN server deployed in the DMZ MAY be
used to traverse Firewalls.</t>
<t>TURN Server may be used for IPv4-to-IPv6, IPv6-to-IPv6, and IPv6
-to-IPv4 relaying <xref target="RFC6156"></xref>.</t>
<t>ICE connectivity checks using server-reflexive candidates could
fail when the endpoint is behind NAT that performs Address-dependent
mapping. In such cases relayed candidate allocated from the TURN
server is used for media.</t>
</list></t>
<t><xref target="RFC5389">STUN</xref> specifies an authentication
mechanism called the long-term credential mechanism. <xref
target="RFC5766">TURN </xref> in section 4 specifies that TURN servers
and clients MUST implement this mechanism and the TURN server MUST
demand that all requests from the client be authenticated using this
mechanism, or that a equally strong or stronger mechanism for client
authentication be used.</t>
<t>In the above scenarios RTCWEB based web applications would use
Interactive Connectivity Establishment (ICE) protocol <xref
target="RFC5245"> </xref> for gathering candidates. ICE agent can use
TURN to learn server-reflexive and relayed candidates. If the TURN
server requires the TURN request to be authenticated then ICE agent will
use the long-term credential mechanism explained in section 10 of <xref
target="RFC5389"> </xref> for authentication and message integrity. TURN
specification <xref target="RFC5766"> </xref> in section 10 explains the
importance of long-term credential mechanism to mitigate various
attacks. With proposals like<xref
target="I-D.thomson-mmusic-rtcweb-bw-consent"> </xref> that defines a
STUN BANDWIDTH attribute for requesting bandwidth allocation at a TURN
server, STUN authentication becomes further important to prevent
un-authorized users from accessing the TURN server and misuse of
credentials could impose significant cost on the victim TURN server.</t>
<t>This note focuses on listing the problems with current STUN
authentication for TURN so that it can serve as the basis for stronger
authentication mechanisms.</t>
<t>Compared to a Binding request the Allocate request is more likely to
be identified by a server administrator as needing client authentication
and integrity protection of messages exchanged. Hence, the issues
discussed here in STUN authentication are applicable mainly in the
context of TURN messages.</t>
</section>
<section anchor="notation" title="Notational Conventions">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119"></xref>.</t>
<t>This note uses terminology defined in <xref target="RFC5389"></xref>,
<xref target="RFC5766"> </xref>.</t>
</section>
<section title="Scope">
<t>This document can be used as an input to design solution(s) to
address the problems with the current STUN authentication for TURN
messages.</t>
</section>
<section anchor="TURN_Auth"
title="Problems with usage of STUN Authentication">
<t><list style="numbers">
<t>The long-term credential mechanism in <xref
target="RFC5389"></xref> could use traditional "log-in" username and
password given to users which does not change for extended periods
of time and uses the key derived from user credentials to generate
message integrity for every TURN request/response. An attacker that
is capable of eavesdropping on a message exchange between a client
and server can determine the password by trying a number of
candidate passwords and checking if one of them is correct by
calculating the message-integrity of the message using these
candidate passwords and comparing with the message integrity value
in the MESSAGE-INTEGRITY attribute.</t>
<t>When TURN server is deployed in DMZ and requires requests to be
authenticated using the long-term credential mechanism in <xref
target="RFC5389"> </xref>, TURN server needs to be aware of the
username and password to validate the message integrity of the
requests and to provide message integrity for responses. This
results in management overhead on the TURN server. </t>
<t>The long-term credential mechanism in <xref
target="RFC5389"></xref> requires that the TURN client must include
username value in the USERNAME STUN attribute. An adversary snooping
the TURN messages between the TURN client and server can identify
the users involved in the call resulting in privacy leakage. In
certain scenarios TURN usernames need not be linked to any real
usernames given to users as they are just provisioned on a per
company basis.</t>
<t>An Attacker posing as a TURN server challenges the client to
authenticate, learns the USERNAME of the client and later snoops the
traffic from the client identifying the user activity resulting in
privacy leakage.</t>
<t>Hosting multiple realms on a single IP address is challenging
with TURN. When a TURN server needs to send the REALM attribute in
response to an unauthenticated request, it has no useful information
for determining which realm it should send, except the source
transport address of the TURN request. Note this is a problem with
multi-tenant scenarios only. This may not be a problem when TURN
server is located in enterprise premises.</t>
<t>In WebRTC the Javascript needs be know the username and password
to use in W3C RTCPeerConnection API to access the TURN server. This
exposes the user credentials to the Javascript which could be
malicious.</t>
</list></t>
</section>
<section anchor="security" title="Security Considerations">
<t>This document lists problems with current STUN authentication for
TURN so that it can serve as the basis for stronger authentication
mechanisms.</t>
</section>
<section anchor="iana" title="IANA Considerations">
<t>This document does not require any action from IANA.</t>
</section>
<section title="Acknowledgments">
<t>Authors would like to thank Dan Wing, Harald Alvestrand, Sandeep Rao,
Prashanth Patil, Pal Martinsen and Simon Perreault for their comments
and review.</t>
</section>
</middle>
<back>
<references title="Normative References">
<?rfc include="reference.RFC.2119"?>
<?rfc include='reference.RFC.5766'?>
<?rfc include='reference.RFC.5389'?>
<?rfc include='reference.RFC.6156'?>
</references>
<references title="Informative References">
<?rfc include="reference.RFC.5245"?>
<?rfc include="reference.RFC.6544"?>
<?rfc include='reference.I-D.ietf-rtcweb-use-cases-and-requirements'?>
<?rfc include='reference.I-D.ietf-rtcweb-overview'?>
<?rfc include='reference.I-D.wing-mmusic-ice-mobility'
?>
<?rfc include='reference.I-D.thomson-mmusic-rtcweb-bw-consent'
?>
<!---->
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 10:23:07 |