Problems with STUN Authentication for TURN
draft-reddy-behave-turn-auth-04
Mar 2013 IETF 89 Meeting
Authors : T.Reddy, Ram. R, Muthu.P, A.Yegin
Background
• Applications like WebRTC may choose to use TURN for privacy.
• NAT/Firewall traversal.
• TURN server could be deployed in Enterprise DMZ for auditing etc.
• Mobility.
• TURN includes IPv4-to-IPv6, IPv6-to-IPv6, and IPv6-to-IPv4 relaying.
Related proposals
• draft-ietf-rtcweb-use-cases-and-requirements refers to deploying a TURN server for auditing and FW traversal.
STUN Auth
TURN uses a key derived from the username and password to generate the message integrity for TURN requests/responses.
key = MD5(username ":" realm ":" SASLprep(password))
Problems with STUN Auth
1. The "log-in" username and password will not change for extended periods of time.
   o Password susceptible to offline dictionary attacks.
2. TURN server needs to be aware of username and password (management overhead) or store the key (MD5 hash).
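As an added example (not code from the slides or from any of the cited drafts), the following Python shows the long-term credential mechanism the key formula belongs to, as RFC 5389 specifies it: the client derives the MD5 key, serialises a TURN Allocate request and appends MESSAGE-INTEGRITY (HMAC-SHA1); the server reads the cleartext USERNAME and REALM, looks up only the stored MD5 key (no password needed) and recomputes the HMAC. The credential values, the key store, the fixed transaction id and the function names are assumptions made for the example.

```python
# Added example (not from the slides or the cited drafts): the STUN long-term
# credential mechanism of RFC 5389 as TURN uses it. Names such as
# build_request / verify_integrity and the sample credentials are assumptions.
import hashlib
import hmac
import os
import struct
import unicodedata

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003          # TURN Allocate request (RFC 5766)
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008
ATTR_REALM = 0x0014
ATTR_NONCE = 0x0015


def saslprep(password: str) -> str:
    """Simplified SASLprep (RFC 4013): NFKC normalisation only.
    A full implementation also applies the mapping and prohibition tables."""
    return unicodedata.normalize("NFKC", password)


def long_term_key(username: str, realm: str, password: str) -> bytes:
    """key = MD5(username ":" realm ":" SASLprep(password)), RFC 5389 s.15.4.
    The derivation is unsalted and fast, which is why a long-lived password
    plus a sniffed MESSAGE-INTEGRITY is exposed to offline guessing (problem 1)."""
    material = f"{username}:{realm}:{saslprep(password)}".encode("utf-8")
    return hashlib.md5(material).digest()


def _attr(attr_type: int, value: bytes) -> bytes:
    """TLV-encode one STUN attribute, padded to a 4-byte boundary."""
    padding = b"\x00" * ((-len(value)) % 4)
    return struct.pack("!HH", attr_type, len(value)) + value + padding


def build_request(msg_type: int, attrs, key: bytes, transaction_id: bytes = None) -> bytes:
    """Client side: serialise attributes and append MESSAGE-INTEGRITY.
    The HMAC-SHA1 covers the header and all preceding attributes, with the
    header length already counting the 24-byte MESSAGE-INTEGRITY attribute."""
    transaction_id = transaction_id or os.urandom(12)
    body = b"".join(_attr(t, v) for t, v in attrs)
    header = struct.pack("!HHI", msg_type, len(body) + 24, MAGIC_COOKIE) + transaction_id
    mac = hmac.new(key, header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def parse_attributes(message: bytes):
    """Return (type, value, offset) for each attribute after the 20-byte header."""
    out, offset = [], 20
    while offset + 4 <= len(message):
        attr_type, length = struct.unpack("!HH", message[offset:offset + 4])
        out.append((attr_type, message[offset + 4:offset + 4 + length], offset))
        offset += 4 + length + ((-length) % 4)
    return out


def verify_integrity(message: bytes, key_lookup) -> bool:
    """Server side. USERNAME and REALM travel in cleartext (problem 3), which is
    what lets the server select the key before checking the HMAC.
    key_lookup(username, realm) returns the stored MD5 key, so the server never
    needs the password itself (problem 2)."""
    attrs = parse_attributes(message)
    fields = {t: v for t, v, _ in attrs}
    mi = [(v, off) for t, v, off in attrs if t == ATTR_MESSAGE_INTEGRITY]
    if not mi or ATTR_USERNAME not in fields or ATTR_REALM not in fields:
        return False
    mac, mi_offset = mi[0]
    key = key_lookup(fields[ATTR_USERNAME].decode("utf-8"), fields[ATTR_REALM].decode("utf-8"))
    if key is None:
        return False
    # Recompute over everything before MESSAGE-INTEGRITY, with the length field
    # rewritten to end right after that attribute: (mi_offset - 20) + 24.
    covered = message[:2] + struct.pack("!H", mi_offset + 4) + message[4:mi_offset]
    expected = hmac.new(key, covered, hashlib.sha1).digest()
    return hmac.compare_digest(mac, expected)


# Constructed sample credentials; the server-side store holds only the MD5 key.
SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD = "alice", "example.org", "correct horse"
KEY_STORE = {(SAMPLE_USER, SAMPLE_REALM): long_term_key(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD)}


def lookup_key(username: str, realm: str):
    return KEY_STORE.get((username, realm))


def sample_allocate(transaction_id: bytes = b"\x01" * 12) -> bytes:
    """Allocate request for the sample user (fixed transaction id for reproducibility)."""
    key = long_term_key(SAMPLE_USER, SAMPLE_REALM, SAMPLE_PASSWORD)
    return build_request(ALLOCATE_REQUEST, [(ATTR_USERNAME, SAMPLE_USER.encode()),
                                            (ATTR_REALM, SAMPLE_REALM.encode()),
                                            (ATTR_NONCE, b"nonce123")], key, transaction_id)


if __name__ == "__main__":
    msg = sample_allocate()
    print("valid:", verify_integrity(msg, lookup_key))
    tampered = bytearray(msg)
    tampered[52] ^= 0x01                       # flip a bit inside the NONCE value
    print("tampered:", verify_integrity(bytes(tampered), lookup_key))
```

Note that the only secret the server keeps is the MD5 key, which is why the draft counts "store the key (MD5 hash)" as an alternative to knowing the password; the USERNAME and REALM the server keys off are readable by anyone on the path.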
Attackers versus TURN Servers
[Figure: Alice's TURN server in the Internet/Cloud, with Attacker 1, Attacker 2 and Attacker 3 placed on the paths around it]
3. An adversary snooping TURN messages can learn the user's USERNAME.
Problems contd.
4. TURN credential exposed to JavaScript.
5. TURN could be deployed in the cloud, which comes at a cost to the SaaS provider.
6. No support for multiple realms.
Problems contd.
• STUN authentication is important to prevent unauthorized users from accessing the TURN server.
Solutions
• draft-johnston-tram-stun-origin-01 addresses the realm problem.
• draft-petithuguenin-tram-stun-dtls-00 addresses some of the problems.
• draft-reddy-tram-turn-third-party-authz-00 addresses the problem for third party authorization.
Solutions contd.
• There may still be a need to solve first-party authentication: the auditing and FW traversal use case, where an Enterprise or ISP deploys the TURN server.
Next steps?