[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Early arriving media before 200 OK

To: "'Eric Rescorla'" <ekr@xxxxxxxxxxxxxxxxxxxx>, "Rob Raymond" <rob@xxxxxxxxxxxxxxx>
Subject: RE: Early arriving media before 200 OK
From: "Dan Wing" <dwing@xxxxxxxxx>
Date: Wed, 7 Feb 2007 14:22:52 -0800
Authentication-results: sj-dkim-8; header.From=dwing@xxxxxxxxx; dkim=pass (s ig from cisco.com/sjdkim8002 verified; );
Cc: <ietf-rtpsec@xxxxxxx>
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=5310; t=1170886976; x=1171750976; c=relaxed/simple; s=sjdkim8002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@xxxxxxxxx; z=From:=20=22Dan=20Wing=22=20<dwing@xxxxxxxxx> |Subject:=20RE=3A=20Early=20arriving=20media=20before=20200=20OK=20 |Sender:=20; bh=2nMYm5pvoBmTYXXGhzfnv4kwsAg5SGJ4v0yBCKNTb/U=; b=ZwRRI6m+CXPaUes4jdzwkw2GAFsVOOgBwZAt8c4tOLSy05U+JianqQHSo8CdH53iA2LCDBFi t0ZQxk25N2z6qmRmXqN5IxzlCqTnnS+t20weGRh84NhKNsu/K7i+O2YE;
In-reply-to: <20070207212944.072005C07B@xxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
Thread-index: AcdK/f8T58t6pVFRQDu3UxGd2cMuoAABm4aA

(Eric and I clarified my misunderstanding with a phone call.)

Thanks.  Rob's concern seemed to extend to on-path attackers
who could delay offers and even manipulate SDP.

Going back to Rob's original email:

    >
    >  1) Discard all media before the 200 OK - not acceptable,
    >     that early arriving media often includes the "hello"
    >     which if lost causes a very poor user call experience.
    >     Horrible in fact.  I'm already concerned by the amount
    >     of data loss during the round-trips for DTLS
    >     negotiation and the required SIP signaling for ICE
    >     before a path change, let alone adding to the trouble.
    >

Rob, are you aware that ICE-13 (and -12, I believe), implements what could
be called a 'poor-man's connectivity precondition', which delays alerting
the called party until the SDP answer is received?  See
http://tools.ietf.org/html/draft-ietf-mmusic-ice-13#section-12.1 which says:

   ...
   If an offer is received in an INVITE request, the callee SHOULD
   immediately gather its candidates and then generate an answer in a
   provisional response.  ICE requires that a provisional response with
   an SDP be transmitted reliably.  This can be done through the
   existing PRACK mechanism [9], or through an optimization that is
   specific to ICE.  With this optimization, provisional responses
   containing an SDP answer that begins ICE processing for one or more
   media streams can be sent reliably without RFC 3264.  To do this, the
   agent retransmits the provisional response with th exponential
   backoff timers described in RFC 3262.  Retransmits MUST cease on
   receipt of a STUN Binding Request for one of the media streams
   signaled in that SDP or on transmission of a 2xx response.  If no
   Binding Request is received prior to the last retransmit, the agent
   does not consider the session terminated.  Despite the fact that the
   provisional response will be delivered reliably, the rules for when
   an agent can send an updated offer or answer do not change from those
   specified in RFC 3262.  Specifically, if the INVITE contained an
   offer, the same answer appears in all of the 1xx and in the 2xx
   response to the INVITE.  Only after that 2xx has been sent can an
   updated offer/answer exchange occur.  This optimization SHOULD NOT be
   used if both agents support PRACK.  Note that the optimization is
   very specific to provisional response carrying answers that start ICE
   processing; it is not a general technique for 1xx reliability.
   ...

Back to Rob's original email:

    >
    >  I propose that the bar be raised and that this limitation
    >  be rejected in favour of something that ensures all early
    >  arriving media is at least the recipient of the INVITE.
    >

You can't be sure who legitimately received the Invite until you receive the
SDP answer, and that SDP answer needs to contain an a=fingerprint or
something functionally equivalent to the a=fingerprint.  

Otherwise, an attacker could passively observe the Invite and send the
necessary cookie to the offerer.  Based on your original post on this topic,
I don't think that provides adequate protection for the threats you are
considering, does it?

-d

> -----Original Message-----
> From: Eric Rescorla [mailto:ekr@xxxxxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, February 07, 2007 1:22 PM
> To: Dan Wing
> Cc: robin@xxxxxxxxxxxxxxx; ietf-rtpsec@xxxxxxx
> Subject: Re: Early arriving media before 200 OK 
> 
> Dan Wing <dwing@xxxxxxxxx> wrote:
> > I read through RFC4279 ("PSK Ciphersuites for TLS") again, and I 
> > admit I still don't understand what you meant in your original 
> > reply when you wrote "key which is used to key TLS PSK mode".  You
> > meant something different from what I understood, because what I
> > understood was that you were going to send the PSK in SDP, which
> > would share most of the features and drawbacks of Security 
> > Descriptions.  You meant something else, but I can't tease apart
> > what you meant.
> 
> So, the basic point here is that you want to do a public key 
> exchange in the TLS channel but require that the TLS client
> (the SDP answerer) demonstrate possession of some secret sent
> in the SDP offer. This provides confidentiality against 
> passive attackers who observe the SDP (unlike SDES) because
> you would need to mount an MITM attack on the public key
> exchange.
> 
> So, if people consider this attack to be serious, what we want
> to do is:
> 
> 1. Include a secret in the SDP Offer that is required to complete
>    the handshake. This protects against active attacks before
>    the 200 by people who cannot see the SDP Offer.
> 2. Have both sides include authenticated commitments to their
>    public keys in the SDP offer. This allows you to do an
>    asymmetric key establishment in the media channel, thus 
>    protecting you against attackers who can passively see
>    the SDP exchange (including other members of the fork).
> 
> TLS PSK provides one way of doing that by allowing you to have
> an asymmetric key establishment (2) that's also authenticated by
> a shared key (1). It may or may not turn out to be the best way.
> 
> -Ekr

References:
- Re: Early arriving media before 200 OK
  - From: Eric Rescorla

Prev by Date: Re: Early arriving media before 200 OK
Previous by thread: Re: Early arriving media before 200 OK
Index(es):
- Date
- Thread