RTCWEB STUN Usage for Consent Freshness and Session Liveness draft-muthu-behave-consent-freshness-01 Authors: D. Wing, Muthu A M. Perumal, R. Ram Mohan,

Presentation transcript:

RTCWEB STUN Usage for Consent Freshness and Session Liveness
draft-muthu-behave-consent-freshness-01
Authors: D. Wing, Muthu A M. Perumal, R. Ram Mohan, H. Kaplan
July 30, 2012, IETF-84, Vancouver, BC, Canada
draft-muthu-behave-consent-freshness-01

What is "Consent"
 Purpose of Consent: avoid denial of service
 Consent
  o Permission to send traffic
 Consent freshness
  o Permission to continue sending traffic
 Traffic sender requests consent of the receiver

Problem Description (1/3)

Our Approach to Consent
Use ICE Connectivity Checks
  – RTCWEB needs ICE anyway
  – Transaction-ID protects from off-path attackers
No longer need ICE 'indications' for firewall and NAT keepalives (RFC6263)
  – Instead, keepalive using connectivity checks
  – Provides both Consent and "Liveliness"

Need WG Feedback on several things
1. Consent with authentication?
2. When to stop sending after no consent?
3. Consent frequency when sending
4. Consent frequency when not sending (liveliness / keepalive)
5. RTCP
6. APIs

1. Consent with authentication
Need WG feedback
Authentication options
1. STUN Binding method with authentication (SHA-1)
  – Objection: CPU hit for PSTN gateway, SBC, mixer
2. STUN Binding method without authentication (no SHA-1)
  – Objection: security is different
  – Objection: no longer compatible with normal ICE

2. When to stop sending
Need WG feedback
How long to wait for the consent response before stopping sending?
  o 39.5 seconds using STUN defaults
  o Based on fixed seconds?
  o Based on fixed packets per second?
  o Based on fixed bandwidth?
  o Based on 3x, 4x previous STUN round-trip time?
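The 39.5 second figure on this slide is what falls out of the RFC 5389 retransmission defaults (RTO 500 ms, Rc 7, Rm 16). The following is an added example, not code from the draft or its authors, that derives that figure, models the slide's "multiple of previous RTT" alternative, and tracks when a sender must stop; the ConsentTracker class and its time units (milliseconds) are assumptions of this example.

```python
"""Consent timers for the questions on this slide (RFC 5389 retransmission defaults)."""

STUN_RTO_MS = 500   # initial retransmission timeout, RFC 5389 default
STUN_RC = 7         # total transmissions of one request
STUN_RM = 16        # wait Rm*RTO after the final transmission before giving up

def stun_send_offsets_ms(rto_ms=STUN_RTO_MS, rc=STUN_RC):
    """Offsets at which one STUN request is (re)transmitted: the gap doubles each time."""
    offsets, t, gap = [], 0, rto_ms
    for _ in range(rc):
        offsets.append(t)
        t += gap
        gap *= 2
    return offsets                     # [0, 500, 1500, 3500, 7500, 15500, 31500]

def stun_transaction_timeout_ms(rto_ms=STUN_RTO_MS, rc=STUN_RC, rm=STUN_RM):
    """Time from first transmission until the transaction is declared failed."""
    return stun_send_offsets_ms(rto_ms, rc)[-1] + rm * rto_ms   # 39500 ms = 39.5 s

def rtt_based_timeout_ms(prev_rtt_ms, multiplier):
    """The slide's alternative: give up after a small multiple of the last measured RTT."""
    return multiplier * prev_rtt_ms

class ConsentTracker:
    """Hypothetical sender-side state: says whether media may still be sent."""
    def __init__(self, timeout_ms):
        self.timeout_ms = timeout_ms
        self.sent_at = None        # when the outstanding consent request was first sent
        self.confirmed_at = None   # last time a response proved consent

    def request_sent(self, now_ms):
        self.sent_at = now_ms

    def response_received(self, now_ms):
        self.sent_at, self.confirmed_at = None, now_ms

    def may_send(self, now_ms):
        """Media flows until an outstanding request has gone unanswered for timeout_ms."""
        if self.confirmed_at is None:
            return False           # no consent has ever been granted
        if self.sent_at is not None and now_ms - self.sent_at >= self.timeout_ms:
            return False           # consent request timed out: stop sending
        return True
```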

3. Consent Frequency when Sending
Need WG feedback
How frequently to request consent when actively sending?
  o Every 5 seconds?
  o Every minute?
  o Every hour?

4. Consent frequency when not sending (liveliness / keepalive)
Need WG feedback
Every 15 seconds, as recommended by RFC6263
Recommend using PCP to reduce frequency?

5. RTCP
Need WG feedback
Get consent for RTCP if on different port?
  o RTCP is typically rate limited

6. APIs
Need WG feedback
What APIs do we need?
  o Consent transaction failed
  o Set consent frequency (?)
  o Others?

WG Feedback: Summary
1. Consent with authentication?
2. When to stop sending after no consent?
3. Consent frequency when sending
4. Consent frequency when not sending (liveliness / keepalive)
5. RTCP
6. APIs

draft-muthu-behave-consent-freshness
 Interest in Consent and Liveliness?
 Is document going in the proper direction?

End


Problem Description (2/3)
 ICE connectivity checks verify consent only at session establishment
 Existing ICE keepalives are one-way
  o STUN "Indication"
  o Not confirmed
  o Not authenticated

Problem Description (3/3)
 Related problem: Session liveness
  o Detect connection failure after session establishment
  o Optimize consent freshness and liveness tests to avoid sending recurring messages

Design Considerations (1/8)
 STUN Binding Request
  o ICE says MUST use short term authentication
  o But SHA-1 impacts performance of aggregation equipment (e.g., PSTN gateways, mixers, SBCs)
 STUN transaction ID
  o Uniformly and randomly chosen from the interval 0..2^96-1
  o Good enough for preventing off-path attacks
  o MUST NOT be chosen or controlled by Javascript
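The two authentication options from slide "1. Consent with authentication" and the transaction-ID point on this slide can be seen side by side in code. This is an added example, not code from the draft or any ICE stack: it builds a minimal STUN Binding message with or without a short-term-credential MESSAGE-INTEGRITY (HMAC-SHA1), and validates a response first by its 96-bit transaction ID (the off-path defence) and then, when a password is configured, by the HMAC. It assumes the key is already the SASLprep'd ICE password as bytes and ignores attributes such as FINGERPRINT that follow MESSAGE-INTEGRITY.

```python
import hashlib, hmac, secrets, struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY = 0x0006, 0x0008

def new_transaction_id() -> bytes:
    # 96 bits from the OS CSPRNG; the slide's rule is that script must never choose this
    return secrets.token_bytes(12)

def _attr(atype: int, value: bytes) -> bytes:
    # STUN attributes are padded to a 4-byte boundary; the length field excludes padding
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)

def build_binding(msg_type: int, txid: bytes, username: bytes = b"", key: bytes = b"") -> bytes:
    """Binding request/response. With a key, append MESSAGE-INTEGRITY (the SHA-1 cost)."""
    body = _attr(ATTR_USERNAME, username) if username else b""
    if not key:
        return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + txid + body
    # RFC 5389: the length used for the HMAC input already counts the 24-byte MI attribute
    hdr = struct.pack("!HHI", msg_type, len(body) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(key, hdr + body, hashlib.sha1).digest()
    return hdr + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)

def response_is_valid(resp: bytes, expected_txid: bytes, key: bytes = b"") -> bool:
    """Accept only a success response carrying our transaction ID (and a valid HMAC if keyed)."""
    if len(resp) < 20:
        return False
    msg_type, length, cookie = struct.unpack("!HHI", resp[:8])
    if cookie != MAGIC_COOKIE or msg_type != BINDING_SUCCESS or len(resp) != 20 + length:
        return False
    if not hmac.compare_digest(resp[8:20], expected_txid):
        return False        # an off-path sender has to guess 96 random bits to get here
    if not key:
        return True         # unauthenticated variant: transaction ID is the only check
    pos = 20
    while pos + 4 <= len(resp):
        atype, alen = struct.unpack("!HH", resp[pos:pos + 4])
        if atype == ATTR_MESSAGE_INTEGRITY:
            hdr = struct.pack("!HHI", msg_type, pos - 20 + 24, MAGIC_COOKIE) + resp[8:20]
            mac = hmac.new(key, hdr + resp[20:pos], hashlib.sha1).digest()
            return hmac.compare_digest(mac, resp[pos + 4:pos + 24])
        pos += 4 + alen + ((-alen) % 4)
    return False            # keyed mode but no MESSAGE-INTEGRITY present
```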

Design Considerations (2/8)
 ICE requires an agent to be prepared to receive connectivity checks after ICE concludes
 So, let's do ICE connectivity checks for 'Consent'
 Reusing the STUN Binding method allows interoperation with existing ICE/ICE-lite implementations
 No need to also perform ICE/RTP keepalive

Design Considerations (3/8)
 Only obtain Consent when sending traffic
  o Reduces bandwidth usage
  o Conserves batteries