Presentation is loading. Please wait.

Presentation is loading. Please wait.

STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they.

Published byThomas Hensley Modified over 10 years ago

Similar presentations

Presentation on theme: "STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they."— Presentation transcript:

1 STUN Open Issues Jonathan Rosenberg dynamicsoft

2 Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they were OK Alignment of params on natural boundaries –Will break backwards compatibility Added missing parameter code Clarified meaning of changed-address Added security

3 TCP and Fragmentation STUN recommends that UDP response never contain certs If you want certs, do a separate TCP query to fetch them –UDP may fragment –Fragmentation support in NATs are questionable ISSUE: can use UDP if you know your NAT supports fragmentation? –How to know? –Detection algorithms not reliable –Please let us use TCP STUN UDP STUN UDP w/o certs STUN TCP STUN TCP w/ certs (all other info ignored)

4 Security STUN is susceptible to a theft attack –Attacker can snoop request –Inject fake response –MAPPED-ADDRESS points to itself –Victim thinks its its own address, hands it out –Media, signaling applications go to attacker Why is this BAD –Back Door to attack MANY applications –But, if application is secure, this will be detected Authenticated key exchange for SRTP –Too many are not protected

5 Solution Requirements Server authenticates itself to client –Same domain as one client launched request to Client can validate the integrity of the entire response No encryption – utility is not clear Server to client authentication typically based on PK –Web model –Want to work with servers with which you have no shared secret –Want only one mecahnism

6 Solution Approach Cryptographic Message Syntax (CMS) RFC 2630 –Heart of SMIME –Syntax for signatures, certs, etc. Problem: dont want to sign responses for ANY request –DDoS attack, force CPU cycles to be eaten on PK operations Solution is four-way SYN handshake cookie approach –Client asks server –Server sends cookie to client –Client asks server with cookie –Server performs operation Guarantees there is no source address spoofing, avoids DDoS attacks

7 Whats the Issue? CMS implementation is probably 10-20 times more work than STUN itself Kind of sad However, security is hard Other approaches?

8 Whats left? Not much Lots of implementations underway, products are shipping soon (months away) Will rev with draft-ietf-midcom-stun-00 after blackout period Then ready for WGLC AFAIK

Download ppt "STUN Open Issues Jonathan Rosenberg dynamicsoft. Changes since -00 Answered UNSAF considerations –Still awaiting response from Leslie on whether they."

Similar presentations

SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
www.dynamicsoft.com U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP 2000-05-10-00 SIP Security Jonathan Rosenberg Chief Scientist.

U N L E A S H I N G A S E R V I C E S R E N A I S S A N C E SIP SIP Security Jonathan Rosenberg Chief Scientist.
TRIP: Recent Changes and Open Issues Jonathan Rosenberg, Hussein Salama, Matt Squire Pittsburgh IETF August 3, 2000.

TRIP: Recent Changes and Open Issues Jonathan Rosenberg, Hussein Salama, Matt Squire Pittsburgh IETF August 3, 2000.
Security Issues In Mobile IP

Security Issues In Mobile IP
Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.
Call Server LIS VPC ESGW SR Manhattan PSAP LO=Wall St Route=Manhattan PSAP The Location Object (LO) is provided in the call setup information to the Call.

Call Server LIS VPC ESGW SR Manhattan PSAP LO=Wall St Route=Manhattan PSAP The Location Object (LO) is provided in the call setup information to the Call.
State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.

State of DNS Security Extensions Edward Lewis February 26, 2001 APRICOT 2001 Panel.
RFC 3489bis Jonathan Rosenberg Cisco Systems. Technical Changes Needed Allow STUN over TCP –Driver: draft-ietf-sip-outbound Allow response to omit CHANGED-

RFC 3489bis Jonathan Rosenberg Cisco Systems. Technical Changes Needed Allow STUN over TCP –Driver: draft-ietf-sip-outbound Allow response to omit CHANGED-
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
TCP for today’s Web. Connections today Web-page > 300KB but objects are small 7.5KB -2.4KB [25] lots of small objects in a page. Implication: TCP Handshake.

TCP for today’s Web. Connections today Web-page > 300KB but objects are small 7.5KB -2.4KB [25] lots of small objects in a page. Implication: TCP Handshake.
SIP Working Group Stuff Jonathan Rosenberg dynamicsoft.

SIP Working Group Stuff Jonathan Rosenberg dynamicsoft.
STUN Tutorial Jonathan Rosenberg Chief Technology Officer.

STUN Tutorial Jonathan Rosenberg Chief Technology Officer.
RSVP Cryptographic Authentication ...RSVP requires the ability to protect its messages against corruption and spoofing. This document defines a mechanism.

RSVP Cryptographic Authentication "...RSVP requires the ability to protect its messages against corruption and spoofing. This document defines a mechanism.
August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.

August 2, 2005EAP WG, IETF 631 EAP-IKEv2 review Pasi Eronen.
STUN bis draft-ietf-behave-rfc3489bis Jonathan Rosenberg Cisco Systems.

STUN bis draft-ietf-behave-rfc3489bis Jonathan Rosenberg Cisco Systems.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.

WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.
Intro to SSL/TLS Network Security Gene Itkis. 6/14/2015 Gene Itkis: CS558 Network Security 2 Origins Internet Engineering Task Force (IETF) –www.ietf.orgwww.ietf.org.

Intro to SSL/TLS Network Security Gene Itkis. 6/14/2015 Gene Itkis: CS558 Network Security 2 Origins Internet Engineering Task Force (IETF) –
Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Secure communications Week 10 – Lecture 2. To summarise yesterday Security is a system issue Technology and security specialists are part of the system.

Similar presentations

Ads by Google