Presentation is loading. Please wait.

Presentation is loading. Please wait.

RTCWEB STUN Usage for Consent Freshness and Session Liveness draft-muthu-behave-consent-freshness-01 Authors: D. Wing, Muthu A M. Perumal, R. Ram Mohan,

Published byTamsyn Bennett Modified over 8 years ago

Similar presentations

Presentation on theme: "RTCWEB STUN Usage for Consent Freshness and Session Liveness draft-muthu-behave-consent-freshness-01 Authors: D. Wing, Muthu A M. Perumal, R. Ram Mohan,"— Presentation transcript:

1 RTCWEB STUN Usage for Consent Freshness and Session Liveness draft-muthu-behave-consent-freshness-01 Authors: D. Wing, Muthu A M. Perumal, R. Ram Mohan, H. Kaplan July 30, 2012 IETF-84 Vancouver, BC, Canada draft-muthu-behave-consent-freshness-011

2 What is “Consent”  Purpose of Consent: avoid denial of service  Consent o Permission to send traffic  Consent freshness o Permission to continue sending traffic  Traffic sender requests consent of the receiver draft-muthu-behave-consent-freshness-012

3 Problem Description (1/3) draft-muthu-behave-consent-freshness-013

4 Our Approach to Consent Use ICE Connectivity Checks – RTCWEB needs ICE anyway – Transaction-ID protects from off-path attackers No longer need ICE ‘indications’ for firewall and NAT keepalives – RFC6263 – Instead, keepalive using connectivity checks – Provides both Consent and “Liveliness” draft-muthu-behave-consent-freshness-014

5 Need WG Feedback on several things 1.Consent with authentication? 2.When to stop sending after no consent? 3.Consent frequency when sending 4.Consent frequency when not sending – (liveliness / keepalive) 5.RTCP 6.APIs draft-muthu-behave-consent-freshness-015

6 1. Consent with authentication Need WG feedback Authentication options 1.STUN Binding method with authentication (SHA-1) – Objection: CPU hit for PSTN gateway, SBC, mixer 1.STUN Binding method without authentication (no SHA-1) – Objection: security is different – Objection: no longer compatible with normal ICE draft-muthu-behave-consent-freshness-016

7 2. When to stop sending Need WG feedback How long to wait for the consent response before stop sending ? o 39.5 seconds using STUN defaults o Based on fixed seconds? o Based on fixed packets per second? o Based on fixed bandwidth? o Based on 3x, 4x previous STUN round-trip time? draft-muthu-behave-consent-freshness-017

8 3. Consent Frequency when Sending Need WG feedback How frequently to request consent when actively sending? Every 5 seconds? Every minute? Every hour? draft-muthu-behave-consent-freshness-018

9 4. Consent frequency when not sending (liveliness / keepalive) Need WG feedback Every 15 seconds – as recommended by RFC6263 Recommend using PCP to reduce frequency? draft-muthu-behave-consent-freshness-019

10 5. RTCP Need WG feedback Get consent for RTCP if on different port? o RTCP is typically rate limited draft-muthu-behave-consent-freshness-0110

11 6. APIs Need WG feedback What APIs do we need? o Consent transaction failed o Set consent frequency (?) o Others? draft-muthu-behave-consent-freshness-0111

12 WG Feedback: Summary 1.Consent with authentication? 2.When to stop sending after no consent? 3.Consent frequency when sending 4.Consent frequency when not sending – (liveliness / keepalive) 5.RTCP 6.APIs draft-muthu-behave-consent-freshness-0112

13 draft-muthu-behave-consent-freshness  Interest in Consent and Liveliness?  Is document going in the proper direction? draft-muthu-behave-consent-freshness-0113

14 End draft-muthu-behave-consent-freshness-0114

15 draft-muthu-behave-consent-freshness-0115

16 Problem Description (2/3)  ICE connectivity checks verify consent only at session establishment  Existing ICE keepalives are one-way o STUN “Indication” o Not confirmed o Not authenticated draft-muthu-behave-consent-freshness-0116

17 Problem Description (3/3)  Related problem: Session liveness o Detect connection failure after session establishment o Optimize consent freshness and liveness tests to avoid sending recurring messages draft-muthu-behave-consent-freshness-0117

18 Design Considerations (1/8)  STUN Binding Request o ICE says MUST use short term authentication o But SHA-1 impacts performance of aggregation equipment (e.g., PSTN gateways, mixers, SBCs)  STUN transaction ID o Uniformly and randomly chosen from the interval 0.. 2^ 96-1 o Good enough for preventing off-path attacks o MUST NOT be chosen or controlled by Javascript draft-muthu-behave-consent-freshness-0118

19 Design Considerations (3/8)  Only obtain Consent when sending traffic o Reduces bandwidth usage o Conserves batteries draft-muthu-behave-consent-freshness-0119

20 Design Considerations (2/8)  ICE requires an agent to be prepared to receive connectivity checks after ICE concludes  So, let’s do ICE connectivity checks for ‘Consent’  Reusing STUN Binding method allows to interoperate with existing ICE/ICE-lite implementations  No need to also perform ICE/RTP keepalive draft-muthu-behave-consent-freshness-0120

Download ppt "RTCWEB STUN Usage for Consent Freshness and Session Liveness draft-muthu-behave-consent-freshness-01 Authors: D. Wing, Muthu A M. Perumal, R. Ram Mohan,"

Similar presentations

IPv6 Privacy Hannes Tschofenig, Tara Whalen. Agenda Privacy Threats Layering Addressing Policy Questionnaire.

IPv6 Privacy Hannes Tschofenig, Tara Whalen. Agenda Privacy Threats Layering Addressing Policy Questionnaire.
RFC 3489bis Jonathan Rosenberg Cisco Systems. Technical Changes Needed Allow STUN over TCP –Driver: draft-ietf-sip-outbound Allow response to omit CHANGED-

RFC 3489bis Jonathan Rosenberg Cisco Systems. Technical Changes Needed Allow STUN over TCP –Driver: draft-ietf-sip-outbound Allow response to omit CHANGED-
INRIA Rhône-Alpes - Planète research group 1 Security and RMT Protocols: TESLA I-D simple-auth I-D rmt-sec I-D IETF 69 th – Chicago meeting, July 2007.

INRIA Rhône-Alpes - Planète research group 1 Security and RMT Protocols: TESLA I-D simple-auth I-D rmt-sec I-D IETF 69 th – Chicago meeting, July 2007.
ICE Jonathan Rosenberg Cisco Systems. Changes Removed abstract protocol concept Relaxed requirements for ICE on servers and gateways – no address gathering.

ICE Jonathan Rosenberg Cisco Systems. Changes Removed abstract protocol concept Relaxed requirements for ICE on servers and gateways – no address gathering.
Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.

Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.
STUN bis draft-ietf-behave-rfc3489bis Jonathan Rosenberg Cisco Systems.

STUN bis draft-ietf-behave-rfc3489bis Jonathan Rosenberg Cisco Systems.
NISNet Winter School Finse 2008 1 Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology

NISNet Winter School Finse Internet & Web Security Case Study 2: Mobile IPv6 security Dieter Gollmann Hamburg University of Technology
Real-time Transport Protocol (RTP) Recommendations for SIPREC (draft-eckel-siprec-rtp-rec-01) Charles Eckel IETF-81, Quebec City, July.

Real-time Transport Protocol (RTP) Recommendations for SIPREC (draft-eckel-siprec-rtp-rec-01) Charles Eckel IETF-81, Quebec City, July.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
ICE Jonathan Rosenberg dynamicsoft. Issue 1: Port Restricted Flow This case does not work well with ICE right now Race condition –Works if message 13.

ICE Jonathan Rosenberg dynamicsoft. Issue 1: Port Restricted Flow This case does not work well with ICE right now Race condition –Works if message 13.
RTSP NAT Traversal Update Magnus Westlund (Ericsson) Thomas Zeng (PVNS, an Alcatel company) IETF-60 MMUSIC WG draft-ietf-mmusic-rtsp-nat-03.txt.

RTSP NAT Traversal Update Magnus Westlund (Ericsson) Thomas Zeng (PVNS, an Alcatel company) IETF-60 MMUSIC WG draft-ietf-mmusic-rtsp-nat-03.txt.
Error Checking continued. Network Layers in Action Each layer in the OSI Model will add header information that pertains to that specific protocol. On.

Error Checking continued. Network Layers in Action Each layer in the OSI Model will add header information that pertains to that specific protocol. On.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.

Session Policy Framework using EAP draft-mccann-session-policy-framework-using-eap-00.doc IETF 76 – Hiroshima Stephen McCann, Mike Montemurro.
SIP and NAT Dr. Jonathan Rosenberg Cisco Fellow. What is NAT? Network Address Translation (NAT) –Creates address binding between internal private and.

SIP and NAT Dr. Jonathan Rosenberg Cisco Fellow. What is NAT? Network Address Translation (NAT) –Creates address binding between internal private and.
July 18th, 200254th IETF Yokohama A Protocol for Anycast Address Resolving Shingo Ata, Osaka City University Hiroshi Kitamura,

July 18th, th IETF Yokohama A Protocol for Anycast Address Resolving Shingo Ata, Osaka City University Hiroshi Kitamura,
Whither Congestion Control? Sally Floyd E2ERG, July 2006 www.icir.org/floyd/talks.

Whither Congestion Control? Sally Floyd E2ERG, July
TURN draft-ietf-behave-turn-07 Philip Matthews, Avaya Jonathan Rosenberg, Cisco Rohan Mahy, Plantronics.

TURN draft-ietf-behave-turn-07 Philip Matthews, Avaya Jonathan Rosenberg, Cisco Rohan Mahy, Plantronics.
SMTP PROTOCOL CONFIGURATION AND MANAGEMENT Chapter 8.

SMTP PROTOCOL CONFIGURATION AND MANAGEMENT Chapter 8.
NECP: the Network Element Control Protocol IETF WREC Working Group November 11, 1999.

NECP: the Network Element Control Protocol IETF WREC Working Group November 11, 1999.

Similar presentations

Ads by Google