10. The Goal: Standards-based solution that solves RTC Firewall/NAT traversal
11. Firewall Traversal
· Traversal is getting more and more complicated
· Moving target
· Today's Internet:
· NAT (different types),
· Firewall (packet filters),
· IPv4 => IPv6 transition,
· Multihoming, etc.
· TCP not ideal for RTC
18. Linux NAT
· Allow IP forwarding sysctl net.ipv4.ip_forward=1
· Symmetric NAT
· Address and Port dependent Mapping
· Address and Port dependent Filtering
· iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE --random
· Port restricted Cone NAT
· Endpoint Independent Mapping
· Address and Port dependent Filtering
· iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
19. RFC5780 and coTURN
· NAT behavior is not always constant in time!
· NAT could change characteristics during attacks, or high load, etc.
· Still worth understanding the current behaviour.
· RFC 4787 - NAT Behavioral Requirements for Unicast UDP
· coTURN provides a brilliant STUN client library
· Based on it I created a utility to detect the NAT type according to RFC 5780
· bin/turnutils_natdiscovery -f -m 193.224.47.74
20. Example symmetric NAT output
misi@csiga:~/work/coturn$ bin/turnutils_natdiscovery -f -m 193.224.47.74
…
========================================
NAT with Address and Port Dependent Mapping!
========================================
…
========================================
NAT with Address and Port Dependent Filtering!
========================================
misi@csiga:~/work/coturn$
22. ICE step by step
· Discovery and Candidate gathering
· Allocation
· Prioritisation
· Exchange
· Connectivity Check
· Frozen Algorithm
· Coordination
· Communication
23. IP address and port discovery
· Candidate pair
· IP address, port, protocol
· Types
· Relayed
· Reflexive
· Server, Peer
· Host
[Figure: UA behind a NAT reaching a TURN server on the public Internet; the candidate addresses are labelled X:x (host, on the UA), X':x' (server reflexive, on the NAT) and Y:y (relayed, on the TURN server)]
24. Why is gathering all addresses a problem?
· ICE gathers ALL(!)
· "By design"
· to find the best way
· IP address leakage
· exposes your IP addresses
· Private, public, VPN etc.
· Solution:
· Limit candidate discovery
· Limit interface and address gathering
· Fix is under way
· draft-ietf-rtcweb-ip-handling
· Chrome
· Opt-in: Network Limiter extension
· Step two: build it into the core and make it the default
· Firefox
· New UI tools to restrict candidates
· https://wiki.mozilla.org/Media/WebRTC/Privacy
25. Trickle ICE
Slide from: trickle-ice-iet86-orlando.pptx
[Figure: Vanilla ICE as per RFC 5245, between Alice and Bob with a STUN server on each side: discovery (disco) at both ends, then offer and candidates, connectivity checks, answer and candidates, in sequence]
[Figure: Trickle ICE, same parties: discovery runs in parallel with the O/A carrying host or no candidates, after which more candidates and connectivity checks are exchanged as they arrive]
28. Long Term vs Short Term
· STUN (RFC 5389) defines two credential mechanisms
· Short-term credential mechanism
· Use once
· A new key every time
· ICE uses it for connectivity checks
· SDP (a=ice-ufrag and a=ice-pwd)
· Long-term credential mechanism
· Credential is not limited in time.
· Main usage: STUN reflexive address detection and TURN relay allocation
· Stored in a user database (HA1)
29. Long Term Credential
· User, Realm, Password
· "Origin" based REALM (draft-ietf-tram-stun-origin) /WebRTC/
· User database stores HA1
· HA1 = MD5("user:example.com:mysecret")
· Message integrity algorithm (HMAC-SHA1)
· HMAC(M, MD5("user:example.com:mysecret"))
· Protection against replay-based attacks
· It is the base authentication method for STUN
30. WebRTC & LTC = not a perfect match
· Long Term Credential
· Summary of problems: draft-reddy-behave-turn-auth
· Keeping the password secret is difficult for web apps
· Message integrity is not protected against offline dictionary attacks.
· The server must look up the credential in the user database.
· The username is not encrypted in the STUN message and could be used for tracking.
· Short Term Credential (only for one connection)
· No protection against replay attacks
· Designed for short-term use
31. STUN auth for WebRTC = REST API (Time Limited Long Term Credential)
· draft-uberti-rtcweb-turn-rest-00
· The REST API and the STUN/TURN server share a secret.
· The service provider is identified by an api_key, sends the request on behalf of the end user and gets a time-limited credential.
· The web application transfers this credential to the end user's browser via the JS API.
· username = timestamp and application-specific data separated by a ":".
32. REST API Operation Overview (Time Limited Long Term Credential)
[Figure: the Web App calls the REST API, which shares a secret with the TURN server]
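Added example (not the deck's or the PoC's own code) of the time-limited credential scheme of slides 31 and 32 as draft-uberti-rtcweb-turn-rest specifies it: the REST side issues username "<expiry>:<app data>" with password base64(HMAC-SHA1(shared secret, username)); the TURN side recomputes it, rejects expired names, and also accepts the previous day's secret so the daily rotation described later in the deck does not invalidate credentials still in use. Secret values and app data are constructed.

```python
import base64
import hashlib
import hmac
import time


def _rest_password(shared_secret, username):
    # draft-uberti-rtcweb-turn-rest: password = base64(HMAC-SHA1(secret, username))
    mac = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def issue_rest_credential(shared_secret, app_data, now=None, ttl=24 * 3600):
    """REST API side: username = "<expiry unix time>:<application specific data>"."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{app_data}"
    return {"username": username, "password": _rest_password(shared_secret, username), "ttl": ttl}


def validate_rest_credential(username, password, accepted_secrets, now=None):
    """TURN server side: no user database lookup, only HMAC recomputation.

    accepted_secrets holds the current secret first and the previous day's
    second, so credentials issued just before rotation stay valid until expiry.
    """
    now = int(time.time()) if now is None else now
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False  # malformed username, not "<timestamp>:<data>"
    if expiry <= now:
        return False  # credential has expired
    for secret in accepted_secrets:
        if hmac.compare_digest(_rest_password(secret, username), password):
            return True
    return False
```

The TURN server then feeds the ephemeral username and password into the ordinary long-term key derivation MD5(username:realm:password), so STUN message integrity works unchanged.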
35. PoC Overview
· Web Frontend
· After AAI: eduGAIN
· get an LTC username/password credential
· get a key for the REST API
· Distributed service
· NIIF, UNINETT, FCT/FCCN
· Closest Server (GeoIP)
· Auth methods
· LTC, REST API,
· OAuth (coming soon)
36. Ansible
· Automated install central
· OS (firewall,ntp,fail2ban,etc.)
· Web Server and PHP
· EduGAIN privacy statement
· MySQL master
· Automated install slaves
· OS (firewall,ntp,fail2ban,etc.)
· MySQL slave
· coTURN
· Configure even more
· Certs
· Configure SimpleSAMLPHP
· Install Composer
· Update PHP libs
· Git checkout
· Frontend
· REST API
· Setup replication
· Master and Slave sides
37. Design Goals
· Only Open Source components (Debian Jessie, etc.)
· Supporting all possible authentication methods
· LTC, REST, OAuth
· AAI enabled eduGAIN front-end site
· Distributed back-end database
· Secure Communication, IPv6, DNSSEC
· Support a wide range of STUN/TURN transport protocols
· Automated deployment
38. Security Design Principles
· LTC user password is generated to avoid any offline dictionary attacks.
· According to the STUN RFC recommendation "the password SHOULD have at least 128 bits of randomness"
· We use 32 alphanumeric characters, ~190 bits (hackzilla/password-generator)
· REST
· API_KEY is a generated random key and has a one-year expiration
· 32 alphanumeric characters, ~190 bits (hackzilla/password-generator)
· Shared secret between the API and coTURN is rotated daily
43. Pick the closest STUN/TURN
· LTC
· DNS GeoIP based views
· Based on the location of the DNS resolver, not the client (!)
· OpenDNSSEC does not yet support views! Issue: OPENDNSSEC-232
· Anycast
· Provider independent
· IPv4 /24
· IPv6 /64
· REST
· Input: the user's IP address, on the web server side application
· Local GeoIP database
· IP => Coordinate
· Vincenty's formulae
· Coordinates => Distance
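Added example (not the PoC's code) of the REST-side server selection described above: Vincenty's inverse formula on the WGS-84 ellipsoid gives the geodesic distance from the client's GeoIP coordinate to each server, and the nearest one is chosen. The server coordinates are assumed approximate locations of the three partner sites named on slide 35.

```python
import math


def vincenty_distance_km(lat1, lon1, lat2, lon2):
    """Geodesic distance on WGS-84 via Vincenty's inverse formula (nearly antipodal points may not converge)."""
    a, f = 6378137.0, 1 / 298.257223563
    b = (1 - f) * a
    L = math.radians(lon2 - lon1)
    U1 = math.atan((1 - f) * math.tan(math.radians(lat1)))  # reduced latitudes
    U2 = math.atan((1 - f) * math.tan(math.radians(lat2)))
    sinU1, cosU1, sinU2, cosU2 = math.sin(U1), math.cos(U1), math.sin(U2), math.cos(U2)
    lam = L
    for _ in range(200):  # iterate lambda until it converges
        sinlam, coslam = math.sin(lam), math.cos(lam)
        sin_sigma = math.hypot(cosU2 * sinlam, cosU1 * sinU2 - sinU1 * cosU2 * coslam)
        if sin_sigma == 0:
            return 0.0  # coincident points
        cos_sigma = sinU1 * sinU2 + cosU1 * cosU2 * coslam
        sigma = math.atan2(sin_sigma, cos_sigma)
        sin_alpha = cosU1 * cosU2 * sinlam / sin_sigma
        cos2_alpha = 1 - sin_alpha ** 2
        cos_2sigma_m = cos_sigma - 2 * sinU1 * sinU2 / cos2_alpha if cos2_alpha else 0.0
        C = f / 16 * cos2_alpha * (4 + f * (4 - 3 * cos2_alpha))
        lam_prev = lam
        lam = L + (1 - C) * f * sin_alpha * (sigma + C * sin_sigma * (
            cos_2sigma_m + C * cos_sigma * (-1 + 2 * cos_2sigma_m ** 2)))
        if abs(lam - lam_prev) < 1e-12:
            break
    u2 = cos2_alpha * (a ** 2 - b ** 2) / b ** 2
    A = 1 + u2 / 16384 * (4096 + u2 * (-768 + u2 * (320 - 175 * u2)))
    B = u2 / 1024 * (256 + u2 * (-128 + u2 * (74 - 47 * u2)))
    delta_sigma = B * sin_sigma * (cos_2sigma_m + B / 4 * (
        cos_sigma * (-1 + 2 * cos_2sigma_m ** 2)
        - B / 6 * cos_2sigma_m * (-3 + 4 * sin_sigma ** 2) * (-3 + 4 * cos_2sigma_m ** 2)))
    return b * A * (sigma - delta_sigma) / 1000.0


# Constructed sample: assumed approximate coordinates of the three PoC partner sites
SERVERS = {
    "NIIF (Budapest)": (47.4979, 19.0402),
    "UNINETT (Trondheim)": (63.4305, 10.3951),
    "FCCN (Lisbon)": (38.7223, -9.1393),
}


def closest_server(client_lat, client_lon, servers=SERVERS):
    """Pick the server with the smallest geodesic distance from the client's GeoIP coordinate."""
    return min(servers, key=lambda name: vincenty_distance_km(client_lat, client_lon, *servers[name]))
```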
44. Auth methods
· LTC and REST
· Client behaviour is not changed.
· Only the server side differs.
· coTURN doesn't support both mechanisms in one daemon
· We used the simple design approach of separating the auth methods at VM level.
· Avoids repackaging
· Multiple daemons could also work on the same VM.
· Drawback: the normal Debian package is designed to run one daemon on one host.
· To exploit the latest coTURN implementation features we decided to use the jessie-backports repository
45. IPv6-ready service: smooth IPv6 transition
· All services are IPv6 ready and work in dual stack
· STUN/TURN services
· Dual Allocation
· MySQL
· NTP
· SSH
· DNS Resolvers
· Web Server
· Frontend, REST API
46. MySQL
· Separate DB for each auth method
· MySQL replication
· Encrypted
· netfilter protects the ports
· IP address based access control
· Generated passwords
· Replication filtered by DB (auth method)
· MySQL events:
· LTC
· Revoking the LTC after a year
· REST
· Generating new shared secrets daily
· Revoking the API token after a year.
· Shared key aging
· Limits the impact if a REST TURN server is compromised.
48. STUN & Long Term Credential
· STUN LTC authentication is optional according to the RFC
· Pros:
· Use the same auth policy for STUN and TURN
· Avoid attacks and server discovery. Avoid crawler robots that scan the Internet for vulnerable open STUN/TURN services. (Version)
· Avoid disclosing STUN server topology (alternate address and port).
· Cons:
· The work involved in authenticating the request is more than the work in simply processing it.
· Reality: lack of browser implementation
51. OAuth
Browser Implementation Status
· Chrome
· Open Issue 4907: https://goo.gl/Z69q6I
· Not happening in Q1
· Firefox
· Open Bug 1247616: https://goo.gl/6n78rL
· "Not implemented" warning for app devs from Mozilla 47
52. OAuth & TURN
· No PHP library supports Authenticated Encryption with Associated Data (AEAD)
· OpenSSL samples: https://goo.gl/UfuqTr
· coTURN
· Self-contained OAuth token validation implemented
· src/client/ns_turn_msg.c
· Function: int encode_oauth_token(const u08bits *server_name, encoded_oauth_token *etoken, const oauth_key *key, const oauth_token *dtoken, const u08bits *nonce)
53. Built in STUN
· Chrome
· stun.l.google.com:19302
· Firefox
· media.peerconnection.default_iceservers;[]
· media.peerconnection.ice.tcp;false
· stun.services.mozilla.com
· Default STUN server removed from version 41
· Bugs: 1167922, 1143827
· No service agreement about long-term service availability
· It is up to the browser vendor
· Built-in STUN SLA is not well defined
54. Lesson Learned
· STUN binding with LTC is not supported in browsers.
· Port numbers
· Standard ports
· Standard alternate port
· 80, 443 for strict firewalls
· NAT discovery
· Multiple IP addresses required
· Decisions & lessons
· LTC
· GeoIP vs Anycast
· OpenDNSSEC does not support views.
· REST API
· GeoIP and Vincenty vs Google Maps API
· OAuth (coming soon..)
· Wait for browser support.
56. Make or Buy?
· We have infrastructure in place
· Virtual/physical machine
· Small instance required
· Networking service
· High bandwidth capacity
· IPv6
· Secure and encrypted
· Updated
· Open source
· From public money
· Non-technical reasons
· Trust
· Transparency
· Time spent following market players' (moving) offerings
· Time spent negotiating price
· Procurement fees
· NREN and commercial market have different priorities
· The education market is not big enough to get features implemented
58. GN4 Symposium Demo
· WebTut
· Teacher <=> Student
· Symmetric NAT
· Tablet and PC
· What happens
· 1. Without STUN/TURN
· 2. With STUN/TURN
· 3. Two endpoints in the same LAN segment
60. Summary
· ICE provides E2E communication where possible (lowest latency)
· Standards-based NAT/firewall traversal and smooth IPv6 transition
· According to the WebRTC transports draft, ICE is a MUST:
· "ICE [RFC5245] MUST be supported."
· ICE needs STUN/TURN server infrastructure.
· A GÉANT4 PoC service is up and running. Next step? Pilot...
· "Leading edge" collaboration technologies serving the NREN community's communication needs.