| TRAM | M. Petit-Huguenin |
| Internet-Draft | Jive Communications |
| Intended status: Standards Track | G. Salgueiro |
| Expires: September 25, 2014 | Cisco Systems |
| March 24, 2014 |
Datagram Transport Layer Security (DTLS) as Transport for Session Traversal Utilities for NAT (STUN)
draft-ietf-tram-stun-dtls-01
This document specifies the usage of Datagram Transport Layer Security (DTLS) as a transport protocol for Session Traversal Utilities for NAT (STUN). It provides guidances on when and how to use DTLS with the currently standardized STUN Usages. It also specifies modifications to the STUN URIs and TURN URIs and to the TURN resolution mechanism to facilitate the resolution of STUN URIs and TURN URIs into the IP address and port of STUN and TURN servers supporting DTLS as a transport protocol.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 25, 2014.
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
STUN [RFC5389] defines Transport Layer Security (TLS) over TCP (simply referred to as TLS [RFC5246]) as the transport for STUN due to additional security advantages it offers over plain UDP or TCP transport. But TLS-over-TCP is not an optimal transport when STUN is used for its originally intended purpose, which is to support multimedia sessions. This sub-optimality primarily stems from the added latency incurred by the TCP-based head-of-line (HOL) blocking problem coupled with additional TLS buffering (for integrity checks). This is a well documented and understood transport limitation for secure real-time communications.
TLS-over-UDP (referred to as DTLS [RFC6347]) offers the same security advantages as TLS-over-TCP, but without the undesirable latency concerns.
The key words "MUST", "MUST NOT", "REQUIRED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] when they appear in ALL CAPS. When these words are not in ALL CAPS (such as "must" or "Must"), they have their usual English meanings, and are not to be interpreted as RFC 2119 key words.
STUN [RFC5389] defines three transports: UDP, TCP, and TLS. This document adds DTLS as a valid transport for STUN.
STUN over DTLS MUST use the same retransmission rules as STUN over UDP (as described in Section 7.2.1 of [RFC5389]). It MUST also use the same rules that are described in Section 7.2.2 of [RFC5389] to verify the server identity. STUN over DTLS MUST, at a minimum, support TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 and MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. [[TODO: Do we want to specify that implementations MUST favor cipher suites which support PFS over non-PFS cipher suites]]. The same rules established in Section 7.2.2 of [RFC5389] for keeping open and closing TCP/TLS connections MUST be used as well for DTLS associations.
In addition to the path MTU rules described in Section 7.1 of [RFC5389], if the path MTU is unknown, the actual STUN message needs to be adjusted to take into account the size of the (13-byte) DTLS Record header, the MAC size, the padding size and the eventual compression applied to the payload.
By default, STUN over DTLS MUST use port 5349, the same port as STUN over TLS. However, the SRV procedures can be implemented to use a different port (as described in Section 9 of [RFC5389]). When using SRV records, the service name MUST be set to "stuns" and the application name to "udp".
Classic STUN [RFC3489] defines only UDP as a transport and DTLS MUST NOT be used. Any STUN request or indication without the magic cookie over DTLS MUST always result in an error.
[RFC5389] Section 7.2 states that STUN usages must specify which transport protocol is used. The following sections discuss if and how the existing STUN usages are used with DTLS as the transport. Future STUN usages MUST take into account DTLS as a transport and discuss its applicability.
As stated by Section 13 of [RFC5389], "...TLS provides minimal security benefits..." for this particular STUN usage. DTLS will also similarly offer only limited benefit. This is because the only mandatory attribute that is TLS/DTLS protected is the XOR-MAPPED-ADDRESS, which is already known by an on-path attacker, since it is the same as the source address and port of the STUN request. On the other hand, using TLS/DTLS will prevent an active attacker to inject XOR-MAPPED-ADDRESS in responses. The TLS/DTLS transport will also protect the SOFTWARE attribute, which can be used to find vulnerabilities in STUN implementations.
Regardless, this usage is rarely used by itself, since TURN [RFC5766] is generally mandatory to use with ICE [RFC5245], and TURN provides the same NAT Discovery feature as part of an Allocation creation. In fact, with ICE, the NAT Discovery usage is only used when there is no longer any resource available for new Allocations in the TURN server.
This document does not make any changes to the syntax of a STUN URI [RFC7064]. As indicated in Section 3.2 of [RFC7064], secure transports like STUN over TLS, and now STUN over DTLS, MUST use the "stuns" URI scheme.
The <host> value MUST be used when using the rules in Section 7.2.2 of [RFC5389] to verify the server identity. [[TODO: What happens if an IP address is used in the URI? Should we forbid that?]]
Using DTLS would hide the USERNAME, PRIORITY, USE-CANDIDATE, ICE-CONTROLLED and ICE-CONTROLLING attributes. But because MESSAGE-INTEGRITY protects the entire STUN response using a password that is known only by looking at the SDP exchanged, it is not possible for an attacker to inject an incorrect XOR-MAPPED-ADDRESS, which would subsequently be used as a peer reflexive candidate.
Adding DTLS on top of the connectivity check would delay, and consequently impair, the ICE process. There is, in fact, a proposal ([I-D.thomson-rtcweb-ice-dtls]) to use the DTLS handshake used by the WebRTC SRTP streams as a replacement for the connectivity checks, proving that adding additional round-trips to ICE is undesirable.
This usage MUST NOT be used with a STUN URI.
The media keep-alive (described in Section 20 of [RFC5245]) runs inside an RTP or RTCP session, so it is already protected if the RTP or RTCP session is also protected (i.e., SRTP/SRTCP). Adding DTLS inside the SRTP/SRTCP session would add overhead, with minimal security benefit.
This usage MUST NOT be used with a STUN URI.
The SIP keep-alive (described in [RFC5626]) runs inside a SIP flow. This flow would be protected if a SIP over DTLS transport mechanism is implemented (such as described in [I-D.jennings-sip-dtls]).
This usage MUST NOT be used with a STUN URI.
The NAT Behavior Discovery usage is Experimental and to date has never being effectively deployed. Despite this, using DTLS would add the same security properties as for the NAT Discovery Usage [section.usages.nat-discovery].
The STUN URI can be used to access the NAT Discovery feature of a NAT Behavior Discovery server, but accessing the full features would require definition of a "stun-behaviors:" URI, which is out of scope for this document.
TURN [RFC5766] defines three combinations of transports/allocations: UDP/UDP, TCP/UDP and TLS/UDP. This document adds DTLS/UDP as a valid combination. A TURN server using DTLS MUST implement the denial-of-service counter-measure described in Section 4.2.1 of [RFC6347].
[RFC6062] states that TCP allocations cannot be obtained using a UDP association between client and server. The fact that DTLS uses UDP implies that TCP allocations MUST NOT be obtained using a DTLS association between client and server.
By default, TURN over DTLS uses port 5349, the same port as TURN over TLS. However, the SRV procedures can be implemented to use a different port (as described in Section 6 of [RFC5766]. When using SRV records, the service name MUST be set to "turns" and the application name to "udp".
This document does not make any changes to the syntax of a TURN URI [RFC7065]. As indicated in Section 3 of [RFC7065], secure transports like TURN over TLS, and now TURN over DTLS, MUST use the "turns" URI scheme. When using the "turns" URI scheme to designate TURN over DTLS, the transport value of the TURN URI, if set, MUST be "udp".
This document defines a new Straightforward Naming Authority Pointer (S-NAPTR) application protocol tag: "turn.dtls".
The <transport> component, as provisioned or resulting from the parsing of a TURN URI, is passed without modification to the TURN resolution mechanism defined in Section 3 of [RFC5928], but with the following alterations to that algorithm:
| <secure> | <transport> | TURN Transport |
|---|---|---|
| true | "udp" | DTLS |
Note that using the [RFC5928] resolution mechanism does not imply that additional round trips to the DNS server will be needed (e.g., the TURN client will start immediately if the TURN URI contains an IP address).
[[Note to RFC Editor: Please remove this section and the reference to [RFC6982] before publication.]]
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC6982]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.
According to [RFC6982], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".
STUN over DTLS as a STUN transport does not introduce any specific security considerations beyond those for STUN over TLS detailed in [RFC5389].
The usage of "udp" as a transport parameter with the "stuns" URI scheme does not introduce any specific security issues beyond those discussed in [RFC7064].
TURN over DTLS as a TURN transport does not introduce any specific security considerations beyond those for TURN over TLS detailed in [RFC5766].
The usage of "udp" as a transport parameter with the "turns" URI scheme does not introduce any specific security issues beyond those discussed in [RFC7065].
The new S-NAPTR application protocol tag defined in this document as well as the modifications this document makes to the TURN resolution mechanism described in [RFC5928] do not introduce any additional security considerations beyond those outlined in [RFC5928].
This specification contains the registration information for one S-NAPTR application protocol tag (in accordance with [RFC3958]).
This specification contains the registration information for two Service Name and Transport Protocol Port Numbers (in accordance with [RFC6335]).
Thanks to Alan Johnston, Oleg Moskalenko, and Simon Perreault for the comments, suggestions, and questions that helped improve this document.
| [RFC6982] | Sheffer, Y. and A. Farrel, "Improving Awareness of Running Code: The Implementation Status Section", RFC 6982, July 2013. |
| [I-D.thomson-rtcweb-ice-dtls] | Thomson, M., "Using Datagram Transport Layer Security (DTLS) For Interactivity Connectivity Establishment (ICE) Connectivity Checking: ICE-DTLS", Internet-Draft draft-thomson-rtcweb-ice-dtls-00, March 2012. |
| [I-D.jennings-sip-dtls] | Jennings, C. and N. Modadugu, "Using Interactive Connectivity Establishment (ICE) in Web Real-Time Communications (WebRTC)", Internet-Draft draft-jennings-sip-dtls-05, October 2007. |
Table 1 shows how the <secure>, <port> and <transport> components are populated for a TURN URI that uses DTLS as its transport. For all these examples, the <host> component is populated with "example.net".
| URI | <secure> | <port> | <transport> |
|---|---|---|---|
| turns:example.net?transport=udp | true | DTLS |
With the DNS RRs in Figure 1 and an ordered TURN transport list of {DTLS, TLS, TCP, UDP}, the resolution algorithm will convert the TURN URI "turns:example.net" to the ordered list of IP address, port, and protocol tuples in Table 2.
example.net. IN NAPTR 100 10 "" RELAY:turn.udp:turn.dtls "" datagram.example.net. IN NAPTR 200 10 "" RELAY:turn.tcp:turn.tls "" stream.example.net. datagram.example.net. IN NAPTR 100 10 S RELAY:turn.udp "" _turn._udp.example.net. IN NAPTR 100 10 S RELAY:turn.dtls "" _turns._udp.example.net. stream.example.net. IN NAPTR 100 10 S RELAY:turn.tcp "" _turn._tcp.example.net. IN NAPTR 200 10 A RELAY:turn.tls "" a.example.net. _turn._udp.example.net. IN SRV 0 0 3478 a.example.net. _turn._tcp.example.net. IN SRV 0 0 5000 a.example.net. _turns._udp.example.net. IN SRV 0 0 5349 a.example.net. a.example.net. IN A 192.0.2.1
Figure 1
| Order | Protocol | IP address | Port |
|---|---|---|---|
| 1 | DTLS | 192.0.2.1 | 5349 |
| 2 | TLS | 192.0.2.1 | 5349 |
This section must be removed before publication as an RFC.