1 / 11

Challenges with STUN Authentication for TURN Servers

This document discusses the problems associated with STUN authentication for TURN servers, focusing on issues like password security, exposure to attacks, and management overhead. It also proposes solutions to address these challenges, including third-party authorization and resolving realm issues.

sreinoso
Download Presentation

Challenges with STUN Authentication for TURN Servers

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Problems with STUN Authentication for TURN draft-reddy-behave-turn-auth-04 Mar 2013 IETF 89 Meeting Authors : T.Reddy, Ram. R, Muthu.P, A.Yegin draft-reddy-behave-turn-auth-04

  2. Background • Applications like WebRTC may choose to use TURN for privacy. • NAT/Firewall traversal. • TURN server could be deployed in Enterprise DMZ for Auditing etc. • Mobility. • TURN includes IPv4-to-IPv6, IPv6-to-IPv6, and IPv6-to-IPv4 relaying. draft-reddy-behave-turn-auth-04

  3. Related proposals • draft-ietf-rtcweb-use-cases-and-requirements refers to deploying a TURN server for auditing and FW traversal. draft-reddy-behave-turn-auth-04

  4. STUN Auth TURN uses key derived from username and password to generate message integrity for TURN request/response. key = MD5(username ":" realm ":“ SASLprep(password)) draft-reddy-behave-turn-auth-04

  5. Problems with STUN Auth • “log-in” username and password will not change for extended periods of time • Password susceptible to offline dictionary attacks • TURN server needs to be aware of username and password (management overhead) or store the key (MD5 hash). draft-reddy-behave-turn-auth-04

  6. Attackers verses TURN Servers 3. Adversary can learn USERNAME by snooping TURN messages. Attacker can learn USERNAME of the user. Cloud Internet TURN Server TURN Server Alice Attacker 3 Attacker 1 Attacker 2 draft-reddy-behave-turn-auth-04

  7. Problems contd.. 4. TURN credential exposed to JavaScript. 5. TURN could be deployed in cloud and comes at a cost on SaaS provider. 6. No support for multiple realms. draft-reddy-behave-turn-auth-04

  8. Problems contd.. • STUN authentication important to prevent un-authorized users from accessing the TURN Server. draft-reddy-behave-turn-auth-04

  9. Solutions • draft-johnston-tram-stun-origin-01 addresses the realm problem • draft-petithuguenin-tram-stun-dtls-00 addresses some of the problems • draft-reddy-tram-turn-third-party-authz-00 addresses the problem for third party authorization. draft-reddy-behave-turn-auth-04

  10. Solutions contd.. • There may be a need to resolve first party authentication. • Auditing and FW traversal use case in Enterprise • ISP deploying TURN Server draft-reddy-behave-turn-auth-04

  11. Next steps ? draft-reddy-behave-turn-auth-04

More Related