WebRTC UDP Firewall Traversal
Tirumaleswar Reddy Technical Leader Summary
I received my Bachelor of Engineering in Computer Science and Engineering from Mysore University, and my Master of Computer Science from the Illinois Institute of Technology. I have 14+ years of industry experience. I have worked on SIP, Firewall, IPS, Identity, Cloud Web Security, OpenDNS. I have 5 patents issued and 26 patents pending in the USPTO in the areas of Security, SDN, Cloud, Policy, SFC and Identity. I have co-authored over 8 RFCs and several IETF WG documents. My recent work and interests include SFC, DDoS, DNS Privacy, WebRTC, STUN and TURN.
3 Agenda
• Introduction
• WebRTC
• Problem statement
• STUN and TURN
• ICE
• Solutions for FW traversal
• Challenges
• Conclusion
4 Introduction
• Firewalls are installed to enforce ‘security policy’
• Policy used to mean
  • protocols and port numbers
  • filtering of incoming unsolicited traffic
• Now security policy includes
  • malware detection
  • anti-phishing
  • content filtering and more
6 Introduction
• UDP is often blocked
  • SIP ALG to permit media session
• UDP need not traverse Enterprise firewall
  • NTP, DNS, Bonjour stay inside Enterprise network
• UDP is used by bots
• Firewall cannot determine end of UDP session, other than inactivity time out
• UDP used for DDoS attacks
7 Introduction
Figure: DNS reflection attack. The attacker sends requests to DNS servers with the source IP set to the victim’s IP, so the servers’ replies are delivered to the victim.
8 Introduction
• FW tracks the TCP state.
• FW is capable of terminating TCP connection or drop packets if there is a protocol violation.
• FW checks for invalid segments sent after the connection has been established.
• FW supports TCP configuration for
  • Idle session timeout
  • Timeout for TCP session after a FIN
  • Timeout for TCP session after a SYN and no further data
9 Before WebRTC
10 After WebRTC
After WebRTC: interactive audio/video in your browser, without plugins
11 After WebRTC
12 WebRTC: browser architecture
13 WebRTC
After WebRTC: Media sent directly between browsers (P2P).
14 Problem statement
Figure: WebRTC protocol stack. DTLS/SRTP, STUN, TURN and DTLS/SCTP all run over UDP over IP.
• Enterprise Firewalls may block WebRTC media streams over UDP.
• Firewall typically inspects signaling messages (SIP) to allow media over UDP.
• WebRTC does not define a signaling protocol.
• Spark traffic is getting blocked.
• If UDP is blocked then WebRTC media streams can be sent over TCP.
• TCP's user experience is worse than UDP's.
• How to get WebRTC media streams over UDP to traverse the FW?
15 The basics of Voice over IP (VoIP)
Figure: Alice (Address: A, Port: Pa) and Bob (Address: B, Port: Pb) connected through the network core (registrars, proxies, …).
16 The basics of VoIP
Figure: Alice (Address: A, Port: Pa) and Bob (Address: B, Port: Pb) connected through the network core (registrars, proxies, …).
17 The basics of VoIP
Figure: Alice (Address: A, Port: Pa) and Bob (Address: B, Port: Pb); … MEDIA over SRTP … flows directly between them, bypassing the network core.
18 And then NATs were born …
Figure: ERROR. Alice (Private Address: A) sits behind a NAT/Firewall with public Address: XA; Bob (Address: B) sits behind a NAT/Firewall with public Address: XB. Impossible for Bob to initiate a media connection to Alice. Impossible for Alice to initiate a media connection to Bob.
19 Problem Summary
• The signaling path works because the server has a known publicly routable IP address.
• The media path breaks because
  • Peers have private non-routable IP addresses.
  • Firewall configured to block UDP.
• IPv6 could solve the problem, except firewalls still exist there.
20 STUN to the rescue
• STUN [RFC5389] binding request exchanged with the server opens a NAT pinhole.
• Client learns the NAT mapping from the STUN server in the binding response.
• Remote peer can send traffic to this address.
21 STUN to the Rescue
Figure: Alice (Private Address: A, NAT/Firewall Address: XA), Bob (Address: B, NAT/Firewall Address: XB) and a STUN server. Alice learns XAp from the STUN server, and sends it to Bob. Bob can initiate a media connection to Alice via XAp.
22 TURN to the Rescue
• STUN doesn't work for all NATs. Some NATs only accept from the original server.
  • Address-Dependent Mapping
• TURN [RFC5766] server allocates a public address for the client to advertise.
• All P2P data is relayed via the TURN server, so restrictive NAT pinhole works.
• Often more overhead than P2P connectivity: processing time on relay, additional latency.
23 TURN to the Rescue
Figure: Alice (Private Address: A) and Bob (Address: B) each use a TURN server, with addresses TA and TB. Alice and Bob get addresses from their TURN servers. The media connection is relayed via TA and TB.
24 ICE Functionality
25 What is ICE [RFC5245]?
• Each peer can have multiple "candidate" addresses.
• Interactive Connectivity Establishment is how the peers pick a candidate pair to use.
• Basically, test connectivity for all pairs and pick the best candidate pair that works.
26 What is a Candidate?
Figure: Bob behind a NAT/Firewall, with a TURN Server. Bob's candidates: HOST IP: 192.168.1.34, Port: 4567; RFLX (as seen by the NAT/Firewall) IP: 1.4.7.4, Port: 7865; RELAY (allocated on the TURN Server) IP: 45.67.89.34, Port: 45678.
27 Candidate Gathering
Figure: Bob sends a TURN Allocate Request. The TURN Server allocates the RELAY port (IP: 45.67.89.34, Port: 45678) and reports back where the request came from (RFLX, IP: 1.4.7.4, Port: 7865). HOST is IP: 192.168.1.34, Port: 4567.
28 Checklist
Figure: Agents gather their candidates. Alice and Bob each have HOST, RFLX and RELAY candidates and a TURN Server.
29 Checklist
Figure: Alice and Bob, each with HOST, RFLX and RELAY candidates and a TURN Server. Need to check connectivity from the host candidate.
30 Checklist
Figure: .. and from the RELAY candidate. Not possible to send from Alice's RFLX, that “just” happens.
31 Checklist
Figure: And checks from the other direction as well. (This is important, more on that later.)
32 Connectivity Check
STUN Binding Request
STUN Binding Response
33 Connectivity Checks
Figure: Alice and Bob, each with HOST, RFLX and RELAY candidates and a TURN Server. HOST to HOST is a nice start. If that works all is good.
34 Connectivity Checks
Figure: Alice's check opens a “pinhole” in her NAT/Firewall to allow answers back in. At Bob's NAT/Firewall there is no “pinhole”, so the packet is dropped.
35 Connectivity Checks
Figure: Bob's check opens a “pinhole” in his NAT/Firewall to allow the answer back in. Alice's “pinhole” is already open to allow answers back in.
36 Connectivity Checks
Figure: “Pinholes” are open on both sides to allow answers back in. Alice retries the connectivity check.
37 Concluding
Figure: Success! P2P media between Alice and Bob without need for relay!
38 Concluding
Figure: Dependent on the NAT/FW, media between Alice and Bob might take many paths.
39 Main Steps
• Gather candidates
• Exchange candidates (WebRTC signaling, SIP, XMPP etc.)
• Create checklist and do connectivity checks
• Stop, conclude and send media
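As an added example, not code from the deck or from any ICE implementation, the following Python carries the steps above through the RFC 5245 priority formulas: it computes candidate and pair priorities, builds and prunes the checklist, and concludes with the first pair that works. Bob's candidates are the ones on slide 26; Alice's candidates and the reachability rule that stands in for real STUN checks are constructed. The pruning of local server-reflexive candidates (RFC 5245 section 5.7.3) goes beyond what the slides show.

```python
# Added example: ICE candidate priorities, checklist formation and pair selection
# (RFC 5245). Alice's candidates and the reachability rule are constructed; this
# is not the deck's or any stack's own code.
from itertools import product

TYPE_PREFERENCE = {"host": 126, "srflx": 100, "relay": 0}   # RFC 5245 recommended values

def candidate_priority(ctype, local_pref=65535, component_id=1):
    """RFC 5245 4.1.2.1: 2^24 * type preference + 2^8 * local preference + (256 - component ID)."""
    return (1 << 24) * TYPE_PREFERENCE[ctype] + (1 << 8) * local_pref + (256 - component_id)

def pair_priority(g, d):
    """RFC 5245 5.7.2: G = controlling agent's candidate priority, D = controlled agent's."""
    return (1 << 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)

def build_checklist(local, remote):
    """Form local x remote pairs (local side controlling), sort by decreasing priority,
    then prune as in RFC 5245 5.7.3: a local srflx is replaced by its base, and of
    redundant pairs (same base, same remote) only the highest-priority one is kept."""
    pairs = [(pair_priority(candidate_priority(l["type"]), candidate_priority(r["type"])), l, r)
             for l, r in product(local, remote)]
    pairs.sort(key=lambda p: p[0], reverse=True)
    checklist, seen = [], set()
    for prio, l, r in pairs:
        base = l.get("base", l)
        key = (base["addr"], base["port"], r["addr"], r["port"])
        if key not in seen:
            seen.add(key)
            checklist.append((prio, base, r))
    return checklist

def reachable(remote, nat_mapping):
    """Constructed rule standing in for a real STUN check: the peer's host candidate is on
    another private network, its srflx works only behind a NAT with endpoint-independent
    mapping (slide 22), and its relay always works (slides 22-23)."""
    if remote["type"] == "relay":
        return True
    if remote["type"] == "host":
        return False
    return nat_mapping == "endpoint-independent"

def select_pair(local, remote, nat_mapping):
    """Slides 33-39: check pairs in checklist order and conclude with the first that works."""
    for _prio, l, r in build_checklist(local, remote):
        if reachable(r, nat_mapping):
            return l["type"], r["type"]
    return None

ALICE_HOST = {"type": "host", "addr": "10.0.0.5", "port": 50000}                     # constructed
ALICE = [ALICE_HOST,
         {"type": "srflx", "addr": "203.0.113.9", "port": 61000, "base": ALICE_HOST},  # constructed
         {"type": "relay", "addr": "198.51.100.7", "port": 40000}]                   # constructed
BOB = [{"type": "host", "addr": "192.168.1.34", "port": 4567},                       # slide 26
       {"type": "srflx", "addr": "1.4.7.4", "port": 7865},
       {"type": "relay", "addr": "45.67.89.34", "port": 45678}]

if __name__ == "__main__":
    for prio, l, r in build_checklist(ALICE, BOB):
        print(prio, l["type"], "->", r["type"])
    print(select_pair(ALICE, BOB, "endpoint-independent"), select_pair(ALICE, BOB, "address-dependent"))
```

With an endpoint-independent NAT in front of Bob the agents settle on host-to-srflx; with address-dependent mapping the same checklist falls through to the relay, which is the "media might take many paths" point of slide 38.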
40 IETF RFCS, DRAFTS AND I-DS
41 RFCs, drafts and I-Ds
Figure: landscape of Individual Drafts, Adopted Drafts and Core RFCs. Core RFCs: STUN (RFC 5389), TURN (RFC 5766), ICE (RFC 5245), ICE for SIP (RFC 5768), TURN TCP (RFC 6062), TURN IPv6 (RFC 6156), ICE options IANA Registry (RFC 6336), ICE TCP (RFC 6544), STUN DTLS Security (RFC 7350), ALPN for rtcWEB (RFC 7443), TURN 3rd party Auth [RFC7635], STUN Consent Freshness [RFC7675]. Drafts shown include STUNbis, TURNbis, ICEbis, Trickle ICE, Trickle ICE for SIP/SDP, Dual Stack Fairness, TURN Server Selection/Discovery, ICE Mobility (MICE), Peer Redirect, TURN Origin, Nombis, PMTUD, DISCUSS, Path Data and DANE.
42 Solutions for Enterprise Firewall traversal
• STUN Inspection
• TURN Extension
• SDN
43 STUN inspection
• Based on STUN inspection outcome, either allow or deny the WebRTC connection
• WebRTC uses STUN messages to perform connectivity checks.
• Relies on RFC 7675: STUN usage for consent freshness
44 RFC 7675: STUN usage for consent freshness
• ICE checks for the duration of the media session.
• Media stopped if consent check fails.
45 STUN inspection
Figure: Alice inside the Enterprise, behind the Firewall; Bob and a STUN Server outside. Open pinhole* in firewall to allow STUN request from Alice to anywhere.
46 STUN inspection
Figure: ICE Connectivity Checks. Alice's STUN Request (ice-ufrag: X34$:57er, ID = 500) passes the Firewall to Bob; a STUN response with ID = 100 is blocked (×). Convert pinhole to full flow and store ice username (X34$:57er) and transaction id. Firewall will terminate the flow after 30 seconds of inactivity from Alice.
47 STUN inspection
Figure: ICE Connectivity Checks. Bob's STUN Request (ice-ufrag: 57er:X34$, ID = 500) and the STUN response with ID = 500 pass the Firewall to Alice.
48 STUN inspection
Figure: ICE Connectivity Checks. A STUN Request from Bob with ice-ufrag: 57xx:Y34$, ID = 100 is blocked (×) at the Firewall.
49 STUN inspection
• ASA
  • 9.6.1, March 2016 release
  • CLI: inspect stun
  • This CLI command is used to enable or disable STUN inspection.
  • Inspection scope will be configured via access-lists.
• STUN inspection will not kick in
  • If client uses (D)TLS with the TURN server.
• Enterprise network need not deploy a STUN or TURN server.
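As an added example, not code from the deck and not the ASA implementation, the following Python models the inspection behaviour described on slides 45 through 48 together with the reflexive-address discovery of slide 20: a minimal STUN codec (RFC 5389 header, TLV attributes, XOR-MAPPED-ADDRESS, USERNAME), a firewall that opens a pinhole on an outbound Binding Request, remembers the ICE username and transaction ID, admits only a response with a known transaction ID or a request carrying the reversed ufrag pair, and expires the flow after 30 seconds without traffic from the inside host. The endpoints, transaction IDs and the scenario steps are constructed from the values on the slides.

```python
# Added example (not the deck's or Cisco ASA's code): a minimal STUN codec, the
# reflexive-address discovery of slide 20, and a model of the firewall-side STUN
# inspection on slides 45-48. Endpoints and transaction IDs are constructed.
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442                                   # RFC 5389
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_USERNAME, ATTR_XOR_MAPPED_ADDRESS = 0x0006, 0x0020

def build_stun(msg_type, tid, attrs):
    """20-byte header followed by TLV attributes padded to 4-byte boundaries."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\0" * (-len(v) % 4) for t, v in attrs)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + tid + body

def parse_stun(data):
    """Return (msg_type, transaction_id, {attr_type: value}); reject malformed input."""
    if len(data) < 20:
        raise ValueError("too short for a STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or msg_type & 0xC000 or len(data) != 20 + length:
        raise ValueError("not a well-formed STUN message")
    attrs, pos = {}, 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        attrs[atype] = value
        pos += 4 + alen + (-alen % 4)
    return msg_type, data[8:20], attrs

def encode_xor_mapped_address(ip, port):
    """IPv4 XOR-MAPPED-ADDRESS: port XOR the cookie's top 16 bits, address XOR the cookie."""
    return struct.pack("!xBHI", 1, port ^ (MAGIC_COOKIE >> 16), int(ipaddress.IPv4Address(ip)) ^ MAGIC_COOKIE)

def decode_xor_mapped_address(value):
    family, xport, xaddr = struct.unpack("!xBHI", value[:8])
    if family != 1:
        raise ValueError("only IPv4 is handled in this example")
    return str(ipaddress.IPv4Address(xaddr ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)

def learn_reflexive_address(tid, observed_ip, observed_port):
    """Slide 20: the STUN server reports the NAT mapping it observed; the client decodes it."""
    attr = encode_xor_mapped_address(observed_ip, observed_port)
    msg_type, rtid, attrs = parse_stun(build_stun(BINDING_SUCCESS, tid, [(ATTR_XOR_MAPPED_ADDRESS, attr)]))
    if msg_type != BINDING_SUCCESS or rtid != tid:
        raise ValueError("response does not match our request")
    return decode_xor_mapped_address(attrs[ATTR_XOR_MAPPED_ADDRESS])

class StunInspectingFirewall:
    IDLE_TIMEOUT = 30   # seconds without traffic from the inside host (slide 46)
    def __init__(self):
        self.flows = {}   # (inside endpoint, outside endpoint) -> flow state

    def outbound(self, inside, outside, data, now):
        """Slide 45: a Binding Request from inside opens (or refreshes) a pinhole."""
        msg_type, tid, attrs = parse_stun(data)
        if msg_type != BINDING_REQUEST:
            return "drop"
        flow = self.flows.setdefault((inside, outside), {"tids": set(), "username": None})
        flow["tids"].add(tid)
        flow["last_inside_activity"] = now
        if ATTR_USERNAME in attrs:   # slide 46: ICE check -> full flow, remember the ufrag pair
            flow["username"] = attrs[ATTR_USERNAME].decode("utf-8", "replace")
        return "allow"

    def inbound(self, outside, inside, data, now):
        flow = self.flows.get((inside, outside))
        if flow is None or now - flow["last_inside_activity"] > self.IDLE_TIMEOUT:
            self.flows.pop((inside, outside), None)
            return "drop"
        msg_type, tid, attrs = parse_stun(data)
        if msg_type == BINDING_SUCCESS:          # a response must answer a request we saw
            return "allow" if tid in flow["tids"] else "drop"
        if msg_type == BINDING_REQUEST and flow["username"]:
            remote_ufrag, _, local_ufrag = flow["username"].partition(":")
            username = attrs.get(ATTR_USERNAME, b"").decode("utf-8", "replace")
            # slide 47: the peer's own check carries the same ufrags in reversed order
            return "allow" if username == f"{local_ufrag}:{remote_ufrag}" else "drop"
        return "drop"

def tid(n):
    return n.to_bytes(12, "big")   # constructed 96-bit IDs from the small numbers on the slides

ALICE, BOB = ("10.0.0.5", 50000), ("1.4.7.4", 7865)   # constructed inside / outside endpoints

def run_scenario():
    """Replay slides 45-48 plus the idle timeout; returns the firewall's decisions in order."""
    fw = StunInspectingFirewall()
    steps = [  # (direction, transaction id, type, ICE USERNAME, time in seconds)
        ("out", tid(500), BINDING_REQUEST, b"X34$:57er", 0),   # Alice's check opens the flow
        ("in", tid(100), BINDING_SUCCESS, None, 1),            # response to a request never seen
        ("in", tid(500), BINDING_SUCCESS, None, 2),            # matching response
        ("in", tid(600), BINDING_REQUEST, b"57er:X34$", 3),    # Bob's check, reversed ufrags
        ("in", tid(100), BINDING_REQUEST, b"57xx:Y34$", 4),    # foreign ufrags
        ("in", tid(500), BINDING_SUCCESS, None, 40),           # Alice idle for more than 30 s
    ]
    decisions = []
    for direction, t, mtype, username, now in steps:
        msg = build_stun(mtype, t, [(ATTR_USERNAME, username)] if username else [])
        handler, ends = (fw.outbound, (ALICE, BOB)) if direction == "out" else (fw.inbound, (BOB, ALICE))
        decisions.append(handler(*ends, msg, now))
    return decisions
```

Running `run_scenario()` yields allow, drop, allow, allow, drop, drop, in the order of the six steps. Two details matter for a real deployment: the idle timer is refreshed only by traffic from the inside host, so a peer cannot keep the flow alive on its own, and anything that does not parse as STUN is rejected before any state is created.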
50 TURN
• TURN client can indicate start and end of UDP flow.
• Firewall can be configured to permit UDP traffic to TURN servers.
• TURN client authenticates to the server using long-term credentials (username/password).
51 TURN
Figure: the WebRTC client and the TURN Server are in the Enterprise Network behind the Firewall; the STUN server and the Remote Peer are on the Internet. The FW blocks traffic to the external STUN server.
52 TURN
RFC 7635: STUN Extension for Third Party Authorization
• Enterprise TURN server can identify business related media session.
53 Third party authorization for TURN using OAuth
Figure: OAuth roles mapped to TURN. OAuth Client = TURN Client; Resource Owner = Authorization Server (e.g.: WebRTC server); Authorization Server = Authorization Server; Resource Server = TURN Server.
55 Third party authorization for TURN using OAuth
Figure: (1) the WebRTC client sends an Access Token Request to the WebRTC Server; (2) the WebRTC Server and the TURN Server share the AS-RS and AUTH keys; (3) the WebRTC Server returns the Access Token + Session Key; (4) the WebRTC client sends an Allocate request + Access Token to the TURN Server; (5) Allocate response.
56 STUN Attribute: ACCESS-TOKEN
struct {
    uint16_t nonce_length;
    opaque nonce[nonce_length];
    opaque {
        uint16_t key_length;
        opaque mac_key[key_length];
        uint64_t timestamp;
        uint32_t lifetime;
    } encrypted_block;
    opaque mac[mac_length];
} token;
57 Advantages of RFC7635
• No long-term TURN user credentials to keep secret; even if discovered, credential usefulness is limited
• TURN username contains no externally-identifying information and helps to provide privacy.
• Session key is machine-generated, to prevent dictionary attacks.
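As an added example, not code from the deck or from any TURN server, the following Python shows the resource-server side of the ACCESS-TOKEN on slide 56 and why the advantages on slide 57 hold: the plaintext encrypted_block (key_length, mac_key, timestamp, lifetime) is packed and unpacked, the timestamp uses the RFC 7635 fixed-point form (48 bits of seconds, 16 bits of 1/64000-second fractions), a token is accepted only inside its lifetime window, and the session key is a machine-generated secret used as the MESSAGE-INTEGRITY key. It assumes that the AEAD protection of encrypted_block under the AS-RS key is applied and removed by a separate layer, so only the plaintext block is modelled, and that the request bytes handed to the integrity check are the STUN message up to the MESSAGE-INTEGRITY attribute.

```python
# Added example (not the deck's or any TURN server's code): TURN-server side of
# RFC 7635 third-party authorization. Assumption: the AEAD protection of
# encrypted_block under the AS-RS key is handled elsewhere; only the plaintext
# block and the checks the TURN server applies to it are modelled here.
import hashlib
import hmac
import secrets
import struct

def encode_timestamp(seconds):
    """RFC 7635 timestamp: 48 bits of integer seconds since 1970, 16 bits of 1/64000-s fractions."""
    whole = int(seconds)
    return (whole << 16) | (int(round((seconds - whole) * 64000)) & 0xFFFF)

def decode_timestamp(value):
    return (value >> 16) + (value & 0xFFFF) / 64000.0

def pack_encrypted_block(mac_key, issued_at, lifetime):
    """Plaintext layout from slide 56: key_length, mac_key, timestamp, lifetime."""
    return struct.pack("!H", len(mac_key)) + mac_key + struct.pack("!QI", encode_timestamp(issued_at), lifetime)

def unpack_encrypted_block(block):
    (key_length,) = struct.unpack("!H", block[:2])
    mac_key = block[2:2 + key_length]
    if len(mac_key) != key_length or len(block) != 2 + key_length + 12:
        raise ValueError("malformed encrypted_block")
    timestamp, lifetime = struct.unpack("!QI", block[2 + key_length:])
    return mac_key, decode_timestamp(timestamp), lifetime

def issue_token(issued_at, lifetime, key_length=32):
    """Authorization server (e.g. the WebRTC server) mints a machine-generated session key (slide 57)."""
    mac_key = secrets.token_bytes(key_length)
    return mac_key, pack_encrypted_block(mac_key, issued_at, lifetime)

def message_integrity(message_prefix, mac_key):
    """STUN MESSAGE-INTEGRITY is HMAC-SHA1 over the message up to that attribute (RFC 5389)."""
    return hmac.new(mac_key, message_prefix, hashlib.sha1).digest()

def turn_server_accepts(block, request_prefix, received_mac, now):
    """TURN server (resource server): reject expired tokens, then verify the request with mac_key."""
    mac_key, issued_at, lifetime = unpack_encrypted_block(block)
    if not issued_at <= now <= issued_at + lifetime:
        return False                      # slide 57: a leaked token is only useful for its lifetime
    return hmac.compare_digest(message_integrity(request_prefix, mac_key), received_mac)

if __name__ == "__main__":
    key, blk = issue_token(1_700_000_000, 3600)            # constructed issue time and 1 h lifetime
    req = b"constructed Allocate request bytes up to MESSAGE-INTEGRITY"
    print(turn_server_accepts(blk, req, message_integrity(req, key), 1_700_000_100))   # True
    print(turn_server_accepts(blk, req, message_integrity(req, key), 1_700_003_601))   # False
```

The two checks are deliberately ordered so that an expired token is rejected before any HMAC work is done, and `hmac.compare_digest` keeps the MAC comparison constant-time.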
58 SDN
Figure: SDN approach. The WebRTC Server, E-SDN and C-SDN controllers, RestConf and NetConf interfaces, and the Enterprise Network.
59 Challenges
• WebRTC data channels use SCTP over DTLS over UDP for white boarding, file transfer etc.
• Inspection of data channel traffic by firewall.
60 Conclusion
• Enterprise Firewall can be configured to permit WebRTC media streams over UDP.
• No need to inspect WebRTC signaling protocol over HTTPS.
61 Conclusion
• STUN inspection improves user experience
  • Avoids fallback to TCP
  • Will soon be available in ASA Firewall from 2016.
  • Allows P2P connectivity
• TURN can be used to distinguish between business and social calls
  • Permit social calls during specific hours of the day and prioritize business calls over social calls
  • Auditing
62 Call to Action
• Visit the World of Solutions for
  • Cisco Campus – Cisco Firepower Next-Generation Firewall, OpenDNS, Cisco Cloud Web Security.
  • Walk in Labs – Advanced - Network Forensics & Threat Awareness: My network COULD BE compromised, what can I do?!?!, Advanced Network Threat Defense, Countermeasures, and Controls, Cisco ASA with FirePOWER services,
  • Technical Solution Clinics
• Meet the Engineer – Thursday 2/28 11:00 AM
• Lunch and Learn Topics
• DevNet zone related sessions
63 Complete Your Online Session Evaluation
• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
64 Thank you