WebRTC UDP Firewall Traversal

Tirumaleswar Reddy, Technical Leader: Summary

I received my Bachelor of Engineering in Computer Science and Engineering from Mysore University, and Master of Computer Science from Illinois Institute of Technology. I have 14+ years of industry experience. I have worked on SIP, Firewall, IPS, Identity, Cloud Web Security, OpenDNS. I have 5 patents issued and 26 patents pending in USPTO in the areas of Security, SDN, Cloud, Policy, SFC and Identity. I have co-authored over 8 RFCs and several IETF WG documents. My recent work and interests include SFC, DDoS, DNS Privacy, WebRTC, STUN and TURN.

3 Agenda

• Introduction

• WebRTC

• Problem statement

• STUN and TURN

• ICE

• Solutions for FW traversal

• Challenges

• Conclusion

4 Introduction

• Firewalls are installed to enforce "security policy"
• Policy used to mean
  • protocols and port numbers
  • filtering of incoming unsolicited traffic
• Now security policy includes
  • malware detection
  • anti-phishing
  • content filtering and more

6 Introduction

• UDP is often blocked
  • SIP ALG used to permit media sessions
• UDP need not traverse the Enterprise firewall
  • NTP, DNS, Bonjour stay inside the Enterprise network
• UDP is used by bots
• Firewall cannot determine the end of a UDP session, other than by inactivity timeout
• UDP is used for DDoS attacks

7 Introduction

[Figure: DNS reflection/amplification. The attacker sends requests to several DNS servers with the source IP set to the victim's IP; the servers' replies all go to the victim.]

8 Introduction

• FW tracks the TCP state.
• FW is capable of terminating the TCP connection or dropping packets if there is a protocol violation.
• FW checks for invalid segments sent after the connection has been established.
• FW supports TCP configuration for
  • Idle session timeout
  • Timeout for a TCP session after a FIN
  • Timeout for a TCP session after a SYN and no further data

9 Before WebRTC

10 After WebRTC

After WebRTC: interactive audio/video in your browser, without plugins

11 After WebRTC

12 WebRTC: browser architecture

13 WebRTC

After WebRTC: Media sent directly between browsers (P2P).

14 Problem statement

[Figure: WebRTC protocol stack. DTLS/SRTP (media), STUN, TURN and DTLS/SCTP (data channels), all carried over UDP over IP.]

• Enterprise Firewalls may block WebRTC media streams over UDP.
• A firewall typically inspects signaling messages (SIP) to allow media over UDP.
• WebRTC does not define a signaling protocol, so there is no signaling for the firewall to inspect.
• Spark traffic is getting blocked.

• If UDP is blocked then WebRTC media streams can be sent over TCP.
• TCP's user experience is worse than UDP's for real-time media (retransmission delay and head-of-line blocking).

• How do we get WebRTC media streams over UDP to traverse the FW?

15 The basics of Voice over IP (VoIP)

[Figure: Alice (address A, port Pa) and Bob (address B, port Pb) exchange signaling through the network core (registrars, proxies, …).]

16 The basics of VoIP

[Figure: same topology; signaling continues through the network core.]

17 The basics of VoIP

[Figure: media flows directly between Alice (A:Pa) and Bob (B:Pb) over SRTP, bypassing the network core.]

18 And then NATs were born …

[Figure: Alice (private address A) behind a NAT/Firewall with public address XA; Bob (address B) behind a NAT/Firewall with public address XB. ERROR: it is impossible for Bob to initiate a media connection to Alice, and impossible for Alice to initiate a media connection to Bob.]

19 Problem Summary

• The signaling path works because the server has a known, publicly routable IP address.
• The media path breaks because
  • Peers have private, non-routable IP addresses.
  • The firewall is configured to block UDP.
• IPv6 could solve the addressing part of the problem, except firewalls still exist there.

20 STUN to the rescue

• A STUN [RFC5389] Binding Request exchanged with the server opens a NAT pinhole.
• The client learns its NAT mapping (server-reflexive address) from the XOR-MAPPED-ADDRESS attribute of the STUN server's Binding Response.
• The remote peer can send traffic to this address.
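The Binding Request/Response exchange the slide describes, as an added example (not part of the original deck) written in Python with only the standard library: the client builds a Binding Request with a random 96-bit transaction ID, the server answers with an XOR-MAPPED-ADDRESS, and the client decodes the mapping only after checking that the response echoes its transaction ID. The 1.4.7.4:7865 mapping is borrowed from the candidate slide later in the deck; the exchange itself is constructed, and MESSAGE-INTEGRITY and FINGERPRINT are left out.

```python
import os
import socket
import struct

# RFC 5389 constants
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS_RESPONSE = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
HEADER_LEN = 20


def build_binding_request(txid=None):
    """Client side: a Binding Request with no attributes.

    The 96-bit transaction ID must be unpredictable. The client later accepts a
    response only if it echoes this ID, which stops an off-path host from
    feeding it a bogus reflexive address.
    """
    txid = os.urandom(12) if txid is None else txid
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _xor_address(ip, port, txid):
    """Encode an XOR-MAPPED-ADDRESS value: reserved byte, family, port ^ (cookie >> 16),
    then address ^ cookie (IPv4) or address ^ (cookie || txid) (IPv6)."""
    cookie = struct.pack("!I", MAGIC_COOKIE)
    if ":" in ip:
        family, raw, key = 0x02, socket.inet_pton(socket.AF_INET6, ip), cookie + txid
    else:
        family, raw, key = 0x01, socket.inet_pton(socket.AF_INET, ip), cookie
    xaddr = bytes(a ^ b for a, b in zip(raw, key))
    return struct.pack("!xBH", family, port ^ (MAGIC_COOKIE >> 16)) + xaddr


def build_binding_response(txid, mapped_ip, mapped_port):
    """Server side: Binding Success Response carrying the source address the
    request arrived from, i.e. the client's NAT mapping."""
    value = _xor_address(mapped_ip, mapped_port, txid)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    attr += b"\x00" * (-len(attr) % 4)  # attributes are padded to a 4-byte boundary
    header = struct.pack("!HHI", BINDING_SUCCESS_RESPONSE, len(attr), MAGIC_COOKIE) + txid
    return header + attr


def parse_message(msg):
    """Return (message type, transaction ID, {attribute type: value}) after the
    RFC 5389 sanity checks a receiver must apply before trusting anything."""
    if len(msg) < HEADER_LEN:
        raise ValueError("short STUN header")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    txid = msg[8:HEADER_LEN]
    if mtype & 0xC000 or cookie != MAGIC_COOKIE or length % 4 or len(msg) != HEADER_LEN + length:
        raise ValueError("not a well-formed STUN message")
    attrs, off = {}, HEADER_LEN
    while off < len(msg):
        if off + 4 > len(msg):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        value = msg[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        attrs[atype] = value
        off += 4 + alen + (-alen % 4)
    return mtype, txid, attrs


def decode_xor_mapped_address(value, txid):
    """Undo the XOR (applied so that NATs rewriting IP literals in payloads do not corrupt it)."""
    family, xport = struct.unpack("!xBH", value[:4])
    cookie = struct.pack("!I", MAGIC_COOKIE)
    if family == 0x01:
        af, key = socket.AF_INET, cookie
    elif family == 0x02:
        af, key = socket.AF_INET6, cookie + txid
    else:
        raise ValueError("unknown address family")
    raw = bytes(a ^ b for a, b in zip(value[4:4 + len(key)], key))
    if len(raw) != len(key):
        raise ValueError("truncated address")
    return socket.inet_ntop(af, raw), xport ^ (MAGIC_COOKIE >> 16)


def learn_reflexive_address(response, expected_txid):
    """What the client does with a Binding Response: accept it only if it is a
    success response echoing our transaction ID, then recover the mapping."""
    mtype, txid, attrs = parse_message(response)
    if mtype != BINDING_SUCCESS_RESPONSE or txid != expected_txid:
        raise ValueError("response does not match our outstanding request")
    if ATTR_XOR_MAPPED_ADDRESS not in attrs:
        raise ValueError("no XOR-MAPPED-ADDRESS in response")
    return decode_xor_mapped_address(attrs[ATTR_XOR_MAPPED_ADDRESS], txid)


if __name__ == "__main__":
    # Constructed exchange: the server saw the request arrive from 1.4.7.4:7865,
    # the RFLX address used on the candidate slide.
    req = build_binding_request()
    _, txid, _ = parse_message(req)
    resp = build_binding_response(txid, "1.4.7.4", 7865)
    print(learn_reflexive_address(resp, txid))
```

The transaction-ID check in learn_reflexive_address is the same check a STUN-inspecting firewall applies later in the deck: a response whose ID matches no outstanding request is discarded.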

21 STUN to the Rescue

[Figure: Alice (private address A) behind NAT/Firewall XA, Bob (address B) behind NAT/Firewall XB, STUN server on the Internet. Alice learns XAp from the STUN server and sends it to Bob over signaling. Bob can initiate a media connection to Alice via XAp.]

22 TURN to the Rescue

• STUN doesn't work for all NATs. Some NATs only accept packets from the address the client already sent to (address-dependent filtering), or allocate a different mapping per destination (address-dependent mapping, i.e. a symmetric NAT), so the address learned from the STUN server is useless to the peer.
• A TURN [RFC5766] server allocates a public address for the client to advertise.
• All P2P data is relayed via the TURN server, so it works even behind a restrictive NAT pinhole.
• Often more overhead than P2P connectivity: processing time on the relay, additional latency.

23 TURN to the Rescue

[Figure: Alice (private address A) and Bob (address B) each allocate a relayed address, TA and TB, on their TURN server.]

Alice and Bob get addresses from their TURN servers. The media connection is relayed via TA and TB.

24 ICE Functionality

25 What is ICE [RFC5245]?

• Each peer can have multiple "candidate" addresses.
• Interactive Connectivity Establishment is how the peers pick a candidate pair to use.
• Basically, test connectivity for all pairs and pick the best candidate pair that works.

26 What is a Candidate?

[Figure: Bob behind a NAT/Firewall, with a TURN server on the Internet. Bob's candidates: HOST 192.168.1.34:4567 (his own interface), RFLX 1.4.7.4:7865 (the NAT mapping as seen by the TURN server), RELAY 45.67.89.34:45678 (allocated on the TURN server).]

27 Candidate Gathering

[Figure: Bob sends a TURN Allocate Request. The TURN server allocates the RELAY port (45.67.89.34:45678) and reports back where the request came from (RFLX 1.4.7.4:7865). HOST remains 192.168.1.34:4567.]

28 Checklist

[Figure: Alice and Bob, each behind a NAT/Firewall with a TURN server. Agents gather their candidates: HOST, RFLX and RELAY on each side.]

29 Checklist

Need to check connectivity from the host candidate (to Bob's HOST, RFLX and RELAY).

30 Checklist

... and from the RELAY candidate. It is not possible to send from Alice's RFLX candidate; that "just" happens (the reflexive address is the NAT's mapping of the host candidate, so checks sent from the host candidate already leave the NAT with that address).

31 Checklist

And checks from the other direction as well. (This is important, more on that later.)

32 Connectivity Check

[Figure: a connectivity check is a STUN Binding Request sent from one candidate to the peer's candidate, answered by a STUN Binding Response.]

33 Connectivity Checks

HOST to HOST is a nice start. If that works, all is good.

34 Connectivity Checks

[Figure: Alice's check toward Bob's HOST candidate opens a "pinhole" in Alice's NAT/Firewall to allow the answer back in; at Bob's NAT/Firewall there is no pinhole yet, so the packet is dropped.]

35 Connectivity Checks

[Figure: Bob's check in the other direction opens a "pinhole" in Bob's NAT/Firewall to allow the answer back in; Alice's pinhole is already open, so Bob's request gets in.]

36 Connectivity Checks

[Figure: Alice retries her connectivity check; Bob's pinhole is now open, so the request and its answer get through.]

37 Concluding

Success! P2P media between Alice and Bob, without the need for a relay!

38 Concluding

Depending on the NAT/FW, media might take many paths.

39 Main Steps

• Gather candidates
• Exchange candidates (WebRTC signaling, SIP, XMPP etc.)
• Create checklist and do connectivity checks
• Stop, conclude and send media
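As an added example (not from the deck), the checklist step of the procedure above in Python: RFC 5245 candidate priorities and pair priorities computed for Bob's candidates from the "What is a Candidate?" slide, paired against Alice's candidates (10.1.1.5, 198.51.100.9 and 192.0.2.20, which are constructed for this example), with the pruning rule behind the "not possible to send from Alice RFLX" slide. Trickle ICE, peer-reflexive candidates and the STUN checks themselves are out of scope; this only produces the ordered checklist.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# RFC 5245 4.1.2.2 recommended type preferences
TYPE_PREF = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}


@dataclass(frozen=True)
class Candidate:
    typ: str
    ip: str
    port: int
    base: Optional["Candidate"] = None  # srflx only: the host candidate the NAT mapping belongs to
    local_pref: int = 65535             # single-homed host (RFC 5245 4.1.2.1)
    component: int = 1                  # 1 = RTP

    @property
    def priority(self):
        # RFC 5245 4.1.2.1: 2^24 * type pref + 2^8 * local pref + (256 - component ID)
        return (1 << 24) * TYPE_PREF[self.typ] + (1 << 8) * self.local_pref + (256 - self.component)


def pair_priority(g, d):
    """RFC 5245 5.7.2. G is the controlling agent's candidate priority, D the controlled agent's."""
    return (1 << 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def build_checklist(local, remote, controlling=True):
    """Form every local/remote pair, prune as in RFC 5245 5.7.3, sort by pair priority
    (highest first).

    Pruning replaces a local server-reflexive candidate by its base: checks are
    really sent from the base and the NAT applies the mapping on the way out,
    which is why Alice never sends "from RFLX" on the checklist slides. Pairs
    that become duplicates after the substitution are dropped."""
    pairs = {}
    for l, r in product(local, remote):
        if l.typ == "srflx":
            l = l.base
        if (l, r) in pairs or l.component != r.component:
            continue
        g, d = (l.priority, r.priority) if controlling else (r.priority, l.priority)
        pairs[(l, r)] = pair_priority(g, d)
    return sorted(pairs.items(), key=lambda kv: kv[1], reverse=True)


# Bob's candidates as given on the "What is a Candidate?" slide
bob_host = Candidate("host", "192.168.1.34", 4567)
bob = [
    bob_host,
    Candidate("srflx", "1.4.7.4", 7865, base=bob_host),
    Candidate("relay", "45.67.89.34", 45678),
]

# Alice's candidates are constructed for this example
alice_host = Candidate("host", "10.1.1.5", 50000)
alice = [
    alice_host,
    Candidate("srflx", "198.51.100.9", 31000, base=alice_host),
    Candidate("relay", "192.0.2.20", 40000),
]


def alice_checklist():
    """Alice is the controlling agent (the offerer), so G is her candidate's priority."""
    return build_checklist(alice, bob, controlling=True)


if __name__ == "__main__":
    for (l, r), prio in alice_checklist():
        print(f"{prio:>21}  {l.typ:5} {l.ip}:{l.port} -> {r.typ:5} {r.ip}:{r.port}")
```

The output has six pairs, not nine: Alice's RFLX pairs collapse onto her HOST pairs. HOST to HOST sorts first and RELAY to RELAY last, which is the order the "Concluding" slides walk through.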

40 IETF RFCS, DRAFTS AND I-DS

41 RFCs, drafts and I-Ds

Core RFCs:
• STUN (RFC 5389)
• TURN (RFC 5766)
• ICE (RFC 5245)
• ICE options (RFC 5768) and ICE IANA Registry (RFC 6336)
• TURN TCP (RFC 6062)
• TURN IPv6 (RFC 6156)
• ICE TCP (RFC 6544)
• STUN over DTLS (RFC 7350)
• STUN/TURN ALPN labels (RFC 7443)
• 3rd party TURN Auth [RFC7635]
• STUN Consent Freshness [RFC7675]

Adopted and individual drafts shown on the slide: Trickle ICE, Trickle ICE for SIP, ICE Mobility (MICE), TURN Server Discovery, TURN Server Selection, TURNbis, STUNbis, ICEbis, NomBis, SIP Dual Stack Fairness, TURN Redirect, SIP SDP, STUN Origin, rtcWEB Security, PMTUD, DISCUSS, PATH, Data, DANE.

42 Solutions for Enterprise Firewall traversal

• STUN Inspection

• TURN Extension

• SDN

43 STUN inspection

• Based on the STUN inspection outcome, either allow or deny the WebRTC connection.
• WebRTC uses STUN messages to perform connectivity checks.
• Relies on RFC7675: STUN usage for consent freshness.

44 RFC7675: STUN usage for consent freshness

• ICE connectivity checks (STUN Binding Requests) continue for the duration of the media session.
• Media is stopped if a consent check fails: the sender stops transmitting when it gets no response within 30 seconds.

45 STUN inspection

[Figure: Alice inside the Enterprise, the Firewall at the edge, Bob and a STUN Server outside.] Open a pinhole* in the firewall to allow a STUN request from Alice to anywhere.

46 STUN inspection: ICE Connectivity Checks

• Alice → Bob: STUN Request, ice-ufrag X34$:57er, ID = 500. Allowed.
• Bob → Alice: STUN response, ID = 100. Dropped (×): the transaction ID does not match Alice's request.

The firewall converts the pinhole to a full flow and stores the ICE username (X34$:57er) and the transaction ID. The firewall will terminate the flow after 30 seconds of inactivity from Alice.

47 STUN inspection: ICE Connectivity Checks

• Bob → Alice: STUN Request, ice-ufrag 57er:X34$, ID = 500. Allowed: the username is the stored pair in the reverse direction.
• Bob → Alice: STUN response, ID = 500. Allowed: the transaction ID matches Alice's request.

48 STUN inspection: ICE Connectivity Checks

• Bob → Alice: STUN Request, ice-ufrag 57xx:Y34$, ID = 100. Dropped (×): the username does not match any stored ICE username.
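The firewall behaviour of the four slides above, as an added simplified model in Python (not Cisco ASA code and not from the deck). STUN parsing is assumed to have been done already, so each packet carries just the fields the inspector keys on; the addresses, the 30 second idle timer from the slide, and the packet trace are constructed to replay the slides. Unlike the slides, the model also shows what happens to non-STUN (media) packets before and after the pinhole becomes a full flow.

```python
from dataclasses import dataclass, field
from typing import Optional

IDLE_TIMEOUT = 30.0  # seconds without traffic from the inside host before the flow is torn down


@dataclass
class Packet:
    """Fields the firewall's STUN parser is assumed to have extracted already."""
    direction: str                  # "out" = Enterprise -> Internet, "in" = Internet -> Enterprise
    inside: tuple                   # (inside_ip, inside_port)
    outside: tuple                  # (remote_ip, remote_port)
    kind: str                       # "stun_request", "stun_response" or "media"
    txid: Optional[int] = None      # STUN transaction ID (small integers, as on the slides)
    username: Optional[str] = None  # ICE USERNAME "remote_ufrag:local_ufrag" from the sender's view
    t: float = 0.0                  # arrival time in seconds


@dataclass
class Flow:
    full: bool = False                          # pinhole (STUN only) vs full flow (media allowed)
    username: Optional[str] = None              # USERNAME the inside host sent
    pending: set = field(default_factory=set)   # transaction IDs awaiting a response
    last_outbound: float = 0.0


class StunInspectingFirewall:
    def __init__(self):
        self.flows = {}  # (inside, outside) -> Flow

    def _expire(self, now):
        stale = [k for k, f in self.flows.items() if now - f.last_outbound > IDLE_TIMEOUT]
        for k in stale:
            del self.flows[k]

    def handle(self, p):
        """Return True if the packet is forwarded, False if dropped."""
        self._expire(p.t)
        key = (p.inside, p.outside)
        flow = self.flows.get(key)

        if p.direction == "out":
            if p.kind == "stun_request":
                # The ACL permits STUN requests from the inside to anywhere: open or refresh the pinhole.
                if flow is None:
                    flow = self.flows[key] = Flow()
                flow.pending.add(p.txid)
                if p.username:
                    flow.username = p.username
                flow.last_outbound = p.t
                return True
            if flow is None:
                return False
            flow.last_outbound = p.t
            return p.kind != "media" or flow.full

        if flow is None:
            return False  # no pinhole for this 5-tuple
        if p.kind == "stun_response":
            if p.txid not in flow.pending:
                return False  # response to a request we never saw (slide 46: ID 100 vs 500)
            flow.pending.discard(p.txid)
            flow.full = True  # connectivity check answered: pinhole becomes a full flow
            return True
        if p.kind == "stun_request":
            if flow.username is None:
                return False
            remote_ufrag, local_ufrag = flow.username.split(":", 1)
            # The peer's USERNAME must be the stored pair reversed (slide 47 vs slide 48).
            return p.username == f"{local_ufrag}:{remote_ufrag}"
        return flow.full  # media is forwarded only once the flow is full


def replay_slide_sequence():
    """Constructed trace following slides 46 to 48, plus the 30 s idle timeout."""
    fw = StunInspectingFirewall()
    alice, bob = ("10.1.1.5", 50000), ("203.0.113.7", 60000)
    trace = [
        Packet("out", alice, bob, "stun_request", txid=500, username="X34$:57er", t=0.0),
        Packet("in", alice, bob, "stun_response", txid=100, t=0.1),                          # wrong ID
        Packet("in", alice, bob, "media", t=0.2),                                            # pinhole only
        Packet("in", alice, bob, "stun_request", txid=500, username="57er:X34$", t=0.3),    # reversed pair
        Packet("in", alice, bob, "stun_response", txid=500, t=0.4),                          # matches pending
        Packet("in", alice, bob, "media", t=0.5),                                            # flow is full now
        Packet("in", alice, bob, "stun_request", txid=100, username="57xx:Y34$", t=0.6),    # foreign ufrag
        Packet("in", alice, bob, "media", t=31.0),                                           # idle > 30 s
    ]
    return [fw.handle(p) for p in trace]


if __name__ == "__main__":
    print(replay_slide_sequence())
```

The final drop is the consent-freshness tie-in: Alice must keep sending consent checks (which are outbound STUN requests) or the firewall forgets the flow, so a browser that has stopped sending consent checks also loses its pinhole.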

49 STUN inspection

• ASA
  • 9.6.1, March 2016 release
  • CLI: inspect stun
  • This CLI command is used to enable or disable STUN inspection.
  • Inspection scope will be configured via access-lists.
• STUN inspection will not kick in
  • if the client uses (D)TLS with the TURN server (the firewall cannot see the STUN messages).
• The Enterprise network need not deploy a STUN or TURN server.

50 TURN

• TURN client can indicate the start and end of a UDP flow (an Allocate request to start; a Refresh with a lifetime of 0 to end).

• Firewall can be configured to permit UDP traffic to TURN servers.

• TURN client authenticates to the server using long-term credentials (username/password).

51 TURN

[Figure: the Firewall blocks the WebRTC client's traffic to an external STUN Server on the Internet; traffic to the Enterprise TURN Server is permitted and relayed on to the Remote Peer.]

52 TURN

RFC 7635: STUN Extension for Third Party Authorization
• The Enterprise TURN server can identify business-related media sessions.

53 Third party authorization for TURN using OAuth

OAuth role            | TURN role
----------------------|-------------------------------------------
Client                | TURN Client
Resource Owner        | Authorization Server (e.g.: WebRTC server)
Authorization Server  | Authorization Server
Resource Server       | TURN Server

54 Third party authorization for TURN using OAuth

55 Third party authorization for TURN using OAuth

[Figure: WebRTC client, WebRTC Server and TURN Server.]
(1) WebRTC client → WebRTC Server: Access Token Request
(2) WebRTC Server → WebRTC client: Access Token + Session Key
(3) WebRTC Server ↔ TURN Server: AS-RS and AUTH keys (shared out of band)
(4) WebRTC client → TURN Server: Allocate request + Access Token
(5) TURN Server → WebRTC client: Allocate response

56 STUN Attribute: ACCESS-TOKEN

struct {
    opaque {
        uint16_t nonce_length;
        opaque nonce[nonce_length];
        opaque {
            uint16_t key_length;
            opaque mac_key[key_length];
            uint64_t timestamp;
            uint32_t lifetime;
        } encrypted_block;
        opaque mac[mac_length];
    } token;
}

57 Advantages of RFC7635

• No long-term TURN user credentials to keep secret; even if discovered, credential usefulness is limited

• TURN username contains no externally-identifying information and helps to provide privacy.

• Session key is machine-generated, to prevent dictionary attacks.
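The token issue/verify flow from the slides above (55 through 57), as an added Python example that is neither the deck's nor RFC 7635's reference code. Simplifications, all of them assumptions made here: the encrypted_block is protected with an HMAC-SHA256 counter-mode keystream plus an HMAC-SHA256 tag as a stand-in for the AES-GCM AEAD the RFC specifies; the timestamp is whole seconds; the Allocate request is modelled as a concatenation of fields rather than real STUN attributes; the USERNAME carries the key identifier ("kid") of the AS-RS key, which is how RFC 7635 lets the TURN server select the key without learning who the user is. Key values and the kid are made up.

```python
import hashlib
import hmac
import os
import struct

TOKEN_MAC_LEN = 32  # the trailing opaque mac[mac_length] on the ACCESS-TOKEN slide (HMAC-SHA256 here)


def _keystream(key, nonce, n):
    """Counter-mode keystream from HMAC-SHA256: a stand-in for the AEAD cipher RFC 7635 mandates."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def issue_token(as_rs_key, mac_key, lifetime, now):
    """Authorization server (WebRTC server): wrap the session mac_key, timestamp and
    lifetime so that only the TURN server (holder of the AS-RS key) can read them."""
    nonce = os.urandom(12)
    block = struct.pack("!H", len(mac_key)) + mac_key + struct.pack("!QI", now, lifetime)
    enc = _xor(block, _keystream(as_rs_key, nonce, len(block)))
    body = struct.pack("!H", len(nonce)) + nonce + enc
    return body + hmac.new(as_rs_key, body, hashlib.sha256).digest()  # encrypt-then-MAC


def open_token(as_rs_key, token, now):
    """Resource server (TURN server): verify the mac, decrypt, check the lifetime.
    Returns the session mac_key, or None if the token is forged or expired."""
    body, mac = token[:-TOKEN_MAC_LEN], token[-TOKEN_MAC_LEN:]
    if not hmac.compare_digest(hmac.new(as_rs_key, body, hashlib.sha256).digest(), mac):
        return None
    (nlen,) = struct.unpack("!H", body[:2])
    nonce, enc = body[2:2 + nlen], body[2 + nlen:]
    block = _xor(enc, _keystream(as_rs_key, nonce, len(enc)))
    (klen,) = struct.unpack("!H", block[:2])
    mac_key = block[2:2 + klen]
    timestamp, lifetime = struct.unpack("!QI", block[2 + klen:2 + klen + 12])
    if not timestamp <= now < timestamp + lifetime:
        return None  # a leaked token stops being useful after `lifetime` seconds
    return mac_key


def client_allocate(kid, token, mac_key):
    """TURN client: Allocate request with USERNAME=kid and ACCESS-TOKEN, protected by
    MESSAGE-INTEGRITY = HMAC-SHA1 keyed with the session key the WebRTC server handed out."""
    body = b"Allocate|" + kid + b"|" + struct.pack("!H", len(token)) + token
    return body + hmac.new(mac_key, body, hashlib.sha1).digest()


def turn_server_accept(keys_by_kid, msg, now):
    """TURN server: look up the AS-RS key named by kid, open the token, verify MESSAGE-INTEGRITY.
    No per-user credential is stored anywhere on this side."""
    body, mi = msg[:-20], msg[-20:]
    try:
        _, kid, rest = body.split(b"|", 2)
        (tlen,) = struct.unpack("!H", rest[:2])
        token = rest[2:2 + tlen]
    except (ValueError, struct.error):
        return False
    as_rs_key = keys_by_kid.get(kid)
    if as_rs_key is None:
        return False
    mac_key = open_token(as_rs_key, token, now)
    if mac_key is None:
        return False
    return hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha1).digest(), mi)


def demo(now=1_700_000_000):
    """Walk the slide's steps (1) to (5) plus the failure cases a practitioner should check."""
    keys_by_kid = {b"kid-2016-03": os.urandom(32)}   # (3) AS-RS key provisioned on the TURN server
    as_rs_key = keys_by_kid[b"kid-2016-03"]
    mac_key = os.urandom(32)                         # (2) machine-generated session key
    token = issue_token(as_rs_key, mac_key, lifetime=600, now=now)  # (1)/(2) token for the client
    good = client_allocate(b"kid-2016-03", token, mac_key)          # (4) Allocate + ACCESS-TOKEN
    bad_key = client_allocate(b"kid-2016-03", token, os.urandom(32))
    forged = token[:-1] + bytes([token[-1] ^ 1])
    return {
        "fresh": turn_server_accept(keys_by_kid, good, now + 10),                          # (5) accepted
        "wrong_session_key": turn_server_accept(keys_by_kid, bad_key, now + 10),
        "expired": turn_server_accept(keys_by_kid, good, now + 601),
        "tampered_token": turn_server_accept(keys_by_kid, client_allocate(b"kid-2016-03", forged, mac_key), now + 10),
    }


if __name__ == "__main__":
    print(demo())
```

Two of the advantages on the slide show up directly: the TURN server holds only the AS-RS key, so there is no user password database to leak, and a captured token or session key is worthless once the lifetime has passed.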

58 SDN

[Figure: WebRTC Server, E-SDN and C-SDN controllers (RESTCONF and NETCONF interfaces), and the Enterprise Network.]

59 Challenges

• WebRTC data channels use SCTP over DTLS over UDP for whiteboarding, file transfer etc.
• Inspection of data channel traffic by the firewall: the payload is DTLS-encrypted end to end, so the firewall cannot see what is transferred.

60 Conclusion

• Enterprise Firewall can be configured to permit WebRTC media streams over UDP.

• No need to inspect WebRTC signaling protocol over HTTPS.

61 Conclusion

STUN inspection
• Improves user experience
• Avoids fallback to TCP
• Will soon be available in ASA Firewall from 2016
• Allows P2P connectivity

TURN
• Can be used to distinguish between business and social calls
• Permit social calls during specific hours of the day and prioritize business calls over social calls
• Auditing

62 Call to Action

• Visit the World of Solutions for
  • Cisco Campus – Cisco Firepower Next-Generation Firewall, OpenDNS, Cisco Cloud Web Security.
  • Walk-in Labs – Advanced Network Forensics & Threat Awareness: "My network COULD BE compromised, what can I do?!?!"; Advanced Network Threat Defense, Countermeasures, and Controls; Cisco ASA with FirePOWER services.
  • Technical Solution Clinics

• Meet the Engineer – Thursday 2/28 11:00 AM

• Lunch and Learn Topics

• DevNet zone related sessions

63 Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

64 Thank you
