WebRTC UDP Firewall Traversal

Tirumaleswar Reddy, Technical Leader

Summary

I received my Bachelor of Engineering in Computer Science and Engineering from Mysore University, and Master of Computer Science from Illinois Institute of Technology. I have 14+ years of industry experience. I have worked on SIP, Firewall, IPS, Identity, Cloud Web Security, OpenDNS. I have 5 patents issued and 26 patents pending in USPTO in the areas of Security, SDN, Cloud, Policy, SFC and Identity. I have co-authored over 8 RFCs and several IETF WG documents. My recent work and interests include SFC, DDoS, DNS Privacy, WebRTC, STUN and TURN.

Agenda
• Introduction
• WebRTC
• Problem statement
• STUN and TURN
• ICE
• Solutions for FW traversal
• Challenges
• Conclusion

Introduction
• Firewalls are installed to enforce ‘security policy’
• Policy used to mean
  • protocols and port numbers
  • filtering of incoming unsolicited traffic
• Now security policy includes
  • malware detection
  • anti-phishing
  • content filtering and more

Introduction
• UDP is often blocked
• SIP ALG to permit media session
• UDP need not traverse Enterprise firewall
  • NTP, DNS, Bonjour stay inside Enterprise network
• UDP is used by bots
• Firewall cannot determine end of UDP session, other than inactivity time out
• UDP used for DDoS attacks

Introduction
[Diagram: DNS reflection. The attacker sends requests to DNS servers with Source IP = victim's IP, so the replies go to the victim.]

Introduction
• FW tracks the TCP state.
• FW is capable of terminating a TCP connection or dropping packets if there is a protocol violation.
• FW checks for invalid segments sent after the connection has been established.
• FW supports TCP configuration for
  • Idle session timeout
  • Timeout for TCP session after a FIN
  • Timeout for TCP session after a SYN and no further data

Before WebRTC
[Slide image]

After WebRTC
After WebRTC: interactive audio/video in your browser, without plugins.

WebRTC: browser architecture
[Diagram]

WebRTC
After WebRTC: Media sent directly between browsers (P2P).

Problem statement
[Diagram: WebRTC protocol stack: DTLS/SRTP, STUN, TURN and DTLS/SCTP over UDP over IP]
• Enterprise Firewalls may block WebRTC media streams over UDP.
• Firewall typically inspects signaling messages (SIP) to allow media over UDP.
• WebRTC does not define a signaling protocol.
• Spark traffic is getting blocked.
• If UDP is blocked then WebRTC media streams can be sent over TCP.
• TCP's user experience is worse than UDP's.
• How to get WebRTC media streams over UDP to traverse the FW?

The basics of Voice over IP (VoIP)
[Diagram, three steps: Alice (Address: A, Port: Pa) and Bob (Address: B, Port: Pb) signal through the network core (registrars, proxies, ...), then exchange MEDIA over SRTP directly.]

And then NATs were born ...
[Diagram: Alice (private Address: A) behind NAT/Firewall with public Address: XA; Bob (Address: B) behind NAT/Firewall with public Address: XB. ERROR.]
Impossible for Bob to initiate a media connection to Alice. Impossible for Alice to initiate a media connection to Bob.

Problem Summary
• The signaling path works because the server has a known publicly routable IP address.
• The media path breaks because
  • Peers have private non-routable IP addresses.
  • Firewall configured to block UDP.
• IPv6 could solve the problem, except firewalls still exist there.

STUN to the rescue
• STUN [RFC5389] binding request exchanged with the server opens a NAT pinhole.
• Client learns the NAT mapping from the STUN server in the binding response.
• Remote peer can send traffic to this address.
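The STUN binding exchange described above, as an added Python example that is not part of the deck: the client's Binding Request (RFC 5389 header with the magic cookie and a random 96-bit transaction ID) and the decoding of the XOR-MAPPED-ADDRESS attribute in the response, which is the reflexive address the client then advertises to its peer. The server side is simulated inline, using the RFLX values 1.4.7.4:7865 that appear later on the slides; the transaction-ID check shows why an unsolicited or spoofed reply is rejected rather than used as a candidate. All function names are this example's own.

```python
"""Minimal STUN (RFC 5389) Binding Request/Response codec (added example)."""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(transaction_id=None):
    """20-byte STUN header with no attributes: type, length, cookie, 96-bit id."""
    tid = transaction_id if transaction_id is not None else os.urandom(12)
    if len(tid) != 12:
        raise ValueError("transaction id must be 96 bits")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid


def encode_xor_mapped_address(ip, port):
    """Attribute TLV: port and address are XORed with the magic cookie (RFC 5389 15.2)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    return struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value


def build_binding_response(transaction_id, ip, port):
    """What the STUN server sends back: same transaction id, mapped address attribute."""
    attrs = encode_xor_mapped_address(ip, port)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attrs), MAGIC_COOKIE) + transaction_id + attrs


def parse_response(msg, expected_tid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS; raise ValueError on a bad message."""
    if len(msg) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or mtype != BINDING_SUCCESS:
        raise ValueError("not a STUN Binding success response")
    if msg[8:20] != expected_tid:
        raise ValueError("transaction id mismatch (unsolicited or spoofed reply)")
    body = msg[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated STUN message")
    pos = 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            _, family, xport, xaddr = struct.unpack("!BBHI", value[:8])
            if family != FAMILY_IPV4:
                raise ValueError("only IPv4 handled in this example")
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def learn_reflexive_address():
    """Simulated round trip: the client learns the NAT mapping the server saw."""
    tid = os.urandom(12)
    request = build_binding_request(tid)
    # Constructed: the NAT mapped the client's socket to 1.4.7.4:7865 (the RFLX
    # values on the slides). A real server takes this from the datagram's source.
    response = build_binding_response(request[8:20], "1.4.7.4", 7865)
    return parse_response(response, tid)
```

The pinhole the request opens in the NAT is what lets the response, and later the peer's packets, reach the client; the example only covers the message format, not the socket I/O.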
STUN to the Rescue
[Diagram: STUN server; Alice (private Address: A) behind NAT/Firewall with Address: XA; Bob (Address: B) behind NAT/Firewall with Address: XB.]
Alice learns XAp from the STUN server, and sends it to Bob. Bob can initiate a media connection to Alice via XAp.

TURN to the Rescue
• STUN doesn't work for all NATs. Some NATs only accept from the original server.
  • Address-Dependent Mapping
• TURN [RFC5766] server allocates a public address for the client to advertise.
• All P2P data is relayed via the TURN server, so a restrictive NAT pinhole works.
• Often more overhead than P2P connectivity: processing time on relay, additional latency.

TURN to the Rescue
[Diagram: Alice (private Address: A) is allocated Address: TA on her TURN server; Bob (Address: B) is allocated Address: TB on his TURN server.]
Alice and Bob get addresses from their TURN servers. The media connection is relayed via TA and TB.

ICE Functionality

What is ICE [RFC5245]?
• Each peer can have multiple "candidate" addresses.
• Interactive Connectivity Establishment is how the peers pick a candidate pair to use.
• Basically, test connectivity for all pairs and pick the best candidate pair that works.

What is a Candidate?
[Diagram: Bob behind a NAT/Firewall, with a TURN server outside. His three candidates: HOST IP: 192.168.1.34, Port: 4567; RFLX IP: 1.4.7.4, Port: 7865; RELAY (allocated on the TURN server) IP: 45.67.89.34, Port: 45678.]

Candidate Gathering
[Diagram: Bob sends a TURN Allocate Request through the NAT/Firewall. The TURN server allocates the RELAY port and reports back where the request came from (RFLX). HOST 192.168.1.34:4567, RFLX 1.4.7.4:7865, RELAY 45.67.89.34:45678.]

Checklist
[Diagrams: Alice and Bob, each with HOST, RFLX and RELAY candidates and a TURN server.]
• Agents gather their candidates.
• Need to check connectivity from the host candidate ...
• ... and from the RELAY candidate. Not possible to send from Alice's RFLX, that "just" happens.
• And checks from the other directions as well.
(This is important, more on that later)

Connectivity Check
[Diagram: STUN Binding Request / STUN Binding Response exchanged between the peers.]

Connectivity Checks
[Diagrams: Alice and Bob with HOST, RFLX and RELAY candidates and their TURN servers.]
• HOST to HOST is a nice start. If that works all is good.
• No "pinhole": packet dropped. "Pinhole" open to allow answers back in.
• "Pinhole" allows the answer back in.
• Retrying connectivity check.

Concluding
• Success! P2P media without need for relay!
• Dependent on the NAT/FW, media might take many paths.

Main Steps
• Gather candidates
• Exchange candidates (WebRTC signaling, SIP, XMPP etc.)
• Create checklist and do connectivity checks
• Stop, conclude and send media

IETF RFCs, drafts and I-Ds
[Slide: map of core RFCs, adopted drafts and individual drafts for ICE, STUN and TURN.]
Core RFCs: ICE (RFC 5245), ICE options (RFC 5768), ICE IANA Registry (RFC 6336), ICE TCP (RFC 6544), TURN (RFC 5766), TURN TCP (RFC 6062), TURN IPv6 (RFC 6156), STUN (RFC 5389), STUN DTLS (RFC 7350), ALPN (RFC 7443), 3rd party Auth [RFC7635], Consent Freshness [RFC7675].
Drafts and I-Ds named on the slide include Trickle ICE, TURNbis, ICEbis, STUNbis, TURN Fairness, Redirect, Mobility, Discovery, Server Selection, Origin, PMTUd, DANE, DISCUSS, PATH, Nombis, SIP Dual Stack, ICE SIP SDP, SIP MICE and rtcWEB Security.

Solutions for Enterprise Firewall traversal
• STUN Inspection
• TURN Extension
• SDN

STUN inspection
• Based on STUN inspection outcome, either allow or deny the WebRTC connection
• WebRTC uses STUN messages to perform connectivity checks.
• Relies on RFC7675: STUN usage for consent freshness

RFC7675: STUN usage for consent freshness
• ICE checks for the duration of the media session.
• Media stopped if consent check fails.

STUN inspection
[Diagram: Alice inside the Enterprise, the Firewall, a STUN server and Bob outside.]
Open pinhole* in firewall to allow STUN request from Alice to anywhere.

STUN inspection: ICE Connectivity Checks
[Diagram: Alice sends a STUN Request (ice-ufrag: X34$:57er, ID = 500) through the Firewall to Bob. A STUN response with ID = 100 does not match and is dropped (×) at the Firewall.]
Convert pinhole to full flow and store the ICE username (X34$:57er) and transaction ID. Firewall will terminate the flow after 30 seconds of inactivity from Alice.

STUN inspection: ICE Connectivity Checks
[Diagram: Bob's STUN Request (ice-ufrag: 57er:X34$, ID = 500) and the STUN response (ID = 500) pass the Firewall to Alice.]

STUN inspection: ICE Connectivity Checks
[Diagram: A STUN Request with ice-ufrag: 57xx:Y34$, ID = 100 is dropped (×) at the Firewall.]

STUN inspection
• ASA
  • 9.6.1, March 2016 release
  • CLI: inspect stun
  • This CLI command is used to enable or disable STUN inspection.
  • Inspection scope will be configured via access-lists.
• STUN inspection will not kick in
  • If client uses (D)TLS with the TURN server.
• Enterprise network need not deploy a STUN or TURN server.

TURN
• TURN client can indicate start and end of UDP flow.
• Firewall can be configured to permit UDP traffic to TURN servers.
• TURN client authenticates to the server using long-term credentials (username/password).

TURN
[Diagram: Enterprise Network with WebRTC client and TURN Server; Firewall; Internet with STUN server and Remote Peer. FW blocks traffic to the external STUN Server.]

TURN
RFC 7635: STUN Extension for Third Party Authorization
• Enterprise TURN server can identify business related media session.
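The firewall behaviour sketched on the STUN-inspection slides above (a pinhole for an outbound STUN request, conversion to a full flow once an ICE connectivity check carrying an ice-ufrag is seen, responses admitted only when their transaction ID matches a stored one, the peer's checks admitted only with the swapped ufrag pair, and the 30-second inactivity timeout), replayed as an added Python simulation. This is not the ASA's code or the deck's; packets are constructed dicts with field names chosen for this example, the IP addresses are documentation values, and the ice-ufrag and transaction-ID values are the ones shown on the slides.

```python
"""Added example: flow state kept by a STUN-inspecting firewall for one inside host."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

INACTIVITY_TIMEOUT = 30.0  # seconds, as stated on the slide


@dataclass
class Flow:
    state: str                 # "pinhole" (plain STUN request seen) or "full" (ICE check seen)
    ufrag: Optional[str]       # ICE username "remote:local" from the inside host's check
    last_inside_activity: float
    tids: Set[int] = field(default_factory=set)  # outstanding transaction ids


class StunInspectingFirewall:
    def __init__(self):
        # keyed by (inside endpoint, outside endpoint)
        self.flows: Dict[Tuple[str, str], Flow] = {}

    def _expire(self, now):
        """Consent freshness: no traffic from the inside host for 30 s ends the flow."""
        for key, flow in list(self.flows.items()):
            if now - flow.last_inside_activity > INACTIVITY_TIMEOUT:
                del self.flows[key]

    def process(self, pkt, now):
        self._expire(now)
        return self._outbound(pkt, now) if pkt["direction"] == "out" else self._inbound(pkt, now)

    def _outbound(self, pkt, now):
        key = (pkt["src"], pkt["dst"])
        flow = self.flows.get(key)
        if pkt["kind"] == "stun-request":
            if flow is None:  # pinhole for a STUN request from inside to anywhere
                flow = Flow("pinhole", None, now)
                self.flows[key] = flow
            flow.tids.add(pkt["tid"])
            if pkt.get("ufrag"):  # an ICE connectivity check: convert to a full flow
                flow.ufrag = pkt["ufrag"]
                flow.state = "full"
            flow.last_inside_activity = now
            return "ALLOW"
        if flow is not None:  # other traffic on an existing flow refreshes it
            flow.last_inside_activity = now
            return "ALLOW"
        return "DROP"

    def _inbound(self, pkt, now):
        flow = self.flows.get((pkt["dst"], pkt["src"]))
        if flow is None:
            return "DROP"  # unsolicited UDP
        kind = pkt["kind"]
        if kind == "stun-response":
            if pkt["tid"] not in flow.tids:
                return "DROP"  # response to a request we never saw
            flow.tids.discard(pkt["tid"])
            return "ALLOW"
        if kind == "stun-request":
            if flow.ufrag is None:
                return "DROP"
            a, b = flow.ufrag.split(":", 1)
            # the peer's check carries the same two ufrags in swapped order
            return "ALLOW" if pkt.get("ufrag") == f"{b}:{a}" else "DROP"
        return "ALLOW" if flow.state == "full" else "DROP"  # media only on a full flow


def slide_scenario():
    """Replays the packet sequence from the slides; returns the firewall's verdicts."""
    fw = StunInspectingFirewall()
    alice, bob, stun = "10.0.0.5:5000", "203.0.113.7:6000", "198.51.100.2:3478"
    events = [  # constructed packets, (packet, time in seconds)
        ({"direction": "out", "src": alice, "dst": stun, "kind": "stun-request", "tid": 1}, 0.0),
        ({"direction": "in", "src": stun, "dst": alice, "kind": "stun-response", "tid": 1}, 0.1),
        ({"direction": "out", "src": alice, "dst": bob, "kind": "stun-request", "tid": 500, "ufrag": "X34$:57er"}, 1.0),
        ({"direction": "in", "src": bob, "dst": alice, "kind": "stun-response", "tid": 100}, 1.2),
        ({"direction": "in", "src": bob, "dst": alice, "kind": "stun-request", "tid": 500, "ufrag": "57er:X34$"}, 1.3),
        ({"direction": "in", "src": bob, "dst": alice, "kind": "stun-response", "tid": 500}, 1.4),
        ({"direction": "in", "src": bob, "dst": alice, "kind": "stun-request", "tid": 100, "ufrag": "57xx:Y34$"}, 1.5),
        ({"direction": "in", "src": bob, "dst": alice, "kind": "media"}, 2.0),
        ({"direction": "in", "src": bob, "dst": alice, "kind": "media"}, 40.0),  # > 30 s since Alice last sent
    ]
    return [fw.process(pkt, t) for pkt, t in events]
```

The last verdict is the consent-freshness effect: once Alice stops sending for 30 seconds the flow is gone, and Bob's media is dropped like any other unsolicited UDP.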
Third party authorization for TURN using OAuth
[Table mapping OAuth roles to TURN roles]
Client → TURN Client
Resource Owner → Authorization Server (e.g.: WebRTC server)
Authorization Server → Authorization Server
Resource Server → TURN Server

Third party authorization for TURN using OAuth
[Diagram: WebRTC client, WebRTC server and TURN Server.]
(1) WebRTC client → WebRTC server: Access Token Request
(2) WebRTC server ↔ TURN Server: AS-RS and AUTH keys
(3) WebRTC server → WebRTC client: Access Token + Session Key
(4) WebRTC client → TURN Server: Allocate request + Access Token
(5) TURN Server → WebRTC client: Allocate response

STUN Attribute: ACCESS-TOKEN
    struct {
        uint16_t nonce_length;
        opaque nonce[nonce_length];
        opaque {
            uint16_t key_length;
            opaque mac_key[key_length];
            uint64_t timestamp;
            uint32_t lifetime;
        } encrypted_block;
        opaque mac[mac_length];
    } token;

Advantages of RFC7635
• No long-term TURN user credentials to keep secret; even if discovered, credential usefulness is limited.
• TURN username contains no externally-identifying information and helps to provide privacy.
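An added Python example (not the deck's code) of the ACCESS-TOKEN layout shown above and of what the TURN server does with it: the block is packed and unpacked, the timestamp + lifetime window is checked, and the mac_key carried in the token is used as the MESSAGE-INTEGRITY key (HMAC-SHA1, RFC 5389) on an Allocate request, which is what lets the server authenticate the client without a long-term password and is why a leaked token is only useful within its lifetime. RFC 7635's encryption of the block under the AS-RS key is left out because the Python standard library has no AEAD cipher, so the bytes produced here are the unencrypted layout only; the 48-bit seconds / 16-bit fraction timestamp encoding follows RFC 7635. All function names are this example's own.

```python
"""Added example: ACCESS-TOKEN payload layout, expiry check, and mac_key as the
STUN MESSAGE-INTEGRITY key. The block is NOT encrypted here (see lead-in)."""
import hashlib
import hmac
import os
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003
ATTR_MESSAGE_INTEGRITY = 0x0008


def pack_token_block(nonce, mac_key, issued_at, lifetime):
    """nonce_length, nonce, then key_length, mac_key, 64-bit timestamp, 32-bit lifetime."""
    secs = int(issued_at)
    frac = int((issued_at - secs) * 64000)  # RFC 7635: 48-bit seconds, 16-bit 1/64000 s
    timestamp = (secs << 16) | frac
    return (struct.pack("!H", len(nonce)) + nonce
            + struct.pack("!H", len(mac_key)) + mac_key
            + struct.pack("!QI", timestamp, lifetime))


def unpack_token_block(data):
    """Inverse of pack_token_block; returns the fields the TURN server needs."""
    (nonce_len,) = struct.unpack("!H", data[:2])
    nonce = data[2:2 + nonce_len]
    pos = 2 + nonce_len
    (key_len,) = struct.unpack("!H", data[pos:pos + 2])
    mac_key = data[pos + 2:pos + 2 + key_len]
    pos += 2 + key_len
    timestamp, lifetime = struct.unpack("!QI", data[pos:pos + 12])
    return {"nonce": nonce, "mac_key": mac_key, "lifetime": lifetime,
            "issued_at": (timestamp >> 16) + (timestamp & 0xFFFF) / 64000}


def token_status(tok, now):
    """What the TURN server decides from timestamp + lifetime alone."""
    if now < tok["issued_at"]:
        return "not-yet-valid"
    if now >= tok["issued_at"] + tok["lifetime"]:
        return "expired"
    return "valid"


def message_integrity(stun_msg_without_mi, key):
    """HMAC-SHA1 over the message with the header length pre-adjusted to cover
    the 24-byte MESSAGE-INTEGRITY attribute that follows (RFC 5389 15.4)."""
    adjusted_len = len(stun_msg_without_mi) - 20 + 24
    msg = stun_msg_without_mi[:2] + struct.pack("!H", adjusted_len) + stun_msg_without_mi[4:]
    return hmac.new(key, msg, hashlib.sha1).digest()


def sign_allocate_request(mac_key, attrs):
    """Client side: Allocate request whose MESSAGE-INTEGRITY is keyed by the token's mac_key."""
    header = struct.pack("!HHI", ALLOCATE_REQUEST, len(attrs), MAGIC_COOKIE) + os.urandom(12)
    mi = message_integrity(header + attrs, mac_key)
    body = attrs + struct.pack("!HH", ATTR_MESSAGE_INTEGRITY, 20) + mi
    return header[:2] + struct.pack("!H", len(body)) + header[4:] + body


def verify_allocate_request(msg, mac_key):
    """Server side: recompute the HMAC over everything before MESSAGE-INTEGRITY."""
    mi_offset = len(msg) - 24
    if mi_offset < 20:
        return False
    atype, alen = struct.unpack("!HH", msg[mi_offset:mi_offset + 4])
    if atype != ATTR_MESSAGE_INTEGRITY or alen != 20:
        return False
    expected = message_integrity(msg[:mi_offset], mac_key)
    return hmac.compare_digest(expected, msg[mi_offset + 4:])


def server_accepts(token_block, request, now):
    """Combined check: the token must be inside its window and the request must
    carry a MESSAGE-INTEGRITY computed with the token's mac_key."""
    tok = unpack_token_block(token_block)
    return token_status(tok, now) == "valid" and verify_allocate_request(request, tok["mac_key"])
```

The nonce is what ends up in the STUN USERNAME, which is why the username carries nothing that identifies the user; the TURN server ties the request to a session only through the mac_key it recovers from the token.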

Details
  • File Type: pdf
  • Content Languages: English
  • File Pages: 65
