[Search] [txt|xml|pdfized|bibtex] [Tracker] [Email] [Nits]
Versions: 00                                                            
rtcweb                                                        M. Thomson
Internet-Draft                                                  B. Aboba
Intended status: Standards Track                               Microsoft
Expires: April 15, 2013                                 October 12, 2012

  Bandwidth Constraints for Session Traversal Utilities for NAT (STUN)


   An attribute is defined for Session Traversal Utilities for NAT
   (STUN) that allows for declarations of bandwidth limits on the
   negotiated flow.  The application of this attribute to reducing
   denial of service attacks from internet telephony systems.  Other
   applications include negotiation of bandwidth at packet relays.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 15, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Thomson & Aboba          Expires April 15, 2013                 [Page 1]

Internet-Draft               STUN Bandwidth                 October 2012

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4
   3.  The BANDWIDTH Attribute . . . . . . . . . . . . . . . . . . . . 4
   4.  Application . . . . . . . . . . . . . . . . . . . . . . . . . . 4
     4.1.  ICE Bandwidth Consent . . . . . . . . . . . . . . . . . . . 5
       4.1.1.  STUN Usage  . . . . . . . . . . . . . . . . . . . . . . 5
       4.1.2.  Bandwidth Limiting  . . . . . . . . . . . . . . . . . . 5
       4.1.3.  Bandwidth Consent Revocation  . . . . . . . . . . . . . 6
     4.2.  Relay Bandwidth Allocation  . . . . . . . . . . . . . . . . 6
   5.  Bandwidth Measurement Considerations  . . . . . . . . . . . . . 6
     5.1.  Rate Enforcement  . . . . . . . . . . . . . . . . . . . . . 7
   6.  Security Considerations . . . . . . . . . . . . . . . . . . . . 8
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
   8.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 8
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . . . 8
     9.1.  Normative References  . . . . . . . . . . . . . . . . . . . 8
     9.2.  Informative References  . . . . . . . . . . . . . . . . . . 9
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 9

Thomson & Aboba          Expires April 15, 2013                 [Page 2]

Internet-Draft               STUN Bandwidth                 October 2012

1.  Introduction

   A key security property that Interactivity Connectivity Establishment
   (ICE) [RFC5245] establishes is that the subject of a flow of packets
   consents to receive packets.  This provides a measure of protection
   against the Voice Hammer attack (see Section 18.5.1 of [RFC5245])
   where an attacker with access to signaling induces valid clients to
   send excessive amounts of data toward a victim.

   ICE depends on the use of a Session Traversal Utilities for NAT
   (STUN) Binding request and response to provide an indication of
   consent.  A host that provides a Binding response demonstrates that
   they have seen the transaction ID and are therefore either on the
   path between sender and receiver, or have an agent on the path.

   As a result of the connectivity check, the sender determines that
   either the receiving host consents to receiving packets, or some on-
   path attacker has faked consent.  In the latter case, the on-path
   attacker is already in a position to generate packets toward the
   receiving host, so this does not present an advantage to the attacker
   and we discount the attack.

   This basic consent mechanism only establishes that some data is
   acceptable.  It does not establish how much the receiver is prepared
   to accept.  In particular, where media multiplexing is negotiated,
   consent cannot be provided for individual media; it must apply to all
   potential streams received on a transport address.  Given the wide
   disparity in potential bandwidth usage by text, audio and video, this
   enables a volume-based denial of service attack.  In this attack a
   service that is prepared to automatically accept real-time
   communications can become the target of excessive bandwidth from
   clients.  This only requires that the client visits the attacker's
   site, there is no user consent required.

   This attack is only mitigated by measures such as continuing consent
   [I-D.muthu-behave-consent-freshness].  Refusing to provide continuing
   consent takes a non-trivial amount of time to effect changes in
   senders.  Thus, continuing consent can only limit the duration of an
   attack, not prevent it, and only by refusing all media traffic.

   This document defines a BANDWIDTH attribute for STUN that can be used
   to prevent this attack.  This attribute can also be used to request
   and allocate bandwidth at a Traversal Using Relays around NAT (TURN)

   This attribute is used for indicating a bandwidth limit that is set
   in policy.  The sender is not advised or required to utilize
   bandwidth up to this limit; limits are usually set well in excess of

Thomson & Aboba          Expires April 15, 2013                 [Page 3]

Internet-Draft               STUN Bandwidth                 October 2012

   application needs.  Senders also limit their use of bandwidth in
   reaction to path congestion and "circuit breakers".

2.  Terminology

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as
   described in BCP 14, RFC 2119 [RFC2119] and indicate requirement
   levels for compliant implementations.

   The term "sender" and "receiver" refer to peers that are respectively
   sending or receiving packets on a given transport flow.  In a typical
   peer to peer transport flow, both peers act in both roles.  ICE
   terminology, specifically candidate, flow, and candidate are borrowed
   from [RFC5245].

3.  The BANDWIDTH Attribute

   The BANDWIDTH attribute (identifier TBD) identifies the rate of
   packet transmission in kilobits per second that is permitted for a
   given transport flow.  The BANDWIDTH attribute is a comprehension-
   optional attribute (see Section 15 from [RFC5389]).  Figure 1 shows
   the format of this attribute.

       0                   1                   2                   3
       0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
      |     Attribute Type (TBD)      |          Length (4)           |
      |                          Bandwidth                            |

                   Figure 1: Bandwidth Attribute Format

   The value of this attribute is an unsigned integer that represents
   the maximum bandwidth for the flow in kilobits per second (1 kilobit
   = 1024 bits).

4.  Application

   Bandwidth limits are applied to both ICE connectivity checking and
   TURN relay allocation.

Thomson & Aboba          Expires April 15, 2013                 [Page 4]

Internet-Draft               STUN Bandwidth                 October 2012

4.1.  ICE Bandwidth Consent

   For a negotiated ICE flow, the BANDWIDTH attribute indicates the
   bandwidth that a receiver consents to receive.

   In the absence of a BANDWIDTH attribute, no bandwidth limits apply to
   a flow.

4.1.1.  STUN Usage

   A sender that supports this attribute MUST include a BANDWIDTH
   attribute in the STUN Binding requests it generates for connectivity
   checks.  The primary utility of this inclusion is to indicate support
   for a parameter.

   A receiver that supports this attribute includes the permitted
   bandwidth in the STUN Binding response it generates.  A receiver that
   requires bandwidth consent MUST ignore Binding requests that do not
   include the BANDWIDTH attribute.  A receiver MAY use the value in the
   Binding request as guidance on what bandwidth to permit.

4.1.2.  Bandwidth Limiting

   An ICE-capable sender MUST NOT exceed the allowed bandwidth that has
   been indicated in connectivity checks for the specific flow.
   Bandwidth limits for each flow are independent.  That is, a bandwidth
   limit learned from a connectivity check response only applies to
   packets that are sent from the local candidate to the remote
   candidate that were used in that connectivity check.  An attacker
   with access to signaling could otherwise insert a candidate that they
   control.  The attacker-controlled candidate could then indicate a
   larger bandwidth limit that affects other flows.

   Independent bandwidth limits for flows implies that where there are
   multiple valid candidate pairs the overall bandwidth limit is
   increased for each valid candidate pair.  For an attacker, this
   presents an opportunity to multiply the bandwidth that flows toward a
   receiver by the number of valid candidate pairs.  A receiver SHOULD
   monitor the incoming bandwidth for a component and limit the
   aggregate bandwidth to the expected maximum.  This depends on
   application-specific knowledge of how flows are expected to be used,
   such as knowledge of how the ICE component relates to Session
   Description Protocol (SDP) [RFC4566] "m=" lines.  If an aggregate
   limit is exceeded, the receiver SHOULD revoke consent (Section 4.1.3)
   on one or more flows.

   In ICE, a peer MAY choose to include a BANDWIDTH value of zero prior
   to nominating a candidate pair.  This implies that only STUN Binding

Thomson & Aboba          Expires April 15, 2013                 [Page 5]

Internet-Draft               STUN Bandwidth                 October 2012

   requests are permitted on the flow.  The advantage of this is that
   the bandwidth allowance is not increased by the number of valid
   candidate pairs.  This increases the latency of flow setup because
   the controlled peer needs to perform a post-nomination connectivity
   check to check if available bandwidth has increased to a usable

4.1.3.  Bandwidth Consent Revocation

   During ongoing consent checks [I-D.muthu-behave-consent-freshness],
   the BANDWIDTH attribute allows for a faster revocation of consent by
   a receiver.  Without the BANDWIDTH attribute, the receiver stops
   responding to Binding requests.  The sender only stops sending when
   enough of these responses are lost.  By responding with a BANDWIDTH
   value of zero, a sender ceases packet transmission on the flow in a
   much shorter time.

   A sender MUST cease transmission of all packets toward a receiver
   that indicates a bandwidth of zero.  This is important even where
   rates are averaged over time, where changes in the bandwidth limit
   might otherwise take some time.

4.2.  Relay Bandwidth Allocation

   The BANDWIDTH attribute indicates a limit to available inbound
   bandwidth for TURN [RFC5766] allocation.  Inbound bandwidth is the
   bandwidth of data sent from a peer toward the TURN server.

   A BANDWIDTH attribute - when present in an Allocate request -
   indicates that the given bandwidth is requested.  A BANDWIDTH
   attribute in an Allocate response indicates the limit that will be
   applied by the TURN server.  The value a TURN server provides could
   be influenced by the value that a TURN client requests at the
   discretion of server policy.

   A TURN client can use the indicated bandwidth to limit the value that
   it sends in ICE connectivity check responses.

   Bandwidth that the TURN client sends toward the TURN server is not
   governed by this attribute.  A TURN server is able to terminate an
   allocation if a TURN client generates excessive outbound bandwidth.

5.  Bandwidth Measurement Considerations

   Connectivity check and allocation messages (Binding and Allocate) are
   exempt from any bandwidth measurement accounting.  This allows
   consent to be verified without being subject to delays due to

Thomson & Aboba          Expires April 15, 2013                 [Page 6]

Internet-Draft               STUN Bandwidth                 October 2012

   bandwidth throttling.  Senders are expected to limit the rate of
   outgoing connectivity checks using independent mechanisms.

   In calculating bandwidth, the entire IP packet - including the header
   - is measured.  This is identical to the measurement performed by the
   Real-Time Transport Protocol (RTP) [RFC3550].  At a TURN server,
   bandwidth measurement is performed on the packets arriving at the
   TURN server, prior to the encapsulation that occurs between TURN
   server and TURN client.

   Determining the rate requires that the bits be allocated to specific
   intervals of time.  How bits are allocated MAY vary between

   Measurement of bandwidth is imperfect and inconsistent.  Packet
   jitter can result in fluctuations in received packet rate so that a
   receiver might see an instantaneous bandwidth that is different to
   what the sender might have transmitted.  Jitter can cause the
   observed bandwidth of incoming packets to temporarily increase above
   the permitted rate.  At a minimum, implementations SHOULD allow for
   short periods of excessive bandwidth to allow for these temporary

5.1.  Rate Enforcement

   [[Editor's Note: There are two approaches to this: Either make the
   limit a hard limit (with a small jitter allowance), which would
   necessitate fairly high bandwidth limits for normal usage lest there
   be squeezing or dropping of video i-frames, which can significantly
   affect a real-time experience.  The other approach, taken here,
   permits a more usage-aware limiting, taking the limit as more of a
   "guideline", which allows latitude for temporary excess, enabling
   more realistic limits (and probably some queueing somewhere), with
   guarantees on compliance with the limit over longer periods.]]

   Enforcement of bandwidth limits is a sender responsibility, though a
   receiver or other middlebox MAY perform enforcement.  Senders are
   able to make temporary allowances for the data that is being
   transmitted, by averaging bandwidth usage to account.  This allows
   for different bandwidth usage profiles.  For example, real-time audio
   typically uses a nearly constant rate, whereas bandwidth consumption
   increases significantly for the transmission of intra-frames in real-
   time video.  In contrast, real-time application sharing has highly
   unpredictable bandwidth consumption.

   Enforcement of limits by nodes other than the sender SHOULD provide
   an allowance for application usages that temporarily exceed the
   limit.  For example, assessing observed bandwidth usage as an average

Thomson & Aboba          Expires April 15, 2013                 [Page 7]

Internet-Draft               STUN Bandwidth                 October 2012

   over 10 seconds ensures that real-time video does not clip
   unnecessarily; shorter durations could result in any enforcement
   affecting valuable intra-frames.

6.  Security Considerations

   ICE negotiation potentially results in multiple candidate pairs for a
   component becoming valid.  If a non-zero bandwidth value is used
   during the checking phase, the sender might be convinced that there
   are multiple valid flows.  Mitigation measures and considerations for
   their use are described in Section 4.1.

7.  IANA Considerations

   IANA has allocated a code of (TBD) to the STUN BANDWIDTH attribute.
   This attribute is registered in the "STUN Attribute" Registry
   following the procedures of Section 18.2 of [RFC5389].  BANDWIDTH is
   a comprehension-optional STUN attribute.

8.  Acknowledgments

   Humayun Khan, Tim Moore provided input and implementation experience.

9.  References

9.1.  Normative References

              Perumal, M., Wing, D., and H. Kaplan, "STUN Usage for
              Consent Freshness and Session Liveness",
              draft-muthu-behave-consent-freshness-01 (work in
              progress), July 2012.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5245]  Rosenberg, J., "Interactive Connectivity Establishment
              (ICE): A Protocol for Network Address Translator (NAT)
              Traversal for Offer/Answer Protocols", RFC 5245,
              April 2010.

   [RFC5389]  Rosenberg, J., Mahy, R., Matthews, P., and D. Wing,
              "Session Traversal Utilities for NAT (STUN)", RFC 5389,
              October 2008.

Thomson & Aboba          Expires April 15, 2013                 [Page 8]

Internet-Draft               STUN Bandwidth                 October 2012

   [RFC5766]  Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using
              Relays around NAT (TURN): Relay Extensions to Session
              Traversal Utilities for NAT (STUN)", RFC 5766, April 2010.

9.2.  Informative References

   [RFC3550]  Schulzrinne, H., Casner, S., Frederick, R., and V.
              Jacobson, "RTP: A Transport Protocol for Real-Time
              Applications", STD 64, RFC 3550, July 2003.

   [RFC4566]  Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
              Description Protocol", RFC 4566, July 2006.

Authors' Addresses

   Martin Thomson
   3210 Porter Drive
   Palo Alto, CA  94304

   Phone: +1 650-353-1925
   Email: martin.thomson@outlook.com

   Bernard Aboba
   One Microsoft Way
   Redmond, WA  98052

   Email: bernard_aboba@outlook.com

Thomson & Aboba          Expires April 15, 2013                 [Page 9]