19. Security Considerations

Original link: https://datatracker.ietf.org/doc/html/rfc8445#section-19

19.1. IP Address Privacy

The process of probing for candidates reveals the source addresses of the client and its peer to any on-network listening attacker, and the process of exchanging candidates reveals the addresses to any attacker that is able to see the negotiation.

Some addresses, such as the server-reflexive addresses gathered through the local interface of VPN users, may be sensitive information.

If these potential attacks cannot be mitigated, ICE usages can define mechanisms for controlling which addresses are revealed to the negotiation and/or probing process.

Individual implementations may also have implementation-specific rules for controlling which addresses are revealed.

For example, [WebRTC-IP-HANDLING] provides additional information about the privacy aspects of revealing IP addresses via ICE for WebRTC applications.

ICE implementations where such issues can arise are RECOMMENDED to provide a programmatic or user interface that provides control over which network interfaces are used to generate candidates.

Based on the types of candidates provided by the peer, and the results of the connectivity tests performed against those candidates, the peer might be able to determine characteristics of the local network, e.g., if different timings are apparent to the peer.

Within the limit, the peer might be able to probe the local network. There are several types of attacks possible in an ICE system. The subsections consider these attacks and their countermeasures.

19.2. Attacks on Connectivity Checks

An attacker might attempt to disrupt the STUN connectivity checks.

Ultimately, all of these attacks fool an ICE agent into thinking something incorrect about the results of the connectivity checks.

Depending on the type of attack, the attacker needs to have different capabilities. In some cases, the attacker needs to be on the path of the connectivity checks.

In other cases, the attacker does not need to be on the path, as long as it is able to generate STUN connectivity checks.

While attacks on connectivity checks are typically performed by network entities, if an attacker is able to control an endpoint, it might be able to trigger connectivity-check attacks.

The possible false conclusions an attacker can try and cause are:

False Invalid:

An attacker can fool a pair of agents into thinking a candidate pair is invalid, when it isn’t. This can be used to cause an agent to prefer a different candidate (such as one injected by the attacker) or to disrupt a call by forcing all candidates to fail.

False Valid:

An attacker can fool a pair of agents into thinking a candidate pair is valid, when it isn’t. This can cause an agent to proceed with a session but then not be able to receive any data.

False Peer-Reflexive Candidate:

An attacker can cause an agent to discover a new peer-reflexive candidate when it is not expected to. This can be used to redirect data streams to a DoS target or to the attacker, for eavesdropping or other purposes.

False Valid on False Candidate:

An attacker has already convinced an agent that there is a candidate with an address that does not actually route to that agent (e.g., by injecting a false peer-reflexive candidate or false server-reflexive candidate).

The attacker then launches an attack that forces the agents to believe that this candidate is valid.

If an attacker can cause a false peer-reflexive candidate or false valid on a false candidate, it can launch any of the attacks described in [RFC5389].

To force the false invalid result, the attacker has to wait for the connectivity check from one of the agents to be sent.

When it is, the attacker needs to inject a fake response with an unrecoverable error response (such as a 400), or drop the response so that it never reaches the agent.

However, since the candidate is, in fact, valid, the original request may reach the peer agent and result in a success response.

The attacker needs to force this packet or its response to be dropped through a DoS attack, a Layer 2 network disruption, or another technique.

If it doesn’t do this, the success response will also reach the originator, alerting it to a possible attack.

The ability for the attacker to generate a fake response is mitigated through the STUN short-term credential mechanism.

In order for this response to be processed, the attacker needs the password.

If the candidate exchange signaling is secured, the attacker will not have the password, and its response will be discarded.

Spoofed ICMP Hard Errors (Type 3, codes 2-4) can also be used to create false invalid results.

If an ICE agent implements a response to these ICMP errors, the attacker is capable of generating an ICMP message that is delivered to the agent sending the connectivity check.

The validation of the ICMP error message by the agent is its only defense.

For Type 3 code=4, the outer IP header provides no validation, unless the connectivity check was sent with DF=0.

For codes 2 or 3, which are originated by the host, the address is expected to be any of the remote agent’s host, reflexive, or relay candidate IP addresses.

The ICMP message includes the IP header and UDP header of the message triggering the error. These fields also need to be validated.

The IP destination and UDP destination port need to match either the targeted candidate address and port or the candidate’s base address.

The source IP address and port can be any candidate for the same base address of the agent sending the connectivity check.

Thus, any attacker having access to the exchange of the candidates will have the necessary information.

Hence, the validation is a weak defense, and the sending of spoofed ICMP attacks is also possible for off-path attackers from a node in a network without source address validation.
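The ICMP validation rules just listed, as an added example in Python (not code from the RFC or from any ICE implementation): it constructs an ICMP Destination Unreachable message quoting the IP and UDP headers of a connectivity check, then checks it against what the sending agent remembers about that check. The SentCheck record, the helper names and the sample addresses are assumptions of this example; as the text notes, passing these checks only proves that the sender saw the candidate exchange.

```python
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
HARD_CODES = {2, 3, 4}  # protocol unreachable, port unreachable, fragmentation needed


@dataclass
class SentCheck:
    """What the checking agent remembers about one outstanding check (hypothetical record)."""
    target: tuple          # remote candidate (ip, port) the check was sent to
    target_base: tuple     # base (ip, port) of that candidate; equals target for a host candidate
    local_candidates: set  # every local candidate (ip, port) sharing the sending base
    remote_ips: set        # remote host, reflexive and relay candidate IPs
    df_set: bool           # whether the check was sent with DF=1


def build_icmp_unreach(code, inner_src, inner_dst):
    """Construct an ICMP Type 3 message quoting an IPv4 header and 8 bytes of UDP header."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         socket.inet_aton(inner_src[0]), socket.inet_aton(inner_dst[0]))
    udp_hdr = struct.pack("!HHHH", inner_src[1], inner_dst[1], 8, 0)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip_hdr + udp_hdr


def icmp_hard_error_is_valid(outer_src_ip, icmp, check):
    """Apply the validation described in RFC 8445 19.2; True means the error may be acted on."""
    itype, code = struct.unpack_from("!BB", icmp, 0)
    if itype != ICMP_DEST_UNREACH or code not in HARD_CODES:
        return False
    if code == 4:
        if not check.df_set:
            return False  # the check was sent with DF=0, so "fragmentation needed" cannot be genuine
        # With DF=1 the originator is some router on the path: the outer header proves nothing.
    elif outer_src_ip not in check.remote_ips:
        return False      # codes 2 and 3 are originated by the remote host itself
    ihl = (icmp[8] & 0x0F) * 4
    if len(icmp) < 8 + ihl + 8:
        return False      # not enough of the triggering packet was quoted
    inner_src_ip = socket.inet_ntoa(icmp[8 + 12:8 + 16])
    inner_dst_ip = socket.inet_ntoa(icmp[8 + 16:8 + 20])
    src_port, dst_port = struct.unpack_from("!HH", icmp, 8 + ihl)
    # Quoted destination must be the targeted candidate or its base.
    if (inner_dst_ip, dst_port) not in (check.target, check.target_base):
        return False
    # Quoted source may be any local candidate for the same base.
    return (inner_src_ip, src_port) in check.local_candidates
```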

Forcing the fake valid result works in a similar way.

The attacker needs to wait for the Binding request from each agent and inject a fake success response.

Again, due to the STUN short-term credential mechanism, in order for the attacker to inject a valid success response, the attacker needs the password.

Alternatively, the attacker can route (e.g., using a tunneling mechanism) a valid success response, which normally would be dropped or rejected by the network, to the agent.

Forcing the false peer-reflexive candidate result can be done with either fake requests or responses, or with replays.

We consider the fake requests and responses case first. It requires the attacker to send a Binding request to one agent with a source IP address and port for the false candidate.

In addition, the attacker needs to wait for a Binding request from the other agent and generate a fake response with a XOR-MAPPED-ADDRESS attribute containing the false candidate.

Like the other attacks described here, this attack is mitigated by the STUN message integrity mechanisms and secure candidate exchanges.
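The short-term credential mechanism relied on here, and earlier for fake error responses, as an added example in Python (not code from the RFC or from any STUN library): it builds a Binding success response carrying XOR-MAPPED-ADDRESS, MESSAGE-INTEGRITY and FINGERPRINT as the genuine peer would, then verifies a received response the way the checking agent does, so a response forged without the password is discarded. The transaction ID, password and addresses are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct
import zlib

MAGIC = 0x2112A442  # STUN magic cookie
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS, MESSAGE_INTEGRITY, FINGERPRINT = 0x0020, 0x0008, 0x8028


def _attr(atype, value):
    """Encode one TLV attribute, padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)


def build_response(txid, mapped_ip, mapped_port, password):
    """Binding success response as the genuine peer builds it with the short-term credential."""
    xaddr = struct.unpack("!I", socket.inet_aton(mapped_ip))[0] ^ MAGIC
    body = _attr(XOR_MAPPED_ADDRESS, struct.pack("!BBHI", 0, 1, mapped_port ^ (MAGIC >> 16), xaddr))
    # The HMAC is computed with the header length already counting the 24-byte MESSAGE-INTEGRITY attribute.
    hdr = struct.pack("!HHI", BINDING_SUCCESS, len(body) + 24, MAGIC) + txid
    body += _attr(MESSAGE_INTEGRITY, hmac.new(password.encode(), hdr + body, hashlib.sha1).digest())
    hdr = struct.pack("!HHI", BINDING_SUCCESS, len(body) + 8, MAGIC) + txid
    body += _attr(FINGERPRINT, struct.pack("!I", zlib.crc32(hdr + body) ^ 0x5354554E))
    return hdr + body


def _attrs(msg):
    off = 20
    while off + 4 <= len(msg):
        atype, alen = struct.unpack_from("!HH", msg, off)
        yield atype, off, msg[off + 4:off + 4 + alen]
        off += 4 + alen + (-alen % 4)


def verify_response(msg, txid, password):
    """Return the mapped (ip, port) if the response is genuine, else None (the agent discards it)."""
    mtype, mlen, cookie = struct.unpack_from("!HHI", msg, 0)
    if cookie != MAGIC or msg[8:20] != txid or mlen != len(msg) - 20:
        return None
    mapped = mi = None
    for atype, off, value in _attrs(msg):
        if atype == XOR_MAPPED_ADDRESS:
            _, _, xport, xaddr = struct.unpack("!BBHI", value)
            mapped = (socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC)), xport ^ (MAGIC >> 16))
        elif atype == MESSAGE_INTEGRITY:
            mi = (off, value)
        elif atype == FINGERPRINT and struct.unpack("!I", value)[0] != zlib.crc32(msg[:off]) ^ 0x5354554E:
            return None
    if mapped is None or mi is None:
        return None
    off, value = mi
    # HMAC-SHA1 covers the header (length rewritten to end at MESSAGE-INTEGRITY) and every attribute before it.
    covered = struct.pack("!HHI", mtype, off + 4, MAGIC) + msg[8:off]
    expected = hmac.new(password.encode(), covered, hashlib.sha1).digest()
    return mapped if hmac.compare_digest(expected, value) else None
```

Nothing in the covered bytes identifies the UDP source address or port, which is why a replayed check from a different source still passes this integrity check.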

Forcing the false peer-reflexive candidate result with packet replays is different.

The attacker waits until one of the agents sends a check.

It intercepts this request and replays it towards the other agent with a faked source IP address.

It also needs to prevent the original request from reaching the remote agent, by either launching a DoS attack to cause the packet to be dropped or forcing it to be dropped using Layer 2 mechanisms.

The replayed packet is received at the other agent, and accepted, since the integrity check passes (the integrity check cannot and does not cover the source IP address and port).

It is then responded to. This response will contain a XOR-MAPPED-ADDRESS with the false candidate, and it will be sent to that false candidate.

The attacker then needs to receive it and relay it towards the originator.

The other agent will then initiate a connectivity check towards that false candidate.

This validation needs to succeed. This requires the attacker to force a false valid on a false candidate.

The injecting of fake requests or responses to achieve this goal is prevented using the integrity mechanisms of STUN and the candidate exchange.

Thus, this attack can only be launched through replays.

To do that, the attacker needs to intercept the check towards this false candidate and replay it towards the other agent.

Then, it needs to intercept the response and replay that back as well.

This attack is very hard to launch unless the attacker is identified by the fake candidate.

This is because it requires the attacker to intercept and replay packets sent by two different hosts.

If both agents are on different networks (e.g., across the public Internet), this attack can be hard to coordinate, since it needs to occur against two different endpoints on different parts of the network at the same time.

If the attacker itself is identified by the fake candidate, the attack is easier to coordinate.

However, if the data path is secured (e.g., using the Secure Real-time Transport Protocol (SRTP) [RFC3711]), the attacker will not be able to process the data packets, but will only be able to discard them, effectively disabling the data stream.

However, this attack requires the agent to disrupt packets in order to block the connectivity check from reaching the target.

In that case, if the goal is to disrupt the data stream, it’s much easier to just disrupt it with the same mechanism, rather than attack ICE.

19.3. Attacks on Server-Reflexive Address Gathering

ICE endpoints make use of STUN Binding requests for gathering server-reflexive candidates from a STUN server. These requests are not authenticated in any way.

As a consequence, there are numerous techniques an attacker can employ to provide the client with a false server-reflexive candidate:

  • An attacker can compromise the DNS, causing DNS queries to return a rogue STUN server address. That server can provide the client with fake server-reflexive candidates. This attack is mitigated by DNS security, though DNSSEC is not required to address it.
  • An attacker that can observe STUN messages (such as an attacker on a shared network segment, like Wi-Fi) can inject a fake response that is valid and will be accepted by the client.
  • An attacker can compromise a STUN server and cause it to send responses with incorrect mapped addresses.

A false mapped address learned by these attacks will be used as a server-reflexive candidate in the establishment of the ICE session.

For this candidate to actually be used for data, the attacker also needs to attack the connectivity checks, and in particular, force a false valid on a false candidate.

This attack is very hard to launch if the false address identifies a fourth party (neither the initiator, responder, nor attacker), since it requires attacking the checks generated by each ICE agent in the session and is prevented by SRTP if it identifies the attacker itself.

If the attacker elects not to attack the connectivity checks, the worst it can do is prevent the server-reflexive candidate from being used.

However, if the peer agent has at least one candidate that is reachable by the agent under attack, the STUN connectivity checks themselves will provide a peer-reflexive candidate that can be used for the exchange of data.

Peer-reflexive candidates are generally preferred over server-reflexive candidates. As such, an attack solely on the STUN address gathering will normally have no impact on a session at all.

19.4. Attacks on Relayed Candidate Gathering

An attacker might attempt to disrupt the gathering of relayed candidates, forcing the client to believe it has a false relayed candidate.

Exchanges with the TURN server are authenticated using a long-term credential.

Consequently, injection of fake responses or requests will not work. In addition, unlike Binding requests, Allocate requests are not susceptible to replay attacks with modified source IP addresses and ports, since the source IP address and port are not utilized to provide the client with its relayed candidate.

Even if an attacker has caused the client to believe in a false relayed candidate, the connectivity checks cause such a candidate to be used only if they succeed.

Thus, an attacker needs to launch a false valid on a false candidate, per above, which is a very difficult attack to coordinate.

19.5. Insider Attacks

In addition to attacks where the attacker is a third party trying to insert fake candidate information or STUN messages, there are attacks possible with ICE when the attacker is an authenticated and valid participant in the ICE exchange.

19.5.1. STUN Amplification Attack

The STUN amplification attack is similar to a “voice hammer” attack, where the attacker causes other agents to direct voice packets to the attack target.

However, instead of voice packets being directed to the target, STUN connectivity checks are directed to the target. The attacker sends a large number of candidates, say, 50.

The responding agent receives the candidate information and starts its checks, which are directed at the target, and consequently, never generate a response.

In the case of WebRTC, the user might not even be aware that this attack is ongoing, since it might be triggered in the background by malicious JavaScript code that the user has fetched.

The answerer will start a new connectivity check every Ta ms (say, Ta=50ms).

However, the retransmission timers are set to a large number due to the large number of candidates.

As a consequence, packets will be sent at an interval of one every Ta milliseconds and then with increasing intervals after that.

Thus, STUN will not send packets at a rate faster than data would be sent, and the STUN packets persist only briefly, until ICE fails for the session.

Nonetheless, this is an amplification mechanism. It is impossible to eliminate the amplification, but the volume can be reduced through a variety of heuristics.

ICE agents SHOULD limit the total number of connectivity checks they perform to 100.

Additionally, agents MAY limit the number of candidates they will accept.

Frequently, protocols that wish to avoid these kinds of attacks force the initiator to wait for a response prior to sending the next message.

However, in the case of ICE, this is not possible. It is not possible to differentiate the following two cases:

  • There was no response because the initiator is being used to launch a DoS attack against an unsuspecting target that will not respond.
  • There was no response because the IP address and port are not reachable by the initiator.

In the second case, another check will be sent at the next opportunity, while in the former case, no further checks will be sent.
