idnits 2.17.1 draft-ietf-rtcweb-mdns-ice-candidates-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([RFC6762]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. == There are 11 instances of lines with non-RFC6890-compliant IPv4 addresses in the document. If these are example addresses, they should be changed. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (October 22, 2018) is 2003 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Unused Reference: 'IPLeak' is defined on line 436, but no explicit reference was found in the text -- Obsolete informational reference (is this intentional?): RFC 5766 (Obsoleted by RFC 8656) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 RTCWEB Y. Fablet 3 Internet-Draft Apple Inc. 4 Intended status: Informational J. de Borst 5 Expires: April 25, 2019 J. Uberti 6 Q. Wang 7 Google 8 October 22, 2018 10 Using Multicast DNS to protect privacy when exposing ICE candidates 11 draft-ietf-rtcweb-mdns-ice-candidates-02 13 Abstract 15 WebRTC applications collect ICE candidates as part of the process of 16 creating peer-to-peer connections. To maximize the probability of a 17 direct peer-to-peer connection, client private IP addresses are 18 included in this candidate collection. However, disclosure of these 19 addresses has privacy implications. This document describes a way to 20 share local IP addresses with other clients while preserving client 21 privacy. This is achieved by obfuscating IP addresses with 22 dynamically generated Multicast DNS (mDNS) [RFC6762] names. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on April 25, 2019. 41 Copyright Notice 43 Copyright (c) 2018 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents 48 (https://trustee.ietf.org/license-info) in effect on the date of 49 publication of this document. Please review these documents 50 carefully, as they describe your rights and restrictions with respect 51 to this document. Code Components extracted from this document must 52 include Simplified BSD License text as described in Section 4.e of 53 the Trust Legal Provisions and are provided without warranty as 54 described in the Simplified BSD License. 56 Table of Contents 58 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 59 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 3. Principle . . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 3.1. ICE Candidate Gathering . . . . . . . . . . . . . . . . . 3 62 3.2. ICE Candidate Processing . . . . . . . . . . . . . . . . 4 63 4. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 5 64 5. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 65 5.1. Statistics . . . . . . . . . . . . . . . . . . . . . . . 6 66 5.2. Interactions With TURN Servers . . . . . . . . . . . . . 6 67 5.3. Generated Names Reuse . . . . . . . . . . . . . . . . . . 7 68 5.4. Specific Browsing Contexts . . . . . . . . . . . . . . . 7 69 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 70 6.1. mDNS Message Flooding . . . . . . . . . . . . . . . . . . 7 71 6.2. Malicious Responses to Deny Name Registration . . . . . . 8 72 6.3. Monitoring of Sessions . . . . . . . . . . . . . . . . . 9 73 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 74 8. Specification Requirements . . . . . . . . . . . . . . . . . 9 75 9. Informative References . . . . . . . . . . . . . . . . . . . 9 76 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 78 1. Introduction 80 As detailed in [IPHandling], exposing client private IP addresses by 81 default maximizes the probability of successfully creating direct 82 peer-to-peer connection between two clients, but creates a 83 significant surface for user fingerprinting. [IPHandling] recognizes 84 this issue, but also admits that there is no current solution to this 85 problem; implementations that choose to use Mode 3 to address the 86 privacy concerns often suffer from failing or suboptimal connections 87 in WebRTC applications. This is particularly an issue on unmanaged 88 networks, typically homes or small offices, where NAT loopback may 89 not be supported. 91 This document proposes an overall solution to this problem by 92 registering ephemeral mDNS names for each local private IP address, 93 and then providing those names, rather than the IP addresses, to the 94 web application when it gathers ICE candidates. WebRTC 95 implementations resolve these names to IP addresses and perform ICE 96 processing as usual, but the actual IP addresses are not exposed to 97 the web application. 99 2. Terminology 101 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 102 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 103 document are to be interpreted as described in [RFC2119]. 105 3. Principle 107 This section uses the concept of ICE agent as defined in [RFC8445]. 108 In the remainder of the document, it is assumed that each browsing 109 context (as defined in Section 7.1 of [HTMLSpec]) has its own ICE 110 agent. 112 3.1. ICE Candidate Gathering 114 For any host candidate gathered by an ICE agent as part of [RFC8445], 115 Section 5.1.1, the candidate is handled as follows: 117 1. Check whether the ICE agent has a usable registered mDNS hostname 118 resolving to the ICE candidate's IP address. If one exists, skip 119 ahead to Step 6. 121 2. Generate a unique mDNS hostname. The unique name MUST consist of 122 a version 4 UUID as defined in [RFC4122], followed by ".local". 124 3. Register the candidate's mDNS hostname as defined in [RFC6762]. 126 4. If registering of the mDNS hostname fails, abort these steps. 127 The candidate is not exposed. 129 5. Store the mDNS hostname and its related IP address in the ICE 130 agent for future reuse. 132 6. Replace the IP address of the ICE candidate with its mDNS 133 hostname and provide the candidate to the web application. 135 An ICE agent can implement this procedure in any way so long as it 136 produces equivalent results to this procedure. 138 An implementation may for instance pre-register mDNS hostnames by 139 executing steps 3 to 5 and prepopulate an ICE agent accordingly. By 140 doing so, only step 6 of the above procedure will be executed at the 141 time of gathering candidates. 143 An implementation may also detect that mDNS is not supported by the 144 available network interfaces. The ICE agent may skip steps 2 and 3 145 and directly decide to not expose the host candidate. 147 This procedure ensures that an mDNS name is used to replace only one 148 IP address. Specifically, an ICE agent using an interface with both 149 IPv4 and IPv6 addresses MUST expose a different mDNS name for each 150 address. 152 Any server-reflexive candidates generated from an mDNS local 153 candidate MUST have their raddr field set to 0.0.0.0 and their rport 154 field set to 0. 156 Any candidates exposed to the web application via local descriptions 157 MUST be identical to those provided during candidate gathering (i.e., 158 MUST NOT contain private host IP addresses). 160 3.2. ICE Candidate Processing 162 For any remote ICE candidate received by the ICE agent, the following 163 procedure is used: 165 1. If the connection-address field value of the ICE candidate does 166 not end with ".local" or if the value contains more than one ".", 167 then process the candidate as defined in [RFC8445]. 169 2. Otherwise, resolve the candidate using mDNS. 171 3. If it resolves to an IP address, replace the mDNS hostname of the 172 ICE candidate with the resolved IP address and continue 173 processing of the candidate. 175 4. Otherwise, ignore the candidate. 177 An ICE agent may use a hostname resolver that transparently supports 178 both Multicast and Unicast DNS. In this case the resolution of a 179 ".local" name may happen through Unicast DNS as noted in [RFC6762], 180 Section 3. 182 An ICE agent that supports mDNS candidates MUST support the situation 183 where the hostname resolution results in more than one IP address. 184 In this case, the ICE agent MUST take exactly one of the resolved IP 185 addresses and ignore the others. The ICE agent SHOULD, if available, 186 use the first IPv6 address resolved, otherwise the first IPv4 187 address. 189 4. Examples 191 In this example, mDNS candidates are exchanged between peers and 192 resolved to obtain the corresponding IP addresses. 194 ICE Agent 1 (1.1.1.1) ICE Agent 2 (2.2.2.2) 195 | | 198 |------- mDNS Candidate N1 ------>| 199 | | 202 |<------ mDNS Candidate N2 -------| 203 | | mDNS name N1> 205 |<==== STUN check to 1.1.1.1 =====| 206 |===== STUN check to 2.2.2.2 ====>| 207 | | 209 The following two examples indicate how peer-reflexive candidates for 210 host IP addresses can be created due to timing differences. 212 In this example, a peer-reflexive candidate is generated because the 213 mDNS candidate is signaled after the STUN checks begin. 215 ICE Agent 1 (1.1.1.1) ICE Agent 2 (2.2.2.2) 216 | | 219 |------- mDNS Candidate N1 ------>| 220 | | 222 |<==== STUN check to 1.1.1.1 =====| 223 prflx candidate | | 226 |<------ mDNS Candidate N2 -------| 227 | | 229 In this example, a peer-reflexive candidate is generated because the 230 mDNS resolution for name N2 does not complete until after the STUN 231 checks are received. 233 ICE Agent 1 (1.1.1.1) ICE Agent 2 (2.2.2.2) 234 | | for 2.2.2.2> 237 |------- mDNS Candidate N1 ------>| 238 |<------ mDNS Candidate N2 -------| 239 241 mDNS |<==== STUN check to 1.1.1.1 =====| 242 ... prflx candidate | | 243 name 2.2.2.2 created | | 244 ... | | 245 N2> | | 247 5. Privacy Considerations 249 The goal of this mechanism is to keep knowledge of private host IP 250 addresses within the ICE agent while continuing to allow the 251 application to transmit ICE candidates. Besides keeping private host 252 IP addresses out of ICE candidates, implementations must take steps 253 to prevent these IP addresses from being exposed to web applications 254 through other means. 256 5.1. Statistics 258 Statistics related to ICE candidates that are accessible to the web 259 application MUST NOT contain the IP address of a local or remote mDNS 260 candidate; the mDNS name SHOULD be used instead. 262 In addition, a peer-reflexive remote candidate may be constructed 263 from a remote host IP address as a result of an ICE connectivity 264 check, as described in Section 7.3.1.3 of [RFC8445]. This check may 265 arrive before the candidate due to signaling or mDNS resolution 266 delays, as shown in the examples above. 268 To prevent disclosure of the host IP address to the application in 269 this scenario, statistics related to ICE candidates MUST NOT contain 270 the IP address of any peer-reflexive candidate, unless that IP has 271 already been learned through signaling of a candidate with the same 272 address and either the same or a different port; this includes cases 273 where the signaled candidate is discarded as redundant according to 274 Section 5.1.3 of [RFC8445]. 276 5.2. Interactions With TURN Servers 278 When sending data to a TURN [RFC5766] server, the sending client 279 tells the server the destination IP and port for the data. This 280 means that if the client uses TURN to send to an IP that was obtained 281 by mDNS resolution, the TURN server will learn the underlying host IP 282 and port, and this information can then be relayed to the web 283 application, defeating the value of the mDNS wrapping. 285 To prevent disclosure of the host IP address to a TURN server, the 286 ICE agent MUST NOT form candidate pairs between its own relay 287 candidates and remote mDNS candidates. Note that the converse is not 288 an issue; the ICE agent MAY form candidate pairs between its own mDNS 289 candidates and remote relay candidates, as in this situation host IPs 290 will not be sent directly to the TURN server. 292 This restriction has no effect on connectivity; in the cases where 293 host IP addresses are private and need to be wrapped with mDNS names, 294 they will be unreachable from the TURN server, and as noted above, 295 the reverse path will continue to work normally. 297 5.3. Generated Names Reuse 299 It is important that use of registered mDNS hostnames is limited in 300 time and/or scope. Indefinitely reusing the same mDNS hostname 301 candidate would provide applications an even more reliable tracking 302 mechanism than the private IP addresses that this specification is 303 designed to hide. The use of registered mDNS hostnames SHOULD be 304 scoped by origin, and SHOULD have the lifetime of the page. 306 5.4. Specific Browsing Contexts 308 As noted in [IPHandling], privacy may be breached if a web 309 application running in two browsing contexts can determine whether it 310 is running on the same device. While the approach in this document 311 prevents the application from directly comparing local private IP 312 addresses, a successful local WebRTC connection can also present a 313 threat to user privacy. Specifically, when the latency of a WebRTC 314 connection latency is close to zero, the probability is high that the 315 two peers are running on the same device. 317 To avoid this issue, browsers SHOULD NOT register mDNS names for 318 WebRTC applications running in a third-party browsing context (i.e., 319 a context that has a different origin than the top-level browsing 320 context), or a private browsing context. 322 6. Security Considerations 324 6.1. mDNS Message Flooding 326 The implementation of this proposal requires the mDNS querying 327 capability of the browser for registering mDNS names or adding remote 328 ICE host candidates with such names. It also requires the mDNS 329 responding capability of either the browser or the operating platform 330 of the browser for registering, removing or resolving mDNS names. In 331 particular, 333 o the registration of name requires optional probing queries and 334 mandatory announcing responses ([RFC6762], Section 8), and this is 335 performed at the beginning of ICE gathering; 337 o the addition of remote ICE host candidates with mDNS names 338 generates mDNS queries for names of each candidate; 340 o the removal of names could happen when the browsing context of the 341 ICE agent is destroyed in an implementation, and goodbye responses 342 should be sent to invalidate records generated by the ICE agent in 343 the local network ([RFC6762], Section 10.1). 345 A malicious Web application could flood the local network with mDNS 346 messages by: 348 o creating browsing contexts that create ICE agents and start 349 gathering of local ICE host candidates; 351 o destroying these local candidates soon after the name registration 352 is done; 354 o adding fictitious remote ICE host candidates with mDNS names. 356 [RFC6762] defines a per-record multicast rate limiting rule, in which 357 a given record on a given interface cannot be sent less than one 358 second since its last transmission. This rate limiting rule however 359 does not mitigate the above attacks, in which new names, hence new 360 records, are constantly created and sent. A browser-wide mDNS 361 message rate limit MUST be provided for all messages that can be 362 indirectly dispatched by a web application, namely the probing 363 queries, announcement responses, resolution queries, and goodbye 364 responses associated with mDNS. 366 6.2. Malicious Responses to Deny Name Registration 368 If the optional probing queries are implemented for the name 369 registration, a malicious endpoint in the local network, which is 370 capable of responding mDNS queries, could send responses to block the 371 use of the generated names. This would lead to the discarding of 372 this ICE host candidate as in Step 5 in Section 3.1. 374 The above attack can be mitigated by skipping the probing when 375 registering a name, which also conforms to Section 8 in [RFC6762], 376 given that the name is randomly generated for the probabilistic 377 uniqueness (e.g. a version 4 UUID) in Step 3 in Section 3.1. 378 However, a similar attack can be performed by exploiting the negative 379 responses (defined in [RFC6762], Section 8.1), in which NSEC resource 380 records are sent to claim the nonexistence of records related to the 381 gathered ICE host candidates. 383 The existence of malicious endpoints in the local network poses a 384 generic threat, and requires dedicated protocol suites to mitigate, 385 which is beyond the scope of this proposal. 387 6.3. Monitoring of Sessions 389 A malicious endpoint in the local network may also record other 390 endpoints who are registering, unregistering, and resolving mDNS 391 names. By doing so, they can create a session log that shows which 392 endpoints are communicating, and for how long. If both endpoints in 393 the session are on the same network, the fact they are communicating 394 can be discovered. 396 As above, mitigation of this threat is beyond the scope of this 397 proposal. 399 7. IANA Considerations 401 This document requires no actions from IANA. 403 8. Specification Requirements 405 The proposal relies on identifying and resolving any mDNS-based ICE 406 candidates as part of adding/processing a remote candidate. [ICESDP] 407 section 4.1 could be updated to explicitly allow mDNS names in the 408 connection-address field. 410 The proposal relies on adding the ability to register mDNS names at 411 ICE gathering time. This could be described in [ICESDP] and/or 412 [WebRTCSpec]. 414 The proposal allows updating [IPHandling] so that mode 2 is not the 415 mode used by default when user consent is not required. Instead, the 416 default mode could be defined as mode 3 with mDNS-based ICE 417 candidates. 419 9. Informative References 421 [HTMLSpec] 422 "HTML Living Standard", n.d., 423 . 425 [ICESDP] Keranen, A., "Session Description Protocol (SDP) Offer/ 426 Answer procedures for Interactive Connectivity 427 Establishment (ICE)", April 2018, 428 . 431 [IPHandling] 432 Shieh, G., "WebRTC IP Address Handling Requirements", 433 April 2018, . 436 [IPLeak] "IP/DNS Detect", n.d., . 438 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 439 Requirement Levels", BCP 14, RFC 2119, 440 DOI 10.17487/RFC2119, March 1997, 441 . 443 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 444 Unique IDentifier (UUID) URN Namespace", RFC 4122, 445 DOI 10.17487/RFC4122, July 2005, 446 . 448 [RFC5766] Mahy, R., Matthews, P., and J. Rosenberg, "Traversal Using 449 Relays around NAT (TURN): Relay Extensions to Session 450 Traversal Utilities for NAT (STUN)", RFC 5766, 451 DOI 10.17487/RFC5766, April 2010, 452 . 454 [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, 455 DOI 10.17487/RFC6762, February 2013, 456 . 458 [RFC8445] Keranen, A., Holmberg, C., and J. Rosenberg, "Interactive 459 Connectivity Establishment (ICE): A Protocol for Network 460 Address Translator (NAT) Traversal", RFC 8445, 461 DOI 10.17487/RFC8445, July 2018, 462 . 464 [WebRTCSpec] 465 Bruaroey, J., "The WebRTC specification", n.d., 466 . 468 Authors' Addresses 469 Youenn Fablet 470 Apple Inc. 472 Email: youenn@apple.com 474 Jeroen de Borst 475 Google 477 Email: jeroendb@google.com 479 Justin Uberti 480 Google 482 Email: juberti@google.com 484 Qingsi Wang 485 Google 487 Email: qingsi@google.com