Add the option to check the source address of ClientHello message on DTLS-SRTP

[trengginas]

There is a possible issue with DTLS “ClientHello” Race Conditions leading to DDoS attack.
This is done by sending a malicious DTLS ClientHello message from any
IP address to the expected port, potentially causing a “network race condition” if the malicious
messages is processed before the legitimate one.
For ICE use, this patch will add pj_ice_sess_options::check_src_addr and PJ_ICE_SESS_CHECK_SRC_ADDR to allow ICE session
to check the source against the 'verified' remote candidate. i.e.: remote candidates which has
a completed connectivity check or received a connectivity check.
For non-ICE use, this patch will add the option (PJMEDIA_SRTP_DTLS_CHECK_HELLO_ADDR) to enable checking the source address of the "ClientHello" message is coming from the source specified in the SDP.

This patch will also add the change related to ICE behavior:

• When ICE is completed, any incoming check will be ignored.
  

  pjproject/pjnath/src/pjnath/ice_session.c

  Lines 2720 to 2727 in 205baf0

  	/* Check if ICE has been completed */
  	if (ice->is_complete) {
  	LOG4((ice->obj_name,
  	"Ignored completed STUN request after ICE nego has been "
  	"completed!"));
  	pj_grp_lock_release(ice->grp_lock);
  	return;
  	}

  
  However, the STUN request itself has been answered previously. In an aggressive nomination setting, this will be problematic since this will indicate that the new nomination was accepted. In this case, we can ignore the new nomination.

[nanangizz]

Please make sure this is tested with various scenarios, e.g:

• with & without ICE,
• ICE chooses TURN & STUN/host as valid candidate.

[sauwming]

Why do we need a compile-time setting? and why is the default 0 if it may cause a security issue?

[trengginas]

It might add a slight delay in starting the handshake (wait for the transport address and RTP source address to be available) and possible issues when using aggressive nomination.

[sauwming]

After reading the pdf, I believe the address check should be made mandatory for ICE, and the address should match one of the verified (valid?) candidates obtained during ICE check, so there should be no delay because ICE check has been done.

For no-ICE, then you can use the compile-time setting, because the best we can do is compare it with the SDP address, which may not be accurate.

[trengginas]

Please make sure this is tested with various scenarios, e.g:

• with & without ICE,
• ICE chooses TURN & STUN/host as valid candidate.

When using this option, it is recommended to use regular nomination for ICE. When enabling STUN with aggressive nomination might result in a different candidate pair type being used between endpoints and preventing the handshake.

[trengginas]

This is the case when using ICE with STUN (aggressive nomination):
caller side:

14:13:01.139        icetp00  ICE negotiation success after 0s:055
14:13:01.139        icetp00   Comp 1: sending from srflx candidate 117.90.81.147:12322 to srflx candidate 117.90.81.147:12325
14:13:01.141        icetp00   Comp 2: sending from host candidate 192.168.100.51:9938 to host candidate 192.168.100.51:4003
...
14:13:02.177   dtls0326C288 !DTLS-SRTP RTCP channel ignoring 222 bytes, src addr [117.90.81.147:12327], expecting from [192.168.100.51:4003]
14:13:02.201   dtls0326C288  DTLS-SRTP negotiation for RTP channel completed!

===

callee side:

14:13:01.142        icetp00  ICE negotiation success after 0s:069
14:13:01.143        icetp00   Comp 1: sending from srflx candidate 117.90.81.147:12325 to srflx candidate 117.90.81.147:12322
14:13:01.143        icetp00   Comp 2: sending from srflx candidate 117.90.81.147:12327 to srflx candidate 117.90.81.147:12324

===

[nanangizz]

For trickle ICE, the candidates may be added rapidly while app is allowed to send/recv data before the ICE nego is completed. So if the proposed feature is on, perhaps it should indeed check the source address against all remote candidates. This may be applicable for aggressive mode too.

[nanangizz]

So now, does it work for aggressive & trickle modes?

[trengginas]

So now, does it work for aggressive & trickle modes?

Yes, now working with aggressive and trickle

[sauwming]

For ICE:
It seems that enum_cands() will enumerate all candidates regardless of the candidate status (even the failed ones?). The recommendation is to compare it with verified candidates (i.e. the candidates that have passed the media consent verification phase).
So there are two options:
a. modify the API to return only verified candidates: enum_verified_cands(), or
b. let ICE handle the verification: pjmedia_ice_verify_remote_cand()

If no ICE is used:
The recommendation is to compare it with the SDP address.

new modification

[nanangizz]

For ICE: It seems that enum_cands() will enumerate all candidates regardless of the candidate status (even the failed ones?). The recommendation is to compare it with verified candidates (i.e. the candidates that have passed the media consent verification phase). So there are two options: a. modify the API to return only verified candidates: enum_verified_cands(), or b. let ICE handle the verification: pjmedia_ice_verify_remote_cand()

It looks like "verified" is specific to the recommendation, not really ICE things?
If it does, adding pair-check-status-info for each candidate should be more natural than adding "verified" APIs to ICE.
Then it is app/DTLS responsibility to "translate" pair-check-status to "verified".

[sauwming]

It looks like "verified" is specific to the recommendation, not really ICE things?

Correct. ICE itself doesn't use the term "verified", and the document explains it in the media consent verification phase, which means that that the other party is the peer they claim to be. So this way, security can be achieved.

If it does, adding pair-check-status-info for each candidate should be more natural than adding "verified" APIs to ICE. Then it is app/DTLS responsibility to "translate" pair-check-status to "verified".

Yes, this is fine too. So, it means that enum_cands() will also return the status of the candidates, right?

[nanangizz]

Yes, this is fine too. So, it means that enum_cands() will also return the status of the candidates, right?

Yes. Note that in ICE, the status belongs to pair-check instead of candidate, a remote candidate may be paired (& checked) against multiple local candidates. If DTLS just needs to list remote candidates that has been checked, it can be done but needs to be clarified in the docs.

[trengginas]

There's an issue when using aggressive nomination/trickle:
The controlled and controlling side might use different candidates.
Controlling side:

15:15:55.315  stuse03EDF9E8  .RX 120 bytes STUN message from 192.168.100.51:4008:
--- begin STUN message ---
STUN Binding request
 Hdr: length=100, magic=2112a442, tsx_id=00002c605772139d26ca369a
 Attributes:
  ICE-CONTROLLED: length=8, data=2e4013661cd0366b
--- end of STUN message ---
15:15:55.315  stuse03EDF9E8  ..TX 88 bytes STUN message to 192.168.100.51:4008:
--- begin STUN message ---
STUN Binding success response
 Hdr: length=68, magic=2112a442, tsx_id=00002c605772139d26ca369a
--- end of STUN message ---

15:15:55.323        icetp00  Starting checklist periodic check
15:15:55.323        icetp00  .Sending connectivity check for check 1: [2] 192.168.100.51:9933-->100.100.100.100:21760
15:15:55.323  stuse03EE0F50  ...TX 124 bytes STUN message to 100.100.100.100:21760:
--- begin STUN message ---
STUN Binding request
 Hdr: length=104, magic=2112a442, tsx_id=00002d906e5d1ad445091239
 Attributes:
  USE-CANDIDATE: length=0
  ICE-CONTROLLING: length=8, data=0124305e440d491c
--- end of STUN message ---
15:15:55.323   utsx03F09E00  ...STUN client transaction created
15:15:55.323   utsx03F09E00  ...STUN sending message (transmit count=1)
15:15:55.324        icetp00  ..Check 1: [2] 192.168.100.51:9933-->100.100.100.100:21760: state changed from Waiting to In Progress
15:15:55.340  stuse03EE0F50 !.RX 120 bytes STUN message from 100.100.100.100:21760:
--- begin STUN message ---
STUN Binding request
 Hdr: length=100, magic=2112a442, tsx_id=00002c607049692c26ca369b
 Attributes:
  ICE-CONTROLLED: length=8, data=2e4013661cd0366b
--- end of STUN message ---
15:15:55.340  stuse03EE0F50  ..TX 88 bytes STUN message to 100.100.100.100:21760:
--- begin STUN message ---
STUN Binding success response
 Hdr: length=68, magic=2112a442, tsx_id=00002c607049692c26ca369b
 Attributes:
--- end of STUN message ---
15:15:55.341        icetp00  .Triggered check for check 1 not performed because it's in progress. Retransmitting
15:15:55.341   utsx03F09E00  ..STUN sending message (transmit count=1)
15:15:55.345        icetp00  Starting checklist periodic check
15:15:55.345        icetp00  .Sending connectivity check for check 3: [2] 192.168.100.51:9933-->192.168.100.51:4003
15:15:55.345  stuse03EE0F50  ...TX 124 bytes STUN message to 192.168.100.51:4003:
--- begin STUN message ---
STUN Binding request
 Hdr: length=104, magic=2112a442, tsx_id=00002d9063cb6bfc4509123a
 Attributes:
  USE-CANDIDATE: length=0
  ICE-CONTROLLING: length=8, data=0124305e440d491c
--- end of STUN message ---
15:15:55.345   utsx03F08CE0  ...STUN client transaction created
15:15:55.345   utsx03F08CE0  ...STUN sending message (transmit count=1)
15:15:55.346        icetp00  ..Check 3: [2] 192.168.100.51:9933-->192.168.100.51:4003: state changed from Frozen to In Progress
15:15:55.346  stuse03EE0F50  .RX 88 bytes STUN message from 192.168.100.51:4003:
--- begin STUN message ---
STUN Binding success response
 Hdr: length=68, magic=2112a442, tsx_id=00002d9063cb6bfc4509123a
 Attributes:
--- end of STUN message ---
15:15:55.346        icetp00  .Check 3: [2] 192.168.100.51:9933-->192.168.100.51:4003 (nominated): connectivity check SUCCESS
15:15:55.346        icetp00  .Check 3: [2] 192.168.100.51:9933-->192.168.100.51:4003: state changed from In Progress to Succeeded
15:15:55.347        icetp00  .Check 3 is successful and nominated
15:15:55.347        icetp00  .Cancelling check 1: [2] 192.168.100.51:9933-->100.100.100.100:21760 (In Progress)
15:15:55.347 stun_session.c  .tdata 03F09CDC destroy request, force=0, tsx=03F09E00, destroying=0
15:15:55.347   utsx03F09E00  .STUN transaction 03F09E00 schedule destroy
15:15:55.347        icetp00  .Check 1: [2] 192.168.100.51:9933-->100.100.100.100:21760: state changed from In Progress to Failed
15:15:55.348        icetp00  .ICE process complete, status=Success
15:15:55.348        icetp00  .Valid list
15:15:55.348        icetp00  . 0: [1] 100.100.100.100:21818-->100.100.100.100:21823 (nominated, state=Succeeded)
15:15:55.348        icetp00  . 1: [2] 192.168.100.51:9933-->192.168.100.51:4003 (nominated, state=Succeeded)

Controlled side:

15:15:55.313        icetp00  .Sending connectivity check for check 2: [1] 192.168.100.51:4008-->192.168.100.51:9937
15:15:55.313  stuse035B3770  ...TX 120 bytes STUN message to 192.168.100.51:9937:
--- begin STUN message ---
STUN Binding request
 Hdr: length=100, magic=2112a442, tsx_id=00002c605772139d26ca369a
 Attributes:
  ICE-CONTROLLED: length=8, data=2e4013661cd0366b
--- end of STUN message ---

15:15:55.313   utsx035A0A4C  ...STUN client transaction created
15:15:55.313   utsx035A0A4C  ...STUN sending message (transmit count=1)
15:15:55.313        icetp00  ..Check 2: [1] 192.168.100.51:4008-->192.168.100.51:9937: state changed from Waiting to In Progress
15:15:55.315  stuse035B3770  .RX 88 bytes STUN message from 192.168.100.51:9937:
--- begin STUN message ---
STUN Binding success response
 Hdr: length=68, magic=2112a442, tsx_id=00002c605772139d26ca369a
--- end of STUN message ---

15:15:55.315        icetp00  .Check 2: [1] 192.168.100.51:4008-->192.168.100.51:9937 (not nominated): connectivity check SUCCESS
15:15:55.315        icetp00  .Check 2: [1] 192.168.100.51:4008-->192.168.100.51:9937: state changed from In Progress to Succeeded
15:15:55.315        icetp00  .Check 3: [2] 192.168.100.51:4003-->192.168.100.51:9933: state changed from Frozen to Waiting
15:15:55.316        icetp00  .Check 2 is successful
15:15:55.316 stun_session.c  .tdata 035A092C destroy request, force=0, tsx=035A0A4C, destroying=0
15:15:55.316   utsx035A0A4C  .STUN transaction 035A0A4C schedule destroy
15:15:55.317  stuse035B3770  .RX 88 bytes STUN message from 100.100.100.100:21818:
--- begin STUN message ---
STUN Binding success response
 Hdr: length=68, magic=2112a442, tsx_id=00002c6009027bb926ca3699
--- end of STUN message ---

15:15:55.317        icetp00  .Check 0: [1] 192.168.100.51:4008-->100.100.100.100:21818 (nominated): connectivity check SUCCESS
15:15:55.317        icetp00  .Check 0: [1] 192.168.100.51:4008-->100.100.100.100:21818: state changed from In Progress to Succeeded
15:15:55.318        icetp00  .Check 1: [2] 192.168.100.51:4003-->100.100.100.100:21821: state changed from Frozen to Waiting
15:15:55.318        icetp00  .Check 0 is successful and nominated
15:15:55.318 stun_session.c  .tdata 035A3844 destroy request, force=0, tsx=035A3964, destroying=0
15:15:55.318   utsx035A3964  .STUN transaction 035A3964 schedule destroy
15:15:55.335        icetp00 !Starting checklist periodic check
15:15:55.335        icetp00  .Sending connectivity check for check 1: [2] 192.168.100.51:4003-->100.100.100.100:21821
15:15:55.336  stuse035B5568  ...TX 120 bytes STUN message to 100.100.100.100:21821:
--- begin STUN message ---
STUN Binding request
 Hdr: length=100, magic=2112a442, tsx_id=00002c607049692c26ca369b
 Attributes:
  ICE-CONTROLLED: length=8, data=2e4013661cd0366b
--- end of STUN message ---

15:15:55.336   utsx035A4ECC  ...STUN client transaction created
15:15:55.336   utsx035A4ECC  ...STUN sending message (transmit count=1)
15:15:55.336        icetp00  ..Check 1: [2] 192.168.100.51:4003-->100.100.100.100:21821: state changed from Waiting to In Progress
15:15:55.346  stuse035B5568  .RX 124 bytes STUN message from 192.168.100.51:9933:
--- begin STUN message ---
STUN Binding request
 Hdr: length=104, magic=2112a442, tsx_id=00002d9063cb6bfc4509123a
 Attributes:
  USE-CANDIDATE: length=0
  ICE-CONTROLLING: length=8, data=0124305e440d491c
--- end of STUN message ---

15:15:55.346  stuse035B5568  ..TX 88 bytes STUN message to 192.168.100.51:9933:
--- begin STUN message ---
STUN Binding success response
 Hdr: length=68, magic=2112a442, tsx_id=00002d9063cb6bfc4509123a
--- end of STUN message ---

15:15:55.346        icetp00  .Performing triggered check for check 3
15:15:55.346        icetp00  ..Sending connectivity check for check 3: [2] 192.168.100.51:4003-->192.168.100.51:9933
15:15:55.347  stuse035B5568  ....TX 120 bytes STUN message to 192.168.100.51:9933:
--- begin STUN message ---
STUN Binding request
 Hdr: length=100, magic=2112a442, tsx_id=00002c604a80187e26ca369c
 Attributes:
  ICE-CONTROLLED: length=8, data=2e4013661cd0366b
--- end of STUN message ---

15:15:55.347   utsx035A1724  ....STUN client transaction created
15:15:55.347   utsx035A1724  ....STUN sending message (transmit count=1)
15:15:55.347        icetp00  ...Check 3: [2] 192.168.100.51:4003-->192.168.100.51:9933: state changed from Waiting to In Progress
15:15:55.347  stuse035B5568  .RX 88 bytes STUN message from 100.100.100.100:21821:
--- begin STUN message ---
STUN Binding success response
 Hdr: length=68, magic=2112a442, tsx_id=00002c607049692c26ca369b
--- end of STUN message ---

15:15:55.347        icetp00  .Check 1: [2] 192.168.100.51:4003-->100.100.100.100:21821 (not nominated): connectivity check SUCCESS
15:15:55.347        icetp00  .Check 1: [2] 192.168.100.51:4003-->100.100.100.100:21821: state changed from In Progress to Succeeded
15:15:55.348        icetp00  .Check 1 is successful
15:15:55.348 stun_session.c  .tdata 035A4DAC destroy request, force=0, tsx=035A4ECC, destroying=0
15:15:55.348   utsx035A4ECC  .STUN transaction 035A4ECC schedule destroy
15:15:55.348  stuse035B5568  .RX 124 bytes STUN message from 100.100.100.100:21821:
--- begin STUN message ---
STUN Binding request
 Hdr: length=104, magic=2112a442, tsx_id=00002d906e5d1ad445091239
 Attributes:
  USE-CANDIDATE: length=0
  ICE-CONTROLLING: length=8, data=0124305e440d491c
--- end of STUN message ---

15:15:55.348  stuse035B5568  ..TX 88 bytes STUN message to 100.100.100.100:21821:
--- begin STUN message ---
STUN Binding success response
 Hdr: length=68, magic=2112a442, tsx_id=00002d906e5d1ad445091239
--- end of STUN message ---

15:15:55.348        icetp00  .Valid check 1: [2] 100.100.100.100:21760-->100.100.100.100:21821 is nominated
15:15:55.348        icetp00  .Triggered check for check 1 not performed because it's completed
15:15:55.349        icetp00  ..Check 1 is successful and nominated
15:15:55.349        icetp00  ..Cancelling check 3: [2] 192.168.100.51:4003-->192.168.100.51:9933 (In Progress)
15:15:55.349 stun_session.c  ..tdata 035A1604 destroy request, force=0, tsx=035A1724, destroying=0
15:15:55.349   utsx035A1724  ..STUN transaction 035A1724 schedule destroy
15:15:55.349        icetp00  ..Check 3: [2] 192.168.100.51:4003-->192.168.100.51:9933: state changed from In Progress to Failed
15:15:55.349        icetp00  ..ICE process complete, status=Success
15:15:55.349        icetp00  ..Valid list
15:15:55.350        icetp00  .. 0: [1] 100.100.100.100:21823-->100.100.100.100:21818 (nominated, state=Succeeded)
15:15:55.350        icetp00  .. 1: [2] 100.100.100.100:21760-->100.100.100.100:21821 (nominated, state=Succeeded)
15:15:55.350        icetp00  .. 2: [1] 192.168.100.51:4008-->192.168.100.51:9937 (not nominated, state=Succeeded)

Check 1 connectivity check was received late, so the controlling side will use Check 3 instead and fail the Check 1.
However on the controlled side, it uses Check 1.

[sauwming]

It looks like it's caused by PJ_ICE_CANCEL_ALL (by default 1):

pjproject/pjnath/src/pjnath/ice_session.c

Lines 1734 to 1741 in f986ad8

	} else if (c->state == PJ_ICE_SESS_CHECK_STATE_IN_PROGRESS
	&& (PJ_ICE_CANCEL_ALL ||
	CMP_CHECK_PRIO(c, check) < 0)) {
	/* State is IN_PROGRESS, cancel transaction */
	if (c->tdata) {
	LOG5((ice->obj_name,
	"Cancelling check %s (In Progress)",

pjproject/pjnath/include/pjnath/config.h

Lines 352 to 360 in f986ad8

	* If a higher priority check is In Progress, this rule would cause that
	* check to be performed even when it most likely will fail.
	*
	* The macro here controls if ICE session should cancel all In Progress
	* checks for the same component regardless of its priority.
	*
	* Default: 1 (yes, cancel all)
	*/
	#ifndef PJ_ICE_CANCEL_ALL

I don't quite understand the reasoning why we enable this setting by default though, especially about the statement even when it most likely will fail.
So perhaps try disabling this setting?

[trengginas]

After setting PJ_ICE_CANCEL_ALL 0, the check still got cancelled because it has less priority.
On the controlled side, the ICE check is already completed (received a connectivity check response) and will ignore any
other connectivity check response. (e.g.: on the controlled side Check 3 response was received first and ICE is completed, after Check 1 response will be ignored).
If we want to mandate this feature for ICE, perhaps we can add and option to check the source address against all the candidates instead of valid candidates, to accommodate the aggressive nomination.

[sauwming]

Yes, we need to check against all verified remote candidates. According to my understanding (let me know if this is not correct), a verified remote candidate is a remote candidate that has successfully sent an ICE check to us.

[trengginas]

I assume verified means it has the connectivity check done successfully. If using an aggressive nomination (as above), the controlling and controlled agent might use different candidates.
The check is done on the controlling side, and it will fail the connectivity check for the candidate used by the controlled side.
The source address check will fail if using verified candidates.
Note:
The document bases the ICE operation on rfc8445, which already deprecates aggressive nomination.

Nomination:  The process of the controlling agent indicating to the
      controlled agent which candidate pair the ICE agents will use for
      sending and receiving data.  The nomination process defined in
      this specification was referred to as "regular nomination" in [RFC](https://datatracker.ietf.org/doc/html/rfc5245)
      [5245](https://datatracker.ietf.org/doc/html/rfc5245).  The nomination process that was referred to as "aggressive
      nomination" in [RFC 5245](https://datatracker.ietf.org/doc/html/rfc5245) has been deprecated in this specification.

[nanangizz]

From the docs:

Media consent verification uses the ICE candidate information to verify that both WebRTC peers can
(a) communicate with each other via a reliable path and
(b) that the other party is the peer they claim to be.

I think we can interpret it as:
(a) remote STUN check request has reached us (connectivity)
(b) remote uses correct user/pass in its STUN check request (authentication)

So I agree with @sauwming that a verified remote candidate is a remote candidate that has successfully sent an ICE check to us, with additional note, it uses the correct user & pass (I think our ICE/STUN implementation has checked the user/pass before responding, need to verify though). IIRC ICE doesn't maintain a list of them.

Furthermore, if ICE is active, what if we put the source check in ICE itself, e.g: in pj_ice_sess_on_rx_pkt(), and as usual, it is better configurable.

[nanangizz]

• Specify the reason of ignoring, e.g: s/"component [%d], from src addr [%s]"/"component %d because source address %s is unrecognized"? Note that pj_sockaddr_print(..,3) will also print bracket for IPv6.
• Won't log level 2 be too verbose for low level API, perhaps 4?

[nanangizz]

This part seems rather OOT and change the ICE flow/algo? Usually this kind of changes is specified (including the reason) in the PR desc.

[nanangizz]

why not boolean?

[nanangizz]

still used?

[nanangizz]

still used?

[nanangizz]

Need to specify that this flag is only used by remote candidate?

[sauwming]

Is this still needed if the check is already done in ICE?

And if we don't use ICE, should we compare it against the SDP?
I don't mind if we don't, but we need to document it somewhere

[sauwming]

Won't this slow down ICE tp considerably, if we have to iterate through all remote candidates for every packet?