
[Sip] More security issues in draft-ietf-sip-session-policy-framework



Hi
I've read the sip-policy-framework draft recently.
 
The "Security Consideration" part mainly talks about the confidentiality issues. But I think there is one more security consideration which isn't taken into account in this draft: there is no mechanism helping the proxy ensure that the UA has changed the parameter of the request according to the policy received from a policy server. Thus the UA or an attacker may change the policy for some malicious purposes, and the proxy will forward the session since there is already a "Policy-Id" in place.
 
Do you think it's a security problem or not? Can anyone give some suggestions on how to solve it?
 
Any comment is appreciated.


_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip