
Re: [Sip] Draft: draft-holmberg-sip-keep-00.txt




> -----Original Message-----
> From: Fredrik Thulin [mailto:ft at it.su.se]
>
> Hadriel Kaplan wrote:
> > Actually, it will cause problems for the device sending STUN, because
> that next-hop proxy will (rightly) consider it a malformed attack and
> blacklist the sender.
>
> It's not reasonable for a proxy to blacklist source IPs sending it stuff
> it doesn't like.

Au contraire.

> If you receive a UDP packet, it's a really rare case that you can know
> that the source IP wasn't spoofed.

I absolutely agree.  It is unknowable, sans some transport or IP level auth.

> If you blacklist based on source IP addresses, it will be very easy to
> denial of service your proxy by getting it to blacklist real clients or
> other SIP proxies for example.

If someone knows your IP+port and can successfully spoof it, they can DoS your service *anyway*.  That's the whole problem.  It's game over for your phone, period.  The goal of the proxy then is to stop that from impacting anyone _else_.


> That will be a much bigger problem for
> you than actually writing code that doesn't die when it receives unknown
> data (which you should do anyway, of course).

This has nothing to do with writing code that won't die.

-hadriel
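As an added illustration of the point argued in this exchange (this is example code, not part of the original message, the thread, or the draft under discussion): a small Python simulation of a UDP SIP listener that penalizes malformed datagrams per source address and blacklists a source after a threshold. It shows both halves of the argument. First, a proxy that does not know STUN treats a STUN Binding Request keepalive as unparseable bytes and ends up blacklisting the client sending them, while a proxy that recognizes STUN does not. Second, an attacker who forges a victim's source address can get that one source blacklisted, but other sources keep getting service. The minimal SIP and STUN classifiers, the strike threshold of three, the addresses, and the datagrams are all constructed for the example; the STUN check is based on the RFC 5389 header layout (first two bits zero, length a multiple of four, magic cookie at bytes 4 to 7).

```python
"""Per-source blacklisting on a UDP SIP listener, simulated.

Added example, not code from the original thread. Shows what a proxy that
penalizes malformed datagrams per source address does when (a) the datagrams
are STUN keepalives it does not understand and (b) an attacker spoofs a
victim's source address. Thresholds, addresses and payloads are constructed.
"""
import re
from collections import defaultdict

STUN_MAGIC_COOKIE = b"\x21\x12\xa4\x42"  # RFC 5389 fixed value at bytes 4..7
# Deliberately minimal: a SIP request line or a SIP status line.
SIP_START_LINE = re.compile(rb"^(?:[A-Z]+ \S+ SIP/2\.0\r\n|SIP/2\.0 \d{3} )")


def classify_datagram(data: bytes) -> str:
    """Return 'sip', 'stun' or 'malformed' for one UDP payload."""
    if SIP_START_LINE.match(data):
        return "sip"
    # RFC 5389 header: top two bits zero, 16-bit length (multiple of 4),
    # magic cookie, 12-byte transaction id; total 20 bytes plus the body.
    if len(data) >= 20 and (data[0] & 0xC0) == 0 and data[4:8] == STUN_MAGIC_COOKIE:
        body_len = int.from_bytes(data[2:4], "big")
        if body_len % 4 == 0 and len(data) == 20 + body_len:
            return "stun"
    return "malformed"


class PerSourceFilter:
    """Counts malformed datagrams per (ip, port) and blacklists at threshold.

    understands_stun=False models a proxy that predates STUN keepalives:
    a STUN Binding Request is just unparseable bytes to it.
    """

    def __init__(self, threshold: int = 3, understands_stun: bool = False):
        self.threshold = threshold
        self.understands_stun = understands_stun
        self.strikes = defaultdict(int)
        self.blacklist = set()

    def handle(self, src: tuple, data: bytes) -> str:
        if src in self.blacklist:
            return "dropped"
        kind = classify_datagram(data)
        if kind == "stun" and not self.understands_stun:
            kind = "malformed"
        if kind == "malformed":
            self.strikes[src] += 1
            if self.strikes[src] >= self.threshold:
                self.blacklist.add(src)
            return "penalized"
        return "accepted-" + kind


# Constructed sample datagrams (documentation addresses, RFC 5737).
SIP_OPTIONS = (b"OPTIONS sip:proxy.example.com SIP/2.0\r\n"
               b"Via: SIP/2.0/UDP 198.51.100.10:5060;branch=z9hG4bK776\r\n"
               b"Max-Forwards: 70\r\n\r\n")
# STUN Binding Request: type 0x0001, length 0, magic cookie, 12-byte txn id.
STUN_BINDING = b"\x00\x01\x00\x00" + STUN_MAGIC_COOKIE + bytes(range(12))
GARBAGE = b"\xff\xfe\x00\x00not sip, not stun"

VICTIM = ("198.51.100.10", 5060)
BYSTANDER = ("203.0.113.7", 5060)


def keepalive_scenario(understands_stun: bool) -> list:
    """VICTIM sends three STUN keepalives, then a real OPTIONS request."""
    f = PerSourceFilter(threshold=3, understands_stun=understands_stun)
    outcomes = [f.handle(VICTIM, STUN_BINDING) for _ in range(3)]
    outcomes.append(f.handle(VICTIM, SIP_OPTIONS))
    return outcomes


def spoof_scenario() -> dict:
    """Attacker forges VICTIM's source on garbage; BYSTANDER is unaffected."""
    f = PerSourceFilter(threshold=3)
    for _ in range(3):
        f.handle(VICTIM, GARBAGE)  # source address spoofed by the attacker
    return {
        "victim": f.handle(VICTIM, SIP_OPTIONS),
        "bystander": f.handle(BYSTANDER, SIP_OPTIONS),
    }


if __name__ == "__main__":
    print(keepalive_scenario(understands_stun=False))  # STUN counted as malformed
    print(keepalive_scenario(understands_stun=True))
    print(spoof_scenario())
```

The hard blacklist is the simplest form of the behaviour being debated; a real proxy would more likely use a decaying per-source rate limit so that a spoofed burst costs the forged source a short outage rather than a permanent ban, but the scoping argument is the same either way: the penalty attaches to the (spoofable) source address and to nothing else.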
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip