
Re: [Sip] draft-state-sip-relay-attack-00



On 07.03.2009 at 20:18, Hadriel Kaplan wrote:
So a requirement to make the attack possible is that the user agent
responds to challenges generated for in-dialog requests.

Right, and that the attacked domain accepts INVITEs from its AoR's with non-registered Contacts; or accepts INVITEs from its static AoR's to come in from unknown locations.  That's pretty rare in my world, but ymmv.

Luckily it seems we are not living in the same world :-)
I call it a feature that I can make authenticated calls without being registered.

[...]

- I never understood why a proxy should pass through the authentication
request from a foreign domain.
Because this is how it is specified in section 22.3 of RFC3261.

And it would have to continue to do so.  There are actual use-cases for this.

Could you please share one of these use-cases with me?

I think there's even a reasonable use-case for challenging in-dialog requests: connected-identity, for example.

But you don't even need to challenge in-dialog requests for this form of attack: if the victim calls you, then you can challenge the initial INVITE.

Sorry, but how is this going to work in a world without an SBC which knows my credentials? Remember my proxy cannot answer the challenge (CSeq mismatch). And the caller hopefully does not know my credentials, otherwise the whole attack would be pointless.

Cheers
  Nils