[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Sip] comments on draft-zourzouvillys-sip-via-cookie-02

To: IETF SIP List <sip at ietf.org>
Subject: [Sip] comments on draft-zourzouvillys-sip-via-cookie-02
From: Jonathan Rosenberg <jdrosen at cisco.com>
Date: Sat, 14 Mar 2009 09:38:29 -0400
Authentication-results: sj-dkim-1; header.From=jdrosen at cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Delivered-to: sip at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=1386; t=1237037911; x=1237901911; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jdrosen at cisco.com; z=From:=20Jonathan=20Rosenberg=20<jdrosen at cisco.com> |Subject:=20comments=20on=20draft-zourzouvillys-sip-via-coo kie-02 |Sender:=20; bh=Vj7py1AjFMlDpXMrtjbSnWoCIPw79sJhqwsLPpiWKVE=; b=Sz5+6yuQ78XeXx2Z3r25n5WDbNN4ijDNmqpvc1m0N/AfAB+l4WNcDVMDEN 6rhPRQrJwBQR3gHDmwXxm8M0exUgAjN03V6LYevUmWDqaGo4dKWsETNODtU1 vx/T/OmCKAXMDGYAwSmRs6/GDCK79JJ0hSQAYshW8B4asJ2Q8z9tE=;
List-archive: <http://www.ietf.org/mail-archive/web/sip>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
User-agent: Thunderbird 2.0.0.9 (Windows/20071031)

Theo,

Thanks for writing this up.

A few comments.

Firstly, it seems that the easiest solution is just 'use tcp'. This isone of many reasons (and growing) why we need to be pushingimplementations to tcp.

Secondly, if you want to do this for UDP, you could instead useanonymous authentication. Then, the existing nonce takes on the role ofa cookie. I suspect that anonymous authentication is not widelyimplemented, but neither is a new protocol. That said, I think the rightanswer still is 'use tcp'.

Finally, the media portion of this attack, as you point out, is far moredisruptive. That attack does not require spoofing even; just listing theIP address/port of the target in the SDP of the INVITE. We were callingthis the 'voice hammer' attack, originally documented here:


http://tools.ietf.org/html/draft-rosenberg-mmusic-rtp-denialofservice-00

and described in Section 18.5.1 of ICE. The via cookie mechanism youpropose, SIP-over-TCP, or anonymous authentication, none of them fixthis attack. AFAIK, ICE is the only remedy.


-Jonathan R.



--
Jonathan D. Rosenberg, Ph.D.                   111 Wood Avenue South
Cisco Fellow                                   Iselin, NJ 08830
Cisco, Voice Technology Group
jdrosen at cisco.com
http://www.jdrosen.net                         PHONE: (408) 902-3084
http://www.cisco.com

Follow-Ups:
- Re: [Sip] comments on draft-zourzouvillys-sip-via-cookie-02
  - From: Theo Zourzouvillys

Prev by Date: Re: [Sip] draft-state-sip-relay-attack-00
Next by Date: Re: [Sip] comments on draft-zourzouvillys-sip-via-cookie-02
Previous by thread: [Sip] draft-ietf-sip-199-06
Next by thread: Re: [Sip] comments on draft-zourzouvillys-sip-via-cookie-02
Index(es):
- Date
- Thread