
Re: [Sipping] SIP Identity Usage in Enterprise Scenarios



moving to mmusic since we are now talking about ICE.

Michael Slavitch wrote:

> As a further update to my previous email, look at the USERNAME provision
> in the current ID for ICE (draft 05), which I consider a weakness of the
> protocol.

Firstly, it has been pointed out to me by several sources that the security mechanism in the most recent ICE draft is severely broken. I had somehow gotten it into my head that we didn't need to convey both the username and password, which is false.


The next ICE draft will revert to what was there previously; each side conveys a username fragment and one side provides the password.


> My preference would be to replace that password with some kind of MIKEY exchange such that the password is only for that session, otherwise you'll see cheap phones or all with the same password being vulnerable, which I suggest is a strong weakness of ICE.

Why would this happen? The password needs to be selected randomly for each candidate. That's a requirement of the protocol. It's not that hard to create a random number.


-Jonathan R.
--
Jonathan D. Rosenberg, Ph.D.                   600 Lanidex Plaza
Director, Service Provider VoIP Architecture   Parsippany, NJ 07054-2711
Cisco Systems
jdrosen at cisco.com                              FAX:   (973) 952-5050
http://www.jdrosen.net                         PHONE: (973) 952-5000
http://www.cisco.com
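As an added illustration of the credential exchange the reply describes (this is example code written for this page, not code from the thread, the ICE draft, or any Cisco implementation), the following Python generates a fresh random username fragment and password per session, builds a STUN Binding request carrying USERNAME and MESSAGE-INTEGRITY keyed with the peer's password, and verifies it on the receiving side. It follows the short-term credential mechanism as later published in RFC 5245 (USERNAME is remote-ufrag:local-ufrag) and RFC 5389 (HMAC-SHA1 over the message with the length field counting the integrity attribute), not the draft-05 text under discussion, and all function names and sample values are the example's own.

```python
import hashlib
import hmac
import secrets
import struct

# STUN constants from RFC 5389.
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_MESSAGE_INTEGRITY = 0x0008

# ice-ufrag / ice-pwd alphabet (RFC 5245: alphanumerics plus '+' and '/').
ICE_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def new_ice_credentials():
    """Fresh random credentials for one ICE session; never reused across calls.

    RFC 5245 requires at least 4 characters of ufrag and 22 of password
    (24 and 128 bits of randomness respectively); we use a little more.
    """
    ufrag = "".join(secrets.choice(ICE_CHARS) for _ in range(8))
    pwd = "".join(secrets.choice(ICE_CHARS) for _ in range(24))
    return ufrag, pwd


def _attr(attr_type, value):
    """Encode one TLV attribute, padded to a 4-byte boundary."""
    pad = (4 - len(value) % 4) % 4
    return struct.pack("!HH", attr_type, len(value)) + value + b"\x00" * pad


def build_binding_request(remote_ufrag, local_ufrag, remote_pwd, txid=None):
    """Sender side: USERNAME = remote:local, MESSAGE-INTEGRITY keyed with the
    peer's password (the key the peer will use to check us)."""
    txid = txid or secrets.token_bytes(12)
    username = f"{remote_ufrag}:{local_ufrag}".encode()
    body = _attr(ATTR_USERNAME, username)
    # The length field must already count the 24-byte MESSAGE-INTEGRITY
    # attribute (4 header + 20 HMAC) when the HMAC is computed (RFC 5389 15.4).
    header = struct.pack("!HHI", BINDING_REQUEST, len(body) + 24, MAGIC_COOKIE) + txid
    mac = hmac.new(remote_pwd.encode(), header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def parse_attributes(msg):
    """Return (type, offset, value) for every attribute after the 20-byte header."""
    attrs = []
    off = 20
    while off + 4 <= len(msg):
        attr_type, length = struct.unpack("!HH", msg[off:off + 4])
        attrs.append((attr_type, off, msg[off + 4:off + 4 + length]))
        off += 4 + length + ((4 - length % 4) % 4)
    return attrs


def verify_binding_request(msg, local_ufrag, local_pwd):
    """Receiver side: the USERNAME must start with our ufrag and the
    MESSAGE-INTEGRITY must verify under our own password."""
    if len(msg) < 20:
        return False
    mtype, mlen, cookie = struct.unpack("!HHI", msg[:8])
    if mtype != BINDING_REQUEST or cookie != MAGIC_COOKIE or mlen != len(msg) - 20:
        return False
    attrs = parse_attributes(msg)
    username = next((v for t, _, v in attrs if t == ATTR_USERNAME), None)
    integrity = next(((o, v) for t, o, v in attrs if t == ATTR_MESSAGE_INTEGRITY), None)
    if username is None or integrity is None:
        return False
    if username.decode(errors="replace").split(":")[0] != local_ufrag:
        return False
    mi_off, mi_val = integrity
    # Recompute over everything before MESSAGE-INTEGRITY, with the length
    # field set as it was when the sender computed the HMAC.
    hdr = struct.pack("!HHI", mtype, (mi_off - 20) + 24, cookie) + msg[8:20]
    expected = hmac.new(local_pwd.encode(), hdr + msg[20:mi_off], hashlib.sha1).digest()
    return hmac.compare_digest(expected, mi_val)


if __name__ == "__main__":
    # Two agents, each with its own per-session credentials (constructed demo).
    ufrag_a, pwd_a = new_ice_credentials()
    ufrag_b, pwd_b = new_ice_credentials()
    check = build_binding_request(ufrag_b, ufrag_a, pwd_b)
    print("B accepts A's check:", verify_binding_request(check, ufrag_b, pwd_b))
    print("wrong password rejected:", not verify_binding_request(check, ufrag_b, "x" * 24))
```

The point Jonathan makes above is visible in `new_ice_credentials`: the password costs nothing beyond a call to the OS random source, and because it is fresh per session, a phone that leaks or shares one password does not compromise any other call. The verifier also shows why both the fragment and the password must be conveyed: the ufrag lets the receiver pick which session's password to use, and the password is what actually authenticates the check.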

_______________________________________________
Sipping mailing list  https://www1.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sip at ietf.org for new developments of core SIP