RE: [Sip] RE: [BEHAVE] Outbound and SPI
"Dan Wing" <dwing@cisco.com> Mon, 05 February 2007 17:26 UTC
From: Dan Wing <dwing@cisco.com>
To: 'Christian Huitema' <huitema@windows.microsoft.com>, "'Frank W. Miller'" <fwmiller@cornfed.com>, 'Rohan Mahy' <rohan@ekabal.com>
Subject: RE: [Sip] RE: [BEHAVE] Outbound and SPI
Date: Mon, 05 Feb 2007 09:25:57 -0800
Message-ID: <01d701c7494a$b8afe050$c2f0200a@amer.cisco.com>
In-Reply-To: <70C6EFCDFC8AAD418EF7063CD132D064037B663F@WIN-MSG-21.wingroup.windeploy.ntdev.microsoft.com>
Cc: behave@ietf.org
Christian Huitema wrote:

...

> Well, this is exactly the kind of behavior that drove inclusion of
> an obfuscation mechanism in the STUN response. Some NATs tend to be
> hyperactive. The proper solution is probably to obfuscate the
> entire SIP traffic. Running SIP over TLS does it nicely, but if we
> insist on UDP, we may need to ask the SIP group to define an
> encrypted transport.

There is SIP-over-DTLS, draft-jennings-sip-dtls-02.txt (which has expired).

Of course, continuing to run SIP over UDP only encourages the problems discussed in draft-heffner-frag-harmful-04.txt.

> By the way, SPI may or may not improve the security of your network.
> SPI requires that the router parse a lot of different packets, in
> order to find possible attacks and protocol violation. Parsing code
> is a notorious source of bugs. There are multiple examples of
> maliciously crafted packets triggering a buffer overflow in a
> speedily written parser. There is also some evidence that the
> quality of code in many of these small routers is not great --
> otherwise, we would not need to reboot them so often. SPI on a
> small router brings the combination of "lots of parsing code" with
> "questionable quality assurance". Turning on SPI in the router may
> well be building a bright target for hackers just at the doorstep of
> your network...

I couldn't agree more.

-d
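As an added example (not part of the original thread, and not STUN or SIP project code), here is the STUN address obfuscation Christian refers to, assuming it is the XOR-MAPPED-ADDRESS attribute of RFC 5389. It encodes and decodes the reflexive address and shows that a payload-rewriting NAT searching for its own public IP will not find it in the obfuscated attribute; the transaction ID and addresses are constructed sample values.

```python
# Added example: RFC 5389 XOR-MAPPED-ADDRESS encode/decode (assumed to be the
# "obfuscation mechanism in the STUN response" mentioned in the thread).
import ipaddress
import struct

MAGIC_COOKIE = 0x2112A442        # fixed STUN magic cookie (RFC 5389)
XOR_MAPPED_ADDRESS = 0x0020      # attribute type code


def _xor_key(family: int, transaction_id: bytes) -> bytes:
    # IPv4 is XORed with the 4-byte cookie; IPv6 with cookie || 12-byte transaction ID.
    cookie = struct.pack("!I", MAGIC_COOKIE)
    return cookie if family == 4 else cookie + transaction_id


def encode_xor_mapped_address(ip: str, port: int, transaction_id: bytes) -> bytes:
    """Build the full TLV (type, length, value) carrying the obfuscated address."""
    addr = ipaddress.ip_address(ip)
    family_byte = 0x01 if addr.version == 4 else 0x02
    xport = port ^ (MAGIC_COOKIE >> 16)              # port XOR top 16 bits of cookie
    key = _xor_key(addr.version, transaction_id)
    xaddr = bytes(a ^ k for a, k in zip(addr.packed, key))
    value = struct.pack("!BBH", 0, family_byte, xport) + xaddr
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value


def decode_xor_mapped_address(attr: bytes, transaction_id: bytes):
    """Recover (ip, port) from the TLV; rejects malformed input instead of guessing."""
    if len(attr) < 8:
        raise ValueError("attribute too short")
    atype, alen = struct.unpack("!HH", attr[:4])
    if atype != XOR_MAPPED_ADDRESS or alen != len(attr) - 4:
        raise ValueError("not a well-formed XOR-MAPPED-ADDRESS")
    _, family_byte, xport = struct.unpack("!BBH", attr[4:8])
    family = {0x01: 4, 0x02: 6}.get(family_byte)
    if family is None or alen != 4 + (4 if family == 4 else 16):
        raise ValueError("bad address family or length")
    key = _xor_key(family, transaction_id)
    raw = bytes(a ^ k for a, k in zip(attr[8:], key))
    return str(ipaddress.ip_address(raw)), xport ^ (MAGIC_COOKIE >> 16)


def nat_would_find_address(attr: bytes, ip: str) -> bool:
    """Model a 'hyperactive' NAT that scans payloads for its own public IP bytes."""
    return ipaddress.ip_address(ip).packed in attr


if __name__ == "__main__":
    tid = bytes.fromhex("0011223344556677889900aa")   # constructed transaction ID
    tlv = encode_xor_mapped_address("203.0.113.7", 3478, tid)
    print(tlv.hex(), decode_xor_mapped_address(tlv, tid), nat_would_find_address(tlv, "203.0.113.7"))
```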