IETF Logo Mail Archive

Re: [martini] #56: GRUU mechanism security review

"martini issue tracker" <trac@tools.ietf.org> Fri, 16 July 2010 22:15 UTC

Return-Path: <trac@tools.ietf.org>
X-Original-To: martini@core3.amsl.com
Delivered-To: martini@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6FF463A6940 for <martini@core3.amsl.com>; Fri, 16 Jul 2010 15:15:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.563
X-Spam-Level:
X-Spam-Status: No, score=-102.563 tagged_above=-999 required=5 tests=[AWL=0.037, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HCre4LFXMAyl for <martini@core3.amsl.com>; Fri, 16 Jul 2010 15:15:53 -0700 (PDT)
Received: from zinfandel.tools.ietf.org (unknown [IPv6:2001:1890:1112:1::2a]) by core3.amsl.com (Postfix) with ESMTP id 826133A6823 for <martini@ietf.org>; Fri, 16 Jul 2010 15:15:53 -0700 (PDT)
Received: from localhost ([::1] helo=zinfandel.tools.ietf.org) by zinfandel.tools.ietf.org with esmtp (Exim 4.72) (envelope-from <trac@tools.ietf.org>) id 1OZtCM-0004yH-Bm; Fri, 16 Jul 2010 15:16:02 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: martini issue tracker <trac@tools.ietf.org>
X-Trac-Version: 0.11.7
Precedence: bulk
Auto-Submitted: auto-generated
X-Mailer: Trac 0.11.7, by Edgewall Software
To: adam@nostrum.com
X-Trac-Project: martini
Date: Fri, 16 Jul 2010 22:16:02 -0000
X-URL: http://tools.ietf.org/martini/
X-Trac-Ticket-URL: https://wiki.tools.ietf.org/wg/martini/trac/ticket/56#comment:1
Message-ID: <066.76eeb32e1df71e2c3b69a49087cda727@tools.ietf.org>
References: <057.f315a40650bef16891c861df51826fc3@tools.ietf.org>
X-Trac-Ticket-ID: 56
In-Reply-To: <057.f315a40650bef16891c861df51826fc3@tools.ietf.org>
X-SA-Exim-Connect-IP: ::1
X-SA-Exim-Rcpt-To: adam@nostrum.com, martini@ietf.org
X-SA-Exim-Mail-From: trac@tools.ietf.org
X-SA-Exim-Scanned: No (on zinfandel.tools.ietf.org); SAEximRunCond expanded to false
Cc: martini@ietf.org
Subject: Re: [martini] #56: GRUU mechanism security review
X-BeenThere: martini@ietf.org
X-Mailman-Version: 2.1.9
List-Id: Discussion of en-mass SIP PBX registration mechanisms <martini.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/martini>, <mailto:martini-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/martini>
List-Post: <mailto:martini@ietf.org>
List-Help: <mailto:martini-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/martini>, <mailto:martini-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jul 2010 22:15:54 -0000

#56: GRUU mechanism security review
-----------------------------+----------------------------------------------
 Reporter:  rbarnes@…        |       Owner:            
     Type:  defect           |      Status:  new       
 Priority:  major            |   Milestone:  milestone1
Component:  gin              |     Version:  1.0       
 Severity:  In WG Last Call  |    Keywords:            
-----------------------------+----------------------------------------------

Comment(by adam@…):

 More from Richard:

 I guess the attack you can accomplish by sending messages to another PBX
 is a DoS, when SSP-capability > PBX-capability.  To that extent, it makes
 sense to have the HMAC on I.  The countervailing risk is that you could
 overwhelm the SSP server with HMAC computations by sending bogus HMACs,
 but HMACs are so cheap that seems unlikely -- it would get overwhelmed by
 the RSA decryptions first.  (Actually, that risk might be worth
 documenting in the Security Considerations; might want to rate-limit
 requests to temp-GRUUs.  No, I haven't looked to see if it's already
 there)

 I don't see any harm in removing 2 and 3, in any case.

-- 
Ticket URL: <https://wiki.tools.ietf.org/wg/martini/trac/ticket/56#comment:1>
martini <http://tools.ietf.org/martini/>

v2.23.0 | Report a Bug | By Email