Re: [martini] #56: GRUU mechanism security review
"martini issue tracker" <trac@tools.ietf.org> Fri, 16 July 2010 22:15 UTC
From: martini issue tracker <trac@tools.ietf.org>
To: adam@nostrum.com
Cc: martini@ietf.org
Date: Fri, 16 Jul 2010 22:16:02 -0000
Subject: Re: [martini] #56: GRUU mechanism security review
#56: GRUU mechanism security review
-----------------------------+----------------------------------------------
 Reporter:  rbarnes@…        |       Owner:
     Type:  defect           |      Status:  new
 Priority:  major            |   Milestone:  milestone1
Component:  gin              |     Version:  1.0
 Severity:  In WG Last Call  |    Keywords:
-----------------------------+----------------------------------------------

Comment(by adam@…):

 More from Richard:

 I guess the attack you can accomplish by sending messages to another PBX
 is a DoS, when SSP-capability > PBX-capability. To that extent, it makes
 sense to have the HMAC on I.

 The countervailing risk is that you could overwhelm the SSP server with
 HMAC computations by sending bogus HMACs, but HMACs are so cheap that
 seems unlikely -- it would get overwhelmed by the RSA decryptions first.
 (Actually, that risk might be worth documenting in the Security
 Considerations; might want to rate-limit requests to temp-GRUUs. No, I
 haven't looked to see if it's already there)

 I don't see any harm in removing 2 and 3, in any case.

-- 
Ticket URL: <https://wiki.tools.ietf.org/wg/martini/trac/ticket/56#comment:1>
martini <http://tools.ietf.org/martini/>
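The comment above argues that an HMAC over the identifier I is cheap to verify, so bogus tags cost the SSP little, and that rate-limiting temp-GRUU requests would bound the remaining risk. The following is an added illustration of that ordering of checks (rate limit, then constant-time HMAC check, then the expensive step), written for this page and not taken from the gin draft or any SIP implementation; the identifier layout (I followed by a truncated HMAC-SHA256 tag), the key handling and the limiter parameters are assumptions chosen for the example.

```python
"""Cheap-check-before-expensive-work, as discussed in ticket #56.

Added example.  The layout I || tag, the 16-byte tag truncation and the
token-bucket parameters are assumptions for illustration, not the
temp-GRUU construction defined by the gin specification.
"""
import hashlib
import hmac
import secrets
import time
from collections import defaultdict
from typing import Callable, Optional

# Constructed server-side key for the example; a real SSP would manage and
# rotate this per deployment.
SERVER_KEY = secrets.token_bytes(32)
TAG_LEN = 16  # truncated HMAC-SHA256 output, in bytes (assumption)


def mint_identifier(i_value: bytes, key: bytes = SERVER_KEY) -> bytes:
    """Return I || tag, where tag = HMAC-SHA256(key, I) truncated to TAG_LEN."""
    tag = hmac.new(key, i_value, hashlib.sha256).digest()[:TAG_LEN]
    return i_value + tag


def verify_identifier(blob: bytes, key: bytes = SERVER_KEY) -> Optional[bytes]:
    """Split blob into I and tag, recompute the tag and compare in constant time.

    Returns I when the tag is valid, None for a bogus tag or a too-short blob.
    Rejecting here costs one HMAC, which is the point made in the ticket.
    """
    if len(blob) <= TAG_LEN:
        return None
    i_value, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, i_value, hashlib.sha256).digest()[:TAG_LEN]
    # compare_digest does not leak which byte mismatched through timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return i_value


class TokenBucket:
    """Per-source token bucket: `rate` tokens per second, burst of `capacity`.

    The clock is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, rate: float, capacity: int,
                 clock: Callable[[], float] = time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        # source -> [tokens available, time of last update]
        self._state = defaultdict(lambda: [float(capacity), clock()])

    def allow(self, source: str) -> bool:
        tokens, last = self._state[source]
        now = self.clock()
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._state[source] = [tokens - 1.0, now]
            return True
        self._state[source] = [tokens, now]
        return False


def handle_request(source: str, blob: bytes, limiter: TokenBucket,
                   expensive_work: Callable[[bytes], tuple] = lambda i: ("accepted", i)):
    """Order of checks: rate limit first (no crypto at all), then the cheap
    HMAC check, and only then the expensive step (standing in for the RSA
    work the ticket expects to be the real bottleneck)."""
    if not limiter.allow(source):
        return ("rate-limited", None)
    i_value = verify_identifier(blob)
    if i_value is None:
        return ("bad-tag", None)
    return expensive_work(i_value)


if __name__ == "__main__":
    # Stand-alone demonstration with a constructed identifier and a burst
    # limit of two requests per source.
    limiter = TokenBucket(rate=1.0, capacity=2)
    good = mint_identifier(b"pbx-instance-1")
    for blob in (good, b"x" * 40, good, good):
        print(handle_request("pbx.example", blob, limiter))
```

The rate limiter is keyed on the sending source rather than on the identifier, so a sender replaying bogus tags is throttled before any HMAC is computed; the HMAC check then discards forged identifiers before the expensive step runs.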