Re: [Sip] Re: draft-ietf-sip-gruu-09

Jonathan Rosenberg <jdrosen@cisco.com> Fri, 28 July 2006 05:33 UTC

Message-ID: <44C98135.70705@cisco.com>
Date: Thu, 27 Jul 2006 23:15:01 -0400
From: Jonathan Rosenberg <jdrosen@cisco.com>
To: Paul Kyzivat <pkyzivat@cisco.com>
Subject: Re: [Sip] Re: draft-ietf-sip-gruu-09
References: <720BC7A4-8BFF-412E-A6BC-FAC41FA1289B@cisco.com> <44C83461.4020806@cisco.com> <44C8BC2F.1000406@cisco.com>
In-Reply-To: <44C8BC2F.1000406@cisco.com>
Cc: Cullen Jennings <fluffy@cisco.com>, IETF SIP List <sip@ietf.org>

inline.

Paul Kyzivat wrote:

> 
> 
> Jonathan Rosenberg wrote:
> 
>> Cullen Jennings wrote:
> 
> 
>>> Section 6, page 12, 4th para or so ... you are talking about mid-dialog
>>> requests. Might be nice to mention how a transaction stateful
>>> proxy knows if something is a mid-dialog request or not.
>>
>>
>> These days I recommend topmost route URI over tags, since it's easy to 
>> fool a proxy into thinking something is a mid-dialog request by faking 
>> a tag. It's harder to fake a route URI.
>>
>> Text now reads:
>>
>> <t> Mid-dialog requests will also be sent to GRUUs, as they are
>> included as the remote-target in dialog-forming and target refresh
>> requests and responses. However, in those cases, a proxy SHOULD only
>> apply services that are meaningful for mid-dialog requests, generally
>> speaking. This excludes screening functions, as well as forwarding
>> ones. A proxy can determine that a request is a mid-dialog request
>> based on the Route header field in the request it receives. If the
>> topmost URI matches one that the proxy placed into the Record-Route
>> header field of a dialog-forming request, then the request is a
>> mid-dialog request. </t>
> 
> 
> Is it really harder to fake?

If the objective is to fool a *proxy* into thinking a request is a 
mid-dialog request, then yes.

If a proxy uses the mere presence of the To tag as the indicator of a 
mid-dialog request, then a UA can simply send an initial request with 
any arbitrary tag in the To header field.

If a proxy uses the value of the Route header field, then the UA has to 
construct a Route header field value which the proxy will accept. If the 
proxy is halfway intelligent in construction of record-routes, it'll use 
random numbers, hashes, and otherwise proprietary techniques to 
construct the URI. The odds are pretty good that the UA would not be 
able to construct a Route URI that the proxy would recognize as one that 
it would have inserted into a Record-Route.

Now, a request that contains a tag not matching any dialog at the UAS is 
rejected anyway. However, you might be able to work with a cooperating 
UAS to make something useful happen. For example, if a proxy is 
generating call start and stop records based on *initial* INVITE and 
BYE, respectively, a cooperating UA might be able to get free calls.

> 
> Suppose Alice is permitted to call Bob, but not to subscribe to the reg 
> event package. So Alice first calls Bob, and notes the Record-Route that 
> results. Then in a separate dialog, Alice sends a SUBSCRIBE to the reg 
> event package, including a Route header with a URI of Bob's home proxy 
> extracted from the old R-R.

If the RR is constructed using hashes of the tags this won't work.

> 
> Seems like this strategy also requires some protection against a "replay 
> attack" like this.
> 
> But that isn't really an issue for this draft.

No; but it makes for interesting list discussion ;)

-Jonathan R.


-- 
Jonathan D. Rosenberg, Ph.D.                   600 Lanidex Plaza
Cisco Fellow                                   Parsippany, NJ 07054-2711
Cisco Systems
jdrosen@cisco.com                              FAX:   (973) 952-5050
http://www.jdrosen.net                         PHONE: (973) 952-5000
http://www.cisco.com
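
The two mid-dialog indicators compared in the message above, as an added example that is not part of the original message or of the GRUU draft. It assumes a proxy that derives its Record-Route URI from an HMAC over the Call-ID and the caller's tag; the `rr` URI parameter, the key, the host name and the sample requests are all constructed for illustration.

```python
import hashlib
import hmac

PROXY_KEY = b"constructed-demo-key"   # assumption: secret known only to the proxy
PROXY_URI = "sip:proxy.example.com"   # constructed placeholder


def _token(call_id, tag):
    """HMAC over the dialog identifiers seen on the dialog-forming request."""
    msg = f"{call_id}\x00{tag}".encode()
    return hmac.new(PROXY_KEY, msg, hashlib.sha256).hexdigest()[:32]


def record_route_uri(call_id, from_tag):
    """URI the proxy places in Record-Route of a dialog-forming request."""
    return f"{PROXY_URI};lr;rr={_token(call_id, from_tag)}"


def mid_dialog_by_to_tag(req):
    """Weak indicator: mere presence of a To tag, which the sender controls."""
    return bool(req.get("to_tag"))


def mid_dialog_by_route(req):
    """Topmost Route URI must be one this proxy issued for this dialog."""
    routes = req.get("route") or []
    if not routes:
        return False
    uri, *params = routes[0].split(";")
    presented = next((p[3:] for p in params if p.startswith("rr=")), "")
    if uri != PROXY_URI or not presented:
        return False
    # The caller's tag is the From tag on requests from the caller and the
    # To tag on requests from the callee, so both are tried.
    tags = [t for t in (req.get("from_tag"), req.get("to_tag")) if t]
    return any(hmac.compare_digest(presented.encode(),
                                   _token(req["call_id"], t).encode())
               for t in tags)


# Constructed sample requests (header fields reduced to a dict).
RR = record_route_uri("call-1@alice.example", "a1")
IN_DIALOG_BYE = {"call_id": "call-1@alice.example", "from_tag": "b7",
                 "to_tag": "a1", "route": [RR]}
FAKE_TAG_INVITE = {"call_id": "call-2@alice.example", "from_tag": "a2",
                   "to_tag": "zz", "route": []}
REUSED_RR_SUBSCRIBE = {"call_id": "call-3@alice.example", "from_tag": "a3",
                       "to_tag": "zz", "route": [RR]}
GUESSED_RR = {"call_id": "call-4@alice.example", "from_tag": "a4",
              "to_tag": "zz", "route": [f"{PROXY_URI};lr;rr={'0' * 32}"]}
```

The token binds the Route URI to one dialog's identifiers without per-dialog state at the proxy; it does not by itself detect a request that reuses those same identifiers, which is the replay concern raised in the thread.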
