IETF Logo Mail Archive

Re: [Sip] draft-state-sip-relay-attack-00

Raphael Coeffic <rco@iptel.org> Wed, 11 March 2009 08:52 UTC

Return-Path: <rco@iptel.org>
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 771E63A67A1 for <sip@core3.amsl.com>; Wed, 11 Mar 2009 01:52:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.389
X-Spam-Level:
X-Spam-Status: No, score=-2.389 tagged_above=-999 required=5 tests=[AWL=0.210, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q89qGaarZf0t for <sip@core3.amsl.com>; Wed, 11 Mar 2009 01:52:26 -0700 (PDT)
Received: from mail.iptel.org (smtp.iptel.org [213.192.59.67]) by core3.amsl.com (Postfix) with ESMTP id 0DB6F3A6AAE for <sip@ietf.org>; Wed, 11 Mar 2009 01:52:26 -0700 (PDT)
Received: by mail.iptel.org (Postfix, from userid 103) id 593241810C69; Wed, 11 Mar 2009 09:53:01 +0100 (CET)
Received: from rco-imac.local (unknown [217.9.54.26]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.iptel.org (Postfix) with ESMTPSA id 28E2C1810C67; Wed, 11 Mar 2009 09:53:00 +0100 (CET)
Message-ID: <49B77BEB.4000501@iptel.org>
Date: Wed, 11 Mar 2009 09:52:59 +0100
From: Raphael Coeffic <rco@iptel.org>
User-Agent: Thunderbird 2.0.0.19 (Macintosh/20081209)
MIME-Version: 1.0
To: Hadriel Kaplan <HKaplan@acmepacket.com>
References: <49AE593F.6080807@iptel.org> <e4c7495a3f98d5a2a85ccf85047515f0.squirrel@www.ohlmeier.com> <20090307183313.GA4364@x61s.janakj.ryngle.net> <E6C2E8958BA59A4FB960963D475F7AC314C4DE6292@mail> <49B2F7F2.6030804@ohlmeier.org> <E6C2E8958BA59A4FB960963D475F7AC314C4DE62D4@mail> <E6C2E8958BA59A4FB960963D475F7AC314C4DE62F0@mail> <49B5006D.8050702@iptel.org> <E6C2E8958BA59A4FB960963D475F7AC314C4FAA08C@mail> <49B63B9F.9000101@iptel.org> <E6C2E8958BA59A4FB960963D475F7AC314E2E0A466@mail>
In-Reply-To: <E6C2E8958BA59A4FB960963D475F7AC314E2E0A466@mail>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: Nils Ohlmeier <lists@ohlmeier.org>, "sip@ietf.org" <sip@ietf.org>
Subject: Re: [Sip] draft-state-sip-relay-attack-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2009 08:52:27 -0000

Hadriel Kaplan wrote:
>   
>> -----Original Message-----
>> From: Raphael Coeffic [mailto:rco@iptel.org]
>> Sent: Tuesday, March 10, 2009 6:06 AM
>>
>> Hadriel Kaplan wrote:
>>
>> Forcing registrations is the path that IMS went for, I believe. But if
>> you want to take advantage of this, you may have to deploy a little more
>> IMS than you'd like to. 
>>     
>
> The concept and practice of "forcing" UA's, which have AoR's belonging to a domain, to REGISTER their contact binding for those AoR's in order to make calls, has been around a lot longer than IMS has.  Invoking the "that sounds like IMS" defense is a cheap guilt-by-association argument, and not relevant.  One might as well argue that using INVITE's or RTP "is the path that IMS went for".
>
> You keep making it sound like sending a SIP request which does not create a dialog is somehow a difficult mechanism to implement, or "forces" people to do something they don't want to.  What is it forcing?
>
>   
Well, it is not required as per RFC 3261 ;-)

> You're looking for a means of authenticating a UA without being subject to a relay attack.  Using a different SIP Method name, which can only be initiated by the client with the credentials, and one that UA's cannot be baited to provide by random third parties, is one solution to the problem.  If you don't like the string "REGISTER", then how about "OPTIONS"?
>
>   
No, I think you missunderstood me. I still think that requiring a 
registration and checking the source IP and port against the registered 
contact is a fair measure to take. However, it introduces more traffic 
in some scenarios, where it is not necessarily needed. REGISTERs could 
become the "background load" in the servers. This also puts a lot of 
state into some proxies that does not need it, etc...
My concern is just that it seems like there is no better solution.
>> Maybe just an example: let's say you have a home SIP server, doing the
>> usual least cost routing. Your least cost router might have something
>> like 50 different routes. Do you want this box, or maybe your phones to
>> have 50 running registrations, just for the purpose of having cheap
>> calls? Well, personaly, I would prefer to just install my certificate on
>> this box, and use TLS. But as very very few of those PSTN providers do
>> support TLS, I cannot. By the way, there are already commercial products
>> supporting this scenario.
>>     
>
> So you have a mechanism that people don't seem to want to implement - and meanwhile you have another mechanism, which is widely implemented.  And the problem is...?
>
>   
See previous answer.

Cheers
Raphael.

v2.23.0 | Report a Bug | By Email