IETF Logo Mail Archive

Re: [Sip] draft-state-sip-relay-attack-00

Jonathan Rosenberg <jdrosen@cisco.com> Mon, 16 March 2009 20:45 UTC

Return-Path: <jdrosen@cisco.com>
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C826F3A6AB3 for <sip@core3.amsl.com>; Mon, 16 Mar 2009 13:45:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.566
X-Spam-Level:
X-Spam-Status: No, score=-6.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JmOHOaxh3h6S for <sip@core3.amsl.com>; Mon, 16 Mar 2009 13:45:22 -0700 (PDT)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id BAE323A6987 for <sip@ietf.org>; Mon, 16 Mar 2009 13:45:22 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.38,374,1233532800"; d="scan'208";a="143153113"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-3.cisco.com with ESMTP; 16 Mar 2009 20:46:05 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n2GKk5K8009426; Mon, 16 Mar 2009 13:46:05 -0700
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id n2GKk5p7013358; Mon, 16 Mar 2009 20:46:05 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 16 Mar 2009 13:46:05 -0700
Received: from [10.32.241.157] ([10.32.241.157]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 16 Mar 2009 13:46:04 -0700
Message-ID: <49BEBA8C.2020406@cisco.com>
Date: Mon, 16 Mar 2009 16:46:04 -0400
From: Jonathan Rosenberg <jdrosen@cisco.com>
User-Agent: Thunderbird 2.0.0.9 (Windows/20071031)
MIME-Version: 1.0
To: Raphael Coeffic <rco@iptel.org>
References: <49AE593F.6080807@iptel.org> <49BBA27C.4050805@cisco.com> <49BE1FEF.4020008@iptel.org>
In-Reply-To: <49BE1FEF.4020008@iptel.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 16 Mar 2009 20:46:04.0802 (UTC) FILETIME=[39842E20:01C9A678]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=2175; t=1237236365; x=1238100365; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=jdrosen@cisco.com; z=From:=20Jonathan=20Rosenberg=20<jdrosen@cisco.com> |Subject:=20Re=3A=20[Sip]=20draft-state-sip-relay-attack-00 |Sender:=20; bh=PJEJVPr0jg8c3KDcE9Or+oVHTxXXMGYcXJdOL2oTLWg=; b=UgzF2i5OO1cfTs1Gp3n44vOvPZXEAoH3X1YfVrO3kRw1vayknL7BkzgKyk 6EWE3lESoRLYH7rRmHIFxg5pssV6BX0pF2chfjoH0OfWVe8Hi1khbdiaK4BZ +G17gKNLlX2OIUHMfXi55f/8VV2uw4OR96wr0Nz7v5zONoCsOrsdg=;
Authentication-Results: sj-dkim-1; header.From=jdrosen@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: sip@ietf.org
Subject: Re: [Sip] draft-state-sip-relay-attack-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2009 20:45:23 -0000

Raphael Coeffic wrote:

>> As such, I dont think this attack is likely in practice. However, in 
>> theory it is possible. The essence of the attack is that the victim is 
>> providing credentials to an unauthenticated server (since the attacker 
>> is acting like a server, asking for credentials). In that way, as 
>> others have pointed out, it is similar to baiting attacks that have 
>> been previously documented. With SIP it is most easily remedied by a 
>> rule which says, 'don't pass credentials for domain X to a server that 
>> is not domain X'.
> Which means that you exclude any relays in between. I think it also 
> implies reverse DNS lookups, right?

No - no reverse DNS.
And I am excluding cases where, you are connected (meaning, the domain 
you registered to) to one domain and making a call through that domain 
reach another domain which requires your credentials. I think that is 
very unlikely.

> 
>> Server identity can be verified by normal server-only auth between a 
>> client and its server, but even that is not needed. 
> Right, mutual authentication seems to be the best way.
> 
>> A client will know which domain its proxy is representing, and once 
>> connected, it only provides credentials for that domain.
>>
> What do you mean by "connected"? And why should a UA only provide 
> credentials for one domain only?

I'm saying, when a phone registers or makes a call, it does so by 
connecting to a SIP server, through a domain name or IP config or 
whatever. THat server will have an associated credential. For any 
request sent to that server, it should never provide a credential except 
the one associated with it.

Your attack is possible only when the client sends credentials for a 
domain, different than the one it is currently registered or placed the 
call through in the first place.

-Jonathan R.

-- 
Jonathan D. Rosenberg, Ph.D.                   111 Wood Avenue South
Cisco Fellow                                   Iselin, NJ 08830
Cisco, Voice Technology Group
jdrosen@cisco.com
http://www.jdrosen.net                         PHONE: (408) 902-3084
http://www.cisco.com

v2.23.0 | Report a Bug | By Email