Re: [Sip] draft-state-sip-relay-attack-00
Hadriel Kaplan <HKaplan@acmepacket.com> Sun, 08 March 2009 00:30 UTC
Return-Path: <HKaplan@acmepacket.com>
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7BE523A68BD for <sip@core3.amsl.com>; Sat, 7 Mar 2009 16:30:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.525
X-Spam-Level:
X-Spam-Status: No, score=-2.525 tagged_above=-999 required=5 tests=[AWL=0.074, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sb00ka5w-AMM for <sip@core3.amsl.com>; Sat, 7 Mar 2009 16:30:04 -0800 (PST)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id 833113A6A88 for <sip@ietf.org>; Sat, 7 Mar 2009 16:30:04 -0800 (PST)
Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.1.291.1; Sat, 7 Mar 2009 19:30:35 -0500
Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Sat, 7 Mar 2009 19:30:33 -0500
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: Nils Ohlmeier <lists@ohlmeier.org>
Date: Sat, 07 Mar 2009 19:30:30 -0500
Thread-Topic: [Sip] draft-state-sip-relay-attack-00
Thread-Index: AcmfdcpVzceegU5LQJi8tV3rXHaJDQAACpUA
Message-ID: <E6C2E8958BA59A4FB960963D475F7AC314C4DE62D4@mail>
References: <49AE593F.6080807@iptel.org> <e4c7495a3f98d5a2a85ccf85047515f0.squirrel@www.ohlmeier.com> <20090307183313.GA4364@x61s.janakj.ryngle.net> <E6C2E8958BA59A4FB960963D475F7AC314C4DE6292@mail> <49B2F7F2.6030804@ohlmeier.org>
In-Reply-To: <49B2F7F2.6030804@ohlmeier.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "sip@ietf.org" <sip@ietf.org>
Subject: Re: [Sip] draft-state-sip-relay-attack-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Mar 2009 00:30:10 -0000
> -----Original Message----- > From: Nils Ohlmeier [mailto:lists@ohlmeier.org] > Sent: Saturday, March 07, 2009 5:41 PM > > Am 07.03.2009 20:18 Uhr, schrieb Hadriel Kaplan: > >> So a requirement to make the attack possible is that the user agent > >> responds > >> to challenges generated for in-dialog requests. > > > > Right, and that the attacked domain accepts INVITEs from its AoR's with > non-registered Contacts; or accepts INVITEs from its static AoR's to come > in from unknown locations. That's pretty rare in my world, but ymmv. > > Luckily it seems we are not living in the same world :-) > I call it a feature that I can make authenticated calls without being > registered. Why, is sending a REGISTER hard?? It looks like a simple enough message to generate. How about OPTIONS? (has anyone ever noticed that OPTIONS is an anagram for POTIONS, or "O, NOT SIP" or "ON TO SIP" or "TON-O-SIP" or "TIS NO-OP" or "I NO POTS"? weird) But anyway, sure - I'm not saying the attack isn't interesting or worth figuring out a solution/prevention for. I think it *is*. I was only challenging a claim that Service Providers on the Internet are currently exposed to it. Not all of them are. > >>> - I never unterstood why a proxy should pass through the > authentication > >>> request from a foreign domain. > >> Because this is how it is specified in section 22.3 of RFC3261. > > > > And it would have to continue to do so. There are actual use-cases for > this. > > Could you please share one of these use-cases with me. Well, the 3GPP roaming case, for one. A pictorial version: http://www.tech-invite.com/Ti-ims-regflow-1.html > > I think there's even a reasonable use-case for challenging in-dialog > requests: connected-identity, for example. > > > > But you don't even need to challenge in-dialog requests for this form of > attack: if the victim calls you, then you can challenge the initial > INVITE. > > Sorry, but how is this going to work in world without a SBC which knows > my credentials? SBC's don't usually know your credentials, even now. They don't need to. But anyway, I'm not sure what you mean by the question. How is what going to work? Stopping INVITE-based authentication relay-attacks? You don't need an SBC-type box to stop that. Just disconnect the cable. :) Or, use the counter-measures in the draft. Or change the protocol, or at least the authentication mechanism. -hadriel
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Michael Procter
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Dan Wing
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Michael Procter
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Dan Wing
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Dale Worley
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Victor Pascual Ávila
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Scott Lawrence
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Victor Pascual Ávila
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Jonathan Rosenberg
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Jonathan Rosenberg
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Victor Pascual Ávila
- Re: [Sip] draft-state-sip-relay-attack-00 Jiri Kuthan