IETF Logo Mail Archive

RE: [Sip] SIP WG - 5 - Last Call Open Discussion - draft-ietf-sip-refer-02.txt

William Marshall <wtm@research.att.com> Fri, 28 December 2001 18:39 UTC

Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA10560 for <sip-archive@odin.ietf.org>; Fri, 28 Dec 2001 13:39:00 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id NAA00417 for sip-archive@odin.ietf.org; Fri, 28 Dec 2001 13:39:03 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id NAA29803; Fri, 28 Dec 2001 13:16:59 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id NAA29772 for <sip@optimus.ietf.org>; Fri, 28 Dec 2001 13:16:57 -0500 (EST)
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.30.102]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA10417 for <sip@ietf.org>; Fri, 28 Dec 2001 13:16:53 -0500 (EST)
Received: from alliance.research.att.com (alliance.research.att.com [135.207.26.26]) by mail-blue.research.att.com (Postfix) with ESMTP id E64094CE34 for <sip@ietf.org>; Fri, 28 Dec 2001 13:16:54 -0500 (EST)
Received: from fish.research.att.com (fish.research.att.com [135.207.27.137]) by alliance.research.att.com (8.8.7/8.8.7) with ESMTP id NAA01146; Fri, 28 Dec 2001 13:16:51 -0500 (EST)
From: William Marshall <wtm@research.att.com>
Received: (from wtm@localhost) by fish.research.att.com (SGI-8.9.3/8.8.5) id NAA38120; Fri, 28 Dec 2001 13:18:05 -0500 (EST)
Date: Fri, 28 Dec 2001 13:18:05 -0500
Message-Id: <200112281818.NAA38120@fish.research.att.com>
To: sip@ietf.org
Subject: RE: [Sip] SIP WG - 5 - Last Call Open Discussion - draft-ietf-sip-refer-02.txt
Sender: sip-admin@ietf.org
Errors-To: sip-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Session Initiation Protocol <sip.ietf.org>
X-BeenThere: sip@ietf.org

Robert Sparks wrote, in part:
> 			... The current proposal
> is to leave REFER as is, and specify usage of the parameters available
> on the Referred-By header to get exactly the protection you describe for
> the transfer application. 

I've looked through draft-ietf-sip-cc-transfer-05 again, and don't see
it.  What I see in the transfer draft is more of a "transferree/
transfer-target just do exactly as they are told, don't question
anything, and it will work".

The transferee and transfer target need some way to protect themselves
from malicious REFER requests, and from malicious INVITES that contain
Referred-By values.  I'm afraid that if the restricted usage is
documented in the transfer draft, then deployed implementations
will accept ONLY the combinations of parameters given in the transfer 
draft, effectively cutting off new and different services.  I feel
a generic method is needed in the refer draft that achieves some level 
of  protection against bogus and replayed requests, which can then
be used (at the recipient's option) in all the flows appearing in
call-control drafts.

If the usage restrictions were to be included in the transfer draft,
they would be something like: accept a REFER only within an active
dialog; accept an INVITE with a Replaces header only if the Call-ID
in the Replaces header matches an active dialog and the Referred-by
header matches either From or To of the same dialog, etc.  But
these kind of restrictions kill the blind transfer case (6.1).
But the transfer-target needs to know that the INVITE in step 9 is 
not a replay of an ancient REFER (step 7).  If all the flows in
the transfer draft were to be allowed, there would be no restrictions
at all.  Hardly a workable end state.

Bill Marshall
wtm@research.att.com

-----original message-----
From: Robert Sparks <rsparks@dynamicsoft.com>
To: "'William Marshall'" <wtm@research.att.com>, sip@ietf.org
Subject: RE: [Sip] SIP WG - 5 - Last Call Open Discussion - draft-ietf-sip
	-refer-02.txt
Date: Thu, 27 Dec 2001 16:05:04 -0500


> -----Original Message-----
> From: William Marshall [mailto:wtm@research.att.com]
> Sent: Thursday, December 27, 2001 10:50 AM
> To: sip@ietf.org
> Subject: Re: [Sip] SIP WG - 5 - Last Call Open Discussion -
> draft-ietf-sip-refer-02.txt
> 
> 
> I don't believe there has been any conclusion posted about security
> aspects of the Referred-By header, which I raised as issues in my
> initial review of this draft.
> 
> Without an adequate mechanism to verify the information in 
> the Referred-By
> header, and to verify the timeliness of that information, the 
> header is
> worse than useless.  It should be removed from the draft.
> 
> To repeat the problem, consider three parties, A, B, and C, where
> A sends a REFER to B, causing B to send an INVITE to C.  Procedures
> exist whereby B can authenticate A; procedures also exist whereby
> C can authenticate B.  
> 
> However, nothing prevents B from including a bogus Referred-By header 
> in its INVITE request to C.  Nothing prevents B from including a
> previously-valid-but-expired Referred-By header in its INVITE (i.e. 
> a form of replay attack).  Anything done by C based on information
> in the Referred-By header may be incorrect or harmful.

Anything done by C based on information in the Referred-By header
would be determined by the application using the primative. The first
application we're talking about is Transfer. The current proposal
is to leave REFER as is, and specify usage of the parameters available
on the Referred-By header to get exactly the protection you describe for
the transfer application. 

Are you objecting to this approach? If we actually remove the header,
we will be left without a conduit between the REFER and the triggered
action to include such procection mechanisms...

RjS

_______________________________________________
Sip mailing list  http://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

v2.23.0 | Report a Bug | By Email