Re: [Sip] draft-state-sip-relay-attack-00
Nils Ohlmeier <lists@ohlmeier.org> Mon, 16 March 2009 22:00 UTC
Return-Path: <lists@ohlmeier.org>
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6B6D23A659B for <sip@core3.amsl.com>; Mon, 16 Mar 2009 15:00:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.584
X-Spam-Level:
X-Spam-Status: No, score=-2.584 tagged_above=-999 required=5 tests=[AWL=0.015, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S3zLIfH8fe7x for <sip@core3.amsl.com>; Mon, 16 Mar 2009 15:00:18 -0700 (PDT)
Received: from bespin.rfc3261.net (cl-395.ede-01.nl.sixxs.net [IPv6:2001:7b8:2ff:18a::2]) by core3.amsl.com (Postfix) with ESMTP id 80AC23A680A for <sip@ietf.org>; Mon, 16 Mar 2009 15:00:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by bespin.rfc3261.net (Postfix) with ESMTP id D88207F97; Mon, 16 Mar 2009 23:00:58 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at bespin.rfc3261.net
Received: from bespin.rfc3261.net ([127.0.0.1]) by localhost (bespin.rfc3261.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oP5hHg1u1lSr; Mon, 16 Mar 2009 23:00:58 +0100 (CET)
Received: from Nils-MacBook-2.local (unknown [78.52.229.130]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by bespin.rfc3261.net (Postfix) with ESMTPSA id 741547F82; Mon, 16 Mar 2009 23:00:58 +0100 (CET)
Message-ID: <49BECC19.9080704@ohlmeier.org>
Date: Mon, 16 Mar 2009 23:00:57 +0100
From: Nils Ohlmeier <lists@ohlmeier.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; de; rv:1.9.1b3pre) Gecko/20090223 Thunderbird/3.0b2
MIME-Version: 1.0
To: Jonathan Rosenberg <jdrosen@cisco.com>
References: <49AE593F.6080807@iptel.org> <49BBA27C.4050805@cisco.com> <49BE1FEF.4020008@iptel.org> <49BEBA8C.2020406@cisco.com>
In-Reply-To: <49BEBA8C.2020406@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: sip@ietf.org
Subject: Re: [Sip] draft-state-sip-relay-attack-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Mar 2009 22:00:19 -0000
>>> Server identity can be verified by normal server-only auth between a >>> client and its server, but even that is not needed. >> Right, mutual authentication seems to be the best way. >> >>> A client will know which domain its proxy is representing, and once >>> connected, it only provides credentials for that domain. >>> >> What do you mean by "connected"? And why should a UA only provide >> credentials for one domain only? > > I'm saying, when a phone registers or makes a call, it does so by > connecting to a SIP server, through a domain name or IP config or > whatever. THat server will have an associated credential. For any > request sent to that server, it should never provide a credential except > the one associated with it. > > Your attack is possible only when the client sends credentials for a > domain, different than the one it is currently registered or placed the > call through in the first place. And the SIP server which relays the INVITE from the attacker to the victim has to drop (?) the challenge if it receives such from the attacker (at least if the realm is identical to the one used by the server itself). This is basically the same description which I provided already earlier. The only open "issue" is then relaying of 407/401 replies from downstream elements by the proxy. I agree with Jonathan that I also do not believe that this actually a real world scenario. But mutual authentication in the challenge might help to solve this issue if people insist of keeping this scenario. Regards Nils
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Michael Procter
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Dan Wing
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Michael Procter
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Dan Wing
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Dale Worley
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Victor Pascual Ávila
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Scott Lawrence
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Victor Pascual Ávila
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Jonathan Rosenberg
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Jonathan Rosenberg
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Victor Pascual Ávila
- Re: [Sip] draft-state-sip-relay-attack-00 Jiri Kuthan