IETF Logo Mail Archive

RE: verifying registration bindings (was [Sip]draft-ietf-sip-fork-loop-fix)

"Samir Srivastava" <samirsr@nortel.com> Mon, 03 April 2006 21:09 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FQWIm-0001SU-Ma; Mon, 03 Apr 2006 17:09:32 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FQWIk-00018V-J6 for sip@ietf.org; Mon, 03 Apr 2006 17:09:30 -0400
Received: from zrtps0kn.nortelnetworks.com ([47.140.192.55] helo=zrtps0kn.nortel.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FQWIk-0005mC-60 for sip@ietf.org; Mon, 03 Apr 2006 17:09:30 -0400
Received: from zrc2hxm2.corp.nortel.com (zrc2hxm2.corp.nortel.com [47.103.123.73]) by zrtps0kn.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id k33L9JD21344; Mon, 3 Apr 2006 17:09:19 -0400 (EDT)
X-MimeOLE: Produced By Microsoft Exchange V6.5.7226.0
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: verifying registration bindings (was [Sip]draft-ietf-sip-fork-loop-fix)
Date: Mon, 03 Apr 2006 16:09:16 -0500
Message-ID: <62B9B0847CC47543B6B3B5E26BD268E60B46D86B@zrc2hxm2.corp.nortel.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: verifying registration bindings (was [Sip]draft-ietf-sip-fork-loop-fix)
Thread-Index: AcZXWa/dDMgE3ljfRsah1fS5b30pSgAB8PRg
From: Samir Srivastava <samirsr@nortel.com>
To: Jeroen van Bemmel <jbemmel@zonnet.nl>, Robert Sparks <rjsparks@nostrum.com>
X-Spam-Score: 0.1 (/)
X-Scan-Signature: f2984bf50fb52a9e56055f779793d783
Cc: Sip <sip@ietf.org>
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Errors-To: sip-bounces@ietf.org

Hi Robert,

Thx for clarifying on either / or approach for the fix which I was
thinking of.

I was suggesting for REGISTER is similar to REFER


 UA               Registrar                Registrar/Proxy for Contact
in REG
 |                    |                                |
 |---REG ------------>|                                |
 |                    |                                | 
 |<-- 202 Accepted----|                                |
 |                    |<----- Audit on Reg Contact --->|
 |                    |                                |
 |<-- NOTIFY (REG EV)-|                                |
 |                    |                                |
 |-- 200 OK (NOT)---->|                                |


 At the time Registrar/Proxy sends NOTIFY it has confirmed knowledge of
goodness of contact at that point of time. Is this bad ? REFER works
this way.

Thx
Samir

-----Original Message-----
From: Jeroen van Bemmel [mailto:jbemmel@zonnet.nl] 
Sent: Monday, April 03, 2006 1:03 PM
To: Robert Sparks; Srivastava, Samir [SC100:8826:EXCH]
Cc: Sip
Subject: Re: verifying registration bindings (was
[Sip]draft-ietf-sip-fork-loop-fix)

Robert,

Also for the connection reuse draft it seems we will need a kind of
"reverse challenge" mechanism to verify that a client requesting an
alias actually owns / listens on the port that it is trying to shortcut
(Via port instead of Contact, but similar).

When you say "in the path of a non-INVITE transaction", you mean the
following would be bad?

UAC            UAS
    |     nit          |
    |----------->|
    |       100      |        // or some other 1xx meaning
"challenging..."
    |<-----------|
    |   challenge  |
    |<-----------|
    |    answer    |
    |----------->|
    |                   |
    |    ok nit      |
    |<-----------|

Regards,

Jeroen

----- Original Message -----
From: "Robert Sparks" <rjsparks@nostrum.com>
To: "Samir Srivastava" <samirsr@nortel.com>
Cc: "Sip" <sip@ietf.org>
Sent: Monday, April 03, 2006 9:49 PM
Subject: verifying registration bindings (was
[Sip]draft-ietf-sip-fork-loop-fix)


> Samir -
>
> We've talked about approaches similar to this in the past and there  
> is interest in the concept of asking a registrant "Prove to me that I 
> can reach this contact" before accepting a binding. There's been 
> discussion (and even some draft  work) around using the consent 
> framework to do something similar (but with greater scope).
>
> What we have right now is an agreement to talk about the possible 
> mechanisms, and general recognition that we need something more than 
> what we have right now.
>
> We do not have any consensus (IMHO) around a particular mechanism  
> yet. So the plan is to progress the fork-loop-fix draft as is and 
> decouple work  on these other potential mechanisms.
>
> One comment on the questions you've posted so far: It's unlikely we  
> will be able to create a mechanism that allows us to reject the actual

> REGISTER request. That puts another operation in the path of a 
> non-INVITE transaction, and  we've learned that's a dangerous thing. I

> suspect we'll end up with a mechanism  that puts bindings into an 
> "unconfirmed" state. The registrar will then send something towards 
> the contact asking for proof that it knows about the binding request. 
> Once that  proof is obtained, the contact would become confirmed and 
> used by a location server.
>
> RjS
>
> On Apr 3, 2006, at 1:59 PM, Samir Srivastava wrote:
>
>>  Hi Dale,
>>
>>    Thx for response. See in line.
>>
>> Thx
>> Samir
>>
>> -----Original Message-----
>> From: Dale R. Worley [mailto:dworley@pingtel.com]
>> Sent: Monday, April 03, 2006 10:21 AM
>> To: Sip
>> Subject: RE: [Sip] draft-ietf-sip-fork-loop-fix
>>
>> On Sat, 2006-04-01 at 16:47 -0600, Samir Srivastava wrote:
>>> It might be better to not reject the REGISTER, since later actions
>>> might cure the loop without altering *this* registration.  (Also,
>>> since a rejected registration is not in the database, the next
>>> re-registration attempt also appears to be new, and triggers the
loop
>>> test again.)
>>>
>>> SS>> Only later *UnRegistration or expired contact* can break the
>> loop.
>>> Proxy P1 is still going to forward Proxy P2, where looped contact is
>>> gone for now, and request is not going to fullfilled with proxy P1
>>> contact. So it good to reject this registration. And let  the
>>> Registering end point figure out where is the loop. If an endpoint
>>> keeps registering again and again with looped causing contacts,
>>> trigger this to IPS/IDS and take out the endpoint. This is very
>>> similar to how repeated 401/407 are handled.
>>
>> If a registration at P1 shows up a loop, the registration for P1 may
>> well be correct, and the error being some configuration problem at
P2.
>> So it is helpful to *report* the problem, but I think it is
excessive to
>> reject the registration.
>>
>> SS>> This is dependent on the order of registration. If P1 got the
>> registration first, then keeping
>> P2 registration is of no value. Since it is looped contact, how one
can
>> decide which one to keep.
>> Keeping looped registration alive in the hope of someone will correct
>> them doesn't serve much purpose, if the guy is bad and he doesn't
remove
>> it. Time window with looped contacts is open for attackers. Here  one
can
>> say, if looped contacts are detected, then further requests will  not
be
>> catered, unless they are corrected i.e. Reject the further request
with
>> error code " Looped Contact correction in progress". My position is
"Do
>> not let the faults percolate, correct them at the root itself as
soon as
>> possible".
>>
>> I am okay to finalize these minor details later, *if there is group
>> consensus that we should take this path*. Group ??
>>
>>
>>
>> Dale
>>
>>
>>
>> _______________________________________________
>> Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
>> This list is for NEW development of the core SIP Protocol Use
>> sip-implementors@cs.columbia.edu for questions on current sip Use
>> sipping@ietf.org for new developments on the application of sip
>>
>>
>> _______________________________________________
>> Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
>> This list is for NEW development of the core SIP Protocol
>> Use sip-implementors@cs.columbia.edu for questions on current sip
>> Use sipping@ietf.org for new developments on the application of sip
>
>
> _______________________________________________
> Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors@cs.columbia.edu for questions on current sip
> Use sipping@ietf.org for new developments on the application of sip 



_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

v2.23.0 | Report a Bug | By Email