Re: [Sip] Last Call: DHCPv6 Options for SIP Servers to Proposed Standard

Henning Schulzrinne <hgs@cs.columbia.edu> Tue, 28 May 2002 16:48 UTC

Message-ID: <3CF3AEB2.5020702@cs.columbia.edu>
Date: Tue, 28 May 2002 12:22:10 -0400
From: Henning Schulzrinne <hgs@cs.columbia.edu>
Organization: Columbia University
To: Christian Huitema <huitema@windows.microsoft.com>
CC: iesg@ietf.org, sip@ietf.org
Subject: Re: [Sip] Last Call: DHCPv6 Options for SIP Servers to Proposed Standard
References: <F66A04C29AD9034A8205949AD0C9010401C0E538@win-msg-02.wingroup.windeploy.ntdev.microsoft.com>

Christian,

thanks for your comment. I'm slightly confused, however, why this 
particular problem is any different for SIP servers than for any other, 
non-SIP server identified by a DHCPv6 server. Also, Section 21 of 
http://www.ietf.org/internet-drafts/draft-ietf-dhc-dhcpv6-25.txt 
addresses this particular issue. Could you clarify your comments in 
these two aspects?

Henning

Christian Huitema wrote:
> I have a major issue with this spec, namely that the security problems
> are not addressed. The security section correctly lists one of the main
> security threats, the spoofing of a DHCP server:
> 
>    The security considerations in RFC XXXX [1], RFC 3261 [2] and RFC
>    3263 [3] apply. If an adversary manages to modify the response from a
>    DHCP server or insert its own response, a SIP user agent could be led
>    to contact a rogue SIP server, possibly one that then intercepts call
>    requests or denies service. A modified DHCP answer could also omit
>    host names that translated to TLS-based SIP servers, thus
>    facilitating intercept.
> 
> This is a very real attack, especially in the deployment phase of IPv6,
> when there may not even be an actual DHCPv6 server on the local network.
> Think for example of an 802.11 hotpoint, in which any enterprising
> attacker could publish his very own DHCPv6 server. Yet, the security
> work seems to stop here. There is no attempt at mitigating the attack.
> IMHO, we should not publish a spec that opens the door for a grave attack
> and offers no mitigation.
> 
> -- Christian Huitema
> 
> 
>>-----Original Message-----
>>From: The IESG [mailto:iesg-secretary@ietf.org]
>>Sent: Wednesday, May 22, 2002 12:21 PM
>>Cc: sip@ietf.org
>>Subject: [Sip] Last Call: DHCPv6 Options for SIP Servers to Proposed
>>Standard
>>
>>
>>The IESG has received a request from the Session Initiation Protocol
>>Working Group to consider DHCPv6 Options for SIP Servers
>><draft-ietf-sip-dhcpv6-00.txt> as a Proposed Standard.
>>
>>The IESG plans to make a decision in the next few weeks, and solicits
>>final comments on this action.  Please send any comments to the
>>iesg@ietf.org or ietf@ietf.org mailing lists by June 5, 2002.
>>
>>Files can be obtained via
>>http://www.ietf.org/internet-drafts/draft-ietf-sip-dhcpv6-00.txt
>>
>>
>>_______________________________________________
>>Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
>>This list is for NEW development of the core SIP Protocol
>>Use sip-implementors@cs.columbia.edu for questions on current sip
>>Use sipping@ietf.org for new developments on the application of sip

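Added example, not code from the thread, the draft or any implementation: a client-side check that parses the SIP server options from a DHCPv6 answer and compares them with a locally pinned expectation, so the modified answer described above (a substituted server, the TLS-capable host dropped, or a bare address with no name to verify a certificate against) is reported rather than trusted. The option codes 21 and 22 and the wire formats are taken from RFC 3319, the published form of this draft; the trusted domain, TLS host and both sample replies are constructed assumptions.

```python
import ipaddress
import struct
OPTION_SIP_SERVER_D = 21  # domain names, RFC 1035 wire format, uncompressed
OPTION_SIP_SERVER_A = 22  # list of 16-byte IPv6 addresses

def parse_options(payload):  # yield (code, data) for DHCPv6 TLV options
    pos = 0
    while pos + 4 <= len(payload):
        code, length = struct.unpack("!HH", payload[pos:pos + 4])
        data = payload[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        yield code, data
        pos += 4 + length

def decode_names(data):  # decode a list of uncompressed wire-format names
    names, pos = [], 0
    while pos < len(data):
        labels = []
        while data[pos] != 0:
            n = data[pos]
            if n & 0xC0:  # compression pointers are not valid in this option
                raise ValueError("compression pointer not allowed")
            labels.append(data[pos + 1:pos + 1 + n].decode("ascii").lower())
            pos += 1 + n
        pos += 1  # skip the terminating zero label
        names.append(".".join(labels))
    return names

def check_reply(options, trusted_domain, tls_host):
    """Return policy findings for a DHCPv6 options blob; [] means it passes."""
    names, findings = [], []
    for code, data in parse_options(options):
        if code == OPTION_SIP_SERVER_D:
            names.extend(decode_names(data))
        elif code == OPTION_SIP_SERVER_A:  # bare address: no name to verify TLS against
            for i in range(0, len(data), 16):
                findings.append("unverifiable bare address: %s" % ipaddress.IPv6Address(data[i:i + 16]))
    findings += ["server outside trusted domain: " + n
                 for n in names if not n.endswith("." + trusted_domain)]
    if tls_host not in names:  # an altered answer may simply drop the TLS host
        findings.append("expected TLS-capable host missing: " + tls_host)
    return findings

def opt(code, data):  # build one TLV option for the constructed samples
    return struct.pack("!HH", code, len(data)) + data
# Constructed samples: a genuine answer, and a tampered one that drops the TLS host
GOOD = opt(OPTION_SIP_SERVER_D, b"\x03sip\x07example\x03net\x00")
BAD = (opt(OPTION_SIP_SERVER_D, b"\x05proxy\x08attacker\x04test\x00")
       + opt(OPTION_SIP_SERVER_A, ipaddress.IPv6Address("2001:db8::5").packed))
```

A client that applies such a policy still cannot authenticate the DHCPv6 answer itself; that is what the authentication mechanism in the DHCPv6 base specification is for, and this check only makes a deviation from the expected configuration visible.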