Re: [Sip] Last Call: DHCPv6 Options for SIP Servers to Proposed Standard
Henning Schulzrinne <hgs@cs.columbia.edu> Tue, 28 May 2002 16:48 UTC
Message-ID: <3CF3AEB2.5020702@cs.columbia.edu>
Date: Tue, 28 May 2002 12:22:10 -0400
From: Henning Schulzrinne <hgs@cs.columbia.edu>
Organization: Columbia University
To: Christian Huitema <huitema@windows.microsoft.com>
CC: iesg@ietf.org, sip@ietf.org
Subject: Re: [Sip] Last Call: DHCPv6 Options for SIP Servers to Proposed Standard
Christian,

thanks for your comment. I'm slightly confused, however, why this particular problem is any different for SIP servers than for any other, non-SIP server identified by a DHCPv6 server. Also, Section 21 of http://www.ietf.org/internet-drafts/draft-ietf-dhc-dhcpv6-25.txt addresses this particular issue. Could you clarify your comments in these two aspects?

Henning

Christian Huitema wrote:
> I have a major issue with this spec, namely that the security problems
> are not addressed. The security section correctly lists one of the main
> security threats, the spoofing of a DHCP server:
>
>    The security considerations in RFC XXXX [1], RFC 3261 [2] and RFC
>    3263 [3] apply. If an adversary manages to modify the response from a
>    DHCP server or insert its own response, a SIP user agent could be led
>    to contact a rogue SIP server, possibly one that then intercepts call
>    requests or denies service. A modified DHCP answer could also omit
>    host names that translated to TLS-based SIP servers, thus
>    facilitating intercept.
>
> This is a very real attack, especially in the deployment phase of IPv6,
> when there may not even be an actual DHCPv6 server on the local network.
> Think for example of an 802.11 hotpoint, in which any enterprising
> attacker could publish his very own DHCPv6 server. Yet, the security
> work seems to stop here. There is no attempt at mitigating the attack.
> IMHO, we should not publish a spec that opens the door for a grave attack
> and offers no mitigation.
>
> -- Christian Huitema
>
>>-----Original Message-----
>>From: The IESG [mailto:iesg-secretary@ietf.org]
>>Sent: Wednesday, May 22, 2002 12:21 PM
>>Cc: sip@ietf.org
>>Subject: [Sip] Last Call: DHCPv6 Options for SIP Servers to Proposed
>>Standard
>>
>>The IESG has received a request from the Session Initiation Protocol
>>Working Group to consider DHCPv6 Options for SIP Servers
>><draft-ietf-sip-dhcpv6-00.txt> as a Proposed Standard.
>>
>>The IESG plans to make a decision in the next few weeks, and solicits
>>final comments on this action. Please send any comments to the
>>iesg@ietf.org or ietf@ietf.org mailing lists by June 5, 2002.
>>
>>Files can be obtained via
>>http://www.ietf.org/internet-drafts/draft-ietf-sip-dhcpv6-00.txt
>>
>>_______________________________________________
>>Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
>>This list is for NEW development of the core SIP Protocol
>>Use sip-implementors@cs.columbia.edu for questions on current sip
>>Use sipping@ietf.org for new developments on the application of sip
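The threat discussed in this message, a DHCPv6 response inserted on the link that points a user agent at a different SIP server, is something a network monitor can watch for. The following is an added example, not part of the email or of the draft: Python code that parses a DHCPv6 Advertise/Reply and flags SIP server options coming from a Server Identifier (DUID) that is not on an allowlist. Option codes 21 and 22 are the ones later assigned in RFC 3319; the DUID, host name and address are constructed sample values.

```python
import ipaddress
import struct

ADVERTISE, REPLY = 2, 7  # DHCPv6 server-to-client message types
OPT_SERVERID, OPT_SIP_D, OPT_SIP_A = 2, 21, 22  # Server Identifier; SIP options (RFC 3319)

def parse_options(buf):  # yield (code, data) for each option TLV
    pos = 0
    while pos < len(buf):
        code, length = struct.unpack_from("!HH", buf, pos)  # struct.error if cut short
        if pos + 4 + length > len(buf):
            raise ValueError("option overruns message")
        yield code, buf[pos + 4:pos + 4 + length]
        pos += 4 + length

def decode_names(data):  # consecutive uncompressed RFC 1035 wire-format names
    names, labels, pos = [], [], 0
    while pos < len(data):
        n = data[pos]
        if n > 63 or pos + 1 + n > len(data):
            raise ValueError("bad label length")
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
        if n == 0:  # zero-length root label ends one name
            names, labels = names + [".".join(labels[:-1])], []
    return names

def check_message(msg, trusted_duids):
    """Return a finding if an Advertise/Reply offers SIP servers from an unlisted DUID."""
    duid, servers = None, []
    if len(msg) >= 4 and msg[0] in (ADVERTISE, REPLY):
        for code, data in parse_options(msg[4:]):
            if code == OPT_SERVERID:
                duid = data.hex()
            elif code == OPT_SIP_D:
                servers += decode_names(data)
            elif code == OPT_SIP_A:
                servers += [str(ipaddress.IPv6Address(data[i:i + 16]))
                            for i in range(0, len(data) - 15, 16)]
    if servers and duid not in trusted_duids:
        return {"server_duid": duid, "sip_servers": servers}
    return None

def make_option(code, data):  # helper for the constructed sample below
    return struct.pack("!HH", code, len(data)) + data
SAMPLE_REPLY = (bytes([REPLY]) + b"\x12\x34\x56"  # constructed Reply, unlisted DUID
                + make_option(OPT_SERVERID, bytes.fromhex("00030001020000000001"))
                + make_option(OPT_SIP_D, b"\x03sip\x07example\x03net\x00")
                + make_option(OPT_SIP_A, ipaddress.IPv6Address("2001:db8::5060").packed))
```

The Server Identifier is not authenticated, so this is a monitoring heuristic and not a replacement for the DHCPv6 message authentication that Section 21 of the DHCPv6 draft addresses.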