Re: [Sip] draft-state-sip-relay-attack-00
"Nils Ohlmeier" <lists@ohlmeier.org> Thu, 12 March 2009 18:38 UTC
Return-Path: <lists@ohlmeier.org>
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A3C9C3A6881 for <sip@core3.amsl.com>; Thu, 12 Mar 2009 11:38:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e+Zpn-vOCkJf for <sip@core3.amsl.com>; Thu, 12 Mar 2009 11:38:37 -0700 (PDT)
Received: from bespin.rfc3261.net (cl-395.ede-01.nl.sixxs.net [IPv6:2001:7b8:2ff:18a::2]) by core3.amsl.com (Postfix) with ESMTP id B0F5B3A67F3 for <sip@ietf.org>; Thu, 12 Mar 2009 11:38:37 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by bespin.rfc3261.net (Postfix) with ESMTP id C0D287F97; Thu, 12 Mar 2009 19:39:13 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at bespin.rfc3261.net
Received: from bespin.rfc3261.net ([127.0.0.1]) by localhost (bespin.rfc3261.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hffrHrKcP1qt; Thu, 12 Mar 2009 19:39:13 +0100 (CET)
Received: from www.ohlmeier.com (localhost [127.0.0.1]) by bespin.rfc3261.net (Postfix) with ESMTP id 41B157F82; Thu, 12 Mar 2009 19:39:13 +0100 (CET)
Received: from 192.100.130.229 (SquirrelMail authenticated user lando) by www.ohlmeier.com with HTTP; Thu, 12 Mar 2009 19:39:13 +0100 (CET)
Message-ID: <391edc72be6bc16fcc1ff6f3b0e1951c.squirrel@www.ohlmeier.com>
In-Reply-To: <618e24240903120959t7199623en2e265686311c090a@mail.gmail.com>
References: <49AE593F.6080807@iptel.org> <49B2F7F2.6030804@ohlmeier.org> <E6C2E8958BA59A4FB960963D475F7AC314C4DE62D4@mail> <E6C2E8958BA59A4FB960963D475F7AC314C4DE62F0@mail> <49B5006D.8050702@iptel.org> <E6C2E8958BA59A4FB960963D475F7AC314C4FAA08C@mail> <49B63B9F.9000101@iptel.org> <E6C2E8958BA59A4FB960963D475F7AC314E2E0A466@mail> <49B77BEB.4000501@iptel.org> <2ec0d47f2557274d61ca48882a379aa1.squirrel@www.ohlmeier.com> <618e24240903120959t7199623en2e265686311c090a@mail.gmail.com>
Date: Thu, 12 Mar 2009 19:39:13 +0100
From: Nils Ohlmeier <lists@ohlmeier.org>
To: Victor Pascual Ávila <victor.pascual.avila@gmail.com>
User-Agent: SquirrelMail/1.4.15
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: Nils Ohlmeier <lists@ohlmeier.org>, "sip@ietf.org" <sip@ietf.org>
Subject: Re: [Sip] draft-state-sip-relay-attack-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Mar 2009 18:38:38 -0000
> On Wed, Mar 11, 2009 at 2:49 PM, Nils Ohlmeier <lists@ohlmeier.org> wrote: >> Sure to create a Contact binding via an authenticated REGISTER is one >> possible solution. >> But I think this only works because you rely on the fact that REGISTERs >> are not being retargeted like INVITEs. Which then in the end means you >> simply can forget about authenticating all other requests, as long as >> the >> Contact or IP/port was successfully authenticated via the "one hop" >> REGISTER method (refer-to: IMS). >> The advantage of this solution is clearly that it can be easily deployed >> by hopefully most of the service providers today. >> >> But I believe the proper technical solution would be that the server >> authenticates itself in the challenge, plus adding protected >> informations >> to the challenge which allows the receiver of the challenge to verify >> that >> this challenge was/is targeted to himself. >> The dis-advantage is clearly that this would be only possible with >> extensions of the existing protocols. But we would/might gain other >> benefits by such a solution as well. > > I did not follow the discussion on draft-dotson-sip-mutual-auth. Has > this work been discontinued? > > http://tools.ietf.org/id/draft-dotson-sip-mutual-auth-03.txt I can not answer your question. But this draft does not solve the discussed attack, because the server is authenticated after the victim sends its credentials to the attacker alerady. To have a chance to solve the attack scenario the server/challenger would have to prove its identity together with the challenge to prevent that the victim sends out its credentials to the attacker at all. Regards Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Michael Procter
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Dan Wing
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Michael Procter
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Dan Wing
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Dale Worley
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Jan Janak
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Victor Pascual Ávila
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Theo Zourzouvillys
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Scott Lawrence
- Re: [Sip] draft-state-sip-relay-attack-00 Hadriel Kaplan
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Victor Pascual Ávila
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Jonathan Rosenberg
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Jonathan Rosenberg
- Re: [Sip] draft-state-sip-relay-attack-00 Nils Ohlmeier
- Re: [Sip] draft-state-sip-relay-attack-00 Raphael Coeffic
- Re: [Sip] draft-state-sip-relay-attack-00 Victor Pascual Ávila
- Re: [Sip] draft-state-sip-relay-attack-00 Jiri Kuthan