IETF Logo Mail Archive

Re: [Sip] draft-state-sip-relay-attack-00

Jan Janak <jan@ryngle.com> Sat, 07 March 2009 18:32 UTC

Return-Path: <jan@ryngle.com>
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9856B28C0F5 for <sip@core3.amsl.com>; Sat, 7 Mar 2009 10:32:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ju3Y8m4NTjz0 for <sip@core3.amsl.com>; Sat, 7 Mar 2009 10:32:46 -0800 (PST)
Received: from mail-bw0-f178.google.com (mail-bw0-f178.google.com [209.85.218.178]) by core3.amsl.com (Postfix) with ESMTP id 80F3C3A68ED for <sip@ietf.org>; Sat, 7 Mar 2009 10:32:45 -0800 (PST)
Received: by bwz26 with SMTP id 26so733591bwz.37 for <sip@ietf.org>; Sat, 07 Mar 2009 10:33:16 -0800 (PST)
Received: by 10.103.252.17 with SMTP id e17mr1710735mus.14.1236450796293; Sat, 07 Mar 2009 10:33:16 -0800 (PST)
Received: from x61s.janakj (r9ea97.net.upc.cz [78.102.130.97]) by mx.google.com with ESMTPS id e8sm4132306muf.48.2009.03.07.10.33.15 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 07 Mar 2009 10:33:15 -0800 (PST)
Received: by x61s.janakj (Postfix, from userid 1000) id B5DF44403F8; Sat, 7 Mar 2009 19:33:13 +0100 (CET)
Date: Sat, 07 Mar 2009 19:33:13 +0100
From: Jan Janak <jan@ryngle.com>
To: Nils Ohlmeier <lists@ohlmeier.org>
Message-ID: <20090307183313.GA4364@x61s.janakj.ryngle.net>
References: <49AE593F.6080807@iptel.org> <e4c7495a3f98d5a2a85ccf85047515f0.squirrel@www.ohlmeier.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <e4c7495a3f98d5a2a85ccf85047515f0.squirrel@www.ohlmeier.com>
User-Agent: Mutt/1.5.18 (2008-05-17)
Cc: sip@ietf.org
Subject: Re: [Sip] draft-state-sip-relay-attack-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 07 Mar 2009 18:32:57 -0000

Nils,

On 05-03 14:40, Nils Ohlmeier wrote:
> Hello,
> 
> first of all I agree that the draft describes a potential problem.
> 
> One thing which is not that obvious but is implictly a requirement for the
> attack: the proxies has to challenge in-dialog requests. 

It is not the proxy who challenges the in-dialog request, it is the
attacker (Bob). 

Even if the proxy is configured not to challenge in-dialog requests, or even
if digest authentication is not used at all on the proxy, as long as it
forwards the 407 from the attacker, the attack would still be possible. The
proxy (in figure 2) is only used to make sure that the 407 generated by Bob
makes it to Alice.

See figure 2 in the I-D, the 407 is generated by Bob based on the 407 he
received from p2.com. And the 407 from p2.com is a response to an
out-of-dialog INVITE.

So a requirement to make the attack possible is that the user agent responds
to challenges generated for in-dialog requests.

> I do not see a
> big benefit in challeging in-dialog requests as these are hopefully
> rejected by the remote side if no matching dialog exists. 

Yes, hopefully :-). But what if not? What if you deploy a poorly implemented
PSTN gateway which would happily process an in-dialog request with no matching
dialog?  Of course you can test the gateway before you deploy it if it is
under your control.

There are other cases where you know nothing about the target UA
implementation, such as when the users of your proxy call other users and you
have no control over the UA implementation they use. 

> - I never unterstood why a proxy should pass through the authentication
> request from a foreign domain. 

Because this is how it is specified in section 22.3 of RFC3261.

> In which scenario do I have credentials for
> two different domains, but the traffic including authentication is passed
> through only one of them?

One such scenario is that you have a UA configured with credentials for two
different ITSPs and the UA uses another proxy server as the outbound proxy for
both of them. This outbound proxy could be your corporate proxy sitting on a
firewall, NAT conditioning proxy, SBC, etc..

   Jan.

v2.23.0 | Report a Bug | By Email