IETF Logo Mail Archive

Re: [Sip] draft-state-sip-relay-attack-00

"Nils Ohlmeier" <lists@ohlmeier.org> Mon, 09 March 2009 15:04 UTC

Return-Path: <lists@ohlmeier.org>
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 28C483A69BA for <sip@core3.amsl.com>; Mon, 9 Mar 2009 08:04:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id X7AaEWfM1dln for <sip@core3.amsl.com>; Mon, 9 Mar 2009 08:04:11 -0700 (PDT)
Received: from bespin.rfc3261.net (cl-395.ede-01.nl.sixxs.net [IPv6:2001:7b8:2ff:18a::2]) by core3.amsl.com (Postfix) with ESMTP id 3D2EC3A6C3D for <sip@ietf.org>; Mon, 9 Mar 2009 08:04:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by bespin.rfc3261.net (Postfix) with ESMTP id DC1697F97; Mon, 9 Mar 2009 16:04:41 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at bespin.rfc3261.net
Received: from bespin.rfc3261.net ([127.0.0.1]) by localhost (bespin.rfc3261.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLrxVzePOLJ5; Mon, 9 Mar 2009 16:04:41 +0100 (CET)
Received: from www.ohlmeier.com (localhost [127.0.0.1]) by bespin.rfc3261.net (Postfix) with ESMTP id A3C577F55; Mon, 9 Mar 2009 16:04:41 +0100 (CET)
Received: from 192.100.130.229 (SquirrelMail authenticated user lando) by www.ohlmeier.com with HTTP; Mon, 9 Mar 2009 16:04:41 +0100 (CET)
Message-ID: <3dc358653901c68d17436668827161f7.squirrel@www.ohlmeier.com>
In-Reply-To: <E6C2E8958BA59A4FB960963D475F7AC314C4DE62D4@mail>
References: <49AE593F.6080807@iptel.org> <e4c7495a3f98d5a2a85ccf85047515f0.squirrel@www.ohlmeier.com> <20090307183313.GA4364@x61s.janakj.ryngle.net> <E6C2E8958BA59A4FB960963D475F7AC314C4DE6292@mail> <49B2F7F2.6030804@ohlmeier.org> <E6C2E8958BA59A4FB960963D475F7AC314C4DE62D4@mail>
Date: Mon, 09 Mar 2009 16:04:41 +0100
From: Nils Ohlmeier <lists@ohlmeier.org>
To: Hadriel Kaplan <HKaplan@acmepacket.com>
User-Agent: SquirrelMail/1.4.15
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: "sip@ietf.org" <sip@ietf.org>
Subject: Re: [Sip] draft-state-sip-relay-attack-00
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Mar 2009 15:04:18 -0000

>> >>> - I never unterstood why a proxy should pass through the
>> authentication
>> >>> request from a foreign domain.
>> >> Because this is how it is specified in section 22.3 of RFC3261.
>> >
>> > And it would have to continue to do so.  There are actual use-cases
>> for
>> this.
>>
>> Could you please share one of these use-cases with me.
>
> Well, the 3GPP roaming case, for one.
> A pictorial version: http://www.tech-invite.com/Ti-ims-regflow-1.html

Well you are right, I was just thinking about the "typical"
proxy/registrar combination. But there are outbound or travesering
proxyies which don't do authentication at all.

To stay at your 3GPP romain case: I don't think this attack would be
possible if the S-CSCF does not pass through "unknown" auth requests.
Right?

The P-CSCF has to forward REGISTERs to non-local S-CSCF which then will
authenticate the registration with "unknown"/non-local realms. But as soon
as the UA is registered the P-CSCF should only accept terminating INVITE
requests for that UA from the S-CSCF where the user is registered to. And
again the S-CSCF of the user/UA has in my opinion no need to forward
"foreign" authentication requests, or?!

BTW as you pointed out already earlier debating this attack for IMS is
only hypothetical, because IMS allows calls only from registered UAs.

And from a more general perspective:
I believe that such a transitive proxy which does not do authentication by
himself should only accept auth requests from the serving/registrar proxy
(or however you call the element which does the authentication part).
Furthermore this transitive proxy should not allow dialogs over "just
transitive proxys" (which have now clue about authentication) only
(because that would allow the attacker again to send a challenge).

>> > I think there's even a reasonable use-case for challenging in-dialog
>> requests: connected-identity, for example.
>> >
>> > But you don't even need to challenge in-dialog requests for this form
>> of
>> attack: if the victim calls you, then you can challenge the initial
>> INVITE.
>>
>> Sorry, but how is this going to work in world without a SBC which knows
>> my credentials?
>
> SBC's don't usually know your credentials, even now.  They don't need to.
>
> But anyway, I'm not sure what you mean by the question.  How is what going
> to work?  Stopping INVITE-based authentication relay-attacks?  You don't
> need an SBC-type box to stop that.  Just disconnect the cable.  :)
> Or, use the counter-measures in the draft.  Or change the protocol, or at
> least the authentication mechanism.

My fault. I mis-read your original point.

Cheers
  Nils

v2.23.0 | Report a Bug | By Email