IETF Logo Mail Archive

Re: [sipcore] Security issue in -keep-08

Christer Holmberg <christer.holmberg@ericsson.com> Fri, 26 November 2010 07:30 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 45F813A6A0B for <sipcore@core3.amsl.com>; Thu, 25 Nov 2010 23:30:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.075
X-Spam-Level:
X-Spam-Status: No, score=-5.075 tagged_above=-999 required=5 tests=[AWL=-1.376, BAYES_00=-2.599, J_CHICKENPOX_24=0.6, MANGLED_PILL=2.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DOAHxWTE5RtN for <sipcore@core3.amsl.com>; Thu, 25 Nov 2010 23:30:00 -0800 (PST)
Received: from mailgw9.se.ericsson.net (mailgw9.se.ericsson.net [193.180.251.57]) by core3.amsl.com (Postfix) with ESMTP id 955DA3A695C for <sipcore@ietf.org>; Thu, 25 Nov 2010 23:29:59 -0800 (PST)
X-AuditID: c1b4fb39-b7c5aae000003b0f-5a-4cef6235913e
Received: from esessmw0184.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw9.se.ericsson.net (Symantec Mail Security) with SMTP id 45.27.15119.5326FEC4; Fri, 26 Nov 2010 08:31:01 +0100 (CET)
Received: from ESESSCMS0356.eemea.ericsson.se ([169.254.1.175]) by esessmw0184.eemea.ericsson.se ([153.88.115.81]) with mapi; Fri, 26 Nov 2010 08:31:00 +0100
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Robert Sparks <rjsparks@nostrum.com>, SIPCORE <sipcore@ietf.org>
Date: Fri, 26 Nov 2010 08:30:59 +0100
Thread-Topic: Security issue in -keep-08
Thread-Index: AcuLSRGPLIqZJaLvQqOi7v3m/yMeMAAjAw2gAFkjF5A=
Message-ID: <7F2072F1E0DE894DA4B517B93C6A0585030B1833@ESESSCMS0356.eemea.ericsson.se>
References: <9D7CD9CF-4E47-41D1-8D01-F98808851223@nostrum.com> <7F2072F1E0DE894DA4B517B93C6A05850307D840@ESESSCMS0356.eemea.ericsson.se>
In-Reply-To: <7F2072F1E0DE894DA4B517B93C6A05850307D840@ESESSCMS0356.eemea.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
Subject: Re: [sipcore] Security issue in -keep-08
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Nov 2010 07:30:02 -0000

Hi Robert,

I suggest adding the following new paragraph to the security considerations section:

"In order to prevent attacks, when an entity sends STUN keep-alives to an adjacent downstream entity that is not willing to receive keep-alives (or does not support STUN), but for which willingess to receive keep-alives has been inidicated by some other downstream entity, if the sending entity does not receive a response to any of the STUN keep-alive requests, it MUST stop 
sending the keep-alive requests for the remaining duration of the dialog (if the sending of keep-alives were negotiated for a dialog) or until the sending of keep-alives is re-negotiated for the registration (if the sending keep-alives were negotiated for a registration). Further actions taken by the sending entity is outside the scope of this specification."

Regards,

Christer

> -----Original Message-----
> From: sipcore-bounces@ietf.org 
> [mailto:sipcore-bounces@ietf.org] On Behalf Of Christer Holmberg
> Sent: 24. marraskuuta 2010 14:50
> To: Robert Sparks; SIPCORE
> Subject: Re: [sipcore] Security issue in -keep-08
> 
> 
> Hi Robert,
> 
> Thanks for reviewing the document!
> 
> I guess the attack you describe could also happen in 
> Outbound, if someone inserts an "ob" parameter in the Path 
> header of the proxy adjacent to the UA, and that proxy does 
> not check its Path header before forwarding the response to the UA.
> 
> Having said that, I guess a way to protect against this 
> attack could be to say that an entity MUST stop sending STUN 
> messages if it doesn't receive a response to them.
> 
> Regards,
> 
> Christer
> 
> 
> 
> 
>  
> 
> > -----Original Message-----
> > From: Robert Sparks [mailto:rjsparks@nostrum.com]
> > Sent: 23. marraskuuta 2010 22:00
> > To: SIPCORE
> > Cc: Christer Holmberg
> > Subject: Security issue in -keep-08
> > 
> > I believe there is a serious problem with the 
> recommendations in the 
> > Security Considerations section in keep-08 where it 
> discusses having 
> > downstream elements change the keep parameter.
> > 
> > Consider this scenario. A user agent implementing this 
> specification 
> > sends a request that goes through two proxies before it 
> arrives at its 
> > destination. The first proxy does not know about this 
> specification. 
> > The second proxy does, and chooses to attempt to maliciously affect 
> > the relationship between UA1 and P1 as suggested in these security 
> > considerations.
> > 
> > View the following flow in a fixed-width font:
> > 
> > UA1                  P1               P2    UA2
> >  |                   |                |      | 
> >  | INVITE            |                |      |
> >  | Via: UA;keep      | INVITE         |      |
> >  |------------------>| Via: P1        |      | 
> >  |                   | Via: UA;keep   |      | 
> >  |                   |--------------->|      |
> >  |                   |                |----->| 
> >  |                   |                | 200  |
> >  |                   | 200            |<-----|
> >  |                   | Via: P1        |      |
> >  | 200               | Via: UA;keep=1 |      |
> >  | Via: UA;keep=1    |<---------------|      |
> >  |<------------------|                |      | 
> >  |                   |                |      | 
> > 
> > 
> > Since P1 doesn't support this specification, it does not 
> know to look 
> > at "it's" Via to see if some downstream element has 
> modified what it 
> > would have put in the keep parameter value - the 
> recommendation in the 
> > current draft does not mitigate this attack at all. If the 
> hop between 
> > UA1 and P1 is UDP, this may result in STUN being send 
> towards P1's SIP 
> > listening port with P1 not expecting (or being able to deal 
> with) it.
> > 
> > This is a general problem with attempting to use Via parameters to 
> > indicate support for extensions. A similar problem exists 
> for ;rport, 
> > and for ;lr. However, if a downstream element abused those 
> parameters, 
> > signaling is guaranteed to fail. This proposed parameter has a 
> > different property - this abuse may only result in extra 
> traffic for 
> > someone else.
> > 
> > I don't think this document is the right place to solve the general 
> > problem, but this discussion needs to be rewritten to be 
> clearer about 
> > the problem and the lack of any current way to mitigate it.
> > 
> > RjS
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>

v2.14.0 | Report a Bug | By Email