IETF Logo Mail Archive

Re: [sipcore] Security issue in -keep-08

Robert Sparks <rjsparks@nostrum.com> Mon, 29 November 2010 16:23 UTC

Return-Path: <rjsparks@nostrum.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 010E028C143 for <sipcore@core3.amsl.com>; Mon, 29 Nov 2010 08:23:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.711
X-Spam-Level:
X-Spam-Status: No, score=-100.711 tagged_above=-999 required=5 tests=[AWL=-1.010, BAYES_00=-2.599, J_CHICKENPOX_24=0.6, MANGLED_PILL=2.3, SPF_PASS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e6fh0Wrqu+oZ for <sipcore@core3.amsl.com>; Mon, 29 Nov 2010 08:23:41 -0800 (PST)
Received: from nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by core3.amsl.com (Postfix) with ESMTP id 25FAC3A6C1D for <sipcore@ietf.org>; Mon, 29 Nov 2010 08:23:39 -0800 (PST)
Received: from dn3-177.estacado.net (vicuna-alt.estacado.net [75.53.54.121]) (authenticated bits=0) by nostrum.com (8.14.3/8.14.3) with ESMTP id oATGOkvK063472 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 29 Nov 2010 10:24:46 -0600 (CST) (envelope-from rjsparks@nostrum.com)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Robert Sparks <rjsparks@nostrum.com>
In-Reply-To: <7F2072F1E0DE894DA4B517B93C6A0585030B1833@ESESSCMS0356.eemea.ericsson.se>
Date: Mon, 29 Nov 2010 10:24:45 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <02688FBA-D5B4-403E-944E-FB9245936F36@nostrum.com>
References: <9D7CD9CF-4E47-41D1-8D01-F98808851223@nostrum.com> <7F2072F1E0DE894DA4B517B93C6A05850307D840@ESESSCMS0356.eemea.ericsson.se> <7F2072F1E0DE894DA4B517B93C6A0585030B1833@ESESSCMS0356.eemea.ericsson.se>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.1082)
Received-SPF: pass (nostrum.com: 75.53.54.121 is authenticated by a trusted mechanism)
Cc: SIPCORE <sipcore@ietf.org>
Subject: Re: [sipcore] Security issue in -keep-08
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2010 16:23:42 -0000

I don't object to the direction this text is taking, but it doesn't _prevent_ attacks. It only mitigates the damage, and it assumes the
attacked element doesn't just break when it gets the first STUN message on its SIP listening port.

On Nov 26, 2010, at 1:30 AM, Christer Holmberg wrote:

> 
> Hi Robert,
> 
> I suggest adding the following new paragraph to the security considerations section:
> 
> "In order to prevent attacks, when an entity sends STUN keep-alives to an adjacent downstream entity that is not willing to receive keep-alives (or does not support STUN), but for which willingess to receive keep-alives has been inidicated by some other downstream entity, if the sending entity does not receive a response to any of the STUN keep-alive requests, it MUST stop 
> sending the keep-alive requests for the remaining duration of the dialog (if the sending of keep-alives were negotiated for a dialog) or until the sending of keep-alives is re-negotiated for the registration (if the sending keep-alives were negotiated for a registration). Further actions taken by the sending entity is outside the scope of this specification."
> 
> Regards,
> 
> Christer
> 
>> -----Original Message-----
>> From: sipcore-bounces@ietf.org 
>> [mailto:sipcore-bounces@ietf.org] On Behalf Of Christer Holmberg
>> Sent: 24. marraskuuta 2010 14:50
>> To: Robert Sparks; SIPCORE
>> Subject: Re: [sipcore] Security issue in -keep-08
>> 
>> 
>> Hi Robert,
>> 
>> Thanks for reviewing the document!
>> 
>> I guess the attack you describe could also happen in 
>> Outbound, if someone inserts an "ob" parameter in the Path 
>> header of the proxy adjacent to the UA, and that proxy does 
>> not check its Path header before forwarding the response to the UA.
>> 
>> Having said that, I guess a way to protect against this 
>> attack could be to say that an entity MUST stop sending STUN 
>> messages if it doesn't receive a response to them.
>> 
>> Regards,
>> 
>> Christer
>> 
>> 
>> 
>> 
>> 
>> 
>>> -----Original Message-----
>>> From: Robert Sparks [mailto:rjsparks@nostrum.com]
>>> Sent: 23. marraskuuta 2010 22:00
>>> To: SIPCORE
>>> Cc: Christer Holmberg
>>> Subject: Security issue in -keep-08
>>> 
>>> I believe there is a serious problem with the 
>> recommendations in the 
>>> Security Considerations section in keep-08 where it 
>> discusses having 
>>> downstream elements change the keep parameter.
>>> 
>>> Consider this scenario. A user agent implementing this 
>> specification 
>>> sends a request that goes through two proxies before it 
>> arrives at its 
>>> destination. The first proxy does not know about this 
>> specification. 
>>> The second proxy does, and chooses to attempt to maliciously affect 
>>> the relationship between UA1 and P1 as suggested in these security 
>>> considerations.
>>> 
>>> View the following flow in a fixed-width font:
>>> 
>>> UA1                  P1               P2    UA2
>>> |                   |                |      | 
>>> | INVITE            |                |      |
>>> | Via: UA;keep      | INVITE         |      |
>>> |------------------>| Via: P1        |      | 
>>> |                   | Via: UA;keep   |      | 
>>> |                   |--------------->|      |
>>> |                   |                |----->| 
>>> |                   |                | 200  |
>>> |                   | 200            |<-----|
>>> |                   | Via: P1        |      |
>>> | 200               | Via: UA;keep=1 |      |
>>> | Via: UA;keep=1    |<---------------|      |
>>> |<------------------|                |      | 
>>> |                   |                |      | 
>>> 
>>> 
>>> Since P1 doesn't support this specification, it does not 
>> know to look 
>>> at "it's" Via to see if some downstream element has 
>> modified what it 
>>> would have put in the keep parameter value - the 
>> recommendation in the 
>>> current draft does not mitigate this attack at all. If the 
>> hop between 
>>> UA1 and P1 is UDP, this may result in STUN being send 
>> towards P1's SIP 
>>> listening port with P1 not expecting (or being able to deal 
>> with) it.
>>> 
>>> This is a general problem with attempting to use Via parameters to 
>>> indicate support for extensions. A similar problem exists 
>> for ;rport, 
>>> and for ;lr. However, if a downstream element abused those 
>> parameters, 
>>> signaling is guaranteed to fail. This proposed parameter has a 
>>> different property - this abuse may only result in extra 
>> traffic for 
>>> someone else.
>>> 
>>> I don't think this document is the right place to solve the general 
>>> problem, but this discussion needs to be rewritten to be 
>> clearer about 
>>> the problem and the lack of any current way to mitigate it.
>>> 
>>> RjS
>> _______________________________________________
>> sipcore mailing list
>> sipcore@ietf.org
>> https://www.ietf.org/mailman/listinfo/sipcore
>>

v2.23.0 | Report a Bug | By Email