IETF Logo Mail Archive

Re: [sipcore] Security issue in -keep-08

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 24 November 2010 12:49 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8ADF528C1EA for <sipcore@core3.amsl.com>; Wed, 24 Nov 2010 04:49:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.208
X-Spam-Level:
X-Spam-Status: No, score=-5.208 tagged_above=-999 required=5 tests=[AWL=-1.509, BAYES_00=-2.599, J_CHICKENPOX_24=0.6, MANGLED_PILL=2.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gywfNBP+H7KP for <sipcore@core3.amsl.com>; Wed, 24 Nov 2010 04:49:20 -0800 (PST)
Received: from mailgw10.se.ericsson.net (mailgw10.se.ericsson.net [193.180.251.61]) by core3.amsl.com (Postfix) with ESMTP id 3184D28C1C4 for <sipcore@ietf.org>; Wed, 24 Nov 2010 04:49:19 -0800 (PST)
X-AuditID: c1b4fb3d-b7b8cae0000016b1-a3-4ced0a0a2898
Received: from esessmw0237.eemea.ericsson.se (Unknown_Domain [153.88.253.125]) by mailgw10.se.ericsson.net (Symantec Mail Security) with SMTP id 34.C5.05809.A0A0DEC4; Wed, 24 Nov 2010 13:50:19 +0100 (CET)
Received: from ESESSCMS0356.eemea.ericsson.se ([169.254.1.175]) by esessmw0237.eemea.ericsson.se ([153.88.115.90]) with mapi; Wed, 24 Nov 2010 13:50:18 +0100
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Robert Sparks <rjsparks@nostrum.com>, SIPCORE <sipcore@ietf.org>
Date: Wed, 24 Nov 2010 13:50:17 +0100
Thread-Topic: Security issue in -keep-08
Thread-Index: AcuLSRGPLIqZJaLvQqOi7v3m/yMeMAAjAw2g
Message-ID: <7F2072F1E0DE894DA4B517B93C6A05850307D840@ESESSCMS0356.eemea.ericsson.se>
References: <9D7CD9CF-4E47-41D1-8D01-F98808851223@nostrum.com>
In-Reply-To: <9D7CD9CF-4E47-41D1-8D01-F98808851223@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
Subject: Re: [sipcore] Security issue in -keep-08
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Nov 2010 12:49:25 -0000

Hi Robert,

Thanks for reviewing the document!

I guess the attack you describe could also happen in Outbound, if someone inserts an "ob" parameter in the Path header of the proxy adjacent to the UA, and that proxy does not check its Path header before forwarding the response to the UA.

Having said that, I guess a way to protect against this attack could be to say that an entity MUST stop sending STUN messages if it doesn't receive a response to them.

Regards,

Christer




 

> -----Original Message-----
> From: Robert Sparks [mailto:rjsparks@nostrum.com] 
> Sent: 23. marraskuuta 2010 22:00
> To: SIPCORE
> Cc: Christer Holmberg
> Subject: Security issue in -keep-08
> 
> I believe there is a serious problem with the recommendations 
> in the Security Considerations section in keep-08 where it 
> discusses having downstream elements change the keep parameter.
> 
> Consider this scenario. A user agent implementing this 
> specification sends a request that goes through two proxies 
> before it arrives at its destination. The first proxy does 
> not know about this specification. The second proxy does, and 
> chooses to attempt to maliciously affect the relationship 
> between UA1 and P1 as suggested in these security considerations.
> 
> View the following flow in a fixed-width font:
> 
> UA1                  P1               P2    UA2
>  |                   |                |      | 
>  | INVITE            |                |      |
>  | Via: UA;keep      | INVITE         |      |
>  |------------------>| Via: P1        |      | 
>  |                   | Via: UA;keep   |      | 
>  |                   |--------------->|      |
>  |                   |                |----->| 
>  |                   |                | 200  |
>  |                   | 200            |<-----|
>  |                   | Via: P1        |      |
>  | 200               | Via: UA;keep=1 |      |
>  | Via: UA;keep=1    |<---------------|      |
>  |<------------------|                |      | 
>  |                   |                |      | 
> 
> 
> Since P1 doesn't support this specification, it does not know 
> to look at "it's" Via to see if some downstream element has 
> modified what it would have put in the keep parameter value - 
> the recommendation in the current draft does not mitigate 
> this attack at all. If the hop between UA1 and P1 is UDP, 
> this may result in STUN being send towards P1's SIP listening 
> port with P1 not expecting (or being able to deal with) it.
> 
> This is a general problem with attempting to use Via 
> parameters to indicate support for extensions. A similar 
> problem exists for ;rport, and for ;lr. However, if a 
> downstream element abused those parameters, signaling is 
> guaranteed to fail. This proposed parameter has a different 
> property - this abuse may only result in extra traffic for 
> someone else.
> 
> I don't think this document is the right place to solve the 
> general problem, but this discussion needs to be rewritten to 
> be clearer about the problem and the lack of any current way 
> to mitigate it.
> 
> RjS

v2.23.0 | Report a Bug | By Email