11.2 Inside Attacks
<< consider the case of a rogue UAS that wishes to force a UAC to generate refreshes at a rapid rate. In that case, the UAC has to support session timer. The initial INVITE arrives at the rogue UAS, which returns a 2xx with a very small session interval. The UAC uses this timer, and quickly sends a refresh. Section 7.1 requires the UAC to copy the current session interval into the Session-Expires header field in the request. This enables the proxies to see the current value. The proxies will reject this request, and provide a Min-SE with a higher minimum. The UAC will then use this higher minimum. Note, that if the proxies did not reject the request, but rather proxied the request with a Min-SE header field, an attack would still be possible. The UAS could discard this header field in a 2xx response, and force the UAC to continue to generate rapid requests. >>

In this case the proxies or UAC do not check whether the SE header in the 2xx response is greater than their locally defined Min-SE value or not. If so, it would have been better.
In the current design, the UAC's and proxy's resources will be wasted unnecessarily in negotiating the Min-SE in every session refresh request.

Instead I propose to forward the 2xx response ONLY in case the SE value in the response is greater than its Min-SE (configured value), else drop the response, because there is no point in establishing a connection with a rogue UAS.
In addition I have one more query: in most of the scenarios which I came across in the draft, the Min-SE and SE values in the session refresh request will be the same. I feel the session refresh request could just carry the increased SE value; there is no need for carrying the Min-SE value also. In this case Min-SE does not serve any purpose (I assume so).

Am I missing anything???
Regards,
-------------------------------------------
Nataraju A.B.
Huawei Technologies India Pvt. Ltd.,
Tel : +91-98455-95744
-------------------------------------------
_______________________________________________ Sip-implementors mailing list [EMAIL PROTECTED] http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
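As an added illustration of the check proposed in the post above (example code, not from the thread or from any SIP stack): a UAC-side validator that parses the Session-Expires header of a 2xx and rejects the response when the offered interval is below the locally configured Min-SE, so the rogue-UAS case from section 11.2 is caught before a rapid refresh cycle starts. It assumes a local Min-SE of 90 seconds (RFC 4028's default), accepts an interval equal to Min-SE since the RFC only forbids values lower than Min-SE, and understands the compact header form "x"; the sample responses are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass
from typing import Optional

DEFAULT_MIN_SE = 90  # RFC 4028 default minimum session interval, in seconds

@dataclass
class SessionTimer:
    interval: int             # Session-Expires value, in seconds
    refresher: Optional[str]  # "uac", "uas", or None when the parameter is absent

def parse_session_expires(value: str) -> SessionTimer:
    """Parse a Session-Expires value such as '1800;refresher=uas'."""
    m = re.fullmatch(r"\s*(\d+)\s*((?:;[^;]*)*)", value)
    if m is None:
        raise ValueError(f"malformed Session-Expires value: {value!r}")
    refresher = None
    for param in m.group(2).split(";"):
        name, _, val = param.strip().partition("=")
        if name.strip().lower() == "refresher":
            refresher = val.strip().lower()
    return SessionTimer(int(m.group(1)), refresher)

def header_value(message: str, name: str, compact: Optional[str] = None) -> Optional[str]:
    """Return the first header with the given name (or its compact form), case-insensitively."""
    wanted = {name.lower()} | ({compact.lower()} if compact else set())
    for line in message.split("\r\n"):
        field, sep, val = line.partition(":")
        if sep and field.strip().lower() in wanted:
            return val.strip()
    return None

def check_2xx_session_interval(response: str, local_min_se: int = DEFAULT_MIN_SE):
    """The check proposed in the post: accept a 2xx only if its Session-Expires is at
    least the local Min-SE. Returns ("accept", SessionTimer|None) or ("reject", reason)."""
    se = header_value(response, "Session-Expires", compact="x")
    if se is None:
        return "accept", None  # no session timer negotiated; nothing to police
    timer = parse_session_expires(se)
    if timer.interval < local_min_se:
        return "reject", f"Session-Expires {timer.interval}s is below local Min-SE {local_min_se}s"
    return "accept", timer

# Constructed sample responses (not captured traffic): a rogue UAS offering a
# 5-second interval, and a well-behaved UAS offering 1800 seconds via the compact form.
ROGUE_2XX = ("SIP/2.0 200 OK\r\nCall-ID: constructed-1@uac.example.invalid\r\n"
             "Session-Expires: 5;refresher=uac\r\nContent-Length: 0\r\n\r\n")
GOOD_2XX = ("SIP/2.0 200 OK\r\nCall-ID: constructed-2@uac.example.invalid\r\n"
            "x: 1800;refresher=uas\r\nContent-Length: 0\r\n\r\n")
```

Calling `check_2xx_session_interval(ROGUE_2XX)` yields a reject with the reason string, while `GOOD_2XX` is accepted with a 1800-second interval and the UAS as refresher.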
