At Tue, 5 Aug 2008 13:57:34 -0700,
Dan Wing wrote:
> > What I'm saying is that a message-oriented system like SIP inherently
> > has replay attacks. If you want to remove replay attacks, you'll
> > need to do it at a separate layer.
>
> And both draft-fischer-sip-e2e-sec-media and draft-wing-sip-identity-media
> provide the security at a separate layer: the media layer.
Unfortunately, this is the same conflation of concerns that has
characterized discussion of these drafts from the beginning. Quoting
my review of -01 from 2007/11:
    This draft seems to do two distinct things:
    - Specify a variant of RFC 4474 which signs a lot fewer headers.
      [This should have said less of the message -- EKR]
    - Specify a set of mechanisms to cryptographically prove that a given media
      stream corresponds to a given SDP offer/answer.
These issues are wholly orthogonal and it just confuses the discussion
to try to discuss them together. If the WG thinks it's important to
prevent the Baiting attack then we can discuss mechanisms for that.
However, I'd note that I didn't see anyone arguing for that in Dublin,
so I question whether it is in fact something people care about
much. [For my part, I don't think that it's important to do so in the
absence of DTLS-SRTP, where it's more or less automatically blocked.]
However, those mechanisms can be introduced without modifying the
procedures of RFC 4474.
This brings us back to the idea of exempting more of the message
from the signature, which would require modifications to RFC 4474.
Again, this may (or may not) be something we need to do, but I
don't see that the Baiting attack is an argument for doing so.
(Though I would note that removing some properties of the message,
such as Call-Id, from the signature, will probably make replay
attacks easier to mount).
-Ekr
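To make the last point concrete, here is an added example (not from the thread or from either draft) that models the RFC 4474 digest-string and shows what happens to a re-sent request with a fresh Call-ID when Call-ID is and is not covered by the signature. HMAC-SHA256 with a constructed key stands in for RFC 4474's RSA-SHA1 signature by the domain's certificate, and the message fields are constructed sample values; an exact byte-for-byte replay still verifies either way, which is the "separate layer" problem above.

```python
import hmac
import hashlib

# RFC 4474 signs From, To, Call-ID, CSeq, Date, Contact and the body,
# concatenated with '|' (simplified here: whole header values, not addr-specs).
RFC4474_FIELDS = ("from", "to", "call-id", "cseq", "date", "contact")


def digest_string(msg, signed_fields=RFC4474_FIELDS):
    """Build the string the Identity signature covers.

    `signed_fields` models a variant that exempts parts of the message
    (e.g. Call-ID) from the signature."""
    parts = [msg[f] for f in signed_fields]
    parts.append(msg["body"])
    return "|".join(parts)


def sign(msg, key, signed_fields=RFC4474_FIELDS):
    # Stand-in for the RSA-SHA1 signature of RFC 4474 (assumption: HMAC, constructed key).
    data = digest_string(msg, signed_fields).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(msg, sig, key, signed_fields=RFC4474_FIELDS):
    return hmac.compare_digest(sign(msg, key, signed_fields), sig)


# Constructed sample INVITE fields (not taken from the discussion).
ORIGINAL = {
    "from": "sip:alice@example.com",
    "to": "sip:bob@example.net",
    "call-id": "a84b4c76e66710@pc33.example.com",
    "cseq": "314159 INVITE",
    "date": "Thu, 21 Feb 2002 13:02:03 GMT",
    "contact": "sip:alice@pc33.example.com",
    "body": "v=0\r\nm=audio 49172 RTP/AVP 0\r\n",
}
KEY = b"constructed-domain-signing-key"


def replay_detected(signed_fields=RFC4474_FIELDS):
    """True if a re-sent copy carrying a fresh Call-ID fails verification,
    i.e. the signature still binds the Call-ID to the original dialog."""
    sig = sign(ORIGINAL, KEY, signed_fields)
    resent = dict(ORIGINAL, **{"call-id": "fresh-id@replay.example"})
    return not verify(resent, sig, KEY, signed_fields)
```

With the full RFC 4474 field set `replay_detected()` is True; with Call-ID exempted it is False, since the same signature now validates a request that looks like a new dialog.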
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip