On Thu, Mar 5, 2009 at 2:41 PM, Raphael Coeffic <[email protected]> wrote:
> I really think that mutual authentication is the way to go.

MTLS is indeed a good way to go for so many reasons, but it's not the only way this can be fixed. For the fig 3 attack, receiving the response down the same stream-oriented connection indicates it came from the proxy, not the attacker. In the case of datagram, an adjustment to draft-zourzouvillys-via-cookies to get the proxy to re-add the cookie value in the response would solve the direct-to-source response scenario without having the evil DNS lookup hacks in place.

> Having the BCP gathered into this document (or another one, I don't care)
> would be a good thing to do. If you let people think by themselves, you
> might end up with the situation we have right now.

We'll end up with insecure implementations whatever we do - although education is the key to minimising them.

> If you provide me with the input, I'd be very happy to document those
> issues.

I'll see if I can find time :-)

~ Theo
_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
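The datagram case Theo describes above, as an added illustration that is not part of the original thread or of draft-zourzouvillys-via-cookies itself: the UA puts an unguessable cookie in its top Via, the proxy copies the Via back into the response unchanged, and the UA accepts a response only if both the branch and the cookie are echoed. The Via parameter name `cookie`, the message bodies, the branch value and the hosts are all constructed for this example; the draft may use a different parameter name.

```python
import hmac
import secrets


def make_cookie() -> str:
    """Fresh per-request secret. 128 bits is plenty to defeat guessing."""
    return secrets.token_hex(16)


def build_via(transport: str, sent_by: str, branch: str, cookie: str) -> str:
    # Hypothetical parameter name "cookie" (assumption, see lead-in).
    return f"SIP/2.0/{transport} {sent_by};branch={branch};cookie={cookie}"


def parse_via(value: str) -> dict:
    """Parse 'SIP/2.0/UDP host:port;p=v;q=w' into transport, sent-by and params."""
    parts = [p.strip() for p in value.split(";")]
    head = parts[0].split()
    if len(head) != 2 or not head[0].startswith("SIP/2.0/"):
        raise ValueError(f"malformed Via: {value!r}")
    params = {}
    for p in parts[1:]:
        name, _, val = p.partition("=")
        params[name.lower()] = val
    return {"transport": head[0][len("SIP/2.0/"):], "sent_by": head[1], "params": params}


def top_via(message: str):
    """Return the value of the first Via header (long or compact form), or None."""
    for line in message.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):
            return value.strip()
    return None


def response_is_trustworthy(request: str, response: str) -> bool:
    """Accept a UDP response only if the proxy echoed our branch AND our cookie."""
    req = parse_via(top_via(request))
    resp_via = top_via(response)
    if resp_via is None:
        return False
    resp = parse_via(resp_via)
    # RFC 3261 transaction matching: branch must match the request.
    if resp["params"].get("branch") != req["params"].get("branch"):
        return False
    # Via-cookie check: the cookie only ever travelled to the proxy we sent to,
    # so a forger replying directly to the source cannot know it.
    expected = req["params"].get("cookie")
    got = resp["params"].get("cookie")
    if expected is None or got is None:
        return False
    return hmac.compare_digest(expected, got)


def demo():
    """Constructed exchange: one genuine proxy response, two forged ones."""
    branch = "z9hG4bK776asdhds"              # constructed branch value
    cookie = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"  # fixed here so results are repeatable
    via = build_via("UDP", "192.0.2.10:5060", branch, cookie)
    request = (
        "INVITE sip:[email protected] SIP/2.0\r\n"
        f"Via: {via}\r\n"
        "Call-ID: example-call-1\r\n\r\n"
    )
    # Proxy behaviour assumed by the draft tweak: copy the request's Via verbatim.
    genuine = f"SIP/2.0 200 OK\r\nVia: {via}\r\nCall-ID: example-call-1\r\n\r\n"
    # Attacker replying straight to the source: can guess/observe the branch
    # format but not the cookie, so either omits it or sends the wrong one.
    forged_no_cookie = (
        f"SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.0.2.10:5060;branch={branch}\r\n\r\n"
    )
    forged_bad_cookie = (
        f"SIP/2.0 200 OK\r\nVia: {build_via('UDP', '192.0.2.10:5060', branch, 'f' * 32)}\r\n\r\n"
    )
    return (
        response_is_trustworthy(request, genuine),
        response_is_trustworthy(request, forged_no_cookie),
        response_is_trustworthy(request, forged_bad_cookie),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

This only helps if the cookie is fresh and unpredictable per request and the proxy echoes the Via unchanged; a fixed or sequential cookie would be as guessable as the branch. For stream transports the same property falls out of the connection itself, as Theo notes, so the cookie check matters for the UDP path.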
