> On Wed, Mar 11, 2009 at 2:49 PM, Nils Ohlmeier <[email protected]> wrote:
>> Sure, to create a Contact binding via an authenticated REGISTER is one
>> possible solution.
>> But I think this only works because you rely on the fact that REGISTERs
>> are not being retargeted like INVITEs. Which then in the end means you
>> simply can forget about authenticating all other requests, as long as the
>> Contact or IP/port was successfully authenticated via the "one hop"
>> REGISTER method (refer to: IMS).
>> The advantage of this solution is clearly that it can be easily deployed
>> by hopefully most of the service providers today.
>>
>> But I believe the proper technical solution would be that the server
>> authenticates itself in the challenge, plus adding protected information
>> to the challenge which allows the receiver of the challenge to verify that
>> this challenge was/is targeted to himself.
>> The disadvantage is clearly that this would be only possible with
>> extensions of the existing protocols. But we would/might gain other
>> benefits by such a solution as well.
>
> I did not follow the discussion on draft-dotson-sip-mutual-auth. Has
> this work been discontinued?
>
> http://tools.ietf.org/id/draft-dotson-sip-mutual-auth-03.txt
I cannot answer your question. But this draft does not solve the discussed attack, because the server is authenticated after the victim has already sent its credentials to the attacker. To have a chance to solve the attack scenario the server/challenger would have to prove its identity together with the challenge, to prevent the victim from sending out its credentials to the attacker at all.

Regards
Nils Ohlmeier

_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
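The check Nils is asking for, a challenge that names its intended recipient and proves the challenger's identity before any credentials are sent, as an added toy model that is not part of this thread, of draft-dotson-sip-mutual-auth or of any SIP stack. It assumes a made-up `target`/`tag` pair in the challenge, keys the tag with the Digest HA1 the user and server already share (standing in for a real server signature), and uses constructed user URIs and passwords.

```python
import hashlib
import hmac
import secrets

# Digest HA1 (RFC 2617 style): the secret the user and the server already share.
def ha1(username: str, realm: str, password: str) -> bytes:
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest().encode()

# Hypothetical "protected information": a MAC over realm, nonce and the target URI,
# keyed with the target user's HA1. Only a server that knows that user's secret
# can produce it, and it changes if the target field is altered.
def challenge_tag(secret: bytes, realm: str, nonce: str, target: str) -> str:
    msg = f"{realm}|{nonce}|{target}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

# Server side: issue a challenge bound to exactly one recipient.
def issue_challenge(realm: str, nonce: str, target: str, user_db: dict) -> dict:
    return {"realm": realm, "nonce": nonce, "target": target,
            "tag": challenge_tag(user_db[target], realm, nonce, target)}

# Client side: decide whether to answer at all. Credentials are only computed
# when the challenge names me and its tag proves the challenger knows my secret.
def accept_challenge(challenge: dict, my_uri: str, my_secret: bytes) -> bool:
    if challenge.get("target") != my_uri:
        return False
    expected = challenge_tag(my_secret, challenge["realm"], challenge["nonce"], my_uri)
    return hmac.compare_digest(expected, challenge.get("tag", ""))

# Three constructed scenarios: (own challenge, relayed challenge, relayed and
# re-labelled challenge). Only the first should be answered.
def demo() -> tuple:
    realm = "example.com"
    alice, bob = "sip:alice@example.com", "sip:bob@example.com"
    users = {alice: ha1("alice", realm, "alice-pw"), bob: ha1("bob", realm, "bob-pw")}
    nonce = secrets.token_hex(16)
    for_alice = issue_challenge(realm, nonce, alice, users)
    own = accept_challenge(for_alice, alice, users[alice])           # True
    relayed = accept_challenge(for_alice, bob, users[bob])           # False: not for Bob
    relabelled = dict(for_alice, target=bob)                         # tag no longer matches
    relabelled_ok = accept_challenge(relabelled, bob, users[bob])    # False
    return own, relayed, relabelled_ok

if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The binding is only as strong as the server's ability to authenticate itself; with a shared HA1 it proves knowledge of the user's secret, which a real extension would rather do with a server signature the client can verify.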
