Jonathan Rosenberg wrote:
> Raphael and others,
> Thanks for putting this together.
> Considering for a moment figure 1, this attack is possible only if UAs
> accept incoming requests from any place, and not just their proxy. In
> practice, this is seldom allowed. Indeed, if it is allowed, there are
> worse attacks than this which can be launched (free phone calls, spam
> calling, etc.). Using the SIP recommended TLS between UA and proxy
> also mitigates that.

That's right, and also the reason we called this the basic attack. Using
TLS would indeed be a good choice; unfortunately, only a few providers
offer it to their customers (but of course, that is only for the small
panel I know of, and those I use).

> So really figure 2 is the interesting one. However, this attack
> assumes that Alice has credentials on multiple systems. Again, in
> practice, this is extremely uncommon. Certainly none of the existing
> deployed enterprise or service provider consumer deployments are of
> this nature.

I understand that this might not be a common case, as the common case is
more focused on a Vonage (or similar) customer receiving a
ready-configured phone that just has to be plugged into the residential
gateway. However, a lot of SIP freaks like us do have a lot of
configured accounts on the same phone, and not only for test purposes.
For my part, my home phone is connected with 3 accounts: one default
(PSTN), my iptel.org account, and another provider that owns one of our
PSTN numbers (only inbound).

One year ago I saw an application for a residential gateway
implementing a SIP least cost router. It was available as an unofficial
upgrade for a very popular type of residential gateway. In that case, the
configuration was at its minimum: all the required config was downloaded
by the least cost router application. All you had to do was to create
some accounts at some PSTN providers, and configure them into the box,
which would do the rest.

I can believe that this kind of application could become more popular,
just like they were in the PSTN.

> As such, I don't think this attack is likely in practice. However, in
> theory it is possible. The essence of the attack is that the victim is
> providing credentials to an unauthenticated server (since the attacker
> is acting like a server, asking for credentials). In that way, as
> others have pointed out, it is similar to baiting attacks that have
> been previously documented. With SIP it is most easily remedied by a
> rule which says, 'don't pass credentials for domain X to a server that
> is not domain X'.

Which means that you exclude any relays in between. I think it also
implies reverse DNS lookups, right?

> Server identity can be verified by normal server-only auth between a
> client and its server, but even that is not needed.

Right, mutual authentication seems to be the best way.

> A client will know which domain its proxy is representing, and once
> connected, it only provides credentials for that domain.

What do you mean by "connected"? And why should a UA only provide
credentials for one domain?
Is that about TCP or SCTP connections, and providing credentials only
for a particular domain on a particular connection?
-Raphael.
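As an added illustration of the client-side rule discussed above ("don't pass credentials for domain X to a server that is not domain X"), here is a small policy check; it is not code from this thread or from any SIP stack. It assumes the Digest realm in the challenge equals the provider's domain, and that `peer_domain` is the server identity the transport layer actually verified (for example the proxy's TLS certificate), so a challenge that arrives from anyone else gets no digest response. The account store and the 407 message are constructed sample data.

```python
import re
from typing import Optional, Tuple

# Constructed credential store: realm -> (user, password).
# Assumption: each account is keyed by the realm its provider challenges with.
CREDENTIALS = {
    "iptel.org": ("raphael", "example-password"),
    "pstn-provider.example": ("0123456789", "example-password"),
}

CHALLENGE_RE = re.compile(
    r"^(?:WWW-Authenticate|Proxy-Authenticate):\s*Digest\s+(.*)$", re.I | re.M
)

def parse_realm(sip_message: str) -> Optional[str]:
    """Return the Digest realm of a 401/407 challenge, or None if there is none."""
    m = CHALLENGE_RE.search(sip_message)
    if not m:
        return None
    params = dict(re.findall(r'(\w+)="([^"]*)"', m.group(1)))
    return params.get("realm")

def may_release_credentials(sip_message: str,
                            peer_domain: Optional[str]) -> Tuple[bool, str]:
    """Decide whether the UA may answer this challenge with digest credentials.

    peer_domain is the identity verified for the connection the challenge
    came over; None means the server was never authenticated. Credentials for
    realm X are released only to a verified server that *is* X.
    """
    realm = parse_realm(sip_message)
    if realm is None:
        return False, "no Digest challenge in message"
    if realm not in CREDENTIALS:
        return False, "no account configured for realm " + realm
    if peer_domain is None:
        return False, "server identity not verified; refusing to answer"
    if peer_domain.lower() != realm.lower():
        return False, "realm %s challenged by %s; refusing" % (realm, peer_domain)
    return True, "answer Digest challenge for " + realm

# Constructed 407 challenge as a UA might receive it for an INVITE.
SAMPLE_407 = (
    "SIP/2.0 407 Proxy Authentication Required\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10;branch=z9hG4bKexample\r\n"
    'Proxy-Authenticate: Digest realm="iptel.org", nonce="abc123", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n"
)
```

With `peer_domain="iptel.org"` the challenge is answered; the same challenge over an unverified connection, or one to another domain, is refused.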
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip