Raphael Coeffic wrote:

As such, I don't think this attack is likely in practice. However, in theory it is possible. The essence of the attack is that the victim is providing credentials to an unauthenticated server (since the attacker is acting like a server, asking for credentials). In that way, as others have pointed out, it is similar to baiting attacks that have been previously documented. With SIP it is most easily remedied by a rule which says, 'don't pass credentials for domain X to a server that is not domain X'.
Which means that you exclude any relays in between. I think it also implies reverse DNS lookups, right?

No - no reverse DNS.
And I am excluding cases where, you are connected (meaning, the domain you registered to) to one domain and making a call through that domain reach another domain which requires your credentials. I think that is very unlikely.


Server identity can be verified by normal server-only auth between a client and its server, but even that is not needed.
Right, mutual authentication seems to be the best way.

A client will know which domain its proxy is representing, and once connected, it only provides credentials for that domain.

What do you mean by "connected"? And why should a UA only provide credentials for one domain only?

I'm saying, when a phone registers or makes a call, it does so by connecting to a SIP server, through a domain name or IP config or whatever. That server will have an associated credential. For any request sent to that server, it should never provide a credential except the one associated with it.

Your attack is possible only when the client sends credentials for a domain, different than the one it is currently registered or placed the call through in the first place.

-Jonathan R.

--
Jonathan D. Rosenberg, Ph.D.                   111 Wood Avenue South
Cisco Fellow                                   Iselin, NJ 08830
Cisco, Voice Technology Group
[email protected]
http://www.jdrosen.net                         PHONE: (408) 902-3084
http://www.cisco.com
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
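
The rule discussed in this message ('don't pass credentials for domain X to a server that is not domain X'), sketched as a UA-side check. This is an added example, not code from the thread or from any SIP stack; the credential store, function names and SIP responses are constructed, and treating the Digest realm as the "domain" is an assumption.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    realm: str
    username: str
    password: str

# Constructed store: the UA holds credentials for two unrelated domains.
STORE = {
    "example.com": Credential("example.com", "alice", "pw-example"),
    "bank.example.net": Credential("bank.example.net", "alice", "pw-bank"),
}

_REALM = re.compile(r'\brealm="([^"]*)"', re.IGNORECASE)

def challenge_realms(response: str) -> list[str]:
    """Realms of all Digest challenges in a SIP 401/407 response."""
    realms = []
    for line in response.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() in ("www-authenticate", "proxy-authenticate"):
            match = _REALM.search(value)
            if value.strip().lower().startswith("digest") and match:
                realms.append(match.group(1))
    return realms

def naive_select(response: str) -> list[Credential]:
    """Risky: answers any challenge whose realm happens to be in the store."""
    return [STORE[r] for r in challenge_realms(response) if r in STORE]

def bound_select(response: str, server_realm: str) -> list[Credential]:
    """Answers only challenges for the realm tied to the server in use."""
    return [STORE[r] for r in challenge_realms(response)
            if r == server_realm and r in STORE]

def make_response(realm: str) -> str:
    """Constructed 407 carrying a Digest challenge for the given realm."""
    return ("SIP/2.0 407 Proxy Authentication Required\r\n"
            "CSeq: 1 INVITE\r\n"
            f'Proxy-Authenticate: Digest realm="{realm}", nonce="constructed"\r\n'
            "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    foreign = make_response("bank.example.net")  # challenge for another domain
    print("naive:", naive_select(foreign))
    print("bound:", bound_select(foreign, "example.com"))
```

The bound selector returns nothing for a challenge whose realm differs from the one configured for the server the request was sent to, so the UA would surface the failure instead of computing a digest response with another domain's secret.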
