I don't think I'm describing any novel attack here, and really I am trying to speak more to higher-level requirements than the properties of any specific proposal, but I'd like to understand what our disconnect is. I'm talking about an attack that is purely in the signaling layer, so I'm not sure in what sense Alice has a private key applicable to that layer (unless she is acting as her own authentication service, say). "This is Alice again" here means that, for example, the re-INVITE is a clever cut-and-paste attack that appears to have a valid signature to the verifier. The decision about where media is sent is always something negotiated in the rendezvous layer; if the rendezvous layer is persuaded to send media somewhere unhelpful, no amount of media layer security will prevent this disruption.
The only thing this attack is meant to illustrate is why it does matter who sets the IP/port. I've gathered that some people in the discussion reject the notion that there are any threats related to setting the IP/port in the signaling layer, so I'm trying to provide an example.

Jon Peterson
NeuStar, Inc.

On 4/13/09 10:38 AM, "Dan Wing" <dw...@cisco.com> wrote:

> The 'Alice again' attacker would need to prove Alice's identity which
> the attacker cannot accomplish (unless the attacker knows Alice's
> private key). This is true of RFC4474 and
> draft-fischer-sip-e2e-sec-media and draft-wing-sip-identity-media.
> All three of those require the attacker to sign SIP headers and,
> in the case of the two I-D's, the attacker has to also perform
> a handshake proving possession of Alice's private key.
>
> I don't see the new attack that you are seeing.
>
> -d

_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implement...@cs.columbia.edu for questions on current sip
Use sipp...@ietf.org for new developments on the application of sip