Re: [Sip] Thoughts on SIP Identity issues
At Tue, 5 Aug 2008 10:26:26 -0700,
Dan Wing wrote:
>
> > -----Original Message-----
> > From: Eric Rescorla [mailto:ekr at networkresonance.com]
> > Sent: Tuesday, August 05, 2008 9:11 AM
> > To: Dan Wing
> > Cc: 'Eric Rescorla'; 'Elwell, John'; 'Hadriel Kaplan';
> > 'Jonathan Rosenberg'; 'Cullen Jennings'; 'SIP IETF'; 'Uzelac, Adam'
> > Subject: Re: [Sip] Thoughts on SIP Identity issues
> >
> > At Tue, 5 Aug 2008 08:54:16 -0700,
> > Dan Wing wrote:
> > > > I haven't spent a long time examining
> > > > draft-kaplan-sip-baiting, but as
> > > > I recall, it's not the fault of 4474 failing to sign
> > > > something that
> > > > it should have but rather that it's inherent in the
> > > > message-oriented
> > > > nature of SIP.
> > >
> > > That distinction is not relevant to the victim.
> >
> > No, the distinction is relevant to the people responsible for
> > technically addressing the issue, namely us.
>
> My interpretation of what you are saying is "SIP is message-
> oriented, so SIP is vulnerable to baiting as described in
> draft-kaplan-sip-baiting, and we can't fix it".
>
> I don't know if that is what you intended to say; if not,
> please clarify.
What I'm saying is that a message-oriented system like SIP inherently
has replay attacks. If you want to remove replay attacks, you'll
need to do it at a separate layer.
> > I don't actually think this characterization of 4474 is that accurate.
> > RFC 4474 does not use the IP address for authenticating the media.
> > Rather, it authenticates the IP address as well as the rest of the
> > SDP
>
> Which draft-kaplan-sip-baiting shows is insufficient at its intended
> purpose.
Well, I guess that's one interpretation, but it's not mine.
-Ekr