[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Sip] RE: connected-identity before 200 Ok

To: "'Elwell, John'" <john.elwell@xxxxxxxxxxx>, <sip@xxxxxxxx>
Subject: RE: [Sip] RE: connected-identity before 200 Ok
From: "Dan Wing" <dwing@xxxxxxxxx>
Date: Mon, 19 Feb 2007 11:47:39 -0800
Authentication-results: sj-dkim-3; header.From=dwing@xxxxxxxxx; dkim=pass (s ig from cisco.com/sjdkim3002 verified; );
Cc: <ietf-rtpsec@xxxxxxx>, "'Rob Raymond'" <rob@xxxxxxxxxxxxxxx>
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=6232; t=1171914468; x=1172778468; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@xxxxxxxxx; z=From:=20=22Dan=20Wing=22=20<dwing@xxxxxxxxx> |Subject:=20RE=3A=20[Sip]=20RE=3A=20connected-identity=20before=20200=20O k |Sender:=20; bh=4l9hJNGihZcqPTI0fL4rAIXVbsPpi7WqCTKSniZt/L0=; b=sXx0PSfK2xMItcYmVk8AddtmtEIxvVptvnzwSJDyN25h5Q2Cz+K2etjVT2Ashx9S8buFfzVP s7h21LttJtbMjxhYDE3xIuC7lxPJh92AWb75dUM1Bx3uV6gwntVv/Utl;
In-reply-to: <50B1CBA96870A34799A506B2313F26670B0F8AEC@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
Thread-index: AcdUCFB6opLzHupUTS+gCRDAq3opCAAVWibg


> The important thing is that there be evidence that the 18x has
> reached the calling UA before sending an UPDATE request to the
> calling UA. Otherwise the UPDATE request might receive a 481
> response.  So I suppose the called UA could send an UPDATE request
> and be prepared to repeat it (and the 18x response) if a 481
> response is received.  This would be another example of "poor man's
> PRACK". A problem could arise if the calling UA holds state to say
> whether a 18x has been received reliably and rejects an UPDATE
> request if not - I guess this depends on how it is implemented in
> practice.  Also a calling UA that does not implement PRACK might
> also be unable to accept UPDATE before answer, but the option tag
> that indicates support for UPDATE will not tell you this.
>
> Another issue is whether the presence or absence of SDP offer in an
> UPDATE request has impact on when it can/cannot be sent.

To detect the attacks that Rob brought up on the RTPSEC mailing list,
we would want the UPDATE to contain the same SDP as it has in the
18x (183).

> If it contains an SDP offer, obviously it has to obey the strict
> offer-answer rules, so clearly has to be sent after any previous
> offer-answer sequence has completed.  Without waiting for the PRACK
> it could be dangerous.  Consider the following slightly revised
> sequence:
> 
>     Alice                      Bob
>       |                         |
>   1.  |--Invite with SDP offer->|
>   1a  |<--18x without SDP answer|
>   2.  |x--183 with SDP answer---|  (183 is unreliable)
>   3.  |<--UPDATE with SDP-------|
>   4.  |---Ack Update----------->|
> 
> The first 18x is send unreliably and established the early dialog. The
> second 183 containing SDP answer is lost. The UPDATE request will not
> receive a 481 response (because the early dialog is already 
> established) but the SDP offer will be illegal. It is unclear what 
> response Alice would give.

Ok.

> So in this particular case it is a lot safer to wait for the PRACK.
> Therefore I think the 

[looks like something got cut off from your email.]

> However, if the UPDATE request does NOT contain an SDP offer 
> (which for connected-identity purposes it doesn't need to), 

That's my point:  it does need to contain SDP in order to protect
against the very same attacks that Identity protected against:  
if the SDP isn't included, the Connected-Identity isn't useful
because anybody could send RTP to the calling party.  That RTP
could be audio saying "your mother wears combat boots".  Because
the SDP isn't signed, there isn't any assurance it's coming from
the expected IP addresses, nor can we use a=fingerprint to create
cryptographic assurance.

> the following are questionable:
> - the need to wait for PRACK if the 18x is sent reliably;
> - the need to send the 18x reliably
> - the whether the UPDATE request can be sent even if the only 
> 18x sent does not contain SDP answer;
> - whether an UPDATE request containing an offer for early session
> disposition can be sent before the normal answer has been 
> sent or before it has been acknowledged through PRACK.
> 
> I don't think these points are covered by RFC3311.

Yes, we need this standardized somewhere.

-d


> John
> 
> > -----Original Message-----
> > From: Dan Wing [mailto:dwing@xxxxxxxxx] 
> > Sent: 17 February 2007 00:49
> > To: sip@xxxxxxxx
> > Cc: ietf-rtpsec@xxxxxxx; Elwell, John; Rob Raymond
> > Subject: connected-identity before 200 Ok
> > 
> > This message is a result of some offline discussions with Rob 
> > and ample
> > caffeine consumption on my part.  The concern is if PRACK is 
> > necessary in
> > order to use connected-identity before the call is answered 
> > in order to
> > avoid some of the attacks Robin brought up on RTPSEC.
> > 
> > 
> > Reading RFC3311 (SIP UPDATE), it says:
> > 
> >       o  If the UPDATE is being sent before completion of 
> the initial
> >          INVITE transaction, and the initial INVITE contained 
> > an offer,
> >          the UPDATE can contain an offer if the callee generated an
> >          answer in a reliable provisional response, and the 
> caller has
> >          received answers to any other offers it sent in 
> > either PRACK or
> >          UPDATE, and has generated answers for any offers it 
> > received in
> >          an UPDATE from the callee.
> > 
> > draft-ietf-sip-connected-identity seems to say you need to 
> > use PRACK if you
> > want connected-identity before the 200 Ok:
> > 
> >    After an early dialog has been formed, if the 
> "from-change" option
> >    tag has been received in a Supported header field the UA 
> > MAY issue an
> >    UPDATE request (RFC 3311 [4]) on the same dialog, 
> subject to having
> >    sent a reliable provisional response to the INVITE request 
> > and having
> >    received and responded to a PRACK request. 
> > 
> > Which I interpret to mean that the following is illegal, even 
> > if the SDP in
> > message 2 and 3 are identical:  
> > 
> >     Alice                      Bob
> >       |                         |
> >   1.  |--Invite with SDP offer->|
> >   2.  |<--183 with SDP answer---|  (183 is unreliable)
> >   3.  |<--UPDATE with SDP-------|
> >   4.  |---Ack Update----------->|
> > 
> > Please confirm that the above call flow is disallowed per 
> the rules of
> > RFC3311 and per the rules of draft-ietf-sip-connected-identity.
> > 
> > 
> > Question:  would ICE's "poor-man's PRACK" (as I call it) be 
> > sufficient to
> > meet the needs of RFC3311 and -sip-connected-identity for a reliable
> > provisional response?  ICE's "poor-man's PRACK" is described in
> > <http://tools.ietf.org/html/draft-ietf-mmusic-ice-13#section-1
> > 2.1>, around
> > the middle of section 12.1.
> > 
> > -d
> > 
> 
> _______________________________________________
> Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors@xxxxxxxxxxxxxxx for questions on current sip
> Use sipping@xxxxxxxx for new developments on the application of sip

References:
- RE: connected-identity before 200 Ok
  - From: Elwell, John

Prev by Date: RE: connected-identity before 200 Ok
Previous by thread: RE: connected-identity before 200 Ok
Index(es):
- Date
- Thread