[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Sip] SIP Identity using Media Path

To: "'Christer Holmberg \(JO/LMF\)'" <christer.holmberg@xxxxxxxxxxxx>, <sip@xxxxxxxx>
Subject: RE: [Sip] SIP Identity using Media Path
From: "Dan Wing" <dwing@xxxxxxxxx>
Date: Mon, 2 Jul 2007 16:04:54 -0700
Authentication-results: rtp-dkim-2; header.From=dwing@xxxxxxxxx; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
Cc: <ietf-rtpsec@xxxxxxx>
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1188; t=1183417497; x=1184281497; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@xxxxxxxxx; z=From:=20=22Dan=20Wing=22=20<dwing@xxxxxxxxx> |Subject:=20RE=3A=20[Sip]=20SIP=20Identity=20using=20Media=20Path |Sender:=20 |To:=20=22'Christer=20Holmberg=20\(JO/LMF\)'=22=20<christer.holmberg@eric sson.com>,=0A=20=20=20=20=20=20=20=20<sip@xxxxxxxx>; bh=v69xEoNL80aaVcIUi1LZPa8au1H+cC+0nek2S2L4TQc=; b=hHC1ba/OKjyteiOaZfzX6DApnGzHWJD6XRTIGvQusFLfhM7jHToPJLFJv8mUZOhF+w6WDcZE axNsRZuLH1DkTEiNt+dFtiwXxZtc2vmVhX1CUsXUGymY++srIl/ODxNz;
In-reply-to: <7374777208BDC7449D5620EF9423256706D44E57@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
Thread-index: Ace82p2yNu6lfaNzQcq8BXk5gCIEoQAHC+iwAAFo/cA=

> Chapter 9 says:
> 
> "in order for the mechanism to work, SBC-type-of-entities 
> must permit DTLS, TLS, ICE, or HIP messages to be exchanged 
> in the media path."
> 
> A small question for clarification: at what point must this 
> exchange (two-way, I assume) work? As soon as the UAS has 
> received the INVITE?

Yes.

The DTLS, TLS, ICE, or HIP exchange would need to occur
prior to displaying Caller-ID-like information to the
user -- otherwise, an attacker could spoof that Caller-ID
information.  It seems defective, to me, to display
Caller-ID information that was spoofed to only later
learn (after doing DTLS, TLS, ICE, or HIP) that the 
calling party had lied about their identity.  

There is some protection against such an attack that could
reduce this risk (the Date: header is signed, so the attacker
would need to obtain a relatively recent SIP request) -- that
protection might be sufficient in networks that block exchange 
of packets prior to 200 Ok.  If an attacker was able to
get ahold of such a SIP request, you would know it when the
attacker failed the DTLS, TLS, ICE, or HIP exchange, which
I suppose is better than nothing.

-d

Follow-Ups:
- RE: [Sip] SIP Identity using Media Path
  - From: Christer Holmberg (JO/LMF)
- RE: [Sip] SIP Identity using Media Path
  - From: Christer Holmberg (JO/LMF)

References:
- RE: [Sip] SIP Identity using Media Path
  - From: Christer Holmberg (JO/LMF)

Prev by Date: RE: [Sip] SIP Identity using Media Path
Next by Date: RE: [Sip] SIP Identity using Media Path
Previous by thread: RE: [Sip] SIP Identity using Media Path
Next by thread: RE: [Sip] SIP Identity using Media Path
Index(es):
- Date
- Thread