[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Sip] SIP Identity using Media Path

To: "'Christer Holmberg \(JO/LMF\)'" <christer.holmberg@xxxxxxxxxxxx>, "'Hans Persson'" <hasse@xxxxxxxxxx>, <sip@xxxxxxxx>
Subject: RE: [Sip] SIP Identity using Media Path
From: "Dan Wing" <dwing@xxxxxxxxx>
Date: Mon, 16 Jul 2007 09:17:25 -0700
Authentication-results: sj-dkim-4; header.From=dwing@xxxxxxxxx; dkim=pass (s ig from cisco.com/sjdkim4002 verified; );
Cc: <ietf-rtpsec@xxxxxxx>
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=1214; t=1184602646; x=1185466646; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@xxxxxxxxx; z=From:=20=22Dan=20Wing=22=20<dwing@xxxxxxxxx> |Subject:=20RE=3A=20[Sip]=20SIP=20Identity=20using=20Media=20Path |Sender:=20; bh=8BRHP7wtA6+C63K0sAzuR++Nd9FHBVQ60cbyb+Y3LKM=; b=FcSNFpyWMbfJdCN2H3CruN0IzJ/W3cG4usiQLkO52z5SnLqqBL9VHpzPtaHQLETZhTmaHdVw LN6wgDnH9rKjs4p7f6wPi71GEYUpQuQMUBACHochVKZdz45bKlsey1Q4;
In-reply-to: <7374777208BDC7449D5620EF942325670730AA22@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx
Thread-index: Ace+Gd+1mZGbB63fSbi5GA3N5+TpCwAPyvDwAlSiz8AABWk4IA==


> An SBC can modify almost any header.

Yes.

> Looking at chapter 4.1, 
> I would say that at least the To- and From headers are in 
> the "risk zone" (EVEN if you only use the addr-spec part).

If the From header is modified, the identity is broken 
anyway.  Such modifications of the From header are discussed
in the Background section of draft-wing-sip-identity-media-00.

Allowing modifications of the To header creates the 
opportunity for an attacker to launch a replay attack by
substituting the To address and replaying the message 
until the Date: header is old enough that receiving 
authentication servers reject the Date: header out of 
hand.

> The CSeq (at least the digit portion) may also be modified, 
> for example if there has been some "dialog piggybacked" requests 
> sent between the SBC and another entity, but not end-to-end. In 
> that case the the SBC may have to increase the CSeq before 
> forwarding the request, if the digit portion value has already 
> been used in a request sent by the SBC in the same direction.

That seems like a good opportunity, within that trust domain 
between the SBC and the other entity, to use 
P-Asserted-Identity.

-d

Follow-Ups:
- RE: [Sip] SIP Identity using Media Path
  - From: Christer Holmberg (JO/LMF)

References:
- RE: [Sip] SIP Identity using Media Path
  - From: Christer Holmberg (JO/LMF)

Prev by Date: RE: [Sip] SIP Identity using Media Path
Next by Date: RE: [Sip] SIP Identity using Media Path
Previous by thread: RE: [Sip] SIP Identity using Media Path
Next by thread: RE: [Sip] SIP Identity using Media Path
Index(es):
- Date
- Thread