It is an abnormal situation for the 200 response's Session-Expires value
to be lower than the Min-SE sent within the corresponding request.
Because it is an abnormal situation, the UAC can basically act however
it desires, although section 11 type security impacts should be
considered when deciding how to handle the abnormal situation.
 
The following are a few of the potential options:
 
1) Release call (as you mentioned).
 
2) Refuse to refresh at that interval; generate a non-compliance
alarm/log and start timers as though the other side were acting as refresher.
 
3) Assume you are dealing with a non-compliant device instead of an attack; thus
generate a non-compliance alarm/log and honor the Session-Expires as
though there was no conflict with the corresponding Min-SE.
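The three options above, worked through as an added example (this is not code from the thread or from any SIP stack): a UAC-side check that reads the Min-SE the UAC sent in its INVITE and the Session-Expires that came back in the 200, flags the abnormal case, and applies one of the three policies. The SIP messages are constructed inline, header parsing is deliberately minimal, and the timer arithmetic follows RFC 4028 section 10 (refresher refreshes at half the interval; non-refresher sends BYE if nothing arrives min(32 s, interval/3) before expiry). Two points are assumptions for the example only: a missing refresher parameter is treated as "UAC refreshes", and option 2 runs the non-refresher timers against the value the UAS sent rather than against Min-SE.

```python
"""UAC handling of a 2xx whose Session-Expires is below the Min-SE the UAC
sent.  Added example; not from the thread or from any SIP implementation."""
import logging
from enum import Enum
from typing import Dict, Optional, Tuple

log = logging.getLogger("session-timer")


class Policy(Enum):
    RELEASE = "release"          # option 1: tear the call down
    REFUSE_REFRESH = "refuse"    # option 2: never refresh at z; run non-refresher timers
    HONOR = "honor"              # option 3: assume non-compliant peer, use z as offered


# Constructed messages (not captured traffic).  UAC asks for 1800 s, floor 900 s.
INVITE = (
    "INVITE sip:[email protected] SIP/2.0\r\n"
    "Supported: timer\r\n"
    "Session-Expires: 1800\r\n"
    "Min-SE: 900\r\n"
    "\r\n"
)
# Abnormal: UAS answers below the UAC's own Min-SE (forbidden by RFC 4028 s.9).
OK_LOW = "SIP/2.0 200 OK\r\nRequire: timer\r\nSession-Expires: 600;refresher=uac\r\n\r\n"
# Normal: UAS keeps the UAC's value and nominates itself as refresher.
OK_NORMAL = "SIP/2.0 200 OK\r\nRequire: timer\r\nSession-Expires: 1800;refresher=uas\r\n\r\n"


def _headers(msg: str) -> Dict[str, str]:
    """Lower-cased header map from the head of a SIP message (start line skipped)."""
    head = msg.split("\r\n\r\n", 1)[0]
    hdrs: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs


def parse_session_expires(value: str) -> Tuple[int, Optional[str]]:
    """'600;refresher=uac' -> (600, 'uac'); refresher may be absent."""
    parts = [p.strip() for p in value.split(";")]
    refresher = None
    for p in parts[1:]:
        k, _, v = p.partition("=")
        if k.strip().lower() == "refresher":
            refresher = v.strip().lower()
    return int(parts[0]), refresher


def plan_timers(interval: int, we_refresh: bool) -> Dict[str, Optional[int]]:
    """RFC 4028 s.10: refresher refreshes at interval/2; the other side sends
    BYE at interval - min(32, interval/3) if no refresh has arrived."""
    if we_refresh:
        return {"interval": interval, "refresh_at": interval // 2, "bye_at": None}
    return {"interval": interval, "refresh_at": None,
            "bye_at": interval - min(32, interval // 3)}


def handle_2xx(invite: str, response: str, policy: Policy) -> dict:
    """Decide what the UAC does with the Session-Expires in a 2xx."""
    req, rsp = _headers(invite), _headers(response)
    min_se = int(req.get("min-se", "90"))       # 90 s is the RFC 4028 default floor
    if "session-expires" not in rsp:
        return {"action": "no-timer"}            # UAS did not engage the session timer
    z, refresher = parse_session_expires(rsp["session-expires"])
    we_refresh = refresher != "uas"             # assumption: absent refresher -> UAC refreshes
    if z >= min_se:
        return {"action": "start", **plan_timers(z, we_refresh)}

    # Abnormal case from the thread: z below the Min-SE we ourselves sent.
    log.warning("2xx Session-Expires %d below our Min-SE %d; policy=%s",
                z, min_se, policy.value)
    if policy is Policy.RELEASE:
        return {"action": "bye"}
    if policy is Policy.REFUSE_REFRESH:
        # Assumption: timers run against z, but we never act as refresher.
        return {"action": "start", **plan_timers(z, we_refresh=False)}
    return {"action": "start", **plan_timers(z, we_refresh)}   # HONOR


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("normal :", handle_2xx(INVITE, OK_NORMAL, Policy.RELEASE))
    for pol in Policy:
        print(f"{pol.value:8}:", handle_2xx(INVITE, OK_LOW, pol))
```

Whichever option is chosen, the warning line is the part worth keeping in every build: an interval that the UAC itself declared unacceptable in Min-SE showing up in a 2xx is exactly the kind of event that should be visible in logs before anyone decides whether it was a broken peer or a probe.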
 
 


________________________________

From: praveen dandin [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 14, 2008 10:18 PM
To: Brett Tate; [email protected]
Subject: RE: [Sip-implementors] Query on UAC behaviour when supporting session timer


Hi,
Section 11.1 of RFC 4028 talks about the possible behavior
of the proxy in this case when it states the following:
        
    "The proxies will reject this request and provide a
    Min-SE with a higher minimum, which the UAC will then use. Note,
    that if the proxies did not reject the request, but rather proxied
    the request with a Min-SE header field, an attack would still be
    possible."

As per the above statements, the proxy can reject the request when
Session-Expires < Min-SE to avoid further attacks by a rogue UAS. In a
similar way, can the UAC terminate the call when it sees the Session-Expires
value to be less than the Min-SE value in the 200 OK? [Here, as the UAS cannot
send a Session-Expires value less than Min-SE, the UAC treats such a 200 OK
response as having arrived from a rogue UAS and can terminate the call to
avoid further attacks.]

Regards,
Praveen Dandin

Brett Tate <[EMAIL PROTECTED]> wrote:

> Suppose a UAC supporting the session timer sends the
> INVITE with a Session-Expires value (say 'x') greater than
> Min-SE (say 'y') and it receives a 200 OK response with a
> Session-Expires value (say 'z') which is smaller than the value 'y'
> [though this is not possible as per RFC 4028 section 9
> (i.e., it is not valid UAS behaviour), let us treat it as an
> error scenario].
> In such a case the UAC's behaviour can be any one of the two:
> 1) The UAC considers such a 200 OK an invalid response and
> ignores such a response.
> 2) The UAC accepts the 200 OK and sets the value of the
> session interval to the value 'y' (i.e., it increases the
> value of Session-Expires 'z' to the value of Min-SE 'y', the least
> value which the UAC was expecting) and starts the
> session timer.
>
> Please let me know which one is the correct behaviour.


Because it is an abnormal situation, the UAC can basically act however
it desires, although section 11 type security impacts should be
considered when deciding how to handle the abnormal situation.
                


        
________________________________


_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
