> On Thursday 17 January 2008 11:28:50 Steve Langstaff wrote:
> > > Hi, because of SIP design a UAC is responsible for setting its
> > > "Contact" field in the REGISTER. This can be used to spoof other UAS
> > > or gateways location by malicious users.
> > >
> > > There are "not very elegant" solutions for this issue but I'm
> > > thinking about forcing a convention:
> > >
> > > A SIP UAC with AoR "sip:[EMAIL PROTECTED]" SHOULD send a REGISTER with:
> > >   Contact: <sip:[EMAIL PROTECTED]> and the registrar server
> > > SHOULD reject any REGISTER with a "Contact" not respecting this
> > > convention for the registering AoR.
> > >
> > > I set "[EMAIL PROTECTED]" since
> > > "[EMAIL PROTECTED]"
> > > would not be secure in multidomain environments.
> >
> > How would you cope with multi-port gateway devices that (say) wanted
> > to register the same AoR for multiple ports, but uses a single IP
> > address for both, or when you have the case of multiple instances of
> > the same AoR behind an SBC?
> 
> Do you mean that in these cases the SBC rewrites UAC's
> "Contact" to give each one a distinctive URI?

I'm not sure about the SBC case, but for a multi-port phone gateway,
consider the case where Alice has 2 phones registering sip:[EMAIL PROTECTED]
on different ports of the gateway.

Currently phone 1 may send out a REGISTER with, for example,

    From: <sip:[EMAIL PROTECTED]>
    Contact: <sip:[EMAIL PROTECTED]>

And phone 2 may send out a REGISTER with

    From: <sip:[EMAIL PROTECTED]>
    Contact: <sip:[EMAIL PROTECTED]>

This is good - the registrar has 2 registrations for Alice,
with distinct contact addresses. All is good.

With your proposed scheme phone 1 would send out a REGISTER with

    From: <sip:[EMAIL PROTECTED]>
    Contact: <sip:[EMAIL PROTECTED]>

and phone 2 would send out a REGISTER with

    From: <sip:[EMAIL PROTECTED]>
    Contact: <sip:[EMAIL PROTECTED]>

I don't think that the registrar would be aware that Alice has registered from 
2 devices.


_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
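
The binding behaviour discussed in this thread, as an added example that is not part of the original messages: a minimal registrar that keys bindings by AoR and Contact URI, so two REGISTERs carrying the same Contact collapse into one binding. The addresses in the thread are redacted, so every URI here (`alice@example.com`, `gw.example.com`) is constructed, and `register`, `normalize`, `Registrar` and `count_bindings` are hypothetical names; the URI comparison is a simplification of the RFC 3261 rules.

```python
import re

def register(call_id, contact):
    # Constructed REGISTER for the constructed AoR sip:alice@example.com.
    return ("REGISTER sip:example.com SIP/2.0\r\n"
            "To: <sip:alice@example.com>\r\n"
            "From: <sip:alice@example.com>;tag=1\r\n"
            f"Call-ID: {call_id}\r\n"
            "CSeq: 1 REGISTER\r\n"
            f"Contact: <{contact}>;expires=3600\r\n\r\n")

def header_uri(msg, name):
    # Return the URI between <> in the named header.
    m = re.search(rf"^{name}:[^<\r\n]*<([^>]+)>", msg, re.I | re.M)
    if m is None:
        raise ValueError(f"missing {name} header")
    return m.group(1)

def normalize(uri):
    # Simplified comparison key (assumption): scheme and host are
    # case-insensitive, the user part is case-sensitive, URI parameters ignored.
    scheme, rest = uri.split(":", 1)
    user, _, hostport = rest.split(";", 1)[0].rpartition("@")
    return (scheme.lower(), user, hostport.lower())

class Registrar:
    def __init__(self):
        self.bindings = {}  # AoR key -> {Contact key: Call-ID of last REGISTER}

    def handle(self, msg):
        # The AoR being registered is taken from the To header.
        aor = normalize(header_uri(msg, "To"))
        contact = normalize(header_uri(msg, "Contact"))
        call_id = re.search(r"^Call-ID:\s*(\S+)", msg, re.I | re.M).group(1)
        # An equal Contact key refreshes the existing binding instead of adding one.
        self.bindings.setdefault(aor, {})[contact] = call_id
        return len(self.bindings[aor])

def count_bindings(contacts):
    # Register one phone per contact URI and return the AoR's binding count.
    reg = Registrar()
    count = 0
    for i, contact in enumerate(contacts, 1):
        count = reg.handle(register(f"phone{i}@gw.example.com", contact))
    return count

if __name__ == "__main__":
    print(count_bindings(["sip:alice-p1@gw.example.com", "sip:alice-p2@gw.example.com"]))
    print(count_bindings(["sip:alice@gw.example.com", "sip:alice@gw.example.com"]))
```

With distinct Contacts the registrar holds two bindings for the AoR; with a forced identical Contact the second phone's REGISTER only overwrites the first phone's binding.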
