On Thu, 2008-01-17 at 11:01 +0100, Iñaki Baz Castillo wrote:
> Hi, by SIP design a UAC is responsible for setting its "Contact" field 
> in the REGISTER. This can be used by malicious users to spoof the location 
> of other UAS or gateways.
> 
> There are "not very elegant" solutions for this issue, but I'm thinking about 
> forcing a convention:
> 
> A SIP UAC with AoR "sip:[EMAIL PROTECTED]" SHOULD send a REGISTER with:
>   Contact: <sip:[EMAIL PROTECTED]>
> and the registrar server SHOULD reject any REGISTER with a "Contact" not 
> respecting this convention for the registering AoR.
> 
> I set "[EMAIL PROTECTED]" since "[EMAIL PROTECTED]" 
> would not be secure in multidomain environments.
> 
> 
> What could be wrong with this convention? Would it break any feature, SIP 
> extension or rule according to any existing RFC?

Well, to start with, nothing that I know of does that now, and I don't
know of any SIP device that lets you configure the user part of a
Contact address.  Good luck getting the vendors to change...

In any event - what's to keep the bad guy from just obeying your
convention?  It doesn't prevent the abuse you're worried about.

Just requiring that the REGISTER be authenticated such that the
authentication identity is valid for the To address (the AOR) seems good
enough to me.

-- 
Scott Lawrence  tel:+1.781.229.0533;ext=162 or sip:[EMAIL PROTECTED]
  sipXecs project coordinator - SIPfoundry http://www.sipfoundry.org/sipXecs
  CTO, Voice Solutions   - Bluesocket Inc. http://www.bluesocket.com/ 
                                           http://www.pingtel.com/
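As an added illustration (not code from this thread or from sipXecs), here is the registrar-side check Scott describes, in Python: a REGISTER is accepted only if the Digest identity (username and realm) matches the user and domain of the To AoR, and the Contact header is never consulted, so a client that obeys the proposed Contact convention gains nothing. The SIP messages are constructed, and it assumes the Digest realm is the AoR domain.

```python
"""Registrar-side check: does the authenticated identity own the To AoR?
Added example; messages and the realm-equals-domain mapping are assumptions."""
import re

# Constructed: minimal REGISTER with Digest credentials. A real registrar
# verifies the Digest response against the stored password before this check.
REGISTER_OK = (
    "REGISTER sip:example.org SIP/2.0\r\n"
    "To: <sip:alice@example.org>\r\n"
    "From: <sip:alice@example.org>;tag=1\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    'Authorization: Digest username="alice", realm="example.org", '
    'nonce="abc", uri="sip:example.org", response="00"\r\n'
    "\r\n"
)
# Constructed: Mallory authenticates as herself but tries to bind Alice's AoR.
# The Contact follows the "user@domain" convention, so that alone would pass.
REGISTER_SPOOF = REGISTER_OK.replace('username="alice"', 'username="mallory"')


def headers(msg):
    """Return {lowercased-name: value} for the headers of a SIP message."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    pairs = (line.split(":", 1) for line in lines if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}


def aor_of(to_value):
    """Extract (user, host) from a To value such as <sip:u@h>;tag=..."""
    m = re.search(r"sips?:([^@;>\s]+)@([^;>\s:]+)", to_value)
    return (m.group(1), m.group(2).lower()) if m else None


def auth_identity(auth_value):
    """Extract (username, realm) from a Digest Authorization header value."""
    params = dict(re.findall(r'(\w+)="([^"]*)"', auth_value))
    return (params.get("username"), params.get("realm", "").lower())


def authorized_for_aor(msg):
    """True only if the Digest identity matches the To AoR's user and domain."""
    h = headers(msg)
    if "authorization" not in h or "to" not in h:
        return False  # unauthenticated REGISTER: challenge it, never bind
    aor = aor_of(h["to"])
    return aor is not None and auth_identity(h["authorization"]) == aor
```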

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors