On Thursday 17 January 2008 13:22:04 Scott Lawrence wrote:
> On Thu, 2008-01-17 at 11:01 +0100, Iñaki Baz Castillo wrote:
> > Hi, by SIP design a UAC is responsible for setting its "Contact"
> > field in the REGISTER. This can be used by malicious users to spoof the
> > location of other UAS or gateways.
> >
> > There are "not very elegant" solutions for this issue but I'm thinking
> > about forcing a convention:
> >
> > A SIP UAC with AoR "sip:[EMAIL PROTECTED]" SHOULD send a REGISTER with:
> >   Contact: <sip:[EMAIL PROTECTED]>
> > and the registrar server SHOULD reject any REGISTER with a "Contact" not
> > respecting this convention for the registering AoR.
> >
> > I set "[EMAIL PROTECTED]" since "[EMAIL PROTECTED]"
> > would not be secure in multidomain environments.
> >
> >
> > What could be wrong with this convention? Would it break any feature, SIP
> > extension or rule according to any existing RFC?
>
> Well, to start with, nothing that I know of does that now, and I don't
> know of any SIP device that lets you configure the user part of a
> Contact address.  Good luck getting the vendors to change...

I only know of the Twinkle softphone, which optionally creates a username part as:
  user_domain_com



> In any event - what's to keep the bad guy from just obeying your
> convention?  It doesn't prevent the abuse you're worried about.

But the registrar could match the "Contact" URI with the AoR in "To" following 
the convention. If they don't match then the registrar should reject the 
REGISTER.


> Just requiring that the REGISTER be authenticated such that the
> authentication identity is valid for the To address (the AOR) seems good
> enough to me.

Not at all. Suppose two AoRs:

  [EMAIL PROTECTED]
  [EMAIL PROTECTED]

A phone1 has registered the first AoR.

A second device, belonging to the second AoR, could send a malicious REGISTER:

  REGISTER sip:registrar_server.com SIP/2.0
  From: <sip:[EMAIL PROTECTED]>
  To: <sip:[EMAIL PROTECTED]>
  Contact: <sip:[EMAIL PROTECTED]>    <-- NOTE user1 !!
  Authentication: [EMAIL PROTECTED] ...

So when someone calls "sip:[EMAIL PROTECTED]" then phone1 will ring.
Now replace "[EMAIL PROTECTED]" with "[EMAIL PROTECTED]".

The risk exists, sure. Authentication is not enough at all.



-- 
ilimit...


*Iñaki Baz Castillo*
[EMAIL PROTECTED]

ÀREA SISTEMES
0034 937 333 375
VOLTA 1, PIS 5
08224 TERRASSA.BCN


_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
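
The registrar-side check proposed in the message above, as an added example that is not part of the original thread or of any SIP server's code. It assumes the Contact user part is derived from the AoR in the "user_domain_com" form mentioned for Twinkle, and that a mismatch is answered with 403; the messages, domains and addresses are constructed placeholders.

```python
import re

# Constructed sample messages (placeholder domain and RFC 5737 addresses).
GOOD = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "From: <sip:user2@example.com>\r\n"
    "To: <sip:user2@example.com>\r\n"
    "Contact: <sip:user2_example_com@192.0.2.20:5060>\r\n\r\n"
)
# Same authenticated AoR (user2), but the Contact points at user1's binding.
SPOOFED = GOOD.replace("user2_example_com@192.0.2.20",
                       "user1_example_com@192.0.2.10")

URI_RE = re.compile(r"sips?:([^@;>\s]+)@([^;>\s,]+)", re.I)

def header(msg, name):
    """Return the value of the first header `name` (case-insensitive), or None."""
    for line in msg.split("\r\n")[1:]:
        if not line:                      # blank line ends the header section
            break
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    return None

def expected_contact_user(aor_user, aor_domain):
    # Assumed mapping: user + "_" + domain with dots turned into underscores.
    return f"{aor_user}_{aor_domain.lower().replace('.', '_')}"

def check_register(msg):
    """Return (status, reason) for the convention check on one REGISTER."""
    to_m = URI_RE.search(header(msg, "To") or "")
    if to_m is None:
        return 400, "missing or unparsable To"
    contact = header(msg, "Contact")
    if contact is None or contact == "*":
        return 200, "query or remove-all: no new binding to validate"
    want = expected_contact_user(to_m.group(1), to_m.group(2).split(":")[0])
    for item in contact.split(","):       # naive split, ignores quoted commas
        m = URI_RE.search(item)
        if m is None or m.group(1) != want:
            return 403, f"Contact user part must be {want!r}"
    return 200, "ok"

if __name__ == "__main__":
    print(check_register(GOOD))
    print(check_register(SPOOFED))
```

The check only constrains the user part of the Contact URI; it is meant to run in addition to authenticating the REGISTER for the To address, not instead of it.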
