Iñaki Baz Castillo wrote:
> On Monday, 14 July 2008, Anders Kristensen wrote:
>> Inaki,
>>
>> I think you're outside the specs here.
>
> Why? Of course my aim is being specs compliant, but I don't know which are
> the specs for the case I tell about. Which are they?

It would be RFC3261 and updates thereof (none exists that are relevant).

>> What you propose makes sense but
>> a word of warning: don't make routing or authorization decisions based
>> on source IP/port. Not that I'd recommend doing so anyway.
>
> But I'm not speaking about authorization decisions, I'm just suggesting the
> case in which a retransmission arrives at the UAS from a different address
> so, where to send future responses in this transaction? to the original
> request source address? to the new request (retransmission) source address?
> just it.

I understand what you're saying. The point I was trying to make is just that
*if* your SIP node were making policy decisions based on source IP then an
attacker might find it useful to exploit the fact that you modify the
destination of the response. He'd do this by spoofing a source address of A:a
in the first request to get your node to process the request using policy X
and then he'd send a retransmission with source address B:b to get you to send
the response to where he can easily get to it, e.g. the actual sending node.
I think this would make that kind of spoofing attack much easier to mount.

Anders

> Thanks a lot.

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
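A defensive sketch of the server-transaction behaviour RFC 3261 asks for here, added as an example and not code from either poster: the response destination is fixed from the first copy of the request (Via sent-by, plus `received`/`rport` derived from that first copy's source), and a retransmission matched by its Via branch reuses it whatever address it arrives from. The INVITE, hostnames and addresses are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Destination:
    host: str
    port: int


class ServerTransactions:
    """Minimal server-transaction table keyed by the top Via branch (RFC 3261 17.2.3)."""

    def __init__(self) -> None:
        self._dest: dict[str, Destination] = {}

    @staticmethod
    def _top_via(request: str) -> str:
        for line in request.split("\r\n"):
            name, _, value = line.partition(":")
            if name.strip().lower() in ("via", "v"):
                return value.strip()
        raise ValueError("request has no Via header")

    def receive(self, request: str, source: tuple[str, int]) -> tuple[Destination, bool]:
        """Handle one request copy from source=(ip, port); return (response destination, is_retransmission)."""
        via = self._top_via(request)
        params = dict(p.partition("=")[::2] for p in via.split(";")[1:])
        branch = params["branch"]
        if branch in self._dest:
            # Retransmission of a known transaction: the destination was fixed by the
            # first copy, so a different source address here changes nothing (17.2.1).
            return self._dest[branch], True
        sent_by = via.split(";")[0].split()[1]
        host, _, port = sent_by.partition(":")
        # First copy only: 18.2.1 adds 'received' when sent-by host differs from the source
        # IP, RFC 3581 fills a bare 'rport' with the source port; 18.2.2 then picks the address.
        received = source[0] if source[0] != host else None
        dest = Destination(received or host, source[1] if "rport" in params else int(port or 5060))
        self._dest[branch] = dest
        return dest, False


# Constructed INVITE: sent-by is a hostname, so 'received' will be set from the first source.
REQUEST = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP client.example.com:5060;branch=z9hG4bK74bf9;rport\r\n"
    "Call-ID: a84b4c76e66710@client.example.com\r\n\r\n"
)


def demo() -> tuple[Destination, Destination, bool, bool]:
    table = ServerTransactions()
    first, retrans1 = table.receive(REQUEST, ("192.0.2.10", 5060))       # original request
    second, retrans2 = table.receive(REQUEST, ("198.51.100.7", 40000))   # same branch, other source
    return first, second, retrans1, retrans2
```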
