Hi, "If the attacker sends an UPDATE message with Cseq as 1000, then that message could be rejected with a 4xx (bad parameter / count). But UAS cannot send 500." I didn't understand what you meant. But our stack is compliant to RFC 3261 Section 12.2.2 UAS Behavior.
"As another option, use TLS which provides end to end security to avoid MITM attacks." I am not convinced with this idea as we don't want to use TLS just to avoid this kind of problem. Any better idea? Regards, RadhaKrishna -----Original Message----- From: Avasarala Ranjit-A20990 [mailto:[email protected]] Sent: Wednesday, July 14, 2010 4:29 PM To: radhakrishna; [email protected] Subject: RE: [Sip-implementors] How sip stack can recover from the followingerror condition..... Hi If the attacker sends an UPDATE message with Cseq as 1000, then that message could be rejected with a 4xx (bad parameter / count). But UAS cannot send 500. As another option, use TLS which provides end to end security to avoid MITM attacks. Regards Ranjit -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of radhakrishna Sent: Wednesday, July 14, 2010 2:01 PM To: [email protected] Subject: [Sip-implementors] How sip stack can recover from the followingerror condition..... Dear All, I want to know if there is any way to come out of the following problem. UAC UAS ----------------------------INV (CSEQ: 1) ------------------------> <---------------------------200 OK---------------------------------- ----------------------------ACK ------------------------------------> Attacker ----------------Update (CSEQ: 10000) ----------> <------------------- 401/407 ------------------------------ -----------------------UPDATE (CSEQ: 2) ------------------> <----------------------- 500 -------------------------------------- Now since the actual UAC is not aware of the attacker, he will keep incrementing the CSEQ every time and will try to send the request. The request would be successful only after trying for some 9999 times. How do we overcome this kind of situation? We suggest that RFC should have a way to convey the CSEQ value stored by UAS in 500 response message so that UAC can come out of the loop. Can anyone please share your opinion on this issue? Regards, RadhaKrishna _______________________________________________ Sip-implementors mailing list [email protected] https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors _______________________________________________ Sip-implementors mailing list [email protected] https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
