Frank W. Miller wrote:

I've heard reference to this security issue in the past but have just
gone and read it for the first time, Section 9.3 right?  I'm not sure
I completely understand it.  Are you saying that another program can
hijack the connection once the legitimate SIP user is not present on
the connection anymore?

Yes.

Would not the legitimate user have torn down the TCP connection when it exited?

Yes; thereby making the default port (5060) available for
other processes.

Wouldn't the TCP connection require authentication when it was reestablished?

If it is between a UA and a registrar, it should.  If it is
between a UA and a default outbound proxy, it should.  But if
it is with another proxy, then there isn't any authentication.

- vijay
--
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
Email: [EMAIL PROTECTED],bell-labs.com,acm.org}
WWW:   http://www.alcatel-lucent.com/bell-labs

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
