Hi Michael,

> I've read sip-policy-framework draft recently
>
> The "Security Consideration" part mainly talks about the confidentiality
> issues. But I think there is one more security consideration which
> isn't taken into account in this draft. As there is no mechanism helping
> the proxy ensure the UA has changed the parameter of the request
> according to the policy received from a policy server. Thus the UA or
> attacker may change the policy for some malicious purposes, and proxy
> will forward the session since there are already "Policy-Id" in place.
>

You are talking about policy enforcement and not a security issue. In the scenario you are describing, the UA ignores or only partially applies a policy and tries to set up a session anyway. To prevent this from happening a policy enforcement mechanism is needed as explained in the draft.

> Do you think it's a security problem or not? Can anyone give some
> suggestions of how to solve it?
>

To prevent UAs from setting up unauthorized sessions, a policy enforcement mechanism is needed.

Thanks,
Volker

>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Sip mailing list https://www.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use [EMAIL PROTECTED] for questions on current sip
> Use [EMAIL PROTECTED] for new developments on the application of sip
