On 07.03.2009 at 20:18, Hadriel Kaplan wrote:
So a requirement to make the attack possible is that the user agent
responds to challenges generated for in-dialog requests.
Right, and that the attacked domain accepts INVITEs from its AoR's with
non-registered Contacts; or accepts INVITEs from its static AoR's to come in
from unknown locations. That's pretty rare in my world, but ymmv.
Luckily it seems we are not living in the same world :-)
I call it a feature that I can make authenticated calls without being
registered.
[...]
- I never understood why a proxy should pass through the authentication
request from a foreign domain.
Because this is how it is specified in section 22.3 of RFC3261.
And it would have to continue to do so. There are actual use-cases for this.
Could you please share one of these use-cases with me?
I think there's even a reasonable use-case for challenging in-dialog requests:
connected-identity, for example.
But you don't even need to challenge in-dialog requests for this form of
attack: if the victim calls you, then you can challenge the initial INVITE.
Sorry, but how is this going to work in a world without an SBC which knows
my credentials?
Remember my proxy can not answer the challenge (CSeq mis-match). And the
caller hopefully does not know my credentials, otherwise the whole
attack would be pointless.
Cheers
Nils
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip