I agree.
I think the issue Jon is pointing out is that one could interrupt the media
stream.
________________________________
From: [email protected] [mailto:[email protected]] On Behalf Of
Anthony D Pike
Sent: Monday, April 13, 2009 06:16
To: Audet, Francois (SC100:3055)
Cc: Cullen Jennings; Jon Peterson; [email protected]; DRAGE, Keith (Keith);
Dean Willis
Subject: Re: [Sip] francois' comments and why RFC4474 not used in the
field
hi Francios,
Surely if you correlate the signallng with the initial media stream
from the endpoint as Jonathan mentioned in his original email a couple of weeks
ago then you will know that that there has been a problem and you would not
pick up the call and you might report the call to the appropriate authorities
who could then trace the call potentailly.
Quite how this correlation takes place is not 100% clear to me as yet,
but I'm thinking on it.
Tony
This is a PRIVATE message. If you are not the intended recipient,
please delete without copying and kindly advise us by e-mail of the mistake in
delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC
to any order or other contract unless pursuant to explicit written agreement or
government initiative expressly permitting the use of e-mail for such purpose.
•
[email protected] wrote: -----
To: "Jon Peterson" <[email protected]>, "Elwell, John"
<[email protected]>, "Dean Willis" <[email protected]>
From: "Francois Audet" <[email protected]>
Sent by: [email protected]
Date: 04/10/2009 04:43PM
cc: Cullen Jennings <[email protected]>, [email protected], "DRAGE,
Keith \(Keith\)" <[email protected]>
Subject: Re: [Sip] francois' comments and why RFC4474 not used
in the field
Right, the signalling gets impersonated, but not the media.
So the only practical thing that can be done by the attacker
is interup media.
> -----Original Message-----
> From: Jon Peterson [mailto:[email protected]]
> Sent: Friday, April 10, 2009 12:28
> To: Audet, Francois (SC100:3055); Elwell, John; Dean Willis
> Cc: Cullen Jennings; [email protected]; DRAGE,Keith (Keith)
> Subject: Re: [Sip] francois' comments and why RFC4474 not
> used in the field
>
> If I may quibble here:
>
> > The attack is not impersonation, it's interruption of media.
>
> The attack relies on impersonation to accomplish interruption
> of media. The attacker listens to Alice's INVITE, and then
> sends a cut-and-pasted re-INVITE saying "This is Alice again,
> would you mind sending my media here instead please."
> Impersonation is almost always a tool that attackers use to
> accomplish some particular goal, even if it's just tricking
> you into accepting unwanted communications. I'm not sure I'd
> say impersonation is an attack as such, but by preventing it,
> we prevent whole categories of attacks and grant ourselves
> more powers in crafting authorization policies.
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current
sip
Use [email protected] for new developments on the application of
sip
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [email protected] for questions on current sip
Use [email protected] for new developments on the application of sip
