[VOIPSEC] [Fwd: draft-state-sip-relay-attack-00]
Raphael Coeffic
rco at iptel.org
Wed Mar 4 10:18:53 CST 2009
Ali Fessi wrote:
> Hi Raphael, and authors of the draft,
>
> first, thanks for pointing out these attacks. I think one of the
> major security threats, that the attacks you described in the draft
> are based on, is that SIP entities do not always verify the
> identity of the communication party. This occurs, for example, in
> message F5 (Figure 1) where Bob is talking to proxy.com and is
> impersonating Alice's UA. And this occurs again, in message F8 when
> Bob is talking to Alice and impersonating the proxy.
>
> One possible way to alleviate the problem could be that UAs must
> verify the identity of the other party, e.g. with a TLS tunnel and a
> certificate, before replying to a challenge (this would prevent Alice's
> UA from replying to the challenge coming from Bob in message F8).
>
Yes, you are right. Unfortunately, only very few SIP proxies would support
TLS. It is in fact not very much deployed due to a lot of constraints.
The public key infrastructure is one of them.
Regards,
Raphael.
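
The check proposed in the quoted message, sketched as an added example that is not part of the original thread or of the draft: a UA answers a digest challenge only when the sender was reached over TLS and its validated certificate names the configured proxy. The `Peer` type, the function names and the sample peers are assumptions made for illustration, and the exact-match comparison against subjectAltName DNS entries (no wildcards) is a simplification.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Peer:
    """What the UA knows about the sender of a 401/407 challenge (hypothetical type)."""
    transport: str          # "UDP", "TCP" or "TLS"
    cert_verified: bool     # True only if the TLS stack validated the chain
    cert: Optional[dict]    # same shape as ssl.SSLSocket.getpeercert()


def cert_dns_names(cert: dict) -> set:
    """Collect the DNS names from the certificate's subjectAltName, lower-cased."""
    return {value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}


def may_answer_challenge(peer: Peer, trusted_proxy: str) -> Tuple[bool, str]:
    """Decide whether the UA may compute a digest response for this peer."""
    if peer.transport != "TLS":
        return False, "challenge arrived over an unauthenticated transport"
    if not peer.cert_verified or not peer.cert:
        return False, "peer certificate missing or not validated"
    if trusted_proxy.lower() not in cert_dns_names(peer.cert):
        return False, "certificate does not name the configured proxy"
    return True, "peer authenticated as the configured proxy"


# Constructed sample peers; proxy.com is the proxy named in the thread.
REAL_PROXY = Peer("TLS", True, {"subjectAltName": (("DNS", "proxy.com"),)})
RELAYED_OVER_UDP = Peer("UDP", False, None)           # challenge forwarded in the clear
OTHER_TLS_PEER = Peer("TLS", True, {"subjectAltName": (("DNS", "bob.example"),)})

if __name__ == "__main__":
    for name, peer in [("real proxy", REAL_PROXY),
                       ("relayed over UDP", RELAYED_OVER_UDP),
                       ("other TLS peer", OTHER_TLS_PEER)]:
        allowed, reason = may_answer_challenge(peer, "proxy.com")
        print(f"{name}: {'answer' if allowed else 'refuse'} ({reason})")
```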