< Previous by Date Date Index Next by Date >
< Previous in Thread Thread Index Next in Thread >

RE: [reSIProcate] FlowId Class Questions


Point taken.  That's more intersting w/ respect to the connectionId part.
The "use other flow id" attack will still happen if somebody is sniffing
flowIds and re-using them.  Of course, it would be nice to force them to
sniff.  

> -----Original Message-----
> From: resiprocate-devel-bounces@xxxxxxxxxxxxxxxxxxx [mailto:resiprocate-
> devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Alan Hawrylyshen
> Sent: Wednesday, June 08, 2005 4:13 PM
> To: resiprocate-devel@xxxxxxxxxxxxxxxxxxx resiprocate-devel
> Subject: [reSIProcate] FlowId Class Questions
> 
> 
> Oops, posting to the list too.
> 
> On Jun 8, 2005, at 16:50, Derek MacDonald wrote:
> 
> > Dlb & I talked about this; if that pointer isn't in a set of valid
> > pointers
> > it will be treated as bad. It really doesn't matter if we use a map
> > token or
> > an existence check by a set in this case.
> >
> > Once the GruuMonkey is more written FlowId can be tweaked to work
> > the other
> > way.
> >
> >
> 
> 
> I disagree -- pointers will follow a particular pattern and a
> malicious client will be able to convince you to use someone else's
> response context or connection by guessing a flowid. I would argue
> that a map, with random keys is a lightweight approach that mitigates
> this attack.
> 
> You don't want to answer the question "is this pointer valid?" but
> "is this pointer valid for this  SIP transaction / context?".
> Therefore, in order to prevent a trivial attack mechanism, there
> needs to be some way of preventing the 'wire-space' people from
> suggesting a flowid.  This can be done with randomization and a
> porous key-space or by incorporating some sort of message
> authentication technique for the flowid.  I get the shivers thinking
> about taking  a pointer value or index from the wire without a way to
> qualify it to the appropriate scope.
> 
> Thoughts?
> 
> A
> 
> 
> 
> 
> 
> _______________________________________________
> resiprocate-devel mailing list
> resiprocate-devel@xxxxxxxxxxxxxxxxxxx
> https://list.sipfoundry.org/mailman/listinfo/resiprocate-devel