Hi, excuse me if this message is not directly related to Kamailio.
I'm just wondering if folks could share with me if (and how) they have prevented the "SIP Digest Access Authentication RELAY" in their networks (and what worked for them or not). NAT boxes reduce dramatically the scenarios for a successful attack. Otherwise, some might be mitigating the attack by means of forcing UAs to use outbound proxies while others might be reducing the attack incentives by means of message integrity.
Any comment would be appreciated,
Hello,
On 01/14/2009 05:49 PM, Victor Pascual Ávila wrote:
> Hi, excuse me if this message is not directly related to Kamailio.
such debates are welcome all the time.
> I'm just wondering if folks could share with me if (and how) they have prevented the "SIP Digest Access Authentication RELAY" in their networks (and what worked for them or not).
To be sure we talk about the same thing, is this the issue described at: http://madynes.loria.fr/TeamMembers/Abdelnur/madynes-security-advisory-sip-d...
Cheers, Daniel
On Wed, Jan 14, 2009 at 5:16 PM, Daniel-Constantin Mierla miconda@gmail.com wrote:
> To be sure we talk about the same thing, is this the issue described at: http://madynes.loria.fr/TeamMembers/Abdelnur/madynes-security-advisory-sip-d...
Right. The attack is also described here: http://kif.gforge.inria.fr/advisory/relay_attack.pdf
IIRC to solve this issue completely the UAC should never send credentials to unknown parties - only to its SIP proxy (some clients have a "force outbound proxy" feature which does the same). Then the SIP proxy can remove credentials before forwarding to other parties.
As soon as a client sends messages (with credentials) directly to other parties there is nothing you can do on the proxy side.
regards klaus
Hi!
For those who are interested in this attack - I have attached the relevant slides from my SIP security lectures.
regards Klaus
PS: an exploit based on sipp scenario files is available too on request (for educational purposes :-)
Kamailio (OpenSER) - Users mailing list Users@lists.kamailio.org http://lists.kamailio.org/cgi-bin/mailman/listinfo/users http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
Hello,
thanks Klaus and Victor for details.
With Kamailio 1.5 this can be solved in another way, pretty easy -- allow users to call only from registered devices.
Check here the example 2: http://openser.blogspot.com/2008/10/registrar-enhancements.html
The condition can be extended so that you match the received (source IP)/contact in the INVITE with the contact in the location record.
So guys, start testing 1.5, it does have a lot of cool new features: http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
Cheers, Daniel
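Added example, not part of the original posts and not Kamailio code: a Python sketch of the proxy-side policy discussed in this thread. It accepts an INVITE only when the From AOR is registered and the source IP and Contact match the location record, and it strips digest credentials before forwarding. The location table, addresses, sample INVITE and function names are constructed for illustration.

```python
import re

# Constructed location table: AOR -> [(registered contact, received source IP)]
LOCATION = {"sip:alice@example.com": [("sip:alice@192.0.2.10:5060", "192.0.2.10")]}
CRED_HEADERS = ("authorization", "proxy-authorization")

# Constructed INVITE carrying digest credentials (values are placeholders)
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          'From: "Alice" <sip:alice@example.com>;tag=1\r\n'
          "To: <sip:bob@example.net>\r\n"
          "Contact: <sip:alice@192.0.2.10:5060>\r\n"
          'Proxy-Authorization: Digest username="alice", response="constructed"\r\n'
          "Content-Length: 0\r\n\r\n")

def headers(msg):
    """Return the request's headers as a dict keyed by lower-cased name."""
    lines = msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]
    pairs = (line.split(":", 1) for line in lines if ":" in line)
    return {name.strip().lower(): value.strip() for name, value in pairs}

def uri_of(value):
    """Extract the bare URI from a From/Contact value (no display name or params)."""
    m = re.search(r"<([^>]+)>", value)
    return (m.group(1) if m else value).split(";")[0].strip()

def check_invite(msg, src_ip, location=LOCATION):
    """Return (allowed, reason) for an INVITE received from src_ip."""
    h = headers(msg)
    bindings = location.get(uri_of(h.get("from", "")))
    if not bindings:
        return False, "caller AOR has no registered device"
    contact = uri_of(h.get("contact", ""))
    if any(rc == contact and ip == src_ip for rc, ip in bindings):
        return True, "source IP and contact match the location record"
    return False, "source IP/contact differ from the location record"

def strip_credentials(msg):
    """Drop Authorization/Proxy-Authorization before forwarding downstream."""
    head, sep, body = msg.partition("\r\n\r\n")
    kept = [line for line in head.split("\r\n")
            if line.split(":", 1)[0].strip().lower() not in CRED_HEADERS]
    return "\r\n".join(kept) + sep + body
```

A request that carries valid-looking credentials for alice but arrives from an address other than her registered one is rejected by `check_invite`, which is the case the registered-device condition is meant to catch.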
Hi list,
I would like to ask if serMyAdmin works with Kamailio and if it does what changes would be necessary to make it work?
Cheers,
Juan.-
What should I do to get 1.5? Is there a 1.5 branch or should I get trunk?
Thanks Luciano
Luciano Afranllie schrieb:
> What should I do to get 1.5? Is there a 1.5 branch or should I get trunk?
Trunk. The 1.5 branch will be created when 1.5 is released (sometime in February).
klaus
I added this information in the wiki: http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
Cheers, Daniel