14 Jan
2009
14 Jan
'09
5:49 p.m.
Hi,
excuse me if this message is not directly related to Kamailio.
I'm just wondering if folks could share with me if (and how) they have
prevented the "SIP Digest Access Authentication RELAY" in their
networks (and what worked for them or not).
NAT boxes reduce dramatically the scenarios for a successful attack.
Otherwise, some might be mitigating the attack by means of forcing UAs
to use outbound proxies while others might be reducing the attack
incentives by means of message integrity.
Any comment would be appreciated,
--
Victor Pascual Ávila
14 Jan
14 Jan
6:16 p.m.
Hello,
On 01/14/2009 05:49 PM, Victor Pascual Ávila wrote:
Hi,
excuse me if this message is not directly related to Kamailio.
such debates are welcome all the time.
I'm just wondering if folks could share with me if
(and how) they have
prevented the "SIP Digest Access Authentication RELAY" in their
networks (and what worked for them or not).
To be sure we talk about the same thing, is this the issue described at:
http://madynes.loria.fr/TeamMembers/Abdelnur/madynes-security-advisory-sip-…
Cheers,
Daniel
NAT boxes reduce dramatically the scenarios for a
successful attack.
Otherwise, some might be mitigating the attack by means of forcing UAs
to use outbound proxies while others might be reducing the attack
incentives by means of message integrity.
Any comment would be appreciated,
--
Daniel-Constantin Mierla
http://www.asipto.com
6:58 p.m.
On Wed, Jan 14, 2009 at 5:16 PM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
On 01/14/2009 05:49 PM, Victor Pascual Ávila wrote:
Right. The attack is also described here:
http://kif.gforge.inria.fr/advisory/relay_attack.pdf
--
Victor Pascual Ávila
Hi,
excuse me if this message is not directly related to Kamailio.
such debates are welcome all the time.
I'm just wondering if folks could share with me if (and how) they have
prevented the "SIP Digest Access Authentication RELAY" in their
networks (and what worked for them or not).
To be sure we talk about the same thing, is this the issue described at:
http://madynes.loria.fr/TeamMembers/Abdelnur/madynes-security-advisory-sip-…
15 Jan
15 Jan
11:48 a.m.
IIRC to solve this issue completely the UAC should never send
credentials to unknown parties - only to its SIP proxy (some clients
have a "force outbound proxy" feature which does the same). Then the SIP
proxy can remove credentials before forwarding to other parties.
As soon as a client send messages (with credentials) directly to other
parties there is nothing you can do on the proxy side.
regards
klaus
Victor Pascual Ávila schrieb:
Hi,
excuse me if this message is not directly related to Kamailio.
I'm just wondering if folks could share with me if (and how) they have
prevented the "SIP Digest Access Authentication RELAY" in their
networks (and what worked for them or not).
NAT boxes reduce dramatically the scenarios for a successful attack.
Otherwise, some might be mitigating the attack by means of forcing UAs
to use outbound proxies while others might be reducing the attack
incentives by means of message integrity.
Any comment would be appreciated,
noon
Hi!
For those who are interested in this attack - I have attached the
relevant slides from my SIP security lectures.
regards
Klaus
PS: an exploit based on sipp scenario files is available too on request
(for educational purposes :-)
Klaus Darilion schrieb:
IIRC to solve this issue completely the UAC should
never send
credentials to unknown parties - only to its SIP proxy (some clients
have a "force outbound proxy" feature which does the same). Then the SIP
proxy can remove credentials before forwarding to other parties.
As soon as a client send messages (with credentials) directly to other
parties there is nothing you can do on the proxy side.
regards
klaus
Victor Pascual Ávila schrieb:
Hi,
excuse me if this message is not directly related to Kamailio.
I'm just wondering if folks could share with me if (and how) they have
prevented the "SIP Digest Access Authentication RELAY" in their
networks (and what worked for them or not).
NAT boxes reduce dramatically the scenarios for a successful attack.
Otherwise, some might be mitigating the attack by means of forcing UAs
to use outbound proxies while others might be reducing the attack
incentives by means of message integrity.
Any comment would be appreciated,
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
4:21 p.m.
Hello,
thanks Klaus and Victor for details.
With kamailio 1.5 this can be solved in another way, pretty easy --
allow users to call only from registered devices.
Check here the example 2:
http://openser.blogspot.com/2008/10/registrar-enhancements.html
The condition can be extended so that you match the received(source
ip)/contact in invite with the contact in location record.
So guys, start testing 1.5, it does have lot of cool new features:
http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
Cheers,
Daniel
On 01/15/2009 12:00 PM, Klaus Darilion wrote:
Hi!
For those who are interested in this attack - I have attached the
relevant slides from my SIP security lectures.
regards
Klaus
PS: an exploit based on sipp scenario files is available too on
request (for educational purposes :-)
Klaus Darilion schrieb:
--
Daniel-Constantin Mierla
http://www.asipto.com
IIRC to solve this issue completely the UAC
should never send
credentials to unknown parties - only to its SIP proxy (some clients
have a "force outbound proxy" feature which does the same). Then the
SIP proxy can remove credentials before forwarding to other parties.
As soon as a client send messages (with credentials) directly to
other parties there is nothing you can do on the proxy side.
regards
klaus
Victor Pascual Ávila schrieb:
------------------------------------------------------------------------
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users Hi,
excuse me if this message is not directly related to Kamailio.
I'm just wondering if folks could share with me if (and how) they have
prevented the "SIP Digest Access Authentication RELAY" in their
networks (and what worked for them or not).
NAT boxes reduce dramatically the scenarios for a successful attack.
Otherwise, some might be mitigating the attack by means of forcing UAs
to use outbound proxies while others might be reducing the attack
incentives by means of message integrity.
Any comment would be appreciated,
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users 
6:20 p.m.
New subject: [Kamailio-Users] serMyAdmin
Hi list,
I would like to ask if serMyAdmin works with Kamailio and if it does what
changes would be necessary to make it work?
Cheers,
Juan.-
11:08 p.m.
What should I do to get 1.5? Is there a 1.5 branch or should I get trunk?
Thanks
Luciano
On Thu, Jan 15, 2009 at 12:21 PM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Hello,
thanks Klaus and Victor for details.
With kamailio 1.5 this can be solved in another way, pretty easy --
allow users to call only from registered devices.
Check here the example 2:
http://openser.blogspot.com/2008/10/registrar-enhancements.html
The condition can be extended so that you match the received(source
ip)/contact in invite with the contact in location record.
So guys, start testing 1.5, it does have lot of cool new features:
http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
Cheers,
Daniel
On 01/15/2009 12:00 PM, Klaus Darilion wrote:
Hi!
For those who are interested in this attack - I have attached the
relevant slides from my SIP security lectures.
regards
Klaus
PS: an exploit based on sipp scenario files is available too on
request (for educational purposes :-)
Klaus Darilion schrieb:
--
Daniel-Constantin Mierla
http://www.asipto.com
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users IIRC to solve this issue completely the UAC
should never send
credentials to unknown parties - only to its SIP proxy (some clients
have a "force outbound proxy" feature which does the same). Then the
SIP proxy can remove credentials before forwarding to other parties.
As soon as a client send messages (with credentials) directly to
other parties there is nothing you can do on the proxy side.
regards
klaus
Victor Pascual Ávila schrieb:
------------------------------------------------------------------------
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users Hi,
excuse me if this message is not directly related to Kamailio.
I'm just wondering if folks could share with me if (and how) they have
prevented the "SIP Digest Access Authentication RELAY" in their
networks (and what worked for them or not).
NAT boxes reduce dramatically the scenarios for a successful attack.
Otherwise, some might be mitigating the attack by means of forcing UAs
to use outbound proxies while others might be reducing the attack
incentives by means of message integrity.
Any comment would be appreciated,
_______________________________________________
Kamailio (OpenSER) - Users mailing list
Users(a)lists.kamailio.org
http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
16 Jan
16 Jan
11:04 a.m.
Luciano Afranllie schrieb:
What should I do to get 1.5? Is there a 1.5 branch or
should I get trunk?
Trunk. 1.5 branch will be created when 1.5 will be released (somewhere
in February)
klaus
Thanks
Luciano
On Thu, Jan 15, 2009 at 12:21 PM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
> Hello,
>
> thanks Klaus and Victor for details.
>
> With kamailio 1.5 this can be solved in another way, pretty easy --
> allow users to call only from registered devices.
>
> Check here the example 2:
> http://openser.blogspot.com/2008/10/registrar-enhancements.html
>
> The condition can be extended so that you match the received(source
> ip)/contact in invite with the contact in location record.
>
> So guys, start testing 1.5, it does have lot of cool new features:
> http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
>
> Cheers,
> Daniel
>
> On 01/15/2009 12:00 PM, Klaus Darilion wrote:
>> Hi!
>>
>> For those who are interested in this attack - I have attached the
>> relevant slides from my SIP security lectures.
>>
>> regards
>> Klaus
>>
>> PS: an exploit based on sipp scenario files is available too on
>> request (for educational purposes :-)
>>
>>
>>
>> Klaus Darilion schrieb:
>>> IIRC to solve this issue completely the UAC should never send
>>> credentials to unknown parties - only to its SIP proxy (some clients
>>> have a "force outbound proxy" feature which does the same). Then
the
>>> SIP proxy can remove credentials before forwarding to other parties.
>>>
>>> As soon as a client send messages (with credentials) directly to
>>> other parties there is nothing you can do on the proxy side.
>>>
>>> regards
>>> klaus
>>>
>>> Victor Pascual Ávila schrieb:
>>>> Hi,
>>>> excuse me if this message is not directly related to Kamailio.
>>>>
>>>> I'm just wondering if folks could share with me if (and how) they
have
>>>> prevented the "SIP Digest Access Authentication RELAY" in
their
>>>> networks (and what worked for them or not).
>>>> NAT boxes reduce dramatically the scenarios for a successful attack.
>>>> Otherwise, some might be mitigating the attack by means of forcing UAs
>>>> to use outbound proxies while others might be reducing the attack
>>>> incentives by means of message integrity.
>>>>
>>>> Any comment would be appreciated,
>>> _______________________________________________
>>> Kamailio (OpenSER) - Users mailing list
>>> Users(a)lists.kamailio.org
>>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Kamailio (OpenSER) - Users mailing list
>> Users(a)lists.kamailio.org
>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
> --
> Daniel-Constantin Mierla
> http://www.asipto.com
>
>
> _______________________________________________
> Kamailio (OpenSER) - Users mailing list
> Users(a)lists.kamailio.org
> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
12:37 p.m.
I added this information in the wiki:
http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
Cheers,
Daniel
On 01/16/2009 11:04 AM, Klaus Darilion wrote:
Luciano Afranllie schrieb:
--
Daniel-Constantin Mierla
http://www.asipto.com
What should I do to get 1.5? Is there a 1.5
branch or should I get
trunk?
Trunk. 1.5 branch will be created when 1.5 will be released (somewhere
in February)
klaus
>
> Thanks
> Luciano
>
> On Thu, Jan 15, 2009 at 12:21 PM, Daniel-Constantin Mierla
> <miconda(a)gmail.com> wrote:
>> Hello,
>>
>> thanks Klaus and Victor for details.
>>
>> With kamailio 1.5 this can be solved in another way, pretty easy --
>> allow users to call only from registered devices.
>>
>> Check here the example 2:
>> http://openser.blogspot.com/2008/10/registrar-enhancements.html
>>
>> The condition can be extended so that you match the received(source
>> ip)/contact in invite with the contact in location record.
>>
>> So guys, start testing 1.5, it does have lot of cool new features:
>> http://www.kamailio.org/dokuwiki/doku.php/features:new-in-1.5.x
>>
>> Cheers,
>> Daniel
>>
>> On 01/15/2009 12:00 PM, Klaus Darilion wrote:
>>> Hi!
>>>
>>> For those who are interested in this attack - I have attached the
>>> relevant slides from my SIP security lectures.
>>>
>>> regards
>>> Klaus
>>>
>>> PS: an exploit based on sipp scenario files is available too on
>>> request (for educational purposes :-)
>>>
>>>
>>>
>>> Klaus Darilion schrieb:
>>>> IIRC to solve this issue completely the UAC should never send
>>>> credentials to unknown parties - only to its SIP proxy (some clients
>>>> have a "force outbound proxy" feature which does the same).
Then the
>>>> SIP proxy can remove credentials before forwarding to other parties.
>>>>
>>>> As soon as a client send messages (with credentials) directly to
>>>> other parties there is nothing you can do on the proxy side.
>>>>
>>>> regards
>>>> klaus
>>>>
>>>> Victor Pascual Ávila schrieb:
>>>>> Hi,
>>>>> excuse me if this message is not directly related to Kamailio.
>>>>>
>>>>> I'm just wondering if folks could share with me if (and how) they
>>>>> have
>>>>> prevented the "SIP Digest Access Authentication RELAY" in
their
>>>>> networks (and what worked for them or not).
>>>>> NAT boxes reduce dramatically the scenarios for a successful attack.
>>>>> Otherwise, some might be mitigating the attack by means of
>>>>> forcing UAs
>>>>> to use outbound proxies while others might be reducing the attack
>>>>> incentives by means of message integrity.
>>>>>
>>>>> Any comment would be appreciated,
>>>> _______________________________________________
>>>> Kamailio (OpenSER) - Users mailing list
>>>> Users(a)lists.kamailio.org
>>>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>>>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
>>> ------------------------------------------------------------------------
>>>
>>>
>>> _______________________________________________
>>> Kamailio (OpenSER) - Users mailing list
>>> Users(a)lists.kamailio.org
>>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
>> --
>> Daniel-Constantin Mierla
>> http://www.asipto.com
>>
>>
>> _______________________________________________
>> Kamailio (OpenSER) - Users mailing list
>> Users(a)lists.kamailio.org
>> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>> http://lists.openser-project.org/cgi-bin/mailman/listinfo/users
5793
days inactive
5795
days old
9 comments
5 participants
participants (5)
-
Daniel-Constantin Mierla -
Juan Asencio -
Klaus Darilion -
Luciano Afranllie -
Victor Pascual Ávila