draft-ietf-sip-fork-loop-fix-04.txt | draft-ietf-sip-fork-loop-fix-05.txt

-04 header (October 21, 2006):
Network Working Group                                      R. Sparks, Ed.
Internet-Draft                                          Estacado Systems
Updates: 3261 (if approved)                                  S. Lawrence
Expires: April 24, 2007                                     Pingtel Corp.
                                                          A. Hawrylyshen
                                                    Ditech Networks Inc.
                                                        October 21, 2006

-05 header (March 7, 2007):
Network Working Group                                      R. Sparks, Ed.
Internet-Draft                                          Estacado Systems
Updates: 3261 (if approved)                                  S. Lawrence
Intended status: Standards Track                            Pingtel Corp.
Expires: September 8, 2007                               A. Hawrylyshen
                                                    Ditech Networks Inc.
                                                           March 7, 2007

Addressing an Amplification Vulnerability in Session Initiation Protocol
(SIP) Forking Proxies

draft-ietf-sip-fork-loop-fix-04 | draft-ietf-sip-fork-loop-fix-05
Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that

[skipping to change at page 1, line 38]

and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

-04: This Internet-Draft will expire on April 24, 2007.
-05: This Internet-Draft will expire on September 8, 2007.

Copyright Notice

-04: Copyright (C) The Internet Society (2006).
-05: Copyright (C) The IETF Trust (2007).

Abstract

This document normatively updates RFC 3261, the Session Initiation
Protocol (SIP), to address a security vulnerability identified in SIP
proxy behavior. This vulnerability enables an attack against SIP
networks where a small number of legitimate, even authorized, SIP
requests can stimulate massive amounts of proxy-to-proxy traffic.
This document strengthens loop-detection requirements on SIP proxies

[skipping to change at page 6, line 14]
When a SIP proxy forks a particular request to more than one
destination, it MUST ensure that request is not looping through this
proxy. It is RECOMMENDED that proxies meet this requirement by
performing the Loop-Detection steps defined in this document.

The requirement to use this document's refinement of the loop-
detection algorithm in RFC 3261 is set at should-strength to allow
for future standards track mechanisms that will allow a proxy to
determine it is not looping. For example, a proxy forking to
destinations established using the sip-outbound mechanism
[I-D.ietf-sip-outbound] would know those branches will not loop.

A SIP proxy forwarding a request to only one location MAY perform
loop detection but is not required to. When forwarding to only one
location, the amplification risk being exploited is not present, and
the Max-Forwards mechanism is sufficient to protect the network. A
proxy is not required to perform loop detection when forwarding a
request to a single location even if it happened to have previously
forked that request (and performed loop detection) in its progression
through the network.
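The decision procedure the three paragraphs above describe, as an added illustration that is not part of the draft or of any SIP implementation: the proxy checks Max-Forwards first, runs loop detection only when it is about to fork the request to more than one destination, and for a single-destination forward relies on Max-Forwards alone. The sent-by match followed by a branch comparison is modelled on RFC 3261 sections 16.3 (step 4) and 16.6 (step 8); the exact hashed field set, the omission of the topmost Via from the hash, the use of SHA-256 and the per-fork suffix on the branch are this example's assumptions, and the draft's own refined Loop-Detection steps (not shown on this page) are not reproduced. The proxy name, header values and sample INVITE are constructed.

```python
import hashlib
import re
from dataclasses import dataclass, field

MY_SENT_BY = "proxy.example.com"   # constructed: this proxy's Via sent-by value
MAGIC = "z9hG4bK"                  # RFC 3261 branch cookie


@dataclass
class SipRequest:
    request_uri: str
    headers: dict                                  # lower-cased name -> list of values
    targets: list = field(default_factory=list)    # destinations after location lookup

    def first(self, name: str) -> str:
        vals = self.headers.get(name.lower(), [])
        return vals[0] if vals else ""

    def values(self, name: str) -> list:
        return self.headers.get(name.lower(), [])


def tag_of(value: str) -> str:
    """Extract the ;tag= parameter of a To/From value ('' if absent)."""
    m = re.search(r";tag=([^;\s]+)", value)
    return m.group(1) if m else ""


def parse_via(via: str):
    """Split 'SIP/2.0/UDP host:port;branch=...' into (sent-by, {param: value})."""
    head, *params = [p.strip() for p in via.split(";")]
    sent_by = head.split()[1]
    return sent_by, {k: v for k, _, v in (p.partition("=") for p in params)}


def loop_hash(req: SipRequest) -> str:
    """Hash over the fields RFC 3261 16.6 step 8 lists, minus the topmost Via
    (assumption: dropped so a request that returns through a different hop
    still hashes the same). SHA-256 stands in for an implementation's choice."""
    material = "\n".join([
        req.request_uri,
        tag_of(req.first("to")),
        tag_of(req.first("from")),
        req.first("call-id"),
        req.first("cseq").split()[0] if req.first("cseq") else "",
        ",".join(req.values("proxy-require")),
        ",".join(req.values("proxy-authorization")),
    ])
    return hashlib.sha256(material.encode()).hexdigest()[:32]


def branch_for(req: SipRequest, index: int) -> str:
    """Branch this proxy inserts on fork number `index`: the shared loop hash
    plus a per-fork suffix so each fork still carries a unique branch."""
    return f"{MAGIC}{loop_hash(req)}-{index}"


def classify(req: SipRequest) -> str:
    """Decide what to do with req: 'too-many-hops' (483), 'loop' (482),
    'spiral' (our Via is present but the request has changed) or 'forward'."""
    max_forwards = int(req.first("max-forwards") or 70)   # 70 when absent (16.6 step 3)
    if max_forwards <= 0:
        return "too-many-hops"
    # Loop detection is mandatory only when forking to more than one target;
    # a single-target forward may rely on Max-Forwards alone.
    if len(req.targets) <= 1:
        return "forward"
    mine = loop_hash(req)
    verdict = "forward"
    for via in req.values("via"):
        sent_by, params = parse_via(via)
        if sent_by != MY_SENT_BY:
            continue                      # some other hop's Via
        branch = params.get("branch", "")
        if branch.startswith(MAGIC) and branch[len(MAGIC):].split("-")[0] == mine:
            return "loop"                 # we forwarded this exact request before
        verdict = "spiral"                # we saw it, but it was retargeted since
    return verdict


def sample_invite(max_forwards: int = 70, extra_vias=(), targets=None) -> SipRequest:
    """Constructed INVITE; `extra_vias` are placed above the originator's Via."""
    headers = {
        "via": list(extra_vias) + ["SIP/2.0/UDP ua1.example.org;branch=z9hG4bKua1"],
        "to": ["<sip:bob@example.com>"],
        "from": ["<sip:alice@example.org>;tag=a1"],
        "call-id": ["c0ffee@ua1.example.org"],
        "cseq": ["1 INVITE"],
        "max-forwards": [str(max_forwards)],
    }
    if targets is None:
        targets = ["sip:bob@pc1.example.com", "sip:bob@phone.example.com"]
    return SipRequest("sip:bob@example.com", headers, targets)


if __name__ == "__main__":
    fresh = sample_invite()
    our_via = f"SIP/2.0/UDP {MY_SENT_BY};branch={branch_for(fresh, 0)}"
    print("fresh request   :", classify(fresh))
    print("came back to us :", classify(sample_invite(extra_vias=[our_via])))
    print("Max-Forwards 0  :", classify(sample_invite(max_forwards=0)))
```

A 'loop' verdict is what a proxy would answer with 482 Loop Detected; a 'spiral' is forwarded normally, which is why the hash covers the Request-URI and not merely the Call-ID. Note that the single-target shortcut in `classify` is exactly the MAY in the text: it is safe only because a non-forking path cannot multiply traffic, so Max-Forwards bounds it.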
[skipping to change at page 11, line 40]

[RFC3261]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
           A., Peterson, J., Sparks, R., Handley, M., and E.
           Schooler, "SIP: Session Initiation Protocol", RFC 3261,
           June 2002.

10.2. Informative References

[I-D.ietf-sip-outbound]
           Jennings, C. and R. Mahy, "Managing Client Initiated
           Connections in the Session Initiation Protocol (SIP)",
           -04: draft-ietf-sip-outbound-04 (work in progress), June 2006.
           -05: draft-ietf-sip-outbound-08 (work in progress), March 2007.

[RFC1321]  Rivest, R., "The MD5 Message-Digest Algorithm", RFC 1321,
           April 1992.

[RFC3309]  Stone, J., Stewart, R., and D. Otis, "Stream Control
           Transmission Protocol (SCTP) Checksum Change", RFC 3309,
           September 2002.

Authors' Addresses

[skipping to change at page 13, line 5]

Alan Hawrylyshen
Ditech Networks Inc.
1167 Kensington Rd NW
Suite 200
Calgary, Alberta T2N 1X7
Canada

Phone: +1 403 806 3366
Email: ahawrylyshen@ditechnetworks.com
-04: Intellectual Property Statement
-05: Full Copyright Statement

(-05 only:)
Copyright (C) The IETF Trust (2007).

This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

(both versions:)
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

[skipping to change at page 13, line 29 (-04) / page 13, line 45 (-05)]

such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

(-04 only:)
Disclaimer of Validity

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.

(both versions:)
Acknowledgment

-04: Funding for the RFC Editor function is currently provided by the
     Internet Society.
-05: Funding for the RFC Editor function is provided by the IETF
     Administrative Support Activity (IASA).
End of changes. 10 change blocks. 26 lines changed or deleted, 26 lines changed or added.

This html diff was produced by rfcdiff 1.33. The latest version is available from http://tools.ietf.org/tools/rfcdiff/