Outline
- Introduction
- Session-Expires Header Field Definition
- Min-SE Header Field Definition
- 422 Response Code Definition
- UAC / Proxy / UAS Behavior
- Security Considerations
- Example Call Flow
Introduction (1/3)
SIP by itself gives a UAC, a UAS, or a proxy that keeps call state no way to notice that a session has died when the BYE never arrives: a UA that crashed, rebooted, or lost its network path cannot send one. Stateful proxies would then hold the dialog state indefinitely.

Introduction (2/3)
The session timer extension (RFC 4028) fixes this with periodic session refresh requests (re-INVITE or UPDATE) sent inside the dialog. The interval is negotiated with the Session-Expires and Min-SE header fields and the 422 (Session Interval Too Small) response, and one side, the refresher (uac or uas), is responsible for sending the refreshes. If no refresh arrives before the session expires, the other side sends a BYE and every element on the path can release its state.

Introduction (3/3)
Terms used throughout:
- Session Interval: the maximum time that may elapse between refreshes before the session is considered timed out; carried in Session-Expires, in seconds.
- Session Expiration: the point in time at which the session is considered timed out, computed from the session interval.
- Session Refresh Request: an INVITE or UPDATE sent within the dialog that keeps the session from timing out (a "refresh").
- Initial Session Refresh Request: the first session refresh request in a dialog, normally the INVITE that creates it.
- Subsequent Session Refresh Request: any later refresh (re-INVITE or UPDATE) sent within the established dialog.
UAC Behavior
The UAC advertises support and proposes an interval in the initial INVITE:

Supported: timer
Session-Expires: XX;refresher=uac
Min-SE: XX

Two answers are possible:
- 200 OK with Require: timer, Supported: timer and Session-Expires: XX;refresher=<uac|uas>: the timer is active with the interval and refresher chosen by the UAS (or inserted by a proxy).
- 422 (Session Interval Too Small) from a proxy or from the UAS, carrying Min-SE: XX, the smallest interval that element accepts.
UAC Behavior
On a 422 the UAC does not give up. It takes the Min-SE value from the response, raises its own Min-SE to at least that value, and sends a new INVITE (new CSeq, same Call-ID) with Supported: timer, Min-SE: XX and a Session-Expires no smaller than that Min-SE, carrying the refresher parameter (uac or uas) it prefers. The UAC keeps the learned Min-SE in its later requests for the session, so it never again proposes an interval below it.
Proxy Behavior
A proxy that wants session timers checks every INVITE it forwards:
- Proxy 1 accepts the INVITE (Session-Expires: XX, Min-SE: XX) and forwards it unchanged toward Proxy 2.
- Proxy 2 has a larger minimum: the Session-Expires it sees is too small, so instead of forwarding it answers 422 with its own Min-SE. The call fails at this point unless the UAC retries with a larger interval. A proxy may lower a Session-Expires value it forwards, but it never raises one on the UAC's behalf; a value below its minimum is rejected, not corrected.

Proxy Behavior
What the proxy does with the response depends on who supports the timer:
- If the UAS supports the timer, its 2xx already carries Session-Expires and the proxy simply forwards it.
- If the UAS does not support the timer (the 2xx carries no Session-Expires), the proxy remembers that the UAC did support the session timer (Supported: timer in the request) and inserts Session-Expires with refresher=uac, together with Require: timer, into the 2xx so that the UAC performs the refreshes.
- If neither the UAC nor the UAS supports the timer, there is no session expiration for this session; the proxy cannot create one on its own.
UAS Behavior
The UAS receives, through the proxies, an INVITE carrying Supported: timer, Session-Expires and Min-SE.
- If the Session-Expires value is below the minimum the UAS accepts, it answers 422 with Min-SE set to that minimum.
- Otherwise it answers 200 OK with Require: timer and a Session-Expires whose value is at most the one offered and not below Min-SE, plus a refresher parameter chosen according to the following table.
UAS Behavior
Choosing the refresher:

refresher parameter   UAC supports   refresher parameter
in request            the timer?     in response
-------------------   ------------   -------------------
none                  no             uas
none                  yes            uas or uac
uac                   NA             uac
uas                   NA             uas
Security Considerations (1/3)
Inside Attacks
Case 1: a rogue UAC that wishes to force a UAS to generate refreshes at a rapid rate.
- It would do so by proposing a very small Session-Expires. The UAS, or any proxy on the path that objects to such a low timer, rejects the request with a 422 carrying its Min-SE, so the attack never produces the fast refreshes.

Security Considerations (2/3)
Case 2: a rogue UAS that wishes to force a UAC to generate refreshes at a rapid rate.
- It would do so by returning a very small Session-Expires in the 2xx. The UAC copies the current session interval into the Session-Expires header field of its refresh request; the proxies reject that request with a 422 and provide a Min-SE with a higher minimum, which the UAC then uses, so the interval is pulled back up to what the path accepts.

Security Considerations (3/3)
Outside Attacks
- An element that can observe and modify a request or response in transit can force rapid session refreshes by rewriting Session-Expires or Min-SE. The defence is to keep every hop inside TLS:
- Proxies that record-route and request session timers SHOULD record-route with a SIPS URI.
- A UA that inserts a Session-Expires header into a request or response SHOULD include a Contact URI that is a SIPS URI.
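The following Python model is added here as an illustration; it is not code from the slides or from any SIP stack. It ties the UAC, proxy and UAS behaviour slides to the two inside-attack cases above: each element enforces its own Min-SE with a 422, the UAC retries exactly as described, the UAS picks the refresher from the table, and the refresh and BYE deadlines are computed as RFC 4028 specifies (refresh at half the interval, BYE at expiration minus min(32 s, interval/3)). Messages are plain header dicts, the element names P1/P2/Bob and the 90/3600/4000 values mirror the example call flow, and all function names are the example's own.

```python
"""Model of RFC 4028 session-timer negotiation: Session-Expires, Min-SE, 422.

Added illustration; not code from the slides or from any SIP implementation.
Messages are header dicts; element names and the 90/3600/4000 values mirror
the slides' call flow; the function names are this example's own.
"""
from __future__ import annotations
import re

ABSOLUTE_MIN_SE = 90            # RFC 4028: Min-SE MUST NOT be lower than 90 s
DEFAULT_SESSION_EXPIRES = 1800  # RFC 4028 recommended default interval


def parse_session_expires(value: str) -> tuple[int, str | None]:
    """'4000;refresher=uac' -> (4000, 'uac');  '90' -> (90, None)."""
    m = re.fullmatch(r"\s*(\d+)\s*((?:;[^;]*)*)", value)
    if not m:
        raise ValueError(f"bad Session-Expires: {value!r}")
    refresher = None
    for param in m.group(2).split(";"):
        name, _, val = param.strip().partition("=")
        if name.lower() == "refresher":
            refresher = val.strip().lower()
    return int(m.group(1)), refresher


def uac_initial_request(session_expires: int = DEFAULT_SESSION_EXPIRES,
                        min_se: int = ABSOLUTE_MIN_SE) -> dict[str, str]:
    """UAC behaviour: advertise the timer and propose an interval."""
    return {"Supported": "timer",
            "Session-Expires": f"{session_expires};refresher=uac",
            "Min-SE": str(min_se)}


def check_interval(request: dict[str, str], local_min_se: int) -> dict[str, str] | None:
    """Proxy/UAS behaviour: a 422 (as a header dict) when the offered interval
    is below this element's minimum, else None (forward or accept). This is
    the check that stops a rogue UAC from forcing rapid refreshes (case 1)."""
    if "Session-Expires" not in request:
        return None                      # nothing offered, nothing to object to
    interval, _ = parse_session_expires(request["Session-Expires"])
    if interval < local_min_se:
        return {"Status": "422 Session Interval Too Small",
                "Min-SE": str(max(local_min_se, ABSOLUTE_MIN_SE))}
    return None


def uac_retry_after_422(request: dict[str, str], response: dict[str, str]) -> dict[str, str]:
    """UAC behaviour on 422: never lower Min-SE, raise it to what was demanded,
    and offer a Session-Expires at least that large; keep the refresher."""
    new_min = max(int(response["Min-SE"]), int(request.get("Min-SE", ABSOLUTE_MIN_SE)))
    interval, refresher = parse_session_expires(request["Session-Expires"])
    interval = max(interval, new_min)
    se = f"{interval};refresher={refresher}" if refresher else str(interval)
    return {**request, "Min-SE": str(new_min), "Session-Expires": se}


def uas_choose_refresher(request: dict[str, str]) -> str:
    """The refresher table from the UAS-behaviour slide: honour an explicit
    refresher; with none, a UAC that supports the timer may be chosen (this
    model chooses it), otherwise the UAS has to refresh itself."""
    _, refresher = parse_session_expires(
        request.get("Session-Expires", str(DEFAULT_SESSION_EXPIRES)))
    if refresher in ("uac", "uas"):
        return refresher
    supported = [t.strip().lower() for t in request.get("Supported", "").split(",")]
    return "uac" if "timer" in supported else "uas"


def negotiate(request: dict[str, str], path: list[tuple[str, int]],
              max_attempts: int = 5) -> tuple[int, str, list[tuple[str, int]]]:
    """Push the INVITE through (name, local Min-SE) elements in order, retrying
    on 422 as the UAC would. Returns (agreed interval, refresher, 422 log)."""
    log: list[tuple[str, int]] = []
    for _ in range(max_attempts):
        rejection = None
        for name, local_min in path:
            rejection = check_interval(request, local_min)
            if rejection is not None:
                log.append((name, int(rejection["Min-SE"])))
                break
        if rejection is None:            # every element accepted: UAS answers 2xx
            interval, _ = parse_session_expires(request["Session-Expires"])
            return interval, uas_choose_refresher(request), log
        request = uac_retry_after_422(request, rejection)
    raise RuntimeError("no agreement on a session interval")


def refresh_deadlines(interval: int) -> tuple[float, float]:
    """RFC 4028 timing for an agreed interval: the refresher sends its refresh
    at half the interval; if none arrives, the other side sends BYE at
    expiration minus min(32 s, interval/3). The 408 that ends the slides'
    call flow is such a BYE reaching a UA that has already died."""
    return interval / 2, interval - min(32, interval / 3)


if __name__ == "__main__":
    # Constructed path from the slides: P1 insists on 3600 s, P2 on 4000 s,
    # Bob (the UAS) accepts anything from 90 s up.
    path = [("P1", 3600), ("P2", 4000), ("Bob", ABSOLUTE_MIN_SE)]
    print(negotiate(uac_initial_request(session_expires=90), path))
    # -> (4000, 'uac', [('P1', 3600), ('P2', 4000)])
    # Case 2: a rogue 2xx dragged the interval down to 120 s; the refresh that
    # copies it is bounced back up by the same proxies.
    print(negotiate(uac_initial_request(session_expires=120), path))
    print(refresh_deadlines(4000))       # -> (2000.0, 3968)
```

Running it reproduces the negotiation from the example call flow: 90 s is rejected by P1 (Min-SE 3600), 3600 s by P2 (Min-SE 4000), and 4000 s is accepted with Alice as refresher; a 2xx from a rogue UAS that tried to drag the interval down to 120 s is pulled back up the same way as soon as the refresh that copies it passes the proxies.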
Example Call Flow
Alice's UA proposes a 90 second interval. Proxy P1 (minimum 3600 s) and then proxy P2 (minimum 4000 s) each reject with 422, so the INVITE is sent three times before Bob accepts a 4000 second interval with Alice as refresher (refresher=uac). P1 record-routes itself so that it stays on the path and sees the refreshes. Message numbers match the slide diagram; SE = Session-Expires, MSE = Min-SE, in seconds.

(1)  Alice -> P1   INVITE  SE:90
(2)  P1 -> Alice   422 (Session Interval Too Small)  MSE:3600
(3)  Alice -> P1   ACK
(4)  Alice -> P1   INVITE  SE:3600  MSE:3600
(5)  P1 -> P2      INVITE  SE:3600  MSE:3600
(6)  P2 -> P1      422  MSE:4000
(7)  P1 -> P2      ACK
(8)  P1 -> Alice   422  MSE:4000
(9)  Alice -> P1   ACK
(10) Alice -> P1   INVITE  SE:4000  MSE:4000
(11) P1 -> P2      INVITE  SE:4000  MSE:4000
(12) P2 -> Bob     INVITE  SE:4000  MSE:4000
(13) Bob -> P2     200 OK  SE:4000
(14) P2 -> P1      200 OK  SE:4000
(15) P1 -> Alice   200 OK  SE:4000;refresher=uac
(16) Alice -> P1   ACK
(17) P1 -> Bob     ACK
(18) Alice -> P1   UPDATE  SE:4000   (session refresh, sent by the refresher)
(19) P1 -> Bob     UPDATE  SE:4000
(20) Bob -> P1     200 OK  SE:4000
(21) P1 -> Alice   200 OK  SE:4000
(22) Bob -> P1     BYE     (no further refresh arrived before the session expiration)
(23) P1 -> Alice   BYE
(24) P1 -> Bob     408 (Request Timeout): Alice no longer answers, so the session is torn down and P1 releases its state

(1) INVITE, Alice -> P1:

INVITE sips:bob@biloxi.example.com SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8
Supported: timer
Session-Expires: 90
Max-Forwards: 70
To: Bob <sips:bob@biloxi.example.com>
From: Alice <sips:alice@atlanta.example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE
Contact: <sips:alice@pc33.atlanta.example.com>
Content-Type: application/sdp
Content-Length: 142

(2) 422, P1 -> Alice (P1's minimum is 3600 s):

SIP/2.0 422 Session Interval Too Small
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8;received=192.0.2.1
Min-SE: 3600
To: Bob <sips:bob@biloxi.example.com>;tag=9a8kz
From: Alice <sips:alice@atlanta.example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314159 INVITE

(4) INVITE, Alice -> P1 (retried with P1's minimum; same Call-ID, new CSeq):

INVITE sips:bob@biloxi.example.com SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKn
Supported: timer
Session-Expires: 3600
Min-SE: 3600
Max-Forwards: 70
To: Bob <sips:bob@biloxi.example.com>
From: Alice <sips:alice@atlanta.example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314160 INVITE
Contact: <sips:alice@pc33.atlanta.example.com>
Content-Type: application/sdp
Content-Length: 142

(10) INVITE, Alice -> P1 (retried again with P2's minimum of 4000 s):

INVITE sips:bob@biloxi.example.com SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashd
Supported: timer
Session-Expires: 4000
Min-SE: 4000
Max-Forwards: 70
To: Bob <sips:bob@biloxi.example.com>
From: Alice <sips:alice@atlanta.example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314161 INVITE
Contact: <sips:alice@pc33.atlanta.example.com>
Content-Type: application/sdp
Content-Length: 142

(15) 200 OK, P1 -> Alice (Require: timer makes the timer mandatory for this dialog; refresher=uac puts Alice in charge of refreshing; the Record-Route keeps P1 on the path):

SIP/2.0 200 OK
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashd;received=192.0.2.1
Require: timer
Supported: timer
Record-Route: <sips:p1.atlanta.example.com>
Session-Expires: 4000;refresher=uac
To: Bob <sips:bob@biloxi.example.com>;tag=9as888nd
From: Alice <sips:alice@atlanta.example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314161 INVITE
Contact: <sips:bob@192.0.2.4>
Content-Type: application/sdp
Content-Length: 142

(18) UPDATE, Alice -> P1 (the session refresh; it carries the current interval and is routed through P1 because of the Record-Route):

UPDATE sips:bob@192.0.2.4 SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds12
Route: <sips:p1.atlanta.example.com>
Supported: timer
Session-Expires: 4000;refresher=uac
Max-Forwards: 70
To: Bob <sips:bob@biloxi.example.com>;tag=9as888nd
From: Alice <sips:alice@atlanta.example.com>;tag=1928301774
Call-ID: a84b4c76e66710
CSeq: 314162 UPDATE
Contact: <sips:alice@pc33.atlanta.example.com>