Addressing an Amplification Vulnerability in Session Initiation Protocol (SIP) Forking Proxies
RFC 5393

Received changes through RFC Editor sync (changed abstract to 'This document normatively updates RFC 3261, the Session Initiation Protocol (SIP), to address a security vulnerability identified in SIP proxy behavior. This vulnerability enables an attack against SIP networks where a small number of legitimate, even authorized, SIP requests can stimulate massive amounts of proxy-to-proxy traffic.

This document strengthens loop-detection requirements on SIP proxies when they fork requests (that is, forward a request to more than one destination). It also corrects and clarifies the description of the loop-detection algorithm such proxies are required to implement. Additionally, this document defines a Max-Breadth mechanism for limiting the number of concurrent branches pursued for any given request. [STANDARDS-TRACK]')

[Ballot comment]
I was a little confused by the compliance language in section 4.2.1 and 4.2.2 of this
specification.  Specifically:

In 4.2.1, the paragraph beginning with "Proxies required to perform loop-detection ..."
contains the following conformance requirement:

          "Such proxies SHOULD create a branch value separable into two parts ..."

implying that they can perform this loop detection even if they don't generate two part
branch values.

In 4.2.2, the Loop Detection Check is defined based on the presence of the second part.
This implies the statement above needs to be MUST.

I may be missing something, but I would suggest the authors review 4.2.1 and 4.2.2
to ensure that the conformance requirements are consistent.

[Ballot comment]
I was a little confused by the compliance language in section 4.2.1 and 4.2.2 of this specification.  Specifically:

In 4.2.1, the paragraph beginning with "Proxies required to perform loop-detection ..." contains the following conformance requirement:

          "Such proxies SHOULD create a branch value separable into two parts ..."

implying that they can perform this loop detection even if they don't generate two part
branch values.

In 4.2.2, the Loop Detection Check is defined based on the presence of the second part.
This implies the statement above needs to be MUST.

I may be missing something, but I would suggest the authors review 4.2.1 and 4.2.2
to ensure that the conformance requirements are consistent.

[Ballot discuss]
I would like to note up front that I support publication of this document.  I feel it is
important to publish this specification and achieve the incremental security improvements
it offers. I am not advocating any changes in the WG consensus mechanisms  - e.g., no
changes to bits on the wire - although I hope to see follow-up work in the future.

That said, I believe the document does not adequately document the limitations of the
mechanisms.  Reading this document alone, I would believe that the set of mechanisms
is a complete solution, and that further WG attention is not required.  The conversation
around Charlie Kaufman's secdir review demonstrates that is *not* the case.

In particular, the Security Considerations section is devoted primarily to four rejected
alternatives.  What is really needed here is a description of the security considerations
associated with the wg's consensus solution.  Since overload is still a distinct possibility,
the security considerations section should describe possible mitigation strategies as well.
Charlie suggested several strategies (e.g., checking parallel queries that are pending
flagging detected loops for follow-up) that might be appropriate, I'm sure the authors are
aware of mitigation strategies.

[Ballot discuss]
I have reviewed draft-ietf-sip-fork-loop-fix-07, and there's one
concern I'd like to briefly discuss before recommending approval of
the document:

It seems that proposed mechanisms don't work very well when SBCs (or
other similar B2BUAs) are present -- does this mean the "doomsday
scenario" described in Section 3 can still occur in deployments that
have SBCs? (which means most real-world deployments, right?)

IANA Last Call comments:

Action 1 (section 6.1):

Upon approval of this document, the IANA will make the following
assignmentsin the "Header Fields" registry at
http://www.iana.org/assignments/sip-parameters

Header Name compact Reference
----------------- ------- ---------
Max-Breadth [RFC-sip-fork-loop-fix-07]


Action 2 (section 6.2):

Upon approval of this document, the IANA will make the following
assignments in the "Response Codes" registry at
http://www.iana.org/assignments/sip-parameters

Response Code Reference
------------------------------------------ ---------
TBD [440] Max-Breadth Exceeded [RFC-sip-fork-loop-fix-07]

PROTO writeup for http://www.ietf.org/internet-drafts/draft-ietf-sip-fork-
loop-fix-07.txt: " Addressing an Amplification Vulnerability in
Session Initiation Protocol (SIP) Forking Proxies"

  (1.a)  Who is the Document Shepherd for this document?  Has the
          Document Shepherd personally reviewed this version of the
          document and, in particular, does he or she believe this
          version is ready for forwarding to the IESG for publication?

Keith Drage

The document has been reviewed and is ready for forwarding to IESG for
publication as a proposed standard.

  (1.b)  Has the document had adequate review both from key WG members
          and from key non-WG members?  Does the Document Shepherd have
          any concerns about the depth or breadth of the reviews that
          have been performed?

Document history:
* draft-lawrence-maxforward-problems-00 was submitted 16th October 2005
and expired 19th April 2006.
* draft-ietf-sip-fork-loop-fix-00 was submitted 1st March 2006 and
expired on 1st September 2006.
* draft-ietf-sip-fork-loop-fix-01 was submitted 4th April 2006 and
expired on 4th October 2006.
* draft-ietf-sip-fork-loop-fix-02 was submitted 27th June 2006 and
expired on 27th December 2006.
* draft-ietf-sip-fork-loop-fix-03 was submitted 7th September 2006 and
expired on 7th March 2007.
* draft-ietf-sip-fork-loop-fix-04 was submitted 21st October 2006 and
expired on 24th April 2007.
* draft-ietf-sip-fork-loop-fix-05 was submitted 7th March 2007 and
expired on 8th September 2007.
* draft-ietf-sip-fork-loop-fix-06 was submitted on 3rd November 2007 and
expired on 6th May 2008.
* draft-ietf-sip-fork-loop-fix-07 was submitted on 3rd July 2008 and
expires on 4th January 2009.

WGLC was initiated in the SIP WG on draft-ietf-sip-fork-loop-fix-01 on
10th April 2006 with comments requested by 7th May 2006.

Review was made and comments were received from: Christer Holmberg, Jonathan
Rosenberg, Vijay Gurbani, Cullen Jennings, Jeroen van Bemmel, Ravishankar
Shiroor, Dale Worley, Scott Lawrence, Samir Srivastava, Peter Cordell,
Thomas Froment, Juha Heinanen, Thomas Leseney, David Benoit, Kasturi
Narayanan, Atul Kumar Jha, Theo Zourzouvillys, Paul Kyzivat, Dean Willis,
Michael Thomas, Eric Rescorla.

Key discussion issues have been:

* Selection of a hash algorithm to be used. Section 4.2.3 of the
document indicates the results of the discussion in this area.
* Identification of a more optimal loop detection algorithm (see draft-
campen-sipping-stack-loop-detect-00) which was not proceeded with, as
it could not be shown to provide significant improvements for a
standards track solution.

Some elements of the original proposal were split out in draft-sparks-
sipping-max-breadth-00 and draft-campen-sipping-stack-loop-detect-00. There
was also further input in draft-srivastava-sipping-loop-avoidance-00. These
documents have not been proceeded with.

The -05 version of the document was submitted to IESG on 2nd April 2007, and
was returned from IESG on 13th December 2007. SecDir review of the -05
version submitted for publication uncovered a variation of the attack
described in this document that was not reasonably mitigated with loop-
detection alone. The document went back to the working group and the max-
breadth mechanism (draft-sparks-sipping-max-breadth-01), which was already
being discussed separately, was added to this document to address the
identified risk.

WGLC was initiated in the SIP WG on draft-ietf-sip-fork-loop-fix-06 on 7th
December 2007 with comments requested by 21st December 2007.

There was only one response to this WGLC and this was a late response from
Jan Kolomaznik.


  (1.c)  Does the Document Shepherd have concerns that the document
          needs more review from a particular or broader perspective,
          e.g., security, operational complexity, someone familiar with
          AAA, internationalization or XML?

The document defines mechanisms that are entirely internal to the Session
Initiation Protocol (SIP). The document shepherd considers that no external
review from an external specialist is necessary.

  (1.d)  Does the Document Shepherd have any specific concerns or
          issues with this document that the Responsible Area Director
          and/or the IESG should be aware of?  For example, perhaps he
          or she is uncomfortable with certain parts of the document, or
          has concerns whether there really is a need for it.  In any
          event, if the WG has discussed those issues and has indicated
          that it still wishes to advance the document, detail those
          concerns here.

The document provides a correction to the existing SIP protocol defined in
RFC 3261. The problem has been identified as part of the SIPit
interoperability testing. The document shepherd has no concerns with the
document.

  (1.e)  How solid is the WG consensus behind this document?  Does it
          represent the strong concurrence of a few individuals, with
          others being silent, or does the WG as a whole understand and
          agree with it?

The proposal has had wide discussion in all aspects in the WG and key be
represented as having consensus amongst all key individuals.

  (1.f)  Has anyone threatened an appeal or otherwise indicated extreme
          discontent?  If so, please summarise the areas of conflict in
          separate email messages to the Responsible Area Director.  (It
          should be in a separate email because this questionnaire is
          entered into the ID Tracker.)

None indicated.

  (1.g)  Has the Document Shepherd personally verified that the
          document satisfies all ID nits?  (See
          http://www.ietf.org/ID-Checklist.html and
          http://tools.ietf.org/tools/idnits/).  Boilerplate checks are
          not enough; this check needs to be thorough.  Has the document
          met all formal review criteria it needs to, such as the MIB
          Doctor, media type and URI type reviews?

Normally SIP documents should conform to RFC 4485. However as this document
identifies a correction to RFC 3261, it does not need to follow those
guidelines, but merely has to state the changed to RFC 3261.

There are no conformance issues with RFC 3427.

For ID-NITS the checks against idnits 2.08.10 report no NITS found.

  (1.h)  Has the document split its references into normative and
          informative?  Are there normative references to documents that
          are not ready for advancement or are otherwise in an unclear
          state?  If such normative references exist, what is the
          strategy for their completion?  Are there normative references
          that are downward references, as described in [RFC3967]?  If
          so, list these downward references to support the Area
          Director in the Last Call procedure for them [RFC3967].

The document has appropriately split its references into normative and
informative references. All the normative references are now published
standards track RFCs.

There is one informative reference (draft-ietf-sip-outbound) that is not yet
published.

  (1.i)  Has the Document Shepherd verified that the document IANA
          consideration section exists and is consistent with the body
          of the document?  If the document specifies protocol
          extensions, are reservations requested in appropriate IANA
          registries?  Are the IANA registries clearly identified?  If
          the document creates a new registry, does it define the
          proposed initial contents of the registry and an allocation
          procedure for future registrations?  Does it suggested a
          reasonable name for the new registry?  See
          [I-D.narten-iana-considerations-rfc2434bis].  If the document
          describes an Expert Review process has Shepherd conferred with
          the Responsible Area Director so that the IESG can appoint the
          needed Expert during the IESG Evaluation?

The document defines one new header field, and one new response code. The
process for adding these is defined in RFC 3427 and those requirements have
been completed with. The IANA registrations have been verified to be in
conformance with the existing IANA registries.

  (1.j)  Has the Document Shepherd verified that sections of the
          document that are written in a formal language, such as XML
          code, BNF rules, MIB definitions, etc., validate correctly in
          an automated checker?

The document defines a Max-Breadth header field, defined using ABNF. This is
trivial and has been verified to be correct by inspection only.

  (1.k)  The IESG approval announcement includes a Document
          Announcement Write-Up.  Please provide such a Document
          Announcement Writeup?  Recent examples can be found in the
          "Action" announcements for approved documents.  The approval
          announcement contains the following sections:

Technical Summary

This document normatively updates RFC 3261, the Session Initiation Protocol
(SIP), to address a security vulnerability identified in SIP proxy behavior. 
This vulnerability enables an attack against SIP networks where a small
number of legitimate, even authorized, SIP requests can stimulate massive
amounts of proxy-to-proxy traffic.

This document strengthens loop-detection requirements on SIP proxies when
they fork requests (that is, forward a request to more than one destination). 
It also corrects and clarifies the description of the loop-detection
algorithm such proxies are required to implement. Additionally, this
document defines a Max-Breadth mechanism for limiting the number of
concurrent branches pursued for any given request.

Working Group Summary

The document was produced by the SIP working group. There is consensus in
the WG to publish this document.

Document Quality

The document has been produced as a result of an issue identified during
SIPit interoperability testing.

Personnel

Keith Drage is the document shepherd for this document. Cullen Jennings is
the responsible Area Director. The IANA Expert(s) for the registries in this
document are .

PROTO Write-up

(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the
document and, in particular, does he or she believe this
version is ready for forwarding to the IESG for publication?

Keith Drage

The document has been reviewed and is ready for forwarding to IESG for
publication as a proposed standard.

(1.b) Has the document had adequate review both from key WG members
and from key non-WG members? Does the Document Shepherd have
any concerns about the depth or breadth of the reviews that
have been performed?

Document history:
* draft-lawrence-maxforward-problems-00 was submitted 16th October 2005
and expired 19th April 2006.
* draft-ietf-sip-fork-loop-fix-00 was submitted 1st March 2006 and
expired on 1st September 2006.
* draft-ietf-sip-fork-loop-fix-01 was submitted 4th April 2006 and
expired on 4th October 2006.
* draft-ietf-sip-fork-loop-fix-02 was submitted 27th June 2006 and
expired on 27th December 2006.
* draft-ietf-sip-fork-loop-fix-03 was submitted 7th September 2006 and
expired on 7th March 2007.
* draft-ietf-sip-fork-loop-fix-04 was submitted 21st October 2006 and
will expire on 24th April 2007.
* draft-ietf-sip-fork-loop-fix-05 was submitted 7th March 2007 and will
expire on 8th September 2007.

WGLC was initiated in the SIP WG on draft-ietf-sip-fork-loop-fix-01 on
10th April 2006 with comments requested by 7th May 2006.

Review was made and comments were received from: Christer Holmberg, Jonathan
Rosenberg, Vijay Gurbani, Cullen Jennings, Jeroen van Bemmel, Ravishankar
Shiroor, Dale Worley, Scott Lawrence, Samir Srivastava, Peter Cordell,
Thomas Froment, Juha Heinanen, Thomas Leseney, David Benoit, Kasturi
Narayanan, Atul Kumar Jha, Theo Zourzouvillys, Paul Kyzivat, Dean Willis,
Michael Thomas, Eric Rescorla.

Key discussion issues have been:

* Selection of a hash algorithm to be used. Section 4.2.3 of the
document indicates the results of the discussion in this area.
* Identification of a more optimal loop detection algorithm (see draft-
campen-sipping-stack-loop-detect-00) which was not proceeded with, as
it could not be shown to provide significant improvements for a
standards track solution.

Some elements of the original proposal were split out in draft-sparks-
sipping-max-breadth-00 and draft-campen-sipping-stack-loop-detect-00. There
was also further input in draft-srivastava-sipping-loop-avoidance-00. These
documents have not been proceeded with.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective,
e.g., security, operational complexity, someone familiar with
AAA, internationalization or XML?

The document defines mechanisms that are entirely internal to the Session
Initiation Protocol (SIP). The document shepherd considers that no external
review from an external specialist is necessary.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he
or she is uncomfortable with certain parts of the document, or
has concerns whether there really is a need for it. In any
event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those
concerns here.

The document provides a correction to the existing SIP protocol defined in
RFC 3261. The problem has been identified as part of the SIPit
interoperability testing. The document shepherd has no concerns with the
document.

(1.e) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with
others being silent, or does the WG as a whole understand and
agree with it?

The proposal has had wide discussion in all aspects in the WG and key be
represented as having consensus amongst all key individuals.

(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

None indicated.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See
http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/). Boilerplate checks are
not enough; this check needs to be thorough. Has the document
met all formal review criteria it needs to, such as the MIB
Doctor, media type and URI type reviews?

Normally SIP documents should conform to RFC 4485. However as this document
identifies a correction to RFC 3261, it does not need to follow those
guidelines, but merely has to state the changed to RFC 3261.

There are no conformance issues with RFC 3427.

For ID-NITS the checks against idnits 2.03.16 report no NITS found.

(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that
are not ready for advancement or are otherwise in an unclear
state? If such normative references exist, what is the
strategy for their completion? Are there normative references
that are downward references, as described in [RFC3967]? If
so, list these downward references to support the Area
Director in the Last Call procedure for them [RFC3967].

The document has appropriately split its references into normative and
informative references. All the normative references are now published
standards track RFCs.

There is one informative reference (draft-ietf-sip-outbound) that is not yet
published.

(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body
of the document? If the document specifies protocol
extensions, are reservations requested in appropriate IANA
registries? Are the IANA registries clearly identified? If
the document creates a new registry, does it define the
proposed initial contents of the registry and an allocation
procedure for future registrations? Does it suggested a
reasonable name for the new registry? See
[I-D.narten-iana-considerations-rfc2434bis]. If the document
describes an Expert Review process has Shepherd conferred with
the Responsible Area Director so that the IESG can appoint the
needed Expert during the IESG Evaluation?

There are no IANA considerations for this document, and none are needed.

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML
code, BNF rules, MIB definitions, etc., validate correctly in
an automated checker?

The document contains no entries written in formal language.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Writeup? Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary

This document normatively updates RFC 3261, the Session Initiation Protocol
(SIP), to address a security vulnerability identified in SIP proxy behavior.
This vulnerability enables an attack against SIP networks where a small
number of legitimate, even authorized, SIP requests can stimulate massive
amounts of proxy-to-proxy traffic.

This document strengthens loop-detection requirements on SIP proxies when
they fork requests (that is, forward a request to more than one destination).
It also corrects and clarifies the description of the loop-detection
algorithm such proxies are required to implement.

Working Group Summary

The document was produced by the SIP working group. There is consensus in
the WG to publish this document.

Document Quality

The document has been produced as a result of an issue identified during
SIPit interoperability testing.

Personnel

Keith Drage is the document shepherd for this document. Cullen Jennings is
the responsible Area Director.