
Impersonate who?

- Biggest difference between request and response identity is: in a transaction, a request can only come from one identity… but a response can legitimately come from tens or hundreds or thousands of entities
- Who is authorized to respond to a request?
  - The set of corresponding addresses in the location service of the target domain
  - But that is just a logical concept – a domain can populate location services arbitrarily
- So who might an impersonator impersonate?
  - The original target URI is one possibility
  - As are any translated contacts (possibly a very large set), if known by the adversary
  - But an impersonator can just “be themselves” – how would a UAC know that they aren’t authorized?
- This is our first hint that the problem is architectural