Sunday, June 28, 2009

Server Dialback


Server Dialback is an identity verification mechanism for XMPP server-to-server (s2s) communication. It is a weak verification method whose purpose is to prevent domain spoofing.

The originating server sends a dialback key when the stream is initiated, and the receiving server verifies that key with an authoritative server for the claimed domain. If the verification fails, the receiving server sends an error in the response stream and closes the underlying TCP connection.



Let's say you want to federate an XMPP server with gtalk (gtalk implements Server Dialback for verified federation).

The originating server (OS) generates the dialback key and presents it to the receiving server (RS) for validation.
  • The OS, on the domain mydomain.com, resolves the receiving server's domain name (gmail.com) to a TCP service of _xmpp-server using DNS SRV records. If there are no appropriate DNS SRV records, the OS may fall back to IPv4/IPv6 address record resolution to determine the IP and assume the standard s2s port of 5269.
  • The OS then opens a TCP connection to the resolved IP and port.
  • The OS sends an initial stream header.
  • If the receiving server can process the initial stream header successfully, it must return a response stream to the originating server on the same TCP connection.
  • If the OS can process the response stream successfully, it should generate and send a dialback key.
  • The dialback key is sent to the RS for validation.
The receiving server validates the dialback key with an authoritative server (AS) and presents the result to the originating server.
  • The RS (e.g. the gtalk server) then tries to resolve the OS's domain name (mydomain.com) to a TCP service of _xmpp-server using DNS SRV records or IPv4/IPv6 address record resolution.
  • The RS starts a TCP connection with the resolved host (authoritative server).
  • The RS sends an initial stream header.
  • If the AS can process the initial stream header successfully, it must return a response stream to the RS on the same TCP connection.
  • RS sends the dialback key received from OS to AS for validation.
  • AS validates if the key was generated from the OS's domain (mydomain.com).
  • AS then sends verified result to the RS and closes the underlying TCP connection.
  • RS then sends the result to the OS on the connection opened by OS to RS. If the result is valid, OS can start sending stanzas on the stream, else RS closes the underlying TCP connection.
This is the scenario where dialback protects against spoofing attacks:

DomainA opens a connection to DomainB pretending to be DomainC. DomainB then validates the dialback key with DomainC (the authoritative server for the claimed domain) to check whether the key really came from DomainC. This validation fails (with a proper implementation of the Server Dialback mechanism), so DomainA cannot impersonate DomainC.
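The OS/RS/AS exchange above and the DomainA-pretending-to-be-DomainC scenario, modelled as an added example (this is not code from the original post or from any XMPP server). It assumes the key recipe recommended in XEP-0220, HMAC-SHA256 keyed with SHA256 of a per-server secret over "receiving originating stream-id"; the stream id, domain names and the in-memory `dns` table standing in for SRV resolution are constructed values.

```python
import hashlib
import hmac
import secrets

def dialback_key(secret: bytes, receiving: str, originating: str, stream_id: str) -> str:
    """XEP-0220 style key: HMAC-SHA256(SHA256(secret), "receiving originating stream_id")."""
    hmac_key = hashlib.sha256(secret).digest()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(hmac_key, msg, hashlib.sha256).hexdigest()

class XmppServer:
    """Minimal model of one XMPP server that can play OS, RS and AS."""
    def __init__(self, domain: str):
        self.domain = domain
        self.secret = secrets.token_bytes(32)  # private dialback secret, never leaves this server

    # OS: build the <db:result from='claimed' to='rs' id='stream'>key</db:result> it sends to the RS
    def originate(self, receiving: str, stream_id: str, claimed_from: str = "") -> dict:
        claimed = claimed_from or self.domain  # a spoofer sets claimed_from to someone else's domain
        key = dialback_key(self.secret, receiving, claimed, stream_id)
        return {"tag": "db:result", "from": claimed, "to": receiving, "id": stream_id, "key": key}

    # AS: answer <db:verify from='rs' to='os' id='stream'>key</db:verify> by recomputing with *our* secret
    def verify(self, request: dict) -> str:
        expected = dialback_key(self.secret, request["from"], request["to"], request["id"])
        return "valid" if hmac.compare_digest(expected, request["key"]) else "invalid"

    # RS: dial back to the authoritative server of the *claimed* domain, not to the connecting peer
    def receive(self, result: dict, dns: dict) -> str:
        authoritative = dns[result["from"]]  # stands in for the SRV/A lookup of the claimed domain
        verify_req = {"tag": "db:verify", "from": self.domain, "to": result["from"],
                      "id": result["id"], "key": result["key"]}
        return authoritative.verify(verify_req)  # type='valid' or type='invalid' goes back to the OS

def run_scenario() -> tuple:
    """Honest federation mydomain.com -> gmail.com, then DomainA claiming to be DomainC."""
    mine, gtalk = XmppServer("mydomain.com"), XmppServer("gmail.com")
    dns = {"mydomain.com": mine, "gmail.com": gtalk}
    stream_id = "D60000229F"  # constructed: id the RS issued in its response stream header
    honest = gtalk.receive(mine.originate("gmail.com", stream_id), dns)

    domain_a, domain_c = XmppServer("domaina.example"), XmppServer("domainc.example")
    dns.update({"domaina.example": domain_a, "domainc.example": domain_c})
    spoof = gtalk.receive(domain_a.originate("gmail.com", stream_id, claimed_from="domainc.example"), dns)
    return honest, spoof  # ("valid", "invalid")

if __name__ == "__main__":
    print(run_scenario())
```

The spoof fails because the RS resolves and dials back to DomainC itself, and only DomainC's secret can reproduce a key for DomainC's name; note that dialback proves nothing about the peer unless the DNS answer for the claimed domain is trustworthy, which is why the post calls it weak.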