[VOIPSEC] Actual Attacks

Simon Horne security at isvo.net
Tue Feb 22 20:47:26 CST 2005 

At 03:35 AM 23/02/2005, you wrote:
>Simon - Why do say security would be less problematic with H323 than SIP?

Sorry I was speaking from a developers/Implementor point of view not from
a users prospective. Absolutely, the same issues in equal measure are
present on both.

 From a developers point of view to secure H323 would be easier than SIP
as the H323 has a rich (some say too much) array of call control mechanisms
(H225,H245) which already supports credential exchange (but are rarely 
Implemented)
All security features within the messaging are optional which means that there
is a high degree of inter operability between secure and non-secure 
Clients. If the
message is present use it if not assume non secure call. The leads to the 
ability
for secure H323 devices to exist comfortably with other non secure H323 devices
and when another secure H323 devices is encountered security associations SA
can then ensue. If voice/video/data is to be encrypted, SA is done 
previously out of
band so there is no initial "dead' spot for 'handshaking", the traffic can 
utilize
existing Firewalls, Proxies, Gatekeepers just as if were unsecured.
 From a rolling out point of view secure H323 devices can be deployed
within existing networks without having to upgrade infrastructure.
Given the pre-existing wide deployment of H323, Network Managers implementing
security can still use their existing infrastructure, extending its useful 
life considerably.

This is a problem for SIP as it doesn't have the degree of standardized 
framework.
As far as I can tell (correct me if I'm wrong) there is no current 
comprehensive standard
framework or call control mechanism to secure SIP.
Security Features available such as external IPSec or SRTP (inband SA) can 
be deployed
but there is inter operability issue with other network appliances and 
Infrastructure.
There may have to wholesale infrastructure upgrades to accommodate 
security. For Network
managers this can be a very expensive exercise and adoption could be very slow.

I hope that clears up what I meant?

Simon

More information about the Voipsec mailing list