[VOIPSEC] Actual Attacks

Geoff Devine gdevine at cedarpointcom.com
Tue Mar 1 09:29:39 CST 2005


Brian Rosen writes:

> I don't agree with your analysis of vulnerabilities in protocol design:
>> You have the IETF way where pretty much any message will get through the
>> firewall.  You have the ITU way where only messages that conform to a
>> known profile get through the firewall.

>That's simply untrue.  The specifications for each are about as exacting as
>the other with respect to "legal" messages.  They have stylistic
>differences, but in practice, the differences do not change the ability of a
>firewall to detect a "good" from a "bad" PDU.  I don't see firewalls going
>away, but I see them having less and less relevance to the actual threats.


OK.  Here's a real-world example:

In SDP in a SIP Invite message, I can embed:
X-HACKBYPASS:24.2.2.1
 
where 24.2.2.1 is my IP address.  The other endpoint can reject the Invite and bypass the service provider since they know my IP address.
 
A SIP Proxy built in the spirit of the IETF is required to pass through any SDP even if it doesn't understand it.  The ITU, where protocols are designed by service providers, wouldn't allow such a thing.  That's why 3GPP uses a Back2Back User Agent model of SIP.  You can enhance and profile an IETF protocol to give it the robustness of the typical ITU protocol but you certainly won't get there if you merely follow the normative requirements of the root RFC.  It all boils down to a difference in philosophy.  In the IETF, the network is a testbed.  In the ITU, the network and services provided by the network are a source of revenue.
 
Geoff
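
Added example, not part of the original post: a sketch of the kind of SDP profiling a B2BUA or border element could apply instead of relaying the body untouched, dropping any line that is not a known SDP line type or an allowlisted attribute. The attribute allowlist, the function name and the sample body are assumptions constructed for illustration.

```python
import re

# Line types defined for SDP by RFC 4566; anything else is outside the profile.
KNOWN_TYPES = set("vosiuepcbtrzkam")
# Assumed attribute allowlist for this example; a real profile is operator-defined.
ALLOWED_ATTRS = {"rtpmap", "fmtp", "ptime", "sendrecv",
                 "sendonly", "recvonly", "inactive"}
LINE_RE = re.compile(r"^([a-z])=(.*)$")


def profile_sdp(body, allowed_attrs=ALLOWED_ATTRS):
    """Return (kept_lines, rejected), rejected being a list of (line, reason)."""
    kept, rejected = [], []
    for line in body.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append((line, "not <type>=<value>"))
            continue
        typ, value = m.groups()
        if typ not in KNOWN_TYPES:
            rejected.append((line, "unknown line type"))
            continue
        if typ == "a" and value.split(":", 1)[0] not in allowed_attrs:
            rejected.append((line, "attribute not in profile"))
            continue
        kept.append(line)
    return kept, rejected


# Constructed sample body: a plain audio offer plus the line from the post
# and one unknown vendor attribute.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "X-HACKBYPASS:24.2.2.1",
    "a=x-vendor-ext:1",
])

if __name__ == "__main__":
    kept, rejected = profile_sdp(SAMPLE_SDP)
    for line, reason in rejected:
        print(f"dropped {line!r}: {reason}")
```

Logging the rejected lines rather than discarding them silently gives the operator a record of which endpoints are sending out-of-profile SDP.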







