[VOIPSEC] Actual Attacks

Simon Horne security at isvo.net
Wed Mar 2 10:13:02 CST 2005


I sent this direct but I thought I'd share some of it with the List.

At 08:46 PM 2/03/2005, you wrote:
>Simon
>
>I was replying to a message that claimed ITU specs were designed better than
>IETF specs, and specifically, that it was trivial to send information, such
>as an actual IP address, using the signaling between end points which the
>service provider is unaware of, using SIP, but not with ITU protocols.  The
>specific example given was:
>X-HACKBYPASS:24.2.2.1

The IETF specs do things one way; the ITU does things differently. If a developer 
decides to use ITU then they have to be aware of the issues. I really do 
thank you for pointing out the ASN holes because as a developer I want to 
make sure that holes that are there are plugged and plugged quickly. The 
open source projects are ideal for this purpose.

>The examples I gave were messages I believe most firewalls, SBCs and other
>H.323 elements would ignore if passed between two consenting end points.
>You can take OpenH323 and use it to do that.  Even in the cases
>where the current code rejects a message, the code could easily be changed
>to accept it.  As long as the carrier's network elements don't reject the
>message, you can misuse the protocol to pass information end to end.
>The firewalls, SBCs and gateways don't know that you are misusing the
>syntax.  They only can check if it's legal syntax.

I agree in part with you; however, by design H.245 messages (although 
included in H.225) are for call control and in general intermediate devices 
(if any) don't touch them, just pass them on. So the security must be done 
at the Endpoint and that is the responsibility of the developer to ensure 
these things don't happen. The choice of which standard to use (for me 
anyway) is nothing to do with which standard is better, ITU or IETF. It's 
about Business. I'm not in the US and SIP is not the major standard 
deployed. H.320, H.323 & the new H.324M are, and they all use H.245 call 
control. For interop you MUST work with it. It's just different strokes...

>What you need to do is to see if your firewalls and SBCs would not permit
>these messages to pass.  I believe all of them will allow at least a subset
>of these through.

In general they will pass straight through Gatekeepers and proxies.

>As for mudslinging, please see the original message from Geoff, but I'll
>refrain from further comment on that aspect.

Please accept my apologies as it wasn't my intention to take sides.

Simon
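
The quoted text argues that border elements only check for legal syntax, so an extension header such as X-HACKBYPASS passes untouched. As an added example that is not part of the original message or of any project named in it, here is a sketch of an allowlist audit a SIP border element could run instead; the allowlist contents, the function name and the sample INVITE are assumptions constructed for illustration.

```python
import re

# Assumed policy for this sketch: header names the border element understands.
# Compact header forms (v, f, t, ...) are left out to keep the example short.
ALLOWED = {"via", "from", "to", "call-id", "cseq", "contact", "max-forwards",
           "content-type", "content-length", "user-agent", "allow", "supported"}
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample message; only the X-HACKBYPASS line comes from the thread.
SAMPLE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.0.2.10>\r\n"
    "X-HACKBYPASS:24.2.2.1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def audit_sip_headers(raw):
    """Return (name, value, reason) for every header outside the allowlist."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    unfolded = []
    for line in head.split("\n")[1:]:          # skip the request/status line
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()  # folded continuation line
        elif line:
            unfolded.append(line)
    findings = []
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            findings.append((line, "", "malformed header line"))
            continue
        name, value = name.strip(), value.strip()
        if name.lower() in ALLOWED:
            continue
        # Syntactically legal but unknown: exactly what a syntax check lets by.
        reason = "unknown header"
        if IPV4.search(value):
            reason = "unknown header carrying an IPv4 literal"
        findings.append((name, value, reason))
    return findings

if __name__ == "__main__":
    for finding in audit_sip_headers(SAMPLE):
        print(finding)
```

Whether a flagged header is stripped, logged or causes the message to be rejected is a policy decision outside this sketch.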




