[VOIPSEC] Spoof of IP address within a (large) domain

Robert Moskowitz rgm at icsalabs.com
Wed Mar 23 13:44:49 CST 2005 

At 01:53 PM 3/23/2005, Jeffrey Skelton wrote:
>These arguments about various "rogue" (or righteous) edge extensions would
>seem to apply equally to IP address as a reliable key for location lookup or
>location information pushed from a DHCP server.

Exactly.  There can be no trust in device location from a third 
party.  Only the device can 'speak for itself'.

I could go on with other ways the device is not where the visible IP 
address seems to be.  All perfectly legit (like my use of SSH tunneling 
when I am on the road).

>Don't methods claim that something other than the actual edge node knows
>what the physical location of that edge node is?

A tunneling protocol and an application proxy has the knowledge of the IP 
address of the its endpoint.  Hopefully we are dealing with only one hop, 
but we are not (consider remote tunnel then an application proxy).

There is no standard way to make that information available.

Anyone that really wants to know where a device is should look at the work 
being done in IEEE 802.11p.  They are addressing this the 'right way'.  It 
is all about vehicle safety for them.  One of their goals in anonymity, 
thus 'you don't know who I am, or probably care, but I am at GPS .... and 
doing ..... (160' (your car figures out that is 8 cars) ahead of you, 
moving at 80mph, and slamming on my brakes for maximum deceleration).  Law 
inforcement does NOT want to know which car did this.  The safety value 
outweighs any law enforcement value.  But we also have to kick a car out of 
the system that has been determined to 'lie'.





>On 3/22/05 3:12 PM, "Robert Moskowitz" <rgm at icsalabs.com> wrote:
>
> > At 04:22 PM 3/17/2005, Brian Rosen wrote:
> >> Now it's my turn to "ask the experts".
> >>
> >>
> >>
> >> I have someone proposing a solution to a large problem of "where are 
> you?";
> >> that is, finding your own location.
> >>
> >> It's for 9-1-1, and we have one mechanism, DHCP, that we are pretty happy
> >> with; you can spoof within your subnet, but that's about it, and location
> >> doesn't vary much within the subnet.
> >
> > I've read through all the comments here and see that a couple of items have
> > not been covered that using IP addresses as a physical locator is a total
> > waste of time.  Well not total yet, but getting there.
> >
> > First as two subnets.
> >
> > With developments in bridging equipment over the past 5 years or so, many
> > places are running flat networks.  My colleague in 802.1 from Enterasys
> > said that they have one university running flat with 100,000 devices.  You
> > know the IP address is somewhere, but no more than that.  MAC address is a
> > better indicator.
> >
> > But more likely than that are technologies like MobileIP.
> >
> > I could be running my home agent on my DSL line and be anywhere in the
> > world, thanks to IPnIP (protocol 9, as I recall).  I could be running the
> > call over an ESP tunnel with the same results.  The IP address does not
> > locate the device within the Internet.
> >
> > Of course HIP does this the right way.  The IP address stays where it
> > belongs and the system stack moves around the internet.  But then HIP is
> > only beginnig to get attention eventhough I wrote the first paper on it in
> > Jan '99...
> >
> > The one example of a Asterisk server is another way that IP address seen is
> > not the IP address of the device.
> >
> > Finally, how does the DSL provider really know which house that call came
> > from?  What if the homeowner is providing wireless services via an 802.11
> > network to the neighbors?  (or the neighbor just lunching off an open
> > network...).
> >
> > You want reliable locator, put digital certs from the vendor and GPS
> > hardware to deliver authenticated location information.  Look at what
> > 802.11p is facing for authenticating car locations (and they are tackling
> > anonymity).
> >
> >
> >
> >
> >
> > Robert Moskowitz
> > Senior Technical Director
> > ICSA Labs, a division of Cybertrust, Inc.
> > W:      248-968-9809
> > F:      248-968-2824
> > E:      rgm at icsalabs.com
> >
> > There's no limit to what can be accomplished
> > if it doesn't matter who gets the credit
> >
> >
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W:      248-968-9809
F:      248-968-2824
E:      rgm at icsalabs.com

There's no limit to what can be accomplished
if it doesn't matter who gets the credit

More information about the Voipsec mailing list