[VOIPSEC] Spoof of IP address within a (large) domain

Paine, Richard H richard.h.paine at boeing.com
Wed Mar 23 16:00:33 CST 2005 

Interestingly enough, IEEE 802.11k recently added location as a
measurement and the device does "speak for itself". Only the STA
divulges its location. 

Also, in the Secure Mobile Architecture (SMA), the location is the added
element that contributes the "where" to the "what".   The SMA also uses
Bob Moskowitz's Host Identity Prototcol (HIP) that doesn't use IP or MAC
addresses to do security, but uses a namespace under which the IP
address can change during mobility events. 

Richard H. Paine
Success is getting what you want, happiness is liking what you get!
Cell:  206-854-8199
IPPhone:  425-373-8964
Email:  richard.h.paine at boeing.com 




-----Original Message-----
From: Robert Moskowitz [mailto:rgm at icsalabs.com] 
Sent: Wednesday, March 23, 2005 11:45 AM
To: Jeffrey Skelton; Brian Rosen; VoipSec
Subject: Re: [VOIPSEC] Spoof of IP address within a (large) domain

At 01:53 PM 3/23/2005, Jeffrey Skelton wrote:
>These arguments about various "rogue" (or righteous) edge extensions 
>would seem to apply equally to IP address as a reliable key for 
>location lookup or location information pushed from a DHCP server.

Exactly.  There can be no trust in device location from a third party.
Only the device can 'speak for itself'.

I could go on with other ways the device is not where the visible IP
address seems to be.  All perfectly legit (like my use of SSH tunneling
when I am on the road).

>Don't methods claim that something other than the actual edge node 
>knows what the physical location of that edge node is?

A tunneling protocol and an application proxy has the knowledge of the
IP address of the its endpoint.  Hopefully we are dealing with only one
hop, but we are not (consider remote tunnel then an application proxy).

There is no standard way to make that information available.

Anyone that really wants to know where a device is should look at the
work being done in IEEE 802.11p.  They are addressing this the 'right
way'.  It is all about vehicle safety for them.  One of their goals in
anonymity, thus 'you don't know who I am, or probably care, but I am at
GPS .... and doing ..... (160' (your car figures out that is 8 cars)
ahead of you, moving at 80mph, and slamming on my brakes for maximum
deceleration).  Law inforcement does NOT want to know which car did
this.  The safety value outweighs any law enforcement value.  But we
also have to kick a car out of the system that has been determined to
'lie'.





>On 3/22/05 3:12 PM, "Robert Moskowitz" <rgm at icsalabs.com> wrote:
>
> > At 04:22 PM 3/17/2005, Brian Rosen wrote:
> >> Now it's my turn to "ask the experts".
> >>
> >>
> >>
> >> I have someone proposing a solution to a large problem of "where 
> >> are
> you?";
> >> that is, finding your own location.
> >>
> >> It's for 9-1-1, and we have one mechanism, DHCP, that we are pretty

> >> happy with; you can spoof within your subnet, but that's about it, 
> >> and location doesn't vary much within the subnet.
> >
> > I've read through all the comments here and see that a couple of 
> > items have not been covered that using IP addresses as a physical 
> > locator is a total waste of time.  Well not total yet, but getting
there.
> >
> > First as two subnets.
> >
> > With developments in bridging equipment over the past 5 years or so,

> > many places are running flat networks.  My colleague in 802.1 from 
> > Enterasys said that they have one university running flat with 
> > 100,000 devices.  You know the IP address is somewhere, but no more 
> > than that.  MAC address is a better indicator.
> >
> > But more likely than that are technologies like MobileIP.
> >
> > I could be running my home agent on my DSL line and be anywhere in 
> > the world, thanks to IPnIP (protocol 9, as I recall).  I could be 
> > running the call over an ESP tunnel with the same results.  The IP 
> > address does not locate the device within the Internet.
> >
> > Of course HIP does this the right way.  The IP address stays where 
> > it belongs and the system stack moves around the internet.  But then

> > HIP is only beginnig to get attention eventhough I wrote the first 
> > paper on it in Jan '99...
> >
> > The one example of a Asterisk server is another way that IP address 
> > seen is not the IP address of the device.
> >
> > Finally, how does the DSL provider really know which house that call

> > came from?  What if the homeowner is providing wireless services via

> > an 802.11 network to the neighbors?  (or the neighbor just lunching 
> > off an open network...).
> >
> > You want reliable locator, put digital certs from the vendor and GPS

> > hardware to deliver authenticated location information.  Look at 
> > what 802.11p is facing for authenticating car locations (and they 
> > are tackling anonymity).
> >
> >
> >
> >
> >
> > Robert Moskowitz
> > Senior Technical Director
> > ICSA Labs, a division of Cybertrust, Inc.
> > W:      248-968-9809
> > F:      248-968-2824
> > E:      rgm at icsalabs.com
> >
> > There's no limit to what can be accomplished if it doesn't matter 
> > who gets the credit
> >
> >
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W:      248-968-9809
F:      248-968-2824
E:      rgm at icsalabs.com

There's no limit to what can be accomplished if it doesn't matter who
gets the credit



_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

More information about the Voipsec mailing list