[VOIPSEC] Spoof of IP address within a (large) domain

Daniel-Constantin Mierla daniel at voice-system.ro
Tue Apr 4 09:41:39 CDT 2006


Hello,

On 04/04/06 14:54, Diana Cionoiu wrote:
> Hello Dan,
>
> It requires a special device as far as I remember.
>   
If the DSL modem/router is a Linux/Unix box, then you can just use 
iptables to rewrite the source address to whatever you want. But when 
doing so, the call cannot be established; the replies will not reach the 
caller (they should be sent back to the source IP of the request, 
RFC 3581). IP spoofing could be used for DoS attacks, not for making 
"anonymous" calls. Since DSL creates a point-to-point tunnel and assigns 
the address for the remote end, the provider can detect IP spoofing 
pretty easily, but I am not sure that all of them are doing so.

Back to the initial problem: using the IP address as a key for user 
location might be a solution for wired networks, but with upcoming 
long-range wireless technologies it might be quite impossible to detect 
a useful geographic position without other details or user interaction 
(users should be warned about the migration and its implications in 
wireless networks).

In a DSL network, the IP address is enough -- the 911 service has to 
access the database of the DSL provider to get the location of a certain IP.

Daniel

> Diana
>
> P.S. It is nice to see so many Romanians on this list. :)
>
> Romascanu, Dan (Dan) wrote:
>
>   
>> Diana,
>>
>> If I understand well, the threat is on the confidentiality of the
>> location information. So, when you say 'is possible .... but the
>> procedure is so complicated' do you mean software intensive, or some
>> special device, or what? 
>>
>> Thanks and Regards,
>>
>> Dan
>>
>>> -----Original Message-----
>>> From: Voipsec-bounces at voipsa.org 
>>> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Diana Cionoiu
>>> Sent: Tuesday, April 04, 2006 2:36 PM
>>> To: Brian Rosen
>>> Cc: voipsec at voipsa.org
>>> Subject: Re: [VOIPSEC] Spoof of IP address within a (large) domain
>>>
>>> Hello Brian,
>>>
>>> It is possible to spoof inside a DSL network the IP address but 
>>> the procedure is so complicated that it isn't worth the trouble 
>>> just to not show the right address for 911.
>>>
>>> Diana
>>>
>>> Brian Rosen wrote:
>>>
>>>> Now it's my turn to "ask the experts".
>>>>
>>>> I have someone proposing a solution to a large problem of "where are 
>>>> you?"; that is, finding your own location.
>>>>
>>>> It's for 9-1-1, and we have one mechanism, DHCP, that we are pretty 
>>>> happy with; you can spoof within your subnet, but that's about it, and 
>>>> location doesn't vary much within the subnet.
>>>>
>>>> For various reasons, there are folks who don't like that idea and are 
>>>> pushing another.  They want a server in the domain to return your address 
>>>> when asked.  They propose to use your IP address as the key to who "you" is.
>>>>
>>>> Just for the moment, ignore the issues of what the protocol is and what 
>>>> its security characteristics are.  They say that within their network 
>>>> (think a big DSL network), you cannot spoof IP addresses.
>>>>
>>>> I was pretty taken aback by that.  I thought it was pretty easy to 
>>>> spoof.  I understand that they have the DSL modems pretty wired down 
>>>> (they won't let you spoof an address coming from the DSL modem; they 
>>>> know what IP address it should be), but I thought there were other ways 
>>>> to spoof.
>>>>
>>>> So that's my question: is IP address good enough, or are they just 
>>>> delusional that they can prevent spoofing within the domain?
>>>>
>>>> Brian
>>>>
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>   
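
The provider-side check described in the reply above, as an added example that is not part of the original message: each DSL session is a point-to-point link whose address the provider assigned, so the access side can compare every packet's source with that assignment, and a 911 location lookup keyed on IP is only meaningful for traffic that passes the check. Session IDs, record fields, street locations and addresses (documentation range) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    session_id: str        # point-to-point session on the provider's access side
    assigned_ip: str       # address the provider handed to the remote end
    start: int             # session start (epoch seconds)
    end: Optional[int]     # None while the session is still up
    line_location: str     # where the physical DSL line terminates

# Constructed provider records.
SESSIONS = [
    Session("ppp-0007", "192.0.2.10", 1000, 2000, "12 Elm St"),
    Session("ppp-0031", "192.0.2.10", 2100, None, "48 Oak Ave"),  # address reused later
    Session("ppp-0044", "192.0.2.77", 1500, None, "3 Mill Rd"),
]

# Constructed observations: (time, session the packet arrived on, source IP).
PACKETS = [
    (1600, "ppp-0044", "192.0.2.77"),  # matches the assignment
    (1700, "ppp-0044", "192.0.2.10"),  # source rewritten on the customer side
    (2500, "ppp-0031", "192.0.2.10"),  # matches the assignment
]

def active(s, t):
    """True if session s was up at time t."""
    return s.start <= t and (s.end is None or t < s.end)

def spoofed_packets(packets, sessions):
    """Packets whose source differs from the address assigned to their session."""
    by_id = {s.session_id: s for s in sessions}
    flagged = []
    for t, sid, src in packets:
        s = by_id.get(sid)
        ok = (s is not None and active(s, t)
              and ipaddress.ip_address(src) == ipaddress.ip_address(s.assigned_ip))
        if not ok:
            flagged.append((t, sid, src))
    return flagged

def locate(ip, t, sessions):
    """Line location holding `ip` at time `t`; None if no single session matches."""
    hits = [s for s in sessions if s.assigned_ip == ip and active(s, t)]
    return hits[0].line_location if len(hits) == 1 else None
```

Without the per-session check, the packet seen at time 1700 would resolve to "12 Elm St" although it arrived on the line at "3 Mill Rd"; the lookup also has to be time-bounded because the same address is later assigned to a different line.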



