[VOIPSEC] VPNs and VoIP (was: Re: VoIP Attack : How feasible)
Volker Tanger
vtlists at wyae.de
Fri Jul 28 19:16:17 CDT 2006
Good evening!
On Fri, 28 Jul 2006 17:50:14 -0400
"Michael Slavitch" <slavitch at gmail.com> wrote:
> IPSec deployments are dwarfed by PPTP implementations
Sources? I've yet to see one PPTP implementation in real use (over here
in Germany). I have heard of people using PPTP as a way to do NAT-T for
IPSec-VPNs, but most either use net2net IPSec VPN, proprietary
UDP-encapsulated IPSec VPN clients for road warriors (Cisco, CheckPoint,
Nortel) or (a small but rising percentage) OpenVPN for both.
> Windows credentials to authenticate at the "layer-2" level, largely
> based on a locally-generated cert.
PPTP either just is password(MSCHAPv2)-based or on EAP-TLS certificates
generated on the AD-Server - so nothing with "locally-generated". The
user-certificates have to be individually distributed, losing the
"signon-from-any*" capacity that usually comes with SSO.
What a pity.
> Single login / single signon / single identity isn't just a matter of
> convenience, it's a matter of correct architecture.
...or in this case just monopoly.
but now: Back to VoIP attacks!
VPN is just a workaround for securing VoIP connections as audio streams
and control channels were - disputably - designed to be independent of
each other within "the usual suspects" SIP and H.323, bringing all kinds
of problems when introducing encryption: encrypt SIP end2end (or at
least: client2registrar e.g. by plainly using an SSL wrapper) and you
lose firewall inspection for RTP port openings. SIP basically is a
non-authorized/-verified protocol, so forging connection data (e.g.
Caller-ID) is as easy as with SMTP.
VPNs are workarounds to bring the SIP/H.323 protocols back into a
protected/friendly network where you hope such forgings will not happen.
Looking at other protocols:
IAX/IAX2 and XARSIM both only use one single data stream for
control channel and up-/downstream audio, making the protocols much
easier to NAT. Skype seems to be similar.
IAX (the Asterisk protocol) is designed to work client-server and
server-server, is offering (static key) encryption (currently in
alpha-stage) within the protocol, but lacking the nice decentralization
of audio/video traffic - here all goes through the server, which can
become a capacity problem for larger installations.
In contrast to that XARSIM is working heavily decentralized and has
reduced the "server" down to a simple lookup/YP function. It offers a
simple yet effective Caller-ID authentication, end2end encryption and
traffic decentralization - but just is starting to produce the first
code.
Skype is - just proprietary. Works fine through NAT, but
every other detail is off-limits. Server software is not available.
The field still is wide open.
Let the competition begin.
May the best protocol win.
;-)
Volker
--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists at wyae.de PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB
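The point above about encrypting SIP and losing firewall inspection of RTP port openings can be shown with a few lines of code. The following is an added example, not code from the original post or from any of the projects named in it: it mimics the part of a SIP-aware firewall that reads the SDP body of an INVITE to learn which address and UDP port the audio stream will use (the "pinhole" it has to open). The sample INVITE, its addresses and ports, and the opaque byte string standing in for a TLS-wrapped message are all constructed for this illustration. Once the SIP channel is encrypted end to end or client-to-registrar, the same inspection code sees only ciphertext and can no longer derive the RTP port, which is exactly why the post describes VPNs as a workaround rather than a solution.

```python
from typing import Optional, Tuple

# Constructed SDP body (RFC 4566 style). The c= line names the media
# address, the m= line the UDP port the RTP audio will arrive on.
SDP_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed plaintext SIP INVITE carrying the SDP body above.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_BODY.encode('ascii'))}\r\n"
    "\r\n" + SDP_BODY
)

# Constructed stand-in for the same INVITE sent over TLS: a TLS record
# header followed by bytes that are not printable ASCII. A real
# ciphertext would look just as opaque to the firewall.
OPAQUE_TLS_RECORD = b"\x16\x03\x03\x00\x40" + bytes(range(0x80, 0xC0))


def rtp_pinhole(raw: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, udp_port) that a SIP-aware firewall would open for the
    audio stream announced in a SIP message, or None when the message
    cannot be inspected (no SDP body, malformed, or encrypted)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        # Ciphertext (or any non-ASCII payload): nothing to inspect.
        return None

    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        return None  # no header/body boundary, not a complete SIP message

    # Accept only a SIP request or status line as the first line.
    start_line = head.split("\r\n", 1)[0]
    if not (start_line.endswith(" SIP/2.0") or start_line.startswith("SIP/2.0 ")):
        return None
    if "application/sdp" not in head.lower():
        return None  # no SDP body, so no media port to learn

    conn_ip = None
    audio_port = None
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            conn_ip = line.split()[2]
        elif line.startswith("m=audio "):
            fields = line.split()
            if len(fields) >= 3 and fields[1].isdigit() and fields[2].startswith("RTP/"):
                audio_port = int(fields[1])

    if conn_ip is None or audio_port is None:
        return None
    return conn_ip, audio_port


if __name__ == "__main__":
    print("plaintext SIP :", rtp_pinhole(SAMPLE_INVITE.encode("ascii")))
    print("TLS-wrapped   :", rtp_pinhole(OPAQUE_TLS_RECORD))
```

Run as is, the first call yields the address and port the firewall can pinhole; the second yields `None`, which is the situation the post describes: either the firewall opens the RTP range blindly, or the SIP channel is moved into a VPN where the firewall is no longer expected to inspect it at all.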