[VOIPSEC] Put STUN in NAT Boxes?
Ari Takanen
voipsa at codenomicon.com
Wed Jul 4 01:51:55 CDT 2007
Hello all,
On Sat, 30 Jun 2007 00:03:18 +0800, Simon Horne wrote:
> Although I think it has good merit for SIP. But while over 190
> million people use SKYPE which doesn't seem to have any need for
> special routers......you get what I mean.
You have to remember that, when Skype is behind a strong NAT, Skype
probably routes ALL packets (including voice) through a third party
with a public IP address (i.e. the public routers do exist). You cannot
do that with VoIP that is based on open standards, at least not
without a very strong encryption scheme. And that would require an
operational PKI (which will not happen any time soon). Or a closed
protocol that people have chosen to trust, due to security through
obscurity.
I know all of you should know this, but I just want to remind you again. A
solid NAT/FW should not allow a third party to open connections
between other third-party computers without strong authentication of
all parties. It is not enough to just claim on the packet level that
"it's me and you can trust me, this will be SIPS and SRTP traffic
only, and you can trust these two guys". Anyone can fake such
requests, meaning an attacker can fake all this also. If there is some
vague anonymous "authentication", the attacker will perform such
authentication also. It cannot be ad hoc.
A firewall should not trust an unknown third party to come and tell it
to trust some specific traffic. If that happens, we can forget about
perimeter defences. They would not have any functionality
anymore. Combine SIP with such NAT/FW traversal, and add P2P and you
can sell your firewalls away as useless (well that is nothing new, is
it). Anyone can connect with anyone, or open up any ports for any two
other independent parties... A difficult equation...
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen, Codenomicon Ltd.
ari.takanen at codenomicon.com
tel: +358-40 50 67678
http://www.codenomicon.com
Tutkijantie 4E, FIN-90570 Oulu, Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
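The firewall trust model Ari argues for, as an added example that is not part of the original post or any Codenomicon code: a toy NAT/firewall pinhole controller run under two policies. The "ad-hoc" policy believes any request that merely claims to describe SIPS/SRTP traffic; the "authenticated" policy honours only requests carrying a valid HMAC from one provisioned controller and naming an inside host the firewall actually protects. The pre-shared key, the host addresses (RFC 5737 documentation ranges) and the request format are all constructed for the demo; the HMAC stands in for whatever strong authentication (the post mentions PKI) a real deployment would use.

```python
import hashlib
import hmac
import json

# Hypothetical pre-shared key between the firewall and its one trusted
# signalling controller. Constructed for this demo; a real deployment would
# use PKI-backed credentials, which the post notes are not widely available.
CONTROLLER_KEY = b"constructed-demo-controller-key"

# Inside addresses this firewall is responsible for (documentation range).
INSIDE_HOSTS = {"192.0.2.10", "192.0.2.11"}


def _canonical(req: dict) -> bytes:
    """Stable serialisation so the authenticator covers every field."""
    return json.dumps(req, sort_keys=True, separators=(",", ":")).encode()


def sign_request(req: dict, key: bytes) -> str:
    """Authenticator the trusted controller attaches to a pinhole request."""
    return hmac.new(key, _canonical(req), hashlib.sha256).hexdigest()


class PinholeFirewall:
    """NAT/firewall that opens UDP pinholes on request.

    require_auth=False models the ad-hoc scheme criticised in the post: any
    packet that claims to describe legitimate SIPS/SRTP traffic is believed.
    require_auth=True models the alternative: only requests that verify
    under the provisioned controller key, and that name an inside host this
    firewall protects, are honoured.
    """

    def __init__(self, require_auth: bool):
        self.require_auth = require_auth
        self.pinholes = set()
        self.log = []

    def request_pinhole(self, req: dict, tag=None) -> bool:
        """tag is the hex HMAC sent with the request, or None if absent."""
        if self.require_auth:
            if tag is None or not hmac.compare_digest(
                tag, sign_request(req, CONTROLLER_KEY)
            ):
                self.log.append(("REJECT", "missing or invalid authenticator"))
                return False
            if req["inside"] not in INSIDE_HOSTS:
                self.log.append(("REJECT", "inside host is not protected here"))
                return False
        self.pinholes.add(
            (req["inside"], req["inside_port"], req["remote"], req["remote_port"])
        )
        self.log.append(("ALLOW", f'{req["inside"]}:{req["inside_port"]}'))
        return True


def run_scenarios() -> dict:
    """Feed the same three constructed requests to both policies."""
    # Legitimate request produced by the trusted controller.
    genuine = {"inside": "192.0.2.10", "inside_port": 20000,
               "remote": "198.51.100.7", "remote_port": 20000,
               "claim": "SIPS+SRTP only"}
    genuine_tag = sign_request(genuine, CONTROLLER_KEY)

    # Same wording with nothing behind it: the "it's me, trust me" packet the
    # post describes, naming two hosts this firewall has no relationship with.
    unauthenticated = {"inside": "203.0.113.5", "inside_port": 40000,
                       "remote": "198.51.100.9", "remote_port": 40000,
                       "claim": "SIPS+SRTP only"}

    # Genuine request whose remote port was changed after it was signed.
    tampered = dict(genuine, remote_port=53)

    results = {}
    for name, fw in (("ad_hoc", PinholeFirewall(False)),
                     ("authenticated", PinholeFirewall(True))):
        results[name] = {
            "genuine": fw.request_pinhole(genuine, genuine_tag),
            "unauthenticated": fw.request_pinhole(unauthenticated, None),
            "tampered": fw.request_pinhole(tampered, genuine_tag),
            "open_pinholes": len(fw.pinholes),
        }
    return results


if __name__ == "__main__":
    for policy, outcome in run_scenarios().items():
        print(policy, outcome)
```

Under the ad-hoc policy all three requests open a pinhole, which is the post's point: a firewall that acts on unauthenticated claims has no perimeter left. Under the authenticated policy only the controller-signed, in-scope request succeeds; the unsigned one and the altered one are both logged and refused, and the scope check means even a valid controller cannot be used to open holes toward hosts the firewall does not own.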