Voice of VOIPSA

As we’ve discussed both here and on Blue Box, the issue of securing the keys for Secure RTP is one of the remaining challenges to have secure voice transmission in the open standards world of SIP. Out of the large number of proposals to secure the key exchange, “DTLS” emerged as the choice of the IETF… but it still had the issue that an endpoint needed to be sure of the authenticity of the other endpoint’s certificate. SIP Identity (RFC 4474) and a draft “Identity-Media” from Dan Wing addressed the authenticity issue but broke in some common network configurations. Now Kai Fisher has put out an Internet Draft called “End-to-End Security for DTLS-SRTP” that proposes a mechanism to address that. In the post to the SIP mailing list, Kai explains the motivation:

I have submitted a draft proposing a solution to secure a DTLS-SRTP handshake and hence SRTP end-to-end (in terms of end-domain to end-domain). As discussed during the last IETF meetings and analyzed by Dan’s Identity-Media draft, current solutions like SIP Identity do not protect the authenticity of the fingerprint end-to-end in certain inter-domain scenarios. For example, a modification of SDP m-/c-lines or the From header field by intermediaries breaks the SIP-Identity or Identity-Media signature and causes a re-signing by a domain different to the originating one. The draft proposes a solution for such scenarios without the need to re-sign during domain traversal and which preserves the original identity information.

The abstract to the draft provides more info:

The end-to-end security properties of DTLS-SRTP depend on the authenticity of the certificate fingerprint exchanged in the signalling channel. In current approaches the authenticity is protected by SIP-Identity or SIP-Identity-Media. These types of signatures are broken if intermediaries like Session Border Controllers in other domains change specific information of the SIP header or the SIP body. The end-to-end security property between the originating and terminating domain is lost if these intermediaries re-sign the SIP message and create a new identity signature using their own domain credentials.

This document defines a new signature type ‘Fingerprint-Identity’ which is exchanged in the signalling channel. Fingerprint-Identity covers only those elements of a SIP message necessary to authenticate the certificate fingerprint and to secure media end-to-end. It is independent from SIP-Identity and SIP-Identity-Media and can be applied in parallel to them.

More details can, of course, be found in the draft. As noted in the post to the SIP mailing list, Kai is looking for feedback. This is an important issue to get done - and to get done correctly - so we strongly urge people to take a look at the document and provide feedback if you see ways the proposal can be improved.

Technorati Tags:
SIP, SRTP, IETF, standards, sip security, voip security, security, DTLS

If you are using Skype on Windows, today would be a good day to upgrade! As noted in their release notice, this new version 3.6.0.248 includes a fix to the cross-site scripting vulnerability, along with a wide range of other fixes.

Technorati Tags:
skype, skype security, security

UPDATE: The RUCUS mailing list is now open for subscription.

Want to get together with others and discuss in further detail what we can do about Spam for Internet Telephony (SPIT)? A new session has been approved for the IETF 71 meeting coming up in Philadelphia in March called “Reducing Unwanted Communications using SIP” a.k.a. “RUCUS” (Hey, it’s not a real IETF group until it has a cute acronym!) Hannes Tschofenig, who submitted the proposal, has created a RUCUS web page and is looking for feedback. The page says in part:

The topic of dealing with unwanted traffic in SIP has surfaced several times in the IETF in the context of preventing Spam for Internet telephony. Previous attempts to have a structured discussion about this topic have (among other reasons) failed due to the strong focus on selected solution approaches.

Prior work in SIP on identity management has an important role in this activity since a strong identity mechanism in SIP has been seen as a prerequisity for establishing authorization policies. Hence, the “Discussion and Analysis of SIP Identity” (DASI) BoF is relevant for this event. Even though there is no direct dependency between the two activities the number of interested participants will quite likely overlap.

This BoF focuses on the discussion of architectural aspects. The underlying theme is that the work on building blocks is more fruitful once the larger framework is understood. A number of solutions components have been submitted to the IETF, have been published in the academic literature and found their way into other standardization bodies. Reduce unwanted communication requires authorization decisions to be made. These decisions can be made based on individual sessions but also on the interaction at a higher granularity (e.g., the interaction with a specific VoIP provider network). Examples of questions with relevance for an architecture might be:

- Where does information for decision making come from?

- What are useful information items for decision making?

- Where are policy decision points located? What about the placement of
policy enforcement points?

- Are privacy aspects to consider with the exchange of information?

- How does the underlying trust model look like?

- What assumptions are certain mechanisms based on?

- Can individual proposals be combined in a reasonable way?
etc.

It is not the aim of the BoF to discuss specific solution approaches since it is likely that multiple techniques have to be used in concert.

If you are attending IETF 71 in Philadelphia in March, do plan on joining in the RUCUS! (I’ll be there.)

Technorati Tags:
rucus, spit, spam, voice spam, voip, voip security, security, ietf, standards

Over on his new No Jitter blog, Eric Krapf notes in his SIP Security post that at VoiceCon Orlando they will be running a SIP security talk again:

“As SIP continues to seep into the mainstream, more attention is being paid to security issues, especially in public IP networks/the Internet. At VoiceCon Orlando in March, we’re bringing back Cullen Jennings and Eric Rescorla to once again give their ‘SIP Security’ tutorial, which offers enterprises a jump on many of the key issues.”

Long-time readers will remember that I wrote about Cullen & Eric’s appearance at VoiceCon San Francisco back in August and I am glad to see they’ll be back again in Orlando. Since I’ll be down there at VoiceCon Orlando, I’ll look forward to seeing them both again (and yes, I’ll probably sit in their presentation again :-).

Eric also reviews a couple of the ETSI security presentations I recently mentioned, giving a better glimpse than I did here!

Technorati Tags:
cullen jennings, eric rescorla, sip, security, sip security, voip, voip security

Previously I mentioned that Hannes Tschofenig had a presentation up about SIP security that he gave at the ETSI Security Workshop early this month. We were contacted by folks at ETSI to let us know that all the workshop presentations are now available online. I haven’t looked through them yet, but the workshop agenda looked good to I am looking forward to checking these presos out. Thanks to ETSI for making them publicly available.

Technorati Tags:
sip, etsi, standards, security, voip security

After I pointed out that I’ll be speaking next week at Internet Telephony Expoin Miami, I realized that I should have also pointed out that there is are other talks about VoIP security (in order of the schedule):

• Security Challenges in the Enterprise with representatives of Foundry, Sipera Systems, Juniper Networks
• Security Today’s Networks with representatives of EMBARQ, NextPoint Networks and Integrated Customer Solutions
• Understanding SIP Security with representatives of Sipera Systems, AudioCodes and Inter-Tel/Mitel

I’ll probably only be able to get to the last one but will try to post a report here (and perhaps record it if I get appropriate permissions).

(If anyone attends either of the first two talks and would like to provide a brief writeup for this blog about what was discussed, we’d be glad to post it.)

Technorati Tags:
conferences, itexpo, internettelephonyexpo, voip, voip security, security

If any of you will be in Miami next week for Internet Telephony Expo, I will be speaking on VOIPSA’s behalf at Ingate’s SIP Trunking Seminar Series held in conjunction with IT Expo. Predictably, my session from 8:30-9:45am on Thursday, January 24th is titled “Seminar/myth 1: VoIP is not secure“. Should be fun.

If you are going to be down at IT Expo, do check out the full schedule for Ingate’s SIP Trunking Seminar Series. They have a good range of speakers and the seminars are free.

If any of you are attending either IT Expo or the SIP Trunking Seminar Series, please do drop a note as I’m always interested in meeting readers.

Technorati Tags:
sip, sip trunking, ingate, itexpo, conferences

Back at the end of September, I gave a presentation down at Astricon 2007 called “Hacking and Attacking VoIP Systems: What you need to know” which talked generically about VoIP security and then got into some specific suggestions for securing Asterisk (which I posted on this blog). A number of folks have asked for the slides… and so here they are:

| View | Upload your own

If you’ve seen other presentations I’ve given, it’s a fairly typical presentation of mine with the addition of Asterisk-specific information toward the end.

Comments are, of course, welcome.

P.S. And yes, there is an audio recording of this presentation which I will, eventually, get up as a Blue Box podcast.

Technorati Tags:
asterisk, security, voip, voip security, voipsa, conferences, astricon

Within the IETF there’s been a bit of discussion in the past months
about voice spam/SPIT and just recently RFC 5039 from Jonathan
Rosenberg and Cullen Jennings was published that specifically
addresses the issue of SIP and Spam.

The RFC is an excellent summary of the current thinking about the
SPIT problem and potential solutions to address it. If you haven’t
read the document, I would *highly* recommend it.

A concern I had, though, was that it did not appear to me that
existing documents address the issue of what SPIT could look like at
a network level. For instance, if a network administrator monitoring
network traffic suddenly saw a large flood of SIP INVITE packets
coming into his/her network, it could be:

1. a telemarketer/spammer launching a flood of SIP connections to
deliver SPIT;
2. an attacker launching a DoS attack through one of the various SIP
attack tools out there; or
3. a legitimate notification system starting to notify a range of SIP
endpoints.

I could very easily see existing network tools that look at traffic
and perform anomaly detection (and potentially source suppression)
being modified to suppress large flows of SIP traffic. This last case
of legitimate traffic concerned me and so I put together an Internet-
Draft talking about the types of legitimate systems that might
generate a significant volume of traffic that could resemble SPIT (or
a DoS attack).

I put the document out primarily to stimulate discussion. Are these
legitimate scenarios being addressed in current thinking about
SPIT? If not, my point really is that they need to be considered.

Comments about the document are very definitely welcome. Are there other scenarios I
should include? Am I accurate? Am I overstating the case? or what?

Technorati Tags:
ietf, security, sip, standards, voip, voip security

Hannes Tschofenig is over at the 3rd ETSI Security Workshop in France this week and yesterday gave a talk about SIP security. He has now posted the slides to his blog - My Slides from the 3rd ETSI Security Workshop:

Yesterday I gave my presentation at the 3rd ETSI Security Workshop. My presentation title was ‘IETF Security’ and that is obviously pretty fuzzy. After looking on the agenda I decided that the most useful topic to speak about would be SIP identity management and media security. In case you are interested in this topic, please take a look at the following slide set.

His slide set does give an excellent overview of security issues in SIP, the various RFCs and approaches, etc. As he mentions, he focuses on identity and media security. A great contribution to the ongoing dialog on these issues. In fact, much of the workshop agenda looks quite intriguing. It will be interesting to see if other presenters make their slides available or if conclusions are posted anywhere.

Note to other presenters: If you do put your slides up somewhere, we’re glad to link to them here. In fact, if you use SlideShare (or a similar service), we’ll be glad to embed the presentations directly in this blog.

Technorati Tags:
ietf, security, sip, standards, voip, voip security, hannes tschofenig