Category Archives: IETF

Internet-Draft out about ICMP attacks against TCP

ietflogo-1.jpgWhile this isn’t about VoIP, per se, there’s a new version of an Internet-Draft out, draft-ietf-tcpm-icmp-attacks, about how ICMP can be used to attack TCP. The abstract is:

This document discusses the use of the Internet Control Message
Protocol (ICMP) to perform a variety of attacks against the
Transmission Control Protocol (TCP). Additionally, describes a
number of widely implemented modifications to TCP’s handling of ICMP
error messages that help to mitigate these issues.

The document has been around in the IETF space since 2005, but is now moving further down the path toward being issued as an RFC. Seems to be a solid doc for people wanting to understand ICMP attacks.


If you found this post interesting or helpful, please consider either subscribing via RSS or following VOIPSA on Twitter.


5th Emergency Services Workshop to be held Oct 21-23 in Vienna

How does an emergency call to 9-1-1 or 1-1-2 (or whatever your local emergency number may be) work in a world of voice-over-IP?

It’s not a topic we cover hardly at all here on this blog, yet it’s definitely one of the security and social/cultural aspects of our migration to IP that we definitely have to get right. If we as an industry don’t, people can die. (Or the migration to VoIP will be significantly delayed.)

To that end, a number of emergency services experts are meeting to discuss ongoing work on IP-based emergency services in Vienna, Austria on 21st to 23rd October 2008. The first workshop day is focusing on tutorials to help those interested in the classical 1-1-2 (or 9-1-1) emergency call to get up-to-speed with architectures and standards developed for next generation emergency calling. During the second day various recent activities of standardization organizations around the world will be presented. The third workshop day is dedicated to early warning standardization efforts and the outlook to future emergency services activities.

Participation from those working in standardization organizations as well as persons with interest into the subject is highly appreciated. The event is open to the public and anyone may attend.
For socializing an evening program has been organized. There is a nominal fee of 120 Euros charged to cover the facilities cost, food, drinks, etc. Arrangements are also being made for participants to join remotely.

More information about the workshop can be found behind the following link:

http://www.emergency-services-coordination.info/esw5.html

This page also points to previous workshops that took place in New York, Washington, Brussels and Atlanta.

(Thanks to Hannes Tschofenig for providing the majority of this text.)

Technorati Tags:
, , , , ,

US government rolling out largest DNSSEC deployment

It’s not “VoIP security”-related, but this piece in NetworkWorld today is worth a read: “Feds tighten security on .gov“. Here’s the intro:

When you file your taxes online, you want to be sure that the Web site you visit — www.irs.gov — is operated by the Internal Revenue Service and not a scam artist. By the end of next year, you can be confident that every U.S. government Web page is being served up by the appropriate agency.

That’s because the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet’s DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain, and some expect that once that rollout is complete, banks and other businesses might be encouraged to follow suit for their sites.

The article goes on at some length into what the US government is doing, the issues involved and why it all matters. From a larger “Internet infrastructure” point-of-view, actions such as securing the DNS infrastructure will only help in securing services such as VoIP. There’s still a long way to go to getting DNSSEC widely available, but I applaud the US government for helping push efforts along.

FYI, the article references the obsolete RFC 2065 for DNSSEC. For those wishing the read the standard itself, DNSSEC is now defined in RFC’s 4033, 4034 and 4035 with a bit of an update in RFC 4470.

Technorati Tags:
, ,

Info on how to listen remotely to today’s RUCUS session at IETF

ietflogo-1.jpgIf you are interested in listening in to today’s session here at IETF about “Reducing Unwanted Communications Using SIP” (RUCUS) which I’ve mentioned previously, I’ve posted information about how to participate in IETF remotely. The RUCUS session takes place from 1300-1500 US Eastern time today.

Streaming audio should be available on ietf71-ch4.

Jabber group chat should be available as well, but I don’t know yet in which chat room it will be. There isn’t yet a chat room on the IETF server for ‘rucus’. I’ll update this post once I know where the chat room is.

UPDATE: A request is in to create the ‘rucus@jabber.ietf.org’ room. If that room isn’t created in time, we’ll use the SIPPING room at ‘sipping@jabber.ietf.org’. We’ll announce on the streaming audio which one we are using.

Technorati Tags:
, , , ,


buy viagra
buy viagra online
viagra online
discount viagra
order viagra
cheap viagra
generic viagra
generica viagra
viagra buy
viagra price
order viagra online
viagra generic
viagra pill
where buy viagra
buy viagra cheap
viagra order
get viagra
buy online viagra
online viagra
viagra sale online
where to buy viagra
cheapest viagra
purchase viagra
cheap viagra online
viagra buy online
buying viagra
buy viagra on
generic viagra canada
prescription viagra
buy viagra norway
generic viagra pack
buy viagra in nevada
buy viagra now online
viagra online buy
find viagra online
buy cheap viagra online
cheap generic viagra
buy cheap viagra
generic viagra online
viagra sale
generic viagra cheap
buy viagra on line
where buy generic viagra
viagra online bestellen
viagra prescription online
generic online viagra
low price viagra
cheapest viagra price
buy generic viagra
viagra uk
viagra online prescription
cheap est viagra
viagra soft tab
viagra discount
viagra cheap
where to buy viagra on line
buying viagra online
buy viagra now
purchase viagra online
viagra pharmacy
natural viagra
buy viagra in canada
viagra paypal
viagra on line
viagra 100mg
viagra without prescription
cheapest place to buy viagra online
generic Cialis
buy cialis
buy cialis online
cialis online
online cialis
order cialis
cheap cialis
discount Cialis
generic cialis price
cialis prescription
buy cialis generic
cialis online discount
cheapest cialis
buy discount cialis
purchase cheap cialis online
order cialis online
cialis for sale
cialis price
purchase cialis
cialis online pharmacy
buy Cheap Cialis
cialis story
generic cialis online
best cialis price
cheapest cialis generic
order generic cialis
low cost cialis
buy cialis generic online
levitra
buy levitra
cheap levitra
levitra online
buy levitra online
order levitra
order levitra online
cialis levitra
generic levitra
online levitra
buy cheap levitra
discount levitra
levitra sale
buy generic levitra
levitra online pharmacy
levitra price
purchase levitra
cheap levitra online
levitra story
levitra on line
levitra prescription
levitra cheap
best price for levitra
buy xanax
buy phentermine
buy lasix
tramadol
buy tramadol
buy tramadol online
tramadol online
cheap tramadol
order tramadol
tramadol hcl
ultram tramadol
tramadol prescription
online tramadol
tramadol sale
purchase tramadol
buy cheap tramadol
order tramadol online
overnight tramadol
tramadol cheap
tramadol pharmacy
discount tramadol
tramadol hydrochloride
tramadol 50mg
cheap tramadol online
generic tramadol
buy clomid
buy prozac
buy cipro
buy diflucan
buy acomplia
buy lexapro
buy flagyl
buy propecia
order propecia
cheap propecia
propecia online
order propecia online
buy propecia online
generic propecia
compare propecia
propecia without prescription
propecia prescription
propecia pill
discount propecia
online propecia
cheapest propecia
get propecia
propecia order
propecia price
propecia uk
propecia cost
propecia sale
purchase propecia
buy cheap propecia
propecia sale online
buy online propecia
online pharmacy propecia
online prescription propecia
buy generic propecia
buying propecia
buy propecia now
buy fosamax
buy kamagra
buy clomid online
buy prozac online
buy cipro online
buy diflucan online
buy acomplia online
buy lexapro online
buy flagyl online

Web page for RUCUS BOF at IETF 71 now at new URL

ietflogo-1.jpgAs I mentioned previously (here and here), the “RUCUS” BOF about voice spam at IETF 71 in Philadelphia is one of great interest with its focus on voice spam, a.k.a. “SPam for Internet Telephony” or “SPIT”. Unfortunately BOF co-chair Hannes Tschofenig ran into a problem with his domain and had to move the page to a new URL: http://www.shingou.info/bof-rucus.html

If you saved the URL or sent it on to someone, you’ll need to update to using the new URL. If you didn’t visit the RUCUS page before, please do check it out – and feel free to join the RUCUS mailing list. Of course, if you can, please do join us in person in Philadelphia!

Technorati Tags:
, , , , ,

Join the new RUCUS mailing list if you want to look at ways to end SPIT!

ietflogo.jpgAs mentioned previously, there is a new session planned for IETF 71 in March called “Reducing Unwanted Communications Using SIP“, a.k.a. “RUCUS”.

The RUCUS mailing list is now open for subscriptions and we encourage anyone interested in looking at how we address the issue of voice spam, aka “Spam for Internet Telephony” aka “SPIT” to join into the conversation.

We would ask you to please read the group description prior to joining so that you understand what we are trying to do. The primary goal of this session in March in Philadelphia is to look to understand the architecture necessary to address the issue and identify the pieces of that architecture that may already be there or may need to be put in place.

Technorati Tags:
, , , , , , , ,

End-to-end VoIP security using DTLS-SRTP? (A new proposal…)

ietflogo.jpgAs we’ve discussed both here and on Blue Box, the issue of securing the keys for Secure RTP is one of the remaining challenges to have secure voice transmission in the open standards world of SIP. Out of the large number of proposals to secure the key exchange, “DTLS” emerged as the choice of the IETF… but it still had the issue that an endpoint needed to be sure of the authenticity of the other endpoint’s certificate. SIP Identity (RFC 4474) and a draft “Identity-Media” from Dan Wing addressed the authenticity issue but broke in some common network configurations. Now Kai Fisher has put out an Internet Draft called “End-to-End Security for DTLS-SRTP” that proposes a mechanism to address that. In the post to the SIP mailing list, Kai explains the motivation:

I have submitted a draft proposing a solution to secure a DTLS-SRTP handshake and hence SRTP end-to-end (in terms of end-domain to end-domain). As discussed during the last IETF meetings and analyzed by Dan’s Identity-Media draft, current solutions like SIP Identity do not protect the authenticity of the fingerprint end-to-end in certain inter-domain scenarios. For example, a modification of SDP m-/c-lines or the From header field by intermediaries breaks the SIP-Identity or Identity-Media signature and causes a re-signing by a domain different to the originating one. The draft proposes a solution for such scenarios without the need to re-sign during domain traversal and which preserves the original identity information.

The abstract to the draft provides more info:

The end-to-end security properties of DTLS-SRTP depend on the authenticity of the certificate fingerprint exchanged in the signalling channel. In current approaches the authenticity is protected by SIP-Identity or SIP-Identity-Media. These types of signatures are broken if intermediaries like Session Border Controllers in other domains change specific information of the SIP header or the SIP body. The end-to-end security property between the originating and terminating domain is lost if these intermediaries re-sign the SIP message and create a new identity signature using their own domain credentials.

This document defines a new signature type ‘Fingerprint-Identity’ which is exchanged in the signalling channel. Fingerprint-Identity covers only those elements of a SIP message necessary to authenticate the certificate fingerprint and to secure media end-to-end. It is independent from SIP-Identity and SIP-Identity-Media and can be applied in parallel to them.

More details can, of course, be found in the draft. As noted in the post to the SIP mailing list, Kai is looking for feedback. This is an important issue to get done – and to get done correctly – so we strongly urge people to take a look at the document and provide feedback if you see ways the proposal can be improved.

Technorati Tags:
, , , , , , ,

Raising a RUCUS about SPIT at IETF 71!

UPDATE: The RUCUS mailing list is now open for subscription.

ietflogo.jpgWant to get together with others and discuss in further detail what we can do about Spam for Internet Telephony (SPIT)? A new session has been approved for the IETF 71 meeting coming up in Philadelphia in March called “Reducing Unwanted Communications using SIP” a.k.a. “RUCUS” (Hey, it’s not a real IETF group until it has a cute acronym!) Hannes Tschofenig, who submitted the proposal, has created a RUCUS web page and is looking for feedback. The page says in part:

The topic of dealing with unwanted traffic in SIP has surfaced several times in the IETF in the context of preventing Spam for Internet telephony. Previous attempts to have a structured discussion about this topic have (among other reasons) failed due to the strong focus on selected solution approaches.

Prior work in SIP on identity management has an important role in this activity since a strong identity mechanism in SIP has been seen as a prerequisity for establishing authorization policies. Hence, the “Discussion and Analysis of SIP Identity” (DASI) BoF is relevant for this event. Even though there is no direct dependency between the two activities the number of interested participants will quite likely overlap.

This BoF focuses on the discussion of architectural aspects. The underlying theme is that the work on building blocks is more fruitful once the larger framework is understood. A number of solutions components have been submitted to the IETF, have been published in the academic literature and found their way into other standardization bodies. Reduce unwanted communication requires authorization decisions to be made. These decisions can be made based on individual sessions but also on the interaction at a higher granularity (e.g., the interaction with a specific VoIP provider network). Examples of questions with relevance for an architecture might be:
– Where does information for decision making come from?
– What are useful information items for decision making?
– Where are policy decision points located? What about the placement of
policy enforcement points?
– Are privacy aspects to consider with the exchange of information?
– How does the underlying trust model look like?
– What assumptions are certain mechanisms based on?
– Can individual proposals be combined in a reasonable way?
etc.

It is not the aim of the BoF to discuss specific solution approaches since it is likely that multiple techniques have to be used in concert.

If you are attending IETF 71 in Philadelphia in March, do plan on joining in the RUCUS! (I’ll be there.)

Technorati Tags:
, , , , , , , ,

An excellent overview of SIP security issues at the 3rd ETSI Security Workshop

Hannes Tschofenig is over at the 3rd ETSI Security Workshop in France this week and yesterday gave a talk about SIP security. He has now posted the slides to his blog – My Slides from the 3rd ETSI Security Workshop:

Yesterday I gave my presentation at the 3rd ETSI Security Workshop. My presentation title was ‘IETF Security’ and that is obviously pretty fuzzy. After looking on the agenda I decided that the most useful topic to speak about would be SIP identity management and media security. In case you are interested in this topic, please take a look at the following slide set.

His slide set does give an excellent overview of security issues in SIP, the various RFCs and approaches, etc. As he mentions, he focuses on identity and media security. A great contribution to the ongoing dialog on these issues. In fact, much of the workshop agenda looks quite intriguing. It will be interesting to see if other presenters make their slides available or if conclusions are posted anywhere.

Note to other presenters: If you do put your slides up somewhere, we’re glad to link to them here. In fact, if you use SlideShare (or a similar service), we’ll be glad to embed the presentations directly in this blog.

Technorati Tags:
, , , , , ,

IETF seeking feedback on “Requirements from SIP Session Border Controller Deployments”

ietflogo.jpgThe IETF leadership recently announced that they are seeking final comments on an Internet-Draft called “Requirements from SIP Session Border Controller Deployments” (current draft also available here) as they decide whether to move this document to an Informational RFC. The abstract of the document is as follows:

This document describes functions implemented in Session Initiation Protocol (SIP) intermediaries known as Session Border Controllers (SBCs). The goal of this document is to describe the commonly provided functions of SBCs. A special focus is given to those practices that are viewed to be in conflict with SIP architectural principles. This document also explores the underlying requirements of network operators that have led to the use of these functions and practices in order to identify protocol requirements and determine whether those requirements are satisfied by existing specifications or additional standards work is required.

If you work with SBCs, use them in your networks, or work for a SBC vendor, now is a good time to ensure that this document captures the requirements you have for deploying SBCs. Once finalized as an Informational RFC, the idea is that it will be used to assist in the potential creation of new SIP-related standards or the modification of existing standards. Now is the time to voice your opinion (and the note from the IETF explains how to do that). Comments have been requested to be received by January 16, 2008.

Technorati Tags:
, , , , , ,