Archive for the 'SIP' Category

Raising a RUCUS about SPIT at IETF 71!

Monday, February 4th, 2008 by Dan York

UPDATE: The RUCUS mailing list is now open for subscription.

Want to get together with others and discuss in further detail what we can do about Spam for Internet Telephony (SPIT)? A new session has been approved for the IETF 71 meeting coming up in Philadelphia in March called “Reducing Unwanted Communications using SIP” a.k.a. “RUCUS” (Hey, it’s not a real IETF group until it has a cute acronym!). Hannes Tschofenig, who submitted the proposal, has created a RUCUS web page and is looking for feedback. The page says in part:

The topic of dealing with unwanted traffic in SIP has surfaced several times in the IETF in the context of preventing Spam for Internet telephony. Previous attempts to have a structured discussion about this topic have (among other reasons) failed due to the strong focus on selected solution approaches.

Prior work in SIP on identity management has an important role in this activity since a strong identity mechanism in SIP has been seen as a prerequisite for establishing authorization policies. Hence, the “Discussion and Analysis of SIP Identity” (DASI) BoF is relevant for this event. Even though there is no direct dependency between the two activities, the number of interested participants will quite likely overlap.

This BoF focuses on the discussion of architectural aspects. The underlying theme is that the work on building blocks is more fruitful once the larger framework is understood. A number of solution components have been submitted to the IETF, have been published in the academic literature and found their way into other standardization bodies. Reducing unwanted communication requires authorization decisions to be made. These decisions can be made based on individual sessions but also on the interaction at a higher granularity (e.g., the interaction with a specific VoIP provider network). Examples of questions with relevance for an architecture might be:

- Where does information for decision making come from?

- What are useful information items for decision making?

- Where are policy decision points located? What about the placement of policy enforcement points?

- Are there privacy aspects to consider with the exchange of information?

- What does the underlying trust model look like?

- What assumptions are certain mechanisms based on?

- Can individual proposals be combined in a reasonable way?
etc.

It is not the aim of the BoF to discuss specific solution approaches since it is likely that multiple techniques have to be used in concert.

If you are attending IETF 71 in Philadelphia in March, do plan on joining in the RUCUS! (I’ll be there.)


VoiceCon Orlando to offer “SIP Security” talk

Sunday, January 27th, 2008 by Dan York

Over on his new No Jitter blog, Eric Krapf notes in his SIP Security post that at VoiceCon Orlando they will be running a SIP security talk again:

“As SIP continues to seep into the mainstream, more attention is being paid to security issues, especially in public IP networks/the Internet. At VoiceCon Orlando in March, we’re bringing back Cullen Jennings and Eric Rescorla to once again give their ‘SIP Security’ tutorial, which offers enterprises a jump on many of the key issues.”

Long-time readers will remember that I wrote about Cullen & Eric’s appearance at VoiceCon San Francisco back in August and I am glad to see they’ll be back again in Orlando. Since I’ll be down there at VoiceCon Orlando, I’ll look forward to seeing them both again (and yes, I’ll probably sit in their presentation again :-).

Eric also reviews a couple of the ETSI security presentations I recently mentioned, giving a better glimpse than I did here! :-)


VoIP Security talk at Ingate SIP Trunking Seminar Series next week in Miami

Thursday, January 17th, 2008 by Dan York

If any of you will be in Miami next week for Internet Telephony Expo, I will be speaking on VOIPSA’s behalf at Ingate’s SIP Trunking Seminar Series held in conjunction with IT Expo. Predictably, my session from 8:30-9:45am on Thursday, January 24th is titled “Seminar/myth 1: VoIP is not secure“. Should be fun.

If you are going to be down at IT Expo, do check out the full schedule for Ingate’s SIP Trunking Seminar Series. They have a good range of speakers and the seminars are free.

If any of you are attending either IT Expo or the SIP Trunking Seminar Series, please do drop a note as I’m always interested in meeting readers.


Can legitimate SIP traffic be mistaken for SPIT? How do you differentiate?

Thursday, January 17th, 2008 by Dan York

Within the IETF there’s been a bit of discussion in the past months about voice spam/SPIT and just recently RFC 5039 from Jonathan Rosenberg and Cullen Jennings was published that specifically addresses the issue of SIP and Spam.

The RFC is an excellent summary of the current thinking about the SPIT problem and potential solutions to address it. If you haven’t read the document, I would *highly* recommend it.

A concern I had, though, was that it did not appear to me that existing documents address the issue of what SPIT could look like at a network level. For instance, if a network administrator monitoring network traffic suddenly saw a large flood of SIP INVITE packets coming into his/her network, it could be:

1. a telemarketer/spammer launching a flood of SIP connections to deliver SPIT;
2. an attacker launching a DoS attack through one of the various SIP attack tools out there; or
3. a legitimate notification system starting to notify a range of SIP endpoints.

I could very easily see existing network tools that look at traffic and perform anomaly detection (and potentially source suppression) being modified to suppress large flows of SIP traffic. This last case of legitimate traffic concerned me and so I put together an Internet-Draft talking about the types of legitimate systems that might generate a significant volume of traffic that could resemble SPIT (or a DoS attack).
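To make the false-positive risk concrete, here is a small rate-based INVITE flood check run over constructed log lines. This is an added example, not code from the post or the Internet-Draft; the log format, the window/threshold values and the allowlist of known notification senders are all assumptions. The point it shows: a plain per-source rate threshold cannot tell a spammer from a legitimate bulk notifier, so the tool has to carry that knowledge from somewhere else rather than suppress on volume alone.

```python
from collections import defaultdict, deque

# Constructed sample lines in an assumed format:
# "<epoch-seconds> INVITE <source-ip> <request-uri>"
SAMPLE_LOG = """\
100 INVITE 203.0.113.9 sip:alice@example.com
100 INVITE 203.0.113.9 sip:bob@example.com
101 INVITE 203.0.113.9 sip:carol@example.com
101 INVITE 203.0.113.9 sip:dave@example.com
100 INVITE 192.0.2.50 sip:alice@example.com
105 INVITE 192.0.2.50 sip:frank@example.com
100 INVITE 198.51.100.7 sip:alice@example.com
100 INVITE 198.51.100.7 sip:bob@example.com
100 INVITE 198.51.100.7 sip:carol@example.com
101 INVITE 198.51.100.7 sip:dave@example.com
"""

# Assumed: an emergency-notification server the operator has registered.
KNOWN_NOTIFIERS = {"198.51.100.7"}


def parse_invites(log_text):
    """Yield (timestamp, source, request_uri) for INVITE lines only."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "INVITE":
            yield int(parts[0]), parts[2], parts[3]


def invite_flood_verdicts(log_text, window=5, threshold=4,
                          notifiers=KNOWN_NOTIFIERS):
    """Classify each source by its peak INVITE count in any sliding window.

    Returns {source: 'normal' | 'flood' | 'legitimate-bulk'}.  A source
    over threshold is 'flood' unless it is a known notifier, in which
    case it is surfaced as bulk traffic rather than suppressed.
    """
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, src, _uri in sorted(parse_invites(log_text)):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop events outside window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    verdicts = {}
    for src, count in peak.items():
        if count < threshold:
            verdicts[src] = "normal"
        elif src in notifiers:
            verdicts[src] = "legitimate-bulk"
        else:
            verdicts[src] = "flood"
    return verdicts
```

Without the allowlist, 203.0.113.9 and 198.51.100.7 are indistinguishable to this check, which is exactly the scenario the draft asks SPIT and anomaly-detection work to account for.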

I put the document out primarily to stimulate discussion. Are these legitimate scenarios being addressed in current thinking about SPIT? If not, my point really is that they need to be considered.

Comments about the document are very definitely welcome. Are there other scenarios I should include? Am I accurate? Am I overstating the case? Or what?


An excellent overview of SIP security issues at the 3rd ETSI Security Workshop

Wednesday, January 16th, 2008 by Dan York

Hannes Tschofenig is over at the 3rd ETSI Security Workshop in France this week and yesterday gave a talk about SIP security. He has now posted the slides to his blog - My Slides from the 3rd ETSI Security Workshop:

Yesterday I gave my presentation at the 3rd ETSI Security Workshop. My presentation title was ‘IETF Security’ and that is obviously pretty fuzzy. After looking on the agenda I decided that the most useful topic to speak about would be SIP identity management and media security. In case you are interested in this topic, please take a look at the following slide set.

His slide set does give an excellent overview of security issues in SIP, the various RFCs and approaches, etc. As he mentions, he focuses on identity and media security. A great contribution to the ongoing dialog on these issues. In fact, much of the workshop agenda looks quite intriguing. It will be interesting to see if other presenters make their slides available or if conclusions are posted anywhere.

Note to other presenters: If you do put your slides up somewhere, we’re glad to link to them here. In fact, if you use SlideShare (or a similar service), we’ll be glad to embed the presentations directly in this blog.


IETF seeking feedback on “Requirements from SIP Session Border Controller Deployments”

Tuesday, January 8th, 2008 by Dan York

The IETF leadership recently announced that they are seeking final comments on an Internet-Draft called “Requirements from SIP Session Border Controller Deployments” (current draft also available here) as they decide whether to move this document to an Informational RFC. The abstract of the document is as follows:

This document describes functions implemented in Session Initiation Protocol (SIP) intermediaries known as Session Border Controllers (SBCs). The goal of this document is to describe the commonly provided functions of SBCs. A special focus is given to those practices that are viewed to be in conflict with SIP architectural principles. This document also explores the underlying requirements of network operators that have led to the use of these functions and practices in order to identify protocol requirements and determine whether those requirements are satisfied by existing specifications or additional standards work is required.

If you work with SBCs, use them in your networks, or work for an SBC vendor, now is a good time to ensure that this document captures the requirements you have for deploying SBCs. Once finalized as an Informational RFC, the idea is that it will be used to assist in the potential creation of new SIP-related standards or the modification of existing standards. Now is the time to voice your opinion (and the note from the IETF explains how to do that). Comments have been requested to be received by January 16, 2008.


Blue Box Special Edition #22: SIP and NAT Traversal

Thursday, December 20th, 2007 by Dan York

Blue Box Special Edition #22 is now available which explores and explains the details around SIP and NAT traversal. In this interview I sat down with Dr. Jonathan Rosenberg, a Cisco fellow and author of a wide range of RFCs and Internet-Drafts related to SIP, to talk about SIP and NAT traversal. We explore what the problem is, how ALGs and SBCs attempt to solve the problem and how the IETF has looked to address the issue through first STUN, then TURN and now finally ICE. I think you’ll find it a very educational and informative session.

On a similar note, you may also be interested in Blue Box Special Edition #20 where I sat down with Cullen Jennings to talk about overall security issues with SIP. These two podcasts together give you a solid overview of the current security issues with SIP.


Isolation vs. Integration

Wednesday, October 24th, 2007 by Dustin D. Trammell

I’ve long been a staunch opponent of the “isolate your VoIP network from your data network” strategy. I personally believe that by putting up such restrictive barriers as would be required to provide any sense of actual security, the owners and administrators of a VoIP deployment are severely limiting the potential value they are able to receive from using Internet telephony. One of the Great Promises of VoIP is the ability to integrate communications with other productivity technologies such as work-group software and CRM applications. A lot of VoIP security practitioners tout the isolation strategy as a solution for the insecurity of the VoIP core devices and endpoints when in reality it is little more than a stop-gap, and not a very good one at that. By providing a false sense of security by way of network isolation, many VoIP deployment administrators may become complacent and pay less attention to the security posture of the actual VoIP devices and endpoints themselves. If you plan to integrate your communications system into the data-flow of your business in even the most minimal way, you’ll find quickly that most types of isolation that are available either provide a barrier to the desired functionality or open up so many holes in the barrier that it may as well not be there.


Speaking at Interop New York tomorrow about VoIP security… and also ISC2 member reception

Wednesday, October 24th, 2007 by Dan York

In a few hours I’ll be boarding a plane back to New York where I’ll be attending Interop New York this afternoon and tomorrow. If any of you reading this will be there, please do drop an email. Tomorrow, I’ll be on a panel at 2:45pm with Jonathan Rosenberg about “Voice-oriented Attacks”. (Side note to Interop: Please make it so that we can link to individual sessions instead of having to link to the entire list of “security”-related sessions!) If you aren’t aware of who Jonathan Rosenberg is, he works for Cisco and is a huge contributor to IETF efforts related to SIP and in fact was one of the co-authors of RFC 3261 which is the primary RFC defining SIP. He’s also the author of “The Hitchhiker’s Guide to SIP” which aims to help guide people through the maze of the many, many documents that now are part of “SIP”. More relevant to tomorrow’s session, he’s also the author of a series of NAT traversal protocols for SIP, namely STUN, TURN and now ICE. Eric Krapf, the moderator of the session, is aiming to make it a more interactive and discussion-focused session (i.e. no slideware-to-death)… we’ll see if we can make it fun as well. I’ve also asked Interop for permission to record it and run it as a Blue Box podcast - we’ll see if they give me permission.
Note that if you are a CISSP, the ISC2 is holding a member reception today (Wednesday October 24, 2007) starting at 5:30 PM in Jacob Javits Center Room 1EO2 - LEVEL 1. Assuming that everything works with my flights today, I’ll be there.
I’ll even have some new business cards to give out… ;-)

P.S. I’ve now been public about who my new employer is.


Blue Box #69: Linksys SPA-941 vulnerability, SIP DDoS, New release of SIPVicious, Asterisk security roadmap, other VoIP security news, listener comments and more

Thursday, October 11th, 2007 by Dan York

Blue Box Podcast #69 is now available for download. In this 46-minute episode, Jonathan and I discuss the Linksys SPA-941 vulnerability mentioned in the VOIPSEC list, a potential SIP DDoS, a new release of SIPVicious, a suggested Asterisk security roadmap, other VoIP security news, listener comments and more.