[VOIPSEC] Spoof of IP address within a (large) domain
Chris Calabrese
chris_calabrese at medco.com
Thu Mar 24 08:02:16 CST 2005
IP addresses are easily spoofed on most networks, and even MAC addresses
are spoofable.
The SIP RFC specifically states (at least the older version that I read)
that you must use IPSec if you expect any level of confidentiality or
integrity.
Therefore, to start a possible flame war, any claim of security without
using IPSec (or possibly some equivalent) is false.
Brian Rosen wrote:
>These systems really are all still layer 2 determination of location. They
>really do trace circuit IDs, or MAC addresses or something else at layer 2.
>The discussion is how does the device whose location is determined at layer
>2 find out what it is. For this they want to use a higher layer protocol,
>using the IP address to correlate the location to the device. The reason to
>do that is so that you can have many layer 2 specific tracing methods, with
>only one query method.
>
>You wouldn't do this over a VPN tunnel. You do it at the outside, first
>level access, before you establish the tunnel.
>
>We're still stuck with the issue that if the IP address (or the server) can
>reasonably be spoofed, then address forgery is reasonably possible.
>
>GPS is a wonderful solution except:
>1. To get the accuracy you need, you need "Assisted" GPS. While this is
>becoming more common and easier, it's not deployed everywhere.
>
>2. It's still too power hungry to leave on all the time. That means you
>have a "first fix" delay that is long (10 seconds is not uncommon). That's
>a Loooong time to wait to get an emergency call through, but we can't route
>the call until we know where you are
>
>3. It doesn't work indoors.
>
>The latter is the biggest problem for now. There are repeater mechanisms,
>but they aren't cheap to deploy in large office buildings. Works better in
>a single family, wooden construction situation.
>
>Brian
>
>
>
>>-----Original Message-----
>>From: Robert Moskowitz [mailto:rgm at icsalabs.com]
>>Sent: Wednesday, March 23, 2005 2:45 PM
>>To: Jeffrey Skelton; Brian Rosen; VoipSec
>>Subject: Re: [VOIPSEC] Spoof of IP address within a (large) domain
>>
>>At 01:53 PM 3/23/2005, Jeffrey Skelton wrote:
>>
>>
>>>These arguments about various "rogue" (or righteous) edge extensions
>>>
>>>
>>would
>>
>>
>>>seem to apply equally to IP address as a reliable key for location lookup
>>>
>>>
>>or
>>
>>
>>>location information pushed from a DHCP server.
>>>
>>>
>>Exactly. There can be no trust in device location from a third
>>party. Only the device can 'speak for itself'.
>>
>>I could go on with other ways the device is not where the visible IP
>>address seems to be. All perfectly legit (like my use of SSH tunneling
>>when I am on the road).
>>
>>
>>
>>>Don't methods claim that something other than the actual edge node knows
>>>what the physical location of that edge node is?
>>>
>>>
>>A tunneling protocol and an application proxy has the knowledge of the IP
>>address of the its endpoint. Hopefully we are dealing with only one hop,
>>but we are not (consider remote tunnel then an application proxy).
>>
>>There is no standard way to make that information available.
>>
>>Anyone that really wants to know where a device is should look at the work
>>being done in IEEE 802.11p. They are addressing this the 'right way'. It
>>is all about vehicle safety for them. One of their goals in anonymity,
>>thus 'you don't know who I am, or probably care, but I am at GPS .... and
>>doing ..... (160' (your car figures out that is 8 cars) ahead of you,
>>moving at 80mph, and slamming on my brakes for maximum deceleration). Law
>>inforcement does NOT want to know which car did this. The safety value
>>outweighs any law enforcement value. But we also have to kick a car out
>>of
>>the system that has been determined to 'lie'.
>>
>>
>>
>>
>>
>>
>>
>>>On 3/22/05 3:12 PM, "Robert Moskowitz" <rgm at icsalabs.com> wrote:
>>>
>>>
>>>
>>>>At 04:22 PM 3/17/2005, Brian Rosen wrote:
>>>>
>>>>
>>>>>Now it's my turn to "ask the experts".
>>>>>
>>>>>
>>>>>
>>>>>I have someone proposing a solution to a large problem of "where are
>>>>>
>>>>>
>>>you?";
>>>
>>>
>>>>>that is, finding your own location.
>>>>>
>>>>>It's for 9-1-1, and we have one mechanism, DHCP, that we are pretty
>>>>>
>>>>>
>>happy
>>
>>
>>>>>with; you can spoof within your subnet, but that's about it, and
>>>>>
>>>>>
>>location
>>
>>
>>>>>doesn't vary much within the subnet.
>>>>>
>>>>>
>>>>I've read through all the comments here and see that a couple of items
>>>>
>>>>
>>have
>>
>>
>>>>not been covered that using IP addresses as a physical locator is a
>>>>
>>>>
>>total
>>
>>
>>>>waste of time. Well not total yet, but getting there.
>>>>
>>>>First as two subnets.
>>>>
>>>>With developments in bridging equipment over the past 5 years or so,
>>>>
>>>>
>>many
>>
>>
>>>>places are running flat networks. My colleague in 802.1 from
>>>>
>>>>
>>Enterasys
>>
>>
>>>>said that they have one university running flat with 100,000 devices.
>>>>
>>>>
>>You
>>
>>
>>>>know the IP address is somewhere, but no more than that. MAC address
>>>>
>>>>
>>is a
>>
>>
>>>>better indicator.
>>>>
>>>>But more likely than that are technologies like MobileIP.
>>>>
>>>>I could be running my home agent on my DSL line and be anywhere in the
>>>>world, thanks to IPnIP (protocol 9, as I recall). I could be running
>>>>
>>>>
>>the
>>
>>
>>>>call over an ESP tunnel with the same results. The IP address does
>>>>
>>>>
>>not
>>
>>
>>>>locate the device within the Internet.
>>>>
>>>>Of course HIP does this the right way. The IP address stays where it
>>>>belongs and the system stack moves around the internet. But then HIP
>>>>
>>>>
>>is
>>
>>
>>>>only beginnig to get attention eventhough I wrote the first paper on
>>>>
>>>>
>>it in
>>
>>
>>>>Jan '99...
>>>>
>>>>The one example of a Asterisk server is another way that IP address
>>>>
>>>>
>>seen is
>>
>>
>>>>not the IP address of the device.
>>>>
>>>>Finally, how does the DSL provider really know which house that call
>>>>
>>>>
>>came
>>
>>
>>>>from? What if the homeowner is providing wireless services via an
>>>>
>>>>
>>802.11
>>
>>
>>>>network to the neighbors? (or the neighbor just lunching off an open
>>>>network...).
>>>>
>>>>You want reliable locator, put digital certs from the vendor and GPS
>>>>hardware to deliver authenticated location information. Look at what
>>>>802.11p is facing for authenticating car locations (and they are
>>>>
>>>>
>>tackling
>>
>>
>>>>anonymity).
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>Robert Moskowitz
>>>>Senior Technical Director
>>>>ICSA Labs, a division of Cybertrust, Inc.
>>>>W: 248-968-9809
>>>>F: 248-968-2824
>>>>E: rgm at icsalabs.com
>>>>
>>>>There's no limit to what can be accomplished
>>>>if it doesn't matter who gets the credit
>>>>
>>>>
>>>>
>>>>_______________________________________________
>>>>Voipsec mailing list
>>>>Voipsec at voipsa.org
>>>>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>>>
>>>>
>>Robert Moskowitz
>>Senior Technical Director
>>ICSA Labs, a division of Cybertrust, Inc.
>>W: 248-968-9809
>>F: 248-968-2824
>>E: rgm at icsalabs.com
>>
>>There's no limit to what can be accomplished
>>if it doesn't matter who gets the credit
>>
>>
>>
>>
>>
>
>
>
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
>
--
Chris Calabrese, CISSP, GCIA, GCFA
Information Security Engineering
medco.com
-----------------------------------------
This e-mail message and any attachments contain confidential information
from Medco. If you are not the intended recipient, you are hereby notified
that disclosure, printing, copying, distribution, or the taking of any
action in reliance on the contents of this electronic information is
strictly prohibited. If you have received this e-mail message in error,
please immediately notify the sender by reply message and then delete the
electronic message and any attachments.
More information about the Voipsec
mailing list