[VOIPSEC] Cisco 7920 wireless IP Phones
Scott Keagy
Scott.Keagy at webex.com
Thu May 26 13:26:51 CDT 2005
IPSEC overhead with VoIP is a real concern, given a typical 20 byte audio
codec payload and 12+8+20 byte headers of RTP+UDP+IP (before we talk about
IPSEC overhead). Even with CRTP inside of IPSEC (compressing 40 bytes down
to 2-4 bytes depending on UDP checksums), still have serious IPSEC overhead
with abysmal VoIP throughput.
Service providers can have reasonable work-arounds with CRTP packet-stacking
inside an IPSEC tunnel (something along the lines of TCRTP) if you have high
traffic corridors with well defined sources and destinations. But for
general use as in a wireless case, the overhead is just going to suck unless
there are special new methods of creating a shortened identifer tagged on
the encrypted payload that operates only at the link layer (and requires
negotiation and state maintenance between the wireless devices). Now I'm
pretty ignorant of current activities in wireless networking, so have no
insight into whether such work exists or is underway.
Regards,
Scott
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Guillermo Marro
Sent: Thursday, May 26, 2005 10:46 AM
To: Chris at infravast.com
Cc: Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones
Chris,
IMHO, saying that wireless infrastructure is insecure (irrespective of what
preventive measures you take to mitigate risks) is perhaps an unnecessary
simplification that might cause a lot of misconception.
In my eyes, wireless infrastructure will never be safe from layer-1 local
DoS attacks (signal jamming). Irrespective of how smart your modulation
scheme is, there is not much you can do about powerful wide- band white
noise generators. So it's probably safe for now to say that availability is
and will be an issue.
Regarding confidentiality and integrity, I'm with Tom: strength of WPA
protection DOES MATTER.
It'd be interesting to know about successful attacks to WPA2-AES achieved in
feasible time frames. I'd also be more than happy to know about successful
attacks to TLS and SSH (patched implementations on both wireless or wired
deployments).
Regarding the overhead added by IPSec, I believe it is entirely dependent on
the size of the IP datagram. A datagram with a payload of
64 bytes does not clearly have the same overhead (in proportion) that one
with 1480 bytes of payload. I'm no VoIP expert, so I don't know what the
average VoIP packet looks like, but I'd like to know how you reach that 40%
overhead figure.
Thanks,
-G
On Wed, 2005-05-25 at 22:26 -0500, Christopher A. Martin wrote:
> TLS is SSL all grown up.
>
> SSL and SSH can be hijacked (MiM, Man in the middle) by hacker tools
> crafted specifically for VoIP. A good example of ssl hijacking is a
> tool called airsnarf.
>
> http://airsnarf.shmoo.com/
>
> I believe that this would be a trivial task to convert to SIP since it
> is merely a cousin to html.
>
> The author, Beetle, gave some very good demonstrations of how easy it
> is to break "ANY" wireless encryption/protection scheme and, with this
> tool, hijack any ssl/tls encrypted page to capture
> authentication/credit card or any other info that was supposed to be
> encrypted. Over two days he was able to show a class of about 60
> people, many new to wireless how to do the same thing.
>
> When I say that IPSec adds too much overhead I refer to the fact that,
> due to encapsulation, IPSec adds approximately 40% additional overhead
> to an IP packet and often fragmentation due to packets that need to be
> fragmented for encapsulation.
>
> Chris
>
> -----Original Message-----
> From: Robert Thompson Jr. [mailto:rthompson at columbiabank.com]
> Sent: Wednesday, May 25, 2005 1:19 PM
> To: Chris at infravast.com; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones
>
> I am very new to VOIP, so please bear with me.
>
> But when you say that it is trivial to intercept the traffic, you just
> mean to receive it right? You are not talking about deciphering the
> information and being able to listen in on the conversation are you?
>
> Why would IPSEC add too much overhead?
>
> Instead of SSH and SSL, could TLS be used? As I am under the
> understanding that TLS doesn't have any more overhead than SSL though
> is quite more secure.
>
> Rob.
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
> On Behalf Of Christopher A. Martin
> Sent: Tuesday, May 24, 2005 5:47 PM
> To: 'Finnegan, James M SAM Contractor'; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] Cisco 7920 wireless IP Phones
>
>
> It is trivial to hijack, intercept, impersonate any type of traffic
> over wireless, whether WEP, WAP, etc is implemented. IPSec over it is
> about the only safe bet (which adds too much overhead). SSH and SSL
> can also be compromised due to wireless hijacking.
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]
> On Behalf Of Finnegan, James M SAM Contractor
> Sent: Tuesday, May 24, 2005 12:03 PM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] Cisco 7920 wireless IP Phones
>
> Greetings all,
>
> I have run into a problem I was hoping to get feedback on. We are
> using the 7920 IP Phones at our sites, running CCM 3.3.
>
> The Army has decided the wireless link needs to be encrypted with
> something other than WEP or WEP w/LEAP. Our standard wireless
> encryption is 3DES.
> The
> 7920's only support WEP or WEP w/LEAP. Has anyone run into this problem?
>
>
>
> Thanks
>
>
>
> Mike Finnegan
>
> B.I.T.S.
>
> U.S.Army Corp of Engineers
>
>
>
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>
--
...........................
Guillermo Marro
Synaptes
Comunicacion Inteligente
http://www.synaptes.com
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
More information about the Voipsec
mailing list