[VOIPSEC] VoIP Attack : How feasible
DePietro, John
jdepietro at starentnetworks.com
Tue Jul 25 13:07:20 CDT 2006
Hi,
I do not think that this figure applies to IMS topology unless the CSCFs are collapsed.
+-------------------+
| Domain            |
| Logical Proxy/Reg |
|                   |
|+-----+     +-----+|
||Host1|     |Host2||
|+-----+     +-----+|
+---\------------/--+
     \          /
      \        /
       \      /
        \    /
       +------+
       | User |
       | Agent|
       +------+
Actually, you would need to modify the next figure since edge proxies (P-CSCF and I-CSCF) are most likely separate from the Registrar (S-CSCF) to align with IMS. So...
         +---------+
         |Registrar|
         |Proxy    |
         +---------+
           /     \
          /       \
         /         \
     +-----+     +-----+
     |Edge1|     |Edge2|
     +-----+     +-----+
        \           /
         \         /
----------------------------NAT/FW
           \     /
            \   /
          +------+
          |User  |
          |Agent |
          +------+
...Looking at the IMS roaming case, how would this draft proposal fit - something like example A or B?
Example A
       +---------+
       |Registrar|
       | S-CSCF  |
       +---------+
            |
            |
       +---------+
       |I-CSCF   |
       +---------+
         /     \
        /       \           Home Network
--------------------------
                            Visited Network
      /           \
  +------+     +------+
  |P-CSCF|     |P-CSCF|
  +------+     +------+
      \           /
       \         /
        \       /
         \     /
        +------+
        |User  |
        |Agent |
        +------+
Example B
         +---------+
         |Registrar|
         | S-CSCF  |
         +---------+
           /     \
          /       \
      +------+ +------+
      |P-CSCF| |P-CSCF|
      +------+ +------+
         / \     /  \
        /   \   /    \           Home Network
-------/---- \-/------\-------
      /      / \       \         Visited Network
     /      /   \       \
    +------+     +------+
    |P-CSCF|     |P-CSCF|
    +------+     +------+
        \            /
         \          /
          \        /
           \      /
           +------+
           |User  |
           |Agent |
           +------+
Regards.
-----Original Message-----
From: Dan Wing [mailto:dwing at cisco.com]
Sent: Tuesday, July 25, 2006 1:42 PM
To: 'Geoff Devine'; DePietro, John; 'Pankaj Shroff'
Cc: Voipsec at voipsa.org
Subject: RE: [VOIPSEC] VoIP Attack : How feasible
> Doesn't this approach just create a registration storm when there is a
> failure?
No, you're registered at both proxies all the time. See section 3
of the Internet Draft. It has a beautiful ASCII diagram:
+-------------------+
| Domain            |
| Logical Proxy/Reg |
|                   |
|+-----+     +-----+|
||Host1|     |Host2||
|+-----+     +-----+|
+---\------------/--+
     \          /
      \        /
       \      /
        \    /
       +------+
       | User |
       | Agent|
       +------+
> The I-CSCF/Routing proxy has to be told that each of the
> clients moved to another edge proxy.
That is necessary whenever a P-CSCF (edge proxy) dies, unless
the "new" P-CSCF assumes the now-dead P-CSCF's identity (IP
address). That can still be done with the scheme described
in sip-outbound.
-d
> Geoff
>
> -----Original Message-----
> From: Dan Wing [mailto:dwing at cisco.com]
> Sent: Tuesday, July 25, 2006 12:46 PM
> To: 'DePietro, John'; Geoff Devine; 'Pankaj Shroff'
> Cc: Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] VoIP Attack : How feasible
>
> > Regarding, sip-outbound's approach. Do you have a
> > description of this, draft-rfc or whitepaper?
>
> Sorry, I should have included a citation:
> http://www.ietf.org/internet-drafts/draft-ietf-sip-outbound-04.txt
>
> -d