[VOIPSEC] VoIP Attack : How feasible
Dan Wing
dwing at cisco.com
Tue Jul 25 13:52:49 CDT 2006
Those are all the same from the user agent's perspective, which is the scope
of sip-outbound. What is done inside the network isn't relevant to
sip-outbound.
-d
> -----Original Message-----
> From: DePietro, John [mailto:jdepietro at starentnetworks.com]
> Sent: Tuesday, July 25, 2006 11:07 AM
> To: Dan Wing; Geoff Devine; Pankaj Shroff
> Cc: Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] VoIP Attack : How feasible
>
> Hi,
>
> I do not think that this figure applies to IMS topology
> unless the CSCF are collapsed.
>     +-------------------+
>     | Domain            |
>     | Logical Proxy/Reg |
>     |                   |
>     |+-----+     +-----+|
>     ||Host1|     |Host2||
>     |+-----+     +-----+|
>     +---\------------/--+
>          \          /
>           \        /
>            \      /
>             \    /
>            +------+
>            | User |
>            | Agent|
>            +------+
>
> Actually, you would need to modify the next figure since edge
> proxies (P-CSCF and I-CSCF) are most likely separate from
> Registrar (S-CSCF) to align with IMS. So...
>
>           +---------+
>           |Registrar|
>           |Proxy    |
>           +---------+
>             /     \
>            /       \
>           /         \
>        +-----+     +-----+
>        |Edge1|     |Edge2|
>        +-----+     +-----+
>           \           /
>            \         /
>   ----------------------------NAT/FW
>              \     /
>               \   /
>              +------+
>              |User  |
>              |Agent |
>              +------+
>
> ...Looking at the IMS roaming case, how would this draft
> proposal fit - something like example A or B,
>
> Example A
>           +---------+
>           |Registrar|
>           | S-CSCF  |
>           +---------+
>                |
>                |
>           +---------+
>           |I-CSCF   |
>           +---------+
>             /     \
>            /       \          Home Network
>   --------------------------
>                               Visited Network
>         /             \
>     +------+       +------+
>     |P-CSCF|       |P-CSCF|
>     +------+       +------+
>          \           /
>           \         /
>            \       /
>             \     /
>            +------+
>            |User  |
>            |Agent |
>            +------+
>
> Example B
>
>             +---------+
>             |Registrar|
>             | S-CSCF  |
>             +---------+
>               /     \
>              /       \
>        +------+    +------+
>        |P-CSCF|    |P-CSCF|
>        +------+    +------+
>            / \     /  \
>           /   \   /    \          Home Network
>   -------/---- \-/------\-------
>         /      / \       \        Visited Network
>        /      /   \       \
>        +------+    +------+
>        |P-CSCF|    |P-CSCF|
>        +------+    +------+
>            \           /
>             \         /
>              \       /
>               \     /
>              +------+
>              |User  |
>              |Agent |
>              +------+
>
> Regards.
>
> -----Original Message-----
> From: Dan Wing [mailto:dwing at cisco.com]
> Sent: Tuesday, July 25, 2006 1:42 PM
> To: 'Geoff Devine'; DePietro, John; 'Pankaj Shroff'
> Cc: Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] VoIP Attack : How feasible
>
>
> > Doesn't this approach just create a registration storm when there is a
> > failure?
>
> No, you're registered at both proxies all the time. See section 3
> of the Internet Draft. It has a beautiful ASCII diagram:
>
>     +-------------------+
>     | Domain            |
>     | Logical Proxy/Reg |
>     |                   |
>     |+-----+     +-----+|
>     ||Host1|     |Host2||
>     |+-----+     +-----+|
>     +---\------------/--+
>          \          /
>           \        /
>            \      /
>             \    /
>            +------+
>            | User |
>            | Agent|
>            +------+
>
> > The I-CSCF/Routing proxy has to be told that each of the
> > clients moved to another edge proxy.
>
> That is necessary whenever a P-CSCF (edge proxy) dies, unless
> the "new" P-CSCF assumes the now-dead P-CSCF's identity (IP
> address). That can still be done with the scheme described
> in sip-outbound.
>
> -d
>
>
> > Geoff
> >
> > -----Original Message-----
> > From: Dan Wing [mailto:dwing at cisco.com]
> > Sent: Tuesday, July 25, 2006 12:46 PM
> > To: 'DePietro, John'; Geoff Devine; 'Pankaj Shroff'
> > Cc: Voipsec at voipsa.org
> > Subject: RE: [VOIPSEC] VoIP Attack : How feasible
> >
> > > Regarding, sip-outbound's approach. Do you have a
> > > description of this, draft-rfc or whitepaper?
> >
> > Sorry, I should have included a citation:
> > http://www.ietf.org/internet-drafts/draft-ietf-sip-outbound-04.txt
> >
> > -d