[VOIPSEC] VoIP Attack : How feasible
Volker Tanger
vtlists at wyae.de
Fri Jul 28 13:05:56 CDT 2006
On Fri, 28 Jul 2006 15:34:19 +0800
Simon Horne <s.horne at packetizer.com> wrote:

> VPNs do not provide end to end authentication.

Maybe if you are using net2net VPNs - if using host2host (end2end)
VPNs, then they do. At least for the IP connection, that is.

> VPNs do not provide end to end encryption.

See above.

> VPNs do not provide efficient NAT Traversal.

If using UDP-encapsulated IPSec or OpenVPN, they do. It's just plain UDP
traffic then, no problem to NATify in any way.

> traversing NAT which excludes methods like UPnP from being a
> functional solution

*ahem* UPnP is not a functional solution for quite a lot of stuff
it does. It is especially unusable for corporate environments - with
UPnP-enabled "firewalls" any client can configure any port-forwarding
from outside to inwards which is exactly what you do not want on a
corporate firewall.

> In 10 years of VoIP NAT and security development and after truckloads
> of publicized RFC's and white papers why are we still talking about
> VPN's? Surely there must be better solutions that can be deployed
> today. There is, just they are not available in SIP.

...or any other VoIP protocols that rely on symmetric RTP as transport
mechanism (which needs helper protocols and stuff for NATability).

Bye

Volker
--
Volker Tanger http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists at wyae.de PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB