[VOIPSEC] VoIP Attack : How feasible

Satyam Tyagi styagi at sipera.com
Fri Jul 28 14:04:43 CDT 2006


Inline

Thanks,
Satyam

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Volker Tanger
Sent: Friday, July 28, 2006 1:06 PM
To: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] VoIP Attack : How feasible

On Fri, 28 Jul 2006 15:34:19 +0800
Simon Horne <s.horne at packetizer.com> wrote:

> VPNs do not provide end to end authentication.

Maybe if you are using net2net VPNs - if using host2host (end2end)
VPNs, then they do. At least for the IP connection, that is.


[Satyam] Host-to-host still does not authenticate app-to-app or, to take it
another level, user-to-user. I can see a case where a user authenticates the
host using a VPN client using one set of credentials and the soft client using
a different set of credentials. I think you still need at least app-to-app
authentication, if not user-to-user. At least some mechanism of passing host
credentials to different apps if these are tied together. I don't think they
should necessarily be tied together; I could see a case where a user may
want to run multiple app instances in the same VPN channel.


> VPNs do not provide end to end encryption.

See above.


> VPNs do not provide efficient NAT Traversal.

If using UDP-encapsulated IPSec or OpenVPN, they do. It's just plain UDP
traffic then, no problem to NATify in any way.


> traversing NAT which excludes methods like UPnP from being a
> functional solution

*ahem*  UPnP is not a functional solution for quite a lot of stuff
it does. It is especially unusable for corporate environments - with
UPnP-enabled "firewalls" any client can configure any port-forwarding
from outside to inwards which is exactly what you do not want on a
corporate firewall.


> In 10 years of VoIP NAT and security development and after truckloads
> of  publicized RFC's and white papers why are we still talking about
> VPN's?  Surely there must be better solutions that can be deployed
> today. There is,  just they are not available in SIP.

...or any other VoIP protocols that rely on symmetric RTP as transport
mechanism (which needs helper protocols and stuff for NATability).

Bye

Volker


-- 

Volker Tanger    http://www.wyae.de/volker.tanger/
--------------------------------------------------
vtlists at wyae.de                    PGP Fingerprint
378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
