[VOIPSEC] VPNs and VoIP (was: Re: VoIP Attack : How feasible)
Michael Slavitch
slavitch at gmail.com
Fri Jul 28 20:21:45 CDT 2006
On 7/28/06, Volker Tanger <vtlists at wyae.de> wrote:
> Good evening!
>
> On Fri, 28 Jul 2006 17:50:14 -0400
> "Michael Slavitch" <slavitch at gmail.com> wrote:
>
> > IPSec deployments are dwarfed by PPTP implementations
>
> Sources? I've yet to see one PPTP implementation in real use (over here
Every MSFT VPN. I've yet to see an IPSec VPN used in a corporate
environment. Most VPN systems are pure commercial software.
> PPTP either just is password(MSCHAPv2)-based or on EAP-TLS certificates
> generated on the AD-Server - so nothing with "locally-generated". The
AD server. Local to the domain, no need for a CA. Local meaning local
behind the NAT.
> user-certificates have to be individually distributed, losing the
> "signon-from-any*" capacity that usually comes with SSO.
> What a pity.
Not true. Exactly not true in fact. See Kim Cameron's blog on that detail.
> > Single login / single signon / single identity isn't just a matter of
> > convenience, it's a matter of correct architecture.
>
> ...or in this case just monopoly.
That was how the monopoly was made. Novell almost had the monopoly
before and lost it.
> VPNs are workarounds to bring the SIP/H.323 protocols back into a
> protected/friendly network where you hope such forgings will not happen.
>
Indeed. Simplicity is better. SIP/H.323 had no solution. ICE is still
a pain. Session border controllers are useless and a pain. VPNs work
for all and are a simple easy commodity.
Why sniff?
> IAX/IAX2 and XARSIM both only use one single data stream for
> control channel and up-/downstream audio, making the protocols much
> easier to NAT. Skype seems to be similar.
Well, if you call a tunneled overlay similar. Skype's overlay is
mathematically similar to a VPN just with a different form of
addressing and a distributed connectivity table with no central
servers. Which is good.
> IAX (the Asterisk protocol) is designed to work client-server and
> server-server, is offering (static key) encryption (currently in
> alpha-stage) within the protocol, but lacking the nice decentralization
> of audio/video traffic - here all goes through the server, which can
> become a capacity problem for larger installations.
Nice, but too hard to deploy for the average person. Too much a
tech-enthusiast effort.
> In contrast to that XARSIM is working heavily decentralized and has
> reduced the "server" down to a simple lookup/YP function. It offers a
> simple yet effective Caller-ID authentication, end2end encryption and
> traffic decentralization - but just is starting to produce the first
> code.
Interesting. Useless unless it has hardware adoption or a 500 pound
gorilla backing it.
> Skype is - just proprietary. Works fine through NAT, but
> every other detail is off-limits. Server software is not available.
And not needed.
> The field still is wide open.
> Let the competition begin.
> May the best protocol win.
> ;-)
Actually, protocols are just the treaties. The best products win even
with bad protocols.
Cisco, MSFT, Oracle have all followed this path.