[VOIPSEC] Session Border Controller use

Hadriel Kaplan HKaplan at acmepacket.com
Fri Jun 23 19:23:03 BST 2006


Hi again, comments inline...

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> 
> I am not really sure I understand this reasoning. Why would be hacking
> an SBC less dangerous than hacking the gateway. If I manage to bring
> the gateway down then all communication with PSTN through this gateway
> will be impossible. But the provider usually has a lot of other gateways
> to chose
> from, so this does not sound terribly dangerous. 

This is a nit, but if you gain control of a gateway you could do much better
than take it down - you could use it for financial gain.  Taking it down
would be detected fast; fraudulent use typically takes much longer to
detect, and it's money.  But obviously taking a gateway down is a lot easier
to accomplish than controlling it.  

> If I manage to bring
> the SBC down, then the whole SIP service behind it (proxies and
> gateways) will be useless and I would assume that there will be less
> SBCs deployed than gateways.

Yup, typically there are fewer SBCs than gateways - but not just one active
SBC.  All the ones I know of also have full redundancy at each SBC access
point, for both signaling and media, so the service and active sessions
aren't "down" for more than the milliseconds it takes them to switch, at
even the one.  And they also protect the proxies/registrars/softswitches,
and usually there are more SBCs than those.

But sure if you can hack your way into them it's possible you could hack
your way to break the local redundancy too, or who knows what else.  But
that's why the SBC vendors focus on preventing such things.  And that's a
big difference.  Of course every gateway, media-server, proxy, app server,
registrar, etc. could be "hardened", audited, monitored, etc.  But that's
much harder to practically do and requires those vendors to focus on such
things.  They don't, typically.  Just like in an Enterprise, where every PC
and server could be, but people still use firewalls for a multi-layered
defense.

Then there's the DoS/DDoS aspect, especially flood attacks.  SBCs in the
service provider market typically(?) employ hardware-based mechanisms to
stop them.  No software-based device can get near the volume of DDoS flood
that a hardware-based implementation can stop.  (on a side note, your
software happens to be very good at handling it for a software-based
implementation, I've found)  


[snipped out stuff about policing media based on codec of call, and qos
monitoring]
> What is the practical gain of all of this? I was under the impression
> that ISPs are in the business of selling traffic and not limiting it.
> >From a user perspective if my VoIP provider
> prohibits me from using video telephony in addition to voice then I
> will make sure to get another VoIP provider.

ISPs (Internet SP) are in the business of selling bandwidth.  If they want
to charge more for premium/priority traffic, then they need a way to police
that.  VSPs (voip SPs) are in the business of selling services.  And there
are hybrids all in between.  The point, though, is that they are all in
business to make money.  If they want to charge you a flat fee to just route
SIP signaling, that's cool.  If they want to charge you per call, or
differently for voice than video, or based on your bandwidth usage - then
they can.  Or if they want to just monitor the quality of your call, they
can.  It's all under their control, to follow whatever business model they
want.  If your voip provider doesn't give you what you want, then you are
free to switch providers - that's under your control.

-hadriel





More information about the Voipsec mailing list