[VOIPSEC] RTP cross-talk; RE: maybe vulnerability at sjphone

Ari Takanen voipsa at codenomicon.com
Wed Dec 5 06:54:42 CST 2007


You do not necessarily need to be a man in the middle, as most RTP
implementations will happily parse any RTP injection. Fortunately
there are some good implementations also. For details, see the
experiments by Christian at:

http://www.ee.oulu.fi/research/ouspg/protos/sota/SSI2006-rtp/

Best regards,

/Ari

On Wed, Dec 05, 2007 at 01:09:42PM +0100, Schwarz Albrecht wrote:
> This might be the well-known RTP cross-talk problem, which is documented
> for H.248-controlled RTP endpoints in H.Sup5, see clause 5 wrt A, B &
> C parties:
> 
> http://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-H.Sup5-200611-I!!PDF-E&type=items
>  
> The problem as such is related to transient effects in resource
> management of RTP resources. I.e. also relevant for SIP, MGCP controlled
> RTP endpoints as well.
> 
> Albrecht
> 
> 
> > -----Original Message-----
> > From: voipsec-bounces at voipsa.org 
> > [mailto:voipsec-bounces at voipsa.org] On Behalf Of Diana Cionoiu
> > Sent: Wednesday, 5 December 2007 12:11
> > To: Sharon Laiv
> > Cc: voipsec at voipsa.org
> > Subject: Re: [VOIPSEC] maybe vulnerability at sjphone
> > 
> > Hi Sharon,
> > 
> > But this doesn't really help since you can only do that if 
> > you are a man in the middle, and if you are a man in the 
> > middle you can replace the RTP anyway.
> > Anyway this kind of behavior is normal because all those SIP 
> > fans believe that RTP should come from anywhere and it should 
> > go to anywhere.
> > 
> > Diana
> > 
> > 
> > Sharon Laiv wrote:
> > > hi all,
> > >  
> > > I just did the following experiment: 
> > > I did a regular SIP call between 2 SJPhones (latest release), let's say
> > > from IP A to IP B.
> > >  
> > > While in a call, I stopped sending RTP from B to A.
> > > Then I started sending RTP from C to A (C is not known to A and was no
> > > part of the signaling at all...).
> > >  
> > > As a result, A started to get and render the RTP stream from C and
> > > changed its RTP stream to C!!!
> > >  
> > > So without any difficulty I have stolen the stream from A to B....
> > > (I guess this is a symmetric RTP like feature that is aimed to help
> > > the crossing of NATs)
> > >  
> > > any comments?
> > >  
> > >
> > >  
> > > Thanks,
> > > Sharon
> > > _______________________________________________
> > > Voipsec mailing list
> > > Voipsec at voipsa.org
> > > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

-- 
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                       Codenomicon Ltd.
ari.takanen at codenomicon.com       Tutkijantie 4E
tel: +358-40 50 67678             FIN-90570 Oulu
http://www.codenomicon.com        Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
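
An added example, not part of the original thread or of any implementation discussed in it: a receiver-side source check that ignores the stream injected from C in the experiment quoted above. The class and function names, the addresses, the SSRC values and the strict SSRC rule are assumptions made for illustration.

```python
import struct

def parse_rtp(pkt):
    """Return (payload_type, seq, timestamp, ssrc), or None if not RTP version 2."""
    if len(pkt) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    return (b1 & 0x7F, seq, ts, ssrc) if b0 >> 6 == 2 else None

class PinnedRtpReceiver:
    """Policy sketch (assumption): media is accepted only from the peer address
    taken from signaling, or latched once from the first valid packet for NAT."""
    def __init__(self, signaled_peer=None):
        self.peer = signaled_peer   # (ip, port); None = latch on first packet
        self.ssrc = None
        self.dropped = []           # (source, reason) pairs to log or alert on

    def accept(self, src, pkt):
        hdr = parse_rtp(pkt)
        if hdr is None:
            self.dropped.append((src, "malformed"))
            return False
        if self.peer is None:
            self.peer = src         # one-time latch, never re-latched mid-call
        if src != self.peer:
            self.dropped.append((src, "unexpected source"))
            return False
        if self.ssrc is None:
            self.ssrc = hdr[3]
        elif hdr[3] != self.ssrc:   # strict choice here; renegotiate via signaling
            self.dropped.append((src, "unexpected SSRC"))
            return False
        return True

def rtp(seq, ssrc):
    """Build a constructed RTP v2 packet: PT 0, 160 bytes of payload."""
    return struct.pack("!BBHII", 0x80, 0, seq, seq * 160, ssrc) + b"\xff" * 160

# Constructed addresses (documentation ranges) for parties B and C of the thread.
B = ("192.0.2.20", 40000)
C = ("198.51.100.30", 40000)

def replay_thread_scenario(receiver):
    """B sends, B goes silent, C injects, B resumes; returns accept decisions."""
    return [receiver.accept(B, rtp(1, 0x1111)),
            receiver.accept(C, rtp(2, 0x2222)),
            receiver.accept(B, rtp(3, 0x1111))]

if __name__ == "__main__":
    rx = PinnedRtpReceiver(signaled_peer=B)
    print(replay_thread_scenario(rx), rx.dropped)
```

Pinning the source only stops injection from other addresses; a sender who can spoof B's address and SSRC still passes this check, which is the gap that authenticated media (SRTP) closes.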



