Awesome
4813 posts

Uber Geek
+1 received by user: 1062

Trusted
Subscriber

Topic # 120956 19-Jun-2013 16:29

Hoping someone here with more VoIP knowledge than me can help me out.

I understand that incoming calls on SIP URIs is a security problem and leads to annoying no-voice calls because there is no verification. I've been trying to Google and find some more info on the extent of the problem, or possible solutions - but I can't seem to find much at all (suggesting it's maybe not as big an issue as I was thinking?)

Does anyone have any good info you can share?

I really like the idea of using an email address like format user@service kind of thing as an eventual phone number replacement - and SIP can do this now as we know. But is there a solution that solves the issue of rogue incoming calls?




Twitter: ajobbins


3344 posts

Uber Geek
+1 received by user: 1089

Trusted
Vocus

Reply # 839638 19-Jun-2013 17:16

The best way is to firewall off everything except for your provider's SIP proxy/proxies from contacting your device on whatever port it's using for SIP.  That should do the trick.

De-centralised SIP sounds great in theory, but the way that it's replaced telephony means that people are just used to dialling numbers.  Also as you say, there's just no security inherent in the protocol (and no way for providers to bill...)



Awesome
4813 posts

Uber Geek
+1 received by user: 1062

Trusted
Subscriber

Reply # 839658 19-Jun-2013 17:34

Yeah but restricting to only a SIP provider kind of defeats the point, especially as most of them only allow incoming SIP URL dialling.

Providers wouldn't have a right to bill because the calls would be P2P and a SIP provider wouldn't be used.

What I'm struggling with is finding any info online about URI dialling security. When I Google things like 'how secure is SIP URI dialling', 'SIP URI dialling security', 'risks SIP URI' etc. etc. I get plenty of hits of guides for making it work, getting the DNS set up, Asterisk configured etc. but basically nothing talking about issues or risks of doing it.

It's like the problem doesn't exist (when we know it does).




Twitter: ajobbins


3673 posts

Uber Geek
+1 received by user: 1384

Subscriber

Reply # 839698 19-Jun-2013 18:27

If you open up your SIP device to the net it is only a matter of time until a botnet will find it and start flooding it with INVITEs, which will lead to the device being crippled.
As mentioned above, it is a nice idea but just not practical.

It is a very real risk. Google SIP attacks or something like that.

3344 posts

Uber Geek
+1 received by user: 1089

Trusted
Vocus

Reply # 839705 19-Jun-2013 18:38

ajobbins: Yeah but restricting to only a SIP provider kind of defeats the point, especially as most of them only allow incoming SIP URL dialling.

Providers wouldn't have a right to bill because the calls would be P2P and a SIP provider wouldn't be used.

What I'm struggling with is finding any info online about URI dialling security. When I Google things like 'how secure is SIP URI dialling', 'SIP URI dialling security', 'risks SIP URI' etc. etc. I get plenty of hits of guides for making it work, getting the DNS set up, Asterisk configured etc. but basically nothing talking about issues or risks of doing it.

It's like the problem doesn't exist (when we know it does).


It's the same way that email has no security as far as who can email who.  They are based on the same principles of "trust everyone implicitly".

The thing is, we have SBCs to control security.  So SIP endpoints, PABXs etc generally speaking, just accept whatever they're fed.  Most have the ability to have an ACL of which proxies they will listen to but that's the limit of it.  And they should in most cases only respond to calls to configured users.

There's no concept in SIP of authorization in a peer-to-peer environment.  Much like any other protocol.

This is why we have SIP providers, SIP proxies, SIP registrars, SBCs and the like :)
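The controls the last few replies describe (only the provider's proxies may reach the SIP port, only answer calls to configured users, and drop INVITE floods rather than process them) as an added Python sketch; this is not code from any poster or from any SIP product, and the proxy ranges, user names and rate limit are constructed placeholders.

```python
import re
import time
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed policy (assumed values, not from the thread): the provider's SIP
# proxy ranges, the users this endpoint actually serves, and an INVITE budget.
TRUSTED_PROXIES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.10/32")]
CONFIGURED_USERS = {"alice", "bob"}
MAX_INVITES_PER_WINDOW = 5
WINDOW_SECONDS = 10.0

_invite_log = defaultdict(deque)  # source IP -> timestamps of recent INVITEs

def parse_request_line(msg):
    """Return (method, request_uri) from the first line of a SIP request."""
    first = msg.split("\r\n", 1)[0]
    m = re.match(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0$", first)
    return (m.group(1), m.group(2)) if m else (None, None)

def uri_user(uri):
    """User part of a sip:/sips: URI, e.g. sip:alice@pbx.example.net -> alice."""
    m = re.match(r"^sips?:([^@;]+)@", uri)
    return m.group(1) if m else None

def screen_request(src_ip, msg, now=None):
    """Decide whether to hand a request to the SIP stack; returns (allowed, reason)."""
    now = time.time() if now is None else now
    method, uri = parse_request_line(msg)
    if method is None:
        return False, "malformed request line"
    # 1. Only the provider's proxies may reach the SIP port at all (the ACL / firewall rule).
    if not any(ip_address(src_ip) in net for net in TRUSTED_PROXIES):
        return False, "source not a trusted proxy"
    if method == "INVITE":
        # 2. Only answer calls for users that are actually configured here.
        if uri_user(uri) not in CONFIGURED_USERS:
            return False, "no such configured user"
        # 3. Per-source sliding window so an INVITE flood is dropped, not processed.
        q = _invite_log[src_ip]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        q.append(now)
        if len(q) > MAX_INVITES_PER_WINDOW:
            return False, "INVITE rate limit exceeded"
    return True, "ok"

# Constructed sample messages (headers trimmed), not captured traffic.
GOOD_INVITE = "INVITE sip:alice@pbx.example.net SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.5\r\n\r\n"
BAD_USER_INVITE = "INVITE sip:1000@pbx.example.net SIP/2.0\r\nVia: SIP/2.0/UDP 203.0.113.5\r\n\r\n"
```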



Awesome
4813 posts

Uber Geek
+1 received by user: 1062

Trusted
Subscriber

Reply # 839706 19-Jun-2013 18:38

I guess it's similar to email servers and spam. SIP URI needs a solution to verify that the calling (sending) party is who they say they are and are authorised to make the call.




Twitter: ajobbins


5288 posts

Uber Geek
+1 received by user: 2314

Trusted
Lifetime subscriber

Reply # 839719 19-Jun-2013 18:54

Skype pretty much does what you are trying to do to a certain extent.




Chorus has spent $1.4 billion on making their xDSL broadband network faster. If you're still stuck on ADSL or VDSL, why not spend from $150 on a master filter install to make sure you are getting the most out of your connection?
I install - Naked DSL, DSL Master Splitters, VoIP, data cabling and general computer support for home and small business.
Rural Broadband RBI installer for Ultimate Broadband and Full Flavour

 

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com


3344 posts

Uber Geek
+1 received by user: 1089

Trusted
Vocus

Reply # 839720 19-Jun-2013 18:57

ajobbins: I guess it's similar to email servers and spam. SIP URI needs a solution to verify that the calling (sending) party is who they say they are and are authorised to make the call.


SIP Softswitches do this, at least for their subscribers.  We still have to somewhat "trust" other providers though.

For direct calling, it is possible to share a secret and use that for authorization.

I can't see why some variant of SPF or DKIM couldn't be applied, but to my knowledge nothing like that is widely implemented in SIP UAs.
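The shared-secret authorization mentioned above, worked through as an added Python example (not code from any poster): SIP's standard mechanism for this is the HTTP Digest challenge in RFC 3261 section 22, where the callee answers an unauthenticated INVITE with a 401 carrying a realm and nonce, and the caller re-sends with a response hash derived from the shared password. The realm, user names and passwords below are constructed placeholders.

```python
import hashlib
import secrets

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_challenge(realm):
    """UAS side: parameters for the WWW-Authenticate header in the 401 reply."""
    return {"realm": realm, "nonce": secrets.token_hex(16)}

def digest_response(username, password, realm, nonce, method, uri):
    """UAC side: RFC 3261 Digest (no qop) response = MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def verify_authorization(creds_db, issued_nonces, auth):
    """UAS side: recompute the response from the stored secret and compare.
    auth holds the Authorization parameters: username, realm, nonce, uri, method, response."""
    pw = creds_db.get(auth["username"])
    if pw is None or auth["nonce"] not in issued_nonces:
        return False  # unknown caller, or a nonce we never issued / already consumed
    issued_nonces.discard(auth["nonce"])  # single use, so a captured header cannot be replayed
    expected = digest_response(auth["username"], pw, auth["realm"],
                               auth["nonce"], auth["method"], auth["uri"])
    return secrets.compare_digest(expected, auth["response"])

def simulate_direct_call(creds_db, username, password, uri):
    """Whole exchange: INVITE -> 401 challenge -> INVITE with Authorization."""
    challenge = make_challenge("pbx.example.net")  # constructed realm
    issued = {challenge["nonce"]}
    response = digest_response(username, password, challenge["realm"],
                               challenge["nonce"], "INVITE", uri)
    auth = {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "method": "INVITE", "response": response}
    return verify_authorization(creds_db, issued, auth)
```

Both sides must already hold the password, which is exactly the provisioning step that works for a provider's subscribers but does not exist between two arbitrary SIP URIs on the open internet.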
