SPEERMINT Working Group                                     S. Niccolini
Internet-Draft                                                       NEC
Intended status: Informational                           August 29, 2006
Expires: March 2, 2007


                         VoIP Security Threats
                draft-niccolini-speermint-voipthreats-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.
   This document may not be modified, and derivative works of it may not
   be created, except to publish it as an RFC and to translate it into
   languages other than English.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 2, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).











Niccolini                 Expires March 2, 2007                 [Page 1]


Internet-Draft                VoIP Threats                   August 2006


Abstract

   This memo presents the different security threats related to VoIP.
   First, a taxonomy for the different types of security threats is
   defined.  Afterwards, the different instances of the threats are
   briefly analyzed following that taxonomy.  Finally, the existing
   security solutions in SIP and RTP/RTCP are presented to describe the
   countermeasures currently available for such threats.  The objective
   of this document is to identify and enumerate the VoIP threat vectors
   in order to specify security-related requirements specific to
   peering.  Once the requirements are identified, methods and solutions
   to meet them can be selected.


Table of Contents

   1.  Introduction

   2.  Taxonomy of VoIP Security Threats
     2.1.  Interception and Modification Threats
     2.2.  Interruption of Service Threats
     2.3.  Abuse of Service Threats
     2.4.  Social Threats

   3.  Overview of VoIP Security Solutions

   4.  Conclusions

   5.  Security Considerations

   6.  Acknowledgements

   7.  Informative References

   Author's Address
   Intellectual Property and Copyright Statements

















1.  Introduction

   With VoIP, the need for security is compounded because both the
   control plane and the data plane must be protected.  In a legacy
   telephone system, security is a more valid assumption:
   intercepting conversations requires either physical access to
   telephone lines or the compromise of Public Switched Telephone
   Network (PSTN) nodes or office Private Branch eXchanges (PBXs).
   Only particularly security-sensitive organizations bother to encrypt
   voice traffic over traditional telephone lines.  In contrast, the
   risk of sending unencrypted data across the Internet is more
   significant (e.g. DTMF tones corresponding to a credit card
   number).  An additional security threat to Internet Telephony comes
   from the fact that the signaling is sent over the same network as
   the multimedia data; traditional telephone systems keep the signaling
   network separate from the data network.  This increases the
   security threat, since a hacker could attack the signaling network
   and its servers with increased damage potential (call hijacking, call
   drop, DoS attacks, etc.).  Therefore, there is a need to
   investigate the different security threats and to highlight the
   solutions that avoid them.
































2.  Taxonomy of VoIP Security Threats

   A taxonomy of VoIP security threats has been defined in [1].  That
   taxonomy is very complete and also takes into account threats
   not caused by VoIP-specific technical reasons (e.g. loss of power).
   This section presents a similar taxonomy that reuses as much as
   possible from the referenced document but does not classify
   threats that cannot be traced back to technical reasons.
   The VoIP security threats can be divided into four main areas:

   o  Interception and Modification Threats;

   o  Interruption of Service Threats;

   o  Abuse of Service Threats;

   o  Social Threats.

2.1.  Interception and Modification Threats

   The interception threat results from the attacker's ability to
   intercept the signaling and/or the data.  The interception-only
   threat results in the attacker being able to use the intercepted data
   for malicious purposes.  Examples are:

   o  call pattern tracking - the attacker tracks the call patterns of
      the users;

   o  number harvesting - the attacker harvests numbers and/or user
      identities for calling such numbers/identities or for using
      spoofed identities;

   o  conversation reconstruction - the attacker reconstructs the
      conversation and/or additional data delivered with it (e.g.
      numbers transmitted with DTMF tones).

   The modification threat supposes that the attacker is able to modify
   the content of the intercepted packets, acting as a man in the
   middle.  In principle this threat affects both the signaling and the
   data, depending on the attacker's ability to intercept both.
   The interception and modification threat results in the attacker
   being able to modify the packets for malicious purposes.  Examples
   are:

   o  call black holing - the attacker intentionally drops essential
      packets (e.g.  INVITE) of the VoIP protocol, causing the call
      initiation to fail;







   o  call rerouting - the attacker redirects the packets on a different
      path in order to include unauthorized nodes in the path or to
      exclude authorized ones from it;

   o  conversation alteration - the attacker alters the packets in order
      to modify the conversation between two users;

   o  conversation degrading - the attacker intentionally drops a
      selection of packets or modifies their content with the
      objective of degrading the overall quality of the conversation.

2.2.  Interruption of Service Threats

   The interruption of service attacks are mainly aimed at
   compromising the availability of the service or deteriorating its
   quality level.  Interruption of service attacks can be specific
   either to the SIP protocol or to the RTP/RTCP protocol.  General
   interruption of service attacks not using VoIP-specific protocols are
   out of the scope of this document.  Examples of interruption of
   service attacks exploiting SIP-specific vulnerabilities are:

   o  SIP malformed requests and messages - the attacker tries to cause
      a crash or a reboot of the proxy/endpoint by sending SIP malformed
      requests and messages;

   o  SIP requests and messages flooding - the attacker tries to exhaust
      the resources of the proxy/endpoint by sending many SIP requests
      and messages;

   o  call hijacking - the attacker uses SIP messages (e.g. 301 Moved
      Temporarily) in order to hijack an existing call towards another
      proxy/endpoint; for the hijacking to be successful the attacker
      needs to replicate the proper SIP headers (To, From, Call-ID,
      CSeq);

   o  call tear down - the attacker uses SIP messages (e.g.  CANCEL/BYE)
      in order to tear down an existing call; for the tear down to be
      successful the attacker needs to replicate the proper SIP
      headers (To, From, Call-ID, CSeq).

   Examples of RTP/RTCP protocol specific interruption of service
   attacks exploiting RTP/RTCP-specific vulnerabilities are:

   o  RTP/RTCP malformed messages - the attacker tries to cause a crash
      or a reboot of the proxy/endpoint by sending RTP/RTCP malformed
      messages;






   o  RTP/RTCP messages flooding - the attacker tries to exhaust the
      resources of the proxy/endpoint by sending many RTP/RTCP
      messages;

   o  RTP/RTCP session tear down - the attacker uses RTCP messages (e.g.
      BYE) in order to tear down an existing call at the RTP layer; the
      SIP layer will not notice that the RTP flow has been torn down and
      the call will not appear as released;

   o  RTP/RTCP QoS degradation - the attacker sends wrong RTCP reports
      advertising more packet loss or more jitter than actually
      experienced, resulting in the use of a poor quality codec that
      degrades the overall quality of the call experience.

   In principle such attacks do not need interception of any packet in
   order to be performed (they could be done by simple guessing), but
   some of these attacks (e.g. call hijacking, RTP/RTCP session tear
   down, etc.) benefit from call-specific information retrieved by
   intercepting SIP/RTP/RTCP packets.
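
   The call tear down case above relies on a BYE that replicates the
   dialog's To, From, Call-ID and CSeq.  As an added example (not part
   of this draft), the Python code below tracks dialogs and checks each
   BYE against that state.  The DialogMonitor name, the sample messages
   and the addresses are constructed, and the code assumes a monitoring
   point that sees each dialog's two signaling peers directly.

```python
import re

TAG = re.compile(r";tag=([^;>\s]+)")

def parse(raw):
    """Extract the dialog-identifying fields of a SIP request or response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    first = lines[0].split(" ")
    hdr = {k.strip().lower(): v.strip()
           for k, _, v in (line.partition(":") for line in lines[1:])}
    tags = [(TAG.findall(hdr[h]) or [None])[0] for h in ("from", "to")]
    num, cseq_method = hdr["cseq"].split()
    is_response = first[0].startswith("SIP/")
    return {"method": None if is_response else first[0],
            "status": int(first[1]) if is_response else None,
            "call_id": hdr["call-id"], "from_tag": tags[0], "to_tag": tags[1],
            "cseq": int(num), "cseq_method": cseq_method}

class DialogMonitor:
    def __init__(self):
        self.dialogs = {}  # Call-ID -> peers, tags, last CSeq per sender tag

    def observe(self, src, dst, raw):
        """Return a verdict for one observed message (src/dst are IP strings)."""
        m = parse(raw)
        d = self.dialogs.get(m["call_id"])
        if m["method"] == "INVITE" and d is None:
            self.dialogs[m["call_id"]] = {"peers": {src, dst}, "tags": {m["from_tag"]},
                                          "last_cseq": {m["from_tag"]: m["cseq"]}}
            return "dialog-start"
        if d and m["status"] == 200 and m["cseq_method"] == "INVITE":
            d["tags"].add(m["to_tag"])        # learn the callee's tag
            return "dialog-confirmed"
        if m["method"] != "BYE" or d is None:
            return "not-tracked"
        if {m["from_tag"], m["to_tag"]} != d["tags"]:
            return "tag-mismatch"
        if src not in d["peers"]:
            return "unexpected-source"
        # In-dialog requests must carry a CSeq above the sender's previous one.
        if m["cseq"] <= d["last_cseq"].get(m["from_tag"], 0):
            return "stale-cseq"
        del self.dialogs[m["call_id"]]
        return "ok"

def sip(first_line, cseq, to_tag=None, from_tag="a1", call_id="c1@ua.example.com"):
    to = "<sip:bob@example.net>" + (f";tag={to_tag}" if to_tag else "")
    return (f"{first_line}\r\nFrom: <sip:alice@example.com>;tag={from_tag}\r\n"
            f"To: {to}\r\nCall-ID: {call_id}\r\nCSeq: {cseq}\r\n\r\n")

# Constructed traffic (documentation addresses): (source, destination, message)
ALICE, BOB, OTHER = "192.0.2.10", "198.51.100.20", "203.0.113.66"
BYE = "BYE sip:bob@example.net SIP/2.0"
SAMPLE = [
    (ALICE, BOB, sip("INVITE sip:bob@example.net SIP/2.0", "1 INVITE")),
    (BOB, ALICE, sip("SIP/2.0 200 OK", "1 INVITE", to_tag="b2")),
    (OTHER, BOB, sip(BYE, "2 BYE", to_tag="b2")),  # replicated headers, third party
    (ALICE, BOB, sip(BYE, "1 BYE", to_tag="b2")),  # CSeq not above the INVITE's
    (ALICE, BOB, sip(BYE, "2 BYE", to_tag="b2")),  # legitimate tear down
]

def run(sample=SAMPLE):
    monitor = DialogMonitor()
    return [monitor.observe(*event) for event in sample]
```

   A source address can be forged on connectionless transports, so
   these checks are a detection heuristic; the authentication
   mechanisms of Section 3 are the actual countermeasure.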

2.3.  Abuse of Service Threats

   In the abuse of service attacks, services are improperly used for the
   purpose of committing fraud or reducing billing.  Examples of abuse
   of service attacks are:

   o  identity theft - the attacker uses the identity of the owner
      without the owner's consent in order to mask his real identity
      when committing fraud (e.g. when calling, the attacker can have
      the bill charged to the identity owner, the attacker can use the
      identity to bypass call blocking, etc.);

   o  service volume fraud - the attacker injects more traffic into the
      network than declared in the session request in order to
      avoid paying for the used resources;

   o  session replay - the attacker replays a past session of another
      user in order to have access to the same resources (e.g. a bank
      account, etc.).

2.4.  Social Threats

   False presentation of information and unwanted contact are
   the only social threats that can be traced back to a technical
   background in the case of VoIP.  Examples are:

   o  false presentation of identity/authority/rights/content - the
      attacker presents false or misleading credentials in order to gain
      a social advantage out of it;

   o  unwanted lawful/unlawful contact - the attacker contacts the
      victim for unlawful or lawful purposes (e.g. extortion,
      telemarketing, etc.).  Please note that unwanted lawful contact in
      the case of VoIP is also referred to as SPam over Internet
      Telephony (SPIT); SPIT discussion is excluded by the SPEERMINT
      working group per charter.













































3.  Overview of VoIP Security Solutions

   This section presents the VoIP security features currently
   standardized or under standardization in order to give an overview of
   the building blocks needed to counter the VoIP security threats
   detailed in this draft.  The technology to secure VoIP can be divided
   into three main areas as follows:

   o  Authentication/Authorization;

   o  Encryption;

   o  Identity management.

   Authentication is needed to determine who the sender of a
   specific packet was.  Authentication can take place between different
   entities or end-to-end:

   o  from client to server - Digest authentication [2] or mutual
      Transport Layer Security (TLS) [3];

   o  from server to server - mutual Transport Layer Security (TLS);

   o  from server to client - Transport Layer Security (TLS);

   o  end-to-end - S/MIME [4].

   All solutions require some kind of trust relationship (i.e. shared
   secrets or certificate authorities).
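
   The client-to-server Digest authentication [2] listed above follows
   the HTTP Digest scheme of RFC 2617.  As an added example (not part of
   this draft), the Python code below computes the qop=auth response and
   verifies it on the server side, rejecting a reused nonce count, which
   is the session replay case of Section 2.3.  The DigestVerifier name,
   user, password and nonce are constructed for illustration.

```python
import hashlib
import hmac


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for qop=auth with the MD5 algorithm."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server side: checks a response and rejects reuse of a nonce count."""

    def __init__(self, realm, passwords):
        self.realm, self.passwords = realm, passwords
        self.nonces = {}                  # issued nonce -> highest nc accepted

    def challenge(self, nonce):
        self.nonces[nonce] = 0            # nonce generation is out of scope here
        return nonce

    def verify(self, method, c):
        if c["nonce"] not in self.nonces:
            return "unknown-nonce"
        password = self.passwords.get(c["username"])
        if password is None or c["realm"] != self.realm:
            return "bad-credentials"
        expected = digest_response(c["username"], c["realm"], password, method,
                                   c["uri"], c["nonce"], c["nc"], c["cnonce"])
        if not hmac.compare_digest(expected, c["response"]):   # constant-time compare
            return "bad-credentials"
        nc = int(c["nc"], 16)
        if nc <= self.nonces[c["nonce"]]:  # same or older count: a replayed request
            return "replay"
        self.nonces[c["nonce"]] = nc
        return "ok"


def demo():
    """Constructed REGISTER exchange: first use, replay, then a forged response."""
    server = DigestVerifier("example.com", {"alice": "constructed-secret"})
    nonce = server.challenge("constructed-nonce-0001")
    creds = {"username": "alice", "realm": "example.com", "uri": "sip:example.com",
             "nonce": nonce, "nc": "00000001", "cnonce": "c0ffee01"}
    creds["response"] = digest_response("alice", "example.com", "constructed-secret",
                                        "REGISTER", creds["uri"], nonce,
                                        creds["nc"], creds["cnonce"])
    first = server.verify("REGISTER", creds)
    replayed = server.verify("REGISTER", creds)
    forged = server.verify("REGISTER", dict(creds, nc="00000002", response="0" * 32))
    return first, replayed, forged


if __name__ == "__main__":
    print(demo())
```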

   Encryption is needed to protect the content of the packets from being
   read by parties other than the intended recipients of such packets.
   Encryption follows the same paradigm as authentication and can be
   done either on a hop-by-hop or on an end-to-end basis.  On a
   hop-by-hop basis TLS is used (TLS creates an authenticated,
   encrypted, integrity-checked channel).  On an end-to-end basis S/MIME
   is used to sign and encrypt portions of the SIP body.  At the media
   level, end-to-end encryption is possible using SRTP [5] to protect
   RTP/RTCP media (audio, video).  Currently there is a discussion in
   the IETF about the requirements for SRTP media keying, which is still
   an open issue.  Other solutions that provide encryption and integrity
   are lower-layer ones like IPsec, which is done hop-by-hop.

   Identity management is also an important piece of the security
   framework in SIP [6].  The objective of the identity framework is to
   give technical means to assess user identity in a secure manner.  It
   requires strong cryptographic assertions, but it represents the most
   promising approach to enable further security solutions that need
   to assume strongly authenticated identities.
   Please note that other techniques could also be used to counter VoIP
   security threats; techniques that constitute stand-alone
   solutions and that do not need standardization work are left out of
   the scope of this document.  It is left open for discussion which
   other security techniques to include in this section.














































4.  Conclusions

   This memo presented a taxonomy for the different types of VoIP
   security threats.  The multiple instances of the threats were also
   presented with a brief explanation.  Finally, the existing security
   solutions in VoIP were presented to describe the countermeasures
   currently available for such threats.  The objective of this document
   is to identify and enumerate the VoIP threat vectors in order to
   specify security-related requirements specific to peering.  Once the
   requirements are identified, methods and solutions to meet them can
   be selected.










































5.  Security Considerations

   This memo is entirely focused on the security threats for VoIP.


















































6.  Acknowledgements

   This memo takes inspiration from VOIPSA VoIP Security and Privacy
   Threat Taxonomy.  The author would like to thank VOIPSA for having
   produced such a comprehensive taxonomy which is the starting point of
   this draft.  The author would also like to thank Cullen Jennings for
   the useful slides presented at the VoIP Management and Security
   workshop.













































7.  Informative References

   [1]  "VOIPSA VoIP Security and Privacy Threat Taxonomy",
        October 2005.

   [2]  Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A.,
        Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP:
        Session Initiation Protocol", RFC 3261, June 2002.

   [3]  Dierks, T. and E. Rescorla, "The TLS Protocol Version 1.2",
        draft-ietf-tls-rfc4346-bis-01.txt (work in progress), June 2006.

   [4]  Ramsdell, B., "Secure/Multipurpose Internet Mail Extensions
        (S/MIME) Version 3.1 Message Specification", RFC 3851,
        July 2004.

   [5]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
        Norrman, "The Secure Real-time Transport Protocol (SRTP)",
        RFC 3711, March 2004.

   [6]  Peterson, J. and C. Jennings, "Enhancements for Authenticated
        Identity Management in the Session Initiation Protocol (SIP)",
        draft-ietf-sip-identity-06.txt (work in progress), October 2005.






























Author's Address

   Saverio Niccolini
   Network Laboratories, NEC Europe Ltd.
   Kurfuersten-Anlage 36
   Heidelberg  69115
   Germany

   Phone: +49 (0) 6221 4342 118
   Email: saverio.niccolini@netlab.nec.de
   URI:   http://www.netlab.nec.de










































Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).




