Re: [Openh323gk-users] Calling Party Number Authentication - Walkthru

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Mark,

Basically CLID is, or can be, a user generated peice of information.
If you were to dig down deep into the protocols (Q.931 ISDN & SS7 ISUP)
you would find that CLID is a more complicated information element
than just a digit string.  One indicator is:

	Screening indicator (octet 3a)

	Bits
	2 1
        ----
	0 0   User-provided, not screened
	0 1   User-provided, verified and passed
	1 0   User-provided, verified and failed
	1 1   Network provided

	NOTE 8 - The meaning and the use of this field is defined in
	         clause 3/Q.951 and clause 4/Q.951.

So if I were to want to authenticate on this information I would be 
interested in knowing where it came from.  You might want to only
accept those that were "Network provided".

Here's the scenario; you have a business which has many, many telephones 
behind their PBX.  They elect to give most of these telephones a dialable
number so the telephone company gives them a range of numbers, say 
555-1000 to 555-1999.  These are reachable over a much smaller number of
channels on the trunking to the central office.  When a call comes in for
one of these numbers the telephone company transmits the number dialed so
that the PBX can know where to route that call.  Now when an outgoing call 
is made if the CLID is to have that telephone's dialable number appear
teh PBX will have to inform the telephone company's network which number
it is.  This is an example of a "User-provided" case.

Now if everything is the way the telephone Gods intended the telephone
company switch will compare that number against the list of assigned 
numbers and if it matches set the Screening Indicator to "User-provided,
verified and passed".  If it doesn't pass it can either reject the call
or allow it to proceed but set it to "User-provided, verified and failed".
If they don't bother to screen it it should be marked "User-provided, 
not screened".

The reality is that many )(most?) telephone companies don't do much of 
any of this.  I think BT does, I know Telus do, I know Bell Canada don't.

Now even if it were a perfect world you still are assuming that "Network
Provided" is gospel truth.  Well you have to think about who runs all
the telephone network in the path of the call.  Any of them can be either
corrupt or insecure.

Years ago this stuff wasn't very accessable.  Today you've got thousands 
of VoIP gateways out there.  People are passing calls around the Internet 
and bridging them to PSTN ISDN trunks all over the place.  CLID is a
mess.  I just received a call from Japan with a CLID of 135..... what is
that supposed to be?  

So caveat emptor.

	-Vance


On Tue, Aug 12, 2003 at 04:59:28PM +1200, Mark Frater wrote:
}  > Date: Mon, 11 Aug 2003 13:42:59 -0400
}  > From: Vance Shipley <vances@motivity.ca>
}  > >
}  > Folks,
}  >
}  > You should be aware that CLID is inherently insecure.
}  > You are probably safe to use it as long as the risk
}  > is not great.  If the rewards become large enough
}  > someone will abuse it.
}  >
}  > -Vance
}  
}  Can you elaborate? As you will see from my original post, I noted that CLID is
}  configurable for any Endpoint, therefore we have combined CLID authentication
}  with a required AliasAuth. Also, we have the Endpoint Alias being passed to the
}  radius server in the Username field.
}  
}  So, the Endpoint MUST register from a given IP, the ARQ MUST come from that
}  Endpoint for the Username to match in Radius, and the CLID MUST match a given
}  Calling-Station-Id for that Username in radius.
}  
}  So effectively, we are using a combination of IP and h323Alias and CLID for
}  authentication.
}  Short of IP Spoofing to get around the AliasAuth, what other "inherently
}  insecurities" for abuse can you see?
}  
}  Mark
}  
}  
}  
}  -------------------------------------------------------
}  This SF.Net email sponsored by: Free pre-built ASP.NET sites including
}  Data Reports, E-commerce, Portals, and Forums are available now.
}  Download today and enter to win an XBOX or Visual Studio .NET.
}  http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
}  _______________________________________________
}  List: Openh323gk-users@lists.sourceforge.net
}  Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
}  Homepage: http://www.gnugk.org/


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
List: Openh323gk-users@lists.sourceforge.net
Archive: http://sourceforge.net/mailarchive/forum.php?forum_id=8549
Homepage: http://www.gnugk.org/

[Index of Archives]     [SIP]     [Open H.323]     [Gnu Gatekeeper]     [Asterisk PBX]     [ISDN Cause Codes]     [Yosemite News]

  Powered by Linux