[VoiceOps] The big ENUM question (Was: VPFs)

Alex Balashov abalashov at evaristesys.com
Thu Aug 6 17:31:29 EDT 2009


There's nothing preventing someone from throwing garbage into the SS7 
network, it's just that as has been repeated already several times, the 
barriers to entry for that rather exclusive, proprietary and expensive 
world are rather high.

The issue with setting up a secure and trusted signaling plane over the 
Internet isn't so much making the communication pathways secure;  VPNs 
do a perfectly good job of that.  That's not the problem.  The problem 
is the security of all the other things that are also connected to the 
IP network into which those VPN tunnels land.  If an ordinary server is 
broken into, it can be used as a jump-off point by someone who knows 
what they're looking for to compromise the signaling plane as well by 
forwarding packets through the right gateway destination.

No, it's not terribly easy, but at the same time, the chances of it 
happening are orders of magnitude higher in a generalised IP scenario.

That's much harder to do with SS7 endpoints;  one would have to break 
not only into a network element via IP, but also stick an exploit into 
what is usually a very proprietary and reasonably secure black box.

The other related factor is that as many participants in the SS7 network 
as there are, that's a very, very small pool of deployments, generalised 
user experience and far-reaching knowledge as compared to anything IP. 
Ubiquitous operating systems and open-source packages enjoy thousands of 
times the volume of bugs, cracks, exploits and open QA feedback on which 
there is a lot of sunshine as compared to something so exclusive.

That's not to say that there isn't already plenty of SS7 over public IP 
going on.  I've seen more than my fair share of CLECs - usually little 
ones created to support the back side of some VoIP product - 
interconnect with the ILEC via SIGTRAN over Internet VPN to a 
third-party provider that actually works the A-links.  I don't know if 
VeriSign still offers this product, but it was plenty popular.

-- Alex

-- 
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775

