The Internet Protocol Journal - Volume 5, Number 4

Letters to the Editor

ENUM

Ole,

As the co-chair of the ENUM work group in the IETF, I was delighted with Geoff Huston's article (The Internet Protocol Journal, Volume 5, No. 2, June 2002, page 13).

I would like to point out and clarify several other issues raised by the Letters to the Editor published in the subsequent issue.

First, as a practical matter, though the North American Numbering Plan uses a single country code "1," there will not be a single administration of ENUM within "1." The agreements between the IAB and the ITU on the administration of e164.arpa clearly indicate that these resources will be administered on a nation-state basis.

The United States, Canada, Bermuda, and the 18 countries of the NANP will be free to administer their numbering resources as they so choose through the use of 1 + NPA (area codes) zones within the root of e164.arpa.

Dr. Deleuze writes, "E.164 numbers are really telephone addresses. They are tied to telephone network topology and are surely not user friendly. There are no user-friendly names in the telephone system."

In fact, this is not exactly correct either. Since the advent of Number Portability by several national telephone administrations, including the United States, telephone numbers are no longer tied to the underlying network or routing structure of the PSTN. Actual routing of phone calls in the United States is done on Local Routing Numbers for all landline calls and, beginning in November of 2003, for wireless calls as well.

Phone numbers even now are essentially names, much like domain names in the Internet. In the United States, phone numbers can be taken or "ported" to any wireline service provider within proscribed geographic boundaries, in 2003 between wireless service providers and from wireline to wireless providers as well.

I partially take issue with Dr. Deleuze's thought that telephone numbers are not "user-friendly." Phone numbers are readily identifiable, easy to use, and are not tied to culture or language, problems we have not yet solved with domain names.

Richard Shockey, NeuStar Inc.
rich.shockey@NeuStar.com



Visitor Networks

Dear Editor,

The September 2002 issue of IPJ featured a very interesting, comprehensive article on visitor networks. One aspect I found not mentioned, however, is the danger of users in such scenarios falling victim to fake visitor gateways. In public wireless hot spots, as they are increasingly being set up at numerous locations these days, attackers could employ their own mobile WLAN device to direct visitors trying to log on to the hot spot to their own fake login page, enabling them to easily collect their login details such as credit card information. Using encryption does not help here as long as the gateway does not need to authenticate itself to the customer's mobile device. The average user should not have a chance to realize whether he or she is connected to a legitimate or a fake login page—if he or she is aware of that potential danger at all. Given the fact that all such an attack would need, apart from readily available equipment such as a portable computer with a WLAN card, is some small piece of appropriate software and that it would be quite difficult to detect, that kind of threat unfortunately should be quite realistic in such environments.

Dr. Georg Schwarz
Detecon International GmbH, Berlin, Germany

Georg.Schwarz@detecon.com

The author responds:

This is a good point that was not discussed in the article. There are actually at least three cases that visitors need to worry about. The first is, as you mentioned, that the service provider is not who they say they are. This can be dealt with by using SSL certificates assuming the visitor is conscious of the URL that he/she is being directed to and knows that it belongs to the real service provider. If the visitor has no idea who is a reasonable service provider, this is a different class of problem, very similar to what has happened with public telephones that accept standard calling and credit cards—someone makes a call, receives the service but then gets charged an outrageous rate. The third case is a man-in-the-middle attack or passive snooping where someone with a laptop as you describe is able to grab traffic and gather passwords.

Some basic advice to visitors is, for services that require subscription, although possibly inconvenient, never to subscribe on a potentially compromised connection. That way, only the service provider-assigned username and password is compromised, instead of more sensitive personal information related to the account. Connections using 802.1x authentication with EAP-TLS provide mutual authentication and are, in the long run, a better solution than redirection of web pages. No matter what kind of security one has, inevitably there will be legally legitimate providers that will take advantage of visitors and in that case it's just "buyer beware."

Dory Leifer
leifer@del.com
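The response above says that SSL protects the visitor only if he or she is conscious of the URL the portal redirects to and knows it belongs to the real provider. The following is an added example, not code from the journal or from either correspondent, of what that check looks like when written down: before credentials are entered, the redirect target must use https, must name a known provider host exactly (a fake gateway can present a perfectly valid certificate for its own domain, so the browser's certificate check alone does not settle the question), must carry no embedded user@ part that makes the displayed name differ from the host contacted, and must not be a bare IP address. The provider host names are constructed placeholders.

```python
"""Decide whether a captive-portal login URL may be trusted with credentials.

Added example, not part of the original letters. Models the advice "be
conscious of the URL you are redirected to": TLS plus an exact match against
provider hosts the subscriber already knows. Host names are constructed.
"""
from urllib.parse import urlsplit

# Constructed allowlist: host names the subscriber knows belong to the provider.
KNOWN_PROVIDER_HOSTS = {"login.example-hotspot.net", "portal.example-hotspot.net"}


def host_is_known(host):
    """Exact, case-insensitive match; a suffix or substring match would let
    login.example-hotspot.net.attacker.example through."""
    return host.lower().rstrip(".") in KNOWN_PROVIDER_HOSTS


def check_login_url(url):
    """Return (ok, reason). ok is True only when every check passes."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, "unparseable URL: %s" % exc
    if parts.scheme != "https":
        return False, "not https: credentials would travel in the clear"
    if "@" in parts.netloc:
        # https://login.example-hotspot.net@203.0.113.7/ contacts 203.0.113.7
        return False, "userinfo in netloc: displayed name is not the host contacted"
    host = parts.hostname or ""
    if not host:
        return False, "no host in URL"
    if host.replace(".", "").isdigit():
        return False, "bare IP address, cannot be matched to a provider name"
    if not host_is_known(host):
        return False, "host %r is not a known provider host" % host
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://login.example-hotspot.net/login",
        "http://login.example-hotspot.net/login",
        "https://login.example-hotspot.net@203.0.113.7/login",
        "https://login.example-hotspot.net.attacker.example/login",
        "https://10.0.0.1/login",
    ):
        print(candidate, "->", check_login_url(candidate))
```

The check deliberately refuses anything it cannot positively match rather than trying to spot lookalikes: the burden is on the subscriber (or a client-side helper acting for them) to know the provider's real host names in advance, which is exactly the precondition the response states. Certificate validation itself is left to the TLS stack; this layer only ensures the name being validated is the one the subscriber intended.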



Wireless Security

Hi Ole,

Again, I found the latest issue of IPJ quite enlightening and useful. However, I do have one comment regarding the article by Greg Scholz on "An Architecture for Securing Wireless Networks." Although the use of source IP addresses to provide policy group membership on the firewall works in most cases, some client OSs and some IPSec VPN boxes allow the source address (even if it is the endpoint address of the tunnel, not the "real" address of the host) to be changed, provided the source address of the enciphered traffic does not change. This would allow users to change the policy group they belong to. A better solution is to use a VPN box that can associate groups of IPSec tunnels to VLANs. Then the firewall could be configured to allow policy group membership based on VLANs. This takes all determination of policy group membership off the client host and places it in the domain of trust of the VPN and firewall boxes.

Chris Liljenstolpe
Cable and Wireless

chris@cw.net
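The letter above contrasts two ways a firewall can decide policy group membership: from the source address inside the decrypted tunnel, which the letter notes some clients and VPN boxes let the user change, or from a VLAN the VPN box assigns to each authenticated tunnel. The following is an added example, not code from the letter or from any VPN or firewall product, that models the two designs side by side so the difference is visible: the same tunnel, with its inner source address changed, lands in a different group under the first design and in the same group under the second. Group names, address ranges and VLAN ids are constructed.

```python
"""Policy-group lookup: client-chosen inner source address vs VPN-assigned VLAN.

Added example, not from the letter or any product. Addresses, groups and VLAN
ids are constructed to illustrate the two designs the letter compares.
"""
from ipaddress import ip_address, ip_network

# Design A: group derived from the source address inside the decrypted tunnel.
# The letter points out that this field can be changed by the client host.
GROUP_BY_SOURCE_NET = {
    ip_network("10.1.0.0/24"): "staff",
    ip_network("10.2.0.0/24"): "contractor",
}

# Design B: the VPN box maps each authenticated tunnel to a VLAN; the firewall
# trusts only the VLAN tag placed on the frame by the VPN box.
GROUP_BY_VLAN = {100: "staff", 200: "contractor"}

# What each group may reach (constructed internal networks).
ALLOWED_DESTINATIONS = {
    "staff": [ip_network("192.168.10.0/24"), ip_network("192.168.20.0/24")],
    "contractor": [ip_network("192.168.20.0/24")],
}


def group_from_source_ip(inner_src):
    src = ip_address(inner_src)
    for net, group in GROUP_BY_SOURCE_NET.items():
        if src in net:
            return group
    return None


def group_from_vlan(vlan_id):
    return GROUP_BY_VLAN.get(vlan_id)


def permitted(group, dst):
    """Default deny: unknown group or unlisted destination is dropped."""
    if group is None:
        return False
    return any(ip_address(dst) in net for net in ALLOWED_DESTINATIONS[group])


def decide(packet, design):
    """packet: dict with inner_src (set by the client host), vlan (set by the
    VPN box from the tunnel it authenticated) and dst. design selects which
    field the firewall derives the policy group from."""
    if design == "source_ip":
        group = group_from_source_ip(packet["inner_src"])
    elif design == "vlan":
        group = group_from_vlan(packet["vlan"])
    else:
        raise ValueError("unknown design %r" % design)
    return permitted(group, packet["dst"])


if __name__ == "__main__":
    # Constructed case: a contractor tunnel (VLAN 200) whose inner source
    # address has been changed to one from the staff range.
    pkt = {"inner_src": "10.1.0.5", "vlan": 200, "dst": "192.168.10.5"}
    print("source_ip design permits:", decide(pkt, "source_ip"))
    print("vlan design permits:     ", decide(pkt, "vlan"))
```

Under the VLAN design the only input to the group decision is a value set by the VPN box after it authenticated the tunnel, which is the property the letter asks for: membership is determined inside the trust domain of the VPN and firewall boxes, not on the client host.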