Blue Box SE#022 – SIP NAT Traversal discussion with Jonathan Rosenberg

Synopsis: Interview about SIP NAT Traversal with Dr. Jonathan Rosenberg, Cisco Fellow and author of many RFCs and Internet-Drafts related to SIP for the Internet Engineering Task Force (IETF).


Welcome to Blue Box: The VoIP Security Podcast Special Edition #20, a 25-minute interview with Dr. Jonathan Rosenberg about SIP and NAT Traversal.  Recorded at Interop New York in October 2007.

Download the show here (MP3, 13MB) or subscribe to the RSS feed to download the show automatically.


Show Content:

In this Special Edition, I sat down with Dr. Jonathan Rosenberg at Interop New York in October 2007 to talk about SIP NAT Traversal. Jonathan, a Cisco Fellow, has authored many RFCs related to SIP for the Internet Engineering Task Force (IETF) and in fact was a co-author of RFC 3261, the original specification for the SIP protocol. He is also the author of "The Hitchhiker’s Guide to SIP", a document that aims to help people find their way through all the many documents that today make up what we call "SIP".

For the past few years, Jonathan has been extremely involved in the whole issue of SIP and NAT traversal and has authored several of the major Internet-Drafts on the issue.  In this interview, we discuss:

  • What the issue is with SIP and NAT traversal
  • How ALGs and SBCs attempt to solve the problem
  • Methods that have been developed by the IETF, specifically:
    • STUN
    • TURN
    • ICE
  • The role of ICE going forward, who is supporting it, etc.

I believe you will find it a very educational session and very helpful in understanding this major issue with regard to SIP.  We thank Jonathan Rosenberg for his time.

If you enjoy this show, we would also suggest you go back and listen to Blue Box Special Edition #20, our interview with Cullen Jennings about SIP security.  The two shows complement each other extremely well and provide a solid understanding of the current state of SIP security.

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org’ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

New Audio comment line number – +1-415-830-5439 (and ditching K7.net)

Here is our new comment line number: +1-415-830-5439.

Here’s the story…

To my immense annoyance, it seems that we have once again lost our K7.net call-in number for comments: +1-206-350-7280. That isn’t the bad part, really… what annoys me most is that the number still appears to work! You can call it up and leave a message, but if it goes anywhere, it is not going to us! In the past, when we’ve lost our K7 number, the number has been inactive for some period of time, so callers just got a message saying that the number was no longer in use. Now it appears that the number has been reallocated already – or at least is accepting calls.

So please do not call that number!

I’m going to use this failure as an opportunity to completely drop our usage of K7.net. K7.net is a “unified messaging” service that is widely used by podcasters because it provides a very simple and easy – and free – service: Callers call in to a phone number, leave a message, and then you receive an email with the comment attached as a WAV file. It is great for a podcaster. Simple. Easy. Just works.

However, there is this wee minor little detail that is shown in the terms of service at the bottom of the sign-up page:

If a K7 number is inactive for 30 days (use is determined as a voice message or fax message to that number) , we may terminate the account for non-use.

This has been the bane of many a podcaster’s existence. If you don’t get a call in 30 days, you lose your number. This impacts podcasters, especially, because our shows may live on out there on the Internet for an incredibly long time. You can still download Blue Box podcast #1 from two years ago which has the wrong comment line included (in fact, it is 2 or 3 numbers ago). So losing your number is really quite bad from a community-building point-of-view. If you put out frequent shows and get frequent comments, this usually isn’t a problem. However, if you are a show like ours where we’ve been only doing maybe two shows a month it may be more of a challenge. I know that here in New England, the New England Podcasters group was instituting a “reminder day” where it was a monthly day to call your comment line to be sure you kept it. In any event, we seem to have lost our number.

Now, I can’t really complain about the service because it is free and the K7 folks have always been very up front about the termination for non-use clause. All I can really do is find another alternative.

I have now done so. My new employer, Voxeo, has a website for developers called evolution.voxeo.com where you can create voice applications in several different XML variants (VoiceXML, CCXML or Voxeo’s own CallXML). You can create a free developer account and with that you can create apps that have their own inbound phone number. For free. Anyone can do so. There is, at least currently, no expiration date or termination clause for non-use (although the terms of use do of course indicate that Voxeo can change or revoke the numbers at any time). So what’s the catch? Well, Voxeo hopes that you like to develop apps on our platform so much that ultimately you’ll need our hosting services for your applications.

So I’ve created my own little experiment in the form of a new comment line: +1-415-830-5439.

Right now it’s just a computer-generated voice but I’ll add in my own prompts soon. Interestingly, this number is also reachable via some other phone numbers:

  • Skype: +99000936 9992002622
  • FWD: **86919992002622
  • SIP: sip:9992002622@sip.voxeo.net

And while we are NOT going to switch from using our SIP “bluebox@voipuser.org” address, it’s nice to know that it is available.

Since I know many of our listeners like to know the code underneath things, here is the full text of my “application” that does this:

<?xml version="1.0" encoding="UTF-8"?>
<callxml version="2.0">
  <block>
    <!-- Speak the greeting with the computer-generated voice -->
    <text>Thank you for calling the comment line for Blue Box, The Voice over IP Security Podcast. Please leave your comment after the tone. Thank you.</text>
    <!-- Record up to 3 minutes of audio and e-mail it as comments.wav -->
    <recordaudio maxtime="3m" value="mailto:blueboxpodcast@gmail.com?subject=Voicemail message – listener comment&amp;fromname=Voxeo Messaging&amp;fromaddress=dyork@lodestar2.com&amp;body=Voicemail message&amp;filename=comments.wav"/>
  </block>
</callxml>

It uses Voxeo’s own CallXML language which was developed before VoiceXML and CCXML (Call Control XML) were standardized. Why did I use CallXML versus VoiceXML and CCXML? Primarily because I wanted to learn CallXML – and also, frankly, because it seemed to have the easiest commands to do what I was trying to do. It basically says a piece of text and then records up to 3 minutes of audio and emails it to our standard comment line. Ta da… same thing as I was doing with K7.net, but without the annoying termination after 30 days of non-use.

Anyway, that’s the new number and the story behind it. Hopefully I won’t be changing it again anytime soon!


Blue Box #72: Asterisk security vulnerabilities, Skype and the German government, VoIP security news, listener comments and more



Welcome to Blue Box: The VoIP Security Podcast #72, a 25-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 11MB) or subscribe to the RSS feed to download the show automatically. 


NOTE: This show was recorded on November 30, 2007.


Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to ‘bluebox@voipuser.org’ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

“The Silver Bullet Security Podcast” – another security podcast to check out

In preparing for an upcoming Blue Box episode, I happened to come across an article on the IEEE Security & Privacy site which pointed me to an interesting new security podcast called “The Silver Bullet Security Podcast with Gary McGraw”. It is apparently a joint project of security firm Cigital and the IEEE Security & Privacy Magazine. The regular show page is at www.cigital.com/silverbullet/ and includes a place there for comments and feedback. They just rolled out episode 20 and in looking back through the episodes they seem to have interviewed some great folks in the security space. Some of the predictable “big names” like Dan Geer, Marcus Ranum, Eugene Spafford and Bruce Schneier, but also folks like Dorothy Denning whose name was quite popular in the Clipper Chip days but then of whom I personally had heard little else since. Also folks from companies like Cisco and Microsoft and a number of professors from academic institutions.

Looks to be a nice addition to the range of security podcasts out there and it has joined my subscription list.

Blue Box #71: VLAN Hopping, SIP Digest vulnerability, VoIP security hype, Skype security, Google’s latest moves, listener comments and much more…



Welcome to Blue Box: The VoIP Security Podcast #71, a 51-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 


NOTE: This show was recorded on November 8, 2007.


Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-206-350-7280 or via SIP to ‘bluebox@voipuser.org’ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Our Blue Box Frappr map has grown to 315 members!

We’ve pretty much ignored our Frappr map for probably most of the last year after Frappr went from AJAX-based Google maps to Flash-based Yahoo!Maps that took forever to load (and didn’t show the world outside of North America). Today I randomly happened to look at it and found that Frappr’s back to using Google Maps and that our map had grown to over 315 members! Very cool to see! If you haven’t joined the map but are open to doing so, you can go to the map or click on the embedded map here:

NOTE: One of our listeners commented in the Blue Box Skype group chat that you do need to be careful about how you are signing into Frappr as it sometimes will add you with your email address versus your Frappr ID.


Blue Box #70: 2-yr Anniversary show, VoIP security vulnerabilities, Vonage, Comcast, phishing, listener comments and much, much more…



Welcome to Blue Box: The VoIP Security Podcast #70, a 51-minute podcast  from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.   

Download the show here (MP3, 21MB) or subscribe to the RSS feed to download the show automatically. 


NOTE: This show was recorded on October 25, 2007.


Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-206-350-7280 or via SIP to ‘bluebox@voipuser.org’ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Blue Box podcast #70 successfully recorded… on *conference WiFi*!

I’m delighted to report that Jonathan and I successfully recorded Blue Box #70 this morning. It was a bit surreal, actually. There I was at the Javits Center in a vacant room on conference WiFi and Jonathan’s audio quality was outstanding! In fact, when I listened to the recording afterward his audio sounded far better than my audio that was recorded off of my local USB headset! Of course, in contrast to the stats I showed yesterday, here’s how our call looked today:

[Screenshot: call statistics]

0.0% packet loss on receiving Jonathan’s signal! Very cool! And a 94ms round trip sure beats a 200-300ms round trip, eh?

To get this good quality on a conference WiFi really speaks to the efforts of the Interop NOC team to deliver this kind of network. Kudos to them!

For those curious, I recorded the show locally on my MacBook Pro using WireTap Studio from Ambrosia Software. Given that our recording levels were quite different, I’m probably going to need to run the recording through the Levelator in order to bring the levels in line.

It should be posted probably some time early tomorrow. I’m at Interop all day today and so the post-production will probably be done during my time out at JFK and flying home later today.


Two years ago today, Blue Box podcast #1 was launched

It seems rather amazing to me that it was two years ago today – October 24, 2005 – when we launched this show with Blue Box Podcast #1 (I remember because 10/24 is just a great number for a geek!). It’s been a long, strange trip since then… we’ve learned a lot… about podcasting, about building a community… and, of course, about VoIP security. We’ve put out 69 main shows and 21 special editions – a total of 90 shows… with more in the queue. It’s truly been a remarkable experience and we greatly appreciate all the contributions and support we’ve had from all of you over the years. Thank you for all of your support!

Sadly, despite our best efforts, Blue Box #70, our 2-year anniversary show, did NOT make it out today on our actual anniversary. With my schedule, we wound up trying to record tonight and unfortunately the hotel WiFi at the hotel I am staying at in New York City just wasn’t up to giving us the quality recording that we wanted to have via Skype. Here’s a taste of what we were experiencing:

[Screenshot: call statistics]

If I read that right, we were getting a 32% packet loss… even if it was really 9%, it was still a lot. The roundtrip was much higher sometimes… up near 300 or more milliseconds. You just can’t get a good recording in those circumstances. Skype was working fine earlier in the night, so I don’t know if we just hit a time when more people were back at the hotel using the network. Whatever the reason, we eventually just had to give up. I thought about trying Yahoo!Voice or Gizmo, but generally if Skype is having problems the other ones will as well.

It’s disappointing, primarily because I really wanted to get the show out today. We’ve recorded shows from hotels in the past (even using hotel WiFi) and this is the first time in two years that we’ve actually had to cancel a recording because of poor connectivity!

We’re going to try again tomorrow from the Interop show where I did find I got great connectivity in some areas. We’ll see. If not it may need to wait until Friday when I’m back in my home studio.

In the meantime, thanks again to all of you who have made this show a joy to produce and do each week!


Blue Box SE#021: Interview with ZFone and ZRTP creator Phil Zimmermann by Brenno de Winter

Synopsis: Interview with ZFone and ZRTP creator Phil Zimmermann by Brenno de Winter.


Welcome to Blue Box: The VoIP Security Podcast Special Edition #21, a 44-minute interview between Phil Zimmermann and Brenno de Winter in August 2007.

Download the show here (MP3, 20MB) or subscribe to the RSS feed to download the show automatically.



Show Content:

Brenno de Winter produces a Dutch podcast about information technology news called “ICT Roddels” (http://ictroddels.nl/) and back in early August he sat down with ZFone and ZRTP creator Phil Zimmermann to discuss (in English) what ZFone and ZRTP are all about. Brenno released the interview on his show and then offered it to us to run as a Blue Box show. In the 40-minute interview, Brenno and Phil spend the first 20 or so minutes talking about ZFone, ZRTP and VoIP security and then spend the remainder of the show talking about security in general, Phil’s background and other topics.

While we have interviewed Phil in the past ourselves, it’s been about a year since we last spoke with him and so we thought this might be an interesting update for you to hear. We thank Brenno for making the interview available to us.

I also have to say a word of thanks to long-time contributor Martyn Davies who stepped in at the last moment to provide the intro/outro to this interview. I unfortunately lost my voice after a presentation yesterday (bad news for a podcaster!) and Jonathan is currently traveling – and our goal this year is to make sure we get shows out on Wednesdays.

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-206-350-7280 or via SIP to ‘bluebox@voipuser.org’ to leave a comment there.

Thank you for listening and please do let us know what you think of the show.