Sausage making, SS7 and protocols
Jay R. Ashworth
jra at scfn.thpl.lib.fl.us
Tue Nov 4 17:28:07 UTC 1997
On Tue, Nov 04, 1997 at 07:12:27AM -0600,
on the North American Network Operators Group mailing list,
Sean Donelan wrote:
> >In a world where the internet industry is becoming
> >more and more like the telecoms industry, the
> >necessity of users to have protocol level access
> >to the network is diminishing, and the dangers
> >of doing so are becoming greater. Which telcos
> >will blithely hand out SS7 interconnects to
> >users? Without (routable) IP access, there
> >would be no SYN floods of distant networks, no
> >source spoofing, less hacking, easier traceability,
> >and the BGP table need only be OTO 1 entry per
> >non-leaf node on a provider interconnection
> Strange how people in the telecom industry think they need to
> become more like the internet industry, and people in the internet
> industry think they need to become more like the telecom industry.
> If you want to see some sausage being made, take a look at the
> "Advance Intelligent Network" and the Internet interface working
> group PINT.
As someone who's spent extensive time in the past 10 years following
both industries, I'm going to have fun with this one...
To respond first to the original poster's question: "Which telco's will
hand out SS7 connections to users", I pose the analogous question:
"Which ISP's will hand out BGP4 connections to users?"
> In the US, with telecom deregulation, the distinction between 'users'
> and 'telephone companies' is becoming less distinct. When an insurance
> company, an university, or an ISP files the paperwork to become a CLEC,
> are they a 'user' or a 'telco?' What telco would refuse SS7 interconnects
> to a CLEC? The trust model in SS7 makes rlogin look like a high-security
> protocol. SS7 was developed in an environment where there would be a
> few trusted 'users.' As the number of 'telco'-like entities explodes,
> you might see some interesting security issues showing up with SS7. There
> is some 'screening' between networks, but gateway STP nodes have many of
> the same problems as Internet firewalls.
Precisely. All an STP (Signal Transfer Point, for the non telco
people) is, is an SS7 router. SS7 is, of course, the protocol used on
the networks whereby switches tell each other about, and what to do
about, calls. As Sean notes, this has been a tightly closed network to
date, and whether sufficient engineering has been done to determine how
scalable the administrative protocols surrounding it are is unknown.
It's been noted that when you scale a problem up by an order of
magnitude, it's no longer the same problem. Let's hope they don't blow
this on SS7.
> Internet providers give both less and more access to their networks than
> telcos. Generally ISPs don't give other ISPs more access to their networks
> than any other untrusted user. Even read-only SNMP between providers is
> almost non-existant. Most ISPs would probally consider giving SS7 level
> access into their network to another ISP a huge security hole. In some
> sense, interconnecting ISPs is easier than telcos because the security
> risk of connecting to another ISP is the same as connecting to a user.
> Today's SS7 network is far more risky than anything Capt. Crunch could
> do with his whistle.
Perfectly correct. See, Sean? We do agree on some things. :-)
> On the other hand, it seems like many ISPs don't consider it a duty to
> screen or filter their customer's ingress or their own egress. While
> telco's almost always screen information such as directory numbers when
> they originate from a customer PBX.
Yeah, but they didn't think it up until _afterwards_. It is to this
day possible to spoof ANI/CNID with certain PRI connected PBXs on
certain models of switch.
> This has less to do with the SS7
> protocol, than the trust relationship between telcos. Telcos trust
> other telcos to only send SS7 packets with screened customer phone
> numbers. This 'trust' is formalized into extremely complicated
> agreements between telcos, especially who is liable when the trust is
> broken. ISPs have very simple 'trust' relationships (i.e. trust no one),
> and correspondingly simple agreements between them.
Excellent capsulization of the situation.
> Since there is a much lower trust relationship between ISPs, tracing
> malicious behavior is much more difficult. At a simple level, look how
> caller-id information is treated between telcos. Telcos pass caller-id
> information, more or less, on an end-to-end basis through the SS7 network
> 'sharing' it with all the telco's along the way. However, telcos don't
> pass the caller-id information to the 'user' if the presentation-restricted
> flag is set. ISPs don't normally provide any more information to another
> ISP than they do to an user. Which model causes less problems when the
> CLEC turns out to be an private investigative company, or a university.
Indeed. In the environment we're transitioning into, the ISP model
will likely turn out to be more popular, for precisely that reason.
Whether the LECs and IXCs can adapt is another question entirely.
> It will be interesting to see which trust model works better as the number
> of CLECs grows or the number of ISPs shrinks, depending on which consulting
> group you want to believe. Will ISPs start trusting each other more, or
> will telcos start trusting each other less? At some companies, the Internet
> connection is the most secure outside communications connection they have.
Wow. That's a scary thought. I personally am disinclined to false
senses of security, myself, so I prefer the latter. Lends an
interesting tenor to the national security communications backbone
topic, though, doesn't it?
[ Cross posted from NANOG to comp.dcom.telecom, for comment. ]
Jay R. Ashworth jra at baylink.com
Member of the Technical Staff Unsolicited Commercial Emailers Sued
The Suncoast Freenet "Pedantry. It's not just a job, it's an
Tampa Bay, Florida adventure." -- someone on AFU +1 813 790 7592
More information about the NANOG