27 Jun
2020
27 Jun
'20
12:24 a.m.
Hi,
The address(es) of the ePDG are discovered using DNS: the phone will try to resolve epdg.epc.mncXXX.mccYYY.pub.3gppnetwork.org, where XXX is your operator's Mobile Network Code (for instance Swisscom is 001), and YYY is your Mobile Country Code (228 for Switzerland).
So I guess a first test can be to look for these addresses and watch for ipsec traffic.
Also looks like a terribly easy way to spoof or screw up automatic discovery. I doubt any vendor uses DNSSec here (or that it will be of any use to protect against abuse).
And oh! What about home routers that don't delegate DNS to the provider's DNS infrastructure?
Regards, Greg