[VOIPSA Best Practices] Best Practices document structure set - next question: are these the appropriate areas?
Dustin D. Trammell
dtrammell at tippingpoint.com
Mon Jan 29 09:42:29 CST 2007
On Fri, 2007-01-19 at 18:22 +0100, Jozef Janitor wrote:
> Also, an important part of VoIP security is the credibility of an incoming
> calling number (callid). Because in the PSTN network normally I can’t
> change my callid, but in VoIP it’s usually not a big problem.
> Maybe this problem could be handled with ENUM.

This one is a slippery slope indeed. I've had to debunk the myth many a
time about Caller-ID spoofing in the PSTN not being possible, because it
certainly is. When you assume that Caller-ID information coming from
one entity, say the PSTN, is trusted and Caller-ID information coming
from elsewhere is not, it opens up a big can of worms. In my opinion,
Caller-ID information can never be trusted to be accurate, regardless of
the source, so really how do we define a best practice to secure it?
Currently there is no mechanism for verifying the identity (if you can
even call it that) being purported by the Caller-ID information. My
personal approach to Caller-ID is akin to that old phrase LeVar Burton
used on the PBS television show "Reading Rainbow"[1]:

"This is who owns the telephone line that is calling you, but don't take
MY word for it."

> And SpIT. We know that controlling SPAM in our emails is very
> difficult. But controlling SPAM in VoIP will be even more difficult.
> So I hope that some pages in this document will also cover the
> possibilities of solving the SpIT problem.

I agree with the earlier suggestions of a final "Emerging Threats"
section which should encompass SPIT. So far, most of the solutions to
this issue involve a Turing test of some form, which I haven't decided
if I'm entirely in favor of just yet...

[1] http://www.youtube.com/watch?v=c6j8EiWIVZs

--
Dustin D. Trammell
VoIP Security Research
TippingPoint, a division of 3Com