<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:sans-serif;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
p
{mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
/* List Definitions */
@list l0
{mso-list-id:1470586698;
mso-list-template-ids:1560155676;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1924294775;
mso-list-template-ids:1560155676;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I think all 4 of your bullets are missing “operations
personnel that run VoIP networks and services”. These are the
clients of this document I am thinking of. They are different from “security
professionals” in the sense that security is just one aspect of what they
care about. They are definitely different from administrators, a group
which doesn’t actively monitor but function in an offline capacity.
Something along the lines of “operations personnel looking to
ensure the security of VoIP networks and services”.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Regarding a BP for QoS, something along
the lines of listing the deployment of active and passive media quality
monitoring equipment to ensure a minimum MOS score is being met for
applications that could suffer DoS attacks because the quality of audio is
critical to their function (such as speech recognition).<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>greg<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
dan_york@Mitel.com [mailto:dan_york@Mitel.com] <br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, January 19, 2007
2:36 PM<br>
<b><span style='font-weight:bold'>To:</span></b> <st1:PersonName w:st="on">Greg
Scallan</st1:PersonName><br>
<b><span style='font-weight:bold'>Cc:</span></b> bestpractices@voipsa.org<br>
<b><span style='font-weight:bold'>Subject:</span></b> Audience needs to be
expanded... and should we include "quality assurance"? RE: [VOIPSA
Best Practices] Best Practices document structure set - next question: are
these the appropriate areas?</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
</span></font><font size=2 face=sans-serif><span style='font-size:10.0pt;
font-family:sans-serif'>Greg,</span></font> <br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>Thanks
for pushing back on this point. You're right that the audience as
currently defined does not include people actually working with VoIP systems! So
we need to alter a bullet or introduce a new one. Perhaps it is what I
think Raul suggested earlier:</span></font> <o:p></o:p></p>
<ul type=disc>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l1 level1 lfo1'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>Security professionals and
system/network/application adminstrators looking for a security baseline
for VoIP systems. <o:p></o:p></span></font></li>
</ul>
<p class=MsoNormal style='margin-bottom:12.0pt'><font size=2 face=sans-serif><span
style='font-size:10.0pt;font-family:sans-serif'><br>
Does that cover it or do we need a separate bullet?</span></font> <br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>On
the quality assurance area, I guess I'm still struggling in my mind with how
deep we would want to go into that. I guess I can see a lot of issues
that can degrade quality that have very little to do with security, per se. For
instance, using poor quality cabling or bad NICs or... hopefully no one still
is... hubs. I totally agree with you that VoIP adds new areas such as
those you mention that have to be factored in for quality. But I'm still
not sure how we integrate those into a "Best Practices for Securing
Voice-over-IP/IP Telephony" document.</span></font> <br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>What
would you see as best practices that we should include in the document? I'm
certainly very open to being convinced we should.</span></font> <br>
<br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>Thanks,<br>
Dan</span></font> <br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'><br>
</span></font><br>
<br>
<o:p></o:p></p>
<table class=MsoNormalTable border=0 cellpadding=0 width="100%"
style='width:100.0%'>
<tr>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><b><font size=1 face=sans-serif><span style='font-size:
7.5pt;font-family:sans-serif;font-weight:bold'>"<st1:PersonName w:st="on">Greg
Scallan</st1:PersonName>" <spider@tellme.com></span></font></b> <o:p></o:p></p>
<p><font size=1 face=sans-serif><span style='font-size:7.5pt;font-family:
sans-serif'>01/19/2007 11:56 AM</span></font> <o:p></o:p></p>
</td>
<td valign=top style='padding:.75pt .75pt .75pt .75pt'>
<p class=MsoNormal><font size=1 face=Arial><span style='font-size:7.5pt;
font-family:Arial'> </span></font><br>
<font size=1 face=sans-serif><span style='font-size:7.5pt;font-family:sans-serif'>
To: <dan_york@Mitel.com></span></font>
<br>
<font size=1 face=sans-serif><span style='font-size:7.5pt;font-family:sans-serif'>
cc: <bestpractices@voipsa.org></span></font>
<br>
<font size=1 face=sans-serif><span style='font-size:7.5pt;font-family:sans-serif'>
Subject: RE: [VOIPSA Best
Practices] Best Practices document structure set - next question: are these
the appropriate areas?</span></font><o:p></o:p></p>
</td>
</tr>
</table>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br>
<br>
Regarding quality assurance, I think it goes back to how much the target
audience of the BP cares about that topic. Your list below does not
include personnel responsible for operating and monitoring a VoIP service and
so I agree that QA is not a major concern for your listed audience.
However, I do think the target audience should include such personnel and
they would care greatly about best practices for ensuring the security of their
network. There are many products and existing BP’s that cover this
topic in general for IP networks, but VoIP adds an additional complexity,
especially in the category of media jitter, latency and packet loss and its
impact on services (especially that of recognition). <br>
<br>
Probably more importantly right now is documenting and agreeing on who exactly
the target audience of this BP is. That would help us identify the
importance (and hence substance) of each section as it pertains to the listed
consumers. <br>
<br>
greg<br>
<br>
</span></font><font size=2 color=navy face=Arial><span style='font-size:10.0pt;
font-family:Arial;color:navy'> </span></font> <br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>we're
trying to create a document that hits these audiences:</span></font> <o:p></o:p></p>
<ul type=disc>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo2'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>End customers trying to understand how best to
secure their systems. <o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo2'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>Security professionals looking for a security
baseline for VoIP systems. <o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo2'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>System administrators, technicians, students and
others looking to enter into working with VoIP systems. <o:p></o:p></span></font></li>
<li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;
mso-list:l0 level1 lfo2'><font size=3 face="Times New Roman"><span
style='font-size:12.0pt'>Press/media who want to understand how VoIP
systems can be secured. <o:p></o:p></span></font></li>
</ul>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>[insert from other email]</span></font> <br>
<font size=2 face=sans-serif><span style='font-size:10.0pt;font-family:sans-serif'>11.
Interesting point. Certainly "availability" is a security
concern and *part* of that relates to quality assurance. But I don't know
how far we want to go down that road... we want to focus on helping people
understand how to have a *secure* VoIP system, but not necessarily instructing
them on how to have one with *excellent* audio quality. </span></font> <o:p></o:p></p>
</div>
</div>
</body>
</html>