[VOIPSEC] VOIP for free??

Brian Rosen br at brianrosen.net
Mon Apr 11 15:04:47 CDT 2005 

I'm very positive on long term solutions to devices self-locating by
measurement.  I think that's the best long term answer, and I think we will
have technology that will get us there.  The issue is when, and how that
lines up with needs.
One interesting piece of technology is:
www.rosum.com

GPS as a general solution for wireline VoIP endpoints is 3-10 years out.
I hope we're closer to 3 then 10, but the problems are daunting, and people
have been working on them for quite a while.  

I agree that if a device measures itself where it is, that's the best.
Please do recognize though, that when you accept a self-measured location,
you accept the possibility of 100% forgery of that location.  One of the
advantages of "networked based" location determination is that you have
another party, that you usually can trust, that is determining where the
endpoints are.

I'm not sure which "DNS Location" mechanism you are referring to.  There are
mechanisms that use the IP address reported to determine the location of the
device, but that is not useful for anything but a sanity check.  I wrote a
proposal that uses the DNS to house a routing database for emergency calls.
That doesn't tell you where you are, it tells you how to route an emergency
call if you know where you are.

Getting specs on location determination accuracy is very complex.  The basic
requirement you have is the "yell test".  When the paramedic gets to the
location she was dispatched to, can she find you by calling out your name?
We usually try to get with 100 feet. 

However, the wrong floor in a multistory building is a serious error, so
your z accuracy has to be quite a bit better than your x/y accuracy.

But then again, you can relatively easily get room level accuracy off a
wireline system, which is a lot closer to 10-20 feet.  Does that mean we
should allow self measured mechanisms to be less accurate?
Does cost enter into the requirement?

And then there is the difference between accuracy and uncertainty, a very
large issue currently in the wireless world.

There are a whole lot of pieces to the puzzle here.  Right now, most of the
work is in the IETF (geopriv, ecrit and sip/sipping) and NENA (in the i2 and
i3 work).  The NRIC 1b work is interesting in terms of pointing the way to
go.  There are some other efforts being mounted in various layer 2
organizations. 

Brian

-----Original Message-----
From: Robert Moskowitz [mailto:rgm at icsalabs.com] 
Sent: Monday, April 11, 2005 2:13 PM
To: Brian Rosen; securityrequirements at voipsa.org; Diana Cionoiu; Smith,
Donald
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] VOIP for free??

At 07:48 PM 4/9/2005, Brian Rosen wrote:
>Unfortunately, there are two problems with gps  phones. The first is that 
>it doesn't work indoors.  There are folks working on that, but don't plan 
>on solutions real soon.  The other problem is that its not accurate enough 
>unless you use some kind of assisted gps.  In the u.s., the WAAS system 
>will probably work in a lot of places.  Mobile carriers who use gps 
>provide assisted gps to get the required accuracy.

Of course, this is a bit afield as GPS is just a service that may benefit 
Voip,or not as you indicated.

The reachablity challenge of GPS is actually part of my point.  It is the 
device you want to authenticate and its location.  AN IP address is NOT a 
location.  It is a routing vector.  Vint and I had lots of discussion about 
this in the Namespace IRTF.

Yes, I was following the DNS location work.  It is good for maybe 90% of 
the cases.  As Brian points out we need 100%.  If .01% of callers cannot 
give their location, and DNS location works 90% of the time, that means 
that 1 in 1000 callers will be mislocated.  Not good numbers.  I suspect 
the numbers might be a bit brigher than that, but it still reminds me about 
the story of Windows reliablity compared to airplanes.

As to the accuracy of GPS, we had location averaging of bad data before the 
bad data varriable was removed.  Some of the systems I saw were really good 
at getting the true location that way.  My contacts over at NRL were even 
laughing that some of the averaging software was getting better location 
than the standard software used by the navy.  Of course, this means you are 
stationary for a while....

We need to just list device location as a requirement for relaiable 
E911.  Then we can develop best practices along with appropriate
disclaimers.

And Brian, I am very interested to know what body is working on this 
location standardization work you mentioned.



Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W:      248-968-9809
F:      248-968-2824
E:      rgm at icsalabs.com

There's no limit to what can be accomplished
if it doesn't matter who gets the credit

More information about the Voipsec mailing list