[VOIPSEC] VOIP for free??

Paine, Richard H richard.h.paine at boeing.com
Tue Apr 12 08:34:51 CDT 2005


You must add the wireless/mobile element or location has no relevance
(for E911 or business processes).  Essentially, if you move to a mobile
workspace, the only way to address location is via the mobile network
infrastructure because location is dynamic for both people and
equipment.  Layer 7 doesn't work without the knowledge of where in the
mobile physical space something is, what is moving in it, and how it is
moving.  This information must be delivered by the only infrastructure
relevant to the movement; the network infrastructure.  DHCP and LLDP-MED
are not the only ways to report it.  IEEE 802.11k adds the location
measurement into the wireless LAN infrastructure.  I have an
implementation of such an infrastructure and it does work.

Richard H. Paine
Success is getting what you want, happiness is liking what you get!
Cell:  206-854-8199
IPPhone:  425-373-8964
Email:  richard.h.paine at boeing.com 


-----Original Message-----
From: Brian Rosen [mailto:br at brianrosen.net] 
Sent: Tuesday, April 12, 2005 5:17 AM
To: Paine, Richard H; 'Robert Moskowitz';
securityrequirements at voipsa.org; 'Diana Cionoiu'; 'Smith, Donald'
Cc: voipsec at voipsa.org
Subject: RE: [VOIPSEC] VOIP for free??

There is a difference between how you determine location, and how you
report it.  You can determine it in one of two basic ways:
	a) you can measure it, via GPS, or triangulation, etc.
	b) you can effectively trace wires, and maintain a database
		of wire end point to location
You can report location in two ways presently: DHCP and LLDP-MED

Adding other ways is not desirable because endpoints have to implement
all of them unless they know, for sure, that one of them is deployed in
all of the infrastructures they have to work in.  I'd like there to be
only one.
I started a thread on IP address spoofing because there are some folks
who are arguing that you can get ONE method, but it has to be a layer 7
method that anyone could use.  The only way to do that is to use IP
address (as opposed to MAC address, or port tracing) to determine which
location is needed.

Brian 

-----Original Message-----
From: Paine, Richard H [mailto:richard.h.paine at boeing.com]
Sent: Tuesday, April 12, 2005 12:44 AM
To: Brian Rosen; Robert Moskowitz; securityrequirements at voipsa.org;
Diana Cionoiu; Smith, Donald
Cc: voipsec at voipsa.org
Subject: RE: [VOIPSEC] VOIP for free??

There is an additional way to do location.  For instance, IEEE 802.11k
draft standard has a location element in the specification.  The
location within a building is available from the network (either wired
or wireless network) and more specifically from the 802.11 network.
Such a location is not available from GPS unless there is an antenna on
the roof and a building infrastructure (like Pseudo-Lites).

Richard H. Paine
Success is getting what you want, happiness is liking what you get!
Cell:  206-854-8199
IPPhone:  425-373-8964
Email:  richard.h.paine at boeing.com 


-----Original Message-----
From: Brian Rosen [mailto:br at brianrosen.net]
Sent: Monday, April 11, 2005 1:05 PM
To: 'Robert Moskowitz'; securityrequirements at voipsa.org; 'Diana
Cionoiu'; 'Smith, Donald'
Cc: voipsec at voipsa.org
Subject: RE: [VOIPSEC] VOIP for free??

I'm very positive on long term solutions to devices self-locating by
measurement.  I think that's the best long term answer, and I think we
will have technology that will get us there.  The issue is when, and how
that lines up with needs.
One interesting piece of technology is:
www.rosum.com

GPS as a general solution for wireline VoIP endpoints is 3-10 years out.
I hope we're closer to 3 than 10, but the problems are daunting, and
people have been working on them for quite a while.  

I agree that if a device measures itself where it is, that's the best.
Please do recognize though, that when you accept a self-measured
location, you accept the possibility of 100% forgery of that location.
One of the advantages of "networked based" location determination is
that you have another party, that you usually can trust, that is
determining where the endpoints are.

I'm not sure which "DNS Location" mechanism you are referring to.  There
are mechanisms that use the IP address reported to determine the
location of the device, but that is not useful for anything but a sanity
check.  I wrote a proposal that uses the DNS to house a routing database
for emergency calls.
That doesn't tell you where you are, it tells you how to route an
emergency call if you know where you are.

Getting specs on location determination accuracy is very complex.  The
basic requirement you have is the "yell test".  When the paramedic gets
to the location she was dispatched to, can she find you by calling out
your name?
We usually try to get within 100 feet.

However, the wrong floor in a multistory building is a serious error, so
your z accuracy has to be quite a bit better than your x/y accuracy.

But then again, you can relatively easily get room level accuracy off a
wireline system, which is a lot closer to 10-20 feet.  Does that mean we
should allow self measured mechanisms to be less accurate?
Does cost enter into the requirement?

And then there is the difference between accuracy and uncertainty, a
very large issue currently in the wireless world.

There are a whole lot of pieces to the puzzle here.  Right now, most of
the work is in the IETF (geopriv, ecrit and sip/sipping) and NENA (in
the i2 and i3 work).  The NRIC 1b work is interesting in terms of pointing the way
to go.  There are some other efforts being mounted in various layer 2
organizations. 

Brian

-----Original Message-----
From: Robert Moskowitz [mailto:rgm at icsalabs.com]
Sent: Monday, April 11, 2005 2:13 PM
To: Brian Rosen; securityrequirements at voipsa.org; Diana Cionoiu; Smith,
Donald
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] VOIP for free??

At 07:48 PM 4/9/2005, Brian Rosen wrote:
>Unfortunately, there are two problems with gps phones. The first is
>that it doesn't work indoors.  There are folks working on that, but
>don't plan on solutions real soon.  The other problem is that it's not
>accurate enough unless you use some kind of assisted gps.  In the u.s.,
>the WAAS system will probably work in a lot of places.  Mobile carriers
>who use gps provide assisted gps to get the required accuracy.

Of course, this is a bit afield as GPS is just a service that may
benefit VoIP, or not as you indicated.

The reachability challenge of GPS is actually part of my point.  It is
the device you want to authenticate and its location.  An IP address is
NOT a location.  It is a routing vector.  Vint and I had lots of
discussion about this in the Namespace IRTF.

Yes, I was following the DNS location work.  It is good for maybe 90% of
the cases.  As Brian points out we need 100%.  If .01% of callers cannot
give their location, and DNS location works 90% of the time, that means
that 1 in 1000 callers will be mislocated.  Not good numbers.  I suspect
the numbers might be a bit brighter than that, but it still reminds me
about the story of Windows reliability compared to airplanes.

As to the accuracy of GPS, we had location averaging of bad data before
the bad data variable was removed.  Some of the systems I saw were
really good at getting the true location that way.  My contacts over at
NRL were even laughing that some of the averaging software was getting
better location than the standard software used by the navy.  Of course,
this means you are stationary for a while....

We need to just list device location as a requirement for reliable
E911.  Then we can develop best practices along with appropriate
disclaimers.

And Brian, I am very interested to know what body is working on this
location standardization work you mentioned.



Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W:      248-968-9809
F:      248-968-2824
E:      rgm at icsalabs.com

There's no limit to what can be accomplished if it doesn't matter who
gets the credit
