[VOIPSEC] VOIP for free??
Brian Rosen
br at brianrosen.net
Tue Apr 12 07:16:38 CDT 2005
There is a difference between how you determine location, and how you report
it. You can determine it in one of two basic ways:
a) you can measure it, via GPS, or triangulation, etc.
b) you can effectively trace wires, and maintain a database
of wire end point to location
You can report location in two ways presently: DHCP and LLDP-MED
Adding other ways is not desirable because endpoints have to implement all
of them unless they know, for sure, that one of them is deployed in all of
the infrastructures they have to work in. I'd like there to be only one.
I started a thread on IP address spoofing because there are some folks who
are arguing that you can get ONE method, but it has to be a layer 7 method
that anyone could use. The only way to do that is to use IP address (as
opposed to MAC address, or port tracing) to determine which location is
needed.
Brian
-----Original Message-----
From: Paine, Richard H [mailto:richard.h.paine at boeing.com]
Sent: Tuesday, April 12, 2005 12:44 AM
To: Brian Rosen; Robert Moskowitz; securityrequirements at voipsa.org; Diana
Cionoiu; Smith, Donald
Cc: voipsec at voipsa.org
Subject: RE: [VOIPSEC] VOIP for free??
There is an additional way to do location. For instance, IEEE 802.11k
draft standard has a location element in the specification. The
location within a building is available from the network (either wired
or wireless network) and more specifically from the 802.11 network.
Such a location is not available from GPS unless there is an antenna on
the roof and a building infrastructure (like Pseudo-Lites).
Richard H. Paine
Success is getting what you want, happiness is liking what you get!
Cell: 206-854-8199
IPPhone: 425-373-8964
Email: richard.h.paine at boeing.com
-----Original Message-----
From: Brian Rosen [mailto:br at brianrosen.net]
Sent: Monday, April 11, 2005 1:05 PM
To: 'Robert Moskowitz'; securityrequirements at voipsa.org; 'Diana
Cionoiu'; 'Smith, Donald'
Cc: voipsec at voipsa.org
Subject: RE: [VOIPSEC] VOIP for free??
I'm very positive on long term solutions to devices self-locating by
measurement. I think that's the best long term answer, and I think we
will have technology that will get us there. The issue is when, and how
that lines up with needs.
One interesting piece of technology is:
www.rosum.com
GPS as a general solution for wireline VoIP endpoints is 3-10 years out.
I hope we're closer to 3 than 10, but the problems are daunting, and
people have been working on them for quite a while.
I agree that if a device measures itself where it is, that's the best.
Please do recognize though, that when you accept a self-measured
location, you accept the possibility of 100% forgery of that location.
One of the advantages of "networked based" location determination is
that you have another party, that you usually can trust, that is
determining where the endpoints are.
I'm not sure which "DNS Location" mechanism you are referring to. There
are mechanisms that use the IP address reported to determine the
location of the device, but that is not useful for anything but a sanity
check. I wrote a proposal that uses the DNS to house a routing database
for emergency calls.
That doesn't tell you where you are, it tells you how to route an
emergency call if you know where you are.
Getting specs on location determination accuracy is very complex. The
basic requirement you have is the "yell test". When the paramedic gets
to the location she was dispatched to, can she find you by calling out
your name?
We usually try to get within 100 feet.
However, the wrong floor in a multistory building is a serious error, so
your z accuracy has to be quite a bit better than your x/y accuracy.
But then again, you can relatively easily get room level accuracy off a
wireline system, which is a lot closer to 10-20 feet. Does that mean we
should allow self measured mechanisms to be less accurate?
Does cost enter into the requirement?
And then there is the difference between accuracy and uncertainty, a
very large issue currently in the wireless world.
There are a whole lot of pieces to the puzzle here. Right now, most of
the work is in the IETF (geopriv, ecrit and sip/sipping) and NENA (in
the i2 and i3 work). The NRIC 1b work is interesting in terms of pointing the way
to go. There are some other efforts being mounted in various layer 2
organizations.
Brian
-----Original Message-----
From: Robert Moskowitz [mailto:rgm at icsalabs.com]
Sent: Monday, April 11, 2005 2:13 PM
To: Brian Rosen; securityrequirements at voipsa.org; Diana Cionoiu; Smith,
Donald
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] VOIP for free??
At 07:48 PM 4/9/2005, Brian Rosen wrote:
>Unfortunately, there are two problems with gps phones. The first is
>that it doesn't work indoors. There are folks working on that, but
>don't plan on solutions real soon. The other problem is that it's not
>accurate enough unless you use some kind of assisted gps. In the u.s.,
>the WAAS system will probably work in a lot of places. Mobile carriers
>who use gps provide assisted gps to get the required accuracy.
Of course, this is a bit afield as GPS is just a service that may
benefit Voip, or not as you indicated.
The reachability challenge of GPS is actually part of my point. It is
the device you want to authenticate and its location. An IP address is
NOT a location. It is a routing vector. Vint and I had lots of
discussion about this in the Namespace IRTF.
Yes, I was following the DNS location work. It is good for maybe 90% of
the cases. As Brian points out we need 100%. If .01% of callers cannot
give their location, and DNS location works 90% of the time, that means
that 1 in 1000 callers will be mislocated. Not good numbers. I suspect
the numbers might be a bit brighter than that, but it still reminds me
about the story of Windows reliability compared to airplanes.
As to the accuracy of GPS, we had location averaging of bad data before
the bad data variable was removed. Some of the systems I saw were
really good at getting the true location that way. My contacts over at
NRL were even laughing that some of the averaging software was getting
better location than the standard software used by the navy. Of course,
this means you are stationary for a while....
We need to just list device location as a requirement for reliable
E911. Then we can develop best practices along with appropriate
disclaimers.
And Brian, I am very interested to know what body is working on this
location standardization work you mentioned.
Robert Moskowitz
Senior Technical Director
ICSA Labs, a division of Cybertrust, Inc.
W: 248-968-9809
F: 248-968-2824
E: rgm at icsalabs.com
There's no limit to what can be accomplished
if it doesn't matter who gets the credit
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org