[VOIPSEC] VoIP and Fraud
Geoff Devine
gdevine at cedarpointcom.com
Tue Feb 15 20:39:21 CST 2005
Brian Rosen wrote:
> So the way this will work in VoIP if things go the way I think they are
> going is:
> 1. The PHONE learns its location when it boots using, for example, a new
> option to carry location in DHCP
> 2. When an emergency call is placed, the location is put in the signaling on
> the call using, for example, PIDF-LO for SIP.
Since the VoIP endpoint isn't trusted, this is not a secure way to implement the feature. To build this feature in a secure way, you either need to have some trusted component within the service provider network implement the feature or you need a trusted network component to validate all the SIP signaling to ensure that the SIP User Agent isn't lying.
An approach could be to have the SIP Proxy (or a session controller) validate the contents of each SIP message from the user agent. If it's supplying CallerID information, the SIP Proxy would have a policy that ensures the user agent isn't lying. For 911 calls, it could have a policy to ensure that the UA isn't lying about coordinate information. To make it truly secure, you're pretty much implementing a Back2Back User Agent since you can't allow anything to be passed on in the network that you can't understand and validate.
There are varying degrees of security policy and paranoia. At one extreme, you have the lightweight SIP Proxy that doesn't even authenticate when a SIP user agent REGISTERs. All SIP messages are blindly relayed. Slightly better than that, you can have a SIP Proxy that challenges the REGISTER so the User Agent is at least authenticated. This is how Vonage works. To get improved security, you can implement additional policy that enforces well-behaved protocol. At the other extreme, you only pass things on to the network that you can understand and police.
I suggest we avoid using 911 in our examples since it's usually fairly easy to defeat any IP-based coordinate/location method. With VPN, I can sit at my house and talk to the DHCP server at my office. If I dial 911 from a soft client on my home PC while I'm using my corporate VPN, it would get coordinate information indicating that it is at my office.
Geoff
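
The proxy-side policing described in the message above, as an added example that is not part of the original post: a check that refuses any header it does not understand and compares the claimed caller identity and position against what the provider has on record. The subscriber record, URIs, tolerance, function names and the use of a `gml:pos` element for the PIDF-LO position are all assumptions made for illustration.

```python
import re

# Constructed subscriber record (assumption: a trusted provisioning database exists).
SUBSCRIBERS = {"alice": {"caller_ids": {"sip:+15551230001@example.net"},
                         "location": (42.3601, -71.0589)}}
# Headers the policy understands; anything else is refused rather than relayed.
ALLOWED = {"via", "from", "to", "call-id", "cseq", "contact", "max-forwards",
           "content-type", "content-length"}
MAX_DRIFT_DEG = 0.01  # constructed tolerance for claimed vs. provisioned location

def parse(raw):
    """Split a SIP request into ({lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def police(auth_user, raw):
    """Check a request from an already authenticated user; return (verdict, reasons)."""
    sub = SUBSCRIBERS.get(auth_user)
    if sub is None:
        return "reject", ["unknown subscriber"]
    headers, body = parse(raw)
    reasons = []
    unknown = sorted(set(headers) - ALLOWED)
    if unknown:
        reasons.append("headers not understood: " + ", ".join(unknown))
    uri = re.search(r"<([^>]+)>", headers.get("from", ""))
    if not uri or uri.group(1) not in sub["caller_ids"]:
        reasons.append("From identity not provisioned for this user")
    pos = re.search(r"<gml:pos>\s*(-?[\d.]+)\s+(-?[\d.]+)\s*</gml:pos>", body)
    if pos:
        lat, lon = float(pos.group(1)), float(pos.group(2))
        rec_lat, rec_lon = sub["location"]
        if max(abs(lat - rec_lat), abs(lon - rec_lon)) > MAX_DRIFT_DEG:
            reasons.append("claimed location differs from provisioned location")
    return ("reject" if reasons else "accept"), reasons

def sample_invite(from_uri, lat, lon, extra=""):
    """Build a constructed INVITE carrying a PIDF-LO style position."""
    body = f"<gml:pos>{lat} {lon}</gml:pos>"
    return (f"INVITE sip:+15551239999@example.net SIP/2.0\r\n"
            f"From: Alice <{from_uri}>;tag=1\r\nTo: <sip:+15551239999@example.net>\r\n"
            f"Call-ID: c1@example.net\r\nCSeq: 1 INVITE\r\n{extra}"
            f"Content-Type: application/pidf+xml\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")
```

The check only runs after the REGISTER challenge has established `auth_user`; without that step there is nothing to compare the claims against.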