[VOIPSEC] SPIT Security initiative

David Schwartz david at kayote.com
Thu Jun 2 11:55:22 CDT 2005


I wanted to bring to the attention of the SIP community an initiative Kayote
has been working on to combat the ever-growing threat of SPIT. Essentially,
we have adopted Jon Peterson's idea of embedding security information into
the SIP message via SAML. This will give upstream elements the ability to
make available to downstream elements what they know about the SPIT threat
potential on a call-by-call basis and let the downstream elements decide
what to do with that information.

The data sent downstream takes the form of name=value pairs, and each
parameter highlights a specific "red flag" in terms of potential for SPIT.
For example, is the user calling from a free service, or is he a paying
customer? Does his ITSP authorize as well as assert identity? Is there some
other reason to suspect the call to be SPIT (from information regarding his
calling patterns)? And finally, an overall score that we subjectively
assign, called the AssertionStrength.

This work is very preliminary and we expect the list of security attributes
to evolve, but the key is the method of communicating the information on a
call-by-call basis. As we describe in the open issues section, there are
still a lot of SIP-related things that need to get ironed out.

We are making a public server available for developers to start playing
with. SIP messages can be bounced off the server and they will be returned
with the embedded SAML containing the security attributes of the caller. On
the web site, developers can configure their variables and other options.
Our hope is that we can create a dynamic ongoing discussion that will engage
the firewall and SBC vendors, the IP-PBX and Proxy builders, and even the
CPE people, to get them to key off this information and
reject/allow/filter/divert calls accordingly.

We put up a small client to show the basic functionality. The technical
details are provided in an accompanying document. The client and document
can both be found at

www.spitprevention.net

Once you sign in, you can download the client and the doc
(http://www.spitprevention.net/downloads/SPITPrevention.pdf).

Depending on feedback from the community, future direction may include a
standardization track.

Kayote welcomes any comments that you have and looks forward to working on
this project with the developer community.

Best regards,

David Schwartz
Kayote Networks
david.Schwartz at kayote.com
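As an added illustration (not Kayote's client or code, and not the SAML wire format described in the accompanying document), the following sketch shows what a downstream element such as a proxy or SBC could do with the attributes the post describes. It assumes the name=value pairs arrive in a hypothetical X-SPIT-Attributes header and that the attribute names (FreeService, IdentityAuthorized, SuspiciousPattern, AssertionStrength) and the score thresholds are constructed for the example.

```python
# Constructed SIP INVITE. The X-SPIT-Attributes header and attribute names are
# assumptions for this example; the real carrier is SAML inside the SIP message.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "From: <sip:alice@free-itsp.example>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
    "X-SPIT-Attributes: FreeService=true; IdentityAuthorized=false; "
    "IdentityAsserted=true; SuspiciousPattern=false; AssertionStrength=25\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_spit_attributes(message, header="X-SPIT-Attributes"):
    """Extract the upstream name=value red flags from a SIP message.

    Header names are matched case-insensitively (SIP headers are), pairs are
    separated by ';', and a malformed pair without '=' is ignored.
    """
    attrs = {}
    head = message.split("\r\n\r\n", 1)[0]  # headers only, never the body
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == header.lower():
            for pair in value.split(";"):
                key, eq, val = pair.partition("=")
                if eq:
                    attrs[key.strip()] = val.strip()
    return attrs


def decide(attrs, divert_below=40, reject_below=15):
    """Map the red flags to a downstream action: allow, filter, divert, reject.

    The thresholds are local policy; the upstream score is advisory only.
    """
    def flag(name):
        return attrs.get(name, "false").lower() == "true"

    try:
        strength = int(attrs.get("AssertionStrength", "0"))
    except ValueError:
        strength = 0  # treat an unparseable score as no assurance at all
    if strength < reject_below:
        return "reject"
    if strength < divert_below or flag("SuspiciousPattern"):
        return "divert"  # e.g. send to voicemail or a challenge
    # Asserted but not authorized identity, or a free service, is weak evidence.
    if flag("FreeService") or not flag("IdentityAuthorized"):
        return "filter"  # accept but mark or rate-limit
    return "allow"
```

Because the score is subjective and set upstream, a downstream element should treat a missing or malformed header exactly as it treats the lowest score rather than as a clean call.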
