[VOIPSEC] Billing a SIP call by the minute
henrik.ingo at sesca.com
Tue Nov 8 07:36:48 GMT 2005
dhiraj.2.bhuyan at bt.com wrote:
> There are security issues in many of the current VoIP billing
> solutions that still need to be addressed. For example, a "modified"
> SIP phone may initiate a call and once the call is established, the
> SIP phone terminates the call (at SIP layer), but continues sending
> and receiving the RTP media streams. Since the RTP media stream is end
> to end (for most VoIP solutions), the billing system is fooled into
> believing that the call is over.
> Dhiraj Bhuyan
> Senior Security Researcher
> British Telecom, UK

Sure, but I've always thought in SIP that is more like a feature, not a
bug. Unless the RTP traffic is routed through a proxy of yours, or the
other party is on the PSTN in which case the call is routed through a
VoIP gateway of yours, why should they pay you anything? (In both of
those cases correct billing will also not be a problem.) SIP wasn't
designed to support that, and you may see that as something lacking in
SIP, but surely it is not a security issue.

It would seem logical to me that as a provider of a SIP Proxy, you may
bill something for the SIP traffic (the call setup) but not for the RTP
traffic (the actual voice) which may not even route close to any of your
networks. Also note that there are many legit ways to work around such
billing (such as "what is your IP, I'll call you directly?") without the
need to send forged BYE messages.
Henrik.Ingo at sesca.com
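
An added example, not part of the original thread: where the RTP does pass through the provider's own relay or gateway (the case mentioned in the reply above), billing can be reconciled against the media actually observed, so a stream that outlives its BYE is flagged. The record layouts, field names and the 2-second grace window are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

GRACE_SECONDS = 2.0  # assumed allowance for packets still in flight at BYE

@dataclass
class SipDialog:            # one record per call, from the proxy's signalling log
    call_id: str
    media: Tuple[str, int]  # caller's RTP address/port taken from the SDP
    answered: float         # time of the 200 OK to INVITE (billing starts)
    bye: Optional[float]    # time of BYE (billing stops); None while active

@dataclass
class RtpFlow:              # one record per stream, from the relay or gateway
    endpoint: Tuple[str, int]
    first_pkt: float
    last_pkt: float

def reconcile(dialogs, flows, grace=GRACE_SECONDS):
    """Flag calls whose RTP kept flowing through the relay after the BYE."""
    findings = []
    for d in dialogs:
        if d.bye is None:
            continue  # still being billed
        for f in flows:
            if f.endpoint != d.media:
                continue
            # Port reuse: a flow that does not overlap this call is another call's.
            if f.first_pkt > d.bye or f.last_pkt < d.answered:
                continue
            overrun = f.last_pkt - d.bye
            if overrun > grace:
                findings.append({"call_id": d.call_id,
                                 "billed_seconds": d.bye - d.answered,
                                 "unbilled_seconds": overrun})
    return findings

# Constructed sample records (documentation addresses, invented Call-IDs).
DIALOGS = [
    SipDialog("a1@example.invalid", ("192.0.2.10", 40000), 100.0, 160.0),
    SipDialog("b2@example.invalid", ("192.0.2.11", 40002), 200.0, 205.0),
    SipDialog("c3@example.invalid", ("192.0.2.12", 40004), 300.0, None),
]
FLOWS = [
    RtpFlow(("192.0.2.10", 40000), 100.2, 160.4),   # stops with the BYE
    RtpFlow(("192.0.2.10", 40000), 500.0, 560.0),   # later call, same port
    RtpFlow(("192.0.2.11", 40002), 200.1, 1405.0),  # media outlives the BYE
    RtpFlow(("192.0.2.12", 40004), 300.1, 900.0),   # call still active
]
```

This only works for media the provider can see; for end-to-end RTP that never touches its network there is nothing to reconcile.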