[VOIPSEC] Billing a SIP call by the minute
dhiraj.2.bhuyan at bt.com
Tue Nov 8 05:24:31 CST 2005
>>dhiraj.2.bhuyan at bt.com wrote:
>> There are security issues in many of the current VoIP billing
>> solutions that still need to be addressed. For example, a "modified"
>> SIP phone may initiate a call and once the call is established, the
>> SIP phone terminates the call (at SIP layer), but continues sending
>> and receiving the RTP media streams. Since the RTP media stream is end
>> to end (for most VoIP solutions), the billing system is fooled into
>> believing that the call is over.
>>
>> Dhiraj Bhuyan
>> Senior Security Researcher
>> British Telecom, UK
>>
>Sure, but I've always thought in SIP that is more like a feature, not a
>bug. Unless the RTP traffic is routed through a proxy of yours, or the
>other party is on the PSTN in which case the call is routed through a
>VoIP gateway of yours, why should they pay you anything? (In both of
>those cases correct billing will also not be a problem.) SIP wasn't
>designed to support that, and you may see that as something lacking in
>SIP, but surely it is not a security issue.
>
>It would seem logical to me that as a provider of a SIP Proxy, you may
>bill something for the SIP traffic (the call setup) but not for the RTP
>traffic (the actual voice) which may not even route close to any of your
>networks. Also note that there are many legit ways to work around such
>billing (such as "what is your IP, I'll call you directly?") without the
>need to send forged BYE messages.
>henrik
>--
>Henrik.Ingo at sesca.com
>+358-40-5697354
I totally agree. The kind of service you are talking about is a yellow page lookup, where you are querying the Registrar for the address of the callee (and the caller pays for the lookup). If you were to offer a telco grade VoIP service, there are other things that need to be addressed as well. For example, how will you do legal interception (if this is needed as per regulatory requirements)? How will you offer QoS? If you are offering QoS, shouldn't the customers pay for it? etc. etc. Moreover, I think, revealing the IP address of the caller to the callee and vice versa is not always a good idea. From an IP address one can often dig out a lot of information about a person (physical location etc).
Dhiraj
------
Dhiraj Bhuyan, CISSP
Senior Security Researcher,
British Telecom, UK
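As an added example (not part of the thread), here is the check a provider that relays the media itself, the proxy or PSTN gateway case Henrik describes, can run against its own logs: correlate each SIP BYE with the RTP still seen on the media port that call advertised, flag calls whose media outlives the signalling, and bill on observed media rather than on the BYE. The log record layouts, port numbers and grace period are assumptions for the sample.

```python
from typing import Dict, List, Optional, Tuple

# SIP event as logged at the proxy: (time_s, method, call_id, rtp_port);
# rtp_port is the UDP port the endpoint advertised in its SDP (None for BYE).
SipEvent = Tuple[float, str, str, Optional[int]]
# RTP packet as seen at a media relay or PSTN gateway: (time_s, udp_port).
RtpPacket = Tuple[float, int]

def call_windows(events: List[SipEvent]) -> Dict[str, Tuple[float, Optional[float], int]]:
    """Map call_id -> (setup_time, bye_time or None, rtp_port) from the SIP log."""
    windows: Dict[str, Tuple[float, Optional[float], int]] = {}
    for t, method, call_id, port in events:
        if method == "INVITE" and port is not None:
            windows[call_id] = (t, None, port)
        elif method == "BYE" and call_id in windows:
            start, _, p = windows[call_id]
            windows[call_id] = (start, t, p)
    return windows

def last_rtp_by_port(packets: List[RtpPacket]) -> Dict[int, float]:
    """Timestamp of the most recent RTP packet seen on each media port."""
    last: Dict[int, float] = {}
    for t, port in packets:
        last[port] = max(last.get(port, 0.0), t)
    return last

def media_after_bye(events: List[SipEvent], packets: List[RtpPacket],
                    grace_s: float = 2.0) -> Dict[str, float]:
    """call_id -> seconds that RTP kept flowing after the SIP BYE, beyond a grace period."""
    last = last_rtp_by_port(packets)
    flagged: Dict[str, float] = {}
    for call_id, (_, bye, port) in call_windows(events).items():
        if bye is not None and last.get(port, 0.0) - bye > grace_s:
            flagged[call_id] = last[port] - bye
    return flagged

def billable_seconds(events: List[SipEvent], packets: List[RtpPacket]) -> Dict[str, float]:
    """Bill on observed media, not signalling: the call ends at the later of BYE and last RTP."""
    last = last_rtp_by_port(packets)
    return {cid: max(bye or 0.0, last.get(port, 0.0)) - start
            for cid, (start, bye, port) in call_windows(events).items()}

# Constructed sample: call-A hangs up cleanly at 60 s; call-B sends BYE at 30 s
# but its endpoints keep exchanging RTP through the relay until 300 s.
SIP_LOG: List[SipEvent] = [
    (0.0, "INVITE", "call-A", 20000), (60.0, "BYE", "call-A", None),
    (0.0, "INVITE", "call-B", 20010), (30.0, "BYE", "call-B", None),
]
RTP_LOG: List[RtpPacket] = ([(float(t), 20000) for t in range(1, 61)]
                            + [(float(t), 20010) for t in range(1, 301)])
```

With the sample logs, `media_after_bye` reports call-B with 270 s of media after its BYE, and `billable_seconds` charges call-B for 300 s instead of the 30 s its signalling claims.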