[VOIPSEC] An issue of trust?

Geoff Devine gdevine at cedarpointcom.com
Sat Jun 17 09:00:03 CDT 2006


Andre Fucs de Miranda wrote:
> Any reasonable SIP or MGCP switch or SBC should be already capable of
> handling the CALEA requirements.

Actually, that's not 100% true for SIP endpoints.  J-STD-025 requires
that _ALL_ telephony events and features get reported on a "call detail
channel".  There is an FBI conformance test to verify this.  If you do a
lot of telephony features within the SIP User Agent, there is no way you
can pass this particular sub-section of the FBI conformance test.  For
example, you can't distinguish with 100% certainty the difference
between a 3-way conference and two separate calls on a 2-line ATA when
the conference bridge is local to the ATA.  

Randell Jesup writes:

> PSTN gateways usually don't do encryption, since they're so focused on
> density (channels/device).  (Do any of them do encryption?)  In the medium
> to long term, increasing number of calls (especially to/from/in certain
> countries) will be IP<->IP.

In my strange and wonderful universe of VoIP over cable, all media
gateways support encryption.  The PacketCable Security spec mandates
128-bit AES.  In our implementation, we do this in an FPGA to preserve
(very expensive) DSP codec density.  Depending on implementation, media
security done in a DSP can cost 10-30% channel density in what ends up
being a very expensive piece of silicon as you scale things.  Anyone who
is PacketCable qualified has been tested for encryption support.  If you
scan through the list on the CableLabs web site, this includes Siemens,
Nuera, AudioCodes (who just bought Nuera), Cisco, and General Bandwidth.
There are now 4 million residential customers using these media
gateways.  As far as I know, none of the cable operators have turned on
media encryption since the DOCSIS access network is already encrypted
but the function is supported by everyone.

Randell Jesup also writes:

> An SBC (or equivalent) setup has issues when the provider of the proxy
> doesn't also control the access link to the subscriber.  The issues have
> to do with call quality, and to enable the 1 in 100,000,000 chance a call
> will need to be intercepted (excluding police states or "trolling"...),
> ALL calls will be slightly to severely negatively impacted (added delay,
> packet loss, point of failure).  And the cost is far from negligible as
> the revenue model shifts away from traditional POTS models.

If you are offering interoperability with the PSTN, you inherit PSTN
requirements.  This costs money.  As much as "over the top" service
providers wish it were so, you can't escape from CALEA requirements.
This is a cost to service providers that ends up being passed to the
customer.  Similarly, Vonage discovered a couple of days ago that they
are now subject to Universal Service charges.  A piece of your Vonage
bill will now go to subsidize rural telcos.  Personally, I think this is
proper public policy.  Just because someone is wealthy enough to afford
a broadband connection, they shouldn't be exempted from having to pay
the costs associated with lawful intercept, 911, and rural subsidy.
Where I live, wireline and cellular customers pay $1.00 per month to pay
off the 911 PSAP in New Hampshire.  I think it's only fair that a Vonage
customer who can also dial 911 pay the same $1.00 per month.

Geoff Devine
Chief Architect
Cedar Point Communications



