[VOIPSEC] Watering down VoIP security expectations.
Simon Horne
s.horne at packetizer.com
Fri Mar 10 08:18:49 CST 2006
At 05:16 PM 10/03/2006, Tobias Glemser wrote:
>Simon,
>
>let me just pick one point of your quite interesting posting.
>
> > When I first joined the list back in the early days, there was some
> > discussion on SPIT and the tone was "how do we kill it".
>(..)
> > solution was actually quite simple. "Put an authentication component
> > in the first call setup message to identify the caller." If the caller
> > has it and authenticates then accept the call. If it doesn't then
> > reject the call.
>Maybe this would "kill" SPIT. But without any doubt this would kill VoIP.
>If someone tries to call me, I want my damn phone to ring. I don't want to
>exchange keys or anything like that before the first call can be
>established. And, by the way, we already have SPAM in our good old POTS,
>my answering machine knows what I'm talking about. POTS did not "evolve"
>either, because this is not a technical problem, but a fundamental one.

There are two points here. Firstly, we want to use TLS to secure the
signalling channel, right? To do TLS we already do a key exchange, or have I
completely missed something? So my point is, if you take a holistic
approach to security then the key you use to secure the signalling channel
can also be used to authenticate the caller. We use a weak shared secret or
the like to secure the media key exchanges, right? Could we also use the same
key to better encrypt the media keys? This is what is meant by a holistic
approach to VoIP security. Instead of 3 different separate methods for
authentication, signal encryption and media encryption we have 1 that does
3 functions, thereby greatly improving the overall efficiency, greatly
reducing duplication and providing the customer with far better performance
without compromising security.

Secondly, isn't VoIP supposed to be better than the standard telephone? Why
would I want to use VoIP when I still get cold calls? As we migrate to a
complete end-to-end IP solution, can't we design in methods to efficiently
deal with it (kill it)? You mentioned Answering Machine? This is what I'm
talking about: you're "living" with the problem on the POTS, why do we have
to live with it on VoIP?

>We want to be reachable without any barrier. This is why I'm sure there
>will never be a way to avoid SPAM no matter which "we want to be
>reachable" media we're looking at: eMail, VoIP, POTS or your door bell.
>("door bell SPAM": "Hello, we would like to talk with you about god", I
>had this twice last year *scnr*).

You want to be reachable to everyone? Allow unauthenticated callers, or if
you require "true Identity" then require authentication. It's a heck of a
lot better than screening calls with an answering machine :) . If you want
a restricted number then the flexibility should be there for the inclusion
of user/pass so callers can be admitted on a call by call basis. This is a
much better solution than having an IVR system and requesting PIN numbers etc.

>Just have a look at eMail-SPAM: There have been services (and maybe
>they're still there) where the ServiceProvider sends an eMail back to the
>initial sender, containing a dynamic link the initial sender has to
>follow, to validate he's a human being. This really did the job, users of
>this service almost never got spam because on the "I am a human, let me
>send this eMail" authentication website you had to enter a dynamic code
>displayed in an image. Bots did not take this challenge.
>So there was/is a way to avoid SPAM. But, do you know anyone using such a
>service? I don't, because the user acceptance is somewhere between low and
>bottomless.
>So, if such a service is not working with a media like eMail, which is
>normally not that time-critical, I really don't think this would work with
>a media like VoIP. Again: If I want to call, I want to call now, and on
>the other side, if I use a phone, I want to be reachable.
>
>Every service which would work without user interaction but authentication
>would be some kind of CA where every phone worldwide is registered and as
>soon as SPAM is reported over a specific phone, it's blacklisted. But to
>get this scenario really working we would have to leave earth and go to
>Alice's Wonderland :)

Really? Wonderland? OK? Do we live with a closed "peering" solution where
you can't call another person because your provider is not on the same
peering group as the person you are calling. They definitely will not open
their networks up to the open Internet because of the threat of SPIT? So
you will just have to revert back to the POTS. There are great services
such as ENUM and DNS SRV which can efficiently route calls using DNS BUT you
can't use them and your provider is unwilling to support them because of
the threat of SPIT (and other reasons). This is a clear example of how "living
with" a problem is hampering the evolution of VoIP. There are already
softphones that can handle PKI authentication (not in SIP) so I guess we're
going down that rabbit hole...:)

>So my conclusion is this:
>The SPAM/SPIT problem will never be beaten, we can only try to develop
>better and better solutions to eliminate as much SPAM/SPIT as possible
>before it reaches the user. This is where we can evolve, just have a look
>at Anti-SPAM Boxes today. The race has begun but it will never finish.

Email is completely broken. It's like trying to fix something after it's
been shattered into a million pieces. VoIP is not there yet, but not
efficiently dealing with (fixing) the problem of SPIT and opening networks
up to public access breaks VoIP (which we don't want to happen). Trying to
live with it and manage it limits VoIP's potential (which we don't want
either) so we have no choice but to FIX IT.

Simon
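
The admission logic discussed in this message, as an added sketch that is not code from the original post or from any VoIP stack: one session secret is expanded with HKDF into separate caller-authentication, signalling and media-key-wrapping keys, and the callee's policy decides whether a first setup message without a valid authentication component is accepted. Assumptions: the secret comes from a key exchange that already authenticated the caller's identity; the message fields, labels and policy names are hypothetical; the `restricted` policy uses an allow list in place of the per-call user/pass mentioned above.

```python
import hashlib
import hmac

def hkdf(secret: bytes, label: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) with an all-zero salt; label is the 'info' input."""
    prk = hmac.new(b"\x00" * 32, secret, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + label + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def derive_keys(session_secret: bytes) -> dict:
    # One exchanged secret, three independent keys (labels are hypothetical).
    return {use: hkdf(session_secret, b"voip-example " + use.encode())
            for use in ("caller-auth", "signalling", "media-wrap")}

def auth_tag(auth_key: bytes, caller: str, callee: str, call_id: str) -> str:
    # Authentication component carried in the first call setup message.
    msg = "\n".join((caller, callee, call_id)).encode()
    return hmac.new(auth_key, msg, hashlib.sha256).hexdigest()

def admit(setup: dict, policy: str, auth_key: bytes = None, allowed=frozenset()) -> bool:
    """policy: 'open' rings for anyone, 'authenticated' needs a valid tag,
    'restricted' additionally needs the caller on the callee's allow list."""
    if policy == "open":
        return True
    tag = setup.get("auth_tag")
    if not isinstance(tag, str) or auth_key is None:
        return False  # no authentication component: reject the call
    expected = auth_tag(auth_key, setup["caller"], setup["callee"], setup["call_id"])
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return False  # tag does not match this caller/callee/call-id
    return policy == "authenticated" or setup["caller"] in allowed

# Constructed sample data, not taken from any real deployment.
SECRET = b"constructed-session-secret"
KEYS = derive_keys(SECRET)
GOOD = {"caller": "alice@example.org", "callee": "bob@example.net", "call_id": "c1"}
GOOD["auth_tag"] = auth_tag(KEYS["caller-auth"], GOOD["caller"],
                            GOOD["callee"], GOOD["call_id"])
ANON = {"caller": "unknown@example.com", "callee": "bob@example.net", "call_id": "c2"}
```
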