[VOIPSEC] (Missed)Trust in Caller ID Act
Geoff Devine
gdevine at cedarpointcom.com
Sat Oct 14 16:01:16 BST 2006
Jesus Oquendo writes:
> Is this fair? What about overseas companies passing off bogus
> information, what mechanisms exist for checking the validity
> of where the call is coming from? E.g.:
>
> Russian-VoIP-ISP.com is a known VoIP despot who routes calls
> through some point to point in the US. That point to point
> routes it through Level3 down the chain, there is no mechanism
> I know of that can do reverse checking to validate that this
> number is coming from a legitimate source. Is this Level3's
> fault?
In a word.... Yes.
To it's up to Level3 to police their trust federation. If they have a
customer who is allowing Russian-VoIP-ISP.com to spoof CallerID, Level3
must pull the plug on that customer or at least filter CallerID for
calls from that customer.
I grow rather tired of the arguments offered by the SIP community. The
telephone network has a known set of requirements. SIP and SIP-based
VoIP architectures were created that completely ignored those
requirements. The reality of legacy requirements keeps intruding on the
SIP community and the knee-jerk reaction is to reject these requirements
out of hand as being "old" and "obsolete".
* We watched the VoIP community howl in anguish about emergency
services
requirements.
* We watched the VoIP community howl in anguish about lawful intercept
requirements.
* We watched the VoIP community howl in anguish about universal service
fees.
* Malicious calls (a.k.a. SPIT) and customer originated trace
requirements are another big problem in VoIP networks.
In this thread, we're watching the VoIP community howl in anguish about
CallerID problems they created and are expected to fix. Most of the
legacy telephony requirements are there for very good public policy
reasons. In my opinion, it's a very poor engineering job to build
something without first learning the full requirements.
Geoff
More information about the Voipsec
mailing list