[VOIPSEC] Voipsec Digest, Vol 37, Issue 4

Wentink, Rachel Rachel.Wentink at inin.com
Mon Jan 21 07:26:49 CST 2008


John, without appearing too self-serving, as mentioned below I'd suggest
you compare a few companies offering IP PBX systems. Ask yourself what
you want to accomplish in switching to VoIP, and from that you may want
to put together an RFP with the key capabilities in it. If security is
important to you then definitely include items such as support for TLS
and SRTP.

Best of luck in your research,

Rachel

Rachel Wentink| Director, Product Management
phone & fax +1.317.715.8605 | Rachel.Wentink at inin.com
 
Interactive Intelligence Inc.
Deliberately Innovative
www.inin.com


-----Original Message-----
From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
Behalf Of voipsec-request at voipsa.org
Sent: Saturday, January 19, 2008 2:20 PM
To: voipsec at voipsa.org
Subject: Voipsec Digest, Vol 37, Issue 4

Send Voipsec mailing list submissions to
	voipsec at voipsa.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
or, via email, send a message with subject or body 'help' to
	voipsec-request at voipsa.org

You can reach the person managing the list at
	voipsec-owner at voipsa.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Voipsec digest..."


Today's Topics:

   1. Re: Need recommendations on voip pbx's (Jacek Materna)
   2. Re: Need recommendations on voip pbx's (Dan York)
   3. Re: Need recommendations on voip pbx's (Muhammad Ali Syed)
   4. Re: Need recommendations on voip pbx's (Ari Takanen)
   5. Re: Need recommendations on voip pbx's (Jacek Materna)
   6. Re: VoIP Spam paper (Hannes Tschofenig)


----------------------------------------------------------------------

Message: 1
Date: Fri, 18 Jan 2008 09:32:57 -0500
From: "Jacek Materna" <jmaterna at voipshield.com>
Subject: Re: [VOIPSEC] Need recommendations on voip pbx's
To: "John Richards" <jr.richards73 at gmail.com>,	<voipsec at voipsa.org>
Message-ID: <BC75A0FA6BFF1B49825EFD239D4B1BC54D4B89 at corporate-serve.voipshield.com>
Content-Type: text/plain; charset="us-ascii"

Go Nortel if you want to keep the meridian (I would not), or I recommend
Cisco without question, great performance and relative ease of use +
future proof.

http://bleedingvoip.com/bleedingvoip-showdowns/cisco-vs.-nortel-enterprise-showdown.html

Jacek M. 


-----Original Message-----
From: voipsec-bounces at voipsa.org on behalf of John Richards
Sent: Thu 1/17/2008 8:52 PM
To: voipsec at voipsa.org
Subject: [VOIPSEC] Need recommendations on voip pbx's
 
Hello VoIPsec Mailing List,

   The company I work for is thinking about getting rid of our current
PBX system (Meridian PBX) and are thinking about deploying a Voice over
IP system. Our company has some small branches scattered around and we
either want to deploy smaller PBX systems within each branch or set up
the employees at each branch to somehow be remote workers.  We are
looking for a well-defined system with a good consumer base and a good
support team. Our budget for this project has not yet been defined, but we
are willing to spend the extra money to get a good and reliable system.
I'm open to suggestions as I have been assigned the task of doing the
research and giving my recommendation back to our management. I've done
a bit of research already hence why I am asking this group for any
recommendations and suggestions on vendors and technologies to use.

Cheers,
John Richards
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org







------------------------------

Message: 2
Date: Fri, 18 Jan 2008 10:24:07 -0500
From: Dan York <dyork at voxeo.com>
Subject: Re: [VOIPSEC] Need recommendations on voip pbx's
To: John Richards <jr.richards73 at gmail.com>
Cc: voipsec at voipsa.org
Message-ID: <F4A10FFD-1E31-4A77-82A2-2B9494F71A22 at voxeo.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed

John,

I expect you'll see a range of responses from folks here, either
on-list or directly. Most all of the various IP-PBX vendors have someone
subscribed to this list.

Since this list is focused on VoIP security, I don't know that it's
really the right place to have an all-out "PBX faceoff". I can say that
from a *security* point of view, if *I* personally were looking to buy an
IP-PBX, I would probably ask questions like:

1. Can the system support encryption of voice (typically Secure RTP
(SRTP)) and signaling (typically some form of TLS)?
2. Is encryption enabled by default?  What has to be done to enable it?
Is there a performance impact?
3. Is encryption available for all supported IP phones?  Or is it
limited to specific handsets?
4. How do the IP phones authenticate to the IP-PBX? Do they use
certificates?
5. What services do the IP phones have running on them?  (Some have web
servers, SSH servers) Are those services necessary?
6. Can the IP phones be centrally managed and provisioned?
7. How are the software loads for the IP phones stored? Are they in the
phones? Downloaded via TFTP? Encrypted?
8. How is the security of wireless IP handsets addressed?
9. How are management interfaces secured?  APIs?
10. Do the IP phones have default passwords?  Are they forced to be
changed?
11. What kind of traditional PSTN security is available? i.e. toll fraud
prevention, call restrictions, feature access restrictions
12. What operating systems do the IP-PBX and associated applications use?
How up-to-date are they with patches? How do they handle that?
etc.

And the list can go on (and others on the list are welcome to add to
what I listed).  If a certain someone whose last name is York would get
the Best Practices project re-started, we would have a nice  
document you could use to assess the security of various vendors.   
(Hoping to kick that off next week...)

Hmmm... maybe in addition to the Best Practices document we should have
a "VoIP Security Buyer's Guide: Questions to ask your vendor"  
that is a page or two (and points to the Threat Taxonomy, Best
Practices, etc.).  What do people think?

Most all of the vendors I am aware of - Cisco, Avaya, Nortel, Mitel,
Alcatel - all have systems that meet those questions to various degrees.

My 2 cents,
Dan

P.S. And I say all this realizing that the security considerations may
all be thrown out the window at some customers if an executive happens
to like a particularly sleek-looking phone.... :-)

On Jan 17, 2008, at 8:52 PM, John Richards wrote:

> Hello VoIPsec Mailing List,
>
>    The company I work for is thinking about getting rid of our current
> PBX system (Meridian PBX) and are thinking about deploying a Voice over
> IP system. Our company has some small branches scattered around and we
> either want to deploy smaller PBX systems within each branch or set up
> the employees at each branch to somehow be remote workers.  We are
> looking for a well-defined system with a good consumer base and a good
> support team. Our budget for this project has not yet been defined, but
> we are willing to spend the extra money to get a good and reliable
> system. I'm open to suggestions as I have been assigned the task of
> doing the research and giving my recommendation back to our
> management. I've done a bit of research already hence why I am asking
> this group for any recommendations and suggestions on vendors and
> technologies to use.
>
> Cheers,
> John Richards
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org

--
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO    Voxeo Corporation     dyork at voxeo.com
Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony.com

Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com
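A practical follow-up to questions 1 to 3 in Dan's list, added here as an example and not part of his message or of any vendor's code: once a candidate IP-PBX is on the bench, capture the SDP offer/answer from a test call and check whether SRTP was actually negotiated for every media stream, rather than relying on the datasheet's "supports SRTP" line. The script assumes the SDP layout of RFC 4566 and the keying conventions of RFC 4568 (SDES, `a=crypto:`) and RFC 5763 (DTLS-SRTP, `a=fingerprint:`); the set of secure transport profiles, the sample SDP bodies, and the key and fingerprint strings in them are all constructed for the demo.

```python
"""Flag SDP media streams that would carry plaintext RTP instead of SRTP.

Added example (not from the VOIPSEC list or any vendor). Assumes RFC 4566
SDP, RFC 4568 a=crypto: (SDES) and RFC 5763 a=fingerprint: (DTLS-SRTP).
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Transport profiles that carry SRTP rather than plain RTP (assumed set).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}


@dataclass
class MediaStream:
    media: str                      # "audio", "video", ...
    port: int                       # 0 means the stream is rejected/disabled
    profile: str                    # transport profile from the m= line
    crypto_lines: List[str] = field(default_factory=list)   # a=crypto: values (SDES)
    fingerprint: bool = False       # a=fingerprint: seen (DTLS-SRTP)

    def is_protected(self) -> bool:
        """Protected only if the profile is secure AND keying is signalled.

        A secure profile with no keying is a misconfiguration (the stream
        would fail or fall back), so it is reported rather than trusted.
        """
        if self.port == 0:
            return True
        if self.profile not in SECURE_PROFILES:
            return False
        return bool(self.crypto_lines) or self.fingerprint


def parse_sdp(sdp: str) -> List[MediaStream]:
    """Extract per-stream transport profile and keying attributes from SDP."""
    streams: List[MediaStream] = []
    current: Optional[MediaStream] = None
    session_fingerprint = False     # a=fingerprint before any m= applies to all streams
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()
            if len(parts) < 3:
                raise ValueError(f"malformed media line: {line!r}")
            port = int(parts[1].split("/")[0])     # "49170/2" -> 49170
            current = MediaStream(parts[0], port, parts[2], fingerprint=session_fingerprint)
            streams.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current.crypto_lines.append(line[len("a=crypto:"):])
        elif line.startswith("a=fingerprint:"):
            if current is None:
                session_fingerprint = True
            else:
                current.fingerprint = True
    return streams


def unprotected_streams(sdp: str) -> List[str]:
    """One finding per media stream that would carry plaintext RTP."""
    return [
        f"{s.media} on port {s.port} uses {s.profile} without SRTP keying"
        for s in parse_sdp(sdp)
        if not s.is_protected()
    ]


# --- constructed sample SDP bodies (keys/fingerprints are placeholders) ---
PLAIN_OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
"""

SDES_OFFER = """v=0
o=alice 2890844526 2890844527 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY_NOT_A_REAL_KEY
"""

DTLS_OFFER = """v=0
o=alice 2890844526 2890844528 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
a=fingerprint:sha-256 PLACEHOLDER:FINGERPRINT:NOT:REAL
m=audio 49170 UDP/TLS/RTP/SAVPF 0
a=setup:actpass
"""

# One keyed audio stream, one plain video stream, one SAVP stream with no keys.
MIXED_OFFER = """v=0
o=alice 2890844526 2890844529 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY_NOT_A_REAL_KEY
m=video 51372 RTP/AVP 31
m=audio 49172 RTP/SAVP 0
"""
```

Run `unprotected_streams()` over the SDP from the INVITE and the 200 OK of a test call (both directions matter, since the answer decides what is actually used); an empty list means every active stream was negotiated with a secure profile and keying material. A stream on RTP/SAVP with no `a=crypto:` line is reported deliberately: that combination is what a phone or PBX produces when SRTP is "enabled" in a menu but no keying method is configured, which is exactly the question-2 case of encryption that exists on paper but not on the wire.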






------------------------------

Message: 3
Date: Fri, 18 Jan 2008 16:37:49 +0100
From: "Muhammad Ali Syed" <muhammad.ali.syed at ericsson.com>
Subject: Re: [VOIPSEC] Need recommendations on voip pbx's
To: "Dan York" <dyork at voxeo.com>,	"John Richards"
	<jr.richards73 at gmail.com>
Cc: voipsec at voipsa.org
Message-ID: <77645E696D7F5D4A8C6A943DE46CFE5B027E9EB9 at esealmw115.eemea.ericsson.se>
Content-Type: text/plain; charset="iso-8859-1"

I agree with Dan, let's leave this list clean from the vendors'
marketing gimmicks :) Probably we are better off by having only
technology-specific questions here.

Best Regards
S. Muhammad Ali

Systems Manager
PDU IP PBX Mobility Solutions
Ericsson Enterprise AB
Business Unit Multimedia, Unit Enterprise LM Ericssons väg 30
SE-126 25 Stockholm, Sweden
www.ericsson.com	Office: +46 568 67 697
Fax: +46 8 719 5688
Mobile: +46 761263861
muhammad.ali.syed at ericsson.com





------------------------------

Message: 4
Date: Fri, 18 Jan 2008 17:56:45 +0200
From: Ari Takanen <voipsa at codenomicon.com>
Subject: Re: [VOIPSEC] Need recommendations on voip pbx's
To: Dan York <dyork at voxeo.com>
Cc: voipsec at voipsa.org
Message-ID: <20080118155645.GG27937 at codenomicon.com>
Content-Type: text/plain; charset=us-ascii

At least based on our studies, 80% of VoIP implementations (*) STILL
fail even with fuzz testing. No matter what security mechanisms you
have in place, you will have very weak security if no security testing
is taking place during the software development. Products from many
major vendors are a pretty safe choice still, as they have pretty good
development practices today. Ask your vendor, otherwise they will
never be motivated to improve the security/quality.

/Ari

(*) This 80% failure rate was true already in 2002 when PROTOS tests
came out. Although most of those problems were fixed, the fuzzers have
taken significant development since then. Some companies still do not
do any negative testing beyond PROTOS fuzzing (I hope they do that at
least).

-- 
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                       Codenomicon Ltd.
ari.takanen at codenomicon.com       Tutkijantie 4E
tel: +358-40 50 67678             FI-90570 Oulu
http://www.codenomicon.com        Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
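An added illustration of the negative-testing point Ari makes (this is not code from the VOIPSEC list, from Codenomicon or from the PROTOS suite): a small SIP request parser with explicit limits, and a set of constructed malformed messages that it must reject with a clean error. Any case that comes back "accepted" or "crashed" is a robustness bug to fix before the product ships. The parser, its limits, the allowed method set and every message below are assumptions made for the demo; compact header forms (`v:`, `f:`, `t:` and so on) are deliberately not handled.

```python
"""Negative tests for a SIP request parser: malformed input must be
rejected with a clean error, never crash the parser or slip through.

Added example, not code from the VOIPSEC list, Codenomicon or PROTOS.
All limits, messages and cases are constructed for the demo.
"""
from typing import Dict, List, Tuple

MAX_LINE_LEN = 1024          # assumed limit on a single header line
MAX_HEADERS = 64             # assumed limit on the number of header lines
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "OPTIONS", "REGISTER"}
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq")


class SipParseError(ValueError):
    """Raised for any input the parser refuses; the caller drops the message."""


def parse_request(raw: bytes) -> dict:
    """Parse a SIP request, enforcing size limits before interpreting content."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError as exc:
        raise SipParseError("non-ASCII byte in message") from exc
    head, sep, body = text.partition("\r\n\r\n")
    if not sep:
        raise SipParseError("no end-of-headers CRLFCRLF")
    lines = head.split("\r\n")
    if len(lines) - 1 > MAX_HEADERS:
        raise SipParseError("too many header lines")
    request_line = lines[0].split(" ")
    if len(request_line) != 3 or request_line[2] != "SIP/2.0":
        raise SipParseError("malformed request line")
    method, uri, _ = request_line
    if method not in ALLOWED_METHODS:
        raise SipParseError(f"unsupported method {method!r}")
    if not uri.startswith(("sip:", "sips:")):
        raise SipParseError("request-URI is not a SIP URI")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE_LEN:
            raise SipParseError("header line too long")
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise SipParseError(f"malformed header line {line[:32]!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    for required in REQUIRED_HEADERS:
        if required not in headers:
            raise SipParseError(f"missing {required} header")
    declared = headers.get("content-length", ["0"])[0]
    if not declared.isdigit() or int(declared) != len(body.encode("ascii")):
        raise SipParseError("Content-Length does not match body length")
    return {"method": method, "uri": uri, "headers": headers, "body": body}


# --- constructed messages ------------------------------------------------
VALID = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.com>;tag=1928301774\r\n"
    b"To: <sip:bob@example.com>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def _with_extra_header(extra: bytes) -> bytes:
    """Insert extra header bytes just before the blank line of VALID."""
    return VALID.replace(b"\r\n\r\n", b"\r\n" + extra + b"\r\n\r\n")


MALFORMED_CASES: List[Tuple[str, bytes]] = [
    ("truncated mid-header", VALID[:60]),
    ("overlong header line", _with_extra_header(b"Subject: " + b"A" * 4096)),
    ("too many headers", _with_extra_header(b"\r\n".join([b"X-Pad: 1"] * 100))),
    ("header without colon", _with_extra_header(b"this line has no colon")),
    ("missing Call-ID", VALID.replace(b"Call-ID: a84b4c76e66710@192.0.2.10\r\n", b"")),
    ("Content-Length larger than body", VALID.replace(b"Content-Length: 0", b"Content-Length: 999")),
    ("unknown method", VALID.replace(b"INVITE sip:", b"BOGUS sip:", 1)),
    ("non-ASCII byte in request line", b"INVITE sip:\xffbob@example.com SIP/2.0\r\n\r\n"),
]


def run_negative_tests() -> Dict[str, str]:
    """Map each case to 'rejected' (good), 'accepted' (bug) or 'crashed: <Exc>' (bug)."""
    results: Dict[str, str] = {}
    for name, message in MALFORMED_CASES:
        try:
            parse_request(message)
            results[name] = "accepted"
        except SipParseError:
            results[name] = "rejected"
        except Exception as exc:           # any other exception is a robustness bug
            results[name] = f"crashed: {type(exc).__name__}"
    return results
```

The point of separating `SipParseError` from every other exception is that the test distinguishes "the parser refused this on purpose" from "the parser fell over" (an `IndexError` on a missing request-line field, a `ValueError` from `int()` on a non-numeric length, and so on); the second kind is what fuzzers find in shipping stacks, and a parser that checks limits before it touches content is how you keep that class of bug out.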



------------------------------

Message: 5
Date: Fri, 18 Jan 2008 12:06:06 -0500
From: "Jacek Materna" <jmaterna at voipshield.com>
Subject: Re: [VOIPSEC] Need recommendations on voip pbx's
To: "Dan York" <dyork at voxeo.com>,	"John Richards"
	<jr.richards73 at gmail.com>
Cc: voipsec at voipsa.org
Message-ID: <BC75A0FA6BFF1B49825EFD239D4B1BC54D4BBC at corporate-serve.voipshield.com>
Content-Type: text/plain; charset="us-ascii"

Dan,

I believe the more open guides/pointers possible the better. There are
some around the web but most are locked out and require privileged
access. Even with, from what I've seen there's nothing too exciting
there. At bleedingvoip we're trying to open it up to all. If you need a
hand around, let me know. 

Jacek




------------------------------

Message: 6
Date: Sat, 19 Jan 2008 21:19:51 +0200
From: Hannes Tschofenig <Hannes.Tschofenig at gmx.net>
Subject: Re: [VOIPSEC] VoIP Spam paper
To: vijay arvind <vijay.arvind at gmail.com>
Cc: voipsec at voipsa.org, SIPPING LIST <sipping at ietf.org>, Eric Rescorla <ekr at networkresonance.com>
Message-ID: <47924D57.4020901 at gmx.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi Vijay,

sorry for the late response.

First, I would like to start with a high-level observation. You are
combining authentication and authorization in your documents. I don't
believe that this is really necessary. SPIT prevention is largely an
authorization problem that can be separated from the specific details of
how authentication was done. This is also true for the current SIP work
where various mechanisms are available for authentication but they are 
largely decoupled from the authorization policy framework used, for 
example, in the presence authorization policy work or for media 
security. Our work on SPIT prevention focuses on the authorization part 
since there is a lot of prior work in the context of SIP-based 
authentication that can be leveraged without introducing a lot of 
dependency. For us, there is very little reason to come up with new 
solutions in the authentication space only for SPIT prevention usage.

Now, I have some comments for you inline:

vijay arvind wrote:
> Hello Hannes,
> Thanks for introducing the paper to the larger community. Was away for
> thanksgiving so could not respond earlier. I have a few
> additions/corrections to what has been mentioned in your mail:
>
> 1) The contents of the call credential:
> The call credential contains the following information, in addition, to
> provide sender authentication and remove the possibility of credential
> misuse:
> Identity of Caller, Public Key of Caller, Identity of Call Recipient,
> Public Key of Call Recipient, Call Duration, Timestamp, {all the previous
> info encrypted with the caller's private key}.
> This ensures multiple things

In the context of our work I guess we are largely interested only in the
"Call Duration" part of your solution (rather than the authentication
specific parts).

> a) If Alice and Bob know each other (and have each other's public keys
> as described in work
> http://www-static.cc.gatech.edu/~vijayab/locating_SIP_users.pdf), then
> when Charlie calls with a credential from Bob, Alice can actually ensure
> the credential is from Bob.
The case where they know each other (and they are already on each 
other's buddy list) is easy.

I browsed through the paper and I believe you describe the SIP CERT 
concept.
I am not sure whether your understanding of SIP digest and SIPS usage 
matches my understanding.
You might want to double-check your performance results.

> 2) Deployment:
> Quoting Hannes: "Although not stated explicitly, I assume that
> information about a user's call patterns are stored with its VoIP
> provider."
> This is not how the paper extracts information about a user. Consider
> user Alice who uses say Vonage's VOIP service and thus all calls to and
> from Alice pass through Vonage's proxy server. Now let's say user Dave
> wants to call Alice and is using some VoIP provider X. Then Dave's
> reputation (if he doesn't have an SN credential) is assigned by the
> Vonage proxy and built on all the interactions (call history) that
> Vonage's customers have had with him.
I see. In essence, you are saying that every VoIP provider would store
information about customers of other VoIP providers IF they have ever
called a user of that domain (+ maybe considering "garbage" collection
via a TTL).

When someone uses SIP privacy mechanisms then they would never gain 
reputation in the way how your system works since SIP privacy hides the 
identity of the caller towards the callee (including the domain of the 
destination).

>  So the reputation for an incoming call is assigned by the proxy of the
> call recipient (that is Alice's Vonage proxy).

Wouldn't the caller's home domain be the most likely party that knows 
something about the call pattern of that user?

>  So Vonage will thus have a reputation matrix of all users of Vonage
> and all users that Vonage users have interacted with and then assign
> reputations (based on Eigentrust(pagerank)) to them. Dave's proxy X has
> no say in this matter.
Got it.

> Therefore if a particular VoIP provider provides this reputation
> calculating mechanism, users of that VoIP provider can utilize it and we
> expect the deployment to work that way.
>
> 3) Privacy aspects:
> The paper as it stands now has privacy issues with regards to its
> credential sharing mechanism. We have come up with a way to address that
> and that will be available along with an actual implementation of
> CallRank that we are building on MjSip as a client and OpenSER as the
> proxy server.
I am looking forward to see how it works.

> 4) Future work:
> In addition to what is already mentioned we realize that for each proxy
> to calculate the reputation matrix for a large number of users we need
> far more intelligent, efficient ways of calculating the reputation
> matrix. We find that there are ways in which we can organize the matrix
> to come up with efficient and accurate reputation calculations. All this
> and more are part of the next paper that we are working on.
Excellent.

> I hope I have clarified certain things that we could not provide in all
> detail in the paper due to space constraints.
Yep. Your comments have helped me a lot. Thanks.

Ciao
Hannes

> Bye,
> Vijay
>
> On Nov 25, 2007 5:32 AM, Hannes Tschofenig <Hannes.Tschofenig at gmx.net>
> wrote:
>
>   
>> Hi  all
>>
>> BACKGROUND
>>
>> In the IETF SIPPING WG we had discussions regarding SPIT prevention
>> mechanism. Particularly with regard to the SPIT marking techniques it
>> seems that there is some disagreement about the usefulness of
>> statistical techniques. A number of ideas have been discussed already
>> on various IETF mailing lists.
>> I would like to bring another paper to your attention that has been
>> posted to the VOIPSEC mailing list.
>>
>> THE PAPER
>>
>> The paper says that it exploits the fact that in regular communication
>> users both make and receive calls, while spammers are interested in
>> only making calls and disseminating information. This paper takes
>> existing work from the email environment and applies it to VoIP (as it
>> seems).
>>
>> The basic idea is to observe communication and call duration in
>> particular. Thereby, the call duration is used to create, so-called
>> call credentials. A call credential CC consists of A, the identity of
>> the caller, B, the identity of the call recipient, t, the call duration
>> and TS, the time stamp of the call along with a digital signature of
>> the same information.
>>
>> Although not stated explicitly, I assume that information about a user's
>> call patterns is stored with its VoIP provider. Then, when a user makes
>> a call, information about the call patterns (i.e., in the form of call
>> credentials) is made available to the receiving domain or other end
>> point. Sharing information about the sender with the recipient's domain
>> or the recipient itself has been described in
>> http://tools.ietf.org/id/draft-schwartz-sipping-spit-saml-01.txt
>> (although no reference to that document is included in the paper). This
>> work on utilizing social networks, as described in
>> http://tools.ietf.org/id/draft-ono-trust-path-discovery-02.txt, might
>> also be applicable.
>>
>> To deal with the introduction problem Turing tests are suggested.
>>
>> Working on draft-schwartz-sipping-spit-saml-01.txt we encountered
>> problems, such as
>>
>> * Deployment challenge to get SPIT SAML to deploy. Without it being
>> widely deployed the receiving domain does not have a way to know
>> anything about the call statistics. Hence, the mechanism would only work
>> within a single domain. Without sufficient deployment the mechanisms
>> described in the paper wouldn't be so useful either. As such, this
>> deployment challenge has nothing to do with SAML but is rather a generic
>> problem with the solution approach outlined in the paper (although the
>> authors claim it differently in Section 2.4 "Related Work").
>>
>> * Privacy aspects: It is not clear whether it is actually possible to
>> distribute some of this information from one domain to another one
>> without violating some privacy laws.
>>
>> * Trusting the information provided by the sending domain is likely to
>> work only for larger VoIP providers. In the worst case the Spammer might
>> provide this information since he is acting as a VoIP provider.
>>
>> The idea of using call patterns for SPIT prevention is not new. Still,
>> the provided details for using the call duration (using the Eigentrust
>> algorithm) in a SPIT prevention scenario are nice. Maybe this paper
>> provides a different spin to our SPIT marking discussion.
>>
>> Ciao
>> Hannes
>>
>> PS: http://tools.ietf.org/id/draft-schwartz-sipping-spit-saml-01.txt did
>> not describe which algorithms to use to compute some of the parameters.
>> I believe that this is fine for an IETF document given that there are a
>> lot of implementation specific aspects that are not relevant for
>> standardization.
>>
>>
>> -----Original Message-----
>> From: voipsec-bounces at voipsa.org [mailto:voipsec-bounces at voipsa.org] On
>> Behalf Of ext vijay arvind
>> Sent: Monday, 12 November 2007 00:34
>> To: voipsec at voipsa.org
>> Subject: [VOIPSEC] VoIP Spam paper
>>
>> Hello All,
>>
>> Attached is a link to a VoIP spam approach that we at the Georgia Tech
>> Information Security center (GTISC) are working on and was presented at
>> the 4th conference of Email and Anti Spam:
>> http://www.ceas.cc/2007/papers/paper-63.pdf
>>
>> The basic idea is to try and exploit the fact that in regular
>> communication users both make and receive calls, while spammers are
>> interested in only making calls and disseminating information. Users
>> rarely call a spammer and even if they inadvertently do so, the call
>> will last for a small duration. Hence we use call duration and the
>> directionality of calling patterns to distinguish between a regular user
>> and a spammer. We use basic cryptographic primitives to encapsulate call
>> duration as call credentials. How we combine these call credentials
>> using social networking theory and the Eigentrust algorithm (PageRank)
>> to create a spammer detecting mechanism forms the crux of the paper.
>>
>> Bouquets and Brickbats are most welcome.
>>
>> Thanks,
>> Vijay
>> _______________________________________________
>> Voipsec mailing list
>> Voipsec at voipsa.org
>> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>>
>>
>>     
>
>   
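
The call-credential and Eigentrust scheme discussed in this thread, as an added Python sketch that is not code from the paper or from anyone on the list: an HMAC under a constructed provider key stands in for the digital signature over (A, B, t, TS), the call records are constructed, and one credential is deliberately forged with the wrong key to show that unverifiable CCs never enter the reputation computation.

```python
import hashlib
import hmac
import json

# Constructed provider key: an HMAC over the credential fields stands in for
# the paper's digital signature so the example runs on the standard library.
PROVIDER_KEY = b"constructed-provider-key"

def _canon(cc):
    return json.dumps({k: cc[k] for k in ("A", "B", "t", "TS")}, sort_keys=True).encode()

def make_credential(caller, callee, duration_s, ts, key=PROVIDER_KEY):
    """CC = (A caller, B callee, t duration in seconds, TS timestamp) + signature."""
    cc = {"A": caller, "B": callee, "t": duration_s, "TS": ts}
    cc["sig"] = hmac.new(key, _canon(cc), hashlib.sha256).hexdigest()
    return cc

def verify_credential(cc, key=PROVIDER_KEY):
    expected = hmac.new(key, _canon(cc), hashlib.sha256).hexdigest()
    return hmac.compare_digest(cc.get("sig", ""), expected)

def reputation(creds, pretrusted, alpha=0.15, rounds=50):
    """Eigentrust-style global trust: each caller A spreads trust to callees B in
    proportion to talk time, so a party that only places calls earns none."""
    creds = [c for c in creds if verify_credential(c)]  # drop forged/tampered CCs
    users = sorted({c["A"] for c in creds} | {c["B"] for c in creds} | set(pretrusted))
    local = {u: {} for u in users}
    for c in creds:
        local[c["A"]][c["B"]] = local[c["A"]].get(c["B"], 0) + c["t"]
    for u in users:  # row-normalise: share of u's total outbound talk time
        total = sum(local[u].values())
        local[u] = {v: d / total for v, d in local[u].items()} if total else {}
    p = {u: (1 / len(pretrusted) if u in pretrusted else 0.0) for u in users}
    t = dict(p)
    for _ in range(rounds):
        nxt = {u: alpha * p[u] for u in users}
        for i in users:
            for j, w in (local[i] or p).items():  # caller with no calls falls back to p
                nxt[j] += (1 - alpha) * t[i] * w
        t = nxt
    return t

# Constructed sample: three users talk to each other at length; "spam" places
# short calls to everyone and is never called back; one CC is forged.
SAMPLE = [make_credential(a, b, d, ts) for a, b, d, ts in [
    ("alice", "bob", 600, 1), ("bob", "alice", 600, 2), ("alice", "carol", 300, 3),
    ("carol", "alice", 300, 4), ("bob", "carol", 400, 5), ("carol", "bob", 400, 6),
    ("spam", "alice", 5, 7), ("spam", "bob", 5, 8), ("spam", "carol", 5, 9)]]
FORGED = make_credential("alice", "spam", 3600, 10, key=b"spammer-key")
REP = reputation(SAMPLE + [FORGED], pretrusted=["alice"])
```

Because nobody holds a valid credential for a call into "spam", its column of the local trust matrix is empty and its global trust stays at zero no matter how many calls it places.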




------------------------------

End of Voipsec Digest, Vol 37, Issue 4
**************************************