VOIP Caller ID
?"> Is a Spam bombardment a true threat to an IP voice server? Spam (a different problem than denial-of-service) is hard to stop. As I discussed above, unless I fundamentally limit who can call me (which is the approach in closed networks), its hard to discern the intent of the caller when a call is received. Some of the techniques in use for email can work for VOIP spam (black/white listing, for example), and others dont (content analysis).Spam generally doesnt disrupt service, though, in that its not seeking to crash the server or stop you from getting calls (in fact, the aim is to allow you to get calls - from spammers!). Are such spam attacks in the VOIP world truly anonymous -- as opposed to traceable crank phone calls ? If SIPs security techniques are used, they are traceable. However, traceability doesnt always help. For example, if I receive a spam call from firstname.lastname@example.org (.iq is Iraq), I can verify that this caller is , in fact, coming from Iraq, but there is probably little I can do to go after them. To summarize, SIP itself has a wealth of security features built in for providing authentication, confidentiality, and integrity of communications. It even has techniques that can prevent your SIP provider from listening in on your call - that is, you dont even need to trust your provider (these techniques are harder to deploy, however). These techniques, when enabled, surpass the security of even the PSTN. However, the problem is that many of these techniques are not deployed, are not demanded by operators or enterprises, and as a result, often not even implemented by vendors. In my experience, it is only after these networks suffer an attack that these network providers wake up, and start demanding these features to be delivered by their vendors.
SIP does indeed provide authentication, so that if my SIP provider receives a call, it can know for sure that the caller is indeed who they say they are. The problem is, with spam, thats not enough. Even if I can authenticate the caller - that is, determine his or her identity - that doesnt tell me anything about whether that person is a spammer or not. Being able to verify who you are (which SIP can do) is not the same as verifying whether or not you have good or bad intentions in sending me this call. Unfortunately, the latter problem - determining whether someones intentions are good or bad - is not one that is easily solved by some feature in the SIP protocol. In essence, what is my basis for "trusting" that this caller is a good person? There is no easy one. Thats the trust problem here.