1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
|
Internet Engineering Task Force (IETF) J. Peterson
Request for Comments: 7340 NeuStar, Inc.
Category: Informational H. Schulzrinne
ISSN: 2070-1721 Columbia University
H. Tschofenig
September 2014
Secure Telephone Identity Problem Statement and Requirements
Abstract
Over the past decade, Voice over IP (VoIP) systems based on SIP have
replaced many traditional telephony deployments. Interworking VoIP
systems with the traditional telephone network has reduced the
overall level of calling party number and Caller ID assurances by
granting attackers new and inexpensive tools to impersonate or
obscure calling party numbers when orchestrating bulk commercial
calling schemes, hacking voicemail boxes, or even circumventing
multi-factor authentication systems trusted by banks. Despite
previous attempts to provide a secure assurance of the origin of SIP
communications, we still lack effective standards for identifying the
calling party in a VoIP session. This document examines the reasons
why providing identity for telephone numbers on the Internet has
proven so difficult and shows how changes in the last decade may
provide us with new strategies for attaching a secure identity to SIP
sessions. It also gives high-level requirements for a solution in
this space.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7340.
Peterson, et al. Informational [Page 1]
^L
RFC 7340 STIR Problem Statement September 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
2. Problem Statement ...............................................4
3. Terminology .....................................................6
4. Use Cases .......................................................6
4.1. VoIP-to-VoIP Call ..........................................7
4.2. VoIP-PSTN-VoIP Call ........................................7
4.3. PSTN-to-VoIP Call ..........................................8
4.4. VoIP-to-PSTN Call ..........................................9
4.5. PSTN-VoIP-PSTN Call .......................................10
4.6. PSTN-to-PSTN Call .........................................11
5. Limitations of Current Solutions ...............................11
5.1. P-Asserted-Identity .......................................12
5.2. SIP Identity ..............................................14
5.3. VIPR ......................................................17
6. Environmental Changes ..........................................19
6.1. Shift to Mobile Communication .............................19
6.2. Failure of Public ENUM ....................................19
6.3. Public Key Infrastructure Developments ....................20
6.4. Prevalence of B2BUA Deployments ...........................20
6.5. Stickiness of Deployed Infrastructure .....................20
6.6. Concerns about Pervasive Monitoring .......................21
6.7. Relationship with Number Assignment and Management ........21
7. Basic Requirements .............................................22
8. Acknowledgments ................................................23
9. Security Considerations ........................................23
10. Informative References ........................................23
Peterson, et al. Informational [Page 2]
^L
RFC 7340 STIR Problem Statement September 2014
1. Introduction
In many communication architectures that allow users to communicate
with other users, the need arises for identifying the originating
party that initiates a call or a messaging interaction. The desire
to identify communication parties in end-to-end communication derives
from the need to implement authorization policies (to grant or reject
call attempts) but has also been utilized for charging. While there
are a number of ways to enable identification, this functionality has
been provided by the Session Initiation Protocol (SIP) [RFC3261] by
using two main types of approaches, namely, P-Asserted-Identity (PAI)
[RFC3325] and SIP Identity [RFC4474], which are described in more
detail in Section 5. The goal of these mechanisms is to validate
that the originator of a call is authorized to claim an originating
identifier. Protocols like the Extensible Messaging and Presence
Protocol (XMPP) use mechanisms that are conceptually similar to those
offered by SIP.
Although solutions have been standardized, it turns out that the
current deployment situation is unsatisfactory, and even worse, there
is little indication that it will improve in the future. In
[SECURE-ORIGIN], we illustrate what challenges arise. In particular,
interworking with different communication architectures (e.g., SIP,
Public Switched Telephone Network (PSTN), XMPP, Real-Time
Communications on the Web (RTCWeb)) or other forms of mediation
breaks the end-to-end semantic of the communication interaction and
destroys any identification capabilities. (In this document, we use
the term "PSTN" colloquially rather than in a legal or policy sense,
as a common shorthand for the circuit-switched analog and time-
division multiplexing (TDM) digital telephone system, often using
Signaling System #7 (SS7) to control call setup and teardown.)
Furthermore, the use of different identifiers (e.g., E.164 numbers
vs. SIP URIs) creates challenges for determining who is able to claim
"ownership" for a specific identifier; although domain-based
identifiers (sip:user@example.com) might use certificate or DNS-
related approaches to determine who is able to claim "ownership" of
the URI, telephone numbers do not yet have any similar mechanism
defined.
After the publication of the PAI and SIP Identity specifications
([RFC3325] and [RFC4474], respectively), further attempts have been
made to tackle the topic but, unfortunately, with little success, due
to the complexity of deploying solutions and the long list of (often
conflicting) requirements. A number of years have passed since the
last attempts were made to improve the situation, and we therefore
believe it is time to give it another try. With this document, we
would like to start to develop a common understanding of the problem
Peterson, et al. Informational [Page 3]
^L
RFC 7340 STIR Problem Statement September 2014
statement as well as basic requirements to develop a vision on how to
advance the state of the art and to initiate technical work to enable
secure call origin identification.
2. Problem Statement
In the classical Public Switched Telephone Network, there were a
limited number of carriers, all of whom trusted each other to provide
accurate caller origination information in an environment without any
cryptographic validation. In some cases, national telecommunication
regulation codified these obligations. This model worked as long as
the number of entities was relatively small, easily identified (e.g.,
in the manner carriers are certified in the United States), and
subject to effective legal sanctions in case of misbehavior.
However, for some time, these assumptions have no longer held true.
For example, entities that are not traditional telecommunication
carriers, possibly located outside the country whose country code
they are using, can act as voice service providers. While there was
a clear distinction between customers and service providers in the
past, VoIP service providers can now easily act as customers or
either originating or transit providers. Moreover, the problem is
not limited to voice communications, as growth in text messaging has
made it another vector for bulk unsolicited commercial messaging
relying on impersonation of a source telephone number or, sometimes,
an SMS short code. For telephony, Caller ID spoofing has become
common, with a small subset of entities either ignoring abuse of
their services or willingly serving to enable fraud and other illegal
behavior.
For example, recently, enterprises and public safety organizations
have been subjected to telephony denial-of-service attacks [TDOS].
In this case, an individual claiming to represent a collections
company for payday loans starts the extortion scheme with a phone
call to an organization. Failing to get payment from an individual
or organization, the criminal organization launches a barrage of
phone calls with spoofed numbers, preventing the targeted
organization from receiving legitimate phone calls. Other boiler-
room organizations use number spoofing to place illegal "robocalls"
(automated telemarketing; see, for example, the US Federal
Communications Commission webpage on this topic [ROBOCALL-FCC]).
Robocalls are a problem that has been recognized already by various
regulators; for example, the US Federal Trade Commission (FTC)
recently organized a robocall competition to solicit ideas for
creating solutions that will block illegal robocalls
[ROBOCALL-CHALLENGE]. Criminals may also use number spoofing to
impersonate banks or bank customers to gain access to information or
financial accounts.
Peterson, et al. Informational [Page 4]
^L
RFC 7340 STIR Problem Statement September 2014
In general, number spoofing is used in two ways: impersonation and
anonymization. For impersonation, the attacker pretends to be a
specific individual. Impersonation can be used for pretexting, where
the attacker obtains information about the individual impersonated
and, for example, activates credit cards, or for harassment, e.g.,
causing utility services to be disconnected, take-out food to be
delivered, or police to respond to a non-existing hostage situation
("swatting"; see [SWATTING]). Some voicemail systems can be set up
so that they grant access to stored messages without a password,
relying solely on the caller identity. As an example, in the News
International phone-hacking scandal [NEWS-HACK], employees of the
newspaper were accused of engaging in phone hacking by utilizing
Caller ID spoofing to get access to voicemail. For numbers where the
caller has suppressed textual caller identification, number spoofing
can be used to retrieve this information, stored in the so-called
Calling Name (CNAM) database. For anonymization, the caller does not
necessarily care whether the number is in service or who it is
assigned to and may switch rapidly and possibly randomly between
numbers. Anonymization facilitates automated illegal telemarketing
or telephony denial-of-service attacks, as described above, as it
makes it difficult to identify perpetrators and craft policies to
block them. It also makes tracing such calls much more labor-
intensive, as each call has to be identified in each transit carrier
hop-by-hop, based on destination number and time of call.
It is insufficient to simply outlaw all spoofing of originating
telephone numbers because the entities spoofing numbers are already
committing other crimes and are thus unlikely to be deterred by legal
sanctions. Secure origin identification should prevent impersonation
and, to a lesser extent, anonymization. However, if numbers are easy
and cheap to obtain, and if the organizations assigning identifiers
cannot or will not establish the true corporate or individual
identity of the entity requesting such identifiers, robocallers will
still be able to switch between many different identities.
The problem space is further complicated by a number of use cases
where entities in the telephone network legitimately send calls on
behalf of others, including "Find-Me/Follow-Me" services.
Ultimately, any SIP entity can receive an INVITE request and forward
it to any other entity, and the recipient of a forwarded message has
little means to ascertain which recipient a call should legitimately
target (see [SIP-SECURITY]). Also, in some cases, third parties may
Peterson, et al. Informational [Page 5]
^L
RFC 7340 STIR Problem Statement September 2014
need to temporarily use the identity of another individual or
organization with full consent of the "owner" of the identifier. For
example:
Doctors' offices: Physicians calling their patients using their cell
phones would like to replace their mobile phone number with the
number of their office to avoid being called back by patients on
their personal phone.
Call centers: Call centers operate on behalf of companies, and the
called party expects to see the Caller ID of the company, not the
call center.
3. Terminology
The following terms are defined in this document:
In-band Identity Conveyance: In-band conveyance is the presence of
call origin identification information conveyed within the control
plane protocol(s) setting up a call. Any in-band solution must
accommodate in-band intermediaries such as Back-to-Back User
Agents (B2BUAs).
Out-of-Band Identity Verification: Out-of-band verification
determines whether the telephone number used by the calling party
actually exists, whether the calling entity is entitled to use the
number, and whether a call has recently been made from this phone
number. This approach is needed because the in-band technique
does not work in all cases, as when certain intermediaries are
involved or due to interworking with circuit-switched networks.
Authority Delegation Infrastructure: The delegation authority
infrastructure determines how the authority over telephone numbers
is used when numbers are ported and delegated. It also describes
how the existing numbering infrastructure is reused to maintain
the lifecycle of number assignments.
Canonical Telephone Number: In order for either in-band conveyance
or out-of-band verification to work, entities must be able to
canonicalize telephone numbers to arrive at a common syntactical
form.
4. Use Cases
In order to explain the requirements and other design assumptions, we
will explain some of the scenarios that need to be supported by any
solution. To reduce clutter, the figures do not show call-routing
Peterson, et al. Informational [Page 6]
^L
RFC 7340 STIR Problem Statement September 2014
elements such as SIP proxies of voice or text service providers. We
generally assume that the PSTN component of any call path cannot be
altered.
4.1. VoIP-to-VoIP Call
For the VoIP-to-VoIP communication case, a group of service providers
that offer interconnected VoIP service exchange calls using SIP end-
to-end but may also deliver some calls via circuit-switched
facilities, as described in separate use cases below. These service
providers use telephone numbers as source and destination
identifiers, either as the user component of a SIP URI (e.g.,
sip:12125551234@example.com) or as a tel URI [RFC3966].
As illustrated in Figure 1, if Alice calls Bob, the call will use SIP
end-to-end. (The call may or may not traverse the Internet.)
+------------+
| IP-based |
| SIP Phone |<--+
| of Bob | |
|+19175551234| |
+------------+ |
|
+------------+ |
| IP-based | |
| SIP Phone | ------------
| of Alice | / | \
|+12121234567| // | \\
+------------+ // ,' \\\
| /// / -----
| //// ,' \\\\
| / ,' \
| | ,' |
+---->|......: IP-based |
| Network |
\ /
\\\\ ////
-------------------------
Figure 1: VoIP-to-VoIP Call
4.2. VoIP-PSTN-VoIP Call
Frequently, two VoIP-based service providers are not directly
connected by VoIP and use Time Division Multiplexer (TDM) circuits to
exchange calls, leading to the IP-PSTN-IP use case. In this use
case, Dan's Voice Service Provider (VSP) is not a member of the
Peterson, et al. Informational [Page 7]
^L
RFC 7340 STIR Problem Statement September 2014
interconnect federation Alice's and Bob's VSP belongs to. As far as
Alice is concerned, Dan is not accessible via IP, and the PSTN is
used as an interconnection network. Figure 2 shows the resulting
exchange.
--------
//// \\\\
+--- >| PSTN |
| | |
| \\\\ ////
| --------
| |
| |
| |
+------------+ +--+----+ |
| IP-based | | PSTN | |
| SIP Phone | --+ VoIP +- v
| of Alice | / | GW | \ +---+---+
|+12121234567| // `''''''' \\| PSTN |
+------------+ // | \+ VoIP +
| /// | | GW |\
| //// | `'''''''\\ +------------+
| / | | \ | IP-based |
| | | | | | Phone |
+---->|---------------+ +------|---->| of Dan |
| | |+12039994321|
\ IP-based / +------------+
\\\\ Network ////
-------------------------
Figure 2: IP-PSTN-IP Call
Note: A B2BUA/Session Border Controller (SBC) exhibits behavior that
looks similar to this scenario since the original call content would,
in the worst case, be re-created on the call origination side.
4.3. PSTN-to-VoIP Call
Consider Figure 3, where Carl is using a PSTN phone and initiates a
call to Alice. Alice is using a VoIP-based phone. The call from
Carl traverses the PSTN and enters the Internet via a PSTN/VoIP
gateway. This gateway attaches some identity information to the
call, for example, based on the caller identification information it
had received through the PSTN, if available.
Peterson, et al. Informational [Page 8]
^L
RFC 7340 STIR Problem Statement September 2014
--------
//// \\\\
+->| PSTN |--+
| | | |
| \\\\ //// |
| -------- |
| |
| v
| +----+-------+
+---+------+ |PSTN / VoIP | +-----+
|PSTN Phone| |Gateway | |SIP |
|of Carl | +----+-------+ |UA |
+----------+ | |Alice|
INVITE +-----+
| ^
V |
+---------------+ INVITE
|VoIP | |
|Interconnection| INVITE +-------+
|Provider(s) |----------->+ |
+---------------+ |Alice's|
|VSP |
| |
+-------+
Figure 3: PSTN-to-VoIP Call
4.4. VoIP-to-PSTN Call
Consider Figure 4, where Alice calls Carl. Carl uses a PSTN phone,
and Alice uses an IP-based phone. When Alice initiates the call, the
E.164 number is translated to a SIP URI and subsequently to an IP
address. The call of Alice traverses her VoIP provider, where the
call origin identification information is added. It then hits the
PSTN/VoIP gateway. It is desirable that the gateway verify that
Alice can claim the E.164 number she is using before it populates the
corresponding calling party number field in telephone network
signaling. Carl's phone must be able to verify that it is receiving
a legitimate call from the calling party number it will render to
Carl.
Peterson, et al. Informational [Page 9]
^L
RFC 7340 STIR Problem Statement September 2014
+-------+ +-----+ -C
|PSTN | |SIP | |a
|Phone |<----------------+ |UA | |l
|of Carl| | |Alice| |l
+-------+ | +-----+ |i
--------------------------- | |n
//// \\\\ | |g
| PSTN | INVITE |
| | | |P
\\\\ //// | |a
--------------------------- | |r
^ | |t
| v |y
+------------+ +--------+|
|PSTN / VoIP |<--INVITE----|VoIP ||D
|Gateway | |Service ||o
+------------+ |Provider||m
|of Alice||a
+--------+|i
-n
Figure 4: VoIP-to-PSTN Call
4.5. PSTN-VoIP-PSTN Call
Consider Figure 5, where Carl calls Alice. Both users have PSTN
phones, but interconnection between the two circuit-switched parts of
the PSTN is accomplished via an IP network. Consequently, Carl's
operator uses a PSTN-to-VoIP gateway to route the call via an IP
network to a gateway to break out into the PSTN again.
Peterson, et al. Informational [Page 10]
^L
RFC 7340 STIR Problem Statement September 2014
+----------+
|PSTN Phone|
-------- |of Alice |
//// \\\\ +----------+
+->| PSTN |------+ ^
| | | | |
| \\\\ //// | |
| -------- | --------
| v //// \\\\
| ,-------+ | PSTN |
| |PSTN | | |
+---+------+ __|VoIP GW|_ \\\\ ////
|PSTN Phone| / '`''''''' \ --------
|of Carl | // | \\ ^
+----------+ // | \\\ |
/// -. INVITE ----- |
//// `-. \\\\ |
/ `.. \ |
| IP-based `._ ,--+----+
| Network `.....>|VoIP |
| |PSTN GW|
\ '`'''''''
\\\\ ////
-------------------------
Figure 5: PSTN-VoIP-PSTN Call
4.6. PSTN-to-PSTN Call
For the "legacy" case of a PSTN-to-PSTN call, otherwise beyond
improvement, we may be able to use out-of-band IP connectivity at
both the originating and terminating carrier to validate the call
information.
5. Limitations of Current Solutions
From the inception of SIP, the From header field value has held an
arbitrary user-supplied identity, much like the From header field
value of an SMTP email message. During work on [RFC3261], efforts
began to provide a secure origin for SIP requests as an extension to
SIP. The so-called "short term" solution, the P-Asserted-Identity
header described in [RFC3325], is deployed fairly widely, even though
it is limited to closed trusted networks where end-user devices
cannot alter or inspect SIP messages and offers no cryptographic
validation. As P-Asserted-Identity is used increasingly across
multiple networks, it cannot offer any protection against identity
spoofing by intermediaries or entities that allow untrusted entities
Peterson, et al. Informational [Page 11]
^L
RFC 7340 STIR Problem Statement September 2014
to set the P-Asserted-Identity information. An overview of
addressing spam in SIP and an explanation of how it differs from
similar problems with email appeared in [RFC5039].
Subsequent efforts to prevent calling-origin identity spoofing in SIP
include the SIP Identity effort (the "long-term" identity solution)
[RFC4474] and Verification Involving PSTN Reachability (VIPR)
[VIPR-OVERVIEW]. SIP Identity attaches a new header field to SIP
requests containing a signature over the From header field value
combined with other message components to prevent replay attacks.
SIP Identity is meant to prevent both (a) SIP UAs from originating
calls with spoofed From headers and (b) intermediaries, such as SIP
proxies, from launching man-in-the-middle attacks by altering calls
as they pass through the intermediaries. The VIPR architecture
attacked a broader range of problems relating to spam, routing, and
identity with a new infrastructure for managing rendezvous and
security, which operated alongside of SIP deployments.
As we will describe in more detail below, both SIP Identity and VIPR
suffer from serious limitations that have prevented their deployment
on a significant scale, but they may still offer ideas and protocol
building blocks for a solution.
5.1. P-Asserted-Identity
The P-Asserted-Identity header field of SIP [RFC3325] provides a way
for trusted network entities to share with one another an
authoritative identifier for the originator of a call. The value of
P-Asserted-Identity cannot be populated by a user, though if a user
wants to suggest an identity to the trusted network, a separate
header (P-Preferred-Identity) enables them to do so. The features of
the P-Asserted-Identity header evolved as part of a broader effort to
reach parity with traditional telephone network signaling mechanisms
for selectively sharing and restricting presentation of the calling
party number at the user level while still allowing core network
elements to know the identity of the user for abuse prevention and
accounting.
In order for P-Asserted-Identity to have these properties, it
requires the existence of a trust domain as described in [RFC3324].
Any entity in the trust domain may add a P-Asserted-Identity header
to a SIP message, and any entity in the trust domain may forward a
message with a P-Asserted-Identity header to any other entity in the
trust domain. If a trusted entity forwards a SIP request to an
untrusted entity, however, the P-Asserted-Identity header must first
be removed; most end-user devices are outside trust domains. Sending
a P-Asserted-Identity request to an untrusted entity could leak
potentially private information, such as the network-asserted calling
Peterson, et al. Informational [Page 12]
^L
RFC 7340 STIR Problem Statement September 2014
party number in a case where a caller has requested presentation
restriction. This concept of a trust domain is modeled on the
trusted network of devices that operate the traditional telephone
network.
P-Asserted-Identity has been very successful in telephone replacement
deployments of SIP. It is an extremely simple in-band mechanism,
requiring no cryptographic operations. Since it is so reminiscent of
legacy mechanisms in the traditional telephone network and interworks
so seamlessly with those protocols, it has naturally been favored by
providers comfortable with these operating principles.
In practice, a trust domain exhibits many of the same merits and
flaws as the traditional telephone network when it comes to securing
a calling party number. Any trusted entity may provide P-Asserted-
Identity, and a recipient of a SIP message has no direct assurance of
who generated the P-Asserted-Identity header field value: all trust
is transitive. Trust domains are dictated by business arrangements
more than by security standards; thus, the level of assurance of
P-Asserted-Identity is only as good as the least trustworthy member
of a trust domain. Since the contents of P-Asserted-Identity are not
intended for consumption by end users, end users must trust that
their service provider participates in an appropriate trust domain,
as there will be no direct evidence of the trust domain in the SIP
signaling that end-user devices receive. Since the mechanism is so
closely modeled on the traditional telephone network, it is unlikely
to provide a higher level of security than that.
Since [RFC3325] was written, the whole notion of "P-" headers
intended for use in private SIP domains has also been deprecated (see
[RFC5727]) largely because of overwhelming evidence that these
headers were being used outside of private contexts and leaking into
the public Internet. It is unclear how many deployments that make
use of P-Asserted-Identity in fact conform to the Spec(T)
requirements of [RFC3324].
P-Asserted-Identity also complicates the question of which URI should
be presented to a user when a call is received. Per [RFC3261], SIP
user agents would render the contents of the From header field to a
user when receiving an INVITE request, but what if the P-Asserted-
Identity contains a more trustworthy URI, and presentation is not
restricted? Subsequent proposals have suggested additional header
fields to carry different forms of identity related to the caller,
including billing identities. As the calling identities in a SIP
request proliferate, the question of how to select one to render to
the end user becomes more difficult to answer.
Peterson, et al. Informational [Page 13]
^L
RFC 7340 STIR Problem Statement September 2014
5.2. SIP Identity
The SIP Identity mechanism [RFC4474] provides two header fields for
securing identity information in SIP requests: the Identity and
Identity-Info header fields. Architecturally, the SIP Identity
mechanism assumes a classic "SIP trapezoid" deployment in which an
authentication service, acting on behalf of the originator of a SIP
request, attaches identity information to the request that provides
partial integrity protection; a verification service acting on behalf
of the recipient validates the integrity of the request when it is
received.
The Identity header field value contains a signature over a hash of
selected elements of a SIP request, including several header field
values (most significantly, the From header field value) and the
entirety of the body of the request. The set of header field values
was chosen specifically to prevent cut-and-paste attacks; it requires
the verification service to retain some state to guard against
replays. The signature over the body of a request has different
properties for different SIP methods, but all prevent tampering by
man-in-the-middle attacks. For a SIP MESSAGE request, for example,
the signature over the body covers the actual message conveyed by the
request: it is pointless to guarantee the source of a request if a
man in the middle can change the content of the message, as in that
case the message content is created by an attacker. Similar threats
exist against the SIP NOTIFY method. For a SIP INVITE request, a
signature over the Session Description Protocol (SDP) body is
intended to prevent a man in the middle from changing properties of
the media stream, including the IP address and port to which media
should be sent, as this provides a means for the man in the middle to
direct session media to a resource that the originator did not
specify and thus impersonate an intended listener.
The Identity-Info header field value contains a URI designating the
location of the certificate corresponding to the private key that
signed the hash in the Identity header. That certificate could be
passed by-value along with the SIP request, in which case a cid URI
appears in Identity-Info, or by-reference, for example, when the
Identity-Info header field value has the URL of a service that
delivers the certificate. [RFC4474] imposes further constraints
governing the subject of that certificate, namely, that it must cover
the domain name indicated in the domain component of the URI in the
From header field value of the request.
Peterson, et al. Informational [Page 14]
^L
RFC 7340 STIR Problem Statement September 2014
The SIP Identity mechanism, however, has two fundamental limitations
that have precluded its deployment: first, it provides identity only
for domain names rather than other identifiers, and second, it does
not tolerate intermediaries that alter the bodies, or certain header
fields, of SIP requests.
As deployed, SIP predominantly mimics the structures of the telephone
network and thus uses telephone numbers as identifiers. Telephone
numbers in the From header field value of a SIP request may appear as
the user part of a SIP URI or, alternatively, in an independent tel
URI. The certificate designated by the Identity-Info header field as
specified, however, corresponds only to the domain portion of a SIP
URI in the From header field. As such, [RFC4474] does not have any
provision to identify the assignee of a telephone number. While it
could be the case that the domain name portion of a SIP URI signifies
a carrier (like "att.com") to whom numbers are assigned, the SIP
Identity mechanism provides no assurance that a particular number has
been assigned to any specific carrier. For a tel URI, moreover, it
is unclear in [RFC4474] what entity should hold a corresponding
certificate. A caller may not want to reveal the identity of its
service provider to the callee and may thus prefer tel URIs in the
From header field.
This lack of authority gives rise to a whole class of SIP Identity
problems when dealing with telephone numbers, as is explored in
[CONCERNS]. That document shows how the Identity header of a SIP
request targeting a telephone number (embedded in a SIP URI) could be
dropped by an intermediate domain, which then modifies and re-signs
the request, all without alerting the verification service: the
verification service has no way of knowing which original domain
signed the request. Provided that the local authentication service
is complicit, an originator can claim virtually any telephone number,
impersonating any chosen Caller ID from the perspective of the
verifier. Both of these attacks are rooted in the inability of the
verification service to ascertain a specific certificate that is
authoritative for a telephone number.
Moreover, as deployed, SIP is highly mediated and is mediated in ways
that [RFC3261] did not anticipate. As request routing commonly
depends on policies dissimilar to [RFC3263], requests transit
multiple intermediate domains to reach a destination; some forms of
intermediaries in those domains may effectively reinitiate the
session.
One of the main reasons that SIP deployments mimic the PSTN
architecture is because the requirement for interconnection with the
PSTN remains paramount: a call may originate in SIP and terminate on
the PSTN, or vice versa. Worse still, a PSTN-to-PSTN call may
Peterson, et al. Informational [Page 15]
^L
RFC 7340 STIR Problem Statement September 2014
transit a SIP network in the middle, or vice versa. This necessarily
reduces SIP's feature set to the least common denominator of the
telephone network and mandates support for telephone numbers as a
primary calling identifier.
Interworking with non-SIP networks makes end-to-end identity
problematic. When a PSTN gateway sends a call to a SIP network, it
creates the INVITE request anew, regardless of whether a previous leg
of the call originated in a SIP network that later delivered the call
to the PSTN. As these gateways are not necessarily operated by
entities that have any relationship to the number assignee, it is
unclear how they could provide an identity signature that a verifier
should trust. Moreover, how could the gateway know that the calling
party number it receives from the PSTN is actually authentic? And
when a gateway receives a call via SIP and terminates a call to the
PSTN, how can that gateway verify that a telephone number in the From
header field value is authentic before it presents that number as the
calling party number in the PSTN?
Similarly, some SIP networks deploy intermediaries that act as back-
to-back user agents (B2BUAs), typically in order to provide policy or
interworking functions at network boundaries (hence, the nickname
"Session Border Controller"). These functions range from topology
hiding, to alterations necessary to interoperate successfully with
particular SIP implementations, to simple network address translation
from private address space. To implement these functions, these
entities modify SIP INVITE requests in transit, potentially changing
the From, Contact, and Call-ID header field values, as well as
aspects of the SDP, including especially the IP addresses and ports
associated with media. Consequently, a SIP request exiting a B2BUA
does not necessarily bear much resemblance to the original request
received by the B2BUA, just as an SS7 request exiting a PSTN gateway
may transform all aspects of the SIP request in the VoIP leg of the
call. An Identity signature provided for the original INVITE has no
bearing on the post-B2BUA INVITE, and, were the B2BUA to preserve the
original Identity header, any verification service would detect a
violation of the integrity protection.
The SIP community has long been aware of these problems with
[RFC4474] in practical deployments. Some have therefore proposed
weakening the security constraints of [RFC4474] so that at least some
deployments of B2BUAs will be compatible with integrity protection of
SIP requests. However, such solutions do not address the key
problems identified above: the lack of any clear authority for
telephone numbers and the fact that some INVITE requests are
generated by intermediaries rather than endpoints. Removing the
Peterson, et al. Informational [Page 16]
^L
RFC 7340 STIR Problem Statement September 2014
signature over the SDP from the Identity header will not, for
example, make it any clearer how a PSTN gateway should assert
identity in an INVITE request.
5.3. VIPR
Verification Involving PSTN Reachability (VIPR) directly attacks the
twin problems of identifying number assignees on the Internet and
coping with intermediaries that may modify signaling. To address the
first problem, VIPR relies on the PSTN itself: it discovers which
endpoints on the Internet are reachable via a particular PSTN number
by calling the number on the PSTN to determine whom a call to that
number will reach. As VIPR-enabled Internet endpoints associated
with PSTN numbers are discovered, VIPR provides a rendezvous service
that allows the endpoints of a call to form an out-of-band connection
over the Internet; this connection allows the endpoints to exchange
information that secures future communications and permits direct,
unmediated SIP connections.
VIPR provides these services within a fairly narrow scope of
applicability. Its seminal use case is the enterprise IP Private
Branch Exchange (IPBX), a device that has both PSTN connectivity and
Internet connectivity, which serves a set of local users with
telephone numbers; after a PSTN call has connected successfully and
then ended, the PBX searches a distributed hash table to see if any
VIPR-compatible devices have advertised themselves as a route for the
unfamiliar number on the Internet. If advertisements exist, the
originating PBX then initiates a verification process to determine
whether the entity claiming to be the assignee of the unfamiliar
number in fact received the successful call: this involves verifying
details such as the start and stop times of the call. If the
destination verifies successfully, the originating PBX provisions a
local database with a route for that telephone number to the URI
provided by the proven destination. Moreover, the destination gives
a token to the originator that can be inserted in future call setup
messages to authenticate the source of future communications.
Through this mechanism, the VIPR system provides a suite of
properties, ones that go well beyond merely securing the origins of
communications. It also provides a routing system that dynamically
discovers mappings between telephone numbers and URIs, effectively
building an ad hoc ENUM database in every VIPR implementation. The
tokens exchanged over the out-of-band connection established by VIPR
also provide an authorization mechanism for accepting calls over the
Internet, which significantly reduces the potential for spam.
Because the token can act as a cookie due to the presence of this
Peterson, et al. Informational [Page 17]
^L
RFC 7340 STIR Problem Statement September 2014
out-of-band connectivity, the VIPR token is less susceptible to cut-
and-paste attacks and thus needs to cover far less of a SIP request
with its signature.
Due to its narrow scope of applicability and the details of its
implementation, VIPR has some significant limitations. The most
salient for the purposes of this document is that it only has bearing
on repeated communications between entities: it has no solution to
the classic "robocall" problem, where the target typically receives a
call from a number that has never called before. All of VIPR's
strengths in establishing identity and spam prevention kick in only
after an initial PSTN call has been completed and subsequent attempts
at communication begin. Every VIPR-compliant entity, moreover,
maintains its own stateful database of previous contacts and
authorizations, which lends itself more to aggregators like IP PBXs
that may front for thousands of users than to individual phones.
That database must be refreshed by periodic PSTN calls to determine
that control over the number has not shifted to some other entity;
figuring out when data has grown stale is one of the challenges of
the architecture. As VIPR requires compliant implementations to
operate both a PSTN interface and an IP interface, it has little
apparent applicability to ordinary desktop PCs or similar devices
with no ability to place direct PSTN calls.
The distributed hash table (DHT) also creates a new attack surface
for impersonation. Attackers who want to pose as the owners of
telephone numbers can advertise themselves as routes to a number in
the hash table. VIPR has no inherent restriction on the number of
entities that may advertise themselves as routes for a number; thus,
an originator may find multiple advertisements for a number on the
DHT even when an attack is not in progress. Attackers may learn from
these validation attempts which VIPR entities recently placed calls
to the target number, even if they cannot impersonate the target
since they lack the PSTN call detail information. It may be that
this information is all the attacker hopes to glean. The fact that
advertisements and verifications are public results from the public
nature of the DHT that VIPR creates. The public DHT prevents any
centralized control or attempts to impede communications, but those
come at the cost of apparently unavoidable privacy losses.
Because of these limitations, VIPR, much like SIP Identity, has had
little impact in the marketplace. Ultimately, VIPR's utility as an
identity mechanism is limited by its reliance on the PSTN, especially
its need for an initial PSTN call to complete before any of VIPR's
benefits can be realized, and by the drawbacks of the highly public
exchanges required to create the out-of-band connection between VIPR
entities. As such, there is no obvious solution to providing secure
origin services for SIP on the Internet today.
Peterson, et al. Informational [Page 18]
^L
RFC 7340 STIR Problem Statement September 2014
6. Environmental Changes
6.1. Shift to Mobile Communication
In the years since [RFC4474] was conceived, there have been a number
of fundamental shifts in the communications marketplace. The most
transformative has been the precipitous rise of mobile smartphones,
which are now arguably the dominant communications device in the
developed world. Smart phones have both a PSTN and an IP interface,
as well as SMS and Multimedia Messaging Service (MMS) capabilities.
This suite of tools suggests that some of the techniques proposed by
VIPR could be adapted to the smartphone environment. The installed
base of smartphones is, moreover, highly upgradable and permits rapid
adoption of out-of-band rendezvous services for smartphones that
bypass the PSTN. Mobile messaging services that use telephone
numbers as identities allow smartphone users to send text messages to
one another over the Internet rather than over the PSTN. Like VIPR,
such services create an out-of-band connection over the Internet
between smartphones; unlike VIPR, the rendezvous service is provided
by a trusted centralized database rather than by a DHT, and it is the
centralized database that effectively verifies and asserts the
telephone number of the sender of a message. While such messaging
services are specific to the users of the specific service, it seems
clear that similar databases could be provided by neutral third
parties in a position to coordinate between endpoints.
6.2. Failure of Public ENUM
At the time [RFC4474] was written, the hopes for establishing a
certificate authority for telephone numbers on the Internet largely
rested on public ENUM deployment. The e164.arpa DNS tree established
for ENUM could have grown to include certificates for telephone
numbers or at least for number ranges. It is now clear, however,
that public ENUM as originally envisioned has little prospect for
adoption. That said, some national authorities for telephone numbers
are migrating their provisioning services to the Internet and issuing
credentials that express authority for telephone numbers to secure
those services. These new authorities for numbers could provide to
the public Internet the necessary signatory authority for securing
calling party numbers. While these systems are far from universal,
the authors of this document believe that a solution devised for the
North American Numbering Plan could have applicability to other
country codes.
Peterson, et al. Informational [Page 19]
^L
RFC 7340 STIR Problem Statement September 2014
6.3. Public Key Infrastructure Developments
There have been a number of recent high-profile compromises of web
certificate authorities. The presence of numerous (in some cases,
hundreds) trusted certificate authorities in modern web browsers has
become a significant security liability. As [RFC4474] relied on web
certificate authorities, this too provides new lessons for any work
on revising [RFC4474], namely, that innovations like DNS-Based
Authentication of Named Entities (DANE) [RFC6698], which designate a
specific certificate preferred by the owner of a DNS name, could
greatly improve the security of a SIP Identity mechanism and,
moreover, that when considering new certificate authorities for
telephone numbers, we should be wary of excessive pluralism. While a
chain of delegation with a progressively narrowing scope of authority
(e.g., from a regulatory entity, to a carrier, to a reseller, to an
end user) is needed to reflect operational practices, there is no
need to have multiple roots or peer entities that both claim
authority for the same telephone number or number range.
6.4. Prevalence of B2BUA Deployments
Given the prevalence of established B2BUA deployments, we may have a
further opportunity to review the elements signed using the SIP
Identity mechanism [RFC4474] and to decide on the value of
alternative signature mechanisms. Separating the elements necessary
for (a) securing the From header field value and preventing replays
from (b) the elements necessary to prevent men-in-the-middle from
tampering with messages may also yield a strategy for identity that
will be practicable in some highly mediated networks. Solutions in
this space must, however, remain mindful of the requirements for
securing cryptographic material necessary to support Datagram
Transport Layer Security for Secure RTP (DTLS-SRTP) or future
security mechanisms.
6.5. Stickiness of Deployed Infrastructure
One thing that has not changed, and is not likely to change in the
future, is the transitive nature of trust in the PSTN. When a call
from the PSTN arrives at a SIP gateway with a calling party number,
the gateway will have little chance of determining whether the
originator of the call was authorized to claim that calling party
number. Due to roaming and countless other factors, calls on the
PSTN may emerge from administrative domains that were not assigned
the originating number. This use case will remain the most difficult
to tackle for an identity system and may prove beyond repair. It
does, however, seem that with the changes in the solution space, and
Peterson, et al. Informational [Page 20]
^L
RFC 7340 STIR Problem Statement September 2014
a better understanding of the limits of [RFC4474] and VIPR, we are
today in a position to reexamine the problem space and find solutions
that can have a significant impact on the secure origins problem.
6.6. Concerns about Pervasive Monitoring
While spoofing the origins of communication is a source of numerous
security concerns, solutions for identifying communications must also
be mindful of the security risks of pervasive monitoring (see
[RFC7258]). Identifying information, once it is attached to
communications, can potentially be inspected by parties other than
the intended recipient and collected for any number of reasons. As
stated above, the purpose of this work is not to eliminate anonymity;
furthermore, to be viable and in the public interest, solutions
should not facilitate the unauthorized collection of calling data.
6.7. Relationship with Number Assignment and Management
Currently, telephone numbers are typically managed in a loose
delegation hierarchy. For example, a national regulatory agency may
task a private, neutral entity with administering numbering
resources, such as area codes, and a similar entity with assigning
number blocks to carriers and other authorized entities, who in turn
then assign numbers to customers. Resellers with looser regulatory
obligations can complicate the picture, and in many cases, it is
difficult to distinguish the roles of enterprises from carriers. In
many countries, individual numbers are portable between carriers, at
least within the same technology (e.g., wireline-to-wireline).
Separate databases manage the mapping of numbers to switch
identifiers, companies, and textual Caller ID information.
As the PSTN transitions to using VoIP technologies, new assignment
policies and management mechanisms are likely to emerge. For
example, it has been proposed that geography could play a smaller
role in number assignments, that individual numbers could be assigned
to end users directly rather than only to service providers, and that
the assignment of numbers does not have to depend on providing actual
call delivery services.
Databases today already map telephone numbers to entities that have
been assigned the number, e.g., through the LERG (Local Exchange
Routing Guide) in the United States. Thus, the transition to IP-
based networks may offer an opportunity to integrate cryptographic
bindings between numbers or number ranges and service providers into
databases.
Peterson, et al. Informational [Page 21]
^L
RFC 7340 STIR Problem Statement September 2014
7. Basic Requirements
This section describes only the high-level requirements of the STIR
effort, which we expect will be further articulated as work
continues:
Generation: Intermediaries as well as end systems must be able to
generate the source identity information.
Validation: Intermediaries as well as end systems must be able to
validate the source identity information.
Usability: Any validation mechanism must work without human
intervention, for example, without mechanisms like CAPTCHA
(Completely Automated Public Turing test to tell Computers and
Humans Apart).
Deployability: Must survive transition of the call to the PSTN and
the presence of B2BUAs.
Reflecting existing authority: Must stage credentials on existing
national-level number delegations, without assuming the need for
an international golden root on the Internet.
Accommodating current practices: Must allow number portability among
carriers and must support legitimate usage of number spoofing
(e.g., doctors' offices and call centers).
Minimal payload overhead: Must lead to minimal expansion of SIP
header fields to avoid fragmentation in deployments that use UDP.
Efficiency: Must minimize RTTs for any network lookups and minimize
any necessary cryptographic operations.
Privacy: A solution must minimize the amount of information that an
unauthorized party can learn about what numbers have been called
by a specific caller and what numbers have called a specific
called party.
Some requirements specifically outside the scope of the effort
include:
Display name: This effort does not consider how the display name of
the caller might be validated.
Peterson, et al. Informational [Page 22]
^L
RFC 7340 STIR Problem Statement September 2014
Response authentication: This effort only considers the problem of
providing secure telephone identity for requests, not for
responses to requests; no solution is proposed for the problem of
determining to which number a call has connected [RFC4916].
8. Acknowledgments
We would like to thank Sanjay Mishra, Fernando Mousinho, David
Frankel, Penn Pfautz, Mike Hammer, Dan York, Andrew Allen, Philippe
Fouquart, Hadriel Kaplan, Richard Shockey, Russ Housley, Alissa
Cooper, Bernard Aboba, Sean Turner, Brian Rosen, Eric Burger, and
Eric Rescorla for the discussion and input that contributed to this
document.
9. Security Considerations
This document is about improving the security of call origin
identification; security considerations for specific solutions will
be discussed in solutions documents.
10. Informative References
[CONCERNS] Rosenberg, J., "Concerns around the Applicability of RFC
4474", Work in Progress, February 2008.
[NEWS-HACK] Wikipedia, "News International phone hacking scandal",
June 2014,
<http://en.wikipedia.org/w/index.php?title=News
_International_phone_hacking_scandal&oldid=614607591>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
[RFC3263] Rosenberg, J. and H. Schulzrinne, "Session Initiation
Protocol (SIP): Locating SIP Servers", RFC 3263, June
2002.
[RFC3324] Watson, M., "Short Term Requirements for Network
Asserted Identity", RFC 3324, November 2002.
[RFC3325] Jennings, C., Peterson, J., and M. Watson, "Private
Extensions to the Session Initiation Protocol (SIP) for
Asserted Identity within Trusted Networks", RFC 3325,
November 2002.
Peterson, et al. Informational [Page 23]
^L
RFC 7340 STIR Problem Statement September 2014
[RFC3966] Schulzrinne, H., "The tel URI for Telephone Numbers",
RFC 3966, December 2004.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474, August 2006.
[RFC4916] Elwell, J., "Connected Identity in the Session
Initiation Protocol (SIP)", RFC 4916, June 2007.
[RFC5039] Rosenberg, J. and C. Jennings, "The Session Initiation
Protocol (SIP) and Spam", RFC 5039, January 2008.
[RFC5727] Peterson, J., Jennings, C., and R. Sparks, "Change
Process for the Session Initiation Protocol (SIP) and
the Real- time Applications and Infrastructure Area",
BCP 67, RFC 5727, March 2010.
[RFC6698] Hoffman, P. and J. Schlyter, "The DNS-Based
Authentication of Named Entities (DANE) Transport Layer
Security (TLS) Protocol: TLSA", RFC 6698, August 2012.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is
an Attack", BCP 188, RFC 7258, May 2014.
[ROBOCALL-CHALLENGE]
Federal Trade Commission (FTC), "FTC Robocall
Challenge", <http://robocall.challenge.gov/>.
[ROBOCALL-FCC]
Federal Communications Commission (FCC), "Robocalls",
April 2013, <http://www.fcc.gov/guides/robocalls>.
[SECURE-ORIGIN]
Cooper, A., Tschofenig, H., Peterson, J., and B. Aboba,
"Secure Call Origin Identification", Work in Progress,
November 2012.
[SIP-SECURITY]
Peterson, J., "Retargeting and Security in SIP: A
Framework and Requirements", Work in Progress, February
2005.
[SWATTING] The Federal Bureau of Investigation (FBI), "Don't Make
the Call: The New Phenomenon of 'Swatting'", February
2008, <http://www.fbi.gov/news/stories/2008/february/
swatting020408>.
Peterson, et al. Informational [Page 24]
^L
RFC 7340 STIR Problem Statement September 2014
[TDOS] Krebs, B., "DHS Warns of 'TDoS' Extortion Attacks on
Public Emergency Networks", April 2013,
<http://krebsonsecurity.com/2013/04/dhs-warns-of-tdos-
extortion-attacks-on-public-emergency-networks/>.
[VIPR-OVERVIEW]
Barnes, M., Jennings, C., Rosenberg, J., and M. Petit-
Huguenin, "Verification Involving PSTN Reachability:
Requirements and Architecture Overview", Work in
Progress, December 2013.
Authors' Addresses
Jon Peterson
NeuStar, Inc.
1800 Sutter St Suite 570
Concord, CA 94520
US
EMail: jon.peterson@neustar.biz
Henning Schulzrinne
Columbia University
Department of Computer Science
450 Computer Science Building
New York, NY 10027
US
Phone: +1 212 939 7004
EMail: hgs@cs.columbia.edu
URI: http://www.cs.columbia.edu
Hannes Tschofenig
Hall, Tirol 6060
Austria
EMail: Hannes.Tschofenig@gmx.net
URI: http://www.tschofenig.priv.at
Peterson, et al. Informational [Page 25]
^L
|
