2004 October

Rich Tehrani highlights one of the most discussed topics in VoIP services – but doesn't look into the work being done in the IETF to handle this problem…

VoIP service is portable, allowing you to take your equipment on the road or use a soft client on any computer from anywhere in the world. How do service providers deal with the issue of customers calling from Starbucks? The simple answer is they usually don't. If you call 911 from Starbucks, you can expect to see emergency response sent to the address on file: your house. Worse yet is that you could be connected to the wrong 911 office, also known as a PSAP or public safety answering point.

This new draft outlines a certificate management solution for SIP. As with E-mail, nothing really happens with S/MIME security in SIP. We need a scalable solution with a decentralized view in order to build a platform for SIP message authentication and SIP user identification.

This draft defines a Credential Service that uses a SIP subscribe/notify mechanism to discover other users' certificates and credentials and be notified about changes to these certificates. Other user agents that want to contact that AOR can retrieve these certificates from the server. The result is that widespread deployment of S/MIME in SIP is possible, because no extra expense or effort is required of the end user.

A new SIP RFC is published, describing a mechanism to join an existing SIP session, either barging in or just "joining" a conference or making a multi-party conference out of a two-party call.

This document defines a new header for use with SIP multi-party applications and call control. The Join header is used to logically join an existing SIP dialog with a new SIP dialog. This primitive can be used to enable a variety of features, for example: "Barge-In", answering-machine-style "Message Screening" and "Call Center Monitoring". Note that definition of these example features is non-normative.
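To make the matching rule concrete, here is a small added example (not code from the RFC or from any SIP stack) of what a user agent does when an INVITE carrying a Join header arrives: it parses the call-id and tags, looks for the dialog they point at, and decides on a response. The dialog table, the joiner identities and the policy set are constructed for the example; the status codes (481 for no matching dialog, 403 for a join the UA declines, 200 for an accepted join) are the choices made here.

```python
def parse_join_header(value: str):
    """Split a Join header value into (call_id, to_tag, from_tag).

    Wire form (RFC 3911): Join: <call-id>;to-tag=<tag>;from-tag=<tag>
    Both tags are required, so the header can only point at one dialog.
    """
    parts = [p.strip() for p in value.split(";")]
    call_id = parts[0]
    params = {}
    for param in parts[1:]:
        name, _, val = param.partition("=")
        params[name.strip().lower()] = val.strip()
    if not call_id or "to-tag" not in params or "from-tag" not in params:
        raise ValueError("Join header needs call-id, to-tag and from-tag")
    return call_id, params["to-tag"], params["from-tag"]


# Constructed dialog table of one UA: its own (local) tag and the peer's (remote) tag.
ACTIVE_DIALOGS = [
    {"call_id": "12345600@atlanta.example.com", "local_tag": "1234",
     "remote_tag": "5678", "peer": "sip:bob@example.net"},
    {"call_id": "77700@atlanta.example.com", "local_tag": "abcd",
     "remote_tag": "ef01", "peer": "sip:carol@example.net"},
]


def match_join(join_value: str, dialogs=ACTIVE_DIALOGS):
    """Return the dialog a Join header refers to, or None.

    RFC 3911 matches the tags as if they arrived in an incoming request for
    that dialog: to-tag against our local tag, from-tag against the remote tag.
    Swapping them therefore does not match, which is what the test below shows.
    """
    call_id, to_tag, from_tag = parse_join_header(join_value)
    for dialog in dialogs:
        if (dialog["call_id"] == call_id and dialog["local_tag"] == to_tag
                and dialog["remote_tag"] == from_tag):
            return dialog
    return None


def decide_join(join_value: str, joiner: str, dialogs=ACTIVE_DIALOGS,
                allowed_joiners=frozenset()) -> int:
    """Status code this example UA sends for a joining INVITE.

    481: nothing to join.  403: the dialog exists but this joiner is not on the
    (constructed) allow list; barge-in and monitoring must be explicit policy,
    not something any party that learns a call-id and tags can do.  200: accepted.
    """
    if match_join(join_value, dialogs) is None:
        return 481
    if joiner not in allowed_joiners:
        return 403
    return 200


if __name__ == "__main__":
    hdr = "12345600@atlanta.example.com;to-tag=1234;from-tag=5678"
    print(decide_join(hdr, "sip:carol@example.net",
                      allowed_joiners={"sip:carol@example.net"}))  # 200
```

The policy check matters more than the parsing: the call-id and tags of an existing call are visible to every proxy and border element on the signalling path, so possession of them must not be the only thing that lets a third party join.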

ENUM, the IETF standard solution for looking up phone numbers in DNS and replacing them with SIP addresses, is getting nowhere. What the VoIP community believed was the key to unlocking expensive PSTN calls is being stopped or controlled by the telcos of the past. They don't want to open the flood gates and let the Internet be the base for telephony. They want to use the IP-based broadband network as a last-mile access network, connecting customers to their PSTN switches.

So what is the problem? The ENUM e164.arpa domain, which is the global ENUM system, is of no practical use today. Political disputes and regulators are blocking the process. There are alternatives; one of the best is e164.org – a free, user-controlled ENUM root. This is what I thought ENUM would be. Well, what I was hoping for wasn't what everyone wanted, obviously.

So where are we? We have no generic way of finding the best route from one phone number to another, looking up whether there's an alternative way to set up the call across the Internet. This opens the door to alternatives to ENUM. Two alternatives were presented at the pulver.com VON conference that opened in Boston yesterday: DUNDi and Verisign services.
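What an ENUM lookup actually does is simple enough to show in a few lines. The following is an added example, not code from any ENUM implementation: it turns an E.164 number into the reversed-digit domain name, reads NAPTR records for that name, orders them by order and preference, and applies the record's regexp to obtain a SIP (or other) URI. The records are constructed and embedded in the block, so no DNS query is made; the root can be switched from e164.arpa to an alternative such as e164.org. One deliberately bad record is included to show the check a resolver should make before trusting what DNS returns.

```python
import re

# Constructed NAPTR records keyed by ENUM domain, each as
# (order, preference, flags, service, regexp, replacement). Nothing here is
# a real DNS answer; the first record is a deliberately poisoned one.
SAMPLE_NAPTR = {
    "0.0.0.8.0.5.5.5.8.6.4.e164.arpa": [
        (100, 5,  "u", "E2U+sip",    "!^.*$!http://bad.example/!", "."),
        (100, 10, "u", "E2U+sip",    "!^.*$!sip:info@example.net!", "."),
        (100, 20, "u", "E2U+sip",    "!^\\+46(.*)$!sip:\\1@example.net!", "."),
        (100, 30, "u", "E2U+mailto", "!^.*$!mailto:info@example.net!", "."),
    ],
}


def e164_digits(number: str) -> str:
    """Keep only the digits of a number written in any common style."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in number")
    return digits


def e164_to_enum_domain(number: str, root: str = "e164.arpa") -> str:
    """+46 8 555 08000 -> 0.0.0.8.0.5.5.5.8.6.4.e164.arpa (digits reversed, dot-separated)."""
    return ".".join(reversed(e164_digits(number))) + "." + root


def apply_naptr_regexp(regexp: str, subject: str) -> str:
    """Apply a NAPTR regexp field of the form <delim>ere<delim>repl<delim>flags.

    NAPTR uses POSIX extended regexps; Python's re is close enough for the
    forms ENUM records use. Escaped delimiters inside the fields are not handled.
    """
    delim = regexp[0]
    ere, repl, flags = regexp[1:].split(delim, 2)
    re_flags = re.IGNORECASE if "i" in flags else 0
    if not re.search(ere, subject, re_flags):
        raise ValueError("NAPTR regexp does not match the number")
    return re.sub(ere, repl, subject, count=1, flags=re_flags)


def scheme_fits_service(uri: str, service: str) -> bool:
    """DNS answers are untrusted input (no DNSSEC assumed): accept a URI only if
    its scheme matches the enumservice, e.g. E2U+sip -> sip: or sips:, so a
    poisoned record cannot quietly steer the call to something else."""
    expected = service[4:].split(":", 1)[0].lower()
    scheme = uri.split(":", 1)[0].lower()
    return scheme == expected or (expected == "sip" and scheme == "sips")


def enum_lookup(number: str, root: str = "e164.arpa", resolver=None):
    """Return [(service, uri), ...] in order/preference order for the number.

    `resolver` maps a domain name to its NAPTR tuples; it defaults to the
    constructed table above. Non-terminal records (no 'u' flag) would need a
    further lookup and are skipped in this example.
    """
    subject = "+" + e164_digits(number)
    records = (resolver or SAMPLE_NAPTR.get)(e164_to_enum_domain(number, root)) or []
    results = []
    for order, pref, flags, service, regexp, _replacement in sorted(
            records, key=lambda r: (r[0], r[1])):
        if not service.upper().startswith("E2U+") or "u" not in flags.lower():
            continue
        try:
            uri = apply_naptr_regexp(regexp, subject)
        except ValueError:
            continue
        if scheme_fits_service(uri, service):
            results.append((service, uri))
    return results


if __name__ == "__main__":
    for service, uri in enum_lookup("+46 8 555 08000"):
        print(service, uri)
```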

DUNDi is a lightweight protocol and a set of rules for how to set up trusted peering communities. DUNDi is aimed at finding the best route as well as stopping VoIP spam. The inventor is Mark Spencer, the lead programmer of Asterisk and the CEO of Digium, Inc. The idea, as stated on the front page of the DUNDi web site, was to build a decentralized system, as opposed to web security, which mostly rests on one company: Verisign.

Verisign, on the other hand, wants to be the new telco, trying to become the global trusted directory service for VoIP peering. I anticipate that their next move will be to start selling SIP TLS and S/MIME certificates, signing up with VoIP equipment manufacturers so the devices only accept Verisign certificates.

I believe in distributed systems. The Internet is a distributed system, the e-mail network on the Internet is a distributed system, DNS is a distributed system. Centralized solutions don't scale well on the Internet. My bet is that DUNDi will soon be implemented by everyone using Free World Dialup and/or Asterisk. That is quite a lot of users. What will become of ENUM is something we don't know yet. The technology is there, the winning implementation isn't here yet.

The end-user based authentication for SIP is now S/MIME, a standard that has not proven to be a success for secure e-mail. The whole set of NAT support functions implemented in many SIP proxies and session border controllers also violates the S/MIME message integrity, putting even more roadblocks in the path towards secure and trustworthy SIP-based telephony.

In September a new Internet Draft was published by the SIP working group. This draft suggests that a proxy authenticates users within a domain by signing messages with a private key belonging to the domain, not the user. This takes the burden off the SIP phone. The draft also notes that a user may use many phones, and having an endpoint-based authentication scheme forces the user to install the private key in all devices, something that may turn out to be impossible to manage. The new scheme works up to a certain level, and gives us a possible solution to move forward with, even if it doesn't give us strong end-to-end encryption. I hope that we can come up with a working scheme before it is too late, before there is too large a mass of unsecured phones out there. Changing the proxy is already much easier than forcing a change of the SIP phones used today.

The authentication service authenticates the identity of the message sender and validates that the identity given in the message can legitimately be asserted by the sender. Then it computes a signature over the canonical form of several headers and all the bodies, and inserts this signature into the message.
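The two paragraphs above make two points that are easiest to see with a message in hand: the domain proxy, not the phone, signs a canonical string built from selected headers and the body, and any NAT helper or session border controller that rewrites the SDP afterwards breaks that signature. The block below is an added example written for this post, not the draft's reference code or any proxy's implementation. It stands in an HMAC over a shared domain key for the domain's private-key signature the draft describes (so signer and verifier hold the same key here; with a real signature the verifier would fetch the domain's certificate), and the header set `SIGNED_HEADERS` and the header name `Identity` are assumptions for the example; the INVITE and the key are constructed.

```python
import base64
import hashlib
import hmac
import re

# Assumed for this example: which headers go into the signed string, and the
# name of the header that carries the signature.
SIGNED_HEADERS = ("From", "To", "Call-ID", "CSeq", "Date", "Contact")
SIGNATURE_HEADER = "Identity"

# Constructed INVITE as it leaves Alice's phone (Content-Length omitted).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Date: Thu, 21 Oct 2004 13:02:03 GMT\r\n"
    "Contact: <sip:alice@192.0.2.10>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def parse_message(raw: str):
    """Split a SIP message into (start line, {lower-case header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def digest_string(headers: dict, body: str) -> str:
    """Canonical form that gets signed: the chosen headers and the body, '|'-joined."""
    return "|".join([headers.get(h.lower(), "") for h in SIGNED_HEADERS] + [body])


def compute_signature(raw: str, domain_key: bytes) -> str:
    """HMAC-SHA256 stand-in for the domain's private-key signature (see lead-in)."""
    _, headers, body = parse_message(raw)
    mac = hmac.new(domain_key, digest_string(headers, body).encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def sign_message(raw: str, domain_key: bytes) -> str:
    """The domain proxy inserts the signature header; the phone holds no key."""
    head, sep, body = raw.partition("\r\n\r\n")
    return head + "\r\n" + SIGNATURE_HEADER + ": " + compute_signature(raw, domain_key) + sep + body


def verify_message(raw: str, domain_key: bytes) -> bool:
    """Recompute the digest on the receiving side; any change to a signed header
    or to the body since signing makes this return False."""
    _, headers, _ = parse_message(raw)
    claimed = headers.get(SIGNATURE_HEADER.lower())
    if claimed is None:
        return False
    return hmac.compare_digest(claimed, compute_signature(raw, domain_key))


def rewrite_sdp_connection(raw: str, new_ip: str) -> str:
    """What a NAT-traversal proxy or session border controller does to the SDP
    body on the way through: replace the media address. It invalidates the signature."""
    head, sep, body = raw.partition("\r\n\r\n")
    return head + sep + re.sub(r"^c=IN IP4 \S+", "c=IN IP4 " + new_ip, body, flags=re.M)


if __name__ == "__main__":
    key = b"constructed-example-com-domain-key"
    signed = sign_message(SAMPLE_INVITE, key)
    print(verify_message(signed, key))                                        # True
    print(verify_message(rewrite_sdp_connection(signed, "203.0.113.7"), key)) # False
```

The last line of the usage is the roadblock the post talks about: the SDP rewrite is a legitimate function of a border element, but because the body is inside the signed string, the verifier on the far side cannot tell it from tampering.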

Asterisk CVS HEAD, the development branch of Asterisk that came alive after the release of 1.0, is changing dramatically. One of the new features is the Realtime Architecture. This is an architecture that has been wanted for a long time. Let me give you a very brief explanation:

In the 1.0 version, there is a lot of support for database configuration of Asterisk users and phones. This code is hacked into the source with a lot of compile-time directives. There is support mostly for MySQL, which of course made users of other databases want to add code for their database of choice. This was unmanageable. The code was becoming very hard to maintain and the number of non-compatible patches was overwhelming.

The realtime architecture takes care of this. It is basically a code change, not so much new functionality – yet. The channel drivers for SIP and IAX2 and the voicemail application can now access user data in a database in a very clean way, without compile-time directives. The database source is configured in the configuration file extconfig.conf. There are a number of new applications to read and change database data as well.

The architecture is open for new drivers: if you want to add support for your database, LDAP or even EBCDIC files, write a driver for the res_config module. Additions and patches are welcome!

For those of you that use MYSQLFRIENDS today in IAX or SIP, there's a change in how you set up the database table, documented in the docs directory. Otherwise there is no change in what we support or not. You still cannot use MYSQLFRIENDS together with mailbox notification or NAT keep-alives in the SIP channel.

With this architecture, we hope to get more manageable code and improved support for a number of databases and configuration platforms in Asterisk, both for "realtime" data and persistent configurations.

Asterisk has a new friend in the Linux community:

Jon 'Maddog' Hall, president of Linux International, told delegates at the LinuxWorld conference in London today that open source VoIP technology, such as Asterisk, would take the market by storm. He said systems based on Asterisk would be up to ten times cheaper than proprietary IP PBX (softswitch) products from the likes of Cisco and 3Com.