Secure Telephone Identity Problem Statement and Requirements
RFC 7340
Internet Engineering Task Force (IETF)                       J. Peterson
Request for Comments: 7340                                 NeuStar, Inc.
Category: Informational                                   H. Schulzrinne
ISSN: 2070-1721                                      Columbia University
                                                           H. Tschofenig
                                                          September 2014
Abstract
Over the past decade, Voice over IP (VoIP) systems based on SIP have
replaced many traditional telephony deployments. Interworking VoIP
systems with the traditional telephone network has reduced the
overall level of calling party number and Caller ID assurances by
granting attackers new and inexpensive tools to impersonate or
obscure calling party numbers when orchestrating bulk commercial
calling schemes, hacking voicemail boxes, or even circumventing
multi-factor authentication systems trusted by banks. Despite
previous attempts to provide a secure assurance of the origin of SIP
communications, we still lack effective standards for identifying the
calling party in a VoIP session. This document examines the reasons
why providing identity for telephone numbers on the Internet has
proven so difficult and shows how changes in the last decade may
provide us with new strategies for attaching a secure identity to SIP
sessions. It also gives high-level requirements for a solution in
this space.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7340.
Peterson, et al. Informational [Page 1]
RFC 7340 STIR Problem Statement September 2014
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
2. Problem Statement ...............................................4
3. Terminology .....................................................6
4. Use Cases .......................................................6
4.1. VoIP-to-VoIP Call ..........................................7
4.2. VoIP-PSTN-VoIP Call ........................................7
4.3. PSTN-to-VoIP Call ..........................................8
4.4. VoIP-to-PSTN Call ..........................................9
4.5. PSTN-VoIP-PSTN Call .......................................10
4.6. PSTN-to-PSTN Call .........................................11
5. Limitations of Current Solutions ...............................11
5.1. P-Asserted-Identity .......................................12
5.2. SIP Identity ..............................................14
5.3. VIPR ......................................................17
6. Environmental Changes ..........................................19
6.1. Shift to Mobile Communication .............................19
6.2. Failure of Public ENUM ....................................19
6.3. Public Key Infrastructure Developments ....................20
6.4. Prevalence of B2BUA Deployments ...........................20
6.5. Stickiness of Deployed Infrastructure .....................20
6.6. Concerns about Pervasive Monitoring .......................21
6.7. Relationship with Number Assignment and Management ........21
7. Basic Requirements .............................................22
8. Acknowledgments ................................................23
9. Security Considerations ........................................23
10. Informative References ........................................23