Liaison statement
STIR WG response to LS on technologies involved in countering voice spam in telecommunication organizations

State Posted
Posted Date 2015-03-31
From Group stir
From Contact Russ Housley
To Group ITU-T-SG-17
To Contacts
Response Contact
Technical Contact
Purpose In response
Attachments (None)
Liaisons referred by this one LS on technologies involved in countering voice spam in telecommunication organizations
Re: Liaison 1354 (ITU SG 17 – COM17_LS150)

The IETF STIR WG appreciates the notification from ITU-T SG 17 of the
upcoming finalization of X.ticvs, on countering voice spam at the
operator level.  The IETF has explicitly addressed the voice spam
problems associated with the Session Initiation Protocol (SIP) since the
adoption of draft-ietf-sipping-spam-00 in February 2005, which was
finalized as RFC 5039 in 2008.  That document enumerates known solutions,
and acknowledges that no single technology is likely to be a “silver
bullet” in solving the potential abuses of Internet voice spam.  We
therefore feel that having multiple communities study the problem, and
approach its resolution from differing perspective, has ongoing value.

Per your liaison, we do note the distinction that SG 17 has drawn between
circuit-switched network spam, as countered by the recommendations in
X.ticvs, and spam in IP-based multimedia applications, as countered by
the recommendations in X.1245.  The scope of the STIR WG in the IETF, at
least for its “in-band” deliverable, addresses the protocol mechanisms
necessary for SIP to address the threats of robocalling, voicemail
hacking, and swatting.  But our study of the problem space suggests that
those three attacks usually rely on calling patterns that begin on the
Internet and transition to the circuit-switched network through gateways.
Thus, segregating those problems into a consideration of either the
circuit switched or Internet environment in isolation is not an approach
we chose at the IETF.

With regard to WTSA-12 Resolution 52, we believe that providing
cryptographic identity information in SIP requests does not inherently
degrade privacy.  This follows from the fact that, as rfc4474bis
stipulates, SIP users may claim anonymous identities (such for which no entity has authority.  The
presence of cryptographic signatures on requests which do claim an
identity in no way reduces the privacy provided by such anonymization
techniques.  The STIR effort in particular focuses on preventing
impersonation, and impersonation is always of some specific chosen
identity that the impersonator lacks the authority to claim.  It is
therefore our evaluation that the privacy consequences of the STIR
approach are minimal.

Conversely, we note that aggregating large amounts of transactional data
within service provider networks to enable a statistical analysis of
consumer traffic for spam prevention purposes has its own privacy risks.
In accordance with RFC 7258 (“Pervasive Monitoring is an Attack”), and
RFC 6973 (“Privacy Considerations for Internet Protocols”), we prefer
approaches that minimize the data gathered and retained by intermediaries
on the Internet, as this data is susceptible to capture by attackers.
Furthermore, we believe that the role of operators is transforming as
communications migrate from the circuit-switched network to the Internet,
and that the efficacy of operator-based approaches may diminish as a
consequence of this network evolution.

The IETF STIR WG would be happy to discuss these matters further with our
colleagues in ITU-T SG 17 if more dialog would be useful.  Again, we
appreciate our ongoing cooperation with SG 17, and hope that by exploring
the problem space from our differing perspectives, we may both make a
contribution to resolving this pressing issue.