STIR WG response to LS on technologies involved in countering voice spam in telecommunication organizations
|From Contact||Russ Housley|
|Liaisons referred by this one||
LS on technologies involved in countering voice spam in telecommunication organizations
Re: Liaison 1354 (ITU SG 17 – COM17_LS150) The IETF STIR WG appreciates the notification from ITU-T SG 17 of the upcoming finalization of X.ticvs, on countering voice spam at the operator level. The IETF has explicitly addressed the voice spam problems associated with the Session Initiation Protocol (SIP) since the adoption of draft-ietf-sipping-spam-00 in February 2005, which was finalized as RFC 5039 in 2008. That document enumerates known solutions, and acknowledges that no single technology is likely to be a “silver bullet” in solving the potential abuses of Internet voice spam. We therefore feel that having multiple communities study the problem, and approach its resolution from differing perspective, has ongoing value. Per your liaison, we do note the distinction that SG 17 has drawn between circuit-switched network spam, as countered by the recommendations in X.ticvs, and spam in IP-based multimedia applications, as countered by the recommendations in X.1245. The scope of the STIR WG in the IETF, at least for its “in-band” deliverable, addresses the protocol mechanisms necessary for SIP to address the threats of robocalling, voicemail hacking, and swatting. But our study of the problem space suggests that those three attacks usually rely on calling patterns that begin on the Internet and transition to the circuit-switched network through gateways. Thus, segregating those problems into a consideration of either the circuit switched or Internet environment in isolation is not an approach we chose at the IETF. With regard to WTSA-12 Resolution 52, we believe that providing cryptographic identity information in SIP requests does not inherently degrade privacy. This follows from the fact that, as rfc4474bis stipulates, SIP users may claim anonymous identities (such sip:email@example.com) for which no entity has authority. The presence of cryptographic signatures on requests which do claim an identity in no way reduces the privacy provided by such anonymization techniques. The STIR effort in particular focuses on preventing impersonation, and impersonation is always of some specific chosen identity that the impersonator lacks the authority to claim. It is therefore our evaluation that the privacy consequences of the STIR approach are minimal. Conversely, we note that aggregating large amounts of transactional data within service provider networks to enable a statistical analysis of consumer traffic for spam prevention purposes has its own privacy risks. In accordance with RFC 7258 (“Pervasive Monitoring is an Attack”), and RFC 6973 (“Privacy Considerations for Internet Protocols”), we prefer approaches that minimize the data gathered and retained by intermediaries on the Internet, as this data is susceptible to capture by attackers. Furthermore, we believe that the role of operators is transforming as communications migrate from the circuit-switched network to the Internet, and that the efficacy of operator-based approaches may diminish as a consequence of this network evolution. The IETF STIR WG would be happy to discuss these matters further with our colleagues in ITU-T SG 17 if more dialog would be useful. Again, we appreciate our ongoing cooperation with SG 17, and hope that by exploring the problem space from our differing perspectives, we may both make a contribution to resolving this pressing issue.