One document matched: draft-schwartz-rucus-problem-statement-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY rfc3261 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3261.xml">
<!ENTITY rfc5039 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5039.xml">
<!ENTITY rfc3761 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3761.xml">
<!ENTITY rfc4474 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4474.xml">
<!ENTITY I-D.tschofenig-sipping-framework-spit-reduction SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-tschofenig-sipping-framework-spit-reduction-02.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc iprnotified="no" ?>
<?rfc strict="yes" ?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc sortrefs="no" ?>
<?rfc colonspace='yes' ?>
<?rfc tocindent='yes' ?>
<rfc category="info" docName="draft-schwartz-rucus-problem-statement-01" ipr="full3978">
<front>
<title abbrev="RUCUS Problem statement">RUCUS Problem Statement</title>
<author initials="D.S" surname="Schwartz" fullname="David Schwartz">
<organization>XConnect Global Networks</organization>
<address>
<postal>
<street>Malcha Technology Park</street>
<street>Building # 1</street>
<city>Jerusalem</city><code>90961</code>
<country>Israel</country>
</postal>
<phone>+972 52 347 4656</phone>
<email>dschwartz@xconnect.net</email>
<uri>www.kayote.com</uri>
</address>
</author>
<date year="2008" />
<abstract>
<t>SIP is being used more an more today
for everyday communication purposes. With this widespread adoption comes
the inevitability of abuse. This document describes the problems that fit
into the category of "unwanted Communication".</t>
</abstract>
<note title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119">
</xref>.</t>
</note>
</front>
<middle>
<section title="Introduction">
<t>As worldwide communication infrastructure is shifting to IP the
potential for disruption or abuse is increasing as well (see cost
analysis brought down in <xref target="RFC5039"></xref>). As such it
is important to be able to assess the potential threat so that possible
remedies can be sought. It is important to stress, however, that
this document and by extension this WG is not focusing ONLY on fraud
or misrepresentation attacks such as those mentioned in <xref
target="RFC5039"></xref>) but on all types of "unwanted" communications.</t>
<t>Fortunately (or unfortunately) we have a large body of work
already completed in other similar areas such as email and as such
the guiding principles of this WG MUST be:</t>
<t>What has been done right</t>
<t>What has been done wrong</t>
<t>What should have been done earlier</t>
</section>
<section title="Unwanted Communication">
<t>So what constitutes Unwanted Communication? Until now, most of the
work that has been done in this area in the various IETF WGs has
focused on the "misrepresentation" issue (<xref target="RFC5039"></xref>)
suggesting strong Identity (e.g. <xref target="RFC4474"></xref>) as the
cornerstone of any solution. Lately, there has been a lot of discussion
on the various lists trying to extend the identity protection (or better
yet - give it some meaning) to e.164 numbers as well as sip URIs.</t>
<t>Still, this is only one aspect of "Unwanted Communications" and
focusing or solving only this issue (if at all possible) will clearly
not eliminate SPAM. As an example, one attack that is cropping up
of late is a hybrid email VoIP attack which upgrades the age old phishing
attack by replacing a compromised web server with a compromised PBX (or
one set up just for this purpose) and includes an e.164 number in the email
message that supposedly is sent by your bank instead of the traditional
fake URL. Since there is no "whois" equivalent for e.164 numbers there
is no way today to combat this attack. While not much can be done if
the unsuspecting caller initiates the call from the PSTN, if the call is
initiated using SIP, there may be some help we can provide. But this
help is contingent on us realizing that the problem scope is wider than
we previously imagined.</t>
<t>Following is an initial list of possible unwanted communication
categories:</t>
<figure anchor="unwanted categories" title="Unwanted Communications Categories">
<artwork align="left"><![CDATA[
Data Mining - This category includes messaging whose sole
purpose is to mine for information.
Included in this category are things like Number
Harvesting via SIP or ENUM
B-side attacks - This category is rooted in the lack of a
"whois" equivalent for e.164 numbers and
includs attacks where the originating
party has no information attesting to the
credibility or authenticity of the signaled
party
Lack of policy - This category deals with the non-malicious
middle-of-the-night or foreign-language
communication. Strong identity will not
prevent this sort of communication.
Misrepresentation - The one we all like to hate. In this
category are included:
* Telemarketing
* Fraudulent access (e.g. voice mail)
Any application where access is based
on the signaling party's phone number
falls into this category
"underprivileged" - Malicious applications just trying to
gain a foothold on a remote computer fall
into this category. This class addresses
attacks that use IP communications as
a means rather than an end.
]]></artwork>
</figure>
<t>You will note in the list above I have included things like number
mining even though the is not part of a "communication" process. I did
this since this is a prepatory attack for unwanted communcations I felt
it should be dealt with in this context as well.</t>
</section>
<section title="Data Mining">
<t>As opposed to the URI namespace which is infinite, the e.164 namespace
which is in use for the majority of SIP voice calls today is not large
in computing terms. As a result, it is quite trivial to gather or mine
this information for use (individually or for resale) in misrepresentation
attacks. Low volume SIP INVITE messages recording failures (e.g. 404 Not found)
and successes (e.g. 183 Session Progress) are highly effective and relatively
hard to defend against. These kind of attacks have been seen in the field using
both SIP <xref target="RFC3261"></xref> and ENUM <xref target="RFC3761">
</xref></t>
</section>
<section title="B-Side Attacks">
<t>It is important to understand that SPAM is not static but rather is all
about economics and adapts accoridignly. While the return on investment for
the misrepresentation attacks does not yet justify widespread use, the ROI
for B-side attacks is clearer and is being seen in the field today. Basically,
the spammers go with what works - and phishing works better than telemarketing.
When you do the math you see that a very small hit percentage is needed for a
highly successful phishing campaign to materialize. Continual improvement in
protection against this sort of attack is forcing the phishers to adapt as
well (e.g. inline GIFs instead of embedded URLs that can be verified).</t>
<t>Against this backdrop it is to be expected that the next step in
the evolution of phishing is to include an instruction to dial a DID or
virtual phone number that the caller has no way to verify - where this will
lead to nefarius activities. In a sense it is the "B-side" that is
threatening the "A-side" and hence the name of this category. It is
important to realize that this attack is not unique to IP communications.
The compromised "B-side" could belong a PSTN compromised switch. The
thing is that (a) its harder to comparmise a PSTN switch (b) who ever
said that we have to limit ourselves to the protection available
on the PSTN?</t>
</section>
<section title="Lack Of Policy">
<t>Unwanted communication is subjective - not objective. As such it is entirely
possible for a legitimate call to be unwanted (even at the level of not having
the phone ring and force me to answer) at its intended destination and
it is completely reasonable to arm the receiving party with the ability to
prevent this sort of occurance a-priori. In order to combat this form of
unwanted communication there is a need for policy exchange mechanisms as
discussed in <xref target="I-D.tschofenig-sipping-framework-spit-reduction">
</xref></t>
</section>
<section title="Misrepresentation">
<t>This category deals with propagation of trusted identity across trust
boundaries and is covered in <xref target="RFC5039"></xref>.</t>
</section>
<section title="Regulatory">
<t>It wouldn't be right to finish a document describing the RUCUS problem
statement without raising the specter of regulatory involvement. An incident
which occurred in 1997 in which House Speaker Newt Gingrich's cellular telephone
conversation was illegally intercepted, taped and published by the media
prompted calls in Congress for stronger anti-eavesdropping legislation. One can
only imagine what unwanted communications to one of these legislatures will
cause to IP communications.</t>
</section>
<section anchor="security_considerations" title="Security Considerations">
<t>[[This section will be completed in a later version of this
document.]]</t>
</section>
<section title="Acknowledgements">
<t>Thanks to Adam O'Donell for alerting me to the VoIP aspects
of email phishing.</t>
</section>
<section title="IANA Considerations">
<t>None. This document is informational</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc2119;
&rfc3261;
</references>
<references title="Informational References">
&rfc5039;
&rfc4474;
&rfc3761;
&I-D.tschofenig-sipping-framework-spit-reduction;
</references>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 10:19:43 |