[Asterisk-Dev] Fwd: [VOIPSEC] SPIT Security initiative

John Todd jtodd at loligo.com
Thu Jun 2 17:34:13 MST 2005


This may be worth reviewing as a potential future addition to 
chan_sip.  At the very least, this is a development tool/effort that 
is at least worthy of understanding.

It would seem to me that Asterisk provides an optimal platform into 
which these methods could be integrated, due to the Open Source 
nature of Asterisk and the fairly large overlay of experience in the 
Asterisk development community with those who have also developed 
anti-SPAM or other tools in the past.

The major roadblock to this is that Asterisk (still!) does not 
support TCP for SIP transmissions, which prevents SAML from being 
used in this implementation.  Perhaps some more people can step 
forward to put money towards a bounty...

JT


>From: "David Schwartz" <david at kayote.com>
>To: <david at kayote.com>
>Date: Thu, 2 Jun 2005 16:55:22 -0000
>Cc:
>Subject: [VOIPSEC] SPIT Security initiative
>Reply-To: david at kayote.com
>
>
>I wanted to bring to the attention of the SIP community an initiative Kayote
>has been working on to combat the ever-growing threat of SPIT. Essentially,
>we have adopted Jon Peterson's idea of embedding security information into
>the SIP message via SAML. This will give upstream elements the ability to
>make available to downstream elements what they know about the SPIT threat
>potential on a call-by-call basis and let the downstream elements decide
>what to do with that information.
>
>The data sent downstream takes the form of name=value pairs and each
>parameter highlights a specific "red flag" in terms of potential for SPIT.
>For example, is the user calling from a free service, or is he a paying
>customer? Does his ITSP authorize as well as assert identity? Is there some
>other reason to suspect the call to be SPIT (from information regarding his
>calling patterns)? And finally, an overall score that we subjectively
>assign, called the AssertionStrength.
>
>This work is very preliminary and we expect the list of security attributes
>to evolve, but the key is the method of communicating the information on a
>call by call basis. As we describe in the open issues section, there are
>still a lot of SIP-related things that need to get ironed out.
>
>We are making a public server available for developers to start playing
>with. SIP messages can be bounced off the server and they will be returned
>with the embedded SAML containing the security attributes of the caller. On
>the web site, developers can configure their variables and other options.
>Our hope is that we can create a dynamic ongoing discussion that will engage
>the firewall and SBC vendors, the IP-PBX and Proxy builders, and even the
>CPE people, to get them to key off this information and
>reject/allow/filter/divert calls accordingly.
>
>We put up a small client to show the basic functionality. The technical
>details are provided in an accompanying document. The client and document
>can both be found at
>
>www.spitprevention.net
>
>Once you sign in, you can download the client and the doc
>
>(http://www.spitprevention.net/downloads/SPITPrevention.pdf).
>
>Depending on feedback from the community, future direction may include a
>standardization track.
>
>Kayote welcomes any comments that you have and looks forward to working on
>this project with the developer community.
>
>Best regards,
>
>David Schwartz
>Kayote Networks
>david.Schwartz at kayote.com
>
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
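
The forwarded message describes upstream elements passing name=value security attributes and downstream elements choosing to reject, allow, filter or divert. The sketch below is an added example of such a downstream policy, not code from Kayote, the SPITPrevention document or Asterisk. Only AssertionStrength is named in the message; the other attribute names, the 0-100 scale, the thresholds and the issuer_verified flag (standing in for verifying the SAML assertion before trusting it) are assumptions.

```python
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    FILTER = "filter"
    DIVERT = "divert"
    REJECT = "reject"

# Hypothetical attribute names for the "red flags" the message lists; only
# AssertionStrength is named on the page, and its 0-100 scale is assumed.
RED_FLAGS = ("FreeService", "IdentityNotAuthorized", "SuspiciousCallPattern")

def parse_pairs(text):
    """Parse name=value lines into a dict, skipping malformed lines."""
    attrs = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            attrs[name.strip()] = value.strip()
    return attrs

def decide(attrs, issuer_verified, fallback=Action.DIVERT):
    """Local policy: the upstream element reports, this element decides."""
    if not issuer_verified:
        return fallback  # unverified assertion: attributes carry no weight
    try:
        strength = int(attrs.get("AssertionStrength", ""))
    except ValueError:
        return fallback  # score missing or not a number
    if not 0 <= strength <= 100:
        return fallback  # out-of-range score is treated like no score
    flags = sum(attrs.get(name, "").lower() == "true" for name in RED_FLAGS)
    if strength < 30 or flags >= 2:
        return Action.REJECT
    if flags == 1:
        return Action.FILTER
    return Action.ALLOW if strength >= 70 else Action.DIVERT

# Constructed sample input, not captured from the Kayote server.
SAMPLE = """FreeService=true
IdentityNotAuthorized=false
SuspiciousCallPattern=false
AssertionStrength=65
this line has no separator"""

if __name__ == "__main__":
    print(decide(parse_pairs(SAMPLE), issuer_verified=True).value)
```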



