[asterisk-users] Anonymous SIP calls
Chris Bagnall
asterisk at lists.minotaur.cc
Fri Mar 27 16:47:23 CDT 2015
On 27/3/15 8:03 pm, James B. Byrne wrote:
> One only accepts VOIP calls from known correspondents. I
> am not clear why this is so other than vague warnings respecting
> (admittedly real and serious) security issues.

Because on the whole most people don't *want* to receive calls from
random strangers :-)

> What is it
> about incoming SIP calls destined to our internal users that make
> those calls so dangerous? Why cannot incoming anonymous SIP calls not
> be treated exactly as incoming PSTN calls

Others have already written far more eloquently than I about the
security implications, but I think there are other factors at play here.

One of the principal benefits E.164 brought to the table was the ability
to 'bypass' the telco (and their call charges) and route the call direct
to the desired endpoint over our respective internet connections. But
the cost of making calls via the PSTN has reduced to a point where the
cost of the call is no longer a significant factor in whether to place
the call. Think back even a few years: the cost of calling another
country could easily rise above 1 (GBP/USD/whatever) per minute. Now,
with the exception of a few far-flung locations, there are very few
destinations to which calls are even a fifth of that cost.

Calls that come via the PSTN are subject to some sort of regulation.
Bona fide marketing companies are obliged to screen their calls through
the TPS (in the UK - I presume there's a similar 'do not call' screening
process in other countries). It's not perfect (international marketers
aren't effectively covered, for example), but it is marginally better
than a total free-for-all.

As for solutions, I think that for direct SIP-to-SIP calling to gain the
traction originally promised, we need to get to the same level of
incoming call control as we have with spam filtering on email. So there
will need to be organisations running distributed RBLs similar to (for
example) Spamhaus which SIP servers can query in real time to check not
just for hack attempts, but also those SIP servers from which
unsolicited marketing calls have originated, etc.

In summary:

1) PSTN calls are now /cheap enough/ that the financial benefits of
direct SIP-to-SIP calls for most users are negligible.
2) When the cost of calls falls to (effectively) zero, the principal
beneficiaries are fraudsters and telemarketers, and most people would
rather not deal with either group.
3) Lack of effective protection - both technical and regulatory -
against SIP-to-SIP misuse (not just fraud, but unsolicited callers, etc.)

Kind regards,
Chris
--
This email is made from 100% recycled electrons
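
The real-time blocklist check proposed in the message above, sketched as an added example that is not part of the original post: it applies the DNSBL query convention used by email blocklists (RFC 5782) to the source address of an inbound SIP request. The zone name, the return-code meanings and the accept/screen/reject policy are assumptions made for illustration; the post names no such SIP list.

```python
import ipaddress

# Hypothetical zone and return codes: the post names no actual SIP blocklist.
ZONE = "sip-rbl.example.org"
CODES = {"127.0.0.2": "hack-attempt", "127.0.0.3": "unsolicited-marketing"}


def query_name(peer_ip, zone=ZONE):
    """Build the DNSBL owner name for a SIP peer address (RFC 5782 layout)."""
    ip = ipaddress.ip_address(peer_ip)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        # IPv6: all 32 hex nibbles, reversed, one label each.
        labels = reversed(ip.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def classify(peer_ip, resolve, zone=ZONE):
    """Return (action, reasons) for an inbound INVITE from peer_ip.

    resolve(name) returns a list of A-record strings, or [] for NXDOMAIN.
    It is injected so the policy can be exercised without network access.
    """
    try:
        answers = resolve(query_name(peer_ip, zone))
    except OSError:
        # Assumed policy: fail open so a DNS outage does not drop every call.
        return "accept", ["lookup-failed"]
    # Only 127.0.0.0/8 answers are list data; other answers are ignored.
    listed = [a for a in answers if a.startswith("127.")]
    if not listed:
        return "accept", []
    reasons = sorted(CODES.get(a, "listed-unknown") for a in listed)
    action = "reject" if "hack-attempt" in reasons else "screen"
    return action, reasons


# Constructed sample data standing in for the blocklist's DNS zone.
SAMPLE_ZONE = {
    "10.113.0.203." + ZONE: ["127.0.0.2"],
    "77.100.51.198." + ZONE: ["127.0.0.3"],
}


def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5"):
        print(ip, classify(ip, sample_resolver))
```

In a live deployment `resolve` would wrap a real DNS lookup, and the result would feed whatever call-screening hook the SIP server provides.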