[asterisk-users] Anonymous SIP calls

Chris Bagnall asterisk at lists.minotaur.cc
Fri Mar 27 16:47:23 CDT 2015


On 27/3/15 8:03 pm, James B. Byrne wrote:
> One only accepts VOIP calls from known correspondents.  I
> am not clear why this is so other than vague warnings respecting
> (admittedly real and serious) security issues.

Because on the whole most people don't *want* to receive calls from 
random strangers :-)

> What is it
> about incoming SIP calls destined to our internal users that make
> those calls so dangerous?  Why cannot incoming anonymous SIP calls not
> be treated exactly as incoming PSTN calls

Others have already written far more eloquently than I about the 
security implications, but I think there are other factors at play here.

One of the principal benefits E.164 brought to the table was the ability 
to 'bypass' the telco (and their call charges) and route the call direct 
to the desired endpoint over our respective internet connections. But 
the cost of making calls via the PSTN has reduced to a point where the 
cost of the call is no longer a significant factor in whether to place 
the call. Think back even a few years: the cost of calling another 
country could easily rise above 1 (GBP/USD/whatever) per minute. Now, 
with the exception of a few far-flung locations, there are very few 
destinations to which calls are even a fifth of that cost.

Calls that come via the PSTN are subject to some sort of regulation. 
Bona fide marketing companies are obliged to screen their calls through 
the TPS (in the UK - I presume there's a similar 'do not call' screening 
process in other countries). It's not perfect (international marketers 
aren't effectively covered, for example), but it is marginally better 
than a total free-for-all.

As for solutions, I think that for direct SIP-to-SIP calling to gain the 
traction originally promised, we need to get to the same level of 
incoming call control as we have with spam filtering on email. So there 
will need to be organisations running distributed RBLs similar to (for 
example) Spamhaus which SIP servers can query in real time to check not 
just for hack attempts, but also those SIP servers from which 
unsolicited marketing calls have originated, etc.

In summary:
1) PSTN calls are now /cheap enough/ that the financial benefits of 
direct SIP-to-SIP calls for most users are negligible.
2) When the cost of calls falls to (effectively) zero, the principal 
beneficiaries are fraudsters and telemarketers, and most people would 
rather not deal with either group.
3) Lack of effective protection - both technical and regulatory - 
against SIP-to-SIP misuse (not just fraud, but unsolicited callers, etc.)

Kind regards,

Chris
-- 
This email is made from 100% recycled electrons
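
The real-time RBL lookup proposed in the message above, sketched as an added example (not part of the original post) using the DNSBL query convention that email blocklists follow (RFC 5782). The zone `sip-rbl.example`, the return-code meanings, the fail-open policy and the injected `resolve` callable are assumptions made for illustration.

```python
import ipaddress

# Hypothetical zone and return codes: the post names no actual SIP blocklist.
ZONE = "sip-rbl.example"
CATEGORIES = {2: "hack-attempt", 3: "unsolicited-marketing"}
LISTING_NET = ipaddress.ip_network("127.0.0.0/8")


def query_name(ip, zone=ZONE):
    """Build the DNSBL query name: reversed octets (IPv4) or nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(addr.exploded.split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def check_source(ip, resolve, zone=ZONE):
    """Decide on an inbound SIP source address.

    resolve(name) must return a list of A-record strings, [] when the name
    does not exist (not listed), and raise OSError when the lookup fails.
    """
    try:
        answers = resolve(query_name(ip, zone))
    except OSError:
        # Assumed policy: fail open so a dead blocklist cannot stop all calls.
        return ("allow", ["lookup-failed"])
    cats = []
    for answer in answers:
        addr = ipaddress.ip_address(answer)
        if addr not in LISTING_NET:
            continue  # not a listing code, e.g. a wildcarded or parked zone
        cats.append(CATEGORIES.get(int(addr) & 0xFF, "listed-unknown"))
    return ("reject" if cats else "allow", sorted(set(cats)))


# Constructed zone data standing in for the blocklist's DNS answers.
SAMPLE_ZONE = {
    "10.2.0.192.sip-rbl.example": ["127.0.0.3"],
    "7.113.0.203.sip-rbl.example": ["127.0.0.2", "127.0.0.3"],
}


def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])


if __name__ == "__main__":
    for src in ("192.0.2.10", "203.0.113.7", "198.51.100.5"):
        print(src, check_source(src, sample_resolve))
```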


