The big ENUM question (Was: VPFs)
That part of the SS7 network is very true there are trusted service providers running them on top of that it actually takes some capital to be able to interconnect into the ss7 network which most people that are just trying to cause havic aren't going to be up for. Carlos Alcantar Race Telecommunications, Inc. 101 Haskins Way South San Francisco, CA 94080 P: 650.649.3550 x143 F: 650.649.3551 -----Original Message----- From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Hiers, David Sent: Thursday, August 06, 2009 10:44 AM To: John Todd; voiceops at voiceops.org Subject: Re: [VoiceOps] The big ENUM question (Was: VPFs) Every time this comes up, I find myself longing for the security, trustworthiness, and reliability of the physically separate, media-free, well-defined-trusted-service-providers-only network that is SS7. Even when the main attack tool was a simple PSTN analog phone and a box of cracker jacks, we found it necessary to bear the tremendous expense of creating SS7 to get the security (and features) that was needed. It is probably possible to run a signaling plane on the internet that can replace SS7, but it's a pretty tall order. David Hiers CCIE (R/S, V), CISSP ADP Dealer Services 2525 SW 1st Ave. Suite 300W Portland, OR 97201 o: 503-205-4467 f: 503-402-3277 David Hiers CCIE (R/S, V), CISSP ADP Dealer Services 2525 SW 1st Ave. Suite 300W Portland, OR 97201 o: 503-205-4467 f: 503-402-3277 -----Original Message----- From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of John Todd Sent: Wednesday, August 05, 2009 2:44 PM To: voiceops at voiceops.org Subject: Re: [VoiceOps] The big ENUM question (Was: VPFs) Comments in-line. On Aug 5, 2009, at 11:19 AM, Mark R Lindsey wrote:
At IPTComm a couple of years ago, Jonathan Rosenberg stood up and said
the big problem was the walled gardens that are telcos and ITSPs. We carriers just aren't passing traffic via VoIP. Even Cisco customers aren't passing traffic within their own company; you'd have a BTS over
here and a BTS over there, owned by the same Cable MSO, passing traffic via ISUP.
Continuing this conversation about VPFs: what would it take for you to
start routing calls across the Internet using lookups like ENUM? 1. A big task would be advertising our routes. We'd have to pull our user's numbers out of our boxes -- Asterisk, BroadWorks, MetaSwitch, Taqua, Sonus, Nortel, Cisco, etc., and advertise those numbers somehow. I'm sure tools to extract the list of local numbers from each
of these systems would be pretty easy. Raise your hand if you're excited about advertising all of your user's telephone numbers to make
the telemarketing and SPIT easier.
I think that should already exist, if you're offering some sort of routing to start with. If you don't know the E.164 addresses that are assigned to each customer, how are you getting calls to them in the first place? As far as authenticating to protect against SPIT, that's not overly difficult, I believe. I had a suggestion some time ago that would at least let you create black/whitelists based on asserted domain name. Here is discussion and code I wrote that might be of some interest: https://mail.internet2.edu/wws/arc/sip.edu/2006-07/msg00012.html http://forum.e164.org/index.php?topic=16.0
2. We'd need to agree on some way to ensure that these routes advertised were authoritative. E.g., how would YOU know that I'm really authorized to advertise +1-229-316-0013? If you dip to SS7, that goes to my CLEC-partner-of-the-week.
OK, now this is a serious issue that I have no easy answer for. There are two companies here in North American that would be GLAD to offer the ability to look that data up in their proprietary databases, and charge you for that service. Personally, I'm not really interested in that model, though Bellheads nearly froth with glee when the concept of a "central database" starts to be needed for EVERY transaction.
3. Then we'd need to agree on some way to do the lookup. ENUM seems like a nice option -- if the basic delegation mechanism made sense. It makes sense if we have large blocks of numbers, like NPANXXs, and there are no number ports. But since we all have number ports, the large blocks will be punctuated by many, many individual references to
the ITSP that ported in the number. So the ability to delegate subdomains using ENUM doesn't bring much value, to my mind. So whether we use ENUM or a normal SIP redirect server probably doesn't make a lot of difference.
OK, another huge stumbling block. Especially when we're now talking about creating ENUM trees that have to be completely broken down to individual responses for each 0-9 subdomain space for each reply if one number is ported out of the block. Gak. DNS doesn't like this.
4. We'd also need to make peace on the whole transport thing. As Brian
Sneddon just said, the commodity Internet remains acceptable for a lot
of purposes. There's risk in betting on that, of course.
If the user doesn't know what to expect, yes, that's very true.
5. And then we'd have to figure out how to bill each other, if we're going to do billing. But is billing each other for 100 kbps audio streams worthwhile anyway?
In my opinion, no. But I'm not a carrier who has become used to feeding from that teat of inter-carrier compensation. I'm used to charging my users for connecting their calls in or out, not charging someone else for the luxury of reaching my customers.
6. Of course, we also want to be sure we're allowing calls only from the right people. A few years ago, many of us setup our SBCs to allow calls from the public Internet, but that's much less common now. Oh, we'll accept any ol' screechy call that comes from our known peer, and
pay him to do it.
I guess I can agree with this, but I don't know what "allowing calls from the right people" means, except in the context of getting paid for inbound calls (see my reply to your #5) or in a quality assurance issue (see #4.)
And once we figure out all of these challenges -- which are really quite moderate -- we've got to convince ourselves that the effort is worth the reward: we get to bypass the big carriers for some calls, and get to use fancy codecs like G.722 and video.
The technical challenges are really quite moderate. The VPF people are
trying to solve it but only within their club. Why pay them when we can do it ourselves?
I agree with this last statement entirely, but with a caveat. The caveat is that I think that E.164 is broken, from both an operational and political level. I used to be a big believer, and I still think it probably is good non-global peering arrangements. But for public use, I think it's dead. (possibly excepting iNum, but I'm still viewing that with some suspicion) What's the punchline to this set of comments I've made? I am an advocate (and administrator) of the freenum.org system, which uses a concept called "ISN", which is an alternate pointer system which can replace E.164. It uses organizationally-based numbering schemes which are keypad friendly (12 digit standard DTMF keyboard) and which are suitably different from An ISN (ITAD Subscriber Number) is formed very much like a SIP URI: a subscriber portion, a separator, and an organization identifier. A SIP URI might be "1234 at loligo.com", and a similar ISN would be "1234*256". In this case, loligo.com (me) has received ITAD 256 from IANA a few years ago. So the ENUM-like lookup is "4.3.2.1.256.freenum.org" - the freenum.org zone can either delegate zone "256" to me, or I can do what most organizations do and put in a wildcard NAPTR record that just points all SIP calls to my Asterisk SIP platform. In this example case, the NAPTR for 4.3.2.1.256.freenum.org maps to "1234 at loligo.com", and uses standard SIP lookups from there on out. Here's a small set of advantages of freenum.org over E.164: - Not similar to E.164 numbers (users have expectation of "internet calling") - Works on most of the world's existing phones - Requires no alphanumerics - Maps very cleanly to SIP infrastructures - Uses all standard ENUM methods, but slightly modifies root - Totally free - IANA-based registry for organizations (not-for-profit) - Layers onto existing E.164 system, if you so wish (12125551212*254 would work fine, as an example) - Does not involve the ITU - Does not involve governments - Assumes end-to-end IP SIP at no charge between entities - Organizationally-based, not geographic - Scales better than ENUM, and within organizations can scale laterally - OpenSER, SER, Asterisk, FreeSwitch support existing already for dialing/DNS lookups - We have SIP, ENUM shims for systems that So, I believe that many of the problems with ENUM are insurmountable on a large scale. A different system needs to be put in place that allows dialpad access yet is more friendly and scalable for systems which are internet-enabled in the core. Hopefully, you'll take a look at the concept and see if you might permit your users to dial those digits and also accept inbound calls. JT _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system. _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
On Thu, Aug 6, 2009 at 2:19 PM, Carlos Alcantar <carlos at race.com> wrote:
That part of the SS7 network is very true there are trusted service providers running them on top of that it actually takes some capital to be able to interconnect into the ss7 network which most people that are just trying to cause havic aren't going to be up for.
Carlos Alcantar Race Telecommunications, Inc. 101 Haskins Way South San Francisco, CA 94080 P: 650.649.3550 x143 F: 650.649.3551
-----Original Message----- From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Hiers, David Sent: Thursday, August 06, 2009 10:44 AM To: John Todd; voiceops at voiceops.org Subject: Re: [VoiceOps] The big ENUM question (Was: VPFs)
Every time this comes up, I find myself longing for the security, trustworthiness, and reliability of the physically separate, media-free, well-defined-trusted-service-providers-only network that is SS7. Even when the main attack tool was a simple PSTN analog phone and a box of cracker jacks, we found it necessary to bear the tremendous expense of creating SS7 to get the security (and features) that was needed.
It is probably possible to run a signaling plane on the internet that can replace SS7, but it's a pretty tall order.
David Hiers
CCIE (R/S, V), CISSP ADP Dealer Services 2525 SW 1st Ave. Suite 300W Portland, OR 97201 o: 503-205-4467 f: 503-402-3277
David Hiers
CCIE (R/S, V), CISSP ADP Dealer Services 2525 SW 1st Ave. Suite 300W Portland, OR 97201 o: 503-205-4467 f: 503-402-3277
-----Original Message----- From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of John Todd Sent: Wednesday, August 05, 2009 2:44 PM To: voiceops at voiceops.org Subject: Re: [VoiceOps] The big ENUM question (Was: VPFs)
Comments in-line.
On Aug 5, 2009, at 11:19 AM, Mark R Lindsey wrote:
At IPTComm a couple of years ago, Jonathan Rosenberg stood up and said
the big problem was the walled gardens that are telcos and ITSPs. We carriers just aren't passing traffic via VoIP. Even Cisco customers aren't passing traffic within their own company; you'd have a BTS over
here and a BTS over there, owned by the same Cable MSO, passing traffic via ISUP.
Continuing this conversation about VPFs: what would it take for you to
start routing calls across the Internet using lookups like ENUM?
1. A big task would be advertising our routes. We'd have to pull our user's numbers out of our boxes -- Asterisk, BroadWorks, MetaSwitch, Taqua, Sonus, Nortel, Cisco, etc., and advertise those numbers somehow. I'm sure tools to extract the list of local numbers from each
of these systems would be pretty easy. Raise your hand if you're excited about advertising all of your user's telephone numbers to make
the telemarketing and SPIT easier.
I think that should already exist, if you're offering some sort of routing to start with. If you don't know the E.164 addresses that are assigned to each customer, how are you getting calls to them in the first place?
As far as authenticating to protect against SPIT, that's not overly difficult, I believe. I had a suggestion some time ago that would at least let you create black/whitelists based on asserted domain name. Here is discussion and code I wrote that might be of some interest:
https://mail.internet2.edu/wws/arc/sip.edu/2006-07/msg00012.html http://forum.e164.org/index.php?topic=16.0
2. We'd need to agree on some way to ensure that these routes advertised were authoritative. E.g., how would YOU know that I'm really authorized to advertise +1-229-316-0013? If you dip to SS7, that goes to my CLEC-partner-of-the-week.
OK, now this is a serious issue that I have no easy answer for. There are two companies here in North American that would be GLAD to offer the ability to look that data up in their proprietary databases, and charge you for that service. Personally, I'm not really interested in that model, though Bellheads nearly froth with glee when the concept of a "central database" starts to be needed for EVERY transaction.
3. Then we'd need to agree on some way to do the lookup. ENUM seems like a nice option -- if the basic delegation mechanism made sense. It makes sense if we have large blocks of numbers, like NPANXXs, and there are no number ports. But since we all have number ports, the large blocks will be punctuated by many, many individual references to
the ITSP that ported in the number. So the ability to delegate subdomains using ENUM doesn't bring much value, to my mind. So whether we use ENUM or a normal SIP redirect server probably doesn't make a lot of difference.
OK, another huge stumbling block. Especially when we're now talking about creating ENUM trees that have to be completely broken down to individual responses for each 0-9 subdomain space for each reply if one number is ported out of the block. Gak. DNS doesn't like this.
4. We'd also need to make peace on the whole transport thing. As Brian
Sneddon just said, the commodity Internet remains acceptable for a lot
of purposes. There's risk in betting on that, of course.
If the user doesn't know what to expect, yes, that's very true.
5. And then we'd have to figure out how to bill each other, if we're going to do billing. But is billing each other for 100 kbps audio streams worthwhile anyway?
In my opinion, no. But I'm not a carrier who has become used to feeding from that teat of inter-carrier compensation. I'm used to charging my users for connecting their calls in or out, not charging someone else for the luxury of reaching my customers.
6. Of course, we also want to be sure we're allowing calls only from the right people. A few years ago, many of us setup our SBCs to allow calls from the public Internet, but that's much less common now. Oh, we'll accept any ol' screechy call that comes from our known peer, and
pay him to do it.
I guess I can agree with this, but I don't know what "allowing calls from the right people" means, except in the context of getting paid for inbound calls (see my reply to your #5) or in a quality assurance issue (see #4.)
And once we figure out all of these challenges -- which are really quite moderate -- we've got to convince ourselves that the effort is worth the reward: we get to bypass the big carriers for some calls, and get to use fancy codecs like G.722 and video.
The technical challenges are really quite moderate. The VPF people are
trying to solve it but only within their club. Why pay them when we can do it ourselves?
I agree with this last statement entirely, but with a caveat.
The caveat is that I think that E.164 is broken, from both an operational and political level. I used to be a big believer, and I still think it probably is good non-global peering arrangements. But for public use, I think it's dead. (possibly excepting iNum, but I'm still viewing that with some suspicion)
What's the punchline to this set of comments I've made? I am an advocate (and administrator) of the freenum.org system, which uses a concept called "ISN", which is an alternate pointer system which can replace E.164. It uses organizationally-based numbering schemes which are keypad friendly (12 digit standard DTMF keyboard) and which are suitably different from
An ISN (ITAD Subscriber Number) is formed very much like a SIP URI: a subscriber portion, a separator, and an organization identifier. A SIP URI might be "1234 at loligo.com", and a similar ISN would be "1234*256". In this case, loligo.com (me) has received ITAD 256 from IANA a few years ago. So the ENUM-like lookup is "4.3.2.1.256.freenum.org" - the freenum.org zone can either delegate zone "256" to me, or I can do what most organizations do and put in a wildcard NAPTR record that just points all SIP calls to my Asterisk SIP platform. In this example case, the NAPTR for 4.3.2.1.256.freenum.org maps to "1234 at loligo.com", and uses standard SIP lookups from there on out.
Here's a small set of advantages of freenum.org over E.164:
- Not similar to E.164 numbers (users have expectation of "internet calling") - Works on most of the world's existing phones - Requires no alphanumerics - Maps very cleanly to SIP infrastructures - Uses all standard ENUM methods, but slightly modifies root - Totally free - IANA-based registry for organizations (not-for-profit) - Layers onto existing E.164 system, if you so wish (12125551212*254 would work fine, as an example) - Does not involve the ITU - Does not involve governments - Assumes end-to-end IP SIP at no charge between entities - Organizationally-based, not geographic - Scales better than ENUM, and within organizations can scale laterally - OpenSER, SER, Asterisk, FreeSwitch support existing already for dialing/DNS lookups - We have SIP, ENUM shims for systems that
So, I believe that many of the problems with ENUM are insurmountable on a large scale. A different system needs to be put in place that allows dialpad access yet is more friendly and scalable for systems which are internet-enabled in the core. Hopefully, you'll take a look at the concept and see if you might permit your users to dial those digits and also accept inbound calls.
JT
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete the message and any attachments from your system. _______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
_______________________________________________ VoiceOps mailing list VoiceOps at voiceops.org https://puck.nether.net/mailman/listinfo/voiceops
Since connecting to SS7 has an expense hurdle there needs to be a process to get access to the IP equivalent. Maybe a group of ENUM servers behind an authoritative source that you have to establish a VPN to reach. There are commercial companies that offer this type of service already such as Netnumber. However the ENUM servers would have IP routing information instead of PSTN routing information. ~Jared Geiger
There's nothing preventing someone from throwing garbage into the SS7 network, it's just that as has been repeated already several times, the barriers to entry for that rather exclusive, proprietary and expensive world are rather high. The issue with setting up a secure and trusted signaling plane over the Internet isn't so much making the communication pathways secure; VPNs do a perfectly good job of that. That's not the problem. The problem is the security of all the other things that are also connected to the IP network into which those VPN tunnels land. If an ordinary server is broken into, it can be used as a jump-off point by someone who knows what they're looking for to compromise the signaling plane as well by forwarding packets through the right gateway destination. No, it's not terribly easy, but at the same time, the chances of it happening are orders of magnitude higher in a generalised IP scenario. That's much harder to do with SS7 endpoints; one would have to break not only into a network element via IP, but also stick an exploit into what is usually a very proprietary and reasonably secure black box. The other related factor is that as many participants in the SS7 network as there are, that's a very, very small pool of deployments, generalised user experience and far-reaching knowledge as compared to anything IP. Ubiquitous operating systems and open-source packages enjoy thousands of times the volume of bugs, cracks, exploits and open QA feedback on which there is a lot of sunshine as compared to something so exclusive. That's not to say that there isn't already plenty of SS7 over public IP going on. I've seen more than my fair share of CLECs - usually little ones created to support the back side of some VoIP product - interconnect with the ILEC via SIGTRAN over Internet VPN to a third-party provider that actually works the A-links. I don't know if VeriSign still offers this product, but it was plenty popular. -- Alex -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (678) 237-1775
participants (3)
-
abalashov@evaristesys.com -
carlos@race.com -
jared@compuwizz.net