The Internet Engineering Task
Force (IETF) Session Initiation Protocol (SIP) has proven itself
to be the flavor of choice for many Voice-over-IP (VoIP) gateway and
component manufacturers. SIP certainly offers advantages over H.323 and
other Internet telephony protocols, but does it really offer the same
level of call privacy and security as the PSTN?
For circuit-switched phone calls, signaling messages usually include
identification of the calling party, which may be delivered to the party
being called. The party placing the call typically has the option of
suppressing this caller ID information to maintain privacy. For calls
placed over IP using the current version of the SIP protocol, this calling
party identification, as well as the option to keep the information
private, may also be necessary. The SIP working group of the IETF is
proposing two extensions to the protocol to handle this information.
In an Internet draft document, the working group suggests that calling
number delivery and calling name delivery services, which in PSTN calls
offer identity information about the calling party before the called
party answers the phone, can also be utilized for calls transported
using SIP. For this information to be trustworthy, a SIP user agent will
need to require that all incoming SIP invitations arrive through a set of
SIP proxies. These proxies, referred to as DCS-proxies by the working
group, are interconnected and offer a transitive trust relationship. This
means that a SIP user agent that places a call through a DCS-proxy can
trust that proxy to deliver the requested service, but the proxies do not
trust the SIP user agents.
IP address information can also provide identification such as location
in an IP calling environment. This information must be hidden from the
other party in a SIP environment, and calling party information should not
be in an intelligible format when it reaches the called party. The working
group proposes a header field called DCS-Caller, which would be added to
an INVITE message to identify a caller, with the option that this
information can be kept from the DCS proxy if the call originator does not
want this information to be available.
The other header field proposed by the working group would be called
DCS-Anonymity, and would allow an originating SIP user agent to choose the
privacy level to be provided by the DCS proxy. This field would have two
functions, in that it could be used to block SIP-level privacy requests
(such as the caller name and/or number), as well as IP address
information.
There are additional fields within a SIP call that can reveal privacy
information, and the working group recommends ways to encrypt information
to work around these fields. The group also recommends use of the IPSec
protocol in addition to the proposed extensions.
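To make the two mechanisms concrete, here is an added example (not code from the article or from the IETF draft it describes) modelling a terminating DCS-proxy that honours DCS-Anonymity and a called user agent that believes DCS-Caller only when the INVITE arrived through a trusted DCS-proxy. The DCS-Anonymity token values, the proxy host names and the INVITE are constructed assumptions; the draft's actual syntax is not given in the article.

```python
# Added example, not code from the article or the IETF draft it discusses. The header
# names are from the article; token values, proxy list and the INVITE are constructed.
TRUSTED_DCS_PROXIES = {"dcs-proxy1.example.net", "dcs-proxy2.example.net"}

INVITE = (  # constructed: caller UA at 192.0.2.10, relayed by a trusted DCS-proxy
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP dcs-proxy1.example.net:5060;branch=z9hG4bK1\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK0\r\n"
    'From: "Alice" <sip:alice@example.org>;tag=1\r\n'
    "To: <sip:bob@example.com>\r\n"
    "Contact: <sip:alice@192.0.2.10>\r\n"
    'DCS-Caller: "Alice" <sip:+15551230001@example.org>\r\n'
    "DCS-Anonymity: Full\r\n\r\n"
)

def parse_sip(msg: str):
    """Return (start line, [(header name, value)]) for a SIP request."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    return head[0], [tuple(p.strip() for p in h.split(":", 1)) for h in head[1:]]

def apply_anonymity(msg: str, proxy_host: str) -> str:
    """Terminating DCS-proxy: honour DCS-Anonymity before the INVITE reaches the callee.
    Assumed tokens: Off, SIP (hide name/number), IP (hide addresses), Full (both). Hiding
    addresses assumes this proxy terminates the signalling leg (it rewrites Via/Contact)."""
    start, headers = parse_sip(msg)
    level = next((v for n, v in headers if n.lower() == "dcs-anonymity"), "off").lower()
    hide_sip, hide_ip = level in ("sip", "full"), level in ("ip", "full")
    out = [start]
    for name, value in headers:
        key = name.lower()
        if key == "dcs-anonymity" or (hide_sip and key == "dcs-caller"):
            continue                      # never forward these to the callee
        if hide_sip and key == "from":
            value = f'"Anonymous" <sip:anonymous@{proxy_host}>;tag=anon'
        if hide_ip and key in ("via", "contact"):
            continue                      # replaced by the proxy's own below
        out.append(f"{name}: {value}")
    if hide_ip:
        out.insert(1, f"Via: SIP/2.0/UDP {proxy_host}:5060;branch=z9hG4bKdcs")
        out.append(f"Contact: <sip:anonymous@{proxy_host}>")
    return "\r\n".join(out) + "\r\n\r\n"

def trusted_caller(msg: str):
    """Called UA: believe DCS-Caller only if the topmost Via (last hop) is a DCS-proxy."""
    _, headers = parse_sip(msg)
    vias = [v for n, v in headers if n.lower() == "via"]
    if not vias or vias[0].split()[1].split(";")[0].split(":")[0] not in TRUSTED_DCS_PROXIES:
        return None
    return next((v for n, v in headers if n.lower() == "dcs-caller"), None)
```

With the constructed INVITE, the proxy output for Full contains neither the caller's name, number nor the 192.0.2.10 address, while an INVITE whose topmost Via is the caller's own host yields no trusted identity even though it carries a DCS-Caller header.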

VPNs:
Evolving In The New Millennium
BY PHIL SAUNDERS
It's not that we didn't hear enough about virtual private networks
(VPNs) in the late '90s. We certainly did. Let's be careful, though,
not to underestimate this pithy acronym and what it means with regard to
the Internet and secure communications as we move quickly into the new
millennium. The VPN industry in the late '90s carried with it a distinct
set of applications and clearly defined vendors. While the traditional
VPN applications of intranets and extranets are still in their early
growth stages, the evolution of the Internet and, more importantly,
how users will access it will invoke new ways in which VPNs will be
defined in 2000 and beyond.
The recent Consumer Electronics Show in Las Vegas featured a
refrigerator with Internet access! The refrigerator had a bar-code scanner
that could be used to scan in a shopping list and send it to the local
grocery store via the Internet upon command. While this application may
not seem as security-sensitive as online banking, for example, it is still
a form of e-commerce and the data needs to be protected. Perhaps the
refrigerator itself does not require VPN capability, but the residential
gateway through which it communicates certainly should. So what does an
Internet-enabled refrigerator have to do with you? Look at it as a
harbinger of things to come.
As Internet-access devices proliferate, mutate, and evolve, and the
convergence of voice and data continues, we need to prepare for a future
even though we may not be able to define it yet. The devices, operating
systems, and communication media may change, but the requirements for
private communications (i.e., data privacy, user authentication, and
message authentication) remain the same as long as the Internet is the
network.
The good news is that much of the groundwork has been laid. Let's
talk about standards and interoperability, two very popular topics
revolving around VPNs in the late '90s. The IPSec standard has taken
several years to develop and is the foundation of any viable VPN
implementation on the market today. Vendors large and small now develop
products and features to support IPSec-based VPNs, which provide users the
assurances of strong security and interoperability. The IPSec VPN vendor
community has made significant strides to ensure interoperability. These
efforts include participation in IPSec bakeoffs, where vendors
gather with their equipment at one location and test interoperability, as
well as participation in the VPN Consortium (VPNC), which provides an
Internet-based framework for testing and documenting IPSec
interoperability among vendors.
The emerging markets for Internet access will have to deal with the
same standards-compliance issues that the networking communication vendors
are pioneering. New products for accessing the Internet will need to
interoperate from both a communications and a security standpoint. While
we cannot begin to envision all the Internet access products the
millennium will bring, it is certain that the IPSec standard will play a
significant role in ensuring secure, flexible, and interoperable Internet
communications.
Phil Saunders is vice president of marketing for Information
Resource Engineering, Inc. (IRE). IRE's comprehensive network security
systems emphasize standards-based security, cost-effectiveness, and ease
of use in the protection of remote access, electronic commerce, and
distributed business communication applications throughout the world. For
more information, visit the company's Web site at www.ire.com.