[VOIPSEC] VoIP and Fraud
Brian Rosen
br at brianrosen.net
Fri Mar 11 06:18:20 CST 2005
Hang on.
For current black phones, calling party number, which is actually ANI
and not CallerID, is used as an index into a database that routes the
call to the correct PSAP and supplies the call taker with the address
corresponding to the phone number.
With VoIP, when we get the infrastructure in place, location will come
in the signaling, with the call. The phone will learn its location from
its environment, for example from DHCP, and include it in the
signaling.
Within a network (domain), the carrier generally knows the source of
calls because they make you authenticate to the registrar. When you
call 911, the network will use location data you supplied with a system
we have devised that uses a variant of how mobile phones deliver
location. Today, some service providers use a hack that doesn't deliver
location but does deliver your call to the correct PSAP albeit to an
administrative line and not the real 911 lines.
So VoIP doesn't use the telephone number for location. However, when
you call 911, there is another piece of information that comes to the
PSAP which is your call back number. If you hang up or get
disconnected, the PSAP may need to call you back. They need your
telephone number to do that.
Now, most service providers don't just take your word for that (trust
what you put in the From header). There is a header called
P-Asserted-Identity that is defined for this purpose. The network
asserts who you really are. Some networks always use this, others only
add it when their idea differs from your idea.
P-A-I is only used within a domain. Its security properties don't
provide cross-domain protection. There is work on cryptographically
secure identity which works in all situations.
Brian
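
Added example (not part of the original message): a sketch of how a receiving element could choose the callback number, honouring P-Asserted-Identity only when the request arrived from a proxy inside its own domain and otherwise treating the From value as an unverified claim. The peer list, addresses, function names and the sample INVITE are constructed for illustration.

```python
# Added example: sample INVITE, peer list and addresses are constructed.
import re

TRUSTED_PEERS = {"10.0.0.5"}   # hypothetical proxies inside our own domain
COMPACT = {"f": "from"}        # SIP compact form of the From header

INVITE = """INVITE sip:911@example.net SIP/2.0
Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776
From: "Caller" <sip:+15550009999@example.net>;tag=1
To: <sip:911@example.net>
P-Asserted-Identity: <tel:+15551230001>
Call-ID: constructed-example-1
CSeq: 1 INVITE

"""

def parse_headers(raw):
    """Return {lowercased header name: [values]} for a SIP message head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:   # skip the request line
        if not line.strip():                    # blank line ends the headers
            break
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return headers

def user_part(value):
    """Extract the user part of the first sip:/sips:/tel: URI in a value."""
    m = re.search(r"(?:sips?:([^@;>\s]+)@|tel:([^;>\s]+))", value)
    return (m.group(1) or m.group(2)) if m else None

def callback_identity(raw, source_ip):
    """Return (number, asserted). P-A-I counts only from a trusted peer."""
    h = parse_headers(raw)
    pai = h.get("p-asserted-identity", [])
    if source_ip in TRUSTED_PEERS and pai:
        return user_part(pai[0]), True          # the network's assertion
    frm = h.get("from", [])                     # caller's own, unverified claim
    return (user_part(frm[0]) if frm else None), False

if __name__ == "__main__":
    print(callback_identity(INVITE, "10.0.0.5"))     # from our own proxy
    print(callback_identity(INVITE, "203.0.113.9"))  # from outside the domain
```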