[VOIPSEC] Billing a SIP call by the minute

Henrik Ingo henrik.ingo at sesca.com
Tue Nov 8 01:36:48 CST 2005


dhiraj.2.bhuyan at bt.com wrote:
> There are security issues in many of the current VoIP billing
> solutions that still need to be addressed. For example, a "modified"
> SIP phone may initiate a call and once the call is established, the
> SIP phone terminates the call (at SIP layer), but continues sending
> and receiving the RTP media streams. Since the RTP media stream is end
> to end (for most VoIP solutions), the billing system is fooled into
> believing that the call is over.
>
> Dhiraj Bhuyan
> Senior Security Researcher
> British Telecom, UK
>

Sure, but I've always thought in SIP that is more like a feature, not a 
bug. Unless the RTP traffic is routed through a proxy of yours, or the 
other party is on the PSTN in which case the call is routed through a 
VoIP gateway of yours, why should they pay you anything? (In both of 
those cases correct billing will also not be a problem.) SIP wasn't 
designed to support that, and you may see that as something lacking in 
SIP, but surely it is not a security issue.

It would seem logical to me that as a provider of a SIP Proxy, you may 
bill something for the SIP traffic (the call setup) but not for the RTP 
traffic (the actual voice) which may not even route close to any of your 
networks. Also note that there are many legit ways to work around such 
billing (such as "what is your IP, I'll call you directly?") without the 
need to send forged BYE messages.

henrik

-- 
Henrik.Ingo at sesca.com
+358-40-5697354
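
An added example, not part of the original thread: where RTP does pass through a relay or gateway the operator runs (the case the reply says bills correctly), the signalling record can be cross-checked against the media the relay actually carried, flagging calls whose RTP outlived the BYE. The record layouts, field names and grace period are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

GRACE_SECONDS = 2.0  # assumption: allowance for packets in flight when BYE arrives

@dataclass(frozen=True)
class Dialog:              # one call as the SIP proxy / billing system saw it
    call_id: str
    media: frozenset       # the two (ip, port) RTP endpoints negotiated in SDP
    answered: float        # time of the 200 OK to INVITE (billing starts)
    bye: float             # time of the BYE (billing stops)

@dataclass(frozen=True)
class RtpFlow:             # one direction of RTP as the media relay saw it
    src: tuple
    dst: tuple
    first_seen: float
    last_seen: float

def media_after_bye(dialogs, flows, grace=GRACE_SECONDS):
    """Return (call_id, billed_seconds, unbilled_media_seconds) for each
    dialog whose relayed RTP continued more than `grace` seconds past BYE."""
    findings = []
    for d in dialogs:
        overrun = 0.0
        for f in flows:
            same_endpoints = frozenset((f.src, f.dst)) == d.media
            # Flow must overlap the dialog, so a later call that reuses the
            # same ports is not attributed to this one.
            overlaps = f.first_seen <= d.bye and f.last_seen >= d.answered
            if same_endpoints and overlaps:
                overrun = max(overrun, f.last_seen - d.bye)
        if overrun > grace:
            findings.append((d.call_id, d.bye - d.answered, overrun))
    return findings

# Constructed sample records (documentation addresses, times in seconds).
A, B = ("192.0.2.10", 40000), ("198.51.100.20", 50000)
C, D = ("192.0.2.11", 40002), ("198.51.100.21", 50002)
DIALOGS = [
    Dialog("call-a@example.invalid", frozenset((A, B)), 100.0, 105.0),
    Dialog("call-b@example.invalid", frozenset((C, D)), 200.0, 260.0),
]
FLOWS = [
    RtpFlow(A, B, 100.2, 1900.0), RtpFlow(B, A, 100.3, 1900.0),  # outlives BYE
    RtpFlow(C, D, 200.1, 260.4), RtpFlow(D, C, 200.2, 260.3),    # ends with BYE
]

if __name__ == "__main__":
    for call_id, billed, unbilled in media_after_bye(DIALOGS, FLOWS):
        print(f"{call_id}: billed {billed:.0f}s, media ran {unbilled:.0f}s past BYE")
```

This check only works for media the operator can observe; RTP that flows directly between the two endpoints never appears in the relay's flow records.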




