[VOIPSEC] CLI is already dead for location - Re: Truths on "Truth in Caller ID Act"
Dan_York at mitel.com
Fri Oct 13 21:20:30 CDT 2006
My only comment is that CLI is already meaningless for location. Any of us offering enterprise IP communication systems also offer teleworker solutions (and in some cases have for several years) that sit on the edge of the corporate network and let you put IP phones wherever you can get an IP address and suitable bandwidth.
That call center in India may all be on IP phones hanging off a switch in Chicago. When they go out the trunks in Chicago to the PSTN, they would have a Chicago CLI *because that is where the PSTN connection is*. But the endpoints could be anywhere - in any country and on any continent.
The beauty of VoIP is that geographical location is completely irrelevant. Spoofing issues aside, CLI is dead for location. Period. End of story. The genie is out of the bottle and no law will put it back inside.
My 2 cents,
Dan (who is often asked by people who call the 613 phone number "How is the weather in Ottawa?" and replies "Don't know, I haven't been there in a month or two." VoIP is a beautiful thing...)
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel Corp. http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
----- Original Message -----
From: Mpierce1
Sent: 10/12/2006 10:05 PM
To: sil at infiltrated.net
Cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] Truths on "Truth in Caller ID Act"
In a message dated 10/7/2006 8:50:40 AM Eastern Daylight Time,
sil at infiltrated.net writes:
> You're assuming that it is always used for fraudulent purposes. So again
> I point to the analogy of a Dell outsourced partner calling me from
> India passing off a Seattle number.
That's exactly the type of thing that needs to be stopped. If Dell
outsourcing calls me from India, the CLI must be their number in India not a faked-in
number of some office in the US. That to me is exactly the purpose of this
proposed law. It is equivalent to the law regarding FAX calls that has been around
for a long time.
In a message dated 10/7/2006 8:50:40 AM Eastern Daylight Time,
sil at infiltrated.net writes:
> With this said, what purpose in all reality DOES CLI serve
> if authentication is not 100%
Well, millions of people subscribe to CLI and use it to decide whether or not
to answer the phone, and to block calls that do not provide CLI. I would say
that it is a valuable use to a lot of people. That purpose doesn't require
100% validation.
In addition, many 800 number subscribers use the CLI to fetch the calling
customer's account information so that it is ready when a person answers to
handle the call. That doesn't need 100% validation.
In another use, the power company provides an 800 number to dial to report
power outages. They can accumulate many reports and correlate it to a specific
area without needing anyone to answer the call. This is a very valuable use,
and certainly does not need absolute 100% validation.
Of course, E911 uses it. I'm really puzzled about your statement that this is
"the only valid use for CLI", since E911 requires better accuracy than the
other uses I've described. And why should they "stop using CLI as a resource of
authentication" (in the PSTN) if it's been working just fine for the purpose
intended? If this problem with CLI spoofing in VoIP is not solved, they will
have to stop using it for E911, at least for calls originating from a VoIP
phone.
All of these uses would become useless if a large percentage of the calls
had invalid CLI. Thus the need for the law and for technical means to prevent
spoofing.
In a message dated 10/7/2006 8:50:40 AM Eastern Daylight Time,
sil at infiltrated.net writes:
> That is a contradiction to YOUR OWN analogy on American Express when YOU
> called them don't you think. Must have been easy for you and a breath
> of relief to not have to spend an extra minute or so making
> verifications on your identity yet here you are stating "Don't use CLI"
> yet your entire post rambles on about the pros of CLI. Hypocritical
> isn't it? "CLI a valuable tool" ... "Just don't use it for X occasions".
>
When I call AMEX, my comfort comes from the fact that I dialed an 800 number
that I got along with the card, and I trust the existing PSTN to route that
call to the right place. It has nothing to do with CLI. Will VoIP provide that
assurance of correct call routing? The security issue is whether AMEX, as the
receiver of the call, uses the CLI to authenticate me before giving me, as the
caller, any sensitive information. They don't. While the CLI gives AMEX some
comfort that the call is coming from the right place for the purpose of
activating a card, I don't believe they would give any other account information
without further authentication.
Besides, my point is "don't use CLI for those things that required 100%
authentication". That doesn't invalidate its usage for other purposes as I have
described above. The obvious answer is that, if you receive a call, don't believe
the CLI enough to give sensitive information to the caller.
In a message dated 10/7/2006 8:50:40 AM Eastern Daylight Time,
sil at infiltrated.net writes:
> I remember having to make a call home
> and having an operator ask me the same however, I was told to state my
> name. This was in the early/mid 90's and I believe Verizon was the
> carrier.
I don't know what the point is. If you were asked for your name, I presume
you were making a collect call. CLI (of the pay phone or whatever) was
irrelevant. Or was it some other type of call? Besides, I really don't believe that
what happened in early/mid 90's matters anymore. I'm sure that Verizon has
corrected whatever security hole existed.
In a message dated 10/7/2006 8:50:40 AM Eastern Daylight Time,
sil at infiltrated.net writes:
> The receiver sees the pre-paid company's CLI not the
> originator. According to the word of the law, there is no "Truth in
> Caller ID" in that instance, it is half-baked. Is this an exception to
> the rule.
It's just one of the fine points that responsible carriers and pre-paid
calling card vendors need to examine and make sure that the law is written
correctly so that what they are doing is not considered illegal. It does no good to
simply ridicule such a law as unnecessary or stupid. I would think of the calling
card call the same as a forwarded call. Either the original calling number or a
number which positively identifies the calling card company, that is, the
identity of the "line" they use to forward the call, should be a legal "CLI".
In a message dated 10/7/2006 8:50:40 AM Eastern Daylight Time,
sil at infiltrated.net writes:
> As for VoIP destroying this feature, I think VoIP will help
> shape future "standards" on it and perhaps get it done correctly the
> second (or third or fourth) time around
>
I presume from your comment that you, like others in the Internet/VoIP arena
I have corresponded with, believe that the PSTN did everything wrong and that
VoIP is doing everything correctly. If that is what you think, it is
impossible to carry on reasonable discussions of how to migrate useful services from
PSTN to the VoIP environment without losing important utility and without losing
what security the PSTN provides. The fact remains, whether you want to admit
it or not, that the PSTN did most things very well, considering the
technological limits it was working with. Maybe VoIP can do things better, but I have
yet to see a single case in which it could. I'm still waiting, as are many
others. I'd love to hear from anyone, preferably off-line, detailing even one thing
that it actually does better (not "promises" to do better).
Mike Pierce
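The thread above draws a line between uses of CLI that tolerate a wrong or spoofed number (routing, prefetching an account so it is ready when an agent answers, correlating outage reports by area) and uses that require the caller to prove something (disclosing account details). The following is an added example, not code from either poster or from any carrier; it models an inbound call handler in which CLI only selects a queue and prefetches a record, while anything sensitive demands a caller-held secret. All account numbers, phone numbers, PINs and the `handle_call`/`correlate_outage_reports` helpers are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: CLI (E.164) -> account record. Not real numbers.
ACCOUNTS = {
    "+14165550101": {"account": "ACCT-1001", "name": "A. Example", "balance": 1234.56},
    "+13125550199": {"account": "ACCT-2002", "name": "B. Sample", "balance": 42.00},
}


def _pin_record(pin: str, salt: bytes):
    """Derive a stored verifier for a PIN (constructed salt, PBKDF2-HMAC-SHA256)."""
    return (salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000))


# Constructed PIN store: account -> (salt, derived key). The PIN is the
# caller-held secret that a CLI value can never substitute for.
PIN_STORE = {
    "ACCT-1001": _pin_record("2468", b"salt-1001"),
    "ACCT-2002": _pin_record("1357", b"salt-2002"),
}

# Hint-only uses: a wrong or spoofed CLI costs nothing beyond a mis-routed
# call or a prefetched record the agent discards.
HINT_ONLY = {"prefetch", "screen"}
# Sensitive uses: CLI alone is never sufficient; the caller must prove a secret.
SENSITIVE = {"disclose_balance", "change_address"}


@dataclass
class CallResult:
    routed_to: str
    prefetched: Optional[dict]
    disclosed: Optional[dict]
    reason: str


def verify_pin(account: str, pin: str) -> bool:
    """Constant-time check of the caller-supplied PIN against the stored verifier."""
    rec = PIN_STORE.get(account)
    if rec is None:
        return False
    salt, expected = rec
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, expected)


def handle_call(cli: str, action: str, pin: Optional[str] = None) -> CallResult:
    """Decide what an inbound call may get, given its (unauthenticated) CLI."""
    acct = ACCOUNTS.get(cli)
    # Routing and prefetch are driven purely by CLI: the "ready when the agent
    # answers" convenience described in the thread. No validation is needed,
    # because a spoofed CLI only yields data the real subscriber already knows
    # to the agent's screen, never to the caller.
    routed_to = "account-queue" if acct else "general-queue"
    prefetched = {"account": acct["account"], "name": acct["name"]} if acct else None
    if action in HINT_ONLY:
        return CallResult(routed_to, prefetched, None, "cli used as hint only")
    if action in SENSITIVE:
        if acct is None:
            return CallResult(routed_to, None, None, "no account for cli")
        if pin is None:
            return CallResult(routed_to, prefetched, None, "step-up authentication required")
        if not verify_pin(acct["account"], pin):
            return CallResult(routed_to, prefetched, None, "authentication failed")
        disclosed = {"balance": acct["balance"]} if action == "disclose_balance" else {"ok": True}
        return CallResult(routed_to, prefetched, disclosed, "authenticated by pin")
    raise ValueError(f"unknown action: {action}")


def correlate_outage_reports(clis) -> Counter:
    """Aggregate outage reports by NANP area code (NPA) without validating any
    single CLI; a handful of wrong entries does not change the picture."""
    npa = (c[2:5] for c in clis if c.startswith("+1") and len(c) == 12)
    return Counter(npa)
```

The split mirrors the distinction the thread is making: `prefetch` and `screen` succeed on CLI alone because an attacker who spoofs a number gains nothing they did not already have, whereas `disclose_balance` returns nothing until the PIN check passes, so a spoofed CLI on its own never reaches account data.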
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org