List Of Contents

1. Introduction: VoIP

2. VoIP Architecture and Protocol Stack

3. VoIP configurations

4. Requirements, Availability, and Service Limitations

5. Introduction: Session Initiation Protocol (SIP)

6. Short History of SIP

7. Overview of Services Provided by SIP Servers

8. SIP Enabled Network

9. Threats and Risks

10. How to Protect Against Risks

11. References

Introduction: VoIP

Voice over Internet Protocol (VoIP) is a form of communication that allows you to make phone

calls over a broadband internet connection instead of typical analog telephone lines. Basic VoIP

access usually allows you to call others who are also receiving calls over the internet. Interconnected VoIP services also allow you to make and receive calls to and from traditional landline numbers, usually for a service fee. Some VoIP services require a computer or a dedicated VoIP phone, while others allow you to use your landline phone to place VoIP calls through a special adapter.

VoIP is becoming an attractive communications option for consumers. Given the trend towardslower fees for basic broadband service and the brisk adoption of even faster internet offerings, VoIP usage should only gain popularity with time. However, as VoIP usage increases, so will the potential threats to the typical user. While VoIP vulnerabilities are typically similar to the ones users face on the internet, new threats, scams, and attacks unique to IP telephony are now emerging.

Gaining Flexibility with VoIP

VoIP is not just about making and receiving telephone calls; it’s about a whole new way of communicating. Sure, it includes telephone calls, but there is so much more to the VoIP telephony picture. VoIP integrates most if not all

other forms of communication. You can even run videoconferencing to your desktop. With VoIP, your company enjoys increased productivity and customer satisfaction.

These improvements are typically realized through the flexibility offered by enhanced calling features. A few calling features, such as voice mail and call transfer, have been around in the POTS world for quite some time. On the other hand, integrating data, voice, and video applications to run over a single network and work with wireless phones are more recent innovations made possible by IP telephony. Following are some enhanced calling features made possible by IP telephony:

Vemail: Before IP telephony and VoIP, you accessed voice mail through a telephone and accessed e-mail through a computer. With VoIP, you can read your voice mail on your computer screen and listen to your e-mail through an IP-enabled telephone. The new term for this converged feature is vemail (pronounced “v-e-mail”).

Web surfing: Because VoIP operates with the same set of IP rules and protocols that support Web-based applications, it is possible to access the Web with an IP-enabled telephone. If you have an IP telephone with a large enough screen, it can display Web pages or a list of your favorite Web links. For instance, you could use your phone to view your stock exchange trading status or the current weather forecast.

In an IP telephony world, these calling features (and many more) are available with no monthly recurring charges. VoIP, with all of its many benefits, is quickly replacing traditional POTS-based technologies. VoIP is even becoming a superior replacement for many former computer-only applications. One of the big stories with VoIP is the many new and exciting features that increase your ability to be agile and mobile. You no longer have to say “I’ve got to get to a phone!” VoIP can be on your desk, computer, mobile phone, or PDA. It can be hardwired or have no wires at all. This flexibility is astounding to those familiar with traditional telephony.

VoIP Architecture and Protocol Stack

Current implementation of VoIP has two types of architectures, which are based on H.323 and SIP frameworks, respectively. SIP, which is defined in RFC2543 of the MMUSIC working group of IETF, is an application-layer control signaling protocol for creating, modifying, and terminating sessions with one or more participants. the fundamental architectures of these two implementations are the same. They consist of three main logical components: terminal, signaling server and gateway. They di_er in specific definitions of voice coding, transport protocols, control signaling, gateway control, and call management. QoS requirements of VoIP include packet loss, delay, and delay jitter. The current H.323 and SIP frameworks support some kind of interfaces to QoS management (e.g., the one between H.323 and RSVP), they do not provide functional QoS management mechanisms. Consequently, products in the market now (e.g., Cisco s and Alcatel s VoIP systems) cannot provide QoS guarantees to VoIP applications. QoS management architecture of VoIP can be partitioned into two planes: data plane and control plane. Mechanisms in data plane include packet classification, shaping, policing, management, scheduling, loss recovery, and error concealment. They implement the actions the

network needs to take on user packets, in order to enforce class services. Mechanisms in control plane consist of resource provisioning, engineering, admission control, resource reservation and connection management etc.[4]

Comparison with TCP/IP

Application layer differences

The first difference between the VoIP implementation of TCP/IP and the traditional data implementation is in the application layer. In a VoIP call, the application layer utilizes the following three protocols:

NTP: Network time protocol. This protocol enables timing, which helps ensure that the signals are transmitted and received within the proper timeframe to assure quality.

RTP: Real-time transport protocol. This protocol provides end-to-end network transport functions for digital voice signals encapsulated in the VoIP packet.

RTCP: Real-time transport control protocol. This protocol monitors voice signal delivery and provides minimal control functions to ensure the delivery of packets.

All three of the application layer protocols combine, at nanosecond speeds, to deliver VoIP voice packets.

Transport layer differences

The second difference between the traditional data implementation of TCP/IP and the VoIP implementation is in the transport layer. The lion’s share of computer data networking uses the TCP protocol at the transport layer. For VoIP, the transport layer uses UDP, user datagram protocol. (UDP is used also for real-time videoconferencing networks.)

VoIP configurations

Dedicated routers

These devices allow you to use your traditional phone to place VoIP calls. They are connected to cable/DSL modems (or any high-speed internet source) and allow you to attach an ordinary telephone. Once configured, and with an appropriate VoIP provider and service plan, these devices require no special software or interaction with a computer. In fact, you only need to pick up your phone and dial a number at the dial tone. You also may bring your adapter with you when you travel and make calls wherever broadband internet access is available.

Adapters (USB)

These devices also allow you to use a traditional phone to place VoIP calls. They usually come

in the form of USB adapters that are slightly larger than the typical thumb drive. They feature a

standard modular phone jack to which you can attach an ordinary phone line. Once connected, your phone behaves as if it were connected to standard phone service. Behind the scenes, however, the included software is actually setting up a VoIP call.

Software-controlled VoIP applications: “softphones”

There are many software applications (“softphones”) that allow you to place VoIP phone calls

directly from an ordinary computer with a headset, microphone, and sound card. Internet telephony service providers usually give away their softphones but require that you use their service. Together, these applications and services enable users to talk to other people using the same service at no cost, and to the rest of the world for a fee. Software-based VoIP applications are quite attractive to consumers because they often already have most of the components necessary to get started at little to no cost.

Dedicated VoIP phones

A VoIP phone looks like an ordinary corded or cordless telephone, but it connects directly to a computer network rather than a traditional phone line. A dedicated VoIP phone may consist of a phone and base station that connects to the internet or it may also operate on a local wireless network. Like the VoIP adapters mentioned above, dedicated VoIP phones also require a provider and service plan.

Requirements, Availability, and Service Limitations

When considering VoIP service, you should not assume that its features, functionality, and

options will equal those of traditional landlines; you should be familiar with the requirements,

availability, and possible service limitations of VoIP service before switching to VoIP as either a

primary means of communication or an enhancement to your current services.

Requirements

VoIP requires a connection to the Internet through an ISP, a VoIP service to extend the reach to

traditional landlines, and VoIP software to actually place calls. Plain Old Telephone Service

(POTS) requires none of these prerequisites. It is important to note that Digital Subscriber Line

(DSL) internet service uses traditional phone lines for your internet connection; in this case, you

already have telephone service to begin with. You may wish to weigh the expected benefits of

VoIP against these costs given your current operating environment.

Availability due to power outages

During a typical power outage, VoIP becomes unavailable because VoIP devices (computers,

routers, adapters) usually rely on a power source to function. Traditional phone lines are usually

still available during such an outage, which is a major advantage in an emergency. Ultimately, it

may be necessary to use an uninterruptible power supply (UPS) with a VoIP installation if

connectivity is desired during a power outage or some other kind of emergency.

Availability due to bandwidth

VoIP communication nearly always requires a high-speed (broadband) internet connection for

reliable functionality. Even given typical broadband connection speeds, though, service

interruptions or degradation of quality is possible due to high internet traffic. For example, if you

are trying to place a VoIP call while other people are using a lot of bandwidth on the same

internet connection, the sound quality of your VoIP call or general VoIP availability may be

affected.

911 services

911 services are not guaranteed with a basic (VoIP to VoIP) setup. However, it is available with

many of the interconnected services that extend VoIP connectivity to traditional landlines. You

should not assume that 911 services are present and working (even with interconnected VoIP

services) but should consult with the terms of your service agreement. The FCC has described

some of the challenges of VoIP services and has provided tips for VoIP subscribers.

Introduction: Session Initiation Protocol

The growing thirst among communications providers, their partners and subscribers for a new generation of IP-based services is now being quenched by SIP – the Session Initiation Protocol. An idea born in a computer science laboratory less than a decade ago, SIP is the first protocol to enable multiuser sessions regardless of media content and is now a specification of the International Engineering Task Force (IETF).Today, increasing numbers of carriers, CLECs and ITSPsare offering such SIP-based services as local and long distance telephony, presence & Instant Messaging, IP Centrex/Hosted PBX, voice messaging, push-to-talk, rich media conferencing, and more. Independent software vendors (ISVs) are creating new tools for developers to build SIP-based applications as well as SIP software for carriers’ networks. Network equipment vendors (NEVs) are developing hardware that supports SIP signaling and services. There is a wide variety of IP phones, User Agents, network proxy servers, VOIP gateways, media servers and application servers that all utilize SIP. Gradually, SIP is evolving from the prestigious protocols it resembles -- the Web’s Hyper Text Transfer Protocol(HTTP) formatting protocol and the Simple Mail Transfer Protocol (SMTP) email protocol -- into powerful emerging standard. However, while SIP utilizes its own unique user agents and servers, it does not operate in a vacuum. Comparable to the converging of the multimedia services it supports, SIP works with a myriad of preexisting protocols governing authentication, location, voice quality, etc. This paper provides a high-level overview of what SIP is and does. It charts SIP’s migration from the laboratory to the marketplace. It describes the services SIP provides and the initiatives underway that will spur its growth.

The SIP Advantage: Open, Extensible Web-Like Communications Like the Internet

SIP is easy to understand, extend and implement. As an IETF specification, SIP extends the open-standards spirit of the Internet to messaging, enabling disparate computers, phones, televisions and software to communicate. As noted, a SIP message is very similar to HTTP (RFC 2068). Much of the syntax in message headers and many HTTP codes are re-used. Using SIP, for example, the error code for an address not found, “404,” is identical to the Web’s. SIP also re-uses the SMTP for address schemes. A SIP address, such as sip:guest@sipcenter.com, has the exact structure as an email address. SIP even leverages Web architectures, such as Domain Name System or Service (DNS), making

messaging among SIP users even more extensible.

Using SIP, service providers can freely choose among standards-based components and quickly harness new technologies. Users can locate and contact one another regardless of media content and numbers of participants. SIP negotiates sessions so that all participants can agree on and modify session features. It can even add, drop or transfer users. However, SIP is not a cure-all. It is neither a session description protocol, nor does it provide conference control. To describe the payload of message content and characteristics, SIP uses the Internet’s Session Description Protocol (SDP) to describe the characteristics of the end devices. SIP also does not itself provide Quality of Service (QoS) and interoperates with the Resource Reservation

The Short History of SIP

By 1996, the Internet Engineering Task Force (IETF) had already developed the basics for multimedia on the Internet (see Chapter 14, “SIP Conferencing”) in the Multi-Party, Multimedia Working Group. Two proposals, the Simple Conference Invitation Protocol (SCIP) by Henning Schulzrinne and the Session Initiation Protocol (SIP) by Mark Handley, were announced and later merged to form Session Initiation Protocol. The new protocol also preserved the HTTP orientation from the initial SCIP proposal that later proved to be crucial to the merging of IP communications on the Internet. Schulzrinne focused on the continuing development of SIP with the objective of “re-engineering the telephone system from ground up,” an “opportunity that appears only once in 100 years,” as we heard him argue at a time when few believed this was practical. SIP was initially approved as RFC [2] number 2543 in the IETF in March 1999. Because of the tremendous interest and the increasing number of contributions to SIP, a separate SIPWorking Group (WG) was formed in September

1999. The SIP for Instant Messaging and Presence Leveraging (SIMPLE) was formed in March 2001, followed by SIPPING for applications and their extensions in 2002. The specific needs of SIP developers and service providers have led to an increasing number of new working groups. This very large body of

work attests both to the creativity of the Internet communications engineering community, and also to the vigor of the newly created industry. We will shorten the narrative on the history of SIP by listing the related

Philosophical Differences between the Internet and Non-Internet Worlds

The Internet once stressed flexibility not reliability. However, with the advent of VoIP that has changed. In a traditional telecommunications environment, which encompasses the wireline and wireless carriers, the stress is on reliability and that is because of the demands and expectations of the customer. Voice is a real-time service.

Reliability is a subjective measure of dependability. Reliability is one of those soft touchy feely word that mean different things to different people. : Reliability is very different than either Availability or MTBF. Reliability is a measure of performance or dependability while the system is operational. Reliability is a subjective measure that takes into account Availability, MTBF, and consistent quality of product. Reliability is a subjective measurement because how much weight one places over one measurement over another is dependent on the person.

Due to the stress on reliability, the wireline and wireless carriers maintain an exhaustive set of operating and technical requirements, which govern what can be interconnected into their networks. During the early 1990s, a large wireline carrier suffered a massive network failure affecting multiple states and resulting in a loss of service for several hours. In the traditional telecommunications environment, if a piece of equipment does not meet specific operating and technical standards then that piece of equipment will be prohibited from use in the network. The traditional telecommunications environment relies heavily on NEBS. NEBS, which is the acronym for Network Equipment Building Systems, is managed by Telcordia, formerly Bellcore.

The Internet, however, stresses flexibility, therefore, the need for stringent standards does not exist. The Internet players’ concentration on flexibility has allowed multiple equipment vendors to manufacturer a variety of computers, host, routers, storage devices, laptop computers, software utilities, network management tools, etc., without having to account for national standards of performance. If an Internet company’s product does not satisfy the marketplace it usually goes out of business.

When one looks at how the Internet is configured with multiple network types and multiple configurations, it is difficult not to be amazed at the Internet’s ability to adapt.

The Internet Protocol was designed to be a “best effort” protocol. The focus on the moving of data

Adapters (USB)

These devices also allow you to use a traditional phone to place VoIP calls. They usually come in the form of USB adapters that are slightly larger than the typical thumb drive. They feature a standard modular phone jack to which you can attach an ordinary phone line. Once connected, your phone behaves as if it were connected to standard phone service. Behind the scenes, however, the included software is actually setting up a VoIP call.

Software-controlled VoIP applications: “softphones”

There are many software applications (“softphones”) that allow you to place VoIP phone calls directly from an ordinary computer with a headset, microphone, and sound card. Internet telephony service providers usually give away their softphones but require that you use their service. Together, these applications and services enable users to talk to other people using the same service at no cost, and to the rest of the world for a fee. Software-based VoIP applications are quite attractive to consumers because they often already have most of the components necessary to get started at little to no cost.

Dedicated VoIP phones

Requirements, Availability, and Service Limitations

When considering VoIP service, you should not assume that its features, functionality, and options will equal those of traditional landlines; you should be familiar with the requirements, availability, and possible service limitations of VoIP service before switching to VoIP as either a primary means of communication or an enhancement to your current services.

Requirements

VoIP requires a connection to the Internet through an ISP, a VoIP service to extend the reach to traditional landlines, and VoIP software to actually place calls. Plain Old Telephone Service (POTS) requires none of these prerequisites. It is important to note that Digital Subscriber Line (DSL) internet service uses traditional phone lines for your internet connection; in this case, you already have telephone service to begin with. You may wish to weigh the expected benefits of VoIP against these costs given your current operating environment.

Availability due to power outages

During a typical power outage, VoIP becomes unavailable because VoIP devices (computers, routers, adapters) usually rely on a power source to function. Traditional phone lines are usually still available during such an outage, which is a major advantage in an emergency. Ultimately, it may be necessary to use an uninterruptible power supply (UPS) with a VoIP installation if connectivity is desired during a power outage or some other kind of emergency.

Availability due to bandwidth

VoIP communication nearly always requires a high-speed (broadband) internet connection for reliable functionality. Even given typical broadband connection speeds, though, service interruptions or degradation of quality is possible due to high internet traffic. For example, if you are trying to place a VoIP call while other people are using a lot of bandwidth on the same internet connection, the sound quality of your VoIP call or general VoIP availability may be affected.

911 services

911 services are not guaranteed with a basic (VoIP to VoIP) setup. However, it is available with many of the interconnected services that extend VoIP connectivity to traditional landlines. You should not assume that 911 services are present and working (even with interconnected VoIP services) but should consult with the terms of your service agreement. The FCC has described some of the challenges of VoIP services and has provided tips for VoIP subscribers. For more information,

Threats / Risks

Many of the threats associated with VoIP are similar to the threats inherent to any internet application. Internet users are already familiar with the nuisance of email abuse in the form of spam and phishing attempts. VoIP opens yet another pathway for these annoyances, which can lead to spam over internet telephony (SPIT), spoofing, and identity theft. Additionally, the confidentiality of VoIP conversations themselves has come into question, depending on service type or VoIP configuration.

Spam over internet telephony (SPIT)

As VoIP usage increases, so will the pesky marketing strategies associated with it. Perennial annoyances like telemarketing and spam have been plaguing consumers and internet users for years. A new sort of hybrid of these two concepts is SPIT, or spam over internet telephony. Like email spamming, sending commercial messages via VoIP is fast and cheap. Unlike traditional telemarketing, though, VoIP offers the potential for large volumes of unsolicited calls, due to the wide array of tools already available to attackers on the internet. Telemarketers could easily send

large amounts of messages to VoIP customers. Unlike traditional spam email messages, which average only 10–20 kilobytes in file size, unwanted VoIP voicemails can require megabytes of storage.

Spoofing

It is technically possible for an attacker to masquerade as another VoIP caller. For example, an attacker could possibly inject a bogus caller ID into an ordinary VoIP call so that the receiver believes the call to be coming from a known and trusted source (a bank, for example). The receiver, fooled by the electronic identification of the caller, may place unwarranted trust in the person at the other end. In such an exchange, the receiver may be tricked into disclosing personal information like account numbers, social security numbers, or secondary authentication factor: a mother’s maiden name, for example. This scheme is essentially the VoIP version of traditional phishing, where a user follows links in an unsolicited email and is tricked into providing personal information on a bogus web site. Attackers may use these bits and pieces of personal information to complete partial identity records of victims of identity theft.

Confidentiality concerns

Many critics of VoIP question its confidentiality. The concern is that VoIP data sometimes travels unencrypted over the internet. Therefore, it is technically possible for someone to collect VoIP data and attempt to reconstruct a conversation. Although it is extremely difficult to achieve, some software programs are designed to piece together bits and pieces of VoIP data in an effort to reconstruct conversations. While such activity is currently rare, you should be aware of this possibility as it may increase as VoIP becomes more widespread.

How to Protect Against Risks

Many of the principles and practices for safe VoIP usage are the same as those you may already be practicing with other internet applications. Ignoring these general principles could allow attackers to gain control of your computer operating system by means of an existing software flaw or a misconfiguration unrelated to your VoIP application. It may then be possible for them to exploit flaws in your VoIP configuration, thereby possibly gaining access to personal information you share when using VoIP. Here are some of the key practices of good personal computing:

Use and maintain anti-virus and anti-spyware programs.
Be cautious about opening files attached to email messages or instant messages.
Verify the authenticity and security of downloaded files and new software.
Configure your web browser(s) securely.
Use a firewall.
Identify, back-up, and secure your personal or financial data.
Create and use strong passwords.
Patch and update your application software

The Anatomy of a SIP Session

SIP sessions utilize up to four major components: SIP User Agents, SIP Registrar Servers, SIP Proxy Servers and SIP Redirect Servers. Together, these systems deliver messages embedded with the SDP protocol defining their content and characteristics to complete a SIP session. Below is a high-level description of each SIP component and the role it plays in this process.

SIP User Agents (UAs) are the end-user devices, such as cell phones, multimedia handsets, PCs, PDAs, etc. used to create and manage a SIP session. The User Agent Client initiates the message. The User Agent Server responds to it.

SIP Registrar Servers are databases that contain the location of all User Agents within a domain. In SIP messaging, these servers retrieve and send participants’ IP addresses and other pertinent information to the SIP Proxy Server.

SIP Proxy Servers accept session requests made by a SIP UA and query the SIP Registrar Server to obtain the recipient UA’s addressing information. It then forwards the session invitation directly to the recipient UA if it is located in the same domain or to a Proxy Server if the UA resides in another domain.

SIP Redirect Servers allow SIP Proxy Servers to direct SIP session invitations to external domains. SIP Redirect Servers may reside in the same hardware as SIP Registrar Severs and SIP Proxy Servers.

SIP Capabilities

SIP-enabled IP devices can call each other directly, if they know each other’s URL. Thus, an IP phone call can be placed directly between two or more SIP phones or PCs. Small conferences can be held by several users connecting to one device acting as the conference bridge, where one of the SIP phones can act as both conference participant and conference bridge. Besides SIP devices such as phones, PCs, IP telephony gateways, and mobile devices, service providers also deploy SIP servers for a variety of additional services. Figure illustrates how SIP servers perform a routing service that puts the caller in contact with the called party in a step-by-step fashion, taking into account the desired service and user preferences. We will show in the following sections that the SIP service model provides users with all services known from the circuit-switched telephone network, as well as new services thatresult from taking advantage of the Internet.

Overview of Services Provided by SIP Servers

Multimedia conferencing on the Internet was well developed by the research and academic community by 1997. This has been reflected in the explosion of commercial ventures for Internet multimedia during the past decade. Work started at the same time to extend the Internet multimedia architecture for use in telephony. Because of the enormous complexity and richness of services on the PSTN, this work has taken much longer to develop, and only at the end of 2000 had it reached a critical mass where true reengineering of the telephone system for the Internet was well understood. In the history of science and technology, many new technologies have found applications that were not envisaged by their inventors. With this limitation in mind, the following sections will provide an overview of services that are supported by SIP servers, such as those used by public VoIP service providers and in enterprise PBX networks.

The prevalent business model of VoIP service providers in early 2006, however, is to not support any features that require going outside the walled garden. The assumption of practically all VoIP service providers is that all services are provided in-house. This may change, however, as Internet-wide VoIP will mature. Recent work has shown that all or most services performed by SIP proxy servers in the network can also be performed by server-less P2P SIP.

SIP Enabled Network

The SIP network is composed of the following:

SIP endpoints, such as phones, gateways, and various types of computers— SIP endpoints are fully qualified Internet hosts, as defined in RFCs 1122 and 1123. Internet hosts are very different from telecommunication devices, such as phones, fax machines, or mobile phones in the sense that

(1) they may use the services of any other host on the IP network and

(2) they may run any and all applications the user may desire.

The user can direct communications via any service provider and can load any application, similar to other

services on the Internet. Depending on the service and user preferences, most communication services can also be controlled from end to end without support from the network for call setup. There are two types of SIP endpoints:

User devices, such as phones and personal computers.
Gateways to other networks, especially IP telephony gateways that

use CAS, Q.931 or SS7 signaling. Other gateways can connect to H.323 or other legacy VoIP networks and device control networks, such as found in certain IP PBXs and so-called softswitches, using MGCP, MEGACO, or H.248 master-slave protocols.

SIP servers—Most users have no desire to understand and manage the services they use, and there are also security and technical reasons to place services on dedicated servers in the network, where they can be

accessed from anywhere and used with various communication devices. SIP servers accomplish the functions found in the telecom AIN, in e-mail systems, and in web servers, as well as new functions, specific

to SIP. SIP servers can be stateless, similar to other Internet devices. SIP servers can be deployed in geographically distributed clusters to avoid service failures. All this ensures very fast response time and avoids failures in the network to disable calls, since the call state is kept at the periphery of the network and not in the core. Users do not depend on any potential central points of failure in the network and can communicate

as long as they have working end devices.

A caller can send an INVITE message to establish a session to the called party, without knowing exactly where the other endpoint may be, and the SIP servers will route the call to the destination. The route to the destination can be forked in the network so as to find the other endpoint. The same infrastructure can also serve for an instant message and presence service. Awatcher can subscribe to a presentity and receive NOTIFY messages from the presentity. The watcher and presentity can exchange short text messages using SIP itself, or

RTP packets for any other communication media: audio, various data applications, video, or games for instant communications.

SIP Methods

SIP RESPONSE CODE CLASSES

SIP Enabled IP Communication Network

Endpoints and servers benefit from a long list of protocol features of SIP:

Web-style and telephony-type addressing—SIP devices can use URIs that are location-independent and URLs that point to a specific host. Addresses can take the form of e-mail addresses or telephone numbers, with clearly defined options for E.164 public telephone numbers and private numbering plans.

Registration—Devices connected to the network are registered so as to route calls to and from the device. Users may register themselves using their ID to get access to their particular information and services, independent from the device registration. This is similar to e-mail access from web kiosks or Internet cafes. Such dynamic routing to/from the user is accomplished without needing “switch translations” or other static routing tables to be managed.

Security—SIP is designed to use the Internet security mechanisms protect sensitive signaling information from various types of attack. User location and traffic patterns can be kept confidential. SIP security can be quite complex and uses the advances in all generic IP security mechanisms.

Redirect—ASIP server can redirect a request to another address, similar to the core function of the AIN.

Proxy—SIP proxy servers will forward the request of the user to another server that can provide the requested service, such as voicemail, conferencing, or presence information.

Forking—Arequest from a user can be forwarded in several directions simultaneously, as, for example, when trying various locations where the called party may be found.
Rendezvous and presence—The active form of rendezvous consists of routing a request for call setup to another server or endpoint where the desired service may be performed, such as communication with an individual, or with a machine. The passive form of rendezvous consists of presence information (that is, letting someone know that a party of interest is connected to the network and its communication state, such as available or busy).
Mobility—Users may have many communication devices such as phones, fax machines, computers, palm computers, and pagers, at home, at work, and while traveling. User devices can be attached to various types of networks, if proper gateways are provided: IP, PSTN, mobile telephony, wireless mobile data, or paging. SIP call setup can proceed without regard to the type of network or type of device theparties may use at a certain instance.
User preferences—Callers can specify how servers and the network should handle their requests, and also specify what type of service is desired or acceptable, whom they would like to reach, and whom they would like to avoid (for example, to avoid making calls to busy lines or to speak to machines). Called parties can specify how to handle incoming calls, depending on a very large set of criteria, such as who the caller is, from where the call is coming from, time of day, the communication device, and others.
Routing control—The route taken by SIP messages can be specified and recorded for various services.

Threats and Risks

Many of the threats associated with VoIP are similar to the threats inherent to any internet

application. Internet users are already familiar with the nuisance of email abuse in the form of

spam and phishing attempts. VoIP opens yet another pathway for these annoyances, which can

lead to spam over internet telephony (SPIT), spoofing, and identity theft. Additionally, the

confidentiality of VoIP conversations themselves has come into question, depending on service

type or VoIP configuration.

Spam over internet telephony (SPIT)

As VoIP usage increases, so will the pesky marketing strategies associated with it. Perennial

annoyances like telemarketing and spam have been plaguing consumers and internet users for

years. A new sort of hybrid of these two concepts is SPIT, or spam over internet telephony. Like

email spamming, sending commercial messages via VoIP is fast and cheap. Unlike traditional

telemarketing, though, VoIP offers the potential for large volumes of unsolicited calls, due to the

wide array of tools already available to attackers on the internet. Telemarketers could easily send

large amounts of messages to VoIP customers. Unlike traditional spam email messages, which

average only 10–20 kilobytes in file size, unwanted VoIP voicemails can require megabytes of

storage.

Spoofing

It is technically possible for an attacker to masquerade as another VoIP caller. For example, an

attacker could possibly inject a bogus caller ID into an ordinary VoIP call so that the receiver

believes the call to be coming from a known and trusted source (a bank, for example). The

receiver, fooled by the electronic identification of the caller, may place unwarranted trust in the

person at the other end. In such an exchange, the receiver may be tricked into disclosing personal

information like account numbers, social security numbers, or secondary authentication factor: a

mother’s maiden name, for example. This scheme is essentially the VoIP version of traditional

phishing, where a user follows links in an unsolicited email and is tricked into providing personal

information on a bogus web site. Attackers may use these bits and pieces of personal information

to complete partial identity records of victims of identity theft.

Confidentiality concerns

Many critics of VoIP question its confidentiality. The concern is that VoIP data sometimes

travels unencrypted over the internet. Therefore, it is technically possible for someone to collect

VoIP data and attempt to reconstruct a conversation. Although it is extremely difficult to

achieve, some software programs are designed to piece together bits and pieces of VoIP data in

an effort to reconstruct conversations. While such activity is currently rare, you should be aware

of this possibility as it may increase as VoIP becomes more widespread.

How to Protect Against Risks

• Use and maintain anti-virus and anti-spyware programs.

• Be cautious about opening files attached to email messages or instant messages.

• Verify the authenticity and security of downloaded files and new software.

• Configure your web browser(s) securely.

• Use a firewall.

• Identify, back-up, and secure your personal or financial data.

• Create and use strong passwords.

• Patch and update your application software.

• Do not divulge personal information to people you don’t know.

• If you are using a software VoIP application, consider using encryption software for both

your installation and for those you wish to talk to.

REFERENCES

Goode B., “Voice over Internet Protocol” – Proc. of IEEE, vol. 90, no. 9, Septmember 2008.
Schiller J., “Mobile Communications” - Addison Wesley, 2007.
Benvensite M., et. al., “EDCF proposed draft text” – IEEE working document 802.11-01/131r1 (2007)
Vaidya N.H., et. al., “Distributed Fair Scheduling in a wireless LAN” – Sixth International Conference on Mobile Computing and Networking, Boston 2006.

Sobrinho J.L., Krishnakumar A.S., “Real-time Traffic over the IEEE802.11 Medium Access Control Layer” – Bell Labs Technical Journal (2007), pp. 172-187.
Sobrinho J.L., Krishnakumar A.S., “Quality of Service in ad hoc carrier sense multiple access networks” – IEEE Journal on Selected Areas in Communications 17(8) (2005), pp. 1353-1368.
Perkins C.E, “Mobile IP Tutorials”, http://www.computer.org/internet/v2n1/perkins.htm#r30
Schulzrinne H., Wedland E., “Application-layer mobility using SIP” – ACM SIGMOBILE Mobile Computing and Communications Review, vol. 4, no. 3, July 2006, pp. 47-57.