Closing the last security holes in VoIP and making operation easy
The Internet Engineering Task Force (IETF) is currently trying to come up with answers to the last remaining questions about internet telephony. The IETF meeting in Prague dealt with the standardization of such functions as call waiting, voice boxes, and return calls, among other things, in VoIP. In addition, the task force is trying to formulate a regulation for emergency calls and, last but not least, have calls made over the internet encrypted.
As Jürgen Quitteck of NEC Laboratories in Heidelberg explained, the latter security issue is often used as an argument against internet telephony. The RTP-SEC task force hopes to put an end to these concerns. "Once we have an encryption standard, internet telephony will be safer than ISDN telephony", Quitteck believes. He argues that it is not quite right to claim that ISDN is much more secure today even without encryption. "Tapping phone lines by analogue means at the distributor is easier than fishing VoIP data out of the Internet", Quitteck explains. He points out that not even a leased line from an international carrier is necessarily secure without encryption.
However, not all of those attending the meeting in Prague were equally satisfied with the selection of encryption standards that are to be developed further within the IETF's RTP-SEC (RTP stands for the "real-time protocol") task force. Both Quitteck and Jiri Kuthan, one of the cofounders of SIP router manufacturer iptelorg GmbH, which was taken over by Tekelec of the US, say they would have preferred the ZRTP solution proposed by PGP guru Phil Zimmermann.
As Kuthan put it, Zimmermann's proposal was attractive because it was such an easy, user-friendly solution. In this approach, the two ends of the connection start by exchanging a pair of keys, using the key exchange developed by Diffie and Hellman. When the call has been terminated, the keys are destroyed in order to rule out retroactive decryption. Kuthan says that it is easy to exchange keys because no public-key infrastructure is required. He says that the only drawback would be the somewhat longer latency required for the exchange of keys before a call can be put through.
In contrast, Eric Rescorla, Hannes Tschofenig and others propose that DTLS be used, which is based on certificates containing keys. Kuthan says he is convinced that ZRTP will be implemented immediately in SER media routers, contrary to the vote of the IETF task force. Encryption, Kuthan argues, will close the largest "hole that is still open" in SIP.
Kuthan says that the ideas being discussed in the BLISS task force are "nice to have". BLISS is intended to standardize such well-known ISDN telephony functions as call waiting and call returns for SIP. While all of these functions are already available, they are implemented by various means; as a result, the solutions being offered by different SIP providers vary greatly. In some respects, Quitteck says, BLISS marks a turning point in the IETF's policies, since the task force has mainly been focusing on standardizing only protocol components, not the applications built upon them.
Before the end of the month, the ECRIT task force plans to complete a number of core documents concerning emergency calls via IP networks so that an emergency call will be recognized as such in the network, the caller's location determined, and the call routed to the appropriate emergency centre. Repeatedly, authorities have been demanding an emergency call function for IP telephony, among other features. (Monika Ermert)