<br><br><div class="gmail_quote">On Thu, Aug 6, 2009 at 2:19 PM, Carlos Alcantar <span dir="ltr"><<a href="mailto:carlos@race.com">carlos@race.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
That part of the SS7 network is very true there are trusted service<br>
providers running them on top of that it actually takes some capital to<br>
be able to interconnect into the ss7 network which most people that are<br>
just trying to cause havic aren't going to be up for.<br>
<font color="#888888"><br>
<br>
Carlos Alcantar<br>
Race Telecommunications, Inc.<br>
101 Haskins Way<br>
South San Francisco, CA 94080<br>
P: 650.649.3550 x143<br>
F: 650.649.3551<br>
</font><div class="im"><br>
<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:voiceops-bounces@voiceops.org">voiceops-bounces@voiceops.org</a><br>
</div><div><div></div><div class="h5">[mailto:<a href="mailto:voiceops-bounces@voiceops.org">voiceops-bounces@voiceops.org</a>] On Behalf Of Hiers, David<br>
Sent: Thursday, August 06, 2009 10:44 AM<br>
To: John Todd; <a href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br>
Subject: Re: [VoiceOps] The big ENUM question (Was: VPFs)<br>
<br>
Every time this comes up, I find myself longing for the security,<br>
trustworthiness, and reliability of the physically separate, media-free,<br>
well-defined-trusted-service-providers-only network that is SS7. Even<br>
when the main attack tool was a simple PSTN analog phone and a box of<br>
cracker jacks, we found it necessary to bear the tremendous expense of<br>
creating SS7 to get the security (and features) that was needed.<br>
<br>
It is probably possible to run a signaling plane on the internet that<br>
can replace SS7, but it's a pretty tall order.<br>
<br>
<br>
David Hiers<br>
<br>
CCIE (R/S, V), CISSP<br>
ADP Dealer Services<br>
2525 SW 1st Ave.<br>
Suite 300W<br>
Portland, OR 97201<br>
o: 503-205-4467<br>
f: 503-402-3277<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
David Hiers<br>
<br>
CCIE (R/S, V), CISSP<br>
ADP Dealer Services<br>
2525 SW 1st Ave.<br>
Suite 300W<br>
Portland, OR 97201<br>
o: 503-205-4467<br>
f: 503-402-3277<br>
<br>
<br>
-----Original Message-----<br>
From: <a href="mailto:voiceops-bounces@voiceops.org">voiceops-bounces@voiceops.org</a><br>
[mailto:<a href="mailto:voiceops-bounces@voiceops.org">voiceops-bounces@voiceops.org</a>] On Behalf Of John Todd<br>
Sent: Wednesday, August 05, 2009 2:44 PM<br>
To: <a href="mailto:voiceops@voiceops.org">voiceops@voiceops.org</a><br>
Subject: Re: [VoiceOps] The big ENUM question (Was: VPFs)<br>
<br>
<br>
Comments in-line.<br>
<br>
On Aug 5, 2009, at 11:19 AM, Mark R Lindsey wrote:<br>
<br>
> At IPTComm a couple of years ago, Jonathan Rosenberg stood up and said<br>
<br>
> the big problem was the walled gardens that are telcos and ITSPs. We<br>
> carriers just aren't passing traffic via VoIP. Even Cisco customers<br>
> aren't passing traffic within their own company; you'd have a BTS over<br>
<br>
> here and a BTS over there, owned by the same Cable MSO, passing<br>
> traffic via ISUP.<br>
><br>
> Continuing this conversation about VPFs: what would it take for you to<br>
<br>
> start routing calls across the Internet using lookups like ENUM?<br>
><br>
> 1. A big task would be advertising our routes. We'd have to pull our<br>
> user's numbers out of our boxes -- Asterisk, BroadWorks, MetaSwitch,<br>
> Taqua, Sonus, Nortel, Cisco, etc., and advertise those numbers<br>
> somehow. I'm sure tools to extract the list of local numbers from each<br>
<br>
> of these systems would be pretty easy. Raise your hand if you're<br>
> excited about advertising all of your user's telephone numbers to make<br>
<br>
> the telemarketing and SPIT easier.<br>
<br>
I think that should already exist, if you're offering some sort of<br>
routing to start with. If you don't know the E.164 addresses that are<br>
assigned to each customer, how are you getting calls to them in the<br>
first place?<br>
<br>
As far as authenticating to protect against SPIT, that's not overly<br>
difficult, I believe. I had a suggestion some time ago that would at<br>
least let you create black/whitelists based on asserted domain name.<br>
Here is discussion and code I wrote that might be of some interest:<br>
<br>
<a href="https://mail.internet2.edu/wws/arc/sip.edu/2006-07/msg00012.html" target="_blank">https://mail.internet2.edu/wws/arc/sip.edu/2006-07/msg00012.html</a><br>
<a href="http://forum.e164.org/index.php?topic=16.0" target="_blank">http://forum.e164.org/index.php?topic=16.0</a><br>
<br>
<br>
> 2. We'd need to agree on some way to ensure that these routes<br>
> advertised were authoritative. E.g., how would YOU know that I'm<br>
> really authorized to advertise +1-229-316-0013? If you dip to SS7,<br>
> that goes to my CLEC-partner-of-the-week.<br>
<br>
OK, now this is a serious issue that I have no easy answer for. There<br>
are two companies here in North American that would be GLAD to offer the<br>
ability to look that data up in their proprietary databases, and charge<br>
you for that service. Personally, I'm not really interested in that<br>
model, though Bellheads nearly froth with glee when the concept of a<br>
"central database" starts to be needed for EVERY transaction.<br>
<br>
> 3. Then we'd need to agree on some way to do the lookup. ENUM seems<br>
> like a nice option -- if the basic delegation mechanism made sense.<br>
> It makes sense if we have large blocks of numbers, like NPANXXs, and<br>
> there are no number ports. But since we all have number ports, the<br>
> large blocks will be punctuated by many, many individual references to<br>
<br>
> the ITSP that ported in the number. So the ability to delegate<br>
> subdomains using ENUM doesn't bring much value, to my mind. So<br>
> whether we use ENUM or a normal SIP redirect server probably doesn't<br>
> make a lot of difference.<br>
<br>
OK, another huge stumbling block. Especially when we're now talking<br>
about creating ENUM trees that have to be completely broken down to<br>
individual responses for each 0-9 subdomain space for each reply if one<br>
number is ported out of the block. Gak. DNS doesn't like this.<br>
<br>
> 4. We'd also need to make peace on the whole transport thing. As Brian<br>
<br>
> Sneddon just said, the commodity Internet remains acceptable for a lot<br>
<br>
> of purposes. There's risk in betting on that, of course.<br>
<br>
If the user doesn't know what to expect, yes, that's very true.<br>
<br>
> 5. And then we'd have to figure out how to bill each other, if we're<br>
> going to do billing. But is billing each other for 100 kbps audio<br>
> streams worthwhile anyway?<br>
<br>
In my opinion, no. But I'm not a carrier who has become used to feeding<br>
from that teat of inter-carrier compensation. I'm used to charging my<br>
users for connecting their calls in or out, not charging someone else<br>
for the luxury of reaching my customers.<br>
<br>
> 6. Of course, we also want to be sure we're allowing calls only from<br>
> the right people. A few years ago, many of us setup our SBCs to allow<br>
> calls from the public Internet, but that's much less common now. Oh,<br>
> we'll accept any ol' screechy call that comes from our known peer, and<br>
<br>
> pay him to do it.<br>
<br>
I guess I can agree with this, but I don't know what "allowing calls<br>
from the right people" means, except in the context of getting paid for<br>
inbound calls (see my reply to your #5) or in a quality assurance issue<br>
(see #4.)<br>
<br>
> And once we figure out all of these challenges -- which are really<br>
> quite moderate -- we've got to convince ourselves that the effort is<br>
> worth the reward: we get to bypass the big carriers for some calls,<br>
> and get to use fancy codecs like G.722 and video.<br>
><br>
> The technical challenges are really quite moderate. The VPF people are<br>
<br>
> trying to solve it but only within their club. Why pay them when we<br>
> can do it ourselves?<br>
<br>
I agree with this last statement entirely, but with a caveat.<br>
<br>
The caveat is that I think that E.164 is broken, from both an<br>
operational and political level. I used to be a big believer, and I<br>
still think it probably is good non-global peering arrangements. But<br>
for public use, I think it's dead. (possibly excepting iNum, but I'm<br>
still viewing that with some suspicion)<br>
<br>
What's the punchline to this set of comments I've made? I am an<br>
advocate (and administrator) of the <a href="http://freenum.org" target="_blank">freenum.org</a> system, which uses a<br>
concept called "ISN", which is an alternate pointer system which can<br>
replace E.164. It uses organizationally-based numbering schemes which<br>
are keypad friendly (12 digit standard DTMF keyboard) and which are<br>
suitably different from<br>
<br>
An ISN (ITAD Subscriber Number) is formed very much like a SIP URI: a<br>
subscriber portion, a separator, and an organization identifier. A SIP<br>
URI might be "<a href="mailto:1234@loligo.com">1234@loligo.com</a>", and a similar ISN would be "1234*256".<br>
In this case, <a href="http://loligo.com" target="_blank">loligo.com</a> (me) has received ITAD 256 from IANA a few<br>
years ago. So the ENUM-like lookup is "<a href="http://4.3.2.1.256.freenum.org" target="_blank">4.3.2.1.256.freenum.org</a>" - the<br>
<a href="http://freenum.org" target="_blank">freenum.org</a> zone can either delegate zone "256" to me, or I can do what<br>
most organizations do and put in a wildcard NAPTR record that just<br>
points all SIP calls to my Asterisk SIP platform. In this example case,<br>
the NAPTR for <a href="http://4.3.2.1.256.freenum.org" target="_blank">4.3.2.1.256.freenum.org</a> maps to "<a href="mailto:1234@loligo.com">1234@loligo.com</a>", and<br>
uses standard SIP lookups from there on out.<br>
<br>
Here's a small set of advantages of <a href="http://freenum.org" target="_blank">freenum.org</a> over E.164:<br>
<br>
- Not similar to E.164 numbers (users have expectation of "internet<br>
calling")<br>
- Works on most of the world's existing phones<br>
- Requires no alphanumerics<br>
- Maps very cleanly to SIP infrastructures<br>
- Uses all standard ENUM methods, but slightly modifies root<br>
- Totally free<br>
- IANA-based registry for organizations (not-for-profit)<br>
- Layers onto existing E.164 system, if you so wish (12125551212*254<br>
would work fine, as an example)<br>
- Does not involve the ITU<br>
- Does not involve governments<br>
- Assumes end-to-end IP SIP at no charge between entities<br>
- Organizationally-based, not geographic<br>
- Scales better than ENUM, and within organizations can scale<br>
laterally<br>
- OpenSER, SER, Asterisk, FreeSwitch support existing already for<br>
dialing/DNS lookups<br>
- We have SIP, ENUM shims for systems that<br>
<br>
So, I believe that many of the problems with ENUM are insurmountable on<br>
a large scale. A different system needs to be put in place that allows<br>
dialpad access yet is more friendly and scalable for systems which are<br>
internet-enabled in the core. Hopefully, you'll take a look at the<br>
concept and see if you might permit your users to dial those digits and<br>
also accept inbound calls.<br>
<br>
JT<br>
<br>
<br>
_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br>
<br>
<br>
This message and any attachments are intended only for the use of the<br>
addressee and may contain information that is privileged and<br>
confidential. If the reader of the message is not the intended recipient<br>
or an authorized representative of the intended recipient, you are<br>
hereby notified that any dissemination of this communication is strictly<br>
prohibited. If you have received this communication in error, please<br>
notify us immediately by e-mail and delete the message and any<br>
attachments from your system.<br>
_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a><br>
<br>
_______________________________________________<br>
VoiceOps mailing list<br>
<a href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><br>
<a href="https://puck.nether.net/mailman/listinfo/voiceops" target="_blank">https://puck.nether.net/mailman/listinfo/voiceops</a></div></div></blockquote><div><br><br>Since connecting to SS7 has an expense hurdle there needs to be a process to get access to the IP equivalent. Maybe a group of ENUM servers behind an authoritative source that you have to establish a VPN to reach. There are commercial companies that offer this type of service already such as Netnumber. However the ENUM servers would have IP routing information instead of PSTN routing information.<br>
<br>~Jared Geiger<br></div></div><br>