[e2e] Fighting SPIT on a cell phone

Fri Jan 11 08:44:41 PST 2008

On Fri, 2008-01-11 at 16:05 +0000, bmanning at vacation.karoshi.com wrote:
> On Fri, Jan 11, 2008 at 04:57:23PM +0100, Pars Mutaf wrote:
> > Hi,
> > 
> > On Fri, 2008-01-11 at 15:25 +0000, bmanning at vacation.karoshi.com wrote:
> > > you are making an assumption about the persistance
> > > of the binding between an IP address and a given interface.
> > 
> > The IP address can be a mobile IP address for example. But 
> > other solutions are certainly possible.
> 
> 	3ff3:0:478::42  - is this mobile or fixed? what is the
> 		lease time?   the point i was trying to make 
> 		was that an IP address is WHERE you are in a
> 		topology, not WHO you are.

The IP address will be attached to a vCARD found somewhere.

> > > you seem to be making an assumption about the ability to 
> > > algorithmically determine unwanted content ... 
> > 
> > In my vision, if Mr. X who was given the SIP URI 'x' starts 
> > to SPIT on my phone, I (the user) can cancel the SIP URI 'x'. 
> > Mr. Y can still call me because he was returned another SIP 
> > URI.
> 
> 	let me try and be more clear.  who or what makes
> 	the determination that Mr.X is "spit"ing on your 
> 	telephone?  

Me. When I receive SPAM I can tell that it is SPAM (in general). 

> > This idea of "disposable cell phone number" is already in 
> > use today. 
> > We are proposing a protocol for distributing disposable 
> > SIP URIs from the cell phone, on an on-demand basis.
> 	
> 	ah ... you are proposing to augment SIP call 
> 	establishment w/ a challange/response ...
> 

This is independent from SIP IMO. We can distribute other 
types of identifiers as well. 

pars

> > > which is 
> > > a much harder problem and not (IMHO)  something usually 
> > > done at the transport layer.
> > 
> > Why transport layer?
> 
> 	the e2e list was focused on IP end 2 end, not application
> 	layer end 2 end.  SIP is (by definition) an application
> 	that runs on top of IP.
> 
> > 
> > Thanks!
> > pars
> > 
> > 
> > 
> > > --bill
> > > 
> > > 
> > > On Fri, Jan 11, 2008 at 02:24:39PM +0100, Pars Mutaf wrote:
> > > > Hello,
> > > > 
> > > > I want to leave my cell phone number (SIP URI) on a discussion
> > > > forum, or web page, blog, craigslist, phonebook, facebook etc. 
> > > > But wish to avoid SPIT (SPam over Internet Telephony). A solution 
> > > > is presented below (with variations called weak, strong).
> > > > 
> > > > Looked like acceptable end2end-interest topic (sorry if not).
> > > > Comments are appreciated.
> > > > 
> > > > Regards,
> > > > Pars Mutaf
> > > > 
> > > > 
> > > > 1. Weak solution
> > > > 
> > > > I leave the IP address of my cell phone but not a SIP URI. Interested
> > > > party sends a request to my phone. My phone generates a random SIP URI
> > > > and returns a different SIP URI to each querier.
> > > > 
> > > > If I receive SPIT to the SIP URI 'x', then I can cancel it. Since 
> > > > each requestor is returned a different SIP URI, legitimate parties can 
> > > > continue to call me or send SMS.
> > > > 
> > > > Since the SIP URI 'x' was canceled, a SPITer can request another one
> > > > and still send me SPIT. To avoid this attack, the querier can be
> > > > requested to solve a hard challenge e.g. a CAPTCHA. A SIP URI will be
> > > > returned only after the querier user provided the solution. The
> > > > difficulty of the CAPTCHA can be adaptively tuned by the target host.
> > > > 
> > > > When done, i.e. the desired phone call is received, the target user
> > > > can stop receiving requests to the indicated IP address.
> > > > 
> > > > 
> > > > 2. Strong solution
> > > > 
> > > > I leave the IP address of my phone but not a SIP URI. I want to
> > > > receive phone calls or SMS only from people that I know. Interested
> > > > party sends a request to my phone. My phone displays a message with 
> > > > the requestor's name e.g.:
> > > > 
> > > >   "Alice Collins requested phone number. Accept? [YES/NO]"
> > > > 
> > > > If I accept, my phone generates a random SIP URI and returns it to the
> > > > querier.
> > > > 
> > > > This solution requires human name certification.
> > > > 
> > > > An attacker can send continuous bogus requests to the target IP
> > > > address and make the target phone continuously display the above
> > > > message, annoying the target user. This attack can be defeated by
> > > > requesting the querier user to solve a hard CAPTCHA before his request
> > > > can be displayed at the target host's screen. The difficulty of the
> > > > CAPTCHA can be adaptively tuned by the target host.
> > > > 
> > > > ==
> > > > Comments are appreciated either here or please subscribe to:
> > > > https://www1.ietf.org/mailman/listinfo/humanresolvers
> > > > 
> > > > If you find the problem interesting but have another solution
> > > > you are also welcome of course.