
Re: [Ecrit] FW: [Geopriv] Winterbottom-ecrit-direct considered



inline


On 11/3/09 10:18 AM, "Marc Linsner" <mlinsner at cisco.com> wrote:

> 
> 
> On 11/2/09 11:56 AM, "Brian Rosen" <br at brianrosen.net> wrote:
> 
>> Nope, just dealing with reality.
>> 
>> Reality is that calls come from service providers. They like it that way.
> 
> I'll ask again, how does a call coming from a particular service provider
> relate to the nature/veracity of the emergency?
The quality of the information, and the ability to get additional
assistance, if needed, depends on the SP, if there is any.  Most SPs have
dedicated emergency call teams that will quickly assist a PSAP if there is a
problem.  They have information which may be valuable to the PSAP.  PSAPs
appreciate this.  They depend on it.  They really work over SPs who don't do
that.


> 
>> 
>> If that changes, then strategies should change, but emergency calling ought
>> not to be the driver for any such change.
> 
> I have doubts that PS could alter the VoIP marketplace.
I assume "PS" is "SP".  SPs ARE the VoIP marketplace.  There is no VoIP
marketplace without SPs presently.  There is no reason to think that will
change.

> 
>> 
>> What "real value of the information included with the call" am I ignoring?
>> I said we'll deal with addresses (albeit, with SBCs and all manner of NATs,
>> that is getting pretty hard to do) first.  What else should we look for?
> 
> 
> 1) Location: Have I had other calls within x meters of this location in the
> last 5 minutes? 20 minutes? 1 hour? 24 hours?
The primary problem is abuse.  What should I do if I had a legitimate call
from the same location, but a different address/SP/...?  What should I do if
I had an abusive call from the same location?  Our statistics on that are
probably poor, but my personal opinion is that location is not a good
indicator of abuse.  I suppose it depends on how reliable location will be
with abusive calls.  If it turns out to be very reliable, that might be
helpful.  I suspect the abuser will manage to make location unreliable.  I
guess we will see.  We certainly have the ability to use location as an
input to the routing decisions, so no problem if it actually works.

Of course, in the current systems, you don't get location with a "simless"
call.  I agree that we shouldn't assume that will be the case going forward.

I would not use this for a DDoS attack.  That would kill a call from a
non-compromised device in a residence/office with one that was compromised.

> 
> 2) Caller Identity (From; Contact): Have I had other calls with the same
> identity in the last 5 minutes? 20 minutes? 1 hour? 24 hours?
Yes, this is like address. We'll clearly start with that.  If it works,
that's our primary defense.   Often effective on abuse, usually not
effective enough on a DDoS: you shut off the sources you know are bad, but
too many new ones pop up to make that effective enough.  It's also usually
spoofed. 

> 
> 3) Network Address: Have I received other calls from this IP address in the
> last 5 minutes? 20 minutes? 1 hour? 24 hours?
As above.

The "filter based on source SP" is a secondary line of defense.  An attack
signature is an even better line of primary attack, if there is one.  Normal
abuse would not have a signature.  A DDoS attack often does.
> 
> -Marc-
> 
> 
>
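
The three look-back questions in the message above (other calls within x meters, with the same identity, or from the same IP address in the last 5 minutes, 20 minutes, 1 hour, 24 hours), computed over a call history. This is an added example, not part of the original thread; the record fields, the 50 m radius and the sample calls are constructed assumptions.

```python
import math
from collections import namedtuple

# Constructed call record; the field names are assumptions for this sketch.
Call = namedtuple("Call", "ts identity src_ip lat lon")

WINDOWS = {"5m": 300, "20m": 1200, "1h": 3600, "24h": 86400}  # seconds

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (haversine)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def prior_call_counts(history, call, radius_m=50.0):
    """Count earlier calls matching `call` on each of the three keys,
    per look-back window. Returns {key: {window: count}}."""
    counts = {k: dict.fromkeys(WINDOWS, 0) for k in ("location", "identity", "src_ip")}
    for old in history:
        age = call.ts - old.ts
        if age < 0:
            continue  # ignore records newer than the call being scored
        hits = {
            "location": distance_m(old.lat, old.lon, call.lat, call.lon) <= radius_m,
            "identity": old.identity == call.identity,
            "src_ip": old.src_ip == call.src_ip,
        }
        for name, span in WINDOWS.items():
            if age <= span:
                for key, hit in hits.items():
                    counts[key][name] += hit  # bool adds as 0 or 1
    return counts

# Constructed sample history (timestamps in seconds, documentation IP ranges).
HISTORY = [
    Call(0,     "sip:a@example.net", "192.0.2.10",   40.44060, -79.99590),
    Call(82000, "sip:b@example.net", "192.0.2.10",   40.44062, -79.99592),
    Call(85500, "sip:a@example.net", "198.51.100.7", 40.50000, -79.90000),
    Call(86250, "sip:c@example.net", "203.0.113.5",  40.44061, -79.99591),
]
NEW_CALL = Call(86400, "sip:a@example.net", "192.0.2.10", 40.44060, -79.99590)
```

The counts are inputs to a routing or filtering decision rather than a verdict; how much weight each key deserves is the question the thread is debating.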