Secure caller ID for VoIP

Session Initiation Protocol is used widely for the setup, teardown and management of VoIP calls. Much of its functionality is related to the setup of calls, as its name implies. Part of this setup involves the delivery of the caller's identity so that the called party can decide how to treat the call - what is, essentially, Internet caller ID.

The basic mechanism for caller ID in the core SIP specification (RFC 3261) works much as it does in e-mail. The caller information has a From header field, including the address. That mechanism worked well enough in an Internet that was largely free of malicious users, but it quickly became clear that the technique could be abused, as it has been in e-mail. It is possible to spoof "From" VoIP headers and hide the sender's true identity.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Session Initiation Protocol is used widely for the setup, teardown and management of VoIP calls. Much of its functionality is related to the setup of calls, as its name implies. Part of this setup involves the delivery of the caller's identity so that the called party can decide how to treat the call - what is, essentially, Internet caller ID.

The basic mechanism for caller ID in the core SIP specification (RFC 3261) works much as it does in e-mail. The caller information has a From header field, including the address. That mechanism worked well enough in an Internet that was largely free of malicious users, but it quickly became clear that the technique could be abused, as it has been in e-mail. It is possible to spoof "From" VoIP headers and hide the sender's true identity.

Click to see: How it works: authenticating SIP callers

These problems were remedied by a specification known as P-Asserted-ID (RFC 3325), published in November 2002 by the IETF. With P-Asserted-ID, a single network or a small federation of networks can provide network-verified caller ID services.

P-Asserted-ID was a big step forward, and it has seen widespread use with SIP networks. However, even at the time of publication it was known to be a stopgap solution. The primary problem is that it works only for single provider networks or with small federations of tightly coupled providers enjoying strong mutual trust. To date, this is exactly the kind of VoIP network that has been deployed. Most VoIP networks don't connect with each other over IP and instead rely on the public switched telephone network.