ITU Workshop on “Caller ID Spoofing”
(Geneva, Switzerland, 2 June 2014)
Caller Identification in H.323 Systems
Paul E. Jones
ITU-T Q2/16 Rapporteur
paulej@packetizer.com
Geneva, Switzerland, 2 June 2014
What is H.323?
H.323 is a widely used standard for
videoconferencing over IP networks
H.323 is also widely used for voice
communications, including IP PBX
systems and international voice
transit
In addition, H.323 is used for “overthe-top” video conferencing
Geneva, Switzerland, 2 June 2014
2
Product Form Factors
H.323 is used in
Desktop voice and videophone devices
Desktop video terminals
Room systems, including modern
telepresence systems
Soft phones on nearly every platform,
including Windows, Mac, Android, and
iOS
Geneva, Switzerland, 2 June 2014
3
Caller ID Information
H.323 can identify callers using a
variety of identifier types, including
URIs, including h323:, tel:, and mailto:
numbers, including both public (E.164)
and private
local identifiers, such as a locallydefined identifier
IP addresses
Geneva, Switzerland, 2 June 2014
4
How are Identifiers Assigned?
H.323 identifiers may be
Provisioned in end-user devices, either
by the user or an administrator
Assigned by a “Gatekeeper”
Let’s discuss a few common
deployment models…
Geneva, Switzerland, 2 June 2014
5
Direct Call Model (No Gatekeeper)
A popular deployment model is the
direct call model where two users call
each other without a Gatekeeper,
often using IP addresses
EP
Geneva, Switzerland, 2 June 2014
Media and Call Signaling
EP
6
Direct Call Model (Gatekeeper
Assisted)
In this model, a Gatekeeper helps
resolve addresses (i.e., translating
user-friendly identifiers into IP
addresses), but does not route
signaling
GK
Address resolution
EP
Geneva, Switzerland, 2 June 2014
Media and Call Signaling
EP
7
Gatekeeper Routed
In the third model, a Gatekeeper
routes the call signaling (and may
optionally route media, but we’ll
ignore that for this presentation)
Call Signaling
GK
EP
EP
Media Flows
Geneva, Switzerland, 2 June 2014
8
Spoofing Caller ID
When no Gatekeeper is used to route
signaling, a user could put in just
about anything
Where a Gatekeeper is used to route
signaling, the Gatekeeper can
enforce (override) any signaling
information received from an enduser device
Geneva, Switzerland, 2 June 2014
9
Can We Trust a Gatekeeper?
Gatekeepers controlled and operated
by service providers are generally
trusted
Service providers must know and trust
the peers at the network edge, as this is
effectively a transitive trust model
Gatekeepers might be set up by end
users, hackers, thieves, etc. and
cannot be trusted in the public
Internet
Geneva, Switzerland, 2 June 2014
10
Digital Signatures
H.235.2 (“H.323 security: Signature
security profile”) defines procedures for
using certificates to sign messages to
allow for either hop-by-hop or end-to-end
authentication of messages
It is possible to allow end-user devices to
sign messages so that identifiers can be
validated
It is also possible for the user’s
Gatekeeper to enforce caller ID
information and to sign messages
Geneva, Switzerland, 2 June 2014
11
Issues with Digital Signatures
Certificates can be assigned to an
H.323 URI easily (using identifiers
like paulej@packetizer.com), but
how are certificates assigned to a
phone number?
It’s unclear if anyone is using
certificates for signing messages
Is it a non-issue due to transitive trust?
Too much effort?
Geneva, Switzerland, 2 June 2014
12