Voice over internet calls renew old protocol conflict

Wired on Friday: Veterans of the internet revolution sometimes describe their experiences as being fighters in a civil war: …

Wired on Friday: Veterans of the internet revolution sometimes describe their experiences as being fighters in a civil war: a war between the Netheads and the Bellheads.

The Bellheads were the old guard. Named after the archetypal large, monopolistic telephone company, America's AT&T Bell, these were the people who grew up with the design of the telephone network as the model of a large-sacle communications system.

The Netheads were the Young Turks - who advocated the far more anarchic but flexible and cheap ideas embodied by the internet's design.

Well, that war is pretty much over: the Netheads won. Now even telephone companies use the internet, and net-like systems carry their phone calls. But swift and overwhelming victories can be treacherous.

READ MORE

The lessons learnt by the vanquished side are forgotten and everyone can find themselves in an unfamiliar, post-war world: a "catastrophic success", in the words of President Bush.

Voice over Internet Protocol, or VoIP is the pinnacle of the Bellhead's rout. In the old days, upstart Netheads smuggled their internet packets of data over the established voice phone lines, converted into bleeps and whistles. Nowadays, the opposite is true: more and more voice traffic is being digitised, cut up into bits, and sent across the dedicated internet connections, using the IP: the internet protocol.

To the customer, VoIP looks simple enough. You take an ordinary phone, and plug it into a VoiP box, and plug that into your broadband connection. Pick up the receiver and you'll hear the same familiar dialtone. You get calls at internet flat-rates, and even international calls are net-cheap instead of at a Bellhead premium.

But VoIP is an uneasy mix of Nethead and Bellhead ideas. And the clash of those two worlds, says Mike Lynn of Atlanta-based Internet Security Systems, might prefigure some nasty surprises for the fledgling VoIP industry and its first adopters.

Lynn's job is to find flaws in Net protocols that might lead to security attacks for his clients. He, and others, have found VoIP to be one of the more fertile areas for flaws.

There are two ways to do VoIP. Both are compromises between the Bellheads and the Netheads. And both, says Lynn, have their problems.

The first is something called "H.323". That's a Bellhead standard for VoIP, created by the venerable telephony organisation, the 135-years young International Telecommunication Union (ITU). As befits its origins, H.323 is a monster of careful standardisation-by-committee.

Every possibility, every feature, gathered from decades of institutional knowledge has been included. "H.323", summarises Lynn, "shows how much the ITU loves standards - and hates trees".

The result is a system which multi-million dollar telephone companies might consider implementing, but which is impossible for the myriad small net hardware companies writing code for the VoIP-enabled net to get right.

On the freewheeling net, complexity is a recipe for disaster. The computer engineering laboratory at the University of Oulu, Finland, demonstrates the problem. By carefully crafting a data packet to conform to some ITU rules, but break others, the students managed to crash phones, routers, and computers dealing with VoIP.

Bugs like this aren't a problem when you're dealing in the Bellhead universe. Everybody who runs a telephone exchange has a vested interest in making sure they, and everyone else, doesn't crash. But on the net, where anyone can connnect with anyone else, a malicious attacker on the other side of the net has no such interest.

Even without poor implementations, there are problems with the ITU's standard. Part of the H.323 definition describes a feature called "operator intrusion". This is a system that lets a third-party listen in and interrupt your call. An important feature in telephones: less appealing when anyone on the net can pass themselves off as an operator, and spy on your call from across the world. (Fortunately, few companies implement this part of the standard.)

The Bellhead's ignorance of the problems of the net might get them into trouble, but there are just as many issues with the Nethead's trying to re-invent the telephone.

The competing protocol to H.323 is SIP, created by the net equivalent of the ITU, the Internet Engineering Task Force. SIP has the traditional benefits of the Netheads: it's simple, and in some ways less trusting. But it too doesn't quite capture what users have come to expect from a phone system run by the Bellheads.

Lynn has shown that it's relatively simple to attack an SIP phone - disabling it in such a way that it appears busy to the rest of the world, while the owner thinks it is operating perfectly normally. And when an SIP phone makes a call to the old phone system, other problems crop up. Some SIP phones can fake caller-ID so that the wrong phone number appears to the person you're calling.

That doesn't sound quite as damaging as crashes and surveillance - but imagine what could happen with a malicious hacker, jamming your phone lines, and pretending to be an important client - or your bank.

The Netheads won, and VoIP, their most pointed triumph, is growing more and more popular. But we still have our Bellhead expectations about the phone system. We don't expect our telephones to work like the net. We want them to be reliable, unhackable - the values that the Bellheads held most dear.

The telephone companies still have a lot to learn about simplicity and openness. But the net advocates could spend a bit of time learning from their ancient enemies, too.