1. Securing IP Fax
A New Standard Approach
James Rafferty
President, Human Communications
SIPNOC 2014 - Securing IP Fax
Copyright - James Rafferty - 2014
2. Overview
• Background
• What does Security mean for Fax?
• What are the Threats?
• IETF proposed solution
• Impact for Customers
• Summary
3. Background
• Facsimile is an immensely popular solution
– Has evolved from an office equipment approach to one which is
widely distributed on networks using computer-based solutions
– Network rapidly migrating to IP and the Cloud
– T.38 IP fax over UDPTL is the widely deployed, standard solution
• Issues:
– UDPTL is specific to fax; missing security tools found for RTP
• T.38 over RTP is also standard, but has minimal implementation
– Previous attempts to adopt security for fax not adopted in the
marketplace
• Annexes found in ITU-T T.30 created in 1996, but not used
– Realization of need for security now much more obvious
• Real time fax now often going over IP networks
• Concern by IT managers and service providers about securing all of their
message traffic, including fax
4. What Does Security Mean for Fax?
• Security solutions typically based on assessment
of threats
• Examples of Threats for Real Time Fax:
– Preserve Confidentiality
• Stop 3rd parties from being able to decode the contents of a
fax if intercepted on the network
– Maintain Integrity
• Prevent 3rd parties from manipulating the contents of fax
messages
– Confirm Identity
• Ensure that the identity of the fax sender can be verified
5. How to Address the Threats?
• Often confusion between solutions and
threats
• Common Perception that encryption solves all
security problems, but it’s more complicated
than that
– There’s no one single “magic bullet” that solves all
security issues
• Encryption useful, but threat model still needs
to be understood to meet security goals
6. Threat: Breach Confidentiality
• Much of the information conveyed by fax is
private
– Individual’s financial and health information
– Business financial or other proprietary data
• A confidentiality solution needs to keep the
fax data confidential while it traverses the
network
[Figure: Eavesdrop or steal content]
7. Threat: Change the Content
• Faxes are used to send images coded using
particular compression methods
• Not easy to do, but pages could be intercepted en route and then changed
• Example:
– Provide disinformation to disrupt competitor
[Figure: Inject new content]
8. Threat: Spoof Identity
• Internet services are under increased attack
by rogue users who create SPAM, send fake
messages and impersonate identities
• We’ve all received emails that say they’re
from somebody we know, but are really SPAM
• How? The intruders are spoofing identities.
[Figure: Spoof identity]
9. Proposed Standard from IETF
• 3GPP and IP Fax Community wanted to add security for T.38 IP Fax
– Work originated due to demand from service providers for secure fax
solutions
• MMUSIC working group of IETF has been working on related draft
since Summer, 2013
– draft-ietf-mmusic-udptl-dtls-07.txt
• Co-authors Christer Holmberg, Ivo Sedlacek and Gonzalo Salgueiro
• Wide variety of comments from both fax and Internet communities
• Also vetted by the Fax over IP working group of the SIP Forum
• Approval Status
– Has passed working group last call; now being reviewed for approval (IESG)
– Potential for publication as standards track document later this year
– 3GPP will also reference in their upcoming specifications (Release 12)
10. Why DTLS?
• Draft uses existing security standard DTLS
• RFC 6347 – Datagram Transport Layer Security
Version 1.2
• DTLS builds on well-known practices in the
Transport Layer Security protocol (TLS)
– TLS suitable for session protocols running over TCP
– DTLS extends TLS concepts, but is adapted for use
with datagram protocols (such as UDP)
• DTLS can be used to secure media centric protocols such as
RTP and UDPTL
11. Protocol Stack Layers
Layers, top to bottom:
• T.38 IP Fax Protocol
• UDPTL
• DTLS
• UDP
• IP
Callout: Adds Transport Security Layer to T.38 over UDPTL
12. Does New Spec Address the Threats?
Let’s take a closer look
13. Protect Confidentiality
• T.38 over UDPTL provides no protection vs. 3rd
parties that want to eavesdrop on a fax
• DTLS provides strong encryption; messages
can’t be decoded without access to keys used
in the selected Cipher
[Figure: Eavesdrop or steal content, marked with an X]
14. Protect Integrity
• In T.38 over UDPTL, it is possible to modify the
image content
• Addition of DTLS layer provides data integrity
– DTLS computes Message Authentication Codes (MACs)
using hashing algorithms to protect against changes to
message content
– If message content changes, hash totals will be invalid
[Figure: Inject new content, marked with an X]
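An added example (not from the original slides) of the integrity check described on this slide: it computes the MAC over the fields DTLS 1.2 (RFC 6347) covers for a record, wrapped around a simplified UDPTL datagram, and shows the receiver rejecting a modified record. Encryption and the handshake are left out; the key, payload, UDPTL layout and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

DTLS_1_2 = b"\xfe\xfd"   # DTLS 1.2 version bytes on the wire (RFC 6347)
APPLICATION_DATA = 23    # record content type
MAC_LEN = 32             # HMAC-SHA256 output size

def udptl_packet(seq: int, ifp: bytes) -> bytes:
    """Simplified UDPTL datagram: 16-bit sequence number plus one
    length-prefixed IFP packet (error-recovery section omitted)."""
    return struct.pack("!HB", seq, len(ifp)) + ifp

def record_mac(key: bytes, epoch: int, seq: int, fragment: bytes) -> bytes:
    """MAC over epoch||sequence, type, version, length and fragment."""
    seq_num = struct.pack("!H", epoch) + seq.to_bytes(6, "big")
    covered = (seq_num + bytes([APPLICATION_DATA]) + DTLS_1_2
               + struct.pack("!H", len(fragment)) + fragment)
    return hmac.new(key, covered, hashlib.sha256).digest()

def protect(key: bytes, epoch: int, seq: int, fragment: bytes) -> bytes:
    """Record header + fragment + MAC (the encryption step is left out)."""
    body = fragment + record_mac(key, epoch, seq, fragment)
    header = (bytes([APPLICATION_DATA]) + DTLS_1_2 + struct.pack("!H", epoch)
              + seq.to_bytes(6, "big") + struct.pack("!H", len(body)))
    return header + body

def verify(key: bytes, record: bytes):
    """Return the UDPTL datagram, or None if the record fails the MAC check."""
    if len(record) < 13 + MAC_LEN:
        return None
    epoch = int.from_bytes(record[3:5], "big")
    seq = int.from_bytes(record[5:11], "big")
    body = record[13:]
    if (record[0] != APPLICATION_DATA or record[1:3] != DTLS_1_2
            or int.from_bytes(record[11:13], "big") != len(body)):
        return None
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = record_mac(key, epoch, seq, fragment)
    return fragment if hmac.compare_digest(mac, expected) else None

if __name__ == "__main__":
    key = bytes(range(32))                          # constructed MAC key
    fax = udptl_packet(7, b"constructed T.38 image data")
    rec = protect(key, epoch=1, seq=7, fragment=fax)
    changed = bytearray(rec)
    changed[20] ^= 0x01                             # flip one payload bit
    print(verify(key, rec) == fax, verify(key, bytes(changed)))
```

Because the record's epoch and sequence number are part of the MAC input, altering either header field fails verification just as altering the image data does.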
15. Prevent Identity Spoofing
• In T.38 over UDPTL, there is no protection vs.
spoofed identities
• New draft spec recommends using PKIX
Certificates to authenticate the two sides (per
RFC 5280)
– checks name on certificate vs. domain name
[Figure: Spoof identity, marked with an X]
16. Impact for Customers
• Addition of Security for T.38 IP fax should be
valuable to customers both in the enterprise and
service provider markets
• But:
– Often slow rampup from standardization to
deployment
• Can be jumpstarted through support by industry groups
• Vendors can gain an edge by deploying the standard solution
early
• Later, vendors will need to have interworking
implementations of the standard
17. Accelerating the Rampup
• 3GPP targets adding to IP Multimedia Subsystem / LTE
standards as of Release 12
– This endorsement will help drive additional deployment on
IMS / VoLTE networks, notably for service providers
– Fax and SIP Trunking service providers are also likely
adopters
• Adoption Acceleration Opportunities via Forums
– SIP Forum supports early adoption of standards via:
• SIPit – Interop activities for SIP protocol in general
• SIPconnect – interop and compliance activities for SIP Trunking
• Fax over IP Working Group – members can monitor status of early
implementations
– Other forums such as I3 may also be interested
18. Enterprise to the Cloud and Beyond
• New standard will be an excellent fit for Cloud
implementations, managed within the
Enterprise or via managed service providers
• Will also have value for enterprise networks
which interconnect premises, or hybrid
networks between premise and the Cloud
• Should also fit SIP Trunking use cases for IP Fax
• Could result in future extensions to agreements such as SIPconnect
19. Summary
• IETF is close to standardizing a new security standard
for IP Fax
• Should address the most likely threats that would
compromise fax use over IP networks
• Likely first implementers will be back-to-back deployments by a single vendor
• Endorsement by 3GPP will help drive mid to longer
term deployments on IMS / LTE networks
• New standard should also be good fit for Enterprise
uses such as SIP Trunking and the Cloud
• Participation in Forums can help accelerate the
adoption rampup once the standard is approved
20. About James Rafferty
• Versatile Product Management and
Marketing Leader
• Blog:
http://blog2.humancomm.com
• Twitter: @jrafferty11
• Email: jayAthumancommDotcom
• LinkedIn: https://www.linkedin.com/pub/james-rafferty/0/917/474