Secure IP Fax – Now Standard

Last fall, I blogged about a pending standard for securing facsimile communications over IP networks here and I spoke about this progress at the SIPNOC conference. Since that time, the standard, known as RFC 7345 has been approved by the Internet Engineering Task Force. The availability of a standard is very good news. There’s a common perception that fax isn’t used anymore, but there are a number of business to business (B2B) and consumer applications where fax still is common, including real estate, insurance, health care and legal applications. There are also a number of companies which provide fax by selling equipment, fax enabling technology, software or a hosted service.

So why should people or companies care about securing IP fax? Increasingly, most of our real time communications, whether by voice, fax, text or video, are transported over IP networks. Very often, they will travel over the Internet for a portion of their journey. The Internet is ubiquitous, but fundamentally unsecure unless the application or the transport layers provide security. Security can mean many different things, but is often referring to solutions for needs which include privacy, authentication and data integrity. The new RFC 7345 is designed to support these types of requirements by applying a standard known as Datagram Transport Layer Security (DTLS). One of the key reasons that the Fax over IP RFC uses DTLS is because the T.38 IP fax protocol most typically formats its signals and data using the User Datagram Protocol Transport Layer (UDPTL), unlike most real time media, which use the Real Time Transport protocol (RTP).  DTLS was designed to provide security services with datagram protocols, so it’s a good fit for T.38 IP fax.  The current version of DTLS is 1.2, which is defined in RFC 6347.

Getting a standard approved is really only the beginning. In order to get traction in the marketplace, there needs to be implementations. For example, T.38 was originally approved in 1998 by the International Telecommunications Union, but implementations did not become common until many years later, starting around 2005. In the time since, T.38 has become the most common way to send fax over IP networks and its been adopted by most of the fax eco-system.  On the plus side, a key advocate for the new standard is the Third Generation Partnership Program (3GPP), which is the standards group that drives standardization of services which will run over mobile networks, such as the emerging Long Term Evolution (LTE) network.  The SIP Forum is also continuing work on its SIP Connect interworking agreements and there is potential for including the new standard in a future version of SIPconnect.

I’ll continue to track what’s happening with respect to implementation of the standard.   As I noted in some of my previous posts, the current work on standardizing WebRTC is helping implementors to gain experience in important new standards for security, codecs and Network Address Translation (NAT) traversal. This WebRTC “toolkit” is also available in open source form.  The inclusion of DTLS in RFC 7345 joins the pending RTCWeb standards in providing new applications and use cases for these emerging standards. This will be good news for the user community, as features which were previously available only in proprietary get implemented in variety of products and services.  If you know of any plans in motion or want to learn more, please feel free to comment or get in touch with me.  You can also learn more by checking out my presentation on Securing IP Fax.

Advertisements

Securing Fax over IP for Business Communications

The recent controversy regarding NSA tracking of phone conversations has elevated concerns about security and privacy for business communications. Enterprises generally want to keep their communications private. Use of techniques such as private networks, firewalls and secured tunnels can help to protect internal communication from eavesdroppers, but there are also many exchanges which entail communication with third parties over public networks.

Facsimile is best known as a method of communicating images of printed pages over the Public Switched Telephone Network (PSTN) and many fax companies touted the PSTN as being much more secure than the public Internet, hence reducing the need for formal security approaches. But the circuit-switched network is rapidly being replaced by hybrid and all-IP networks, and a portion of business fax traffic is now sent over the Internet.

During the Nineties, the fax standards experts in the International Telecommunications Union (ITU-T) added annexes to the Group 3 fax T.30 protocol to protect against a variety of security threats. However, there was lack of consensus on how to proceed, so two different approaches were standardized. As attention turned to standardizing fax over higher speed V.34 links and over IP networks, the initial efforts to implement fax security using the new standard approaches fizzled out and never got traction in the marketplace.

Fast forward to 2013. Security and privacy now have a much higher profile. The NSA exposé and other security glitches like the Wikileaks exposures of government and corporate documents have increased awareness of the down side of unsecured documents and communication. In the meantime, as the phone network is being replaced by IP technology, most new sales of fax to the enterprise are for Fax over IP and the T.38 standard from the ITU is frequently used. Most applications of T.38 use a transport protocol called UDPTL (User Datagram Protocol Transport Layer) which is currently an unsecured protocol.

The conventional wisdom might have a “who cares?” attitude, since there’s a common perception that nobody uses fax anymore. However, fax still is used a great deal for a wide variety of business applications which include healthcare, financial and legal organizations, plus fax is integrated into a variety of business processes. Fax is also used for transmission of many normally confidential documents such as insurance claims, real estate transactions and legal notices, plus there are regulations such a HIPAA in the health care domain which require protection of documents from third parties.

For all of these reasons, the need for better security solutions for IP-based facsimile is becoming clear. In another realm of standardization, WebRTC is attracting a lot of attention as a next generation method for performing a wide variety of real time communications such as video and voice over web protocols. The original applications of the Session Initiation Protocol (SIP) were often implemented with little attention paid to security, so the WebRTC standards activities have examined the best approaches for addressing matters such as security and are recommending use of a relatively new security protocol known as Datagram Transport Layer Security (DTLS) to secure real time communications of media within WebRTC.

One advantage of DTLS is that it is relatively protocol agnostic and can be applied as a security layer for various different protocols. So this is a good time to consider how protocols planned for use in WebRTC might also have other applications. The Third Generation Partnership Program (3GPP) has recognized that IP fax is still an important application and wants to have a standard approach to secure faxes which are being transported over IP networks. As a result, there is now an Internet Draft being circulated for comments within the MMUSIC (Multiparty Multimedia Session Control) working group of the Internet Engineering Task Force (IETF) which proposes that DTLS be established as a transport layer that can be used to secure sessions of T.38 IP fax when running over the SIP protocol.

I’m personally enthusiastic about this direction and have made comments on the current draft. I find it ironic that the IETF is looking at adding security layer support to an ITU protocol, but in the world of standards, it’s useful for the work to be done by the experts who have the right domain expertise. In this case, the IETF created DTLS and there is interest in the combination of UDPTL and T.38 from the Fax over IP task group of the SIP Forum, so there is probably enough participation by the Internet and fax communities to produce a useful standard. At this writing, MMUSIC is considering adoption of this draft as an official working group item.

Stay tuned on this one. WebRTC is training a generation of engineers to use a new toolkit of various protocols, so the potential adoption of DTLS by the IP fax community may be a harbinger of a trend to re-purpose various components of the WebRTC initiative in innovative and surprising ways.

WebRTC – New Communications Paradigm?

About two years ago, Google brought a new communications initiative called WebRTC to the two best known Internet standards organizations.  WebRTC is short for Web Real Time Communications and the intent is to enable complex real time communications of voice, video and data using web clients, web servers and related applications.  Google has been advancing the work both through contributions to open source libraries and by contributions to standards organizations.  As you may know, once work is accepted by standards organizations, lots of people can get involved, so this work is no longer strictly a Google initiative and has gained support and participation from many companies both large and small. 

The breakdown of work between the standards organizations has played to the strengths of two of them.  The Internet Engineering Task Force (IETF) is contributing Internet protocols to the work and the Worldwide Web Consortium (W3C) is preparing an application program interface (API) based on JavaScript.    

By the second half of last year, the drumbeats promoting WebRTC sounded loudly and in recent weeks, there was an industry conference dedicated strictly to WebRTC, with more to come later this year.   I spoke at the SIPNOC conference on a WebRTC panel a couple of months back and there was lots of interest from telecom industry participants who have been busy in recent years building out real time communications using the Session Initiation Protocol (SIP).  Some articles have even touted WebRTC as the “savior” for the telecom industry, whereas other pundits have said that WebRTC is very high on the hype scale.   

One of the goals of this blog will be to cut through marketing spin and look at what is really happening in the world of communications.  In my view, WebRTC has no shortage of hype, but there is also real technical substance in the initiative and many companies are making serious investments in WebRTC, even though many of the technical elements are nascent and the standards are not yet baked.  One key thing to keep in mind is that WebRTC is the latest attempt to bring real time multimedia communications into the web infrastructure and make it relatively easy for web developers to add real time communications to their applications, without having the master the intricacies of SIP.  The telecom industry has made several attempts to integrate with web developers in the past five years, but the WebRTC initiative seems more promising, since it is centered on web protocols, not on telecom protocols, and much of the “plumbing” will be buried beneath the same kind of JavaScript APIs that web developers have been utilizing for many years.  

If you want a deep dive into WebRTC on the technical side, I can recommend the book “WebRTC:  “APIs and RTCWEB Protocols of the HTML5 Real-Time Web,” written by Alan Johnston and Dan Burnett.  They have just released a second edition, which I have not read yet, but the first edition offered a good technical overview and a nice distillation of the many standards that are being extended or developed as part of the overall initiative.  (Disclosure: I know Alan well from his work in the IETF and we are co-authors on a current Internet Draft.)  Since this is open standards work, you can also dive even deeper and sign up for the various IETF and W3C standards lists if you want to fill up your mailbox with emails.

Circling back to the title of this post, will WebRTC truly be a new communications paradigm?   In my view, it’s too early to tell, but stay tuned and hold on tight.  This promises to be quite a ride. 

   

Communications Advisor: Starting Up

I’ve decided to begin a new blog to talk about trends in communications technology.  During the nineties, my company Human Communications offered innovative advice, consulting services, a newsletter and training to a broad roster of clients around the world.  I also wrote, edited and managed communication standards in several standards groups including the Internet Engineering Task Force, the International Telecommunications Union and participated in a variety of other industry consortia exploring related matters.  I’m still active in the IETF in areas such as SIP and WebRTC, and my background in fax technology still comes into play sometimes when I attend industry conferences such as the recent SIPNOC. 

As I transition out of my current role as a director of product management for Dialogic, I’m exploring a wide variety of possibilities for what’s next, but I retain my interest in the future of communications technology. 

I’ve also recently gotten excited about the innovations in social media as it applies to marketing.  Back when I attended graduate school at Rensselaer, the management engineering curriculum had a very analytical slant.  I loved digging into statistics and putting together computer simulations using queuing theory, but my first corporate job was mostly about applying computers for business applications and all of the fancy math stuff I’d been learning in school didn’t really come into play.  

Fast forward to the world of marketing today and the analytical approaches I learned back in school are an important part of the trend known as inbound marketing.  

I’m not sure what the future will bring, but I’m confident that communication technologies will continue to evolve and new applications will surprise us all.  In a similar manner, social media is rapidly infusing the business world and opening up new ways to communicate with customers.  My goal will be to talk about these trends and cite the work of others who are leading the charge.  

I will also continue to write posts to my other blog — Writer’s Notebook — but my focus there will be on my throughts and experiences about writing, travel and the use of personal technology.   

The opinions expressed here will be my own, unless I’m citing the work of others.   

That’s all for now. I look forward to hearing your feedback and comments as the blog evolves.