Secure IP Fax – Now Standard

Last fall, I blogged about a pending standard for securing facsimile communications over IP networks here and I spoke about this progress at the SIPNOC conference. Since that time, the standard, known as RFC 7345 has been approved by the Internet Engineering Task Force. The availability of a standard is very good news. There’s a common perception that fax isn’t used anymore, but there are a number of business to business (B2B) and consumer applications where fax still is common, including real estate, insurance, health care and legal applications. There are also a number of companies which provide fax by selling equipment, fax enabling technology, software or a hosted service.

So why should people or companies care about securing IP fax? Increasingly, most of our real time communications, whether by voice, fax, text or video, are transported over IP networks. Very often, they will travel over the Internet for a portion of their journey. The Internet is ubiquitous, but fundamentally unsecure unless the application or the transport layers provide security. Security can mean many different things, but is often referring to solutions for needs which include privacy, authentication and data integrity. The new RFC 7345 is designed to support these types of requirements by applying a standard known as Datagram Transport Layer Security (DTLS). One of the key reasons that the Fax over IP RFC uses DTLS is because the T.38 IP fax protocol most typically formats its signals and data using the User Datagram Protocol Transport Layer (UDPTL), unlike most real time media, which use the Real Time Transport protocol (RTP).  DTLS was designed to provide security services with datagram protocols, so it’s a good fit for T.38 IP fax.  The current version of DTLS is 1.2, which is defined in RFC 6347.

Getting a standard approved is really only the beginning. In order to get traction in the marketplace, there needs to be implementations. For example, T.38 was originally approved in 1998 by the International Telecommunications Union, but implementations did not become common until many years later, starting around 2005. In the time since, T.38 has become the most common way to send fax over IP networks and its been adopted by most of the fax eco-system.  On the plus side, a key advocate for the new standard is the Third Generation Partnership Program (3GPP), which is the standards group that drives standardization of services which will run over mobile networks, such as the emerging Long Term Evolution (LTE) network.  The SIP Forum is also continuing work on its SIP Connect interworking agreements and there is potential for including the new standard in a future version of SIPconnect.

I’ll continue to track what’s happening with respect to implementation of the standard.   As I noted in some of my previous posts, the current work on standardizing WebRTC is helping implementors to gain experience in important new standards for security, codecs and Network Address Translation (NAT) traversal. This WebRTC “toolkit” is also available in open source form.  The inclusion of DTLS in RFC 7345 joins the pending RTCWeb standards in providing new applications and use cases for these emerging standards. This will be good news for the user community, as features which were previously available only in proprietary get implemented in variety of products and services.  If you know of any plans in motion or want to learn more, please feel free to comment or get in touch with me.  You can also learn more by checking out my presentation on Securing IP Fax.

Advertisements

On the Road Again – SIPNOC 2014

I’ll be speaking next week at the SIPNOC conference in Herndon, Virginia.  SIPNOC is sponsored by the SIP Forum and covers a wide variety of topics related to SIP — the Session Initiation Protocol — with a particular focus on the needs of service providers.   It runs from June 9 – 12.

WebRTC continues to be a hot topic in the telecom industry and I’ll be on a panel with several other participants to discuss the relationship between SIP and WebRTC.   SIP has been the primary protocol for Voice over IP and is widely deployed.  WebRTC is much newer, but offers an interesting mix of audio, video and data capabilities and it can be accessed via popular browsers from Google and Mozilla.  WebRTC also has a rapidly growing eco-system.  Are SIP and WebRTC complementary standards which work well together or going in totally different directions?  Come to the panel and find out!

I am also delivering a presentation on a very exciting development in IP fax communications over SIP.  The presentation is entitled: Securing IP Fax – A New Standard Approach.  It’s been a long time coming, but there will soon be a new security standard for implementors of IP Fax over SIP networks.  In particular, the Internet Engineering Task Force is working on using an existing security standard known as DTLS and adding this as a security layer for T.38 fax.    I’ll be talking about the pending standard, why it’s needed and what kind of benefits can be expected for the many users of T.38 IP fax once the new standard is deployed.

I’ve attended SIPNOC as a speaker since its beginning four years ago.  It’s an excellent conference and offers an in-depth perspective on the latest news in SIP as delivered by an all star cast of speakers.  I hope you’ll be able to join us.

Securing Fax over IP for Business Communications

The recent controversy regarding NSA tracking of phone conversations has elevated concerns about security and privacy for business communications. Enterprises generally want to keep their communications private. Use of techniques such as private networks, firewalls and secured tunnels can help to protect internal communication from eavesdroppers, but there are also many exchanges which entail communication with third parties over public networks.

Facsimile is best known as a method of communicating images of printed pages over the Public Switched Telephone Network (PSTN) and many fax companies touted the PSTN as being much more secure than the public Internet, hence reducing the need for formal security approaches. But the circuit-switched network is rapidly being replaced by hybrid and all-IP networks, and a portion of business fax traffic is now sent over the Internet.

During the Nineties, the fax standards experts in the International Telecommunications Union (ITU-T) added annexes to the Group 3 fax T.30 protocol to protect against a variety of security threats. However, there was lack of consensus on how to proceed, so two different approaches were standardized. As attention turned to standardizing fax over higher speed V.34 links and over IP networks, the initial efforts to implement fax security using the new standard approaches fizzled out and never got traction in the marketplace.

Fast forward to 2013. Security and privacy now have a much higher profile. The NSA exposé and other security glitches like the Wikileaks exposures of government and corporate documents have increased awareness of the down side of unsecured documents and communication. In the meantime, as the phone network is being replaced by IP technology, most new sales of fax to the enterprise are for Fax over IP and the T.38 standard from the ITU is frequently used. Most applications of T.38 use a transport protocol called UDPTL (User Datagram Protocol Transport Layer) which is currently an unsecured protocol.

The conventional wisdom might have a “who cares?” attitude, since there’s a common perception that nobody uses fax anymore. However, fax still is used a great deal for a wide variety of business applications which include healthcare, financial and legal organizations, plus fax is integrated into a variety of business processes. Fax is also used for transmission of many normally confidential documents such as insurance claims, real estate transactions and legal notices, plus there are regulations such a HIPAA in the health care domain which require protection of documents from third parties.

For all of these reasons, the need for better security solutions for IP-based facsimile is becoming clear. In another realm of standardization, WebRTC is attracting a lot of attention as a next generation method for performing a wide variety of real time communications such as video and voice over web protocols. The original applications of the Session Initiation Protocol (SIP) were often implemented with little attention paid to security, so the WebRTC standards activities have examined the best approaches for addressing matters such as security and are recommending use of a relatively new security protocol known as Datagram Transport Layer Security (DTLS) to secure real time communications of media within WebRTC.

One advantage of DTLS is that it is relatively protocol agnostic and can be applied as a security layer for various different protocols. So this is a good time to consider how protocols planned for use in WebRTC might also have other applications. The Third Generation Partnership Program (3GPP) has recognized that IP fax is still an important application and wants to have a standard approach to secure faxes which are being transported over IP networks. As a result, there is now an Internet Draft being circulated for comments within the MMUSIC (Multiparty Multimedia Session Control) working group of the Internet Engineering Task Force (IETF) which proposes that DTLS be established as a transport layer that can be used to secure sessions of T.38 IP fax when running over the SIP protocol.

I’m personally enthusiastic about this direction and have made comments on the current draft. I find it ironic that the IETF is looking at adding security layer support to an ITU protocol, but in the world of standards, it’s useful for the work to be done by the experts who have the right domain expertise. In this case, the IETF created DTLS and there is interest in the combination of UDPTL and T.38 from the Fax over IP task group of the SIP Forum, so there is probably enough participation by the Internet and fax communities to produce a useful standard. At this writing, MMUSIC is considering adoption of this draft as an official working group item.

Stay tuned on this one. WebRTC is training a generation of engineers to use a new toolkit of various protocols, so the potential adoption of DTLS by the IP fax community may be a harbinger of a trend to re-purpose various components of the WebRTC initiative in innovative and surprising ways.

WebRTC – Solution for Over The Top Communications?

WebRTC offers an intriguing mix of web-based access and real-time communications.   Part of the excitement has been due to the aggressive approach which has been taken by browser companies such as Google and Mozilla in adding WebRTC to recent versions of their production browsers. 

As a result, any user of these browsers could potentially be connected to other users of WebRTC applications. One example where this could come into play is in Over the Top (OTT) applications. The term Over the Top usually means that an application runs over a broadband IP network and is usually not a packaged service sold by the Internet service provider (ISP). For example, Skype provides a way to do audio and video communications over IP networks. Its base level of service allows for connection to other Skype users at no charge for both audio and video communications. Skype also includes sophisticated features like encryption of calls. For ISPs, Skype potentially competes with a bundled voice offering and a user might elect to use the combination of Skype and a mobile phone for all of their voice communications. This means the ISP gets to sell the customer a broadband IP connection, but may not get any other bundled service revenue.

Let’s suppose you’re an ISP that would like to offer an alternative to Skype for your customer community. What does WebRTC bring to the table? On the media side, WebRTC can support both audio and video communications. It also has built-in security methods for authentication and securing of sessions. For the application, the ISP can create this from scratch or layer this onto a WebRTC enabled browser and automatically take advantage of the WebRTC “hooks” which are built into a browser such as Chrome or Firefox. To truly complete the OTT application, there is still more to do such as determine which signaling to use, and what addressing scheme should be used to interconnect users. For a good analysis of the signaling side, see this recent blog post from webrtchacks.

So, let’s assume the ISP completes the OTT application using WebRTC. What is the potential value add compared to a application like Skype? One potential benefit is the capability for the user to communicate with other users that have WebRTC-enabled applications. One limitation of Skype is that it is a closed community and uses proprietary technologies. As a result, Skype users can currently only communicate with other Skype users unless they go off the network. By contrast, with WebRTC, there will be a standards-based interface based on JavaScript APIs, so that the ISP could structure their application so that it can talk to other WebRTC-enabled applications. There are also a wide variety of WebRTC to SIP gateways that have already been brought to the market, so this offers the potential to interconnect the WebRTC enabled application with the existing base of SIP applications. Hence, WebRTC offers the potential to help break down the silos which currently dominate multimedia communications and enable different applications to communicate either directly via WebRTC or indirectly through WebRTC to SIP gateways.

One way to look at WebRTC is that it offers a very robust “toolkit” of multimedia communications capabilities that can run over web interfaces. The example we have discussed in this blog of an OTT application is just one possibility of how a developer or ISP might use this toolkit. As the web development community learns to take advantage of WebRTC, there will no doubt be a wide range of applications which will emerge. On the business side, WebRTC is a disruptive technology, so we can also anticipate a wide array of different business models to emerge which will build on its open standards hooks.

WebRTC – New Communications Paradigm?

About two years ago, Google brought a new communications initiative called WebRTC to the two best known Internet standards organizations.  WebRTC is short for Web Real Time Communications and the intent is to enable complex real time communications of voice, video and data using web clients, web servers and related applications.  Google has been advancing the work both through contributions to open source libraries and by contributions to standards organizations.  As you may know, once work is accepted by standards organizations, lots of people can get involved, so this work is no longer strictly a Google initiative and has gained support and participation from many companies both large and small. 

The breakdown of work between the standards organizations has played to the strengths of two of them.  The Internet Engineering Task Force (IETF) is contributing Internet protocols to the work and the Worldwide Web Consortium (W3C) is preparing an application program interface (API) based on JavaScript.    

By the second half of last year, the drumbeats promoting WebRTC sounded loudly and in recent weeks, there was an industry conference dedicated strictly to WebRTC, with more to come later this year.   I spoke at the SIPNOC conference on a WebRTC panel a couple of months back and there was lots of interest from telecom industry participants who have been busy in recent years building out real time communications using the Session Initiation Protocol (SIP).  Some articles have even touted WebRTC as the “savior” for the telecom industry, whereas other pundits have said that WebRTC is very high on the hype scale.   

One of the goals of this blog will be to cut through marketing spin and look at what is really happening in the world of communications.  In my view, WebRTC has no shortage of hype, but there is also real technical substance in the initiative and many companies are making serious investments in WebRTC, even though many of the technical elements are nascent and the standards are not yet baked.  One key thing to keep in mind is that WebRTC is the latest attempt to bring real time multimedia communications into the web infrastructure and make it relatively easy for web developers to add real time communications to their applications, without having the master the intricacies of SIP.  The telecom industry has made several attempts to integrate with web developers in the past five years, but the WebRTC initiative seems more promising, since it is centered on web protocols, not on telecom protocols, and much of the “plumbing” will be buried beneath the same kind of JavaScript APIs that web developers have been utilizing for many years.  

If you want a deep dive into WebRTC on the technical side, I can recommend the book “WebRTC:  “APIs and RTCWEB Protocols of the HTML5 Real-Time Web,” written by Alan Johnston and Dan Burnett.  They have just released a second edition, which I have not read yet, but the first edition offered a good technical overview and a nice distillation of the many standards that are being extended or developed as part of the overall initiative.  (Disclosure: I know Alan well from his work in the IETF and we are co-authors on a current Internet Draft.)  Since this is open standards work, you can also dive even deeper and sign up for the various IETF and W3C standards lists if you want to fill up your mailbox with emails.

Circling back to the title of this post, will WebRTC truly be a new communications paradigm?   In my view, it’s too early to tell, but stay tuned and hold on tight.  This promises to be quite a ride.