May 2013 archive
Moving Beyond Telephone Numbers – The Need for a Secure, Ubiquitous Application-Layer Identifier (Featured Blog)
I knew I needed to change.
Our second daughter was a year old and I realized that I had to do something for my health to ensure I was going to be around for my wife and our two girls.
So my wife and I started walking every day, or as close to that as we could. We have the privilege of having a beautiful large cemetery near us that has roads and trails through it where you can walk for quite some time.
Soon walking led to "jogging"... which led to (gasp!) running!
Running was something I swore I'd never do because I never saw any runner smiling. But slowly... very slowly... I became one of those people.
It was an iterative process - I started saying "let me see if I can run from the entrance to the cemetery down to the first fork in the road." Then it was "let's see if I can run to the flagpole." Then "beyond the flagpole to the next fork."
Then, the BIG step... could I run from the entrance all the way up that big, enormous, huge, daunting, terrible hill to the chapel?
From there it was a test of looping the cemetery - and then starting to run into a second, attached cemetery (Greenlawn) that has another huge hill. And then it was looping both cemeteries... and then looping through the other side trails.
Ultimately it became a question of doing TWO loops through both cemeteries to get to a 5K distance.
And then my running left the cemetery and was out on the roads...
The process took MANY months... and a lot of fatigue.
The good news is that running in the cemetery was very peaceful. There were generally no cars or road crossings. And very few spectators watching this fat guy huffing and puffing as he tried to make it up the hill.
Plus, on a morbid note, I always thought that if I died while running there, they could just dig a hole and toss my body in it. :-)
Three years later I ran that same loop yesterday at a pace around 9 minutes, 30 seconds per mile. And I've routinely run loops through that cemetery now AFTER having already run 5 or 6 miles. I don't even notice either of those "ginormous" hills that so intimidated me.
I had in fact hoped to do a 5 mile run around Washington, D.C., this morning (I'm here on business travel) but sadly left my running shorts back in N.H.
I have become a runner.
And here's the fascinating part to me: I love it!
In fact, it's now almost like a drug. I often feel a need to run. It helps clear my mind at times - and it just helps physically. As I've written here, I've enjoyed a number of races... and I'm looking forward to my 3rd time running the Swanzey Covered Bridges Half-Marathon this September (with the goal to not fade out at mile 12).
A beautiful effect, too, is that when I have to move quickly in an airport to catch a plane, I'm generally not boarding my plane looking like I am about to have a heart attack! (That used to be how it was...)
Running has been a savior of my sanity on business trips, too, getting me outside of the hotel rooms and conference centers. I recorded an audio segment about this a while back:
Given that I spend FAR too many hours in airplanes, running has provided an antidote to all the endless hours of sitting I do in airborne tin cans.
Running has also let me quickly see a bit of the places I've visited. Normally with the travel I do I wouldn't see much beyond the airports, taxis, hotels and restaurants... but going out for a run in the early morning has let me see the surrounding area. I've had the privilege of running around Red Square in Moscow, in Tiananmen Square in Beijing, underneath the Eiffel Tower in Paris, along back roads in Mumbai... and so many other places. Getting outside has been so critical - and running has enabled me to do that.
Along the way, I have lost some weight. Losing the first 45 pounds turned out to take about 6 months or so... and then I've been stuck in a plateau for most of the last couple of years:
This wasn't all through exercise. I also moderated my eating. A friend from back in Ottawa once wrote about his "S" diet:
No Seconds or Sweets, except on Saturdays and Sundays.
And I remembered that over all the years, and decided that it was a simple mantra to follow - and in particular the "no seconds" was a rule that I adopted.
Now, as that chart shows, I've not been entirely faithful. The travel I do presents meals where it's not always very easy to make the healthiest eating choices. And I freely admit that my willpower fades in the presence of the siren song of a chocolate chip cookie (and wilts completely when presented with a tray of said cookies!).
But I keep at it... and I keep running so that I can have a bit of wiggle-room on the eating. (Another friend says he runs specifically so that he CAN eat!)
And today, I celebrate the health I do have, and this new love of exercise that has so changed my life on so many levels.
If you are out there thinking about doing more exercise, I'd encourage you to get started... find a place where you can start walking, and start setting small, obtainable goals.
Perhaps soon you'll find yourself out there like me, doing something you never thought you'd do... running.
And doing so with a smile on your face! ;-)
Do "smart" parking meters really need phone numbers? Does every "smart meter" installed by electric utilities need a telephone number? Does every new car with a built-in navigation system need a phone number? Does every Amazon Kindle (and similar e-readers) really need its own phone number?
In the absence of an alternative identifier, the answer seems to be a resounding "yes" to all of the above.
At the recent SIPNOC 2013 event, U.S. Federal Communications Commission CTO Henning Schulzrinne gave a presentation (slides available) about "Transitioning the PSTN to IP" where he made a point about the changes around telephone numbers and their uses (starting on slide 14) and specifically spoke about this use of phone numbers for devices (slide 20). While his perspective is obviously oriented to North America and country code +1, the trends he identifies point to a common problem:
What do we use as an application-layer identifier for Internet-connected devices?
In a subsequent conversation, Henning indicated that one of the area codes seeing the largest number of requests for new phone numbers is one in Detroit - because of the automakers' need to provision new cars with navigation systems such as OnStar that need an identifier.
Why Not IPv6 Addresses?
Naturally, doing the work I do promoting IPv6 deployment, my first reaction was of course:
"Can't we just give all those devices IPv6 addresses and be done with it?"
The answer turns out to be a bit more complex. Yes, we can give all those devices IPv6 addresses (and almost certainly will as we are simply running out of IPv4 addresses), but:
1. Vendors Don't Want To Be Locked In To Infrastructure - Say you are a utility and you deploy 1,000 smart meters in homes in a city that all connect back to a central server to provide their information. They can connect over the Internet using mobile 3G/4G networks and in this case they could use an IPv6 address or any other identifier. They don't need to use a telephone number when they squirt their data back to the server. However, the use of IP addresses as identifiers then ties the devices to a specific Internet Service Provider. Should the utility wish to change to a different provider of mobile Internet connectivity, they would now have to reconfigure all their systems with the new IPv6 addresses of the devices. Yes, they could obtain their own block of "Provider Independent (PI)" IPv6 addresses, but now they add the issue of having to have their ISP route their PI address block across that provider's network.
2. Some Areas Don't Have Internet Connectivity - In some places where smart meters are being deployed, or where cars travel, there simply isn't any 3G/4G Internet connectivity and so the devices have to connect back to their servers using traditional "2G" telephone connections. They need a phone number because they literally have to "phone home".
While we might argue that #2 is a transitory condition while Internet access continues to expand, the first issue of separating the device/application identifier from the underlying infrastructure is admittedly a solid concern.
Telephone Numbers Work Well
The challenge for any new identifier is that telephone numbers work rather well. They are:
- easily understood - people in general are very comfortable with and used to phone numbers (assuming they have access to phone networks)
- ubiquitous - phone numbers are everywhere and are available globally
- well defined - they have a fixed format that is well known and standardized
- easy to provision - they can be entered and configured very easily, including via keypads, speech recognition and more
For all these reasons, it is understandable that device vendors have chosen phone numbers as identifiers.
The Billing / Provisioning Conundrum
The last bullet above points to a larger issue that will be a challenge for any new identifier. Utilities, telcos and other industries have billing and provisioning systems that in some cases are decades old. They may have been initially written 20 or 30 (or more) years ago and then simply added on to in the subsequent years. These systems work with telephone numbers because that's what they know.
Changing them to use new identifiers may be difficult or in some cases near impossible.
So Why Change?
So if telephone numbers work so well and legacy systems are so tied to those numbers, why consider changing?
Several reasons come to mind:
1. Security - There really is none with telephone numbers. As Henning noted in his presentation and I've written about on the VOIPSA blog in the past, "Caller ID" is easily spoofable. In fact, there are many services you can find through a simple search that will let you easily do this for a small fee. If you operate your own IP-PBX you can easily configure your "Caller ID" to be whatever you want and some VoIP service providers may let you send that Caller ID on through to the recipient.
2. OTT mobile apps moving to desktop (and vice versa) - Many of the "over the top (OTT)" apps that have sprung up on iOS and Android devices for voice, video or chat communication started out using the mobile device's phone number as an identifier. It's a simple and easy solution as the device has the number already. We're seeing some of those apps, though, such as Viber, now move from the mobile space to the desktop. Does the phone number really make sense there? Similarly, Skype made the jump from desktop to mobile several years ago and used its own "Skype ID" identifier - no need for a phone number there.
3. WebRTC - As I've written before, I see WebRTC as a fundamental disruption to telecommunications on so many different levels. It is incredibly powerful to have browser-based communication via voice, video or chat... in any web browser... on any platform including ultimately mobile devices. But for WebRTC to work, you do need to have some way to identify the person you are calling. "Identity" is a key component here - and right now many of the WebRTC systems being developed are all individual silos of communication (which in many cases may in fact be fine for their specific use case). WebRTC doesn't need phone numbers - but some kind of widely-accepted application-layer identifier could be helpful.
4. Global applications - Similarly, this rise of WebRTC and OTT apps has no connection to geography. I can use any of these apps in any country where I can get Internet connectivity (and yes, am not being blocked by the local government). I can also physically move from country to country either temporarily or permanently. Yet if I do so I can't necessarily take my phone number with me. If I move to the US from the UK, I'll probably want to get a new mobile device - or at least a new SIM card - and will wind up with a new phone number. Now I have to go back into the apps to change the identifier used by the app to be that of my new phone number.
5. Internet of Things / M2M - As noted in the intro to this post, we're connecting more and more devices to the Internet. We've got "connected homes" where every light switch and electrical circuit is getting a sensor and all appliances are wired into centralized systems. Devices are communicating with other devices and applications. We talk about this as the "Internet of Things (IoT)" or "machine-to-machine (M2M)" communication. And yes, these devices all need IP addresses - and realistically will need to have IPv6 addresses. In some cases that may be all that is needed for provisioning and operation. In other cases a higher-level identifier may be needed.
6. Challenges in obtaining phone numbers - We can't, yet, just go obtain telephone numbers from a service like we can for domain names. Obtaining phone numbers is a more involved process that, for instance, may be beyond many WebRTC startups (although they can use services that will get them phone numbers). One of the points Henning made in this SIPNOC presentation was that the FCC is actually asking for feedback on this topic. Should they open up phone numbers within the US to be more easily obtainable? But even if this were done within the US, how would it work globally?
7. Changes in user behavior - Add to all of this the fact that most of us have stopped remembering phone numbers and instead simply pull them up from contact / address books. We don't need a phone number any more... we just want to call someone; the underlying identifier is no longer critical.
All of these are reasons why a change to a new application-layer identifier would be helpful.
So What Do We Do?
What about SIP addresses that look like email addresses? What about other OpenID or other URL-based schemes? What about service-specific identifiers? What about using domain names and DNS?
Henning had a chart in his slides that compared these different options ("URL owned" is where you own the domain):
The truth is there is no easy solution.
Telephone numbers are ubiquitous, understood and easy-to-use.
A replacement identifier needs to be all of that... plus secure and portable and able to adapt to new innovations and uses.
Oh... and it has to actually be deployable within our lifetime.
Will there be only one identifier as we have with telephone numbers?
Probably not... but in the absence of one common identifier we'll see what we are already seeing - many different islands of identity for initiating real-time communications calls:
- Skype has its own proprietary identity system for calls
- Apple has its own proprietary identity system for FaceTime calls
- Google has its own proprietary identity system for Hangouts
- Facebook has its own proprietary identity system used by some RTC apps
- Every WebRTC startup seems to be using its own proprietary identity system.
- A smaller community of people who care about open identifiers are actually using SIP addresses and/or Jabber IDs (for XMPP/Jingle).
And in the meantime, Amazon is still assigning phone numbers to each of its Kindles, the utilities are assigning phone numbers to smart meters and automakers are embedding phone numbers in cars.
How can we move beyond telephone numbers as identifiers? Or are we already doing so but into proprietary walled gardens? Or are we stuck with telephone numbers until they just gradually fade away?
RELATED NOTES: Some additional pointers are worth mentioning:
- The Internet Society (my employer) has a team focused on the broader subject of online privacy and identity (beyond simply the telephone numbers I mention here) and the links and documents there may be of interest.
- There's a new Internet Draft out, draft-peterson-secure-origin-ps, that does an excellent job on the problem statement around "secure origin identification" as it relates to VoIP based on the SIP protocol and why there are security issues with what we think of as "Caller ID".
- Chris Kranky recently argued that telcos are missing the opportunity of leveraging telephone numbers as identifiers in the data world.
You can listen to an audio version of this post on SoundCloud:
Per ICANN’s TLD DNSSEC report, this means that we’re now at 107 TLDs out of 317 with DS anchors in the root zone. Great to see!
So now… if you have a domain in the .TV or .CC TLDs, you, too, can benefit from the increased security of DNSSEC and can ensure that people connecting to your domain are in fact getting to the servers and sites you want them to connect to.
Given that the TLDs were just signed today, it may take a few days for registrars and DNS hosting providers to support connecting .TV and .CC domains into the global chain of trust… but it can’t hurt to ask those registrars and providers when they will provide this support! For more information, see: How To Secure And Sign Your Domain With DNSSEC Using Domain Registrars.
Kudos to the teams at Verisign, .TV and .CC for making this happen!