nanog mailing list archives

Re: Should FCC look at SS7 vulnerabilities or BGP vulnerabilities


From: Brandon Martin <lists.nanog () monmotha net>
Date: Thu, 16 May 2024 19:17:37 -0400

On 5/16/24 16:05, Josh Luthman wrote:
> The FCC has spent the last several years hounding us voice providers over spam calls.  They've implemented laws.  They have required us to do paperwork.  Have they been successful in that task?
>
> Now do you think they're going to properly understand what an SS7 or vulnerability is?

The FCC absolutely is going to have experts in house who know what SS7 is and who are likely aware of the basics of how it works and what vulnerabilities that might "obviously" lead to. Whether they have anyone in house who knows it in technical detail and would be able to audit it from a protocol and implementation level to come up with novel vulnerabilities or even really understand in detail how published vulnerabilities work is perhaps another matter, but they don't necessarily need that to come up with effective advisory guidelines or even mandatory regulations if they invite proper comment from the industry and review them.

Regulating the phone system is not exactly a new thing for the FCC, after all.

I think the issue with their lack of effectiveness on spam calls is due to the comparatively small number of players in the PSTN (speaking of both classic TDM and modern IP voice-carrying and signaling networks) world allowing lots of regulatory capture. That's going to keep the FCC from issuing mandatory rules much beyond what much of the industry is on the road to implementing already to keep their customers placated.

The Internet is at least a little different in that it is set up more as a system where every player has some degree of parity in operation regardless of their size or footprint, and the self-governance rulemaking is much more out in the open. I suspect that's why we've had some success with getting BGP security not just addressed in guidance but actually practically improved.

That self-governance and openness also improves the FCC's ability to gather information and I suspect also improves the quality and relevance of official public comments that they receive.

I do think the FCC should at least consider looking at SS7 security...and perhaps they should attempt to just get rid of it. It's really only relevant for legacy TDM networks at this point, from what I can tell, with essentially all modern IP voice-carrying networks instead using SIP. Maybe it's time for it to just die along with the TDM PSTN which a lot of states are essentially killing off by removing mandatory service offering, anyway.
--
Brandon Martin

