SIP.edu & VoIP Security
2nd Workshop on Securing VoIP
June 1-2, Washington, DC
Ben Teitelbaum <ben@internet2.edu>
http://people.internet2.edu/~ben/
Outline
• Internet2
• SIP.edu
  • Goal
  • Architecture
  • Status
  • Security Concerns
• Abilene Observatory
• VoIP Observatory?
Internet2 Who?
Elevator Explanation
• Internet2's mission is to develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow's Internet
Who we really are
• Membership organization of 200+ US research universities
• Parent 501(c)(3) (UCAID) has a board of university presidents
• Project supported by numerous partnerships (government, industry, international)
Goals
• Enable a new generation of applications
• Re-create leading-edge R&E network capability
• Transfer capability to the global production Internet
Internet2 Partnerships
• Internet2 universities are recreating the partnerships that fostered the Internet in its infancy
  • Industry
  • Government
  • International
• Additional Participation
  • Over 60 Internet2 Corporate Members
  • Over 40 Affiliate Members
  • New Association Member Category
  • Over 30 International Partners
Internet2 Focus Areas
Advanced Network Infrastructure
• 10 GB Abilene backbone
• Advanced regional networks
• 100 MB to the desktop
• National fiber-optic facility
Middleware
• Directories
• Authentication
• Authorization
Engineering
• Multicast
• IPv6
• Measurement
• New Arch
Advanced Applications
• Gigabit+ file transfer
• High-end video
• Remote instrumentation
• Distributed computation
• Virtual co-laboratories
• Distance learning
• Integrated Communications
Advanced Communications (less high-end, many users)
• Many ways VoIP can be better…
  • Multi-media integration
  • Integration with campus IT assets
  • Use of IPv6 and Multicast
  • Fidelity
  • Addressing
  • Mobility
  • Privacy
  • Survivability
  • Emergency services
* Drawings by VoIP user, Louis Teitelbaum (age 6)
Internet2's Secret Sauce
• Demographics
  • ~3.8 million students (tech-savvy, talk a lot, adapt easily)
  • And, by the way, they graduate (tech-transfer à la email)
• Institutional Commitments
  • Internet2 members have committed to advance IP communications and promote collaborative apps
  • Commitment to advance communication way beyond POTS
• Connectivity
  • Great networking connectivity and campus middleware
  • High-bandwidth, low-loss, low-jitter
  • End-to-end transparency (few NATs)
  • Emerging middleware infrastructure for authentication & authorization
  • IPv6 and multicast too!
• Strong commitment to open standards
SIP.edu Working Group
• Fearless Leader
  • Dennis Baron, MIT (Chair), sip:dbaron@mit.edu
• Web Site
  • http://www.internet2.edu/sip.edu/
Ends and Means
• Ends
  • Grow SIP connectivity in Internet2
  • Increase value proposition for end-user SIP adoption
  • Promote SIP and converged identity
  • Provide a useful service, while supporting R&D
• Means
  • Cookbook with various "recipes"
  • Corporate sponsorship and promotional pricing
    • Cisco, Avaya, Pulver.com so far
  • Build community
Why Phone NUMBERS?
• Users should not be burdened with device addresses, when it's people they care about
• Addresses should be mnemonic and empower enterprises to manage the identities of their users
  • sip:dbaron@mit.edu
• It's time to put E.164 numbers behind us!
• A.G. Bell did not say: "+1-617-252-1232, come here. I need you!"
SIP.edu Architecture v0.1 (diagram: SIP User Agent, DNS SRV, bigu.edu SIP Proxy, Campus Directory, SIP-PBX Gateway, PBX, Bob's Phone)
• SIP User Agent sends INVITE (sip:bob@bigu.edu)
• DNS SRV query for _sip._udp.bigu.edu locates the bigu.edu SIP Proxy
• SIP Proxy asks the Campus Directory for telephoneNumber where mail="bob"
• SIP Proxy sends INVITE (sip:12345@gw.bigu.edu) to the SIP-PBX Gateway
• Gateway connects over PRI / CAS to the PBX, which rings Bob's Phone
SIP.edu Architecture v0.2 (diagram: SIP User Agent, DNS SRV, bigu.edu SIP Proxy, SIP Registrar, location DB, Bob's SIP Phones)
If Bob has registered, ring his SIP UAs; else, call his extension through the PBX.
• Bob's SIP Phones send REGISTER (Contact: 207.75.164.131) to the SIP Registrar, which stores the binding in the location DB
• SIP User Agent sends INVITE (sip:bob@bigu.edu); DNS SRV query for _sip._udp.bigu.edu locates the bigu.edu SIP Proxy
• SIP Proxy consults the location DB and forwards INVITE (sip:bob@207.75.164.131) to Bob's SIP Phones: IP voice, video, IM, ...
• With no registration, the proxy falls back to the v0.1 path through the PBX
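The v0.1/v0.2 routing decision above, as an added example that is not code from the deck or from the SIP.edu cookbook: a minimal registrar (location DB with binding expiry) and the proxy's choice between a registered SIP contact and the PBX gateway. The directory contents, gateway host and request URIs are constructed sample values; the proxy only routes for its own domain, since a campus directory lookup must never be applied to foreign users.

```python
import re

# Constructed sample data for the bigu.edu example domain (assumed, not from the deck)
LOCAL_DOMAIN = "bigu.edu"
PBX_GATEWAY = "gw.bigu.edu"
CAMPUS_DIRECTORY = {"bob": "12345", "alice": "67890"}  # mail -> telephoneNumber


class Registrar:
    """Location DB populated by REGISTER: user -> (contact URI, expiry time)."""

    def __init__(self):
        self.bindings = {}

    def register(self, user, contact, expires, now):
        # Expires: 0 is how a UA removes its own binding
        if expires <= 0:
            self.bindings.pop(user, None)
        else:
            self.bindings[user] = (contact, now + expires)

    def lookup(self, user, now):
        binding = self.bindings.get(user)
        if binding and binding[1] > now:
            return binding[0]
        self.bindings.pop(user, None)  # drop an expired binding
        return None


def route_invite(request_uri, registrar, now):
    """Next-hop URI for an INVITE to sip:user@bigu.edu, or None (404 Not Found)."""
    m = re.fullmatch(r"sip:([A-Za-z0-9._-]+)@([A-Za-z0-9.-]+)", request_uri)
    if not m or m.group(2).lower() != LOCAL_DOMAIN:
        return None  # not our domain: the SRV record brought us only bigu.edu traffic
    user = m.group(1).lower()
    contact = registrar.lookup(user, now)
    if contact:
        return contact  # v0.2: ring the registered SIP UA
    ext = CAMPUS_DIRECTORY.get(user)
    if ext:
        return f"sip:{ext}@{PBX_GATEWAY}"  # v0.1: fall back to the extension via the PBX gateway
    return None


if __name__ == "__main__":
    reg = Registrar()
    print(route_invite("sip:bob@bigu.edu", reg, now=1000))          # PBX gateway
    reg.register("bob", "sip:bob@207.75.164.131", expires=3600, now=1000)
    print(route_invite("sip:bob@bigu.edu", reg, now=2000))          # registered phone
    print(route_invite("sip:bob@bigu.edu", reg, now=1000 + 3601))   # expired -> PBX again
```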
SIP.edu Security Considerations
• VoIP is wonderful, but returns us to the bad old days of in-band signaling
• DoS, SPIT, SPIM, Spideo, all concerns
• Toll fraud - not so much
• SIP.edu community looking seriously at draft-ietf-sip-identity-05 (Peterson & Jennings) to deter spoofing
• Possible leverage of Shibboleth / InCommon PKI
Security Should Not Compromise Security
• CALEA
  • Tapping boxes could introduce fragility
  • Tapping boxes could be hacked
• 911
  • Short-term solutions could delay the deployment of much better long-term solutions
  • IP-enabled PSAPs
  • Better 911: multimedia, testability, low-cost, robustness
  • Columbia/Texas A&M/Internet2/NENA NG911 project
• Priority and preemption systems
  • Open new opportunities for DoS attacks
  • Best-effort is often what you want in a crisis
SIP.edu Goals Revisited
• Provide a useful service…
  • User-to-user connectivity to support mass use of new collaborative applications
  • Eventual evolution of testbed deployments into production services
• …while supporting R&D
  • Experimental deployment of new solutions
  • Access to statistics & measurement data
Abilene Observatory - Summary
• History and Motivation
• What is the Observatory?
• Collocation Projects
• Internet2 and NOC Measurements
• Data Collections
• Examples of Research Results
• Participation in Research Proposals
• Future Directions
• Issues
• http://abilene.internet2.edu/observatory/
History and Motivation
• Original Abilene racks included measurement devices
  • Included a single PC
  • Early OWAMP, surveyor measurements
  • Optical splitters at some locations
• Motivation was primarily operational
  • Data collections
  • Collected and maintained by the NOC
  • How is the network performing?
  • Available to other network operators
• Data also proved valuable for research purposes
History and Motivation
• An important decision was made during the last upgrade process (Juniper T-640 routers and OC-192c)
  • Two racks, one dedicated to measurement platform
  • Potential for research community to collocate
• Created two components to the Observatory
  • Collocation - research groups are able to collocate equipment in the Abilene router nodes
  • Measurement - data is collected by the NOC, the Ohio ITEC, and Internet2, and made available to the research community
Abilene router node (diagram): T-640 router rack beside the Measurement (Observatory) rack, which holds 48VDC power, an Ethernet switch, measurement machines (nms), out-of-band access (M-5), and spare space
Houston Router Node (photo): NMS machines and PlanetLab machines; dedicated servers at each node
Collocation Research Projects
• PlanetLab – Nodes installed in all Abilene Router Nodes
  • PlanetLab is a global overlay network for developing and accessing new network services
  • Goal is to deploy 1000 nodes in a variety of networks
  • Designed to support both short-term experiments and long-running services
  • Larry Peterson, Princeton University, is Research Lead
  • http://www.planet-lab.org
  • Potential new direction using MPLS L2VPNs
Collocation Projects
• The AMP Project – Active Measurement Platform, deployed in all Abilene Router Nodes
  • More than 150 nodes deployed worldwide
  • Measurements include path, round-trip time, packet loss and on-demand throughput tests
  • Project of NLANR/MNA
  • Tony McGregor, NLANR/MNA, Waikato University, is Research Lead
  • http://amp.nlanr.net
Collocation Projects
• The PMA Project – Passive Measurement and Analysis, deployed at Abilene Indianapolis Router Node
  • Analysis of header traces from over 20 sites, including OC-192 circuits in Abilene
  • Header traces of all packets in and out of the Indianapolis Abilene router – a router clamp
  • Joerg Micheel, NLANR/MNA, San Diego Supercomputer Center, UCSD, is Research Lead
  • http://pma.nlanr.net
  • http://pma.nlanr.net/Sites/ipls-2004/
Measurement Capabilities
• One-way latency, jitter, loss
  • IPv4 and IPv6
• Regular TCP/UDP throughput tests – ~1 Gbps
  • IPv4 and IPv6; on-demand available (see "pipes")
• SNMP (NOC)
  • Octets, packets, errors; collected frequently
• "Netflow" (ITEC Ohio)
  • Addresses anonymized by zeroing the low-order 11 bits
• Multicast beacon with historical data
• Routing data
  • Both IGP and BGP - measurement device participates in both
  • Techniques from Japanese routing research were implemented
Databases – Data Types
• Data is collected locally and stored in distributed databases
• Databases
  • Usage Data
  • Netflow Data
  • Routing Data
  • Latency Data
  • Throughput Data
  • Router Data
  • Syslog Data
Databases - Interface
• Variety of interfaces to data
  • Simple web-based for usage data
  • Rsync for netflow
  • Simple web-based for routing data
  • SOAP interface for latency data
  • SOAP interface for throughput data
  • SOAP interface for router data
  • Syslog data still under development
"SIP.edu Observatory"?
• Could the Abilene Observatory be leveraged to support VoIP security research?
• Are additional data (e.g. anonymized proxy logs) needed to support VoIP security research?