Learn about the security threats and requirements in SIP, including authentication, confidentiality, and message integrity. Explore security mechanisms like HTTP Digest and S/MIME.
Development of Communication Services, IRT0080, Lecture 5. Avo Ots, Chair of Telecommunications, TTÜ Institute of Radio and Communication Engineering, avo.ots@ttu.ee
Links
• http://www.cs.columbia.edu/sip/ (What_is_SIP.ppt)
• http://www.ietf.org/rfc/rfc3261.txt?number=3261
• http://www.ietf.org/rfc/rfc2633.txt?number=2633
Internet ->> real-time communications network
Protocols involved: PPPoE, PPTP, PPP, TLS, DiffServ, SOAP, IM, RSVP, SIP, HTTP, Presence, IPv6, WAP, PBX, SMTP (Email), SNMP, FTP, POP3, AAAA, DNS, IPv4, DHCP, NAT, SRV, TCP, ENUM, UDP, RIP, NAPTR
User Registration
• The User Agent sends REGISTER sip:shiva@137.122.88.74 to the Registrar Server; the Registrar Server stores the binding in the Location Server and answers 200 OK
URI Registration: user address forms
• user@domain, user@host, user@IP_Address
• im:shiva@yahoo.com, sip:shiva@uottawa.ca, sip:shiva@137.122.92.219, sips:yousof@aol.ca, pres:shivanna@yahoo.com
• Telephone Numbers: phone_number@gateway
• Examples: tel:411;phone-context=+1613, tel:5625800;phone-context=+1613, tel:+16135625800, sip:+16135625800@wcom.com;user=phone
SIP - Presence
• Presence functionality gives the opportunity to know who is online among your contact lists
• SUBSCRIBE and NOTIFY messages are used to subscribe to and notify presence
Flow between sip:shiva@yahoo.com and sip:yousof@aol.com (Presence Agent -> yahoo.com Presence Server -> aol.com Presence Server -> Presence Agent): SUBSCRIBE, 202 Accepted, 200 OK, NOTIFY, 200 OK
SIP - Instant Messaging
• Instant messaging enables you to send short messages to another person
• Very useful for short requests and responses
• Has better real-time characteristics than e-mail
• Yahoo, AOL, MSN Messengers etc.
Flow between sip:shiva@yahoo.com and sip:yousof@aol.com (IM Agent -> @yahoo.com Proxy Server -> @aol.com Proxy Server -> IM Agent): MESSAGE, 200 OK, 200 OK, MESSAGE, 200 OK
SIP - End to End Call Setup
• SIP Proxy Server forwards requests on behalf of SIP agents
• May update the SIP message before forwarding it to the called party
Flow between sip:shiva@yahoo.com and sip:yousof@aol.com (User Agent -> yahoo.com Proxy Server -> aol.com Proxy Server -> User Agent): INVITE (M1), INVITE (M2), INVITE (M1), 100 Trying (M3), 100 Trying (M5), 180 Ringing (M6), 180 Ringing (M7), 180 Ringing (M8), 200 OK (M9), 200 OK (M10), 200 OK (M11), ACK (M12), Media Session, BYE (M13), 200 OK (M14)
SIP - End to End Call Setup (Redirect)
• SIP Redirect Server responds to a UA request with a redirection response indicating the current location of the called party
Flow between sip:shiva@yahoo.com and sip:yousof@uottawa.ca (User Agent -> yahoo.com Redirect Server, then User Agent -> uottawa.ca Proxy Server -> User Agent): INVITE (M1), 302 Moved Temporarily (M2), ACK (M3), INVITE (M4), INVITE (M5), 100 Trying (M6), 180 Ringing (M7), 180 Ringing (M8), 200 OK (M9), 200 OK (M10), ACK (M11), Media Session, BYE (M12), 200 OK (M13)
SIP Security Threats
• SIP Snooping, Eavesdropping
• Tampering With the Message Bodies
• Replay Attack
• Impersonating a Server
• Impersonating Users
• Registration Hijacking
• Tearing Down a Session
• Denial of Service and Distributed DoS Attack
SIP Security Requirements
• Authenticating Users
• Authenticating Servers (Proxy, Registrar, Redirect)
• Message Confidentiality and Integrity
• Privacy
Diagram: SIP UA -> Proxy Server (with Location server) -> SIP UA carries the SIP Text Messages; the Media (RTP) flows between the SIP UAs
SIP Security: Authentication
• Authenticating Servers:
  • TLS: Transport Layer Security, PKI certificates, RFC 2246
  • HTTP Digest, RFC 2617
• Authenticating Users:
  • HTTP Digest, RFC 2617
  • TLS if users have certificates
• Authentication:
  • Hop-by-Hop
  • End-To-End
SIP Security: Confidentiality and Message Integrity
• End-to-End Encryption:
  • From Caller's UA to Callee's UA
  • Message Body and Some parts of the Headers
  • Using S/MIME, Secure Multipurpose Internet Mail Extension, RFC 2633
• Hop-by-Hop Encryption:
  • To protect header information that is needed by intermediaries
  • Relies on Network Level (IPSec) or Transport level (TLS) protocols
SIP Security Mechanisms: HTTP DIGEST
• A challenge-based Authentication mechanism
• Based on the MD5 hash function
• Limitations of HTTP Digest:
  • It requires pre-existing shared secret keys
  • Scope of realm
  • Not secure enough, based on secret keys not PKI
  • No Message Integrity Protection
  • No Confidentiality
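The following is an added example (not code from the lecture) showing the HTTP Digest exchange of RFC 2617 as SIP uses it: a registrar issues a nonce in a 401 challenge, the UA answers with an Authorization header, and the registrar recomputes the response from its stored secret. The realm, user, password and nonce are constructed values. It also shows two of the limitations listed above in code: a pre-shared secret is needed on both sides, and HA2 hashes only the method and Request-URI, so nothing in the response binds the message body or the other headers.

```python
import hashlib
import hmac
import re

# Constructed demo data (not from the lecture): one user in one realm.
REALM = "example.com"
USERS = {"shiva": "s3cret-demo-password"}   # the pre-shared secret Digest needs


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(value: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    if not value.startswith("Digest "):
        raise ValueError("not a Digest credential")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', value[len("Digest "):])
    return {k: q if q else u for k, q, u in pairs}


def digest_response(username, password, realm, method, uri, nonce,
                    nc="", cnonce="", qop=""):
    """RFC 2617 'response' value. HA2 covers only the method and the
    Request-URI, so the SIP body and the other headers are not protected."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # legacy form without qop


def build_authorization(username, password, realm, method, uri, nonce, nc, cnonce):
    """Client side: the Authorization header a UA sends after a 401."""
    nc_hex = f"{nc:08x}"
    resp = digest_response(username, password, realm, method, uri, nonce,
                           nc_hex, cnonce, "auth")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc_hex}, cnonce="{cnonce}", '
            f'response="{resp}", algorithm=MD5')


class Registrar:
    """Server side: issues nonces, checks credentials, rejects replays."""

    def __init__(self, users, realm):
        self.users, self.realm = users, realm
        self.nonces = {}  # nonce -> highest nonce-count accepted so far

    def challenge(self, nonce):
        """WWW-Authenticate value for a 401; the nonce is remembered for verify()."""
        self.nonces[nonce] = 0
        return (f'Digest realm="{self.realm}", nonce="{nonce}", '
                f'qop="auth", algorithm=MD5')

    def verify(self, method, authorization):
        p = parse_digest(authorization)
        user, nonce = p.get("username"), p.get("nonce")
        if p.get("realm") != self.realm or user not in self.users:
            return False
        if nonce not in self.nonces:            # never issued (or expired)
            return False
        nc = int(p.get("nc", "0"), 16)
        if nc <= self.nonces[nonce]:            # replayed or reordered request
            return False
        expected = digest_response(user, self.users[user], self.realm, method,
                                   p.get("uri", ""), nonce, p.get("nc", ""),
                                   p.get("cnonce", ""), p.get("qop", ""))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return False
        self.nonces[nonce] = nc
        return True


def demo():
    """Challenge, valid answer, replay of the same answer, wrong method."""
    reg = Registrar(USERS, REALM)
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"   # constructed; would be random
    reg.challenge(nonce)
    auth = build_authorization("shiva", USERS["shiva"], REALM, "REGISTER",
                               "sip:example.com", nonce, 1, "0a4f113b")
    accepted = reg.verify("REGISTER", auth)          # True
    replayed = reg.verify("REGISTER", auth)          # False: nc=1 already used
    # Credentials computed for REGISTER fail for INVITE because HA2 binds the
    # method; note that nothing in the hash binds the message body.
    auth2 = build_authorization("shiva", USERS["shiva"], REALM, "REGISTER",
                                "sip:example.com", nonce, 2, "0a4f113b")
    wrong_method = reg.verify("INVITE", auth2)       # False
    return accepted, replayed, wrong_method


if __name__ == "__main__":
    print(demo())
```

The nonce-count check is what gives a registrar its replay protection; without it, a captured Authorization header would be accepted again until the nonce expires. Storing HA1 instead of the cleartext password on the server is the usual hardening, and it does not change the computation above.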
SIP Security Mechanisms: S/MIME
• S/MIME: Secure Multipurpose Internet Mail Extension
• Confidentiality and integrity of MIME message bodies
• SIP headers can also be encapsulated in the MIME body for end-to-end Authentication, integrity and confidentiality
• End-to-End Mutual Authentication
• S/MIME Authentication Does Not Require a Shared Secret Key
• Requires a common PKI Certificate Authority
• Limitations of S/MIME:
  • Lack of infrastructure for user Public Key Exchange
  • It can result in very large messages
SIP Security Mechanisms: TLS
• Authentication, Integrity, Confidentiality
• Usually used for server authentication
• Can authenticate clients, but requires distribution of client certificates
• Limitations of TLS:
  • Runs on TCP Only, not UDP
  • Offers only hop-by-hop authentication
  • Security in one hop doesn't mean security in other hops
  • More Tightly Integrated with the SIP Application
SIP Security Mechanisms: IPSec
• Confidentiality, Authentication and Integrity
• Supports TCP and UDP
• Requires Pre-Shared Keys
• Does not require integration with SIP
Secure SIP URI Scheme
• SIPS URI Scheme
• New URI Scheme
• SIPS:user@example.com
• MUST Implement If You Support TLS
• If the Request-URI Is SIPS, All Hops MUST Be Secure
• If a hop cannot be secured, the transaction fails
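As an added example (not from the lecture), the parser below handles the address forms listed on the User Registration slide (sip:, sips:, im:, pres: and tel: URIs, user@host with optional port and ;parameters) and applies the SIPS rule from this slide: a sips: Request-URI is acceptable only if every hop uses a secure transport. The `hop_transports` list, `SipUri` class and the sample URIs used in the test are assumptions made for the example; ?header= parts of SIP URIs are not handled.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SipUri:
    scheme: str                      # sip, sips, tel, im or pres
    user: Optional[str]              # user part or, for tel:, the number
    host: Optional[str]              # None for tel: URIs
    port: Optional[int]
    params: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        """sips: demands a secure transport on every hop of the request."""
        return self.scheme == "sips"

    @property
    def is_phone(self) -> bool:
        """tel: URIs and sip: URIs carrying ;user=phone name a telephone number."""
        return self.scheme == "tel" or self.params.get("user") == "phone"


def parse_uri(text: str) -> SipUri:
    """Parse the URI forms shown on the slides (no ?header= part, IPv4 hosts)."""
    scheme, sep, rest = text.strip().partition(":")
    if not sep or not scheme:
        raise ValueError(f"missing scheme in {text!r}")
    scheme = scheme.lower()
    body, _, param_str = rest.partition(";")
    params = {}
    for item in param_str.split(";"):
        if item:
            key, _, val = item.partition("=")
            params[key.lower()] = val
    if scheme == "tel":
        # tel:411;phone-context=+1613 -> number 411 with a dialling context
        return SipUri(scheme, body, None, None, params)
    if scheme not in ("sip", "sips", "im", "pres"):
        raise ValueError(f"unsupported scheme {scheme!r}")
    user, at, hostport = body.rpartition("@")
    if not at:
        user, hostport = None, body
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError(f"missing host in {text!r}")
    return SipUri(scheme, user, host.lower(), int(port) if port else None, params)


def hops_acceptable(uri: SipUri, hop_transports) -> bool:
    """Slide rule: if the Request-URI is sips, every hop MUST use TLS;
    a sip: Request-URI places no such requirement on the hops.
    hop_transports is a constructed list such as ["TLS", "UDP"]."""
    if not uri.secure:
        return True
    return all(t.upper() == "TLS" for t in hop_transports)


if __name__ == "__main__":
    for sample in ("sips:yousof@aol.ca", "sip:+16135625800@wcom.com;user=phone",
                   "tel:411;phone-context=+1613", "pres:shivanna@yahoo.com"):
        u = parse_uri(sample)
        print(sample, "->", u, "| TLS on all hops:", u.secure)
```

A proxy that receives a sips: request and can only reach the next hop over UDP or plain TCP must fail the transaction rather than silently downgrade; `hops_acceptable` is the check that decision rests on.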
SIP and Firewall
• Challenges for SIP:
  • Problem for the Media Stream
  • RTP will be blocked by FWs
• Solutions:
  • FW must understand SIP and open 'pin-holes' for the RTP
  • Use Application-Level Gateways (ALG) trusted by the FW
  • Some FWs have built-in ALG
  • Authentication and Security policy controlled by the ALG, not the FW
  • The ALG is a B2BUA which proxies both the SIP signalling and the Media Stream
SIP and NAT
• Network Address Translators: Serious problems for SIP!
  • Changes IP Addresses and Port Numbers
  • SIP messages not routable!
• Solutions:
  • SIP has a mechanism to detect the presence of NAT
  • UAs and the Proxy Server can fix the IP addresses
  • This solves the SIP signaling problem but NOT the Media Stream problem!
  • New Protocols and Extensions for NAT traversal under development: STUN, ICE, rport, symmetric RTP, TURN, connection reuse, SDP attribute for RTCP, and others.
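The NAT detection mechanism and the address fix mentioned above are the `received` parameter of RFC 3261 and the `rport` extension (RFC 3581) on the topmost Via header. The example below is added here and is not from the lecture: it rewrites a Via the way a proxy or UAS does on receipt of a UDP request, flags a suspected NAT when the advertised address differs from where the datagram actually came from, and computes where the response must be sent. The Via values, addresses and ports are constructed; IPv4 hosts without brackets are assumed. As the slide says, this repairs signalling only; the SDP still carries the private media address.

```python
from typing import List, Tuple

DEFAULT_PORT = 5060


def _parse_sent_by(sent_by: str) -> Tuple[str, str, int]:
    """'SIP/2.0/UDP 192.168.1.10:5060' -> (protocol, host, port)."""
    proto, _, hostport = sent_by.strip().rpartition(" ")
    host, _, port = hostport.partition(":")
    return proto, host, int(port) if port else DEFAULT_PORT


def fix_via(top_via: str, src_ip: str, src_port: int) -> Tuple[str, bool]:
    """Rewrite the topmost Via as a proxy/UAS does on receipt of a request:
    add received=<source IP> when it differs from the advertised host
    (RFC 3261 section 18.2.1) and fill an empty rport with the source port
    (RFC 3581). Returns the new Via value and whether a NAT is suspected."""
    sent_by, _, param_str = top_via.partition(";")
    _, host, port = _parse_sent_by(sent_by)
    params: List[str] = [p.strip() for p in param_str.split(";") if p.strip()]
    out = []
    for p in params:
        name, _, value = p.partition("=")
        if name == "rport" and value == "":     # client asked for its port back
            out.append(f"rport={src_port}")
        else:
            out.append(p)
    if host != src_ip:
        out.append(f"received={src_ip}")
    # A mismatch between what the UA advertised and what we observed is the
    # NAT indicator the slide refers to (private address or rewritten port).
    nat_suspected = host != src_ip or port != src_port
    return ";".join([sent_by.strip()] + out), nat_suspected


def response_destination(via: str) -> Tuple[str, int]:
    """Where the response to this request must be sent (RFC 3581 section 4):
    the received address if present, and the rport value if present,
    otherwise the host and port from sent-by. This is the signalling fix;
    the media (RTP) address in the SDP is untouched and still needs
    STUN/ICE/TURN or symmetric RTP."""
    sent_by, _, param_str = via.partition(";")
    _, host, port = _parse_sent_by(sent_by)
    ip = host
    for p in param_str.split(";"):
        name, _, value = p.strip().partition("=")
        if name == "received" and value:
            ip = value
        elif name == "rport" and value:
            port = int(value)
    return ip, port


if __name__ == "__main__":
    # Constructed: a UA behind NAT advertises 192.168.1.10:5060, but the
    # datagram arrives from the NAT's public address 203.0.113.5:40123.
    via = "SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds;rport"
    fixed, nat = fix_via(via, "203.0.113.5", 40123)
    print(fixed)                      # ...;rport=40123;received=203.0.113.5
    print("NAT suspected:", nat)      # True
    print("send response to:", response_destination(fixed))
```

Without `rport`, the response would go to the advertised port 5060 at the received address, which the NAT will typically not map back to the UA; with it, the reply rides the same NAT binding the request opened.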