Developing Secure, Multi-lateral Peer to Peer SIP Applications
Jim.Dalton@TransNexus.com

Market Problem
(Diagram: an originating domain and a terminating domain, each with PSTN gateways, Ethernet switch and router, connected over the Internet or an IP network to a PSTN service provider POP. For a call between them the open questions are: routing, access control, accounting and settlement.)
Current Status of Peering
• Ad hoc bilateral peering arrangements
• ENUM provides a solution for peer to peer route discovery
But how to handle?
• Inter-domain access control
• Accounting
• Settlement disputes
• Backwards compatibility with operations and billing support systems for H.323 networks
• Evolution to new services
Benefits of secure multi-lateral peering
• Efficient peer to peer communications eliminates signaling bottlenecks
• Access control is greatly simplified
  • IP access lists are eliminated
  • Asymmetric key management is simpler and more secure than shared secrets
• Eliminates costly overhead of managing many bilateral interconnect agreements
Solution: Open Settlement Protocol
• Open Settlement Protocol (OSP):
  • Global standard for inter-domain transaction authorization and usage reporting
  • Developed by ETSI in 1998, now in version 4.1.1
• Based on existing standards
  • Uses asymmetric Public Key Infrastructure (PKI) services for non-repudiation of transactions
• Broad support: Asterisk, SER, Cisco, Alcatel, Radvision, UTStarcom, Mediaring, ISDN Communications, Veraz, Vovida, Teles
• Protocol independent
  • Works with SIP, H.323, SMS, MMS, IAX …
Overview I - How OSP Works
(Diagram: Domain A authenticates to the OSP server and receives an authorization token; the SIP INVITE with the token, and then the RTP media, go directly from Domain A to Domain B over the IP network.)
• Route discovery
• Inter-domain access control

Overview II - How OSP Works
(Diagram: Domain A and Domain B each send an encrypted CDR to the OSP server over the IP network.)
• CDR collection
The Basics of Public-key Cryptosystems
Security services between parties rely on exchange of public keys and security of private keys.
Critical points:
• Public / private keys are used for encryption / decryption and digital signatures
• Public keys are public, so they are easy to distribute
• A digital certificate signed by a trusted 3rd party ensures the public key is legitimate
• Digital signatures provide data integrity, authentication and non-repudiation
• Certificates may be chained from a root authority
Establishing PKI Security Services
(Diagram: a SIP device enrolling with the Certificate Authority (CA) for peer to peer authorization, which is the OSP server.)
1. Client device requests the public key and certificate from the CA
2. CA sends its public key and its certificate
3. Client device sends a certificate request to the CA
4. CA returns the signed certificate
Certificate contents: VoIP device information, VoIP device public key, CA signature (signed with the CA private key, certified by the Certificate Authority)
Source Peer Authentication
(Diagram: a device in Carrier A sends an authorization request to the OSP server over the IP network.)
• Routing request to OSP server is digitally signed with the VoIP device's private key
• OSP server verifies the client signature with the client's public key to authenticate the routing request

Inter-Domain Access Control
(Diagram: the OSP server returns an authorization response with a token to Domain A; Domain A sends the SIP INVITE with the token to Domain B over the IP network.)
• OSP server digitally signs the authorization token
• Authorization token is included in the SIP INVITE
• Domain B has no trusted relationship with Domain A, but verifies the digital signature with the CA public key
• Carrier can retain the digital signature for non-repudiation
Authorization Token
• Destination
  • IP address, domain name, SIP URI, tel URI, E.164, trunk group
• Destination protocol
  • SIP, Q931, H323-LRQ, IAX, other
• Transaction ID
• Service type, bandwidth, number of channels
• Call ID, session ID, multi-session ID
• Valid after / valid until
• Authorized amount
  • Seconds, packets, bytes, pages, call, session, price, currency
• Authority URL
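How the terminating domain can accept a call from a domain it has no relationship with, as an added example (not from the slides or from TransNexus code): the OSP server signs the token fields listed above, and Domain B verifies with the server's public key alone, then enforces the destination and the valid-after / valid-until window. The struct fields, the canonical encoding and the use of RSA-PSS are this example's assumptions; a real OSP token is encoded differently.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"time"
)

// AuthToken carries the token fields the slides list. The field set and the
// canonical encoding are this example's simplification, not the real OSP token format.
type AuthToken struct {
	TransactionID string
	Destination   string // called number (E.164) or SIP URI
	ValidAfter    time.Time
	ValidUntil    time.Time
	AmountSeconds int
}

// canonical is the exact byte string that is signed and later verified.
func (t AuthToken) canonical() []byte {
	return []byte(fmt.Sprintf("tid=%s\ndst=%s\nafter=%s\nuntil=%s\namt=%d\n",
		t.TransactionID, t.Destination, t.ValidAfter.UTC().Format(time.RFC3339),
		t.ValidUntil.UTC().Format(time.RFC3339), t.AmountSeconds))
}

// Issue is the OSP server side: sign the token with the server's private key.
func Issue(priv *rsa.PrivateKey, t AuthToken) ([]byte, error) {
	h := sha256.Sum256(t.canonical())
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify is the terminating domain's side; it needs only the server's public key (no bilateral
// trust with the originating domain) and checks the signature, the called number and the window.
func Verify(pub *rsa.PublicKey, t AuthToken, sig []byte, called string, now time.Time) error {
	h := sha256.Sum256(t.canonical())
	if err := rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil); err != nil {
		return fmt.Errorf("token signature invalid: %w", err)
	}
	if t.Destination != called {
		return fmt.Errorf("token issued for %s, not %s", t.Destination, called)
	}
	if now.Before(t.ValidAfter) || now.After(t.ValidUntil) {
		return fmt.Errorf("call start outside token window %s..%s", t.ValidAfter, t.ValidUntil)
	}
	return nil
}
```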
Secure Accounting
(Diagram: Domain A and Domain B each send a usage indication carrying an encrypted CDR to the OSP server over the IP network.)
• Domains A and B encrypt CDRs with the CA public key
• OSP server decrypts the CDR with the CA private key
• For auditing, the OSP server can request in real time that a domain digitally sign a batch of CDRs

Capabilities & Pricing Messages
• OSP enables clients to update the OSP server database in real time
• Capabilities Exchange messages can be used
  • To indicate service features available
  • To indicate bandwidth or channels available
  • To indicate presence
• Pricing Indication is used to provide rate changes
  • for services (voice, fax, message, video …)
  • based on seconds, pages, bytes, packets and currency

Examples of OSP Peering
• Enterprise VoIP VPN
• Wholesale inter-carrier VoIP services
• Tiered peering
• DUNDi settlement clearinghouse
Enterprise VoIP Network
(Diagram: branch office, headquarters, manufacturing, sales office and call center connected over the Internet.)
• Requirements:
  1. Centralized routing
  2. Secure inter-office access control
  3. Centralized accounting
  4. Autonomous local operation
  5. Minimum bandwidth

Enterprise VoIP VPN
(Diagram: the same sites, now with an OSP server reachable over the Internet, forming a VoIP VPN.)
• OSP peering architecture provides a secure VoIP VPN that meets all five requirements:
  1. Centralized routing
  2. Secure inter-office access control
  3. Centralized accounting
  4. Autonomous local operation
  5. Minimum bandwidth
Wholesale Inter-Carrier Services
• Challenge: how to manage interconnect access and billing among thousands of ITSP peers on the Internet

Wholesale Inter-Carrier Services
• Conventional solution is to route all calls via a softswitch or session border controller

Wholesale Inter-Carrier Services
(Diagram: several OSP servers on the Internet answering route lookups for peers.)
• Direct peering with OSP is more scalable, more reliable, gives better QoS, uses less bandwidth and costs less

Wholesale Inter-Carrier Services
(Diagram: the OSP servers receive a source CDR and a destination CDR for each call.)
• Call detail collection from both the source and the destination eliminates settlement disputes
Tiered Peering
(Diagram: the Purple and Yellow peering networks, each with its own OSP servers, exchange 1. Auth. Request, 2. Auth. Request, 3. Auth. Response, 4. Auth. Response, after which a SIP INVITE carrying a token for the Purple network is sent over the Internet.)
• OSP enables secure peering among multiple peering networks

Tiered Peering CDR Reporting
(Diagram: source CDRs and destination CDRs flow up from the Purple and Yellow peering networks to the top tier OSP servers.)
• Top tier peering networks receive Call Detail Records from both source and destination peers
DUNDi
• Distributed Universal Number Discovery
• Based on a General Peering Agreement
• No settlement

DUNDi Clearinghouse
(Diagram: DUNDi nodes exchange "rate / minute?" and "2¢ / minute!", then send a token request to the OSP server acting as clearinghouse.)
• DUNDi nodes enroll with the CA
• Route and rate discovery with DUNDi
• Source submits route & rate to the clearinghouse for a digitally signed token

DUNDi Clearinghouse
(Diagram: SIP INVITE with token between the nodes; both nodes send CDRs to the OSP server.)
• SIP INVITE includes the signed token
• Destination validates the rate in the token
• CDRs are sent to the clearinghouse

DUNDi Clearinghouse
(Diagram: the OSP server holds both CDRs and produces the settlement bill.)
• Clearinghouse performs settlement billing
Details of OSP
(Diagram, protocol stack from top to bottom: Open Settlement Protocol; XML presentation; HTTP v1.0; SSL / TLS; TCP port 80 or TCP port 443; IP.)
• An OSP server is a web server
• Message formats
  • Multipurpose Internet Mail Extensions (MIME)
  • eXtensible Markup Language (XML)
  • Secure MIME
• Communication protocols
  • HTTP v1.0 over TCP port 80, or over SSL / TLS on TCP port 443
OSP Message Example

HTTP header:

    HTTP/1.1 200 OK
    Server: IP address of OSP server
    Date: Thu, 12 May 2005 18:32:59 GMT
    Connection: Keep-Alive
    Keep-Alive: timeout=3600, max=5000
    Content-Length: 1996
    Content-Type: text/plain

OSP message (token and the rest of the message are truncated on the slide):

    <?xml version='1.0'?>
    <Message messageId='11703738491' random='21655'>
      <AuthorizationResponse componentId='11703738490'>
        <Timestamp>2005-05-12T18:32:59Z</Timestamp>
        <TransactionId>4785098287068543017</TransactionId>
        <Destination>
          <CallId encoding='base64'>MTExNTkxOTE3Ny45</CallId>
          <DestinationInfo type='e164'>Called Number</DestinationInfo>
          <DestinationSignalAddress>[IP Address:Port]</DestinationSignalAddress>
          <UsageDetail>
            <Amount>14400</Amount>
            <Unit>s</Unit>
          </UsageDetail>
          <ValidAfter>2005-05-12T18:27:59Z</ValidAfter>
          <ValidUntil>2005-05-12T18:37:59Z</ValidUntil>
          <DestinationProtocol>sip</DestinationProtocol>
          <SourceInfo type='e164'>Calling Number</SourceInfo>
          <Token encoding='base64'>
          Vj0xCnI9MjE2NTUKYz0KQz03Nzc3Nzc3Nzc3Cmk9TVRFeE5Ua3hPVEUzTnk0NQphPT
          IwMDUtMDUtMTJUMTg6Mjc6NTlaCnU9MjAwNS0wNS0xMlQxODozNzo1OVoKST00Nz

Annotations on the message:
• TransactionId: unique transaction ID per call
• CallId: call ID from the source device
• DestinationInfo: called number (may be translated)
• DestinationSignalAddress: IP address of the called number
• UsageDetail: call authorized for 14400 seconds
• ValidAfter / ValidUntil: call authorized to start within a 10 minute window
• DestinationProtocol: may be SIP, H323, IAX, …
• Token: digital signature of the token ensures non-repudiation
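Added example, not from the slides: parsing the AuthorizationResponse above with Go's encoding/xml and selecting a destination whose ValidAfter / ValidUntil window covers the call start. The sample reuses the slide's message with its placeholder values (called number, token) replaced by constructed ones.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"time"
)

// Message and Destination map a subset of the AuthorizationResponse elements on the slides.
type Message struct {
	Destinations []Destination `xml:"AuthorizationResponse>Destination"`
}
type Destination struct {
	Number     string `xml:"DestinationInfo"`
	Amount     int    `xml:"UsageDetail>Amount"`
	Unit       string `xml:"UsageDetail>Unit"`
	ValidAfter string `xml:"ValidAfter"`
	ValidUntil string `xml:"ValidUntil"`
	Token      string `xml:"Token"`
}

// Sample is the slide's response with its placeholders ("Called Number" and the
// truncated token) replaced by constructed values so the example runs offline.
const Sample = `<Message messageId='11703738491' random='21655'><AuthorizationResponse componentId='11703738490'>
<TransactionId>4785098287068543017</TransactionId><Destination>
<DestinationInfo type='e164'>14045551212</DestinationInfo>
<UsageDetail><Amount>14400</Amount><Unit>s</Unit></UsageDetail>
<ValidAfter>2005-05-12T18:27:59Z</ValidAfter><ValidUntil>2005-05-12T18:37:59Z</ValidUntil>
<DestinationProtocol>sip</DestinationProtocol><Token encoding='base64'>Y29uc3RydWN0ZWQ=</Token>
</Destination></AuthorizationResponse></Message>`

// UsableDestination parses the response and returns the first destination whose
// ValidAfter..ValidUntil window contains now, with the seconds it is authorized for.
func UsableDestination(doc string, now time.Time) (*Destination, int, error) {
	var m Message
	if err := xml.Unmarshal([]byte(doc), &m); err != nil {
		return nil, 0, err
	}
	for i := range m.Destinations {
		d := &m.Destinations[i]
		after, errA := time.Parse(time.RFC3339, d.ValidAfter)
		until, errU := time.Parse(time.RFC3339, d.ValidUntil)
		// A route outside its window is skipped even if the token signature would verify.
		if errA != nil || errU != nil || d.Unit != "s" || now.Before(after) || now.After(until) {
			continue
		}
		return d, d.Amount, nil
	}
	return nil, 0, fmt.Errorf("no destination valid at %s", now.UTC().Format(time.RFC3339))
}
```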
Open Source Tools
• www.SIPfoundry.org
  • OSP Toolkit (client)
  • OpenOSP Server (based on Apache)
  • RAMS OSP Server
• www.Asterisk.org
  • Asterisk includes an OSP client
• OSP Module for SIP Express Router
  • http://osp-module.berlios.de
• www.voxgratia.org
  • OSP enabled H323 proxy (future support for SIP)
• www.TransNexus.com
  • OSPrey – free OSP server