1. Secure VoIP: call establishment and media protection Johan Bilien, Erik Eliasson, Joachim Orrblad, Jon-Olov Vatn
2. Protecting the signaling
encryption and integrity protection
hop-by-hop
protection of privacy
Protecting the media
encryption and integrity protection
end-to-end
at network (IPSec ESP) or application layer (SRTP)
Authenticated Key Exchange (AKE)
provides key to protect the media
allows callee poli
3. AKE for Secure VoIP Which protocol?
IKE (RFC 2409)
widely deployed and acknowledged
MIKEY (RFC 3830)
specifically designed for protection of multimedia services
MIKEY profile defined for SRTP
How to combine the AKE and the SIP signaling?
“out-of-band”, performed in additional messages, or
integrated, carried in the SIP messages
4. Performance metrics Ringing delay (RD)
from sending the INVITE to receiving the ringing notification
includes caller authentication
Media clipping (MC)
media transmission is hindered by ongoing cryptographic processing
Ghost ringing
the caller cancels the call after the callee started ringing
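The three metrics above can be derived from a timestamped trace of one call. The block below is an added example, not code from the paper or its implementation: the trace format "<seconds> <side> <event> [detail]" and every trace line in it are constructed for the demo, and the two key-exchange flows are modelled the way the deck describes them (MIKEY response in the 200 OK versus in a reliable provisional response acknowledged with PRACK).

```python
"""Compute ringing delay (RD), media clipping (MC) and ghost ringing from a
timestamped call trace.  Added example; the trace format and all trace lines
are constructed, not measurements from the paper."""

# Constructed: MIKEY response carried in the 200 OK, no reliable provisional
# response.  The caller is still deriving SRTP keys when the callee's first
# media packet arrives, so that media is dropped (clipping on the caller).
TRACE_NO_100REL = """\
0.000 caller sip-send INVITE
0.012 callee sip-recv INVITE
0.060 callee sip-send 180
0.072 caller sip-recv 180
3.000 callee keys-ready
3.000 callee sip-send 200
3.000 callee media-tx-first
3.012 caller sip-recv 200
3.012 caller media-rx-first
3.180 caller keys-ready
3.180 caller media-tx-first
3.192 callee media-rx-first
"""

# Constructed: MIKEY response carried in a reliable 183, acknowledged with
# PRACK; both sides hold keys before the callee picks up, so no clipping.
TRACE_100REL = """\
0.000 caller sip-send INVITE
0.012 callee sip-recv INVITE
0.060 callee keys-ready
0.060 callee sip-send 183
0.072 caller sip-recv 183
0.240 caller keys-ready
0.240 caller sip-send PRACK
0.260 callee sip-send 180
0.272 caller sip-recv 180
3.000 callee sip-send 200
3.000 callee media-tx-first
3.012 caller sip-recv 200
3.012 caller media-rx-first
3.015 caller media-tx-first
3.027 callee media-rx-first
"""

# Constructed: the caller gives up after the callee has started ringing.
TRACE_GHOST = """\
0.000 caller sip-send INVITE
0.012 callee sip-recv INVITE
0.060 callee sip-send 180
0.072 caller sip-recv 180
1.500 caller sip-send CANCEL
"""


def parse_trace(text):
    """Return [(seconds, side, kind, detail-or-None)] for every trace line."""
    events = []
    for ln in text.splitlines():
        if not ln.strip():
            continue
        t, side, kind, *rest = ln.split()
        events.append((float(t), side, kind, rest[0] if rest else None))
    return events


def first(events, side, kind, detail=None):
    """Timestamp of the first matching event, or None if it never happened."""
    for t, s, k, d in events:
        if s == side and k == kind and (detail is None or d == detail):
            return t
    return None


def ms(start, end):
    """Interval in whole milliseconds, None if either end is missing."""
    return None if start is None or end is None else round((end - start) * 1000)


def call_metrics(text):
    """RD = INVITE sent -> 180 received at the caller.
    MC per side = media first received -> keys ready (0 if keys came first).
    Ghost ringing = caller sent CANCEL after it had received the 180."""
    ev = parse_trace(text)
    t_invite = first(ev, "caller", "sip-send", "INVITE")
    t_ring = first(ev, "caller", "sip-recv", "180")
    t_cancel = first(ev, "caller", "sip-send", "CANCEL")
    clipping = {}
    for side in ("caller", "callee"):
        gap = ms(first(ev, side, "media-rx-first"), first(ev, side, "keys-ready"))
        clipping[side] = None if gap is None else max(gap, 0)
    return {
        "ringing_delay_ms": ms(t_invite, t_ring),
        "clipping_ms": clipping,
        "ghost_ringing": t_ring is not None and t_cancel is not None and t_cancel > t_ring,
    }


if __name__ == "__main__":
    for name, trace in (("no 100rel", TRACE_NO_100REL), ("100rel", TRACE_100REL),
                        ("ghost", TRACE_GHOST)):
        print(name, call_metrics(trace))
```

Note that moving the MIKEY response into the reliable provisional response trades clipping for ringing delay: the caller's key processing now happens before the 180 is sent, so RD grows by that processing time while MC drops to zero.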
5. IKE and SIP signaling IKE performed “out of band”
SIP preconditions (RFC 3312) extended for IKE setup
6. MIKEY and SIP signaling MIKEY integrated with SIP / SDP
Without reliable provisional responses
Processing of the MIKEY response in the 200 OK creates media clipping
7. Implementation Signaling protection using TLS
Media protection
SRTP
AKE using MIKEY in the SDP offer-answer
IPSec ESP
AKE using MIKEY in a separate MIME payload
proposed MIKEY profile for ESP
No reliable provisional response
Open source (LGPL and GPL)
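Carrying MIKEY in the SDP offer-answer means the callee's user agent has to locate the key-management attribute in the offer, parse the MIKEY header it carries, and answer in the same scope with the matching MIKEY response. The following is an added example, not code from the project described here: it parses RFC 4567 `a=key-mgmt:` lines and decodes only the fixed MIKEY common header (RFC 3830). The SDP bodies, the CSB ID and the MIKEY byte strings are constructed for the demo and are not valid MIKEY messages beyond that header.

```python
"""Parse a=key-mgmt lines (RFC 4567) carrying MIKEY in the SDP offer/answer and
check an answer against the offer.  Added example; SDP bodies and MIKEY bytes
are constructed for the demo and are not real MIKEY messages."""
import base64
import struct

# MIKEY common-header data types, RFC 3830 section 6.1.1
MIKEY_DATA_TYPES = {0: "PSK init", 1: "PSK verify", 2: "PK init", 3: "PK verify",
                    4: "DH init", 5: "DH resp", 6: "Error"}
# Initiator message type -> the response type that completes the exchange
MIKEY_EXPECTED_RESPONSE = {0: 1, 2: 3, 4: 5}


def parse_key_mgmt(sdp_text):
    """Map each scope ('session' or 'media N') to (protocol, raw key-mgmt bytes)."""
    scope, media_index, found = "session", -1, {}
    for line in sdp_text.splitlines():
        line = line.strip()
        if line.startswith("m="):
            media_index += 1
            scope = f"media {media_index}"
        elif line.startswith("a=key-mgmt:"):
            proto, _, data = line[len("a=key-mgmt:"):].partition(" ")
            if not data:
                raise ValueError(f"a=key-mgmt without data in {scope}")
            found[scope] = (proto.lower(), base64.b64decode(data, validate=True))
    return found


def mikey_header(raw):
    """Decode the fixed 10-byte MIKEY common header (RFC 3830 section 6.1)."""
    if len(raw) < 10:
        raise ValueError("MIKEY message shorter than the common header")
    version, dtype, _next, v_prf, csb_id, n_cs, _map = struct.unpack("!BBBBIBB", raw[:10])
    if version != 1:
        raise ValueError(f"unsupported MIKEY version {version}")
    return {"data_type": dtype, "csb_id": csb_id,
            "verify_requested": bool(v_prf & 0x80), "prf": v_prf & 0x7F, "num_cs": n_cs}


def check_answer(offer_sdp, answer_sdp):
    """Return a list of problems; an empty list means the answer is acceptable.

    Checks: each keyed scope of the offer is answered with the same protocol,
    the MIKEY response type matches the offered mode, and the response carries
    the offer's CSB ID (a response for another bundle must not be accepted)."""
    problems = []
    offer, answer = parse_key_mgmt(offer_sdp), parse_key_mgmt(answer_sdp)
    for scope, (proto, init_raw) in offer.items():
        if scope not in answer:
            problems.append(f"{scope}: answer carries no key-mgmt")
            continue
        a_proto, resp_raw = answer[scope]
        if a_proto != proto:
            problems.append(f"{scope}: protocol {a_proto!r} != offered {proto!r}")
            continue
        if proto != "mikey":
            continue
        init, resp = mikey_header(init_raw), mikey_header(resp_raw)
        want = MIKEY_EXPECTED_RESPONSE.get(init["data_type"])
        if resp["data_type"] != want:
            problems.append(f"{scope}: response type {MIKEY_DATA_TYPES.get(resp['data_type'])!r}, "
                            f"expected {MIKEY_DATA_TYPES.get(want)!r}")
        if resp["csb_id"] != init["csb_id"]:
            problems.append(f"{scope}: CSB ID {resp['csb_id']:#x} != offered {init['csb_id']:#x}")
    return problems


def fake_mikey(data_type, csb_id, verify=False):
    """Constructed: a MIKEY common header plus filler, NOT a valid MIKEY body."""
    v_prf = 0x80 if verify else 0          # V bit set; PRF func 0 (MIKEY-1)
    return struct.pack("!BBBBIBB", 1, data_type, 0, v_prf, csb_id, 1, 0) + b"\x00" * 8


def build_sdp(ip, port, mikey_bytes):
    """Constructed one-media SDP with the key-mgmt line at media level."""
    return (f"v=0\r\no=- 1 1 IN IP4 {ip}\r\ns=-\r\nc=IN IP4 {ip}\r\nt=0 0\r\n"
            f"m=audio {port} RTP/SAVP 0\r\n"
            f"a=key-mgmt:mikey {base64.b64encode(mikey_bytes).decode()}\r\n")


CSB = 0x1234ABCD                                               # constructed CSB ID
OFFER = build_sdp("192.0.2.1", 49170, fake_mikey(0, CSB, verify=True))   # PSK init
GOOD_ANSWER = build_sdp("192.0.2.2", 49172, fake_mikey(1, CSB))          # PSK verify
BAD_ANSWER = build_sdp("192.0.2.2", 49172, fake_mikey(1, 0xDEADBEEF))    # wrong CSB ID

if __name__ == "__main__":
    print("good answer:", check_answer(OFFER, GOOD_ANSWER))
    print("bad answer:", check_answer(OFFER, BAD_ANSWER))
```

The scope is tracked by media index rather than by the literal `m=` line, because offer and answer legitimately differ in port and may differ in the payload list; the check therefore pairs the n-th media description of each side.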
8. Secure call setup - delays
9. Measurements
10. Conclusions and future work In all the measured cases, the ringing delay is not noticeable to a human listener (~75 ms)
The key exchange for SRTP results in a short transmit clipping on both sides (~170 ms)
The use of IPSec results in a major media clipping on both sides (~ 800 ms). We believe this to be a Linux IPSec implementation issue.
Adding support for reliable provisional responses, to carry the MIKEY response, would cancel those clippings.
We recommend the use of SRTP for media protection, TLS for signaling protection, and an authenticated key exchange based on MIKEY.