Multimedia Communications: Introduction to SIP and Securing SIP Solutions
Presented by: Shivanagouda Biradar, Yousof Pakzad
August 16, 2014
School of Information Technology and Engineering (SITE), University of Ottawa
This presentation is submitted to Prof. El Saddik in partial fulfillment of the requirements for the course ELG 5121: Multimedia Communications
Overview
• Introduction to SIP
  • Components
  • Messages
  • Applications
  • Benefits
• Secured Solutions
  • Security Requirements
  • Security Threats
  • Security Solutions
  • SIP, Firewall and NAT
• Conclusion and Future Directions
Telecommunication Network Migration
[Figure: PSTN phones attached through PSTN PBXs to the PSTN network; IP clients attached through IP routers to the IP network]
• PSTN network: traditionally centralized, voice-centric applications (a $1 trillion industry worldwide)
• IP network: distributed, mostly used for text data and multimedia applications
IP Network and PSTN Network Convergence
[Figure: PSTN phones and a PSTN PBX reach the IP network through IP-PSTN gateways; an IP-enabled PBX, IP phones and IP soft phones attach to the IP network through IP routers]
• Seamless integration of telephony and conferencing with many other Internet applications, such as e-mail, text messaging, presence and instant messaging
IP Call Processing Protocols
[Figure: protocol stack with Multimedia Applications (text, audio, video) on top; Media Transport, Quality of Service and Signaling protocols (RTP, RTCP, RTSP, RSVP, H.323, MGCP, SIP) over TCP/UDP, IPv4/IPv6, link layer and physical layer]
• H.323 (ITU)
• H.248/MEGACO/MGCP (ITU)
• SIP, Session Initiation Protocol (IETF)
SIP – Session Initiation Protocol
• SIP is an application layer signaling protocol used to set up, modify and tear down multimedia sessions
• Also used for presence notification and instant messaging over the Internet
• IETF standard (RFC 3261, 2002) for real-time multimedia communication signaling
• Approved by the Third-Generation Partnership Project (3GPP) as the signaling protocol for multimedia applications in 3G mobile networks
SIP Network Components
[Figure: SIP phones, SIP soft phones and a corporate SIP soft-switch on the IP network; SIP-PSTN and corporate SIP gateways to the PSTN network (PSTN phones, ISDN phones, PSTN PBX); a SIP-H.323 gateway to an H.323 network (H.323 terminals and soft phones); proxy/redirect, registration, location and conference servers]
• Clients
  • User Agent Client
  • User Agent Server
• Gateways
  • SIP-PSTN
  • SIP-H.323
  • SIP-MGCP
• Servers
  • Proxy, Redirect
  • Registration, Location
  • Conference
SIP Applications
• End-to-end multimedia call setup
• Conference call setup
• Instant messaging
• User presence notification
• Unified messaging
• User mobility
• Value added services on an IP-enabled PBX
SIP Messages
• Request messages
• Response messages
URI Registration
[Figure: user registration. The User Agent sends REGISTER sip:shiva@137.122.88.74 to the Registrar Server, which updates the Location Server and answers 200 OK]
• User address: user@domain, user@host, user@IP_Address
  • im:shiva@yahoo.com
  • sip:shiva@uottawa.ca
  • sip:shiva@137.122.92.219
  • sips:yousof@aol.ca
  • pres:shivanna@yahoo.com
• Telephone numbers: phone_number@gateway
  • tel:411;phone-context=+1613
  • tel:5625800;phone-context=+1613
  • tel:+16135625800
  • sip:+16135625800@wcom.com;user=phone
SIP - Presence
[Figure: Presence Agent sip:shiva@yahoo.com and Presence Agent sip:yousof@aol.com communicating through the yahoo.com and aol.com Presence Servers: SUBSCRIBE, answered by 202 Accepted and 200 OK, followed by NOTIFY, answered by 200 OK]
• Presence functionality gives the opportunity to know who is online among your contact lists
• SUBSCRIBE and NOTIFY messages are used to subscribe to and notify presence
SIP – Instant Messaging
[Figure: IM Agent sip:shiva@yahoo.com sends MESSAGE through the @yahoo.com Proxy Server and the @aol.com Proxy Server to IM Agent sip:yousof@aol.com; 200 OK is returned at each hop]
• Instant messaging enables you to send short messages to another person
• Very useful for short requests and responses
• Has better real-time characteristics than e-mail
• Yahoo, AOL, MSN Messengers etc.
SIP - End to End Call Setup (Proxy)
[Figure: sip:shiva@yahoo.com (User Agent, yahoo.com Proxy Server) calls sip:yousof@aol.com (aol.com Proxy Server, User Agent, the called party). Message flow: INVITE (M1) to the first proxy; INVITE (M2) to the second proxy; 100 Trying (M3) back to the caller; INVITE (M4) to the callee; 100 Trying (M5); 180 Ringing (M6, M7, M8) back to the caller; 200 OK (M9, M10, M11); ACK (M12); media session; BYE (M13); 200 OK (M14)]
• SIP Proxy Server forwards requests on behalf of SIP agents
• May update the SIP message before forwarding it
SIP - End to End Call Setup (Redirect)
[Figure: sip:shiva@yahoo.com (User Agent, yahoo.com Redirect Server) calls sip:yousof@uottawa.ca (uottawa.ca Proxy Server, User Agent). Message flow: INVITE (M1) to the Redirect Server; 302 Moved Temporarily (M2); ACK (M3); INVITE (M4) from the caller directly to the uottawa.ca Proxy Server; INVITE (M5) to the callee; 100 Trying (M6); 180 Ringing (M7, M8); 200 OK (M9, M10); ACK (M11); media session; BYE (M12); 200 OK (M13)]
• SIP Redirect Server responds to a UA request with a redirection response indicating the current location of the called party
SIP – Conference Setup
• Ad hoc
  • A point-to-point conversation is expanded with a series of INVITE messages (good for small groups)
• Meet me
  • A conferencing bridge is used to mix all the media and forward it on behalf of each client to the other participants as unicast
  • Each participant establishes a point-to-point call to the conferencing bridge
  • Good if all participants are interactive
• Interactive Broadcast
  • A conferencing bridge is used, but the mixed media is sent to a multicast address instead of being unicast to each participant
  • Can have active and passive participants
  • SIP signaling is required for interactive participants only
SIP - Mobility
• Terminal Mobility (Mobile IP and SIP)
  • The SIP user agent maintains its connections to the Internet as it moves from network to network and possibly changes its point of connection
• Personal Mobility (SIP REGISTER)
  • The SIP URI (similar to an e-mail address) is device independent
  • A user can use any end-device to receive and to make calls
• Service Mobility
  • A SIP user keeps the same services when mobile
  • Services resident in the user agent can be accessed over the Internet (e.g. call forwarding)
Benefits of SIP (benefit: features)
• Lightweight, ASCII-based protocol similar to HTTP and SMTP: simplifies development of applications; can be tightly integrated with Web-based services; reuses other IETF protocols, such as SDP, DNS, etc.
• Application/media independent: can be used for any real-time application, including voice, video, text messaging, instant messaging and presence
• Network independent: can be used with non-IP networks such as ATM, MPLS
• Protocol interoperability: can inter-work with H.323, PSTN/ISDN, mobile networks
• Increasing market adoption: availability of SIP-based products is growing
• Protocol extensibility: can work with non-telephony applications
SIP Security
[Figure: two SIP UAs exchange SIP text messages through a Proxy Server backed by a Location server; media (RTP) flows directly between the UAs]
• SIP messages are sent in clear text
• SIP security is independent of media security
• SIP uses the existing network security mechanisms: TLS, S/MIME, PKI, etc.
[Figure: two SIP UAs, a Location Server, a DNS Server and two SIP Proxy servers carrying the signaling; media (RTP) between the UAs]
SIP Security Threats
• SIP snooping, eavesdropping
• Tampering with the message bodies
• Replay attack
• Impersonating a server
• Impersonating users
• Registration hijacking
• Tearing down a session
• Denial of Service and Distributed DoS attack
SIP Security Requirements
[Figure: two SIP UAs exchange SIP text messages through a Proxy Server backed by a Location server; media (RTP) flows directly between the UAs]
• Authenticating users
• Authenticating servers (Proxy, Registrar, Redirect)
• Message confidentiality and integrity
• Privacy
SIP Security: Authentication
• Authenticating servers:
  • TLS: Transport Layer Security, PKI certificates, RFC 2246
  • HTTP Digest, RFC 2617
• Authenticating users:
  • HTTP Digest, RFC 2617
  • TLS if users have certificates
• Authentication scope:
  • Hop-by-hop
  • End-to-end
SIP Security: Confidentiality and Message Integrity
• End-to-end encryption:
  • From the caller's UA to the callee's UA
  • Covers the message body and some parts of the headers
  • Uses S/MIME, Secure Multipurpose Internet Mail Extensions, RFC 2633
• Hop-by-hop encryption:
  • Protects header information that is needed by intermediaries
  • Relies on network level (IPsec) or transport level (TLS) protocols
SIP Security Mechanisms: HTTP Digest
• A challenge-based authentication mechanism
• Based on the MD5 hash function
• Limitations of HTTP Digest:
  • Requires pre-existing shared secret keys
  • Scope of realm
  • Not secure enough: based on secret keys, not PKI
  • No message integrity protection
  • No confidentiality
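To make the challenge-response mechanism concrete, the following is an added example (not code from the presentation) showing, in Python, how a SIP UA computes an RFC 2617 Digest response and how a registrar verifies it; the realm, user name, password and nonce format are constructed sample values. It also shows why the limitations above hold: only the method, Request-URI and password are bound by the hash, so nothing else in the message is integrity-protected, and the server must hold the shared secret.

```python
import hashlib
import secrets
import time

# Constructed sample credentials (a real registrar would store HA1, not the password).
REALM = "uottawa.ca"
USERS = {"shiva": "s3cret-example"}
NONCE_LIFETIME_S = 60  # seconds a challenge nonce stays acceptable

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def make_nonce() -> str:
    """Server-issued nonce: issue time plus a random tag, so stale replays can be rejected."""
    return f"{int(time.time())}.{secrets.token_hex(8)}"

def digest_response(user, password, realm, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 Digest as used by SIP: only an MD5 of the password ever goes on the wire."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_auth_params(header: str) -> dict:
    """Turn 'Digest username="shiva", realm="uottawa.ca", ...' into a dict."""
    params = {}
    for part in header.split(" ", 1)[1].split(","):
        key, _, value = part.strip().partition("=")
        params[key] = value.strip('"')
    return params

def verify_authorization(header: str, method: str, now=None) -> bool:
    """Registrar-side check of an Authorization header carried by a request of type `method`."""
    p = parse_auth_params(header)
    password = USERS.get(p.get("username"))
    if password is None or p.get("realm") != REALM:
        return False
    try:  # reject nonces past their lifetime: this bounds the replay window
        issued = int(p["nonce"].split(".")[0])
    except (KeyError, ValueError):
        return False
    if (time.time() if now is None else now) - issued > NONCE_LIFETIME_S:
        return False
    expected = digest_response(p["username"], password, REALM, method, p.get("uri", ""),
                               p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    # Constant-time comparison so the check itself leaks nothing about the expected value.
    return secrets.compare_digest(expected, p.get("response", ""))
```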
SIP Security Mechanisms: S/MIME
• S/MIME: Secure Multipurpose Internet Mail Extensions
• Confidentiality and integrity of MIME message bodies
• SIP headers can also be encapsulated in a MIME body for end-to-end authentication, integrity and confidentiality
• End-to-end mutual authentication
• S/MIME authentication does not require a shared secret key
• Requires a common PKI certificate authority
• Limitations of S/MIME:
  • Lack of infrastructure for user public key exchange
  • It can result in very large messages
SIP Security Mechanisms: TLS
• Authentication, integrity, confidentiality
• Usually used for server authentication
• Can authenticate clients, but requires distribution of client certificates
• Limitations of TLS:
  • Runs on TCP only, not UDP
  • Offers only hop-by-hop authentication
  • Security in one hop doesn't mean security in other hops
  • More tightly integrated with the SIP application
SIP Security Mechanisms: IPsec
• IPsec
  • Confidentiality, authentication and integrity
  • Supports TCP and UDP
  • Requires pre-shared keys
  • Does not require integration with SIP
Secure SIP URI Scheme
• SIPS URI scheme
  • New URI scheme: sips:user@example.com
  • MUST be implemented if you support TLS
  • If the Request-URI is SIPS, all hops MUST be secure
  • If a hop cannot be secured, the transaction fails
SIP and Firewall
• Challenges for SIP
  • Problem for the media stream: RTP will be blocked by firewalls
• Solutions:
  • The firewall must understand SIP and open 'pin-holes' for the RTP
  • Use Application-Level Gateways (ALG) trusted by the firewall
    • Some firewalls have a built-in ALG
    • Authentication and security policy are controlled by the ALG, not the firewall
    • The ALG is a B2BUA which proxies both the SIP signalling and the media stream
SIP and NAT
• Network Address Translators: serious problems for SIP!
  • They change IP addresses and port numbers
  • SIP messages are not routable!
• Solutions:
  • SIP has a mechanism to detect the presence of NAT
  • UAs and the Proxy Server can fix the IP addresses
  • This solves the SIP signaling problem but NOT the media stream problem!
  • New protocols and extensions for NAT traversal under development: STUN, ICE, rport, symmetric RTP, TURN, connection reuse, SDP attribute for RTCP, and others
  • Best Current Practices for NAT Traversal for SIP: draft-ietf-sipping-nat-scenarios-01
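The NAT detection and address fix-up for signaling described above is the Via "received" parameter (RFC 3261) together with "rport" (RFC 3581, listed in the extensions). The following added example (not from the presentation) shows in Python what a proxy or registrar does with the topmost Via when a request arrives: the REGISTER message, the private address 192.168.1.20 and the public source address 137.122.88.74:40123 are constructed sample values. As the slide says, this repairs signaling only; the RTP addresses inside the SDP body still need STUN, ICE, TURN or symmetric RTP.

```python
# Constructed sample REGISTER from a UA behind NAT: Via sent-by and Contact carry the
# private address the UA believes it has; the datagram really arrives from the NAT's public side.
SAMPLE_REGISTER = (
    "REGISTER sip:uottawa.ca SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:shiva@uottawa.ca>;tag=1928301774\r\n"
    "To: <sip:shiva@uottawa.ca>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:shiva@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def top_via(msg):
    """Return (line index, sent-by part, host, port, parameter list) of the topmost Via."""
    for i, line in enumerate(msg.split("\r\n")):
        if line.lower().startswith("via:"):
            sent_by, *params = line.split(":", 1)[1].strip().split(";")
            host, _, port = sent_by.split()[1].partition(":")  # "SIP/2.0/UDP host:port"
            return i, sent_by, host, int(port or 5060), params
    raise ValueError("no Via header")

def fix_top_via(msg, src_ip, src_port):
    """Proxy/registrar side of the NAT check: compare the Via sent-by with the real packet
    source and record that source as received= (RFC 3261) and rport= (RFC 3581).
    Returns the rewritten message and whether a NAT was detected."""
    lines = msg.split("\r\n")
    i, sent_by, host, port, params = top_via(msg)
    # Never trust received/rport values supplied by the sender; recompute them here.
    kept = [p for p in params if p.split("=")[0] not in ("received", "rport")]
    if any(p.split("=")[0] == "rport" for p in params):
        kept.append(f"rport={src_port}")
    if host != src_ip:
        kept.append(f"received={src_ip}")
    lines[i] = "Via: " + ";".join([sent_by] + kept)
    return "\r\n".join(lines), (host != src_ip or port != src_port)

def contact_binding(msg, src_ip, src_port):
    """Address a NAT-aware registrar binds for the user: the source that actually reached
    it rather than the unroutable private Contact. Signaling only; SDP/RTP is untouched."""
    _, natted = fix_top_via(msg, src_ip, src_port)
    contact = next(l for l in msg.split("\r\n") if l.lower().startswith("contact:"))
    inner = contact.split("<", 1)[1].split(">", 1)[0]        # sip:user@host:port
    user = inner.split(":", 1)[1].split("@", 1)[0]
    return f"sip:{user}@{src_ip}:{src_port}" if natted else inner
```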
Conclusion
• SIP is a powerful application layer signalling protocol for multimedia applications
• SIP inter-works with PSTN and H.323
• SIP is widely accepted as the Internet signalling protocol for both fixed and mobile 3G networks
• SIP has many extensions under development:
  • STUN: Simple Traversal of UDP Through NATs
  • SIMPLE: SIP for Instant Messaging Leveraging Extensions
  • SIP compression for wireless networks
Questions? Thank You !