420 likes | 610 Views
SIP, NAT, and Firewalls. Outline. Understanding the problem with SIP and Firewalls Overview of Internet Telephony and Voice over IP RTP SDP SIP Overview Internet Firewalls IP Addressing Issues Introduction to Security in SIP Summary Reference.
E N D
Outline • Understanding the problem with SIP and Firewalls • Overview of Internet Telephony and Voice over IP • RTP • SDP • SIP Overview • Internet Firewalls • IP Addressing Issues • Introduction to Security in SIP • Summary • Reference
Understanding the problems with SIP and Firewalls SIP Port 5060 Port ? Firewall RTP Firewall do not know a certain address and emphermal port
Understanding the problems with SIP and Firewalls (cont) • SIP, declares where to send media to (IP address / Port number) NOT where it comes from • Now with private IP, the problem is not only what ports to open but also to change its IP addresses in SIP message and telling the firewall about its usage • End-to-end encryption and authentication is impossible in the exchange of addresses • ALG and Real Specific IP
Overview of Internet Telephony and Voice over IP http://www.cisco.com/warp/public/788/voip/voip-nat-6.gif
Overview of Internet Telephony and Voice over IP (cont) • RTP • SDP • SIP Overview
Streaming Audio –the Real Time Protocol • In RTP header, the sequence number is used to detect lost and out of order packets • The reason for not supporting retransmission • Solution • To ignore the lost data • To extrapolate sound from previous audio samples to make up the lost ones • RTP uses UDP not TCP
Real Time Control Protocol (RTCP) • RFC 1889 • The main purpose is to give feedback on the quality of the delivery of data • RTCP is sent periodically • RTP -> even port number ; RTCP -> higher and odd port number
The Session Description Protocol • The three main objectives • To tell what kind of media you want to receive • To understand how the media to be coded • To inform where the addresses and port to be delivered to • Text based
The Structure of SDP • The grammar for SDP is very structured and strict • <type>=<value> • Only one character in type-field and this character is in lower case
SDP header fields • Session description • v= (protocol version) • o= (owner/creator and session identifier). • s= (session name) • i=* (session information) • u=* (URI of description) • e=* (email address) • p=* (phone number) • c=* (connection information - not required if included in all media) • b=* (bandwidth information) • One or more time descriptions • z=* (time zone adjustments) • k=* (encryption key) • a=* (zero or more session attribute lines) • Zero or more media descriptions • Time description • t= (time the session is active) • r=* (zero or more repeat times) • Media description • m= (media name and transport address) • i=* (media title) • c=* (connection information - optional if included at session-level) • b=* (bandwidth information) • k=* (encryption key) • a=* (zero or more media attribute lines) • * optional item
SDP header fields (cont) • the origin field o=<username> <session id> <version> <network type> <address type> <address> • the connection field c=<network type> <address type> <connection address> • the media field m=<media> <port> <transport> <fmt list>
SIP Overview • SIP, [RFC2543] • Call setup -1 • Between two users • It’s not mandatory for SIP to use SDP, but it is the only one defined so far
SIP addresses • SIP addresses, the so-called SIP URL • Format sip:user@host • We could find SIP URLs in • (1) the Request line, (2) the To field, (3) the From field, (4) the Via field, (5) the Contact filed, (6) the Record-route field, and (7) the Route field. • Examples • sip:uabfrth@134.138.228.159 sip:Fredrik.Thernelius@uab.ericsson.se
Transportation protocol for SIP • It’ independent of service of any specific transport protocol • TCP, UDP, ATM AAL5, IPX, frame relay, X.25
SIP Terminology • User Agent • User Agent Client (UAC) • User Agent Server (UAS) • SIP Server • SIP Proxy server • SIP Redirect Server • Call leg –to identify a session between two SIP clients • Call-ID • The From field • The To field
SIP message structure • Based on the Augmented Backus-Naur Form (ABNF) [RFC 2234] • Syntax specification • “ | ” • “ () ” • CRLF - the end-of- line indicator, carriage return followed by line feed • “ * ” • Example • SIP-message =Request | Response • generic-message = start-line *message-header CRLF [ message-body ]
SIP message structure (cont) • Example • start-line = Request-Line | Status-Line message-header = ( general-header | request-header | response-header | entity-header ) • message-header = field-name ":" [ field-value ] CRLF • Request = Request-Line *( general-header | request-header | entity-header ) CRLF [message-body] Request-Line = Method SP Request-URI SP SIP-Version CRLF Method = "INVITE" | "ACK" | "OPTIONS" | "BYE" | "CANCEL" | "REGISTER“ • Response = Status-Line *( general-header | response-header | entity-header ) CRLF [ message-body ] Status-Line = SIP-version SP Status-Code SP Reason-Phrase CRLF Status-Code = Informational | Success | Redirection | Client-Error | Server-Error | Global-Failure | extension-code
Summary of SIP requests • INVITE • ACK • OPTIONS • BYE • CANCEL • REGISTER
Internet Firewalls • Packet filtering Gateways • Stateful • Stateless • Do not have ability to make changes to content • On per interface and per direction
Application Level Gateways • It works as proxies similar with circuit level gateway • On other occasions, it runs in cooperation with a firewall performing NAT • Some features • Doesn’t support particular service/application • It supports TCP and UDP (TFTP) • With a NAT, it will examine the application data
IP addressing issues • IPv4 • IPv6 • Private Addresses
NAT • Static NAT • Requires the same number of globally unique IP addresses • The same mapping between local addresses and global addresses • Dynamic NAT • NAPT • Some problems • If a session is not initiated from the inside • SIP, put IP addresses and port numbers inside the application data in the IP packets
Introduction to Security in SIP • Encryption • End-to-end between user agents, or hop-by-hop between SIP entities • To work on transport level or the network level • Suggested in IPSec • Basic rules • All header fields must not be encrypted • All header fields that are not encrypted must precede those that are encrypted • An encryption header must be inserted to indicate the encryption mechanism • The responses to encrypted should be encrypted with a key
Hide Route • Via field encryption • Intermediate proxies encrypts either the entire Via list or only the top-most entry
Summary • Next issues • Implementation of an ALG for SIP • RSIP • Integrity of SIP and current network equipments is very interesting
Reference • SIP, NAT, and Firewalls Master’s Thesis By Fredrik Thernelius • http://cui.unige.ch/db-research/Enseignement/analyseinfo/AboutBNF.html • RFC2234