1 / 41

SIP, NAT, and Firewalls

SIP, NAT, and Firewalls. Outline. Understanding the problem with SIP and Firewalls Overview of Internet Telephony and Voice over IP RTP SDP SIP Overview Internet Firewalls IP Addressing Issues Introduction to Security in SIP Summary Reference.

susan
Download Presentation

SIP, NAT, and Firewalls

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. SIP, NAT, and Firewalls

  2. Outline • Understanding the problem with SIP and Firewalls • Overview of Internet Telephony and Voice over IP • RTP • SDP • SIP Overview • Internet Firewalls • IP Addressing Issues • Introduction to Security in SIP • Summary • Reference

  3. Understanding the problems with SIP and Firewalls SIP Port 5060 Port ? Firewall RTP Firewall do not know a certain address and emphermal port

  4. Understanding the problems with SIP and Firewalls (cont) • SIP, declares where to send media to (IP address / Port number) NOT where it comes from • Now with private IP, the problem is not only what ports to open but also to change its IP addresses in SIP message and telling the firewall about its usage • End-to-end encryption and authentication is impossible in the exchange of addresses • ALG and Real Specific IP

  5. Overview of Internet Telephony and Voice over IP http://www.cisco.com/warp/public/788/voip/voip-nat-6.gif

  6. Overview of Internet Telephony and Voice over IP (cont) • RTP • SDP • SIP Overview

  7. Streaming Audio –the Real Time Protocol • In RTP header, the sequence number is used to detect lost and out of order packets • The reason for not supporting retransmission • Solution • To ignore the lost data • To extrapolate sound from previous audio samples to make up the lost ones • RTP uses UDP not TCP

  8. Processing and encapsulation

  9. The RTP header

  10. Real Time Control Protocol (RTCP) • RFC 1889 • The main purpose is to give feedback on the quality of the delivery of data • RTCP is sent periodically • RTP -> even port number ; RTCP -> higher and odd port number

  11. The Session Description Protocol • The three main objectives • To tell what kind of media you want to receive • To understand how the media to be coded • To inform where the addresses and port to be delivered to • Text based

  12. The Structure of SDP • The grammar for SDP is very structured and strict • <type>=<value> • Only one character in type-field and this character is in lower case

  13. SDP header fields • Session description • v= (protocol version) • o= (owner/creator and session identifier). • s= (session name) • i=* (session information) • u=* (URI of description) • e=* (email address) • p=* (phone number) • c=* (connection information - not required if included in all media) • b=* (bandwidth information) • One or more time descriptions • z=* (time zone adjustments) • k=* (encryption key) • a=* (zero or more session attribute lines) • Zero or more media descriptions • Time description • t= (time the session is active) • r=* (zero or more repeat times) • Media description • m= (media name and transport address) • i=* (media title) • c=* (connection information - optional if included at session-level) • b=* (bandwidth information) • k=* (encryption key) • a=* (zero or more media attribute lines) • * optional item

  14. SDP header fields (cont) • the origin field o=<username> <session id> <version> <network type> <address type> <address> • the connection field c=<network type> <address type> <connection address> • the media field m=<media> <port> <transport> <fmt list>

  15. Payload types (PT) for standard audio and video encodings

  16. SIP Overview • SIP, [RFC2543] • Call setup -1 • Between two users • It’s not mandatory for SIP to use SDP, but it is the only one defined so far

  17. Setting up a SIP session

  18. Call setup-2 with Routing SIP messages

  19. Call setup-2 (cont)

  20. SIP addresses • SIP addresses, the so-called SIP URL • Format sip:user@host • We could find SIP URLs in • (1) the Request line, (2) the To field, (3) the From field, (4) the Via field, (5) the Contact filed, (6) the Record-route field, and (7) the Route field. • Examples • sip:uabfrth@134.138.228.159 sip:Fredrik.Thernelius@uab.ericsson.se

  21. Transportation protocol for SIP • It’ independent of service of any specific transport protocol • TCP, UDP, ATM AAL5, IPX, frame relay, X.25

  22. SIP Terminology • User Agent • User Agent Client (UAC) • User Agent Server (UAS) • SIP Server • SIP Proxy server • SIP Redirect Server • Call leg –to identify a session between two SIP clients • Call-ID • The From field • The To field

  23. SIP message structure • Based on the Augmented Backus-Naur Form (ABNF) [RFC 2234] • Syntax specification • “ | ” • “ () ” • CRLF - the end-of- line indicator, carriage return followed by line feed • “ * ” • Example • SIP-message =Request | Response • generic-message = start-line *message-header CRLF [ message-body ]

  24. SIP message structure (cont) • Example • start-line = Request-Line | Status-Line message-header = ( general-header | request-header | response-header | entity-header ) • message-header = field-name ":" [ field-value ] CRLF • Request = Request-Line *( general-header | request-header | entity-header ) CRLF [message-body] Request-Line = Method SP Request-URI SP SIP-Version CRLF Method = "INVITE" | "ACK" | "OPTIONS" | "BYE" | "CANCEL" | "REGISTER“ • Response = Status-Line *( general-header | response-header | entity-header ) CRLF [ message-body ] Status-Line = SIP-version SP Status-Code SP Reason-Phrase CRLF Status-Code = Informational | Success | Redirection | Client-Error | Server-Error | Global-Failure | extension-code

  25. Summary of SIP requests • INVITE • ACK • OPTIONS • BYE • CANCEL • REGISTER

  26. Summary of SIP response codes

  27. Complete list of response codes

  28. Summary of SIP headers

  29. Internet Firewalls • Packet filtering Gateways • Stateful • Stateless • Do not have ability to make changes to content • On per interface and per direction

  30. Packet filtering Gateways

  31. Circuit-Level Gateways

  32. Application Level Gateways • It works as proxies similar with circuit level gateway • On other occasions, it runs in cooperation with a firewall performing NAT • Some features • Doesn’t support particular service/application • It supports TCP and UDP (TFTP) • With a NAT, it will examine the application data

  33. IP addressing issues • IPv4 • IPv6 • Private Addresses

  34. NAT • Static NAT • Requires the same number of globally unique IP addresses • The same mapping between local addresses and global addresses • Dynamic NAT • NAPT • Some problems • If a session is not initiated from the inside • SIP, put IP addresses and port numbers inside the application data in the IP packets

  35. Introduction to Security in SIP • Encryption • End-to-end between user agents, or hop-by-hop between SIP entities • To work on transport level or the network level • Suggested in IPSec • Basic rules • All header fields must not be encrypted • All header fields that are not encrypted must precede those that are encrypted • An encryption header must be inserted to indicate the encryption mechanism • The responses to encrypted should be encrypted with a key

  36. Encryption

  37. Authentication

  38. Authentication (cont)

  39. Hide Route • Via field encryption • Intermediate proxies encrypts either the entire Via list or only the top-most entry

  40. Summary • Next issues • Implementation of an ALG for SIP • RSIP • Integrity of SIP and current network equipments is very interesting

  41. Reference • SIP, NAT, and Firewalls Master’s Thesis By Fredrik Thernelius • http://cui.unige.ch/db-research/Enseignement/analyseinfo/AboutBNF.html • RFC2234

More Related