a survey of sip peering - lars...
TRANSCRIPT
![Page 1: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/1.jpg)
A survey of SIP Peering
Lars Strand (presenter)andWolfgang Leister
NATO ASIARCHITECTS OF SECURE NETWORKS (ASIGE10)17-22 May 2010
![Page 2: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/2.jpg)
ASIGE10 - Lars Strand
![Page 3: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/3.jpg)
ASIGE10 - Lars Strand
![Page 4: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/4.jpg)
ASIGE10 - Lars Strand
Switchboard operators
![Page 5: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/5.jpg)
ASIGE10 - Lars Strand
![Page 6: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/6.jpg)
ASIGE10 - Lars Strand
![Page 7: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/7.jpg)
ASIGE10 - Lars Strand
Problem: Scalability
the New York Telephone Exchange 1888
Salt Lake City, over 50 women, ca 1914
![Page 8: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/8.jpg)
ASIGE10 - Lars Strand
Automatic telephone exchange
![Page 9: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/9.jpg)
ASIGE10 - Lars Strand
Public Switched Telephony Network (PSTN)
● Standardization body: • International Telecommunication
Union Standardization (ITU-T) can be traced back to 1865.
● Historically: • Big operators (only one for smaller
countries)
• Peering agreement between them
• E.164 addresses (telephone numbers)
![Page 10: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/10.jpg)
ASIGE10 - Lars Strand
Plain Old Telephony Service (POTS)
➔ “Just works”
➔ 100+ year old technology
➔ PSTN 99.999% uptime (D.R. Kuhn, 1997) (<5 min/year)
“Can call anyone, anytime, anywhere with a good-quality telephonic conversation”
“This is an elusive, currently-unachievable goal for the VoIP-industry” (Minoli, 2006)
![Page 11: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/11.jpg)
ASIGE10 - Lars Strand
Voice over IP (VoIP)
● VoIP is here to stay:● Cheaper (both communication and operational costs)● More functionality (video, presence, IM, …)● High industry focus
● VoIP loaded with security issues● Inherit (traditional) packet switched network security
issues and introduces new ones (because of new technology).
![Page 12: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/12.jpg)
ASIGE10 - Lars Strand
"It's appalling how much worse VoIP is compared to the PSTN. If these problems aren't fixed, VoIP is
going nowhere."
--- Philip Zimmerman on VoIP security in
“SIP Security”, Sisalem et. al. (2009)
![Page 13: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/13.jpg)
ASIGE10 - Lars Strand
![Page 14: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/14.jpg)
ASIGE10 - Lars Strand
VoIP – how does it work?● Session Initiation Protocol (SIP) is the de facto standard signaling
protocol for VoIP● Application layer (TCP, UDP, SCTP)
● Setting up, modifying and tearing down multimedia sessions
● Not media transfer (voice/video)
● Establishing and negotiating the context of a call
● RTP transfer the actual multimedia
● SIP specified in RFC 3261 published by IETF 2002● First iteration in 1999 (RFC2543) – over ten years old
● Additional functionality specified in over 120 different RFCs(!)
● Even more pending drafts...
● Known to be complex and sometimes vague – difficult for software engineers to implement
● Interoperability conference - “SIPit”
![Page 15: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/15.jpg)
ASIGE10 - Lars Strand
![Page 16: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/16.jpg)
ASIGE10 - Lars Strand
Excerpts from an email posted on IEFT RAI mailing list: I'm finally getting into SIP. I've got Speakeasy VoIP service, two sipphone accounts, a Cisco 7960 and a copy of x-ten on my Mac.
And I still can't make it work. Voice flows in one direction only. I'm not even behind a NAT or firewall -- both machines have global addresses, with no port translations or firewalls.
I've been working with Internet protocols for over 20 years. I've implemented and contributed to them. And if *I* can't figure out how to make this stuff work, how is the average grandmother expected to do so? SIP is unbelievably complex, with extraordinarily confusing terms. There must be half a dozen different "names" -- Display Name, User Name, Authorization User Name, etc -- and a dozen "proxies". Even the word "domain" is overloaded a half dozen different ways. This is ridiculous!
Sorry. I just had to get this off my chest. Regards,
Reference: http://www.ietf.org/mail-archive/web/rai/current/msg00082.html
![Page 17: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/17.jpg)
ASIGE10 - Lars Strand
SIP message syntax - INVITE
v=0o=alice 2060633878 2060633920 IN IP4 156.116.8.106s=SIP callc=IN IP4 156.116.8.106t=0 0m=audio 8000 RTP/AVP 0 8 3 98 97 101.............
Via: SIP/2.0/UDP 156.116.8.106:5060;rport;branch=z9hG4bK2EACE3AF14BF466648A37D2E1B587744From: Alice <sip:alice@NR>;tag=2093912507To: <sip:bob@NR>Contact: <sip:[email protected]:5060>Call-ID: [email protected]: 41961 INVITEMax-Forwards: 70Content-Type: application/sdpUser-Agent: X-Lite release 1105dContent-Length: 312
Message body(SDP content)
Messageheaders
Start line(method)
INVITE sip:bob@NR SIP/2.0
![Page 18: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/18.jpg)
ASIGE10 - Lars Strand
SIP exampleDirect call UA to UA
● Caller must know callee's IP or hostname● No need for intermediate SIP nodes● Problems:
– Traversing firewalls / NAT– Must know IP/hostname of user– Mobility – change IP/hostname
![Page 19: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/19.jpg)
ASIGE10 - Lars Strand
SIP example
![Page 20: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/20.jpg)
ASIGE10 - Lars Strand
Global reachability?
● SIP has won the “signaling battle” (over H.323)● (like SMTP won over X.400)
● SIP incorporates many elements from HTTP and SMTP
● Design goal: Global reachability like SMTP● We call this the “email model”
● SIP has reached deployment worldwide● VoIP has reached high penetration both in companies and for ISP
customers
● But very few open SIP servers – like originally planned
● Why?
![Page 21: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/21.jpg)
ASIGE10 - Lars Strand
SIP follows an “email alike model”
1) Email and SIP addresses are structured alike● username@domain
● address-of-record (AoR): sip:[email protected]
2) Both SIP and email rely on DNS● Map domain name to a set of ingress points that handle the particular connection
3) The ingress points need to accept incoming request from the Internet
4) No distinction between end-users and providers
● Any end-user can do a DNS lookup and contact the SIP server directly
5) No need for a business relationship between providers● Since anyone can connect
6) Clients (usually) do not talk directly to each other – often one or more intermediate SIP/SMTP nodes
● Read more: RFC 3261 and RFC3263
![Page 22: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/22.jpg)
ASIGE10 - Lars Strand
Why has the email model failed?
1) Business – “sender keeps all” → breaks tradition● The traditional economic model is based on termination fee
● Since anybody can connect to anybody, no business relationship is needed
● No (economical) incentives for providers to deploy open SIP servers providers
2) Legal requirements → written for PSTN● Operators must comply to a wide range of regulatory requirements
● Example: Wiretapping, caller-id, hidden number, emergency calls, etc
3) Security considerations
A) Unwanted calls (SPIT)
B) Identity
C) Attack on availability (DoS)
![Page 23: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/23.jpg)
ASIGE10 - Lars Strand
A) Unwanted calls (SPIT)
● Hard – unknown attack vector● When there are enough open SIP servers, attackers will start to exploit them
● Low amount of SPIT today (because few open SIP servers)
● Worse than SPAM● Content only available after the user picks up the phone = harder to filter and detect
than email
● Users tend to pick up the phone when it rings = disruptive (users can choose when to check their email)
● A number of SPIT mitigation strategies has been proposed (active research)
● The research project “SPIDER” looked at SPIT● Good informative deliverables
● Project finished
“We're afraid of SPIT, so we don't have open SIP Servers”
![Page 24: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/24.jpg)
ASIGE10 - Lars Strand
B) Identity● PSTN
● Provide (reasonable) good caller-id
● Providers trust each others signaling
● SIP's email model breaks this
● Anyone can send
● SIP (INVITE) easily spoofed
● The SIP authentication is terrible
● Modeled (copied) after HTTP Digest authentication
● SIP also support TLS (and certificate authentication) but very limited deployment
● “SIP Identity” tries to fix this (RFC4474)
● Rely on certificates
● Not based on transitive trust between providers
● No one uses this
“Since SIP has so poor identity handling, we don't want to expose our SIP servers to the Internet”
![Page 25: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/25.jpg)
ASIGE10 - Lars Strand
C) Attack on availability (DoS)● Denial of Service (DoS) attacks are HARD!
● Simple and effective: Send more bogus traffic than the recipient can handle
● No simple solution to prevent DoS
● Example: DDoS for sale - The ad scrolls through several messages, including
● "Will eliminate competition: high-quality, reliable, anonymous."
● "Flooding of stationary and mobile phones."
● "Pleasant prices: 24-hours start at $80. Regular clients receive significant discounts."
● "Complete paralysis of your competitor/foe."Reference: http://isc.sans.org/diary.html?storyid=5380
“We're terrified to become a victim of a DDoS attack”
![Page 26: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/26.jpg)
ASIGE10 - Lars Strand
So, what is the result?
Providers do NOT have open SIP servers
All non-local calls are sent to the PSTN
Why is that a bad thing?
![Page 27: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/27.jpg)
ASIGE10 - Lars Strand
Disadvantages1) Administrative overhead – more systems to keep track of
● IP-to-PSTN gateway
2) More expensive than “SIP only”
● Must pay a termination fee to the PSTN provider
● Must maintain the IP-to-PSTN gateway
3) Poor(er) voice quality
● Voice must be transcoded from G.711 to the PSTN (and back again)
● Can not use wide-band codecs, like G.722 that provides superior sound quality (“HD sound”)
4) Only applies to voice – miss out other functionality that SIP supports
● IM, presence, mobility, etc.
![Page 28: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/28.jpg)
ASIGE10 - Lars Strand
SIP Peering● Peering overcome these disadvantages
● Do not need an open SIP server on the Internet
● Industry has started to do this ad-hoc● But not standardized in any way
![Page 29: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/29.jpg)
ASIGE10 - Lars Strand
SPEERMINT
● IETF has recognized that SIP Peering must be standardized● (New) Working Group (WG) will fix that
● “Session PEERing for Multimedia INTerconnect” (SPEERMINT)
● Goal:● Identify architecture requirements
● Discuss security considerations
● Define best practices for SIP peering
● “Get SIP to work reliably in a worldwide deployment”
● Documents:
● RFC5486: Session Peering for Multimedia Interconnect (SPEERMINT) Terminology
● RFC5344: Presence and Instant Messaging Peering Use Cases
● And several drafts pending
![Page 30: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/30.jpg)
ASIGE10 - Lars Strand
SPEERMINT architecture
![Page 31: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/31.jpg)
ASIGE10 - Lars Strand
Telephone number mapping (ENUM)
● Example: +47 2134 5678● How do we find the domain name and route the request?
● E.164 NUmber Mapping (ENUM)● Telephone numbers are organized in the E.164 standard
● IP adresses on Internet uses DNS
● E.164 + DNS = ENUM
● New DNS zone: e164.arpa● example: tel:+47 2123 4567 → 7.6.5.4.3.2.1.2.7.4.e164.arpa → DNS lookup
● Originally planned to be global● All the world (PSTN) phone numbers should be reachable via ENUM
● (Part of the “email model” of SIP)
● Did not happened
● Used locally within SSP and between peers
![Page 32: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/32.jpg)
ASIGE10 - Lars Strand
Peering scenarios
1) Static – peering between SSP1 and SSP2 is pre-provisioned independent of any SIP sessions between users
2) Ondemand – peering is established when a SIP session between SSP1 and SSP2 are needed
A) Direct – direct peer between SSP1 and SSP2
B) Indirect or transit – via an intermediate SSP● In combination with assisted LUF/LRF● XConnect
![Page 33: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/33.jpg)
ASIGE10 - Lars Strand
Federation
“A group of SSPs which agree to receive calls from each other via SIP, and who agree on a set of administrative rules for such calls (settlement, abuse-handling, ...) and the specific rules for the technical details.”
Can this scale globally?
![Page 34: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/34.jpg)
ASIGE10 - Lars Strand
Further work
● Identity? Is it solved by peering?
a) SIP Identity (RFC4474) → Require PKI
b) Transitive trust between SSPs? (Combine RFC3324 and RFC3325) → Utopian?
c) Multi-factor authentication?
d) Web-of-trust? (aka PGP)● SPIT? Is it solved by peering?
● DDoS? Is it solved by peering?
Some discussion in “SPEERMINT Security Threats and Suggested Countermeasures”, IETF draft pending.
![Page 35: A Survey of SIP Peering - Lars Strandlarsstrand.no/NR/papers/conf/asige10/ASIGE10-presentation.pdf · Any end-user can do a DNS lookup and contact the SIP server directly 5) No need](https://reader035.vdocuments.us/reader035/viewer/2022070912/5fb3dcaf79cb66459b0bb0de/html5/thumbnails/35.jpg)
ASIGE10 - Lars Strand
Thank you
Project homepage: http://eux2010sec.nr.no