intro to sip draft final

Upload: andrey-konovalov

Post on 05-Apr-2018


TRANSCRIPT

  • 8/2/2019 Intro to SIP Draft Final

    1/122

    SIP Tutorial: Introduction to SIP

    Original Slides by Alan Johnston and Henry Sinnreich, MCI (at VON03)

  • 8/2/2019 Intro to SIP Draft Final

    2/122

    2

    Contents

    SIP Overview
    SIP in detail
    SIP Call Flow Scenarios
    SIP Security
    SIP Programming
    Some Related Works

  • 8/2/2019 Intro to SIP Draft Final

    3/122

    SIP Overview

    What SIP is, Multimedia Protocol Stack, Short History and Related Protocols are included.

  • 8/2/2019 Intro to SIP Draft Final

    4/122

    4

    Why packet switching? Why SIP?

    [Chart: Technology evolution of PSTN. Series: electromech, analog, digital. X-axis: 1980 to 2001; Y-axis: 0 to 100.]

  • 8/2/2019 Intro to SIP Draft Final

    5/122

    5

    Session Initiation Protocol Overview

    Application Layer Signaling Protocol

    Used to establish, modify, and terminate multimedia sessions
    Part of Internet Multimedia Architecture
    Can use UDP, TCP, TLS, SCTP, etc.
    Based on HTTP (Web)
      Similar text-based structure
      Uses URIs (Uniform Resource Indicators)
    Applications include (but not limited to):
      Voice, video, gaming, instant messaging, presence, call control, etc.

  • 8/2/2019 Intro to SIP Draft Final

    6/122

    6

    Security & Privacy

    SIP Authentication
      Challenge/Response based on shared secret - SIP Digest
      Mechanism also used by HTTP
      Used for client devices
    Encryption using private/public keys
      Used between servers
    Privacy and security
      SIP signaling can be encrypted
      S/MIME (Secure/Multipurpose Internet Mail Extensions): defined in RFC 2633
      SIP can be transported over IPSec: defined in RFC 2401
      TLS (Transport Layer Security): defined in RFC 2246

  • 8/2/2019 Intro to SIP Draft Final

    7/122

    7

    Internet Multimedia Protocols

    RTSP

  • 8/2/2019 Intro to SIP Draft Final

    8/122

    8

    A Short History of SIP

    Internet Engineering Task Force (IETF) protocol

    Inventors: M. Handley, H. Schulzrinne, E. Schooler, and J. Rosenberg
    Became Proposed Standard and RFC 2543 in March 1999 in MMUSIC WG.
    Separate SIP WG established in September 1999.
    Now new SIPPING (applications) and SIMPLE (presence and instant messaging) WGs using SIP.
    RFC2543bis-09 I-D became RFC 3261 in June 2002
    Added four new authors: G. Camarillo, A. Johnston, J. Peterson, and R. Sparks.

    Entire spec rewritten for clarity, but some new features

    Mostly backwards compatible with RFC 2543

  • 8/2/2019 Intro to SIP Draft Final

    9/122

    9

    SIP Requests and Responses

    SIP Responses use a numerical code and a reason phrase
    Classes:
      1xx Informational
      2xx Final
      3xx Redirection
      4xx Client Error
      5xx Server Error
      6xx Global Failure
    Example: 404 Not Found

    SIP Request types are called methods
    Methods in base spec:
      INVITE
      ACK
      OPTIONS
      CANCEL
      BYE
      REGISTER

  • 8/2/2019 Intro to SIP Draft Final

    10/122

    10

    Related Protocols: SDP

    SIP carries (encapsulates) SDP messages
      SDP specifies codecs and media termination points
      Only one of many possible MIME attachments carried by SIP
    SDP - Session Description Protocol
      Used to describe media session.
      Carried as a message body in SIP messages.
      Is a text-based protocol
      Uses RTP/AVP Profiles for common media types
      Defined by RFC 2327
      E.g. RFC 3551 RTP Profile for Audio and Video Conferences with Minimal Control

  • 8/2/2019 Intro to SIP Draft Final

    11/122

    11

    Related Protocol: RTP

    RTP - Real-time Transport Protocol
      Used to transport media packets over IP
      RTP adds a bit-oriented header containing:
        name of media source
        timestamp
        codec type
        sequence number
      Defined by H. Schulzrinne et al, RFC 1889.
      Profiles defined by RFC 1890.
      RTCP for exchange of participant and quality reports.

  • 8/2/2019 Intro to SIP Draft Final

    12/122

    12

    SIP Uniform Resource Indicators (URIs)

    Same form as email addresses: user@domain
    Two URI schemes:
      sip:[email protected] is a SIP URI
        Most common form introduced in RFC 2543
      sips:[email protected] is a Secure SIP URI
        New scheme introduced in RFC 3261
        Requires TLS over TCP as transport for security
    Two types of SIP URIs:
      Address of Record (AOR) (identifies a user)
        sip:[email protected] (Needs DNS SRV records to locate SIP Servers for mci.com domain)
      Contact (identifies a device and is usually a Fully Qualified Domain Name, FQDN)
        sip:[email protected] or sip:[email protected] (Which needs no resolution for routing)

  • 8/2/2019 Intro to SIP Draft Final

    13/122

    13

    SIP Trapezoid

    [Diagram: User Agent A, Outbound Proxy Server, Inbound Proxy Server, User Agent B, DNS Server and Location Server. Links are labelled SIP, DNS and Media (RTP).]
  • 8/2/2019 Intro to SIP Draft Final

    14/122

    14

    SIP Elements - User Agents

    Capable of sending and receiving SIP requests.
      UAC - User Agent Client
      UAS - User Agent Server
    End Devices
      SIP phone
      PC/laptop with SIP Client
      PDA
      mobile phone
    PSTN Gateways are a type of User Agent

    [Diagram: User Agent A, Outbound Proxy Server, Inbound Proxy Server, User Agent B, DNS Server and Location Server. Links are labelled SIP, DNS and Media (RTP).]
  • 8/2/2019 Intro to SIP Draft Final

    15/122

    15

    SIP Elements - Proxy Servers

    Forward or proxy requests on behalf of User Agents
    Consult databases:
      DNS
      Location Server
    Types:
      Stateless
      Transaction Stateful
      Call Stateful
    No media capabilities
      Ignore SDP.
    Normally bypassed once dialog established, but can Record-Route to stay in path.

    [Diagram: User Agent A, Outbound Proxy Server, Inbound Proxy Server, User Agent B, DNS Server and Location Server. Links are labelled SIP, DNS and Media (RTP).]
  • 8/2/2019 Intro to SIP Draft Final

    16/122

    16

    SIP Elements - Other Servers

    Location Server
      Database of locations of SIP User Agents
      Queried by Proxies in routing
      Updated by User Agents by Registration
    DNS Server
      SRV (Service) Records used to locate Inbound Proxy Servers

    [Diagram: User Agent A, Outbound Proxy Server, Inbound Proxy Server, User Agent B, DNS Server and Location Server. Links are labelled SIP, DNS and Media (RTP).]
  • 8/2/2019 Intro to SIP Draft Final

    17/122

    17

    SIP Client and Server

    SIP Elements are either
      User Agents (end devices that initiate and terminate media sessions)
      Servers (that assist in session setup)
        Proxies
        Registrars
        Redirect servers
    A User Agent acts as a
      Client when it initiates a request (UAC)
      Server when it responds to a request (UAS)

  • 8/2/2019 Intro to SIP Draft Final

    18/122

    18

    SIP Registrar, 1

    SIP server that can receive and process REGISTER requests

    A user has an account created which allows them to REGISTER contacts with a particular server

    The account specifies a SIP Address of Record (AOR)

  • 8/2/2019 Intro to SIP Draft Final

    19/122

    19

    SIP Registrar, 2

    SIP Registrars store the location of SIP endpoints
    Each SIP endpoint Registers with a Registrar using its Address of Record and Contact address
    Address of Record for John Smith in From: header
      From: John Smith

  • 8/2/2019 Intro to SIP Draft Final

    20/122

    20

    Proxy Server

    SIP Proxy servers route SIP messages

    Stateless Proxies use stateless protocols like UDP to talk to endpoints
      Low Proxy overhead
      Ephemeral connections, dropped as soon as message is forwarded
    Stateful Proxies use TCP or other stateful protocols to set up a permanent connection
      High Proxy overhead
      Endpoint connection must be set up, maintained and torn down for the duration of the session

  • 8/2/2019 Intro to SIP Draft Final

    21/122

    21

    SIP Proxy Server

    SIP Server which acts on behalf of User Agents

    Receives a SIP request

    Adds some headers

    Modifies some of the headers

    Forwards request to next hop server or client

  • 8/2/2019 Intro to SIP Draft Final

    22/122

    22

    Stateless vs. Stateful Proxy

    Stateless Proxy

    Forwards every request downstream and response upstream

    Keeps no state (does not have any notion of a transaction)

    Never performs message retransmissions

    Stateless proxies scale very well

    can be very fast
    good for network cores

    Stateful Proxy

    Maintains state information for the duration of either the:

    Transaction (request)

    Transaction Stateful

    Dialogue (from INVITE to BYE)

    Dialogue Stateful

    Performs message retransmission

  • 8/2/2019 Intro to SIP Draft Final

    23/122

    23

    SIP Redirect Server

    Receives a request and returns a redirection response (3xx)

    Contact header in response indicates where request should be retried

    Similar to database query

    All Server types are logical NOT Physical

  • 8/2/2019 Intro to SIP Draft Final

    24/122

    24

    Locating SIP Servers

    Manual provisioning

    DHCP SIP Option 120

    RFC 3361

    Multicast (deprecated)

    DNS SRV method

    Get local domain name automatically from DHCP server

    Perform SRV record query through DNS on that domain for _sip._udp.

    Send SIP REGISTER message to resolved server

    phone is up and running without user intervention

  • 8/2/2019 Intro to SIP Draft Final

    25/122

    SIP in detail

    Now, we are going to study SIP in detail including SIP Request, SIP Response and SIP Header

  • 8/2/2019 Intro to SIP Draft Final

    26/122

    26

    SIP Request Methods, 1

    SIP used for Peer-to-Peer Communication though it uses a Client-Server model
    Requests are called methods
    Six methods are defined in base RFC 3261:
      INVITE
      ACK
      OPTIONS
      BYE
      CANCEL
      REGISTER

  • 8/2/2019 Intro to SIP Draft Final

    27/122

    27

    SIP Request Methods, 2

    REGISTER
      Register contact with Registrar
    INVITE/ACK/BYE/CANCEL/UPDATE
      Creates, negotiates and tears down a call (dialogue)
    MESSAGE
      Creates an Instant Messaging session
    SUBSCRIBE
      Subscribe to a service (like message waiting indication)
    NOTIFY
      Notify a change in service state (new Voicemail)

  • 8/2/2019 Intro to SIP Draft Final

    28/122

    28

    SIP Methods - INVITE, 1

    INVITE requests the establishment of a session

    Carried in Message Body (SDP)

    Type of session

    IP Address

    Port

    Codec

  • 8/2/2019 Intro to SIP Draft Final

    29/122

    29

    SIP Methods - INVITE, 2

    An INVITE during an existing session (dialogue) is called a re-INVITE
    re-INVITEs can be used to
      Place calls on or remove calls from hold
      Change session parameters and codecs
    The SIP UPDATE method is the proposed replacement for this technique

  • 8/2/2019 Intro to SIP Draft Final

    30/122

    30

    SIP Methods - ACK

    ACK completes the three way session setup handshake (INVITE, final response, ACK)

    Only used for INVITE

    If INVITE did not contain media information

    ACK must contain the media information

  • 8/2/2019 Intro to SIP Draft Final

    31/122

    31

    SIP Methods - OPTIONS

    OPTIONS requests the capabilities of another User Agent
    Response lists supported methods, extensions, codecs, etc.
    User Agent responds to OPTIONS the same as if an INVITE (e.g. if Busy, returns 486 Busy Here)

    Very basic presence information

  • 8/2/2019 Intro to SIP Draft Final

    32/122

    32

    SIP Methods - BYE and CANCEL

    BYE terminates an established session
      User Agents stop sending media packets (RTP)
    CANCEL terminates a pending session.
      INVITE sent but no final response (non-1xx) yet received.
      User Agents and Proxies stop processing INVITE
      Can be sent by a proxy or User Agent
      Useful for forking proxy
        Parallel search using multiple registration Contacts.
        First successful wins, rest are cancelled.

  • 8/2/2019 Intro to SIP Draft Final

    33/122

    33

    SIP Methods - REGISTER

    Registration allows a User Agent to upload current location and URLs to a Registrar
    Registrar can upload into Location Service
    Incoming requests can then be proxied or redirected to that location
    Built in SIP support of mobility
      UAs do not need static IP addresses
      Obtain IP address via DHCP, REGISTER indicating new IP Address as contact

  • 8/2/2019 Intro to SIP Draft Final

    34/122

    34

    SIP Request URI

    The Request-URI indicates the destination address of the request
    Proxies and other servers route requests based on Request-URI.
    The Request-URI is modified by proxies as the address is resolved.

    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
    Max-Forwards: 70
    To: Bob
    From: Alice ;tag=1928301774
    Call-ID: [email protected]
    CSeq: 314159 INVITE
    Contact:
    Content-Type: application/sdp
    Content-Length: 142

    (Alice's SDP not shown)

    Request-URI

  • 8/2/2019 Intro to SIP Draft Final

    35/122

    35

    SIP From and To Tags

    Tags are pseudo-random numbers inserted in To or From headers to uniquely identify a call leg
    INVITE request From header contains a tag
    Any User Agent or Server generating a response adds a tag to the To header in the response

    To: sip:[email protected];tag=123456

  • 8/2/2019 Intro to SIP Draft Final

    36/122

    36

    SIP Method - INFO

    Used to transport mid-call signaling information
    Only one pending INFO at a time
    Typical use - PSTN signaling message carried as MIME attachment
      E.g. ISDN User-to-User information

    Defined in RFC 2976

  • 8/2/2019 Intro to SIP Draft Final

    37/122

    37

    SIP Method - REFER

    Indicates that recipient (identified by the Request-URI) should contact a third party using the contact information provided in the request
    Typical Use: Call Transfer features
    Allowed outside an established dialogue

  • 8/2/2019 Intro to SIP Draft Final

    38/122

    38

    SIP Method - PRACK

    Provisional Response ACKnowledgement
    Used to acknowledge receipt of provisional response
      183 Session Progress
    Does not apply to 100 Trying responses
      Only provisional responses 101-199 may be sent reliably and acknowledged with PRACK

    If no PRACK sent, response retransmitted

    Defined in RFC 3262

  • 8/2/2019 Intro to SIP Draft Final

    39/122

    39

    SIP Methods - SUBSCRIBE and NOTIFY

    SUBSCRIBE requests notification of when a particular event occurs
      Use Expires=0 to unsubscribe
    A NOTIFY message is sent to indicate the event status

    Sample Applications

    Presence

    Message waiting indication for voicemail

    Defined in RFC 3265

  • 8/2/2019 Intro to SIP Draft Final

    40/122

    40

    SIP Method - MESSAGE

    Extension to SIP for Instant Messaging (IM)
    MESSAGE requests
      carry the content in the form of MIME body parts
      use the standard MIME headers to identify the content

  • 8/2/2019 Intro to SIP Draft Final

    41/122

    41

    SIP Responses

    SIP Requests generate Responses with codes borrowed from HTTP
    Classes:
      1xx Informational
      2xx Final
      3xx Redirection
      4xx Client Error
      5xx Server Error
      6xx Global Failure
    Response example: 404 Not Found

  • 8/2/2019 Intro to SIP Draft Final

    42/122

    42

    SIP Responses: 1xx-3xx

    SIP Response Code             Brief Description
    100 Trying                    Request received and action is being taken
    180 Ringing                   UA received INVITE and is alerting user
    181 Call Is Being Forwarded   Used by proxy to indicate call is being forwarded
    182 Queued                    Called party unavailable, call queued
    183 Session Progress          Used in early media and QoS setup
    200 OK                        Request successful
    300 Multiple Choices          Address resolved to several choices
    301 Moved Permanently         User can no longer be found at Req-URI address
    302 Moved Temporarily         Temporarily cannot find user at Req-URI address
    305 Use Proxy                 Resource MUST be accessed through proxy.
    380 Alternative Service       Call not successful. Alternatives possible.

  • 8/2/2019 Intro to SIP Draft Final

    43/122

    43

    SIP Responses: 4xx

    SIP Response Code                    Brief Description
    400 Bad Request                      Request not understood due to malformed syntax
    401 Unauthorized                     Request requires user authentication
    402 Payment Required                 Reserved for future use
    403 Forbidden                        UAS understood request and refuses to fulfill it
    404 Not Found                        UAS finds that user doesn't exist in the domain
    405 Method Not Allowed               Method is understood but not allowed
    406 Not Acceptable                   Response content not allowed by Accept header
    407 Proxy Authentication Required    Client must first authenticate itself with proxy
    408 Request Timeout                  UAS could not produce response in time
    410 Gone                             UAS resource unavailable; no forwarding addr.
    413 Request Entity Too Large         Request contains body longer than UAS accepts
    414 Request-URI Too Long             Req-URI longer than server is willing to interpret
    415 Unsupported Media Type           Format of the body not supported by UAS
    416 Unsupported URI Scheme           Scheme of URI unknown to server
    420 Bad Extension                    UAS not understand protocol extension
    421 Extension Required               UAS needs particular extension process request
    423 Registration Too Brief           Contact header field expiration time too small
    480 Temporarily Unavailable          UAS contacted successfully but user unavailable
    481 Call/Transaction Does Not Exist  UAS Rx request not matching any existing dialog
    482 Loop Detected                    UAS has detected a loop
    483 Too Many Hops                    UAS received request containing Max-Forwards=0
    484 Address Incomplete               UAS Rx request with incomplete Request-URI
    485 Ambiguous                        The Request-URI was ambiguous
    486 Busy Here                        UAS contacted successfully but user busy
    487 Request Terminated               Request terminated by a BYE or CANCEL request
    488 Not Acceptable Here              Same as 606 but only applies to addressed entity
    491 Request Pending                  UAS Rx req. & have pending req. for same dialog
    493 Undecipherable                   UAS Rx request with encrypted MIME body & not have decryption key

  • 8/2/2019 Intro to SIP Draft Final

    44/122

    44

    SIP Responses: 5xx-6xx

    SIP Response Code             Brief Description
    500 Server Internal Error     UAS unexpected condition & cannot fulfill request
    501 Not Implemented           UAS not support functionality to fulfill the request
    502 Bad Gateway               UAS Rx invalid response from a downstream server
    503 Service Unavailable       UAS can't process due to overload or maintenance
    504 Server Time-out           UAS not Rx response from external server
    505 Version Not Supported     UAS not support SIP version in request
    513 Message Too Large         Message length exceeded UAS capabilities
    600 Busy Everywhere           End systems contacted, user busy at all of them
    603 Decline                   End systems contacted, user explicitly decline
    604 Does Not Exist Anywhere   UAS has information Req-URI user not exist
    606 Not Acceptable            Some aspects of Session Desc. not acceptable

  • 8/2/2019 Intro to SIP Draft Final

    45/122

    45

    SIP Message Details

    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP proxy.munich.de:5060;branch=z9hG4bK8542.1
    Via: SIP/2.0/UDP 100.101.102.103:5060;branch=z9hG4bK45a35h76
    Max-Forwards: 69
    To: Heisenberg
    From: E. Schroedinger ;tag=312345
    Call-ID: [email protected]
    CSeq: 1 INVITE
    Contact: sip:[email protected]
    Content-Type: application/sdp
    Content-Length: 159

    First line of a SIP message is Start Line which contains:
      the method or Request type: INVITE (session setup request).
      the Request-URI which indicates who the request is for: sip:[email protected]
        Note: Request-URI can be either an AOR or Contact (FQDN)
        This Request-URI is a FQDN, but the initial Request-URI was an AOR (same as To URI)
      the SIP version number: SIP/2.0

  • 8/2/2019 Intro to SIP Draft Final

    46/122

    46

    SIP Headers

    SIP Requests and Responses contain Headers (similar to Email headers)

    Required Headers

    To

    From

    Via

    Call-ID

    CSeq

    Max-Forwards

    Optional Headers:

    Subject, Date, Authentication (and many others)

  • 8/2/2019 Intro to SIP Draft Final

    47/122

    47

    SIP Message Details

    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP proxy.munich.de:5060;branch=z9hG4bK8542.1
    Via: SIP/2.0/UDP 100.101.102.103:5060;branch=z9hG4bK45a35h76
    Max-Forwards: 69
    To: Heisenberg
    From: E. Schroedinger ;tag=312345
    Call-ID: [email protected]
    CSeq: 1 INVITE
    Contact: sip:[email protected]
    Content-Type: application/sdp
    Content-Length: 159

    Via headers show the path the request has taken
      The bottom Via header is inserted by the User Agent which initiated the request
      Additional Via headers are inserted by each proxy in the path
      The Via headers are used to route responses back the same way
    Required branch parameter contains a cookie (z9hG4bK) then a transaction-ID.

  • 8/2/2019 Intro to SIP Draft Final

    48/122

    48

    SIP Message Details

    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP proxy.munich.de:5060;branch=z9hG4bK8542.1
    Via: SIP/2.0/UDP 100.101.102.103:5060;branch=z9hG4bK45a35h76
    Max-Forwards: 69
    To: Heisenberg
    From: E. Schroedinger ;tag=312345
    Call-ID: [email protected]
    CSeq: 1 INVITE
    Contact: sip:[email protected]
    Content-Type: application/sdp
    Content-Length: 159

    Max-Forwards is a count decremented by each proxy that forwards the request.
    When count goes to zero, request is discarded and 483 Too Many Hops response is sent.
    Used for stateless loop detection.

  • 8/2/2019 Intro to SIP Draft Final

    49/122

    49

    SIP Message Details

    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP proxy.munich.de:5060;branch=z9hG4bK8542.1
    Via: SIP/2.0/UDP 100.101.102.103:5060;branch=z9hG4bK45a35h76
    Max-Forwards: 69
    To: Heisenberg
    From: E. Schroedinger ;tag=312345
    Call-ID: [email protected]
    CSeq: 1 INVITE
    Contact: sip:[email protected]
    Content-Type: application/sdp
    Content-Length: 159

    Dialog (formerly called call leg) information is in headers:
      To tag, From tag, and Call-ID (Note: Not URIs)
    To and From URIs usually contain AOR URIs.
    All requests and responses in this call will use this same Dialog information.
    Call-ID is unique identifier usually composed of pseudo-random string @ hostname or IP Address

  • 8/2/2019 Intro to SIP Draft Final

    50/122

    50

    SIP Message Details

    CSeq - Command Sequence Number
      Initialized at start of call (1 in this example)
      Incremented for each subsequent request
      Used to distinguish a retransmission from a new request
    Also contains the request type (method) - INVITE

    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP proxy.munich.de:5060;branch=z9hG4bK8542.1
    Via: SIP/2.0/UDP 100.101.102.103:5060;branch=z9hG4bK45a35h76
    Max-Forwards: 69
    To: Heisenberg
    From: E. Schroedinger ;tag=312345
    Call-ID: [email protected]
    CSeq: 1 INVITE
    Contact: sip:[email protected]
    Content-Type: application/sdp
    Content-Length: 159

  • 8/2/2019 Intro to SIP Draft Final

    51/122

    51

    SIP Message Details

    Contact header contains a SIP FQDN URI for direct communication between User Agents
      If Proxies do not Record-Route, they can be bypassed
      If Record-Route is present in 200 OK, then a Route header is present in all future requests in this dialog.
    Contact header is also present in 200 OK response

    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP proxy.munich.de:5060;branch=z9hG4bK8542.1
    Via: SIP/2.0/UDP 100.101.102.103:5060;branch=z9hG4bK45a35h76
    Max-Forwards: 69
    To: Heisenberg
    From: E. Schroedinger ;tag=312345
    Call-ID: [email protected]
    CSeq: 1 INVITE
    Contact: sip:[email protected]
    Content-Type: application/sdp
    Content-Length: 159

  • 8/2/2019 Intro to SIP Draft Final

    52/122

    52

    SIP Message Details

    Content-Type indicates the type of message body attachment (others could be text/plain, application/cpl+xml, etc.)
    Content-Length indicates the octet (byte) count of the message body.
    Message body is separated from SIP header fields by a blank line (CRLF).

    INVITE sip:[email protected] SIP/2.0
    Via: SIP/2.0/UDP proxy.munich.de:5060;branch=z9hG4bK8542.1
    Via: SIP/2.0/UDP 100.101.102.103:5060;branch=z9hG4bK45a35h76
    Max-Forwards: 69
    To: Heisenberg
    From: E. Schroedinger ;tag=312345
    Call-ID: [email protected]
    CSeq: 1 INVITE
    Contact: sip:[email protected]
    Content-Type: application/sdp
    Content-Length: 159

  • 8/2/2019 Intro to SIP Draft Final

    53/122

    53

    SDP Message Body Details

    v=0

    o=Tesla 289084526 28904529 IN IP4 lab.high-voltage.org

    s=-

    c=IN IP4 100.101.102.103

    t=0 0

    m=audio 49170 RTP/AVP 0

    a=rtpmap:0 PCMU/8000

    Version number (ignored by SIP)
    Origin (only version used by SIP - 28904529)
    Subject (ignored by SIP)
    Connection Data (IP Address for media - 100.101.102.103)
    Time (ignored by SIP)
    Media (type - audio, port - 49170, RTP/AVP Profile - 0)
    Attribute (profile - 0, codec - PCMU, sampling rate - 8000 Hz)
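The field-by-field reading above, as an added Python example (not from the original slides): it parses the slide's SDP body and returns the address, port and codec each media line announces, which are the values a media firewall or session border controller reads to decide where RTP may flow. The function names and the small static payload table are this example's own.

```python
# SDP body exactly as shown on the slide above.
SLIDE_SDP = """v=0
o=Tesla 289084526 28904529 IN IP4 lab.high-voltage.org
s=-
c=IN IP4 100.101.102.103
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""

# Static RTP/AVP payload types (RFC 3551), used when no a=rtpmap line is present.
STATIC_PAYLOADS = {"0": ("PCMU", 8000), "8": ("PCMA", 8000)}


def parse_sdp(text):
    """Parse the SDP lines the slide walks through into a dictionary."""
    session = {"media": []}
    scope = session  # c= and a= belong to the session until the first m= line
    for line in text.splitlines():
        if len(line) < 2 or line[1] != "=":
            raise ValueError("not an SDP line: %r" % line)
        kind, value = line[0], line[2:]
        if kind == "v":
            session["version"] = value
        elif kind == "o":
            user, sess_id, sess_version, _net, _addrtype, addr = value.split()
            session["origin"] = {"user": user, "id": sess_id,
                                 "version": sess_version, "address": addr}
        elif kind == "c":
            scope["connection"] = value.split()[2]
        elif kind == "m":
            media, port, proto, *formats = value.split()
            scope = {"type": media, "port": int(port.split("/")[0]),
                     "proto": proto, "formats": formats, "rtpmap": {}}
            session["media"].append(scope)
        elif kind == "a" and value.startswith("rtpmap:") and scope is not session:
            payload, encoding = value[len("rtpmap:"):].split(None, 1)
            name, rate = encoding.split("/")[:2]
            scope["rtpmap"][payload] = (name, int(rate))
    return session


def media_endpoints(session):
    """List (address, port, codecs) per m= line; a media-level c= overrides the session one."""
    result = []
    for m in session["media"]:
        codecs = [m["rtpmap"].get(f) or STATIC_PAYLOADS.get(f) or ("unknown", 0)
                  for f in m["formats"]]
        address = m.get("connection", session.get("connection"))
        result.append((address, m["port"], codecs))
    return result


if __name__ == "__main__":
    for endpoint in media_endpoints(parse_sdp(SLIDE_SDP)):
        print(endpoint)
```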

  • 8/2/2019 Intro to SIP Draft Final

    54/122

    54

    SIP Response Details

    Via, To, From, Call-ID, & CSeq are all copied from request.
    To now has a tag inserted by UAS
    Contact and Message Body contain UAS information.

    SIP/2.0 200 OK
    Via: SIP/2.0/UDP proxy.munich.de:5060;branch=z9hG4bK8542.1
    Via: SIP/2.0/UDP 100.101.102.103:5060;branch=z9hG4bK45a35h76
    To: Heisenberg ;tag=24019385
    From: E. Schroedinger ;tag=312345
    Call-ID: [email protected]
    CSeq: 1 INVITE
    Contact: sip:[email protected]
    Content-Type: application/sdp
    Content-Length: 173

    v=0
    o=Heisenberg 2452772446 2452772446 IN IP4 200.201.202.203
    s=SIP Call
    c=IN IP4 200.201.202.203
    t=0 0
    m=audio 56321 RTP/AVP 0
    a=rtpmap:0 PCMU/8000
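An added Python example, not part of the original slides, that applies the header rules from the message-detail and response-detail slides: required headers, the z9hG4bK branch cookie, CSeq, Content-Length, and the dialog identifiers (Call-ID, From tag, To tag). The sample messages are constructed; their SIP URIs and Call-ID are placeholders because the slide values are redacted, and all function names are this example's own.

```python
MAGIC_COOKIE = "z9hG4bK"  # branch prefix named on the Via slide
REQUIRED = ("to", "from", "via", "call-id", "cseq", "max-forwards")

# Constructed sample messages. Hosts, branches and tags follow the slides; the SIP
# URIs and Call-ID are placeholders, because the page's own values are redacted.
BODY = ("v=0\r\no=- 1 1 IN IP4 100.101.102.103\r\ns=-\r\n"
        "c=IN IP4 100.101.102.103\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
COMMON = (
    "Via: SIP/2.0/UDP proxy.munich.de:5060;branch=z9hG4bK8542.1\r\n"
    "Via: SIP/2.0/UDP 100.101.102.103:5060;branch=z9hG4bK45a35h76\r\n"
    "From: <sip:caller@example.org>;tag=312345\r\n"
    "Call-ID: constructed-id@100.101.102.103\r\n"
    "CSeq: 1 INVITE\r\n"
)
INVITE = (
    "INVITE sip:callee@host.example.net SIP/2.0\r\n" + COMMON
    + "Max-Forwards: 69\r\nTo: <sip:callee@example.net>\r\n"
    + "Content-Type: application/sdp\r\n"
    + "Content-Length: %d\r\n\r\n" % len(BODY) + BODY
)
OK_200 = (
    "SIP/2.0 200 OK\r\n" + COMMON
    + "To: <sip:callee@example.net>;tag=24019385\r\n"
    + "Content-Length: 0\r\n\r\n"
)


def parse(raw):
    """Split a SIP message into (start line, [(lowercased name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def values(headers, name):
    """All values of one header, in message order (Via normally repeats)."""
    return [v for n, v in headers if n == name]


def param(value, key):
    """Header parameter such as ;tag= or ;branch=, ignoring any inside <uri>."""
    tail = value.rsplit(">", 1)[-1]
    for part in tail.split(";")[1:]:
        k, _, v = part.partition("=")
        if k.strip().lower() == key:
            return v.strip()
    return None


def check_request(raw):
    """Return a list of problems found in a request; empty means it passed."""
    start, headers, body = parse(raw)
    parts = start.split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return ["malformed start line"]
    found = ["missing required header: " + h for h in REQUIRED if not values(headers, h)]
    for via in values(headers, "via"):
        if not (param(via, "branch") or "").startswith(MAGIC_COOKIE):
            found.append("Via branch lacks the z9hG4bK cookie: " + via)
    hops = values(headers, "max-forwards")
    if hops and not hops[0].isdigit():
        found.append("Max-Forwards is not a number")
    cseq = (values(headers, "cseq") or [""])[0].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != parts[0]:
        found.append("CSeq does not carry a number and the request method")
    if not param((values(headers, "from") or [""])[0], "tag"):
        found.append("From header has no tag")
    length = values(headers, "content-length")
    if length and (not length[0].isdigit() or int(length[0]) != len(body.encode())):
        found.append("Content-Length does not match the body size")
    return found


def check_response(request, response):
    """Compare a response with its request as the response-details slide describes."""
    _, req, _ = parse(request)
    _, rsp, _ = parse(response)
    found = [h + " was not copied from the request"
             for h in ("via", "from", "call-id", "cseq") if values(req, h) != values(rsp, h)]
    to_req, to_rsp = values(req, "to"), values(rsp, "to")
    if not to_rsp or not param(to_rsp[0], "tag"):
        found.append("To header has no tag added by the UAS")
    elif to_req and not to_rsp[0].startswith(to_req[0]):
        found.append("To header does not match the request")
    return found


def dialog_id(raw):
    """(Call-ID, From tag, To tag): the dialog information from the slides."""
    _, headers, _ = parse(raw)
    first = lambda h: (values(headers, h) or [""])[0]
    return first("call-id"), param(first("from"), "tag"), param(first("to"), "tag")


if __name__ == "__main__":
    print(check_request(INVITE), check_response(INVITE, OK_200), dialog_id(OK_200))
```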

  • 8/2/2019 Intro to SIP Draft Final

    55/122

    SIP Call Flow Scenarios

    As follows

  • 8/2/2019 Intro to SIP Draft Final

    56/122

    56

    SIP Call Flow Scenarios

    Call Attempt - Unsuccessful

    Presence Subscription

    Registration

    Presence Notification

    Instant Message Exchange

    Call Setup Successful

    Call Hold

    Call Transfer

    Call Flows and full message details:

    SIP Basic Call Flow Examples I-D by A. Johnston et al.

    SIP Service Examples I-D by A. Johnston et al.


  • 8/2/2019 Intro to SIP Draft Final

    57/122

    57

    SIP Call Setup Attempt Scenario

    1. A dials SIP AOR URI sip:[email protected]. User Agent A sends INVITE to outbound Proxy Server.
    2. Outbound Proxy sends 100 Trying response.

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Location Server, Inbound Proxy Server, User Agent B (Not Signed In). Messages shown: 1. INVITE (Contact: A, SDP A); 2. 100 Trying.]
  • 8/2/2019 Intro to SIP Draft Final

    58/122

    58

    SIP Call Setup Attempt Scenario

    3. Outbound Proxy does DNS query to find proxy server for mci.com domain
    4. DNS responds with IP address of mci.com Proxy Server

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Location Server, Inbound Proxy Server, User Agent B (Not Signed In). Messages shown: 1. INVITE (Contact: A, SDP A); 2. 100 Trying; 3. DNS Query: mci.com?; 4. Response: 1.2.3.4.]
  • 8/2/2019 Intro to SIP Draft Final

    59/122

    59

    SIP Call Setup Attempt Scenario

    5. Outbound Proxy sends INVITE to Inbound Proxy Server.
    6. Inbound Proxy sends 100 Trying response.

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Location Server, Inbound Proxy Server, User Agent B (Not Signed In). Messages shown: 1. INVITE (Contact: A, SDP A); 2. 100 Trying; 3. DNS Query: mci.com?; 4. Response: 1.2.3.4; 5. INVITE (Contact: A, SDP A); 6. 100 Trying.]
  • 8/2/2019 Intro to SIP Draft Final

    60/122

    60

    SIP Call Setup Attempt Scenario

    7. Inbound Proxy consults Location Server.
    8. Location Server responds with Not Signed In.

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Location Server, Inbound Proxy Server, User Agent B (Not Signed In). Messages shown: 1. INVITE (Contact: A, SDP A); 2. 100 Trying; 3. DNS Query: mci.com?; 4. Response: 1.2.3.4; 5. INVITE (Contact: A, SDP A); 6. 100 Trying; 7. LS Query: B?; 8. Response: Not Signed In.]
  • 8/2/2019 Intro to SIP Draft Final

    61/122

    61

    SIP Call Setup Attempt Scenario

    9. Inbound Proxy sends 480 Temporarily Unavailable response.
    10. Outbound Proxy sends ACK response.

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Location Server, Inbound Proxy Server, User Agent B (Not Signed In). Messages shown: 1. INVITE (Contact: A, SDP A); 2. 100 Trying; 3. DNS Query: mci.com?; 4. Response: 1.2.3.4; 5. INVITE (Contact: A, SDP A); 6. 100 Trying; 7. LS Query: B?; 8. Response: Not Signed In; 9. 480 Temporarily Unavailable; 10. ACK.]
  • 8/2/2019 Intro to SIP Draft Final

    62/122

    62

    SIP Call Setup Attempt Scenario

    Outbound

    Proxy Server

    Inbound

    Proxy Server

    DNS Server LocationServer

    11. Outbound Proxyforwards 480 response

    to A.12. A sends ACK response.

    3. DNS Query:mci.com?

    2. 100 Trying

    4. Response:1.2.3.4

    6. 100 Trying

    7. LS Query: B? 8. Response:Not Signed

    In

    9. 480 Temporarily Unavailable

    11. 480 Temporarily Unavailable

    10. ACK

    12. ACK

    User Agent B(Not Signed In)

    User Agent A

    1. INVITEContact: ASDP A

    5. INVITEContact: ASDP A

    SIP Presence Example

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Presence Server, User Agent B (Not Signed In)]

    1. A wants to be informed when B signs on, so sends a SUBSCRIBE

    2. Outbound Proxy forwards to Inbound Proxy

    3. Inbound Proxy forwards to B's Presence Server

    Messages shown in the diagram:

    1. SUBSCRIBE
    2. SUBSCRIBE
    3. SUBSCRIBE

    SIP Presence Example

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Presence Server, User Agent B (Not Signed In)]

    4. Presence Server authorizes subscription by sending a 200 OK.

    5. & 6. 200 OK proxied back to A.

    Messages shown in the diagram:

    1. SUBSCRIBE
    2. SUBSCRIBE
    3. SUBSCRIBE
    4. 200 OK
    5. 200 OK
    6. 200 OK

    SIP Presence Example

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Presence Server, User Agent B (Not Signed In)]

    7. Presence Server sends NOTIFY containing current presence status of B (Not Signed In).

    8. and 9. NOTIFY is proxied back to A.

    10. A acknowledges receipt of notification with 200 OK.

    11. & 12. 200 OK is proxied back to B's Presence Server.

    Messages shown in the diagram:

    7. NOTIFY
    8. NOTIFY
    9. NOTIFY
    10. 200 OK
    11. 200 OK
    12. 200 OK

    SIP Registration Example

    [Diagram: User Agent A, Outbound Proxy Server (label shown twice), DNS Server, Location Server, User Agent B]

    1. B signs on to his SIP Phone which sends a REGISTER message containing the FQDN URI of B's User Agent.

    2. Database update is sent to the Location Server

    Messages shown in the diagram:

    1. REGISTER (Contact: [email protected])
    2. Update database: B = [email protected]

    SIP Registration Example

    [Diagram: User Agent A, Outbound Proxy Server (label shown twice), DNS Server, Location Server, User Agent B]

    3. Location Server database update is confirmed.

    4. Registration is confirmed with a 200 OK response.

    Messages shown in the diagram:

    1. REGISTER (Contact: [email protected])
    2. Update database: B = [email protected]
    3. OK
    4. 200 OK (Contact: [email protected])

    SIP Presence Example

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Presence Server, User Agent B]

    13. Presence Server learns of B's new status from the Location Server and sends a NOTIFY containing new status of B (Signed In).

    14. & 15. NOTIFY is proxied back to A.

    16. A acknowledges receipt of notification with 200 OK.

    17. & 18. 200 OK is proxied back to Presence Server.

    Messages shown in the diagram:

    13. NOTIFY
    14. NOTIFY
    15. NOTIFY
    16. 200 OK
    17. 200 OK
    18. 200 OK

    SIP Instant Message Scenario

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Location Server, User Agent B]

    1. A sends an Instant Message to B saying "Can you talk now?" in a MESSAGE request.

    2., 3. & 4. MESSAGE request is proxied, Location Server queried.

    5. Inbound Proxy forwards MESSAGE to B.

    6. User Agent B responds with 200 OK.

    7. & 8. 200 OK is proxied back to A.

    Messages shown in the diagram:

    1. MESSAGE
    2. MESSAGE
    3. LS Query: B?
    4. Response: sip:[email protected]
    5. MESSAGE
    6. 200 OK
    7. 200 OK
    8. 200 OK

    SIP Instant Message Scenario

    [Diagram: User Agent A, Inbound Proxy Server, Location Server, DNS Server, Outbound Proxy Server, User Agent B]

    1. B sends an Instant Message to A saying "Sure." in a MESSAGE sent to A's AOR URI.

    2. & 3. DNS Server is queried.

    4. Outbound Proxy forwards MESSAGE to Inbound Server.

    5. & 6. Location Server is queried.

    7. Inbound Proxy forwards to A.

    8. User Agent A responds with 200 OK.

    9. & 10. 200 OK is proxied back to B.

    Messages shown in the diagram:

    1. MESSAGE
    2. DNS Query: globalipcom.com?
    3. Response: 5.6.7.8
    4. MESSAGE
    5. LS Query: A?
    6. Response: sip:[email protected]
    7. MESSAGE
    8. 200 OK
    9. 200 OK
    10. 200 OK

    SIP Call Setup Attempt Scenario

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Location Server, User Agent B]

    1. to 5. A retries INVITE to B which routes through two Proxy Servers.

    6. Location Server responds with the FQDN SIP URI of B's SIP Phone.

    7. Inbound Proxy Server forwards INVITE to B's SIP Phone.

    Messages shown in the diagram:

    1. INVITE (Contact: A, SDP A)
    2. 100 Trying
    3. INVITE (Contact: A, SDP A)
    4. 100 Trying
    5. LS Query: B
    6. Response: sip:[email protected]
    7. INVITE (Contact: A, SDP A)

    SIP Call Setup Scenario

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Location Server, User Agent B]

    8. User Agent B alerts B and sends 180 Ringing response.

    9. & 10. 180 Ringing is proxied back to A.

    Messages shown in the diagram:

    8. 180 Ringing
    9. 180 Ringing
    10. 180 Ringing

    SIP Call Setup Scenario

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Location Server, User Agent B]

    11. B accepts call and User Agent B sends 200 OK response.

    12. & 13. 200 OK is proxied back to A.

    Messages shown in the diagram:

    8. 180 Ringing
    9. 180 Ringing
    10. 180 Ringing
    11. 200 OK (Contact: B, SDP B)
    12. 200 OK (Contact: B, SDP B)
    13. 200 OK (Contact: B, SDP B)

    SIP Call Setup Scenario

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Location Server, User Agent B]

    14. ACK is sent by A to confirm setup call bypassing proxies.

    Media session begins between A and B!

    Messages shown in the diagram:

    8. 180 Ringing
    9. 180 Ringing
    10. 180 Ringing
    11. 200 OK (Contact: B, SDP B)
    12. 200 OK (Contact: B, SDP B)
    13. 200 OK (Contact: B, SDP B)
    14. ACK
    Media (RTP)

    SIP Call Hold (re-INVITE)

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Location Server, User Agent B]

    15. B places A on hold by sending a re-INVITE.

    16. A accepts with a 200 OK.

    17. B sends ACK to A.

    No media between A and B.

    Messages shown in the diagram:

    15. INVITE (SDP a=sendonly)
    16. 200 OK (SDP A)
    17. ACK

    SIP Call Transfer Scenario

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Location Server, User Agent B]

    18. B transfers A to C using REFER.

    19. Transfer is accepted by A with 202 Accepted response.

    20. Notification of trying transfer is sent to B in NOTIFY.

    21. B sends 200 OK response to NOTIFY

    Messages shown in the diagram:

    18. REFER (Refer-To: sip:[email protected])
    19. 202 Accepted
    20. NOTIFY
    21. 200 OK

    SIP Call Transfer Scenario

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Location Server, User Agent B, User Agent C]

    1. to 5. A sends new INVITE to C which routes through two Proxy Servers.

    6. Location Server responds with the FQDN SIP URI of C's SIP Phone.

    7. Inbound Proxy Server forwards INVITE to C's SIP Phone.

    Messages shown in the diagram:

    1. INVITE (Contact: A, Ref-By: B, SDP A)
    2. 100 Trying
    3. INVITE (Contact: A, Ref-By: B, SDP A)
    4. 100 Trying
    5. LS Query: C?
    6. Response: sip:[email protected]
    7. INVITE (Contact: A, Ref-By: B, SDP A)

    SIP Call Transfer Scenario

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Location Server, User Agent B, User Agent C]

    8. User Agent C alerts C and sends 180 Ringing response.

    9. & 10. 180 Ringing is proxied back to A.

    11. C accepts call and sends 200 OK response.

    12. & 13. 200 OK is proxied back to A.

    14. ACK is sent by A to confirm setup call.

    Media session between A and C begins.

    Messages shown in the diagram:

    8. 180 Ringing
    9. 180 Ringing
    10. 180 Ringing
    11. 200 OK (Contact: C, SDP C)
    12. 200 OK (Contact: C, SDP C)
    13. 200 OK (Contact: C, SDP C)
    14. ACK
    Media (RTP)

    SIP Call Transfer Scenario

    [Diagram: User Agent A, Outbound Proxy Server, DNS Server, Inbound Proxy Server, Location Server, User Agent B]

    20. Notification of successful transfer is sent to B in NOTIFY.

    21. B sends 200 OK response to NOTIFY

    22. B hangs up by sending a BYE.

    23. 200 OK response to BYE is sent.

    Messages shown in the diagram:

    20. NOTIFY
    21. 200 OK
    22. BYE
    23. 200 OK


    SIP Security

    Authorization

    SIP uses standard HTTP Digest Authentication with minor revisions

    Simple Challenge/Response scheme

    REGISTER ->
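
    The challenge/response scheme on this slide, worked through for a REGISTER as an added example (not from the original slides): Digest per RFC 2617 with MD5 and qop=auth, plus the registrar-side checks for a forged or stale nonce and a repeated nonce count. The realm, user, password and all class and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def ha1(username, realm, password):
    """H(A1): the value a server can store instead of the cleartext password."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 request-digest for qop=auth (MD5)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def answer_challenge(username, password, uri, challenge, nc=1):
    """Client side: build the Authorization parameters for a REGISTER."""
    nc_hex, cnonce = f"{nc:08x}", secrets.token_hex(8)
    response = digest_response(ha1(username, challenge["realm"], password),
                               "REGISTER", uri, challenge["nonce"], nc_hex, cnonce)
    return {"username": username, "realm": challenge["realm"], "uri": uri,
            "nonce": challenge["nonce"], "nc": nc_hex, "cnonce": cnonce,
            "response": response}


class Registrar:
    """Constructed registrar side of the exchange (hypothetical class)."""

    def __init__(self, realm, ha1_by_user, nonce_ttl=30, clock=time.time):
        self.realm = realm
        self.ha1_by_user = ha1_by_user
        self.nonce_ttl = nonce_ttl
        self.clock = clock
        self._key = secrets.token_bytes(32)  # signs nonces, stays on the server
        self._last_nc = {}                   # nonce -> highest nonce count accepted

    def _mac(self, ts):
        return hmac.new(self._key, ts.encode(), hashlib.sha256).hexdigest()[:32]

    def challenge(self):
        """Parameters for the WWW-Authenticate header of the 401 response."""
        ts = str(int(self.clock()))
        return {"realm": self.realm, "nonce": f"{ts}-{self._mac(ts)}",
                "qop": "auth", "algorithm": "MD5"}

    def _nonce_state(self, nonce):
        ts, _, mac = nonce.partition("-")
        if not hmac.compare_digest(mac.encode(), self._mac(ts).encode()):
            return "forged-nonce"            # not issued by this registrar
        if self.clock() - int(ts) > self.nonce_ttl:
            return "stale-nonce"             # client must fetch a new challenge
        return "ok"

    def handle_register(self, request_uri, creds=None):
        """Return (status, detail) for a REGISTER with optional credentials."""
        if creds is None:
            return 401, self.challenge()
        try:
            nonce, nc_hex = creds["nonce"], creds["nc"]
            user, cnonce, response = creds["username"], creds["cnonce"], creds["response"]
            nc = int(nc_hex, 16)
        except (KeyError, ValueError):
            return 400, "malformed-authorization"
        state = self._nonce_state(nonce)
        if state != "ok":
            return 401, state
        if nc <= self._last_nc.get(nonce, 0):
            return 401, "replayed-nonce-count"
        # Unknown users get a random H(A1) so the comparison can never match.
        stored = self.ha1_by_user.get(user) or secrets.token_hex(16)
        expected = digest_response(stored, "REGISTER", request_uri, nonce, nc_hex, cnonce)
        if creds.get("realm") != self.realm or not hmac.compare_digest(
                expected.encode(), response.encode()):
            return 401, "bad-credentials"
        self._last_nc[nonce] = nc
        return 200, "registered"


def demo():
    """Walk the exchange with a fake clock; all values are constructed."""
    now = [1_000_000]
    realm, uri = "example.invalid", "sip:example.invalid"
    reg = Registrar(realm, {"bob": ha1("bob", realm, "constructed-pw")},
                    clock=lambda: now[0])
    out = []
    status, chal = reg.handle_register(uri)             # REGISTER without credentials
    out.append(status)
    creds = answer_challenge("bob", "constructed-pw", uri, chal)
    out.append(reg.handle_register(uri, creds))         # REGISTER with Authorization
    out.append(reg.handle_register(uri, creds))         # same message sent again
    out.append(reg.handle_register(uri, answer_challenge("bob", "guess", uri, chal, nc=2)))
    now[0] += 31                                        # nonce lifetime exceeded
    out.append(reg.handle_register(uri, answer_challenge("bob", "constructed-pw", uri, chal, nc=3)))
    return out


if __name__ == "__main__":
    print(demo())
```

    The digest only proves knowledge of the password; it does not encrypt the signaling, which is why the slides that follow add TLS and S/MIME.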

    TLS and sips:

    Implementation of TLS is mandatory for proxies, redirect servers and registrars

    The ;transport=tls URI parameter value is deprecated

    A sips: URI scheme (otherwise identical to the sip: scheme) indicates that all hops between the requestor and the resource identified by the URI must be encrypted with TLS.

    If the request is retargeted once the resource is reached, it must use secured transports.

    S/MIME

    Provides end-to-end security of message body and/or headers.

    Certificate identified by end user address

    Public key can be transported in SIP

    Entire message can be protected by tunneling the message in an S/MIME body

    [Diagram labels: Header Fields, Header Fields, Body, Signature]

    Attacks

    IPhreakers

    IP knowledge

    Known weaknesses

    Evolution 2600Hz -> voicemail/intl GWs -> IP telephony

    Internal or external threat ?

    Targets: home user, enterprise, government, etc ?

    Protocol implementations

    PROTOS

    The human element

    Attacks : denial of service

    Denial of service

    Network Protocol (SIP INVITE)

    Systems / Applications

    Phone

    Availability (BC/DR)

    Requires: power

    Alternatives (Business Continuity/Disaster Recovery) ?

    E911 (laws and technical aspect)

    GSM

    PSTN-to-GSM

    Attacks : fraud

    Call-ID spoofing

    User rights takeover

    Fake authentication server

    Effects

    Access to voicemail

    Value added numbers

    Social engineering

    Replay

    Attacks: interception

    Interception

    Who talks with who (Network sniffing, Servers (SIP, CDR, etc))

    LAN

    Physical access to the LAN

    ARP attacks

    Unauthenticated devices (phones and servers)

    Different layers (MAC address, user, physical port, etc)

    Where to intercept ?

    Where is the user located ?

    Networks crossed ?

    Lawful Intercept

    CALEA

    ETSI standard

    Architecture and risks

    Attacks : systems

    Systems

    Mostly none is hardened by default

    Worms, exploits, Trojan horses

    Attacks : phone

    (S)IP phone

    Startup

    DHCP, TFTP, etc.

    Physical access

    Hidden configuration tabs

    TCP/IP stacks

    Firmware/configuration

    Trojan horse/rootkit

    Defense

    Signaling: SIP

    Secure SIP vs SS7 (physical security)

    Transport: Secure RTP (with MIKEY)

    Network: QoS [LLQ] (and rate-limit)

    Firewall: application level filtering

    Phone: signed firmware

    Identification: TLS

    Clients by the server

    Servers by the client

    3P: project, security processes and policies


    SIP Programming

    SIP based Application Interfaces

    These include :

    JAIN SIP

    Low level and very complex API

    CNRSIP API is one of the available reference implementations.

    SIP Servlets

    proposed within JAIN

    SIP API for J2ME

    intermediate level API (minimal SIP knowledge required)

    SIP CGI

    CPL (Call Processing Language)

    XML based

    HTTP Servlets

    HTTP Java Servlets Widely Used in Web Application Development

    Applications Consist of Sets of HTTP Servlets, Each of Which Processes a Single Web Request in the Application

    HTTP Servlets Return Web Pages to Display

    HTTP Servlets Can Create Session Data, e.g., shopping cart, that spans multiple requests

    Container Manages HTTP Servlet Lifecycles, Fault Tolerance, Session State

    HTTP Servlets Collected into a War File (Web Archive)

    [Diagram labels: HTTP Servlets, Web Server, Developer, Deployer, War File]

    SIP Servlet API

    Java extension API for SIP servers

    Similar in spirit to HTTP servlet API

    Server matches incoming messages against local rules in order to decide which servlet to pass message to

    The API gives full control to servlets to handle SIP messages, e.g.

    has full access to headers and body
    proxy or redirect requests
    respond to or reject requests
    forward responses upstream
    initiate requests

    Servers may choose to provide constrained environment to selected servlets (e.g. using sandbox security model)

    Basic SIP Servlet Model

    [Diagram labels: Servlet Engine, SIP Server, requests, responses, requests, responses, servlet, servlet]

    Location of SIP Server and servlet engine:

    in same Java Virtual Machine
    different process, same host
    different hosts: 1:1, 1:n, n:1, n:m

    Example: Routing Services

    [Diagram labels: Server, servlet, UAC, UAS, SIP, SIP, RTP]

    Servlet proxies request to one or more destinations - forwards response to caller

    Example: Servlet as UAS

    [Diagram labels: Server, servlet, UAC, SIP, RTP]

    Servlets can reject (screen) calls

    Can accept and set up media streams

    Benefits of Servlet Model

    Powerful:

    Full access to SIP signaling

    Performance:

    No need to fork new process for each request

    The same servlet can handle many requests simultaneously

    Safety: type checked; no pointers; exception handling

    Convenience: high level abstractions.

    Tight integration with server: logging, security, location database

    Lifecycle model allows servlets to

    maintain state, e.g. database connections
    manage timers

    Access to wide range of APIs

    An Example: RejectServlet


    import org.ietf.sip.*;

    public class RejectServlet extends SipServletAdapter {
        // Status code and reason phrase sent in reply to every INVITE
        protected int statusCode;
        protected String reasonPhrase;

        public void init(ServletConfig config) {
            super.init(config);
            try {
                statusCode = Integer.parseInt(getInitParameter("status-code"));
                reasonPhrase = getInitParameter("reason-phrase");
            } catch (Exception e) {
                // Missing or non-numeric status-code: fall back to a server error
                statusCode = SC_INTERNAL_SERVER_ERROR;
            }
        }

        // Reject the incoming INVITE with the configured response
        public boolean doInvite(SipRequest req) {
            SipResponse res = req.createResponse();
            res.setStatus(statusCode, reasonPhrase);
            res.send();
            return true;
        }
    }

    Relationship to JAIN SIP

    JAIN SIP is a generic, low-level interface for accessing SIP services

    Can be used in

    Clients
    Servers
    Gateways

    Focuses purely on the protocol

    Complete access to SIP capabilities

    Supports transactions only

    SIP Servlet Container is a particular application of JAIN SIP

    [Diagram labels: SIP Protocol, SIP Servlet Container, Servlet, JAIN SIP, SIP Servlet API, Servlet]

    Relationship to JAIN SIP

    Servlets focus on high volume carrier grade servers

    Add significant, non-SIP protocol functions

    Lifecycle management
    Domain objects
    Context and configuration
    Deployment descriptors
    Archive files
    Synchronization primitives
    Security

    Add significant SIP protocol functions

    Construction of requests and responses from domain objects

    Hide many parts of JAIN SIP

    Direct access to many headers is not provided

    Write access to most everything is often restricted

    Servlets should be defined to allow a SIP container to be built using JAIN SIP

    SIP Objects in Servlet API defined with interfaces that match JAIN SIP signatures

    Cannot directly expose JAIN SIP objects, though

    SIP CGI

    Almost identical to HTTP CGI

    Language independent (Perl, Tcl, C, C++, ...)

    Any binary may be executed as a separate program

    Suitable for services that contain substantial web content

    Passes message parameters through environment variables to a separate program.

    More flexible but more risky

    Feb. 1, 2001: RFC 3050 (Common Gateway Interface for SIP) published

    Call Processing Language (CPL)

    Designed by the IETF to support sophisticated telephony services

    May be used by both SIP and H.323.

    XML based scripting language for describing and controlling call services

    Simple Syntax

    Extendible

    Easily edited by GUI tools

    Scripts run on network SIP signaling server to create end user services

    Lightweight CPL interpreter is needed to parse & validate scripts

    CPL Example


    A simple script that blocks anonymous callers


    Some Related Works

    Parlay

    IMS

    IPv6

    Why Parlay is Important to Galaxy

    Open standard

    Range of services

    Many levels of sophistication and complexity

    Secure framework for discovery of and access to services by third party applications

    Registration of non-Parlay service APIs

    Independent of specific network and software environment

    Why Unified Communications?

    [Diagram labels: MPEG, Private, Private, Job, Messages, Fax, E-mail, V-mail, SMS, Fixed, Job, Calls, Mobile, VoIP, IM]

    Architecture I:

    [Diagram labels: SIP, INAP, MAP, ISUP, Parlay, Application]

    Parlay as a Unifying Technology

    Architecture II:

    [Diagram labels: Gateway to Other Networks, IP network, SIP, Application, Servlet/CGI/CPL Script]

    SIP as a Unifying Technology

    Key Questions

    Which of these two models is correct, or are there opportunities for both approaches to co-exist?

    How well can a generic network API sit on top of SIP? For example, would it severely limit a developer, and what advantages would it offer?

    Which aspects of network functionality will actually be useful in practice to developers?

    Parlay within Galaxy

    [Diagram labels: SIP clients, PSTN Platform, BT VB Apps, Parlay Gateway, DCOM, BT C++ Apps, CORBA, SIP Proxy, VOIP gateway, Appium, Unified Comms Application, 3rd Party Applications]

    Feasibility: A proof of concept prototype ...

    [Diagram labels: Player 1, Player 2, Player 3, Game server, Parlay, MRFC, MRFP, RTP, SIP, Game events, XML over JXTA]

    Some Challenges for Parlay

    Which technologies should Parlay support?

    How can interoperability testing be encouraged?

    How can Parlay get feedback from developers?

    Sizeable specifications with complex interfaces and data types give long learning curve for developers?

    Although specifications are maturing, still few Parlay products commercially available. Why?

    How does Parlay keep pace with new protocols?

    Parlay on a SIP Network ?

    Parlay adds security to SIP

    Parlay provides many features not available in SIP APIs

    Parlay provides a network independent model

    BUT...

    SIP APIs can make some simpler solutions for some applications envisaged by Parlay group

    Parlay could support SIP better

    SO...

    SIP will have a significant impact on the future of Parlay

    SIP and Parlay can already work well together and are a powerful combination

    Global SIP/IMS deployment needs IPv6

    Introduction of SIP-based peer-to-peer services is an important step after current client-server based services.

    IP Multimedia Subsystem (IMS) is a service infrastructure based on the use of Session Initiation Protocol (SIP).

    3GPP Release 5 and 6 specifications

    3GPP2 specifications

    In order to make peer-to-peer services work between different operators' networks, IPv6 is needed - peer-to-peer services work well only with public IP addresses.

    Small scale IMS deployment / piloting can be started with IPv4.

    IPv6 is vital for wider scale, global IMS deployment.

    Example of peer-to-peer IP connectivity

    [Diagram labels: Thomas, Peter, CSCF, UMS, SIP, IPv6, IP Connection, Game data; on-screen controls: Invite player, Accept, Decline, Quit, Chat, Push to Stream; timers Peter: 00:00:00, Thomas: 00:00:00]

    Thomas challenges you to a game of checkers!

    Peter accepted the challenge!

    Example of peer-to-peer IP connectivity

    [Diagram labels: Thomas, Peter, CSCF, UMS, SIP, IPv6, IP Connection, Game data, Chat; on-screen controls: Invite player, Push to Stream, Quit, Chat; timers Peter: 00:00:00, Thomas: 00:00:00]

    Chat

    > Peter: I am going to win this time!

    > Thomas: Yeah right, in your dreams!

    Example of peer-to-peer IP connectivity

    [Diagram labels: Thomas, Peter, CSCF, UMS, SIP, IPv6, IP Connection, Game data, Streaming video; on-screen controls: Invite player, Push to Stream, Quit; timers Peter: 00:00:00, Thomas: 00:00:00]

    Chat

    > Peter: hey, look what just passed by!

    Peter chooses to add a streaming component to share what he is seeing

    Streaming video from Peter:

    Future mobile services = serverless media

    [Diagram labels: Thomas, Peter, CSCF, UMS, SIP, IPv6, IP Connection, Game data, Chat; timers Peter: 00:00:00, Thomas: 00:00:00]

    No NATs in between, public IP addresses are needed

    Example services: gaming, chat, streaming, Voice/video over IP, etc.

    The SIP/IMS user plane is peer-to-peer in nature - SIP/IMS sessions between mobiles in different Private IPv4 address spaces become highly complicated. This is why public IP addresses are required. The only future proof solution is provided by IPv6.

    Standardized technology enablers for new mobile services are here today

    [Diagram labels: MMS, Java, XHTML and TCP/IP, Color displays, Imaging and camera integration, Multimedia Streaming, Presence, Positioning, DRM, GPRS, EDGE, WCDMA, CDMA2000, Multimode, Video, MIDI, Symbian, IPv6, SIP, Bluetooth, WLAN]

    Technology and Application Trends

    2G radio interface (GSM / EDGE)

    IPv4

    Client-server connectivity

    SMS text messaging, WAP browsing, MMS multimedia messaging

    2G and 3G radio interfaces (WCDMA / CDMA2000)

    IPv4/IPv6 dual stack

    Peer-to-peer connectivity

    Richer, IP-based Applications

    HTTP/TCP/IP browsing
    Presence
    Instant Messaging
    Multimedia streaming
    Gaming
    Voice and video telephony
    Sharing
    Etc.

    Multi-access IMS

    Common IP version (=IPv6) makes the multi-access case much easier

    [Diagram labels: GGSN, P-CSCF, S-CSCF, IMS (IPv6), 3GPP access nw, PDSN, 3GPP2 access nw, WLAN access nw, P-CSCF, SIP, P-CSCF; legend: SIP Signaling for building up the session, User IP data]

    References

    Anders Kristensen, Hewlett-Packard Laboratories, Bristol, U.K

    Nicolas FISCHBACH, Senior Manager, IP Engineering/Security - COLT Telecom

    Jonathan Rosenberg, Dynamicsoft

    Ed Luff, Newport Networks

    Patrick Ferriter, ZULTYS