Post on 21-Dec-2015
Presented by: Shivanagouda Biradar, Yousof Pakzad
This presentation is submitted to Prof. El Saddik in partial fulfillment of the requirements for the course ELG 5121: Multimedia Communications
April 18, 2023
Multimedia Communications:
Introduction to SIP and
Securing SIP Solutions
School of Information Technology and Engineering (SITE), University of Ottawa
Shivangouda Biradar and Yousof Pakzad: Introduction to SIP and Securing SIP Solutions, SITE, April 18, 2023
Overview
- Introduction to SIP: Components, Messages, Applications, Benefits
- Secured Solutions: Security Requirements, Security Threats, Security Solutions, SIP, Firewall and NAT
- Conclusion and Future Directions
Telecommunication Network Migration
- PSTN network: traditionally centralized, voice-centric applications ($1 trillion industry worldwide)
- IP network: distributed, mostly used for text data and multimedia applications
[Diagram: a PSTN network (PSTN PBX, PSTN phones) alongside an IP network (IP routers, IP clients)]
IP Network and PSTN Network Convergence
- Seamless integration of telephony and conferencing with many other Internet applications, such as e-mail, text messaging, presence and instant messaging
[Diagram: the PSTN network (PSTN PBX, PSTN phones) joined to the IP network (IP routers, IP-enabled PBX, IP phones, IP softphones) through IP-PSTN gateways]
IP Call Processing Protocols
- H.323 (ITU)
- H.248/MEGACO/MGCP (ITU)
- SIP, Session Initiation Protocol (IETF)
[Diagram: protocol stack. Physical layer; link layer; IPv4, IPv6; transport: TCP, UDP; signaling: H.323, MGCP, SIP, RTSP; media: RTP; quality of service: RTCP, RSVP; multimedia applications (text, audio, video) on top]
SIP, Session Initiation Protocol
- SIP is an application layer signaling protocol used to set up, modify and tear down multimedia sessions
- Also used for presence notification and instant messaging over the Internet
- IETF standard (RFC 3261, 2002) for real-time multimedia communication signaling
- Approved by the Third-Generation Partnership Project (3GPP) as the signaling protocol for multimedia applications in 3G mobile networks
SIP Network Components
- Servers: Proxy, Redirect, Registration, Location, Conference
- Gateways: SIP-PSTN, SIP-H.323, SIP-MGCP
- Clients: User Agent Client, User Agent Server
[Diagram: an IP network with proxy/redirect, registration, location and conference servers, a corporate SIP soft-switch and corporate SIP gateway, SIP phones and SIP softphones; connected through a SIP-PSTN gateway to the PSTN network (PSTN PBX, PSTN phones, ISDN phones) and through a SIP-H.323 gateway to an H.323 network (H.323 terminals, H.323 softphones)]
SIP Applications
- End-to-end multimedia call setup
- Conference call setup
- Instant messaging
- User presence notification
- Unified messaging
- User mobility
- Value-added services on IP-enabled PBX
SIP Messages
Request messages:
- INVITE: invite a user
- ACK: response for INVITE
- BYE: terminate a call
- CANCEL: cancel a call
- REGISTER: register a URL
- OPTIONS: media capabilities
- SUBSCRIBE: request notification
- NOTIFY: event notification
- MESSAGE: instant message
Response messages:
- Provisional (informational only, not reliable): 100 Trying, 180 Ringing
- Final (guaranteed): 200 OK, 400 Bad Request, 401 Unauthorized, 407 Proxy Authorization Required
URI Registration
- User address: user@domain, user@host, user@IP_Address. Examples: im: [email protected]: [email protected]:[email protected]:[email protected]:[email protected]
- Telephone numbers: Phone_number@gateway. Examples: tel:411;phone-context=+1613, tel:5625800;phone-context=+1613, tel:+16135625800, sip:[email protected];user=phone
[Diagram: user registration. The user agent sends REGISTER to the registrar server, which forwards it to the location server; the registrar answers 200 OK]
SIP - Presence
- Presence functionality gives the opportunity to know who is online among your contact lists
- SUBSCRIBE and NOTIFY messages are used to subscribe to and notify presence
[Diagram: the presence agent of sip:[email protected] sends SUBSCRIBE through the presence servers to the presence agent of sip:[email protected] at aol.com, answered with 202 Accepted; NOTIFY travels back the same way and is answered with 200 OK at each hop]
SIP - Instant Messaging
- Instant messaging enables you to send short messages to another person
- Very useful for short requests and responses
- Has better real-time characteristics than e-mail
- Yahoo, AOL, MSN Messengers, etc.
[Diagram: MESSAGE from the IM agent of sip:[email protected] at yahoo.com through the yahoo.com and aol.com proxy servers to the IM agent of sip:[email protected] at aol.com, with 200 OK returned at each hop]
SIP - End-to-End Call Setup (Proxy)
[Diagram: call between the user agents sip:[email protected] and sip:[email protected] (aol.com) through two proxy servers. Message flow: INVITE (M1, M2), 100 Trying (M3, M5), 180 Ringing (M6, M7, M8), 200 OK (M9, M10, M11), ACK (M12), media session, BYE (M13), 200 OK (M14)]
- The SIP proxy server forwards requests on behalf of SIP agents
- It may update the SIP message before forwarding it to the called party
SIP - End-to-End Call Setup (Redirect)
[Diagram: call from sip:[email protected] to sip:[email protected] (uottawa.ca) via a redirect server and a proxy server. Message flow: INVITE (M1), 302 Moved Temporarily (M2), ACK (M3), INVITE (M4, M5), 100 Trying (M6), 180 Ringing (M7, M8), 200 OK (M9, M10), ACK (M11), media session, BYE (M12), 200 OK (M13)]
- The SIP redirect server responds to a UA request with a redirection response indicating the current location of the called party
SIP - Conference Setup
- Ad hoc: a point-to-point conversation is expanded with a series of INVITE messages (good for small groups)
- Meet me: a conferencing bridge is used to mix all the media and forward it on behalf of each client to the other participants as unicast; each participant establishes a point-to-point call to the conferencing bridge; good if all participants are interactive
- Interactive broadcast: a conferencing bridge is used, but the mixed media is sent to a multicast address instead of being unicast to each participant; can have active and passive participants; SIP signaling is required for interactive participants only
SIP - Mobility
- Terminal mobility (Mobile IP, SIP): the SIP user agent will be able to maintain its connections to the Internet as it moves from network to network and possibly changes its point of connection
- Personal mobility (SIP REGISTER): a SIP URI (similar to an e-mail address) is device independent; the user can use any end-device to receive and make calls
- Service mobility: a SIP user can keep the same services when mobile; services resident in the user agent can be accessed over the Internet (e.g. call forwarding)
Benefits of SIP
Features:
- Lightweight, ASCII-based protocol similar to HTTP, SMTP
- Reuses other IETF protocols, such as SDP, DNS, etc.
- Network independent
- Application/media independent
- Protocol interoperability
- Protocol extensibility
Benefits:
- Increasing market adoption
- Can be tightly integrated with Web-based services
- Can be used for any real-time application, including voice, video, text messaging, instant messaging and presence
- Availability of SIP-based products growing
- Simplifies development of applications
- Can be used with non-IP networks such as ATM, MPLS
- Can inter-work with H.323, PSTN/ISDN, mobile networks
- Can work with non-telephony applications
SIP Security
- SIP messages are sent in clear text
- SIP security is independent of media security
- SIP uses the existing network security mechanisms: TLS, S/MIME, PKI, etc.
[Diagram: SIP text messages flow from one SIP UA through the proxy server (which consults the location server) to the other SIP UA, while the media (RTP) flows directly between the two UAs]
[Diagram: the same topology with a location server and a DNS server beside the SIP proxy servers; SIP signaling passes through the proxies while the media (RTP) goes end to end between the SIP UAs]
SIP Security Threats
- SIP snooping, eavesdropping
- Tampering with the message bodies
- Replay attack
- Impersonating a server
- Impersonating users
- Registration hijacking
- Tearing down a session
- Denial of service and distributed DoS attack
SIP Security Requirements
- Authenticating users
- Authenticating servers (proxy, registrar, redirect)
- Message confidentiality and integrity
- Privacy
[Diagram: SIP text messages between the SIP UAs via the proxy server and location server; media (RTP) directly between the UAs]
SIP Security: Authentication
- Authenticating servers: TLS (Transport Layer Security, PKI certificates, RFC 2246); HTTP Digest (RFC 2617)
- Authenticating users: HTTP Digest (RFC 2617); TLS if users have certificates
- Authentication can be hop-by-hop or end-to-end
SIP Security: Confidentiality and Message Integrity
- End-to-end encryption: from the caller's UA to the callee's UA; covers the message body and some parts of the headers; uses S/MIME (Secure Multipurpose Internet Mail Extension, RFC 2633)
- Hop-by-hop encryption: protects header information that is needed by intermediaries; relies on network-level (IPsec) or transport-level (TLS) protocols
SIP Security Mechanisms: HTTP Digest
- A challenge-based authentication mechanism
- Based on the MD5 hash function
- Limitations of HTTP Digest: it requires a pre-existing shared secret key; scope of realm; not secure enough, based on secret keys not PKI; no message integrity protection; no confidentiality
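The challenge/response computation above, as an added example that is not part of the slides: the client-side RFC 2617 response a UA returns to a 401, and a registrar-side verifier that rejects stale nonces and replays. The realm, user and password are constructed for the example; the body-not-covered comment is the "no message integrity protection" limitation from the slide.

```python
import hashlib
import re
import secrets
import time

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side RFC 2617 response (qop=auth) that a UA computes for a 401/407 challenge.
    Only the method and Request-URI feed HA2: the body is not covered, which is the slide's
    'no message integrity protection' point."""
    ha1 = _md5(f"{user}:{realm}:{password}")  # needs the pre-shared secret
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_params(header: str) -> dict:
    """'Digest realm="x", nonce="y", ...' -> {'realm': 'x', 'nonce': 'y', ...}"""
    return dict(re.findall(r'(\w+)="?([^",]*)"?', header.split(" ", 1)[1]))

class DigestRegistrar:
    """Server side: hands out nonces, checks responses, refuses stale or replayed ones."""
    def __init__(self, realm, users, nonce_ttl=60.0):
        self.realm, self.users, self.nonce_ttl = realm, users, nonce_ttl
        self.issued = {}   # nonce -> time it was issued
        self.seen = set()  # (nonce, nc) pairs already accepted

    def challenge(self, now=None):
        nonce = secrets.token_hex(16)
        self.issued[nonce] = time.time() if now is None else now
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm=MD5'

    def verify(self, user, method, uri, auth, now=None):
        """auth: parsed Authorization params; True only for a fresh, correct response."""
        now = time.time() if now is None else now
        nonce, nc = auth.get("nonce"), auth.get("nc")
        if user not in self.users or nonce not in self.issued:
            return False
        if now - self.issued[nonce] > self.nonce_ttl:  # stale nonce: answer 401 with stale=true
            return False
        if (nonce, nc) in self.seen:  # same nonce and nonce-count seen before: replay
            return False
        expected = digest_response(user, self.users[user], self.realm, method, uri,
                                   nonce, nc, auth.get("cnonce", ""))
        if not secrets.compare_digest(expected, auth.get("response", "")):
            return False
        self.seen.add((nonce, nc))
        return True
```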
SIP Security Mechanisms: S/MIME
- S/MIME: Secure Multipurpose Internet Mail Extension
- Confidentiality and integrity of MIME message bodies
- SIP headers can also be encapsulated in a MIME body for end-to-end authentication, integrity and confidentiality
- End-to-end mutual authentication; S/MIME authentication does not require a shared secret key
- Requires a common PKI certificate authority
- Limitations of S/MIME: lack of infrastructure for user public key exchange; it can result in very large messages
SIP Security Mechanisms: TLS
- Authentication, integrity, confidentiality
- Usually used for server authentication; can authenticate clients, but requires distribution of client certificates
- Limitations of TLS: runs on TCP only, not UDP; offers only hop-by-hop authentication, and security in one hop does not mean security in other hops; more tightly integrated with the SIP application
SIP Security Mechanisms: IPsec
- Confidentiality, authentication and integrity
- Supports TCP and UDP
- Requires pre-shared keys
- Does not require integration with SIP
Secure SIP URI Scheme (SIPS)
- New URI scheme: SIPS:[email protected]
- MUST be implemented if you support TLS
- If the Request-URI is SIPS, all hops MUST be secure; if a hop cannot be secured, the transaction fails
SIP and Firewalls
- Challenge for SIP: problem for the media stream, since RTP will be blocked by firewalls
- Solutions: the firewall must understand SIP and open 'pin-holes' for the RTP; use Application-Level Gateways (ALG) trusted by the firewall; some firewalls have a built-in ALG; authentication and security policy are controlled by the ALG, not the firewall; the ALG is a B2BUA which proxies both the SIP signalling and the media stream
SIP and NAT
- Network Address Translators: serious problems for SIP! They change IP addresses and port numbers, so SIP messages are not routable
- Solutions: SIP has a mechanism to detect the presence of NAT; UAs and the proxy server can fix the IP addresses; this solves the SIP signaling problem but NOT the media stream problem!
- New protocols and extensions for NAT traversal under development: STUN, ICE, rport, symmetric RTP, TURN, connection reuse, SDP attribute for RTCP, and others
- Best Current Practices for NAT Traversal for SIP: draft-ietf-sipping-nat-scenarios-01
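The NAT detection and address fix-up for the signaling path mentioned above, as an added example that is not from the slides: a proxy compares the Via sent-by address with the packet's real source, adds received= (RFC 3261) and fills in the rport extension (RFC 3581) so the response reaches the NAT binding. The Via headers and addresses are constructed; sent-by is assumed to be an IPv4 address or hostname (no bracketed IPv6).

```python
import re

# Via sent-by host[:port] followed by ;params. Assumes an IPv4 or hostname sent-by.
_VIA_RE = re.compile(
    r'^SIP/2\.0/(?P<transport>[A-Z]+)\s+(?P<host>[^:;\s]+)(?::(?P<port>\d+))?(?P<params>(?:;[^;\s]+)*)$')

def parse_via(via: str) -> dict:
    """Split a Via header value into transport, sent-by host/port and its parameters (ordered)."""
    m = _VIA_RE.match(via.strip())
    if not m:
        raise ValueError(f"malformed Via: {via!r}")
    params = {}
    for p in m["params"].split(";")[1:]:
        k, _, v = p.partition("=")
        params[k] = v  # a bare "rport" parses as rport="" (client asks the server to fill it)
    return {"transport": m["transport"], "host": m["host"],
            "port": int(m["port"] or 5060), "params": params}

def detect_nat(via: str, src_ip: str, src_port: int) -> bool:
    """A NAT is in the path when the address the UA wrote into Via differs from where the
    packet actually came from. The port can only be judged when the UA asked for rport."""
    v = parse_via(via)
    if v["host"] != src_ip:
        return True
    return "rport" in v["params"] and v["port"] != src_port

def fix_via(via: str, src_ip: str, src_port: int) -> str:
    """Proxy-side repair: add received= when the source IP differs (RFC 3261 18.2.1) and fill
    rport= when requested (RFC 3581), so the response is sent back through the NAT binding."""
    v = parse_via(via)
    params = dict(v["params"])
    if "rport" in params:
        params["rport"] = str(src_port)
    if v["host"] != src_ip:
        params["received"] = src_ip
    tail = "".join(f";{k}={val}" if val else f";{k}" for k, val in params.items())
    return f'SIP/2.0/{v["transport"]} {v["host"]}:{v["port"]}{tail}'

def response_destination(via: str) -> tuple:
    """Where the response goes: received/rport when present, otherwise the sent-by values."""
    v = parse_via(via)
    ip = v["params"].get("received") or v["host"]
    port = int(v["params"].get("rport") or v["port"])
    return ip, port
```

As the slide says, this repairs only the signaling path; the RTP addresses inside the SDP body still need STUN, ICE or TURN.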
Conclusion
- SIP is a powerful application layer signalling protocol for multimedia applications
- SIP inter-works with PSTN and H.323
- SIP is widely accepted as the Internet signalling protocol for both fixed and mobile 3G networks
- SIP has many extensions under development: STUN (Simple Traversal of UDP Through NATs), SIMPLE (SIP for Instant Messaging Leveraging Extensions), SIP compression for wireless networks