A survey of SIP Peering

Similar documents
Analysing Protocol Implementations

A Survey of SIP Peering

IETF ENUM / SPEERMINT status update

SIP security and the great fun with Firewall / NAT Bernie Höneisen SURA / ViDe, , Atlanta, GA (USA)

Overview of the Session Initiation Protocol

TSIN02 - Internetworking

VoIP Security Threat Analysis

Department of Computer Science. Burapha University 6 SIP (I)

Ingate SIParator /Firewall SIP Security for the Enterprise

INTERFACE SPECIFICATION SIP Trunking. 8x8 SIP Trunking. Interface Specification. Version 2.0

SIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels

Voice over IP (VoIP)

ZyXEL V120 Support Notes. ZyXEL V120. (V120 IP Attendant 1 Runtime License) Support Notes

Journal of Information, Control and Management Systems, Vol. X, (200X), No.X SIP OVER NAT. Pavel Segeč

ENSC 833-3: NETWORK PROTOCOLS AND PERFORMANCE. Implement Session Initiation Protocol (SIP) User Agent Prototype

IP Possibilities Conference & Expo. Minneapolis, MN April 11, 2007

Secure Telephony Enabled Middle-box (STEM)

Compliance with RFC 3261

Real Time Protocols. Overview. Introduction. Tarik Cicic University of Oslo December IETF-suite of real-time protocols data transport:

Multimedia Applications. Classification of Applications. Transport and Network Layer

P2PSIP, ICE, and RTCWeb

Reserving N and N+1 Ports with PCP

VoIP Basics. 2005, NETSETRA Corporation Ltd. All rights reserved.

Application Scenario 1: Direct Call UA UA

ABC SBC: Secure Peering. FRAFOS GmbH

Unit 5 Research Project. Eddie S. Jackson. Kaplan University. IT530: Computer Networks. Dr. Thomas Watts, PhD, CISSP

Mohammad Hossein Manshaei 1393

Information About SIP Compliance with RFC 3261

Overview of SIP. Information About SIP. SIP Capabilities. This chapter provides an overview of the Session Initiation Protocol (SIP).

Multimedia networking: outline

Interworking Signaling Enhancements for H.323 and SIP VoIP

Ingate Firewall & SIParator Product Training. SIP Trunking Focused

Security and Lawful Intercept In VoIP Networks. Manohar Mahavadi Centillium Communications Inc. Fremont, California

TLS for SIP and RTP. OpenWest Conference May 9, Corey zmonkey.org. v Corey Edwards, CC-BY-SA

SIP as an Enabling Technology

Tech-invite. RFC 3261's SIP Examples. biloxi.com Registrar. Bob's SIP phone

Modern IP Communication bears risks

ENUM: A heretic s view on SIP Routing

Session Initiation Protocol (SIP) Overview

Open Mic Webcast. Jumpstarting Audio- Video Deployments Tony Payne March 9, 2016

Approaches to Deploying VoIP Technology Instead of PSTN Case Study: Libyan Telephone Company to Facilitate the Internal Work between the Branches

Request for Comments: 3959 Category: Standards Track December 2004

A Review Paper on Voice over Internet Protocol (VoIP)

Session Initiation Protocol (SIP) Overview

atl IP Telephone SIP Compatibility

Cisco Unified Presence 8.0

Z24: Signalling Protocols

Extensions to Session Initiation Protocol (SIP) and Peer-to-Peer SIP

COSC 301 Network Management

The Session Initiation Protocol

NGN interconnection: technology challenges. Dr. Rochdi ZOUAKIA.

Application Note. Microsoft OCS 2007 Configuration Guide

Application Note 3Com VCX Connect with SIP Trunking - Configuration Guide

become a SIP School Certified Associate endorsed by the Telecommunications Industry Association (TIA)

Chapter 3: IP Multimedia Subsystems and Application-Level Signaling

a. Draw a network diagram, showing how a telephone in the US would make calls to a telephone on Deception Island. (15 points).

Introduction. H.323 Basics CHAPTER

Internet Telephony: Advanced Services. Overview

Cisco Expressway Options with Cisco Meeting Server and/or Microsoft Infrastructure

6 Voice-over-IP Security

P2PSIP Draft Charter. Dean Willis March 2006

Firewall-Friendly VoIP Secure Gateway and VoIP Security Issues

CSC 4900 Computer Networks: Multimedia Applications

The Future of Interconnection

What is SIP Trunking? ebook

Transporting Voice by Using IP

Unit 4: Firewalls (I)

STIR and SHAKEN Framework Overview. IIT Real-Time Conference 2016 Chris Wendt

Real-Time Control Protocol (RTCP)

Network Address Translation (NAT) Background Material for Overlay Networks Course. Jan, 2013

8.4 IMS Network Architecture A Closer Look

Having fun with RTP Who is speaking???

ICE: the ultimate way of beating NAT in SIP

An Efficient NAT Traversal for SIP and Its Associated Media sessions

IP MULTIMEDIA SUBSYSTEM (IMS) SECURITY MODEL

TODAY AGENDA. VOIP Mobile IP

This is a sample chapter of WebRTC: APIs and RTCWEB Protocols of the HTML5 Real-Time Web by Alan B. Johnston and Daniel C. Burnett.

ENUM - Tag. ENUM Interconnect of VoIP Islands. Is there a Life after Phone Call Charges? Sep / 3 / 2007

Extensions to SIP and P2PSIP

Session Initiation Protocol (SIP)

TSM350G Midterm Exam MY NAME IS March 12, 2007

Configuration Guide IP-to-IP Application

Outline Overview Multimedia Applications Signaling Protocols (SIP/SDP, SAP, H.323, MGCP) Streaming Protocols (RTP, RTSP, HTTP, etc.) QoS (RSVP, Diff-S

GLOSSARY. Advanced Encryption Standard. Cisco Adaptive Security Appliance. Business-to-business. Binary Floor Control Protocol.

ENUM in the UK..and the NGN standards arena

Location Based Advanced Phone Dialer. A mobile client solution to perform voice calls over internet protocol. Jorge Duda de Matos

Provide a generic transport capabilities for real-time multimedia applications Supports both conversational and streaming applications

White Paper. SIP Trunking: Deployment Considerations at the Network Edge

IETF Video Standards A review, some history, and some reflections. Colin Perkins

secure communications

Cisco Expressway Session Classification

Implementation Profile for Interoperable Bridging Systems Interfaces (Phase 1)

Networked Multimedia and Internet Video. Colin Perkins

Firewalls for Secure Unified Communications

map q850-cause through mgcp packagecapability

Allstream NGNSIP Security Recommendations

Voice over IP. What You Don t Know Can Hurt You. by Darren Bilby

SIP Session Initiation Protocol Part 2. ITS VoIP; 2009 P. Campbell, H.Kruse

Basic Concepts in Intrusion Detection

Politecnico di Torino. Porto Institutional Repository

Transcription:

A survey of SIP Peering Lars Strand (presenter) and Wolfgang Leister NATO ASI ARCHITECTS OF SECURE NETWORKS (ASIGE10) 17-22 May 2010

Switchboard operators

Problem: Scalability the New York Telephone Exchange 1888 Salt Lake City, over 50 women, ca 1914

Automatic telephone exchange

Public Switched Telephony Network (PSTN) Standardization body: International Telecommunication Union Standardization (ITU-T) can be traced back to 1865. Historically: Big operators (only one for smaller countries) Peering agreement between them E.164 addresses (telephone numbers)

Plain Old Telephony Service (POTS) Just works 100+ year old technology PSTN 99.999% uptime (D.R. Kuhn, 1997) (<5 min/year) Can call anyone, anytime, anywhere with a good-quality telephonic conversation This is an elusive, currently-unachievable goal for the VoIP-industry (Minoli, 2006)

Voice over IP (VoIP) VoIP is here to stay: Cheaper (both communication and operational costs) More functionality (video, presence, IM, ) High industry focus VoIP loaded with security issues Inherit (traditional) packet switched network security issues and introduces new ones (because of new technology).

"It's appalling how much worse VoIP is compared to the PSTN. If these problems aren't fixed, VoIP is going nowhere." --- Philip Zimmerman on VoIP security in SIP Security, Sisalem et. al. (2009)

VoIP how does it work? Session Initiation Protocol (SIP) is the de facto standard signaling protocol for VoIP Application layer (TCP, UDP, SCTP) Setting up, modifying and tearing down multimedia sessions Not media transfer (voice/video) Establishing and negotiating the context of a call RTP transfer the actual multimedia SIP specified in RFC 3261 published by IETF 2002 First iteration in 1999 (RFC2543) over ten years old Additional functionality specified in over 120 different RFCs(!) Even more pending drafts... Known to be complex and sometimes vague difficult for software engineers to implement Interoperability conference - SIPit

Excerpts from an email posted on IEFT RAI mailing list: I'm finally getting into SIP. I've got Speakeasy VoIP service, two sipphone accounts, a Cisco 7960 and a copy of x-ten on my Mac. And I still can't make it work. Voice flows in one direction only. I'm not even behind a NAT or firewall -- both machines have global addresses, with no port translations or firewalls. I've been working with Internet protocols for over 20 years. I've implemented and contributed to them. And if *I* can't figure out how to make this stuff work, how is the average grandmother expected to do so? SIP is unbelievably complex, with extraordinarily confusing terms. There must be half a dozen different "names" -- Display Name, User Name, Authorization User Name, etc -- and a dozen "proxies". Even the word "domain" is overloaded a half dozen different ways. This is ridiculous! Sorry. I just had to get this off my chest. Regards, Reference: http://www.ietf.org/mail-archive/web/rai/current/msg00082.html

SIP message syntax - INVITE Start line (method) Message headers Message body (SDP content) INVITE sip:bob@nr SIP/2.0 Via: SIP/2.0/UDP 156.116.8.106:5060;rport;branch=z9hG4bK From: Alice <sip:alice@nr>;tag=2093912507 To: <sip:bob@nr> Contact: <sip:alice@156.116.8.106:5060> Call-ID: 361D2F83-14D0-ABC6-0844-57A23F90C67E@156.116.8. CSeq: 41961 INVITE Max-Forwards: 70 Content-Type: application/sdp User-Agent: X-Lite release 1105d Content-Length: 312 v=0 o=alice 2060633878 2060633920 IN IP4 156.116.8.106 s=sip call c=in IP4 156.116.8.106 t=0 0 m=audio 8000 RTP/AVP 0 8 3 98 97 101...

SIP example Direct call UA to UA Caller must know callee's IP or hostname No need for intermediate SIP nodes Problems: Traversing firewalls / NAT Must know IP/hostname of user Mobility change IP/hostname

SIP example

Global reachability? SIP has won the signaling battle (over H.323) (like SMTP won over X.400) SIP incorporates many elements from HTTP and SMTP Design goal: Global reachability like SMTP We call this the email model SIP has reached deployment worldwide VoIP has reached high penetration both in companies and for ISP customers But very few open SIP servers like originally planned Why?

SIP follows an email alike model 1) Email and SIP addresses are structured alike username@domain address-of-record (AoR): sip:alice@example.com 2) Both SIP and email rely on DNS Map domain name to a set of ingress points that handle the particular connection 3) The ingress points need to accept incoming request from the Internet 4) No distinction between end-users and providers Any end-user can do a DNS lookup and contact the SIP server directly 5) No need for a business relationship between providers Since anyone can connect 6) Clients (usually) do not talk directly to each other often one or more intermediate SIP/SMTP nodes Read more: RFC 3261 and RFC3263

Why has the email model failed? 1) Business sender keeps all breaks tradition The traditional economic model is based on termination fee Since anybody can connect to anybody, no business relationship is needed No (economical) incentives for providers to deploy open SIP servers providers 2) Legal requirements written for PSTN Operators must comply to a wide range of regulatory requirements Example: Wiretapping, caller-id, hidden number, emergency calls, etc 3) Security considerations A) Unwanted calls (SPIT) B) Identity C) Attack on availability (DoS)

A) Unwanted calls (SPIT) Hard unknown attack vector When there are enough open SIP servers, attackers will start to exploit them Low amount of SPIT today (because few open SIP servers) Worse than SPAM Content only available after the user picks up the phone = harder to filter and detect than email Users tend to pick up the phone when it rings = disruptive (users can choose when to check their email) A number of SPIT mitigation strategies has been proposed (active research) The research project SPIDER looked at SPIT Good informative deliverables Project finished We're afraid of SPIT, so we don't have open SIP Servers

B) Identity PSTN Provide (reasonable) good caller-id Providers trust each others signaling SIP's email model breaks this Anyone can send SIP (INVITE) easily spoofed The SIP authentication is terrible Modeled (copied) after HTTP Digest authentication SIP also support TLS (and certificate authentication) but very limited deployment SIP Identity tries to fix this (RFC4474) Rely on certificates Not based on transitive trust between providers No one uses this Since SIP has so poor identity handling, we don't want to expose our SIP servers to the Internet

C) Attack on availability (DoS) Denial of Service (DoS) attacks are HARD! Simple and effective: Send more bogus traffic than the recipient can handle No simple solution to prevent DoS Example: DDoS for sale - The ad scrolls through several messages, including "Will eliminate competition: high-quality, reliable, anonymous." "Flooding of stationary and mobile phones." "Pleasant prices: 24-hours start at $80. Regular clients receive significant discounts." "Complete paralysis of your competitor/foe." Reference: http://isc.sans.org/diary.html?storyid=5380 We're terrified to become a victim of a DDoS attack

So, what is the result? Providers do NOT have open SIP servers All non-local calls are sent to the PSTN Why is that a bad thing?

Disadvantages 1) Administrative overhead more systems to keep track of IP-to-PSTN gateway 2) More expensive than SIP only Must pay a termination fee to the PSTN provider Must maintain the IP-to-PSTN gateway 3) Poor(er) voice quality Voice must be transcoded from G.711 to the PSTN (and back again) Can not use wide-band codecs, like G.722 that provides superior sound quality ( HD sound ) 4) Only applies to voice miss out other functionality that SIP supports IM, presence, mobility, etc.

SIP Peering Peering overcome these disadvantages Do not need an open SIP server on the Internet Industry has started to do this ad-hoc But not standardized in any way

SPEERMINT IETF has recognized that SIP Peering must be standardized (New) Working Group (WG) will fix that Session PEERing for Multimedia INTerconnect (SPEERMINT) Goal: Identify architecture requirements Discuss security considerations Define best practices for SIP peering Get SIP to work reliably in a worldwide deployment Documents: RFC5486: Session Peering for Multimedia Interconnect (SPEERMINT) Terminology RFC5344: Presence and Instant Messaging Peering Use Cases And several drafts pending

SPEERMINT architecture

Telephone number mapping (ENUM) Example: +47 2134 5678 E.164 NUmber Mapping (ENUM) Telephone numbers are organized in the E.164 standard IP adresses on Internet uses DNS E.164 + DNS = ENUM New DNS zone: e164.arpa How do we find the domain name and route the request? example: tel:+47 2123 4567 7.6.5.4.3.2.1.2.7.4.e164.arpa DNS lookup Originally planned to be global All the world (PSTN) phone numbers should be reachable via ENUM (Part of the email model of SIP) Did not happened Used locally within SSP and between peers

Peering scenarios 1) Static peering between SSP1 and SSP2 is preprovisioned independent of any SIP sessions between users 2) Ondemand peering is established when a SIP session between SSP1 and SSP2 are needed A) Direct direct peer between SSP1 and SSP2 B) Indirect or transit via an intermediate SSP In combination with assisted LUF/LRF XConnect

Federation A group of SSPs which agree to receive calls from each other via SIP, and who agree on a set of administrative rules for such calls (settlement, abuse-handling,...) and the specific rules for the technical details. Can this scale globally?

Further work Identity? Is it solved by peering? a) SIP Identity (RFC4474) Require PKI b) Transitive trust between SSPs? (Combine RFC3324 and RFC3325) Utopian? c) Multi-factor authentication? d) Web-of-trust? (aka PGP) SPIT? Is it solved by peering? DDoS? Is it solved by peering? Some discussion in SPEERMINT Security Threats and Suggested Countermeasures, IETF draft pending.

Thank you Project homepage: http://eux2010sec.nr.no

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback