Session Initiation Protocol
R94922133 張榮宏, R94922143 呂詩禹

Sipsak Demo
What is it?
• SIPSAK
  – A small command line tool for developers and administrators of Session Initiation Protocol applications.
• Try it on FreeBSD
  – /usr/ports/net/sipsak
• Web site
  – sipsak.org
How to use it?
• man sipsak
• Send an OPTIONS request to [email protected] and display the received replies:
  – sipsak -vv -s sip:[email protected]
• Send the instant message "Lunch time!" to the colleague and show the result:
  – sipsak -M -v -s sip:colleague@work -B "Lunch time!"
SIP Security
What problems do users face? Besieged on all sides.

SIP Security
• SIP security is a vast and challenging field.
• Authentication
  – Can users steal other users' identities?
• Integrity
  – Is the SIP message received the same as the one sent?
• Confidentiality
  – Is someone else listening on your SIP call setup?
Threats
• Fake requests (e.g., fake From)
• Modification of content
  – REGISTER Contact
  – SDP to redirect media
• Insertion of requests into existing dialogs: BYE, re-INVITE
• Denial of service (DoS) attacks
• Privacy
• Trust domains – can proxies be trusted?
SIP Security Mechanisms
• SIP is HTTP-like
• How do we secure HTTP services?
  – HTTP
    • HTTPS (SSL)
    • TCP based Transport Layer Security (TLS)
  – E-mail
    • PGP (Pretty Good Privacy)
    • S/MIME
  – IP based communication
    • IPsec (IP Security)
Solutions for securing SIP

HTTP Digest Authentication
• Example given in RFC 2617
  – Client request (user: Mufasa, password: Circle Of Life)
  – Server response: ?

HTTP Digest Authentication
• Generating the MD5 values
HTTP Digest authentication

parameter    meaning
realm        client domain
domain       destination
algorithm    hash algorithm: MD5, MD5-sess
nonce        server-chosen nonce
cnonce       client-chosen nonce
nc           number of times the nonce has been used
digest-uri   destination
qop          protection (auth, auth-int)
opaque       string echoed by the client
username     user's name in the specified realm
response     H(H(A1):nonce:nc:cnonce:qop:H(A2))
HTTP Digest authentication
• response = H(H(A1):nonce:nc:cnonce:qop:H(A2))
• A1 = username:realm:password
• A2 = method:URI or method:URI:H(body)
• where H(x) = MD5(x)
SIP Proxy Digest Authentication
• Proxy Server using Digest Authentication
  – Invite
  – Challenge
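The response computation from the previous slides and the INVITE / challenge exchange with the proxy, carried through as an added example in Python (this is not code from the slides or from any SIP stack). The DigestProxy class, the realm "proxy.example.com", the user "alice" and her password are constructed for the example; the proxy keeps only H(A1) per user and tracks nonce counts, which is what lets it reject a replayed Proxy-Authorization header.

```python
import hashlib
import hmac
import secrets


def h(data: str) -> str:
    """H(x) = MD5(x), hex encoded, exactly as the slides define it."""
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", body=""):
    """Client side: response = H(H(A1):nonce:nc:cnonce:qop:H(A2))."""
    ha1 = h(f"{username}:{realm}:{password}")          # A1 = username:realm:password
    if qop == "auth-int":
        ha2 = h(f"{method}:{uri}:{h(body)}")           # A2 = method:URI:H(body)
    else:
        ha2 = h(f"{method}:{uri}")                     # A2 = method:URI
    return h(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestProxy:
    """Proxy side of the INVITE -> challenge -> authenticated INVITE flow.

    Only H(A1) is stored per user, so a copy of the credential table does not
    reveal clear-text passwords. Nonces are issued once and the nonce count must
    increase, so a replayed Proxy-Authorization header is refused."""

    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user
        self.nonces = {}          # nonce -> highest nc accepted so far

    def challenge(self):
        """Reply to an unauthenticated INVITE with a 407 carrying a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"status": 407, "realm": self.realm, "nonce": nonce,
                "qop": "auth", "algorithm": "MD5"}

    def verify(self, method, creds):
        """Recompute the response from the stored H(A1) and compare."""
        ha1 = self.ha1_by_user.get(creds["username"])
        nonce = creds["nonce"]
        if ha1 is None or nonce not in self.nonces:
            return False                               # unknown user or nonce we never issued
        nc = int(creds["nc"], 16)
        if nc <= self.nonces[nonce]:
            return False                               # replayed or out-of-order nonce count
        ha2 = h(f"{method}:{creds['uri']}")
        expected = h(f"{ha1}:{nonce}:{creds['nc']}:{creds['cnonce']}:{creds['qop']}:{ha2}")
        if not hmac.compare_digest(expected, creds["response"]):
            return False
        self.nonces[nonce] = nc
        return True


def answer_challenge(chal, username, password, method, uri, nc="00000001", cnonce=None):
    """Client side: build the Proxy-Authorization parameters for a challenge."""
    cnonce = cnonce or secrets.token_hex(4)
    resp = digest_response(username, chal["realm"], password, method, uri,
                           chal["nonce"], nc, cnonce, chal["qop"])
    return {"username": username, "realm": chal["realm"], "nonce": chal["nonce"],
            "uri": uri, "qop": chal["qop"], "nc": nc, "cnonce": cnonce, "response": resp}


def demo():
    """Run the flow with constructed sample data and return the three outcomes."""
    realm = "proxy.example.com"                         # constructed realm
    proxy = DigestProxy(realm, {"alice": h("alice:" + realm + ":correct horse")})
    uri = "sip:bob@example.com"                         # constructed INVITE target
    chal = proxy.challenge()                            # 407 with a fresh nonce
    good = answer_challenge(chal, "alice", "correct horse", "INVITE", uri)
    first = proxy.verify("INVITE", good)                # fresh response: accepted
    replay = proxy.verify("INVITE", good)               # same nc again: rejected
    bad = answer_challenge(chal, "alice", "wrong", "INVITE", uri, nc="00000002")
    wrong_pw = proxy.verify("INVITE", bad)              # bad password: rejected
    return first, replay, wrong_pw


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

digest_response also reproduces the RFC 2617 example the slides refer to: with the RFC's realm, nonce, cnonce and URI for user Mufasa it yields the response value printed in RFC 2617 section 3.5.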
TLS security: SIPS URI
• SIPS scheme added in RFC 3261
  – sips:[email protected]
• TLS must be used on the whole path.
• Cannot be applied to UDP-based SIP (only TCP or another reliable transport protocol)
• Applied hop-by-hop
• All SIP proxies are required to implement it
How to secure the talk?
• Securing the real-time media streams
• Multimedia streams are packet-oriented
• Encryption and authentication algorithms should not cause too much delay
• Transmission must be UDP based
• Only two security mechanisms are currently available.
Securing the real-time media streams

Secure Real-Time Transport Protocol (SRTP)
• The Secure RTP packet format (figure)

SRTP
• Default encryption algorithm (figure)

Secure Real-Time Transport Protocol (SRTP)
• The Secure RTCP packet format (figure)
Conclusion
• VoIP security is complex
  – Numerous protocols
  – NAT/firewall traversal issues
  – QoS issues
• Technologies are in place to secure VoIP
  – Solutions we've discussed
  – However, no "standard" approach is being used
• Current VoIP providers do not secure calls
SIP Programming
• SIP follows the HTTP programming model
• Three mechanisms suggested in the IETF
  – Call Processing Language (SIP-CPL)
  – Common Gateway Interface (SIP-CGI)
  – SIP Servlet
• Other options
  – Creation Markup Language (SCML)
  – Voice Extensible Markup Language (VoiceXML)
  – Call Control eXtensible Markup Language (CCXML)
SIP Programming
• Examples
  – "discard all calls from Monica during my business hours"
  – "redirect authenticated friends to my cell phone, anyone else to my secretary"
  – "if busy, return my homepage and redirect to recorder"
• Users and third parties may program
SIP Programming
Where are services located? (figure)
Source: H. Schulzrinne, "Industrial Strength IP Telephony"
Common Gateway Interface
• Almost identical to HTTP CGI
• Language independent (Perl, Tcl, C, C++, ...)
  – Any binary may be executed as a separate program
• Communicates through I/O and environment variables
  – More flexible but more risky
• Unmanaged resource allocation
  – A single CGI may crash the server or the user client
• Feb. 1, 2001: RFC 3050 (Common Gateway Interface for SIP) published
Call Processing Language
• Designed by the IETF to support sophisticated telephony services
  – May be used by both SIP and H.323.
• XML based scripting language
  – Extensive
  – Easily edited by GUI tools
  – Portability allows users to move across servers.
• A lightweight CPL interpreter is needed
  – Better security
An Example
A simple script that blocks anonymous callers:

  <?xml version="1.0" ?>
  <!DOCTYPE cpl PUBLIC "-//IETF//DTD RFCxxxx CPL 1.0//EN" "cpl.dtd">
  <cpl>
    <incoming>
      <address-switch field="origin" subfield="user">
        <address is="anonymous">
          <reject status="reject" reason="I don't accept anonymous calls" />
        </address>
      </address-switch>
    </incoming>
  </cpl>
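The "lightweight CPL interpreter" from the previous slide, as an added example in Python that evaluates the anonymous-caller script above (this is not code from the slides or from any CPL implementation). The script is reproduced with an extra otherwise / proxy branch so the fall-through path is visible; the address_subfield, branch_matches, run and evaluate functions and the incoming-call dictionary are constructed for the example. The interpreter only knows address-switch and the reject / proxy / redirect actions and raises on anything else, which is the security property the slide claims for interpreted CPL over arbitrary CGI binaries: a script can only choose among a fixed set of call-handling outcomes.

```python
import xml.etree.ElementTree as ET

# Constructed script: the slide's anonymous-caller rule plus an "otherwise"
# branch so the interpreter has a default output to fall through to.
CPL_SCRIPT = """<?xml version="1.0" ?>
<cpl>
  <incoming>
    <address-switch field="origin" subfield="user">
      <address is="anonymous">
        <reject status="reject" reason="I don't accept anonymous calls" />
      </address>
      <otherwise>
        <proxy />
      </otherwise>
    </address-switch>
  </incoming>
</cpl>
"""

# Elements this toy interpreter understands; anything else is refused rather
# than guessed at, which is the "lightweight interpreter, better security" point.
SWITCHES = {"address-switch"}
ACTIONS = {"reject", "proxy", "redirect"}


def address_subfield(uri, subfield):
    """Pull the 'user' or 'host' part out of a sip:/sips: URI (tiny parser)."""
    addr = uri.split(":", 1)[1] if uri.startswith(("sip:", "sips:")) else uri
    addr = addr.split(";", 1)[0]                          # drop URI parameters
    user, _, host = addr.rpartition("@")
    if subfield == "user":
        return user
    if subfield == "host":
        return host.split(":", 1)[0]                      # drop the port
    raise ValueError(f"unsupported subfield {subfield!r}")


def branch_matches(branch, value):
    """Match one <address> output using its is / contains / subdomain-of attribute."""
    if "is" in branch.attrib:
        return value == branch.get("is")
    if "contains" in branch.attrib:
        return branch.get("contains") in value
    if "subdomain-of" in branch.attrib:
        dom = branch.get("subdomain-of")
        return value == dom or value.endswith("." + dom)
    raise ValueError("address branch without a recognised match attribute")


def run(node, call):
    """Execute the single switch or action under `node`; the default is to proxy."""
    for child in node:
        if child.tag in SWITCHES:
            value = address_subfield(call[child.get("field")], child.get("subfield"))
            for branch in child:
                if branch.tag == "address" and branch_matches(branch, value):
                    return run(branch, call)
                if branch.tag == "otherwise":
                    return run(branch, call)
            return {"action": "proxy"}                    # no output matched
        if child.tag in ACTIONS:
            result = {"action": child.tag}
            result.update(child.attrib)                   # status, reason, ...
            return result
        raise ValueError(f"unsupported CPL element <{child.tag}>")
    return {"action": "proxy"}


def evaluate(cpl_xml, call):
    """Decide what to do with an incoming call; `call` maps CPL fields to URIs."""
    root = ET.fromstring(cpl_xml)
    incoming = root.find("incoming")
    return run(incoming, call) if incoming is not None else {"action": "proxy"}


if __name__ == "__main__":
    print(evaluate(CPL_SCRIPT, {"origin": "sip:anonymous@anonymous.invalid"}))
    print(evaluate(CPL_SCRIPT, {"origin": "sip:bob@example.com"}))
```

The decision is returned as plain data rather than executed directly, so the server that embeds the interpreter stays in control of what a reject or proxy actually does.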
Java Servlets
• Similar to HTTP servlets
• Resources managed by the container
• The class runs within a JVM (Java Virtual Machine) on the server
• Security provided by Java
• Portable between OSs and servers
JAIN SIP
• The Java-standard interface to a SIP signaling stack.
  – Standardizes the interface to the stack.
  – Standardizes the message interface.
  – Standardizes events and event semantics.
  – Application portability, verified via the TCK.
• Designed for developers who require powerful access to the SIP protocol.
• JAIN SIP can be used in a user agent, proxy or registrar, or embedded into a service container.
SIP Implementation Structure

Packages
• General package
  – Defines the architectural interfaces, the transaction and dialog interfaces and the event objects of the specification.
• Address package
  – Contains a generic URI wrapper and defines the SIP URI and Tel URI interfaces.
• Message package
  – Defines the interfaces necessary for the Request and Response messages.
• Header package
  – Defines interfaces for all the supported headers and extension headers.
Application - Stack Creation
Initialize the stack using SipFactory (the STACK_NAME value and the "gov.nist" path name are added here so the fragment runs; the addresses are the slide's):

  // Obtain the factory and point it at the reference implementation
  SipFactory sipFactory = SipFactory.getInstance();
  sipFactory.setPathName("gov.nist");
  Properties properties = new Properties();
  properties.setProperty("javax.sip.STACK_NAME", "example-stack");   // required by createSipStack
  properties.setProperty("javax.sip.IP_ADDRESS", "129.6.55.181");
  properties.setProperty("javax.sip.OUTBOUND_PROXY", "129.6.55.182:5070/UDP");
  // ... other initialization properties
  try {
      sipStack = sipFactory.createSipStack(properties);
  } catch (SipException e) {
      // PeerUnavailableException is a SipException: no usable stack, give up
      System.exit(-1);
  }
Application - Request Creation
Initialize the request using the factories (the header objects are created beforehand):

  try {
      SipURI requestURI = addressFactory.createSipURI(toUser, toSipAddress);
      // ... create the other headers (Call-ID, CSeq, From, To, Via, Max-Forwards)
      Request request = messageFactory.createRequest(requestURI, Request.INVITE,
              callIdHeader, cSeqHeader, fromHeader, toHeader, viaHeaders, maxForwards);
  } catch (ParseException e) {
      // a malformed user, host or header value ends up here
      e.printStackTrace();
  }
Application - Sending Requests
Send outgoing messages:

  try {
      // Create the client transaction
      ClientTransaction inviteTid = sipProvider.getNewClientTransaction(request);
      // Send the request
      inviteTid.sendRequest();
  } catch (SipException e) {
      // TransactionUnavailableException and send failures are SipExceptions
      e.printStackTrace();
  }
High-Level Service Creation Framework
• Service Creation Environment (SCE)
  – GUI development IDE
• Service Logic Execution Environment (SLEE)

High-Level Service Creation Framework (figure)
Choosing a mechanism
• Portability vs. performance
  – Portability is needed if services are deployed at multiple servers or end-devices.
  – Portable languages (CPL) need to be interpreted (processing delay)
• The deployment scenario decides the service creation mechanism.
Implementations
• BaseVoice Vanilla
  – J2EE-based SIP server, JAIN SIP API v1.1
• SIPD
  – SIP CGI-BIN support
• Meetinghouse SIP Proxy
  – CPL support
Source: http://www.iptel.org/info/products/
Reference
• http://netlab.boun.edu.tr/mast/sip/
• http://iptel.org/sip/siptutorial.pdf
• http://java.sun.com/products/jain/JAIN-SIP-Tutorial.pdf
• Roch H. Glitho, Ferhat Khendek, and Alessandro De Marco, "Creating Value Added Services in Internet Telephony: An Overview and a Case Study on a High-Level Service Creation Environment"