Strategy for VOIP

IEEE NJ Coast Section
Seminar on Wireless LAN & IP Telephony
Session I5
Creating Secure Services for Internet Telephony
Henning Schulzrinne
Columbia University
hgs@cs.columbia.edu
Overview



What are IP telephony services?
Where do services reside?
How to create services?
– basic “fixed” services (call forwarding, follow me, ...)
– registration-based services: caller preferences
– sip-cgi model
– Call Processing Language (CPL)
– sip servlets & JAIN
Event notification and presence
Example of an enterprise IP telephony platform
Billing in IP telephony
IEEE NJ Coast Section seminar on Wireless LAN & IP Telephony
March 28, 2002 2
Overview

Security in IP telephony
– dealing with NATs and firewalls
– differences to classical PSTN networks
– threats
• theft of service
• registration impersonation
• denial of service
• privacy
– current SIP approaches

Summary and conclusion
Aside: evolution of SIP

Not quite what we had in mind
– initially, SIP for initiating multicast conferencing
• in progress since 1992
• still small niche
• even the IAB and IESG meet by POTS conference…
– then VoIP
• written-off equipment (circuit-switched) vs. new equipment (VoIP)
• bandwidth is (mostly) not the problem
• “can’t get new services if other end is POTS” -> “why use VoIP if I can’t get new services”
Evolution of SIP

VoIP: avoiding the installed base issue
– cable modems – lifeline service
– 3GPP – vaporware?

Finally, IM/presence and events
– probably, first major application
– offers real advantage: interoperable IM
– also, new service
VoIP at Home


Lifeline (power)
Multiple phones per household
– expensive to do over PNA or 802.11
– BlueTooth range too short
– need wireless SIP base station + handsets
– PDAs with 802.11 and GSM? (Treo++)
Incentives
– SMS & IM services
SIP phones

Hard to build really basic phones
– need real multitasking OS
– need large set of protocols:
• IP, DNS, DHCP, maybe IPsec, SNTP and SNMP
• UDP, TCP, maybe TLS
• HTTP (configuration), RTP, SIP
– user-interface for entering URLs is a pain



see “success” of Internet appliances
“PCs with handset” cost $500 and still have a Palmsize display
thus, offer services
– Java-programmable
– XML forms input
Example SIP phones
What are IP telephony services?


Services (features) modify basic call behavior
Can be
– invoked by user
– pre-programmed into network elements (e.g., SIP proxies)
– programmable feature logic

PSTN: CLASS (Custom local area signaling services) features
– call waiting
– call forwarding
– caller ID (calling number delivery)
– distinctive ringing
– selective call rejection
– three-way calling, ...
PSTN: pre-subscribed for feature access codes (e.g., *66)
IP telephony services

Call routing services: precall, one party
– speed dial
– click-to-dial
– call forwarding
– “follow me”
– call filtering/blocking (in/out)
– do not disturb
– distinctive ringing
– call prioritization
– feature-based agent selection
– call return

Call handling features
– hotline
– autoanswer
– intercom

Multi-party features
– call waiting
– whispered call waiting
– blind transfer: no confirmation of success
– attended transfer
– consultative transfer: three-party conference -> transfer
– conference call
– call park
– call pickup
– music on hold
– call monitoring
– barge-in
– speakerphone paging
– single-line extension
IP telephony features – Internet-specific

Presence-enabled calls
– place call only if callee is available

Presence-enabled conferencing
– call conference participants when all are online and not busy

IM conference alerts
– receive IM when someone joins a conference

Unified messaging
– receive email with new voice message
– IM alert for voicemails
Voice-enabled features

Interactive Voice Response (IVR)
– VoiceXML
– voice browser
Voice-enabled features: VoiceXML
<?xml version="1.0"?>
<vxml version="2.0">
  <form id="basic">
    <field name="acctnum" type="digits">
      <prompt> What is your account number? </prompt>
    </field>
    <field name="acctphone" type="phone">
      <prompt> What is your home telephone number? </prompt>
      <filled>
        <!-- The values obtained by the two fields are
             supplied to the calling dialog by the "return"
             element. -->
        <return namelist="acctnum acctphone"/>
      </filled>
    </field>
  </form>
</vxml>
PSTN vs. Internet Telephony
Internet Telephony end system
– Number of lines or pending calls is virtually unlimited
– More intelligence, PCs can be considered to be end-user devices
PSTN end system
– Single line, 12 buttons and hook flash to signal
PSTN vs. Internet Telephony
[Figure: PSTN: signaling & media. Internet telephony: signaling & media. Path labels: signaling, signaling, media.]
Service provider architectures

Models of providing services:
– IP PBX
– IP Centrex (and cable/DSL)
– Carrier / 3G

Similar equipment (logically), but
– different trust models
– sharing of resources (SIP proxies, gateways)
IP PBX
IP Centrex
IP Carrier
3G Architecture (Registration)
[Figure labels: mobility management signaling; serving CSCF; interrogating; proxy; interrogating; home IM domain; visited IM domain; registration signaling (SIP)]
Service models & protocols

Master-slave protocols (MGCP, Megaco)
– feature logic in media gateway controller (MGC)
– send detailed behavioral commands to MG
• send ring tone
• expect dialed digit string
• play announcement
– MG can only “guess” what is meant
– assembly-language instructions

Peer-to-peer protocols (SIP, H.323)
– more like function calls
– methods (SIP method, H.323 request) and parameters (SIP
headers, H.323 ASN.1 variables)
– H.323: per-feature specification (H.450.x)
– SIP: building blocks (Headers, REFER, JOIN, ...)
Combining peer-to-peer and master-slave
CLASS services: Caller-ID


SIP To/From headers (+ Organization)
Also: Call-Info
Call-Info: <http://alice.com/photo.jpg> ;purpose=icon,
  <http://alice.com/> ;purpose=info

Can be “anonymous”
Cannot necessarily be trusted, since inserted by user
Remote-Party-ID: "John Doe" <sip:jdoe@foo.com>;party=calling;
  idtype=subscriber;privacy=full;screen=yes
CLASS services: call forwarding, follow-me


Built into core SIP
Call forwarding:
– either at proxy or at end system
– 302 + Contact: temporary forwarding
– 301 + Contact: permanent forwarding

Follow me:
– REGISTER using single identifier
– with different temporary IP addresses
– “adopt” different hardware via (e.g.,) i-button
SIP personal mobility
Call filtering (in/out)



Outbound call filtering done by outbound proxy
Often, outbound proxy controls firewall
Inbound call filtering at any of the stages:
– e.g., sip:alice@bigcorp.com -> sip:alice@paris.eng.bigcorp.com
– proxies can do filtering at
• bigcorp.com
• eng.bigcorp.com
• paris.eng.bigcorp.com

Fixed or programmable rules (later)
Call routing -- forking
Call routing -- ENUM





Translation between E.164 telephone numbers and URIs (e.g., SIP URIs)
RFC 2916
+46-8-9761234 becomes 4.3.2.1.6.7.9.8.6.4.e164.arpa
Look up using (new) NAPTR DNS record
Example: contact 1st using SIP, 2nd using email:
$ORIGIN 4.3.2.1.6.7.9.8.6.4.e164.arpa.
  IN NAPTR 100 10 "u" "sip+E2U"    "!^.*$!sip:info@tele2.se!"    .
  IN NAPTR 102 10 "u" "mailto+E2U" "!^.*$!mailto:info@tele2.se!" .
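The ENUM steps above (number to domain name, then NAPTR rewrite rules tried in order/preference order), as an added Python example that is not part of the original slides. The second record set, the host gw.example.net and the URI-scheme allow-list are constructed for illustration and are assumptions of this example.

```python
import re

# Assumption: local policy on which URI schemes a resolver result may use.
ALLOWED_SCHEMES = ("sip:", "sips:", "tel:", "mailto:")


def e164_to_domain(number, suffix="e164.arpa"):
    """Strip non-digits, reverse the digits, dot-separate, append the suffix."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in E.164 number")
    return ".".join(reversed(digits)) + "." + suffix


def apply_naptr_regexp(field, aus):
    """Apply one NAPTR regexp field (delim ere delim replacement delim flags).

    Returns the rewritten URI, or None when the expression does not match.
    """
    delim = field[0]
    parts = field[1:].split(delim)
    if len(parts) != 3:
        raise ValueError("malformed NAPTR regexp field: %r" % field)
    ere, replacement, flags = parts
    match = re.search(ere, aus, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        return None
    # Substitute \1..\9 back-references with the captured groups.
    return re.sub(r"\\([1-9])",
                  lambda ref: match.group(int(ref.group(1))) or "",
                  replacement)


def resolve(records, number):
    """Return candidate URIs for a number, best record first.

    records: (order, preference, flags, service, regexp) tuples as they would
    come back from a NAPTR query for e164_to_domain(number).
    """
    aus = "+" + re.sub(r"\D", "", number)  # string the regexp is applied to
    uris = []
    for order, pref, flags, service, regexp in sorted(records, key=lambda r: (r[0], r[1])):
        # Only terminal "u" records that offer an E2U service are usable here.
        if flags.lower() != "u" or "e2u" not in service.lower().split("+"):
            continue
        uri = apply_naptr_regexp(regexp, aus)
        # DNS data is input from outside: drop URIs with unexpected schemes.
        if uri and uri.lower().startswith(ALLOWED_SCHEMES):
            uris.append(uri)
    return uris


# The two records from the slide, deliberately listed out of order.
SLIDE_RECORDS = [
    (102, 10, "u", "mailto+E2U", "!^.*$!mailto:info@tele2.se!"),
    (100, 10, "u", "sip+E2U", "!^.*$!sip:info@tele2.se!"),
]

# Constructed records: one uses a back-reference, one has a scheme outside policy.
CONSTRUCTED_RECORDS = [
    (10, 10, "u", "sip+E2U", r"!^\+46(.*)$!sip:\1@gw.example.net!"),
    (20, 10, "u", "ftp+E2U", "!^.*$!ftp://files.example.net/!"),
]

if __name__ == "__main__":
    print(e164_to_domain("+46-8-9761234"))
    print(resolve(SLIDE_RECORDS, "+46-8-9761234"))
    print(resolve(CONSTRUCTED_RECORDS, "+46-8-9761234"))
```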
Call routing – TRIP and SLP


TRIP (RFC 3219) allows routing of SIP requests to
the “best” IP telephony gateway
Based on BGP model of route propagation
Do not disturb & distinctive ringing



End system or proxy features
Distinctive ringing inserted by proxy:
Alert-Info: <http://www.example.com/sounds/moo.wav>
Do not disturb:
– 600 (Busy)
– 603 (Decline)
– with Retry-After
Call prioritization



SIP Priority header
Subject: A tornado is heading our way!
Priority: emergency
Can be inserted or removed by proxy
Useful for call routing
Caller preferences

One SIP address -> many destinations:
– home vs. office
– cell phone vs. landline
– PC video phone vs. black phone

Callee’s proxy decides, but caller preferences mechanism allows caller to influence choices
Can influence:
– whether to proxy or redirect
– which URI to proxy or redirect to
– whether to fork or not
– whether to search recursively or not
– whether to search in parallel or sequentially
Caller preferences


Adds parameters to Contact headers describing properties of location:
Carol speaks English, Spanish and German and can send/receive audio + video, but only wants this address to be used for urgent calls:
Contact: Carol <sip:carol@example.com>
  ;language="en,es,de"
  ;media="audio/*,video/*,application/chat"
  ;duplex="full"
  ;priority="urgent"

INVITE request then contains headers:
Accept-Contact: sip:user@host;feature="voicemail&attendant"
Accept-Contact: sip:user@foo.edu;mobility="!fixed"
Using URIs for SIP Service Control





RFC 3087
User part is left to local configuration
Voice mail services
sip:rjs@vm.wcom.com;mode=deposit
sip:670002@vm.wcom.com
Ad-hoc conferences
Invoke VoiceXML scripts
sip:dialog.vxml.http%3a//dialogs.server.com/script32.vxml@vxmlservers.com
Using SIP events for services

Many telecom services generate asynchronous events:
– participant joined or left conference
– message waiting
– call leg completed or terminated


SIP defines event notification requests: SUBSCRIBE and NOTIFY
Event packages for call legs, conferences, message waiting, IM, DTMF, ...
NOTIFY sip:rohan@rmahy-phone.cisco.com SIP/2.0
To: <sip:rohan@cisco.com>;tag=78923
From: <sip:rohan@cisco.com>;tag=4442
Event: message-summary
Content-Type: application/simple-message-summary
Messages-Waiting: yes
Voicemail: 4/8 (1/2)
Call waiting
no notion of “lines” -> unlimited number of line presences
[Figure: call-waiting message flow among A, B and C. Labels: talk on line 1; line 2 ringing; INVITE; 180 Ringing; 182 Wait 2 minutes; wait 2 minutes; press line 2; INVITE, SDP’s c=0; 200 OK.]
Call waiting
[Figure: call waiting, continued, among A, B and C. Labels: hold on line 1; 200 OK; talk on line 2.]
Call transfer (unsupervised)
[Figure: unsupervised transfer among A, B1 and B2]
1. REFER B2, Referred-By: B1
2. INVITE B2, Referred-By: B1
3. BYE A
Multi-party features


Permanently or temporarily mixing multiple media streams
Generally, combinations of
– adding conference servers (ad-hoc conferences)
– transfer: use REFER to ask other party to do something
– combinations of who asks whom to do what -> recipient just follows instructions
Third-party call control



Separate signaling and media endpoints
Also sometimes called back-to-back UA (B2BUA)
but some B2BUA’s handle media, too
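[Figure: third-party call control. SIP signaling from the controller to each endpoint, RTP between the endpoints.]
1. INVITE, no SDP
2. 200
3. INVITE, SDP (from 2)
4. 200
5. ACK, SDP (from 4)
6. ACK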
End system vs. Network server
Network server
– Permanent IP address, always on (user can have unique address and can always be reached)
– Ample computational capacity, high bandwidth (conference)
– Indirect user interaction; usually only deals with signaling (based on predefined mechanisms, or indirect user interaction, like through web page)
End system
– Temporary IP address, often powered off (user’s address keeps changing and user cannot be reached at times)
– Limited computational capacity, low bandwidth (one-to-one or small conference)
– Direct user interaction; signaling and media converge (easier to deal with human interaction, easier to deal with interaction with media)
End system vs. Network server
Network server
End system
Information hiding
Busy handling
Logical call distribution
Call transfer
Gateway
Distinctive ringing
Service location examples
Service               End system   Network (proxy)   Network with media (UA)
Distinctive ringing   Yes          Can assist        Can assist
Visual call id        Yes          Can assist        Can assist
Call waiting          Yes          No                Yes(*)
CF busy               Yes          Yes(*)            Yes(*)
CF no answer          Yes          Yes               Yes
CF no device          No           Yes               Yes
Location hiding       No           Yes               Yes
Transfer              Yes          No                No
Conference bridge     Yes          No                Yes
Gateway to PSTN       No           No                Yes
Firewall control      No           No                Yes
Voicemail             Yes          No                Yes
(*) = with information provided by end system
Service architecture
[Figure: programming language model. Labels: service logic; programming interface; SIP server function; requests and responses in and out.]
Programmable service creation


Can’t win by (just) recreating PSTN services
Programmable services:
– equipment vendors, operators: JAIN
– local sysadmin, vertical markets: sip-cgi
– proxy-based call routing: CPL
– voice-based control: VoiceXML
Programmable service creation
                            API    servlets    sip-cgi       CPL
language-independent        no     Java only   yes           own
secure                      no     mostly      can be        yes
end user service creation   no     yes         power users   yes
GUI tools                   no     no          no            yes
Multimedia                  some   yes         yes           yes
call creation               yes    no          no            no
APIs (e.g., JAIN)




Tradition of TAPI, JTAPI, ...
Typically, call model
Treat calls as objects to be manipulated
e.g., JAIN:
– bearer independent (PSTN, IP, ATM)
– protocol-independent (ISUP, SIP, H.323, BICC, ...)
– protocol APIs and application APIs
SIP servlets



Servlet runs in SIP server
Receives SIP objects and processes them
Example: call rejection application
import org.ietf.sip.*;

public class RejectServlet extends SipServletAdapter {
    protected int statusCode;
    protected String reasonPhrase;

    // Read the rejection status code and reason phrase from the servlet configuration.
    public void init(ServletConfig config) {
        super.init(config);
        try {
            statusCode = Integer.parseInt(getInitParameter("status-code"));
            reasonPhrase = getInitParameter("reason-phrase");
        } catch (Exception e) {
            // ... (handling of missing or malformed parameters is elided on the slide)
        }
    }

    // Answer every INVITE with the configured status code and reason phrase.
    public boolean doInvite(SipRequest req) {
        SipResponse res = req.createResponse();
        res.setStatus(statusCode, reasonPhrase);
        res.send();
        return true;
    }
}
sip-cgi

web common gateway interface (cgi):
– oldest (and still most commonly used) interface for dynamic content generation
– web server invokes process and passes HTTP request via
• stdin (POST body)
• environment variables -> HTTP headers, URL
• arguments as POST body or GET headers (?arg1=var1&arg2=var2)
– new process for each request -> not very efficient
– but easy to learn, robust (no state)
– support from just about any programming language (C, Perl, Tcl, Python, VisualBasic, ...)

Adapt cgi model to SIP -> sip-cgi
RFC 3050
sip-cgi

Designed for SIP proxies and end systems:
– call routing
– controlling forking
– call rejection
– call modification (Priority, Call-Info, Alert-Info)
cgi: once per HTTP request
sip-cgi: maintain state via an opaque token
script gets body of request on stdin
script gets SIP headers via environment variables
initiates actions via stdout:
– proxy request
– return response
– generate request
– generate response
sip-cgi examples

Block *@vinylsiding.com:
if (defined $ENV{SIP_FROM} && $ENV{SIP_FROM} =~ /sip:.*\@vinylsiding\.com/) {
    # From header names any user at vinylsiding.com: reject the call
    print "SIP/2.0 600 I can't talk right now\n\n";
}

Make calls from boss urgent:
if (defined $ENV{SIP_FROM} && $ENV{SIP_FROM} =~ /sip:boss\@mycompany\.com/) {
    # get_regs() is not shown on the slide; it supplies the registered contacts
    foreach $reg (get_regs()) {
        print "CGI-PROXY-REQUEST $reg SIP/2.0\n";
        print "Priority: urgent\n\n";
    }
}
Call Processing Language (CPL)








XML-based “language” for processing requests
intentionally restricted to branching and subroutines
no variables, no loops
thus, easily represented graphically
mostly used for SIP, but protocol-independent
integrates notion of calendaring (time ranges)
structured tree describing actions performed on call setup event
top-level events: incoming and outgoing
CPL

Location set stored as implicit global variable
– operations can add, filter and delete entries

Switches:
– address
– language
– time, using CALSCH notation (e.g., exported from Outlook)
– priority
Proxy node proxies request and then branches on response (busy, redirection, noanswer, ...)
Reject and redirect perform corresponding protocol actions
Supports abstract logging and email operation
CPL example
[Figure: CPL decision tree. Nodes: Call; string-switch (field: from; match: *@example.com; otherwise); location (url: sip:jones@example.com); proxy (timeout: 10s; outputs: busy, timeout, failure); location (url: sip:jones@voicemail.example.com; merge: clear); redirect.]
CPL example
<?xml version="1.0" ?>
<!DOCTYPE cpl SYSTEM "cpl.dtd">
<cpl>
  <incoming>
    <lookup source="http://www.example.com/cgi-bin/locate.cgi?user=jones"
            timeout="8">
      <success>
        <proxy />
      </success>
      <failure>
        <mail url="mailto:jones@example.com?Subject=lookup%20failed" />
      </failure>
    </lookup>
  </incoming>
</cpl>
CPL example: anonymous call screening
<cpl>
  <incoming>
    <address-switch field="origin" subfield="user">
      <address is="anonymous">
        <reject status="reject"
                reason="I don't accept anonymous calls" />
      </address>
    </address-switch>
  </incoming>
</cpl>
Billing

PSTN: evolution from distance/time-sensitive per-minute billing
– bucket of minutes
– flat-rate plans (“all you can eat”): Canada, AT&T

Per-minute billing doesn’t fit well:
– SIP sessions can remain open for months, without sending a single packet
– voice silence suppression -> unfair to charge for both directions for large conferences
– incremental value is non-linear
– thus, video unlikely
[Figure: utility vs. bit rate]
Billing and charging

What are we billing for?
– infrastructure
– services
• unlikely to be able to charge for call forwarding for corporate users
• but Yahoo might for residential users
– traffic
• but network cost depends on peak usage, not average usage
• treat all traffic the same?
• 3G: charge more for data traffic than voice traffic?
– escalation of traffic cloaking and detection

A simple billing model
– bill per-minute for calls gatewayed into the PSTN
– bill for services on a subscription basis (e.g., as part of ISP service)
– bill for traffic
• independent of traffic type
• by volume, 95th percentile, congestion pricing
Open Settlement Protocol (OSP)

clearing-house model
AAA = Authentication, Authorization, Accounting



separate SIP protocol elements from making authentication/authorization decisions
allow visited proxy to ask home proxy of visitor whether visitor is legit
accounting:
– resource dimensioning
– apportionment of charges
– commercial billing

three primary protocols:
– RADIUS – used for dial-up servers, popular with ISPs
• can lose data (UDP)
– DIAMETER – successor of RADIUS
• will be used in 3G for AAA
Challenges: Security


Classical model of restricted access systems -> cryptographic security
Objectives:
– identification for access control & billing
– phone/IM spam control (black/white lists)
– call routing
– privacy
SIP security




Bar is higher than for email – telephone expectations (albeit wrong)
SIP carries media encryption keys
Potential for nuisance – phone spam at 2 am
Safety – prevent emergency calls
System model
[Figure: SIP trapezoid with outbound proxy and registrar; binding shown: a@foo.com: 128.59.16.1]
Threats


Bogus requests (e.g., fake From)
Modification of content
– REGISTER Contact
– SDP to redirect media






Insertion of requests into existing dialogs: BYE, reINVITE
Bid-down attacks: attacker gets to pick algorithm
Denial of service (DoS) attacks
Privacy: SDP may include media session keys
Inside vs. outside threats
Trust domains – can proxies be trusted?
Threats

third-party
– not on path
– can generate requests

passive man-in-middle (MIM)
– listen, but not modify



active man-in-middle
replay
cut-and-paste
L3/L4 security options

IPsec
– provides keying mechanism
– but IKE is complex and has interop problems
– works for all transport protocols (TCP, SCTP, UDP, …)
– no credential-fetching API
TLS
– provides keying mechanism
– good credential binding mechanism
– no support for UDP; SCTP in progress
Hop-by-hop security: TLS


Server certificates well-established for web servers
Per-user certificates less so
– email return-address (class 1) certificate not difficult (Thawte, Verisign)

Server can challenge client for certificate -> last-hop challenge
HTTP Digest authentication

Allows user-to-user (registrar) authentication
– mostly client-to-server
– but also server-to-client (Authentication-Info)

Also, Proxy-Authenticate and Proxy-Authorization
– May be stacked for multiple proxies on path
HTTP Digest authentication
REGISTER
To: sip:alice@example.com

401 Unauthorized
WWW-Authenticate: Digest
  realm="alice@example.com",
  qop=auth,
  nonce="dcd9"

REGISTER
To: sip:alice@example.com
Authorization: Digest
  username="alice",
  nc=00000001,
  cnonce="defg",
  response="9f01"

REGISTER
To: sip:alice@example.com
Authorization: Digest
  username="alice",
  nc=00000002,
  cnonce="abcd",
  response="6629"
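The Digest exchange above with qop=auth, as an added Python example (not from the original slides) that computes the response value and has the registrar reject a replayed nonce count. The password, request URI and full-length nonce and cnonce values are constructed; the slide abbreviates them.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """H(A1) = MD5(username:realm:password).

    The verifier needs the password or this value; a crypt()-style hash
    from an existing account database cannot be used to check a response.
    """
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = MD5(H(A1):nonce:nc:cnonce:qop:H(A2)), H(A2) = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username, realm, password, method, uri, nonce, nc, cnonce):
    """Build the Authorization parameters a client sends after a 401."""
    nc_text = f"{nc:08x}"  # nonce count is 8 hex digits, e.g. 00000001
    return {
        "username": username, "realm": realm, "nonce": nonce, "uri": uri,
        "qop": "auth", "nc": nc_text, "cnonce": cnonce,
        "response": digest_response(ha1(username, realm, password),
                                    method, uri, nonce, nc_text, cnonce),
    }


class Registrar:
    """Verifies Authorization parameters; stores H(A1) per user, not passwords."""

    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user
        self.last_nc = {}  # (username, nonce) -> highest nonce count accepted

    def verify(self, method, auth):
        stored = self.ha1_by_user.get(auth.get("username"))
        if stored is None or auth.get("realm") != self.realm:
            return False
        try:
            nc = int(auth["nc"], 16)
            expected = digest_response(stored, method, auth["uri"], auth["nonce"],
                                       auth["nc"], auth["cnonce"], auth["qop"])
            supplied = auth["response"]
        except (KeyError, ValueError):
            return False
        if not hmac.compare_digest(expected.encode(), supplied.encode()):
            return False
        # A captured request replayed with the same nonce and nc is refused.
        key = (auth["username"], auth["nonce"])
        if nc <= self.last_nc.get(key, 0):
            return False
        self.last_nc[key] = nc
        return True


# Constructed values for the walk-through (realm and user are from the slide).
REALM = "alice@example.com"
NONCE = "dcd9c0ffee0123456789abcdef012345"   # constructed
URI = "sip:example.com"                       # constructed request URI
PASSWORD = "constructed-password"             # constructed

if __name__ == "__main__":
    registrar = Registrar(REALM, {"alice": ha1("alice", REALM, PASSWORD)})
    first = client_authorization("alice", REALM, PASSWORD, "REGISTER", URI, NONCE, 1, "defg0001")
    print("nc=1 accepted:", registrar.verify("REGISTER", first))
    print("nc=1 replayed:", registrar.verify("REGISTER", first))
    second = client_authorization("alice", REALM, PASSWORD, "REGISTER", URI, NONCE, 2, "abcd0002")
    print("nc=2 accepted:", registrar.verify("REGISTER", second))
```

The registrar here does not check that the nonce is one it issued or that it is still fresh; that check is separate from the response computation.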
End-to-end authentication

What do we need to prove?
– Person sending BYE is same as sending INVITE
– Person calling today is same as yesterday
– Person is indeed "Alice Wonder, working for Deutsche Bank"
– Person is somebody with account at MCI Worldcom
End-to-end authentication

Why end-to-end authentication?
– prevent phone/IM spam
– nuisance callers
– trust: is this really somebody from my company asking about the new widget?

Problem: generic identities are cheap
– filtering bozo@aol.com doesn't prevent calls from jerk@yahoo.com (new day, same person)
End-to-end authentication and confidentiality

Shared secrets
– only scales (N^2) to very small groups

OpenPGP chain of trust
S/MIME-like encapsulation
– CA-signed (Verisign, Thawte)
• every end point needs to have list of CAs
• need CRL checking
– ssh-style
Ssh-style authentication


Self-signed (or unsigned) certificate
Allows active man-in-middle to replace with own certificate
– always need secure (against modification) way to convey public key

However, safe once established
DOS attacks



CPU complexity: get SIP entity to perform work
Memory exhaustion: SIP entity keeps state (TCP SYN flood)
Amplification: single message triggers group of messages to target
– even easier in SIP, since Via not subject to address filtering
DOS attacks: amplification

Normal SIP UDP operation:
– one INVITE with fake Via
– retransmit 401/407 (to target) 8 times

Modified procedure:
– only send one 401/407 for each INVITE

Suggestion: have null authentication
– prevents amplification of other responses
– E.g., user "anonymous", password empty
DOS attacks: memory



SIP vulnerable if state kept after INVITE
Same solution: challenge with 401
Server does not need to keep challenge nonce, but needs to check nonce freshness
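One way to issue nonces that the server can check for freshness without storing them, as an added Python example that is not part of the original slides. The HMAC construction, the binding to the Call-ID and the 30-second lifetime are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

NONCE_LIFETIME = 30  # seconds; assumption, tune to the expected retry delay


def _mac(key, timestamp, call_id):
    msg = f"{timestamp}:{call_id}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def make_nonce(key, call_id, now=None):
    """Nonce = issue time + MAC over (time, Call-ID) under a server-only key.

    Nothing is stored per challenge, so a flood of unauthenticated INVITEs
    costs one MAC each and no memory.
    """
    timestamp = int(time.time() if now is None else now)
    return f"{timestamp:x}-{_mac(key, timestamp, call_id)}"


def check_nonce(key, nonce, call_id, now=None, lifetime=NONCE_LIFETIME):
    """Return 'fresh', 'stale' or 'invalid' for a nonce echoed by a client.

    'stale' means the MAC is genuine but the nonce is too old: the server can
    answer with a new challenge marked stale=TRUE instead of a plain failure.
    """
    now = int(time.time() if now is None else now)
    try:
        ts_hex, mac = nonce.split("-", 1)
        timestamp = int(ts_hex, 16)
    except ValueError:
        return "invalid"
    expected = _mac(key, timestamp, call_id)
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return "invalid"  # forged, altered, or issued for another Call-ID
    if timestamp > now or now - timestamp > lifetime:
        return "stale"
    return "fresh"


def demo():
    """Constructed walk-through: issue at t=1000, then check at later times."""
    key = os.urandom(32)              # per-server secret, never sent
    call_id = "a84b4c76e66710"        # constructed Call-ID
    nonce = make_nonce(key, call_id, now=1000)
    ts_hex, mac = nonce.split("-", 1)
    pushed_forward = f"{int(ts_hex, 16) + 600:x}-{mac}"  # attacker edits the time
    return {
        "retry after 10 s": check_nonce(key, nonce, call_id, now=1010),
        "retry after 31 s": check_nonce(key, nonce, call_id, now=1031),
        "other Call-ID": check_nonce(key, nonce, "other-call", now=1010),
        "edited timestamp": check_nonce(key, pushed_forward, call_id, now=1610),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A nonce of this kind can still be reused within its lifetime; rejecting reuse needs a nonce-count record, which the server only has to create after a request has authenticated.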
Challenges: NATs and firewalls

NATs and firewalls reduce Internet to web and email service
– firewall, NAT: no inbound connections
– NAT: no externally usable address
– NAT: many different versions -> binding duration
– lack of permanent address (e.g., DHCP) not a problem -> SIP address binding
– misperception: NAT = security
Challenges: NAT and firewalls

Solutions:
– longer term: IPv6
– longer term: MIDCOM for firewall control?
• control by border proxy?
– short term:
• NAT: STUN and SHIPWORM
• send packet to external server
• server returns external address, port
• use that address for inbound UDP packets
Emergency calls

Opportunity for enhanced services:
– video, biometrics, IM

Finding the right emergency call center (PSAP)
– VoIP admin domain may span multiple 911 calling areas


Common emergency address
User location
– GPS doesn’t work indoors
– phones can move easily – IP address does not help
Emergency calls
common emergency identifier: sos@domain
[Figure: emergency call routing; elements shown: EPAD, SIP proxy. Messages shown, in slide order:]
REGISTER sip:sos
302 Moved
Contact: sip:sos@psap.leonia.nj.us
Contact: tel:+1-201-911-1234
Location: 07605
INVITE sip:sos
Location: 07605
INVITE sip:sos@psap.leonia.nj.us
Location: 07605
Scaling and redundancy

Single host can handle 10-100 calls + registrations/second -> 18,000-180,000 users
– 1 call, 1 registration/hour

Conference server: about 50 small conferences or large conference with 100 users
For larger system and redundancy, replicate proxy server
Scaling and redundancy

DNS SRV records allow static load balancing and
fail-over
– but failed systems increase call setup delay
– can also use IP address “stealing” to mask failed systems, as long
as load < 50%

Still need common database
– can separate REGISTER
– make rest read-only
Large system
[Figure: large system. Stateless proxies sip1.example.com, sip2.example.com, sip3.example.com; servers a1.example.com, a2.example.com, b1.example.com, b2.example.com; sip:bob@example.com is rewritten to sip:bob@b.example.com.]
_sip._udp SRV 0 0 sip1.example.com
              0 0 sip2.example.com
              0 0 sip3.example.com
_sip._udp SRV 0 0 b1.example.com
              0 0 b2.example.com
Enterprise VoIP



Allow migration of enterprises to IP multimedia communication
Add capacity to existing PBX, without upgrade
Allow both
– IP centrex: hosted by carrier
– “PBX”-style: locally hosted
– Unlike classical centrex, transition can be done transparently
Motivation



Not cheaper phone calls
Single number, follow-me – even for analog phone users
Integration of presence
– person already busy – better than callback
– physical environment (IR sensors)

Integration of IM
– no need to look up IM address
– missed calls become IMs
– move immediately to voice if IM too tedious
Migration strategy
1. Add IP phones to existing PBX or Centrex system – PBX as gateway
– Initial investment: $2k for gateway
2. Add multimedia capabilities: PCs, dedicated video servers
3. “Reverse” PBX: replace PSTN connection with SIP/IP connection to carrier
4. Retire PSTN phones
Example: Columbia Dept. of CS

About 100 analog phones on small PBX
– DID
– no voicemail





T1 to local carrier
Added small gateway and T1 trunk
Call to 7134 becomes sip:7134@cs
Ethernet phones, soft phones and conference room
CINEMA set of servers, running on 1U rackmount server
CINEMA components
[Figure: CINEMA components. Servers: sipd (proxy/redirect server) with MySQL user database and LDAP server; sipconf (conferencing server, MCU); rtspd (RTSP media server); sipum (unified messaging server); sipvxml (VoiceXML server); sip-h323 (SIP-H.323 converter). Clients and attachments: sipc, Cisco 7960, Pingtel, plug'n'sip, wireless 802.11b, PhoneJack interface. PSTN side: Cisco 2600, T1, Nortel Meridian PBX.]
Experiences

Need flexible name mapping
– Alice.Cueba@cs -> alice@cs
– sources: database, LDAP, sendmail aliases, …

Automatic import of user accounts:
– In university, thousands each September
• /etc/passwd
• LDAP, ActiveDirectory, …
– much easier than most closed PBXs

Integrate with Ethernet phone configuration
– often, bunch of tftp files

Integrate with RADIUS accounting
Experiences

Password integration difficult
– Digest needs plain-text, not hashed


Different user classes: students, faculty, admin, guests, …
Who pays if call is forwarded/proxied?
– authentication and billing behavior of PBX and SIP system may differ
– but much better real-time rating
SIP doesn’t have to be in a phone
Event notification


Missing new service in the Internet
Existing services:
– get & put data, remote procedure call: HTTP/SOAP (ftp)
– asynchronous delivery with delayed pick-up: SMTP (+ POP, IMAP)

Do not address asynchronous (triggered) + immediate
Event notification

Very common:
– operating systems (interrupts, signals, event loop)
– SNMP trap
– some research prototypes (e.g., Siena)
– attempted, but ugly:
• periodic web-page reload
• reverse HTTP
SIP event notification

Uses beyond SIP and IM/presence:
– Alarms (“fire on Elm Street”)
– Web page has changed
• cooperative web browsing
• state update without Java applets
– Network management
– Distributed games
Conclusion


Service creation as central reason for IP telephony
Beyond replication of PSTN services:
– modularity
– easy interface to external databases
– user-created services
– interface to web services (SOAP)
– event model as versatile service component
Security as core component
– protect users against impersonation, phone/IM spam
– user privacy
– operator protection often secondary
• unless SIP is used in billing

Deploying SIP services
– example of a PBX-like service