Download presentation


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • The market problem faced by VoIP carriers is: Routing, there are many, many VoIP domains that can terminate calls to the PTSN. How to find the IP address of the terminating domain at the far edge of the network to complete the call? Factors for routing decision include price, quality and interoperability. Managing all the interconnect relationships is not practical. Access Control, the terminating network wants to accept and be paid for terminating traffic. But maintaining access control from a large and constantly changing list of originating domains is not practical. 3. Accounting, how to account for all traffic exchanged among all possible interconnections?
  • OSP has been a global standard for inter-domain transaction authorization and accounting since 1998. Version 4.1.1 of OSP was
  • Encryption using asymetric keys works. However, encryption with symmetric keys can be faster. If so, then as with SLL/TLS, use asymmetric keys for mutual authentication and sharing of a temporary symmetric key for encryption.
  • Download presentation

    1. 1. Developing Secure, Multi-lateral Peer to Peer SIP Applications [email_address] VoIP Developer Conference 4 Aug 2004 – San Jose
    2. 2. Market Problem Ethernet Switch Router PSTN PSTN PSTN PSTN Internet or IP Network €£¥$ call Originating Domain Terminating Domain ? Service Provider POP Routing Access Control Accounting Settlement V V
    3. 3. Current Status <ul><li>ENUM provides a solution for peer to peer route discovery </li></ul><ul><li>But how to handle? </li></ul><ul><ul><li>Inter-domain Access control </li></ul></ul><ul><ul><li>Accounting </li></ul></ul><ul><ul><li>Backwards compatibility with Operational Support Systems for H.323 networks </li></ul></ul><ul><ul><li>Evolution to new services </li></ul></ul>
    4. 4. Solution: Open Settlement Protocol <ul><li>Open Settlement Protocol (OSP): </li></ul><ul><ul><li>Global standard for inter-domain transaction authorization and usage reporting. </li></ul></ul><ul><ul><li>Developed by ETSI in 1998, now in version 4.1.1 </li></ul></ul><ul><ul><li>Based on existing standards </li></ul></ul><ul><ul><li>Uses Asymmetric Public Key Infrastructure (PKI) services for non-repudiation of transactions </li></ul></ul><ul><ul><li>Broad support: Cisco, Alcatel, Radvision, UTStarcom, Mediaring, ISDN Communications, Veraz, Vovida, Asterisk </li></ul></ul><ul><ul><li>Protocol Independent </li></ul></ul><ul><ul><ul><li>Works with SIP, H.323, SMS, MMS … </li></ul></ul></ul>
    5. 5. Details on OSP <ul><li>Message Formats </li></ul><ul><ul><li>Multipurpose Internet Mail Extensions (MIME) </li></ul></ul><ul><ul><li>eXtensible Markup Language (XML) </li></ul></ul><ul><ul><li>Secure MIME </li></ul></ul><ul><li>Communication Protocols </li></ul>
    6. 6. OSP Message Example --bar Content-Type: application/pkcs7-signature Content-Length: 191 GhyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIG fHfYT64VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756t bB9HGTrfvbnjn8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfH fYT6ghyHhHUujpfyF47GhIGfHfYT64VQbnj756 --bar-- Digital Signature --bar Content-Type: text/plain Content-Length: 524 <?xml version='1.0'?> <Message messageId=&quot;123454321&quot; random=&quot;12345678&quot;> <AuthorizationRequest componentId=&quot;9876567890&quot;> <Timestamp> 1998-04-24T17:03:00Z </Timestamp> <CallId> 1234432198766789 </CallId> <SourceInfo type=&quot;e164&quot;> 81458811202 </SourceInfo> <DestinationInfo type=&quot;e164&quot;> 4766841360 </DestinationInfo> <Service/> <MaximumDestinations> 5 </MaximumDestinations> </AuthorizationRequest> </Message> Message Content POST scripts/settlements HTTP/1.0 content-type: multipart/signed; protocol=&quot;application/pkcs7-signature&quot;; micalg=sha1; boundary=bar content-length: 844 HTTP Header
    7. 7. Overview I - How OSP Works <ul><li>Route discovery </li></ul><ul><li>Inter-domain access control </li></ul>IP Network OSP Server Domain A Domain B Authentication Authorization Token SIP INVITE with Token RTP
    8. 8. Overview II - How OSP Works <ul><li>CDR collection </li></ul>IP Network OSP Server Domain A Domain B Accounting: Encrypted CDR Accounting: Encrypted CDR
    9. 9. The Basics of Public-key Cryptosystems <ul><li>Critical Points: </li></ul><ul><li>Public / Private keys used for encryption / decryption and digital signatures </li></ul><ul><li>Public keys are public – easy to distribute </li></ul><ul><li>A digital certificate signed by a trusted 3 rd party ensures the public-key is legitimate </li></ul><ul><li>Digital signatures provide data integrity, authentication and non-repudiation </li></ul><ul><li>Certificates may be chained from a root authority </li></ul>Security services between parties rely on the exchange of public keys and security of corresponding private keys.
    10. 10. Establishing PKI Security Services SIP Device Certificate Authority for Peer to Peer Authorization (OSP Server) Client Device requests public-key and certificate from CA CA sends its public key and its certificate Client Device sends certificate request to CA CA returns signed certificate Sign with CA private key VoIP Device Information VoIP Device Public Key Certified by Cert. Authority CA Signature Certificate
    11. 11. Source Peer Authentication <ul><li>Routing request to OSP Server is digitally signed with VoIP device’s private key. </li></ul><ul><li>OSP server verifies client signature with client’s public key to authenticate routing request. </li></ul>IP Network OSP Server Carrier A Authentication
    12. 12. Inter-Domain Access Control <ul><li>OSP Server digitally signs authorization token </li></ul><ul><li>Authorization token included in SIP Invite </li></ul><ul><li>Domain B has no trusted relationship with Domain A, but verifies digital signature with CA public key </li></ul><ul><li>Carrier can retain digital signature for non-repudiation </li></ul>IP Network OSP Server Domain A Domain B Authorization Token SIP INVITE with Token
    13. 13. Authorization Token <ul><li>Destination </li></ul><ul><ul><li>IP address, domain name, sip uri, tel uri, E164, trunk group </li></ul></ul><ul><li>Destination Protocol </li></ul><ul><ul><li>SIP, Q931, H323-LRQ </li></ul></ul><ul><li>Transaction ID </li></ul><ul><li>Service Type, Bandwidth, Number of Channels </li></ul><ul><li>Call ID, Session ID, MultiSession ID </li></ul><ul><li>Valid after – Valid Until </li></ul><ul><li>Authorized amount </li></ul><ul><ul><li>Seconds, packets, bytes, pages, call, session </li></ul></ul><ul><li>Authority URL </li></ul>
    14. 14. Secure Accounting <ul><li>Domains A and B encrypt CDRs with CA public key </li></ul><ul><li>OSP Server decrypts CDR with CA private key </li></ul><ul><li>For auditing, OSP Server can request in real time that a domain digitally sign a batch of CDRs </li></ul>IP Network OSP Server Domain A Domain B Accounting: Encrypted CDR Accounting: Encrypted CDR
    15. 15. Benefits of secure multi-lateral peering <ul><li>Eliminates signaling bottlenecks </li></ul><ul><li>Greater access to restricted networks </li></ul><ul><li>Access control is greatly simplified </li></ul><ul><ul><li>IP access lists eliminated </li></ul></ul><ul><ul><li>Asymmetric key management is simpler and more secure than shared secrets </li></ul></ul><ul><li>Standards based format for CDRs </li></ul><ul><li>Protocol independent </li></ul><ul><ul><li>Single back office can support SIP and H.323 </li></ul></ul><ul><li>Can support future IP services </li></ul>
    16. 16. Open Source Tools <ul><li> </li></ul><ul><ul><li>Open source SIP PBX supports OSP </li></ul></ul><ul><li> </li></ul><ul><ul><li>Open source certificate authority </li></ul></ul><ul><ul><li>Plus many others </li></ul></ul><ul><li> </li></ul><ul><ul><li>Open source OSP server </li></ul></ul><ul><ul><li>Formally part of Vovida, merged with SIP Foundry </li></ul></ul><ul><li> </li></ul><ul><ul><li>Open source OSP client stack </li></ul></ul>