Microsoft PowerPoint - Course-08 [Compatibility Mode]
  1. Advanced Issues - Wireless VoIP, IPv6 and Security
     陳懷恩, Ph.D., Assistant Professor and Head of the Information Network Division, Computer Center; Institute of Computer Science and Information Engineering, National Ilan University
     Email: wechen@niu.edu.tw, TEL: 03-9357400 # 340
  2. Outline
     • Wireless VoIP
     • IPv6 Solutions and Transition
     • SIP Security
  3. Wireless VoIP
  4. Introduction to wireless VoIP
     • Voice over Wireless LAN expands the capability of Wireless LANs.
     • Wireless VoIP is a natural extension of VoIP.
     • Wireless VoIP is the added feature that will enable users to make phone calls over this mobile Internet access.
  5. Introduction to wireless VoIP: VoIP and Wireless LAN
     • VoIP: SIP, RTP, H.323
     • Wireless LAN: WiFi (802.11a/b/g), WiMAX (802.16), 802.20
  6. Introduction to wireless VoIP: Wireless VoIP protocol stack (figure)
  7. Why wireless VoIP? Low cost
     • Free charge of the ISM band: ISM band: free (2.4-2.4835 GHz); 3G band: NTD 10 billion
     • Inexpensive network deployment: reuse of the existing network, and easy to set up; low cost of an Access Point vs. high cost of a Base Station
  8. Why wireless VoIP? Low complexity
     • Centralized architecture in the cellular network: the PBX contains most of the intelligence of the network; the proprietary system is hard to maintain
     • Decentralized architecture in the VoIP network: intelligence is implemented in the User Agent; easy to maintain
  9. Why wireless VoIP? Low transmission power
     • Small coverage of the AP, so small transmission power is needed: GSM: 500 mW ~ 2 W; WLAN: < 100 mW
     • Easy to provide value-added services: voice and data services are integrated into VoIP; flexibility of the SIP protocol
  10. Why wireless VoIP? Market trend
     • The Voice over WLAN market will reach $507 million (end-user revenue) by 2007 (In-Stat/MDR)
     • Voice over WLAN handsets will grow by more than 89 percent annually until 2007, when there will be more than 653,000 (On World)
  11. Requirements of wireless VoIP: Performance
     • Voice quality must be as good as on the wired network: delay > 100 ms is perceptible by humans; low latency: < 50 ms latency is recommended
     • Reliable transmission over the wireless channel: low packet loss rate
     • User mobility management: support roaming between wireless networks
  12. Requirements of wireless VoIP: Capacity management
     • Heavy traffic load increases the packet loss rate and latency; the number of users must be controlled
     • Channel assignment: 11 channels in 802.11b; manage the operating channel among adjacent Access Points
  13. Requirements of wireless VoIP: Security
     • Data ciphering: the wireless channel is insecure; data over wireless should be protected
     • AAA: Authentication: legal user identification; Authorization: different service levels; Accounting: billing statistics
     • Location tracking
  14. Challenges of wireless VoIP
     • Due to the requirements of wireless VoIP, several issues should be solved: user mobility, power consumption, security, QoS, capacity, and other related issues
  15. Challenges of wireless VoIP: User mobility
     • User mobility is an important feature of wireless VoIP
     • Concern on two factors: handoff latency; packet loss rate
     • Seamless handoff: fast handover (reducing handoff latency); smooth handover (reducing packet loss during handoff)
  16. Challenges of wireless VoIP: Power consumption issue
     • Limited battery power is available at the mobile device
     • System: CPU, memory, LCD, DSP/codec
     • WLAN: physical layer: radio frequency; MAC layer: 802.11a/b/g, 802.16, and 802.20...; network layer: TCP/IP
  17. Challenges of wireless VoIP: Security issue
     • Data ciphering: WEP, 802.11i
     • AAA (Authentication, Authorization, Accounting): 802.1x, RADIUS, DIAMETER
  18. Challenges of wireless VoIP: QoS issue
     • Voice quality depends on the delay and loss rate of packets
     • No QoS guarantee in legacy 802.11 DCF, since each mobile device contends for the channel using CSMA/CA
     • Some proprietary QoS schemes have been proposed, but QoS is still an open issue
  19. Challenges of wireless VoIP: Capacity issue
     • Voice quality is a key component of voice service (real-time, high throughput)
     • The CSMA/CA mechanism limits the maximum number of subscribers under the AP
     • A VoIP stream typically requires less than 10 Kbps; ideally, the number of simultaneous VoWLAN sessions is 11M / (10K * 2) = 550
     • However, the maximum number of VoIP sessions is about 12 if GSM 6.10 (13.2 Kbps) is used
  20. Challenges of wireless VoIP: Other related issues: Codec compression
     • To maximize the wireless bandwidth for voice, intelligent use of a compression codec is important
     • It often requires hardware assistance; the target device is hardware dependent and needs to be specially designed
  21. Challenges of wireless VoIP: Other related issues: Combining WLAN and cellular
     • WLAN: high bandwidth, low cost, multimedia service, video phone
     • Cellular: large coverage, high mobility, mature billing system, popularity
  22. Challenges of wireless VoIP: Other related issues: Combining WLAN and cellular (figure)
  23. Summary for Wireless VoIP
     • The existing wireless VoIP solutions may not be robust and reliable enough to support deployment for a large base of users
     • QoS of wireless VoIP is always an open issue
     • Security and the capabilities for fast handoff between APs still need improvement
  24. IPv6 Solutions and Transition
  25. IP Header [1/2]
     • Version: 4
     • Header Length
     • Type of Service
     • Total Length
     • Identification, Flags, and Fragment Offset: a datagram can be split into fragments; Identification identifies the data fragments; the Flags state whether a datagram can be fragmented or not and indicate the last fragment
     • TTL: a number of hops (not a number of seconds)
  26. IP Header [2/2]
     • Protocol: the higher-layer protocol, e.g. TCP (6), UDP (17)
     • Source and Destination IP Addresses
  27. IP Version 6
     • Motivation: the explosive growth of the Internet; the 32-bit IPv4 address space; real-time and interactive applications
     • Expanded address space, 128 bits
     • Simplified header format, enabling easier processing of IP datagrams
     • Improved support for headers and extensions, enabling greater flexibility for the introduction of new options
     • Flow-labeling capability: better support at the IP level for real-time applications
     • Authentication and privacy
  28. IPv6 Header [1/3] (figure)
  29. IPv6 Header [2/3]
     • Version: 6
     • Traffic Class, 8-bit: for the quality of service
     • Flow Label, 20-bit: labels sequences of packets that belong to a single flow; a flow := source address, destination address, flow label
  30. IPv6 Header [3/3]
     • Payload Length, 16-bit unsigned integer: the length of the payload in octets; header extensions are part of the payload
     • Next Header, 8-bit: the next higher-layer protocol, the same as the IPv4 Protocol field, or the existence of IPv6 header extensions
     • Hop Limit, 8-bit unsigned integer: the TTL field of the IPv4 header
     • Source and Destination Addresses, 128-bit
  31. IPv6 addresses
     • XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX, where X is a hexadecimal character, e.g. 1511:1:0:0:0:FA22:45:11
     • The symbol "::" can be used to represent a number of contiguous fields with zero values: 1511:1:0:0:0:FA22:45:11 = 1511:1::FA22:45:11; 0:0:0:0:AA11:50:22:F77 = ::AA11:50:22:F77
     • "::" can appear only once
  32. IPv6 special addresses
     • The all-zeros address (::): an unspecified address; a node does not yet know its address
     • The loopback address (::1): on a virtual internal interface
     • IPv6 address with embedded IPv4 address (type 1): 96-bit zeros + 32-bit IPv4 address, e.g. ::140.113.17.5; used by IPv6 hosts and routers that tunnel IPv6 packets through an IPv4 infrastructure
     • IPv6 address with embedded IPv4 address (type 2): 80-bit zeros + FFFF + 32-bit IPv4 address, 0:0:0:0:0:FFFF:140.113.17.5 = ::FFFF:140.113.17.5; applied to nodes that do not support IPv6
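An added Python example, not code from the slides, that applies the address rules of slides 31 and 32 (and the scope-id suffix of slide 45): expanding a "::" abbreviation into eight groups, compressing back to the shortest form, and naming the two embedded-IPv4 forms. It goes beyond the slides' examples by rejecting a second "::" and an embedded IPv4 address that is not in the final position, the two inputs a SIP stack's address parser most often gets wrong.

```python
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")
DOTTED_V4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def _ipv4_groups(dotted):
    """Dotted IPv4 text -> the two 16-bit groups of the low 32 bits."""
    m = DOTTED_V4.match(dotted)
    if not m or any(int(o) > 255 for o in m.groups()):
        raise ValueError("bad embedded IPv4 address: %r" % dotted)
    a, b, c, d = (int(o) for o in m.groups())
    return [(a << 8) | b, (c << 8) | d]


def _parse_fields(part, whole):
    """Colon-separated fields -> 16-bit groups; a dotted field must come last."""
    groups, fields = [], (part.split(":") if part else [])
    for i, field in enumerate(fields):
        if "." in field:
            if i != len(fields) - 1:
                raise ValueError("embedded IPv4 must be the last field: %r" % whole)
            groups.extend(_ipv4_groups(field))
        elif HEX_GROUP.match(field):
            groups.append(int(field, 16))
        else:
            raise ValueError("bad field %r in %r" % (field, whole))
    return groups


def expand_ipv6(text):
    """Eight 16-bit groups of an IPv6 address.  '::' stands for one or more
    zero groups and may appear only once (slide 31); the low 32 bits may be
    dotted IPv4 (slide 32); a scope-id suffix such as '%3' (slide 45) is dropped."""
    addr = text.partition("%")[0]
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % text)
    head, sep, tail = addr.partition("::")
    if sep and "." in head:
        raise ValueError("embedded IPv4 must be the last field: %r" % text)
    left, right = _parse_fields(head, text), _parse_fields(tail, text)
    missing = 8 - len(left) - len(right)
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError("expected 8 groups: %r" % text)
    return left + [0] * missing + right


def compress_ipv6(groups, embed_ipv4=False):
    """Shortest text form (RFC 5952 style): lowercase hex and the longest run
    of two or more zero groups written as '::'; embed_ipv4 keeps the low 32
    bits in dotted form, as in ::140.113.17.5 and ::ffff:140.113.17.5."""
    fields = ["%x" % g for g in groups[:6]]
    if embed_ipv4:
        fields.append("%d.%d.%d.%d" % (groups[6] >> 8, groups[6] & 0xFF,
                                       groups[7] >> 8, groups[7] & 0xFF))
    else:
        fields += ["%x" % g for g in groups[6:]]
    best, best_len, i = 0, 0, 0
    while i < len(fields):                  # find the longest run of "0" fields
        j = i
        while j < len(fields) and fields[j] == "0":
            j += 1
        if j - i > best_len:
            best, best_len = i, j - i
        i = j + 1
    if best_len < 2:
        return ":".join(fields)
    return ":".join(fields[:best]) + "::" + ":".join(fields[best + best_len:])


def classify(text):
    """Name the special forms of slide 32, or 'regular'."""
    g = expand_ipv6(text)
    if g == [0] * 8:
        return "unspecified"
    if g == [0] * 7 + [1]:
        return "loopback"
    if g[:6] == [0] * 6:
        return "ipv4-compatible"            # 96 zero bits + IPv4
    if g[:5] == [0] * 5 and g[5] == 0xFFFF:
        return "ipv4-mapped"                # 80 zero bits + FFFF + IPv4
    return "regular"
```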
  33. IPv6 Header Extensions
     • Placed between the fixed header and the actual data payload
     • Next Header: the type of payload carried in the IP datagram, or the type of header extension
     • Each extension has its own Next Header field
  34. Header extension: use the Next Header field (figure)
  35. UDP Client/Server Programming
     • UDP client: socket → sendto → recvfrom → close/closesocket
     • UDP server: socket → bind → recvfrom → sendto → close/closesocket
     • These functions are the same for both IPv4 and IPv6.
  36. IPv4/IPv6 Socket Parameter Mapping (socket parameter name conversion, IPv4 → IPv6)
     • AF_INET → AF_INET6
     • PF_INET → PF_INET6
     • IN_ADDR_ANY → inaddr6_any
  37. IPv4/IPv6 Data Structure Mapping (data structure conversion, IPv4 → IPv6)
     • in_addr → in6_addr
     • sockaddr → sockaddr_in6
     • sockaddr_in → sockaddr_in6
  38. IPv4/IPv6 Data Structure Mapping (data structure member conversion, IPv4 → IPv6)
     • sin_len → sin6_len
     • sin_family → sin6_family
     • sin_port → sin6_port
     • sin_addr → sin6_addr
     • s_addr → s6_addr
  39. Domain Name and IP Conversion APIs (function conversion, IPv4 → IPv6)
     • Name-to-address functions: inet_aton(), inet_addr() → inet_pton(); inet_ntoa() → inet_ntop()
     • Address conversion functions: gethostbyname() → getipnodebyname(), getaddrinfo(); gethostbyaddr() → getipnodebyaddr(), getnameinfo()
  40. Results of using Checkv4.exe (figure)
  41. IPv4 SIP User Agent
     • Provided by CCL/ITRI and NTPO
     • SIP-based VoIP phone running on Windows
     • Supports the H.263 video codec
     • Supports the G.711u/G.711a/G.723/G.729 audio codecs
     • Supports registration
     • Supports authentication
  42. GUI Problem
     • The IP Address Control (A) is IPv4-specific: it does not accept a domain name or an IPv6 address
     • The variable-length input component (B)
  43. Get Local Address
     • The SIP User Agent should provide the IPv4 and IPv6 addresses of the local host.
     • The IPHelper functions: Microsoft Windows provides this function from Windows 98; this solution works on both Windows XP and 2003; it is a Windows-only solution; function name: GetAdaptersAddresses()
  44. Parsing IPv6 URI in SIP and SDP
     • IPv4 SIP URI: sip:wechen@140.113.131.12:5060
     • IPv6 SIP URI: sip:wechen@[3ffe:1345:5643::3]:5060
     • The IPv4 parser assumes that a colon separates the IP address and the port number, so the SIP parser in the SIP and SDP protocol stacks should be modified to process an IPv6 address and port number.
     • IP6 address type and IPv6 address in the Session Description Protocol (SDP): c=IN IP6 FE80:60::2
  45. IPv6 Link-local Address Problem
     • Link-local IPv6 address with scope-id, e.g. fe80::201:2ff:fe85:37ed%3
     • Used by link-local addresses to identify the same address on different interfaces
     • The scope-id must be specified when connecting to sites using a link-local address
     • An extra parameter should be added to the data structure
  46. Porting IPv4 SIP UA to IPv6: Results
     • The IPv4 SIP UA contains about 100,000 lines of code in 150 files.
     • We changed about 600 lines of code in 39 files.
     • About 300 lines of code are not identified by checkv4.exe.
     • The SIPv6 UA supports IPv4 or IPv6 communication: IPv6 addresses in SIP and SDP; IPv6 addresses in the GUI
  47. Result: A SIPv6 User Agent (figure: two SIPv6 UAs, one at the NCTU VoIP Lab and one at the Showroom, each on an IPv6 network behind a dual-stack router, with signaling tunneled across the IPv4 Internet)
     • Steps: 1. Configuration; 2. Dialing; 3. SIP signaling; 4. Video over RTP using IPv6 addresses
     • Signaling: 3.1 INVITE → 3.2 INVITE (tunnel) → 3.3 INVITE; 3.4 200 OK → 3.5 200 OK (tunnel) → 3.6 200 OK; 3.7 ACK → 3.8 ACK (tun
nel) → 3.9 ACK; 4. RTP
     • Legend: SIP signaling (IPv6); SIP signaling (tunnel)
  48. Why do we need to modify our applications?
     • (figure: an IPv4 application, an IPv6 application and a v4/v6 protocol-independent application over WinSock on a dual-stack host; TCP/UDP over IPv4 via AF_INET and TCP/UDPv6 over IPv6 via AF_INET6, sharing the PHY & MAC)
     • Some socket APIs, parameters and data structures of IPv6 are different from those of IPv4 and should be modified.
  49. Socket-layer Translator (SLT)
     • Components under the IPv4 applications: Function Mapper, Address Mapper, Name Resolver
     • Users can access IPv6 resources through IPv4 applications and the SLT.
  50. Address Translation Example: Originator (dual-stack host running an IPv4 application, with Name Resolver, Address Mapper and Translator, reaching Host6 through DNS)
     • The application resolves an IPv4 address for "host6"
     • The Name Resolver queries 'A' and 'AAAA' for host6; DNS replies only with 'AAAA'
     • The Name Resolver requests one IPv4 address from the Address Mapper (internal IPv4 address allocation); the Address Mapper replies with the IPv4 address; the Name Resolver replies to the application with the 'A' record
     • The application sends an IPv4 packet to Host6; the Translator requests the IPv6 address (translation v4->v6) from the Address Mapper, gets the IPv6 address, translates IPv4 to IPv6 and sends an IPv6 packet
     • An IPv6 packet (reply) arrives; the Translator requests the IPv4 address (translation v6->v4), gets it, translates IPv6 into IPv4 and delivers an IPv4 packet to the application
  51. Address Translation Example: Recipient (dual-stack host running an IPv4 application, with Address Mapper, Translator and Name Resolver, receiving from Host6)
     • An IPv6 packet arrives from "host6"; the Translator requests the IPv4 address from the table (translation v6->v4), gets it, translates the IPv6 header to IPv4 and delivers an IPv4 packet to the application
     • The application replies with IPv4 data to "host6"; the Translator requests the IPv6 address from the table (translation v4->v6), gets it, translates the v4 packet to v6 and sends an IPv6 packet
  52. SIPv6 Translator
     • Through manual modification and the Socket-layer Translator, we have IPv6 SIP UAs (SIPv6 UAs). However, only using SIPv6 UAs, which can utilize rich IPv6 addresses, does NOT solve the IP address shortage problem in VoIP deployment, because a SIPv6 UA cannot communicate with a SIPv4 UA (e.g. CISCO 7960).
     • To solve this problem, we developed a SIPv6 Translator based on the architecture proposed in IETF RFC 2766 (Network Address Translation and Protocol Translation, NAT-PT). The SIPv6 Translator is a gateway between IPv6 and IPv4 networks. The SIPv6 Translator can translate not only the IP headers but also the application-layer headers (e.g. SIP and SDP).
  53. NAT-PT with DNS-ALG (figure)
     • IPv6 network: DNS1 3ffe:3600:1::2; UA1 3ffe:3600:1::3 (ua1.ipv6.nctu.edu.tw)
     • IPv4 network: DNS2 140.113.87.1; UA2 140.113.87.2 (ua2.ipv4.nctu.edu.tw)
     • The DNS-ALG and the translator sit between the two networks
     • The NAT-PT translator configuration: address pool 140.113.87.51-60; NAT-PT prefix 3ffe:3600:2::/96
  54. NAT-PT operations with DNS-ALG (IPv6 → IPv4)
     • 1.1 UA1 sends a DNS Query (AAAA); 1.2 the DNS-ALG forwards the DNS Query (AAAA) to DNS1; 1.3 a DNS Query (A) goes to DNS2; 1.4 DNS Response (A)
     • 1.5-1.8 the DNS Response (AAAA) travels back through the DNS-ALG to UA1
     • 1.9 ICMPv6 message (MAC address query); 1.10 ICMPv6 message (MAC address response); 1.11 IPv6 packet from UA1 to the NAT-PT
     • 1.12 ARP message (MAC address query); 1.13 ARP message (MAC address response); 1.14 IPv4 packet from the NAT-PT to UA2
  55. NAT-PT operations with DNS-ALG (IPv4 → IPv6)
     • 2.1 UA2 sends a DNS Query (A); 2.2 the DNS-ALG forwards the DNS Query (A); 2.3-2.4 DNS Query (AAAA) to DNS1; 2.5 DNS Response (AAAA)
     • 2.6-2.8 the DNS Response (A) travels back through the DNS-ALG to UA2
     • 2.9 ARP message (MAC address query); 2.10 ARP message (MAC address response); 2.11 IPv4 packet from UA2 to the NAT-PT
     • 2.12 ICMPv6 message (MAC address query); 2.13 ICMPv6 message (MAC address response); 2.14 IPv6 packet from the NAT-PT to UA1
  56. System Architecture of SIPv6 Translator (figure: IPv6-IPv4 SIIT component with address mapping)
     • ALG: Application Level Gateway
     • DNS: Domain Name Service
     • SIP: Session Initiation Protocol
     • NIC: Network Interface Controller
     • SIIT: Simple IP and ICMP Translation; see IETF RFC 2765
     • NAT-PT: Network Address Translation and Protocol Translation; see IETF RFC 2766
  57. IPv4/IPv6 Translation for Registration (UA3 on the IPv6 network, the SIP-ALG, and the SIPv4 Server on the IPv4 network)
     • 3.1 REGISTER sip.ipv4.nctu.edu.tw (UA3 → SIP-ALG)
       Via: SIP/2.0/UDP [3ffe:3600:1::4]:5060
       To: <sip:1234@ipv4.nctu.edu.tw>
       From: <sip:3456@ipv4.nctu.edu.tw>
       Contact: <sip:1234@[3ffe:3600:1::3]:5060>
     • 3.2 REGISTER sip.ipv4.nctu.edu.tw (SIP-ALG → SIPv4 Server)
       Via: SIP/2.0/UDP 140.113.87.53:5061
       To: <sip:1234@ipv4.nctu.edu.tw>
       From: <sip:3456@ipv4.nctu.edu.tw>
       Contact: <sip:1234@140.113.87.52:5061>
     • 3.3 200 OK (SIPv4 Server → SIP-ALG)
       Via: SIP/2.0/UDP 140.113.87.53:5061
       To: <sip:1234@ipv4.nctu.edu.tw>
       From: <sip:3456@ipv4.nctu.edu.tw>
       Contact: <sip:1234@140.113.87.52:5061>
     • 3.4 200 OK (SIP-ALG → UA3)
       Via: SIP/2.0/UDP [3ffe:3600:1::4]:5060
       To: <sip:1234@ipv4.nctu.edu.tw>
       From: <sip:3456@ipv4.nctu.edu.tw>
       Contact: <sip:1234@[3ffe:3600:1::3]:5060>
  58. IPv4/IPv6 Translation for INVITE Transaction (IPv4 → IPv6): UA2 on the IPv4 network, the SIPv4 Server, the NAT-PT / SIP-ALG, and UA1 on the IPv6 network
     • 4.1 INVITE sip:1234@sip.ipv4.nctu.edu.tw (UA2 → SIPv4 Server)
       Via: SIP/2.0/UDP 140.113.87.2:5060
       Contact: <sip:5678@sip.ipv4.nctu.edu.tw>
       c=IN IP4 140.113.87.2
       m=Audio 9000 RTP/AVP 0 4 8
     • 4.2 INVITE sip:1234@140.113.87.52:5061 (SIPv4 Server → NAT-PT)
       Via: SIP/2.0/UDP 140.113.87.40:5060
       Via: SIP/2.0/UDP 140.113.87.2:5060
       Contact: <sip:5678@sip.ipv4.nctu.edu.tw>
       c=IN IP4 140.113.87.2
       m=Audio 9000 RTP/AVP 0 4 8
     • 4.3 INVITE sip:1234@[3ffe:3600:1::3]:5060 (NAT-PT → UA1)
       Via: SIP/2.0/UDP [3ffe:3600:2::140.113.87.40]:5060
       Via: SIP/2.0/UDP 140.113.87.2:5060
       Contact: <sip:5678@sip.ipv4.nctu.edu.tw>
       c=IN IP6 3ffe:3600:2::140.113.87.2
       m=Audio 9000 RTP/AVP 0 4 8
     • 4.4 200 OK (UA1 → NAT-PT)
       Via: SIP/2.0/UDP [3ffe:3600:2::140.113.87.40]:5060
       Via: SIP/2.0/UDP 140.113.87.2:5060
       Contact: <sip:1234@sip.ipv4.nctu.edu.tw>
       c=IN IP6 3ffe:3600:1::3
       m=Audio 9000 RTP/AVP 0
     • 4.5 200 OK (NAT-PT → SIPv4 Server)
       Via: SIP/2.0/UDP 140.113.87.40:5060
       Via: SIP/2.0/UDP 140.113.87.2:5060
       Contact: <sip:1234@sip.ipv4.nctu.edu.tw>
       c=IN IP4 140.113.87.52
       m=Audio 9002 RTP/AVP 0
     • 4.6 200 OK (SIPv4 Server → UA2)
       Via: SIP/2.0/UDP 140.113.87.2:5060
       Contact: <sip:1234@sip.ipv4.nctu.edu.tw>
       c=IN IP4 140.113.87.52
       m=Audio 9002 RTP/AVP 0
     • 4.7 ACK sip:1234@sip.ipv4.nctu.edu.tw (UA2 → SIPv4 Server)
       Via: SIP/2.0/UDP 140.113.87.2:5060
       Contact: <sip:5678@sip.ipv4.nctu.edu.tw>
     • 4.8 ACK sip:1234@140.113.87.52:5061 (SIPv4 Server → NAT-PT)
       Via: SIP/2.0/UDP 140.113.87.40:5060
       Via: SIP/2.0/UDP 140.113.87.2:5060
       Contact: <sip:5678@sip.ipv4.nctu.edu.tw>
     • 4.9 ACK sip:1234@[3ffe:3600:1::3]:5060 (NAT-PT → UA1)
       Via: SIP/2.0/UDP [3ffe:3600:2::140.113.87.40]:5060
       Via: SIP/2.0/UDP 140.113.87.2:5060
       Contact: <sip:5678@sip.ipv4.nctu.edu.tw>
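An added Python example, not the NCTU SIPv6 Translator's own code, that performs the SIP-ALG rewrite of slide 58 (message 4.2 to 4.3) with the prefix and pool of slide 53; the bracketed-IPv6 host parsing is the point of slide 44. Assumptions: the pool bindings for 3ffe:3600:1::3 and 3ffe:3600:1::4 and the 5060/5061 port remap are read off slides 57 and 58, and the INVITE text is a constructed copy of message 4.2 with the body cut down to its c= and m= lines.

```python
import re

NATPT_PREFIX = "3ffe:3600:2::"      # NAT-PT prefix 3ffe:3600:2::/96 (slide 53)
BINDINGS_V6_TO_V4 = {               # pool 140.113.87.51-60; bindings seen in slides 57/58
    "3ffe:3600:1::3": "140.113.87.52",
    "3ffe:3600:1::4": "140.113.87.53",
}
BINDINGS_V4_TO_V6 = {v: k for k, v in BINDINGS_V6_TO_V4.items()}
POOL_PORT_V6, POOL_PORT_V4 = "5060", "5061"   # SIP port remap for pool-bound hosts

# One host[:port] token: a bracketed IPv6 literal or a dotted IPv4 literal.
# The brackets are what let the parser tell the address from the port (slide 44).
HOSTPORT = re.compile(r"(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]"
                      r"|(?P<v4>\d{1,3}(?:\.\d{1,3}){3}))(?::(?P<port>\d+))?")

def v4_to_v6(host, port):
    """IPv4 host -> (IPv6 host, port): the pool binding if one exists,
    otherwise the IPv4 address embedded in the NAT-PT prefix."""
    if host in BINDINGS_V4_TO_V6:
        return BINDINGS_V4_TO_V6[host], (POOL_PORT_V6 if port == POOL_PORT_V4 else port)
    return NATPT_PREFIX + host, port

def v6_to_v4(host, port):
    """IPv6 host -> (IPv4 host, port); raises when there is neither a binding
    nor the NAT-PT prefix, because no IPv4 address can be derived then."""
    host = host.lower()
    if host in BINDINGS_V6_TO_V4:
        return BINDINGS_V6_TO_V4[host], (POOL_PORT_V4 if port == POOL_PORT_V6 else port)
    if host.startswith(NATPT_PREFIX):
        return host[len(NATPT_PREFIX):], port
    raise ValueError("no NAT-PT binding for %s" % host)

def rewrite_literals(text, direction):
    """Rewrite every host[:port] literal of the source family in text;
    literals of the other family are left as they are."""
    def repl(m):
        port = m.group("port")
        if direction == "v4->v6" and m.group("v4"):
            host, port = v4_to_v6(m.group("v4"), port)
            host = "[%s]" % host
        elif direction == "v6->v4" and m.group("v6"):
            host, port = v6_to_v4(m.group("v6"), port)
        else:
            return m.group(0)
        return host + (":" + port if port else "")
    return HOSTPORT.sub(repl, text)

def translate_request(message, direction):
    """Rewrite the Request-URI, the topmost Via and the SDP c= line, as the
    SIP-ALG does for 4.2 -> 4.3 on slide 58.  Lower Via entries and the
    Contact are left untouched so the IPv4 proxy's routing data survives."""
    old_ip, new_ip = ("IP4", "IP6") if direction == "v4->v6" else ("IP6", "IP4")
    out, via_done = [], False
    for i, line in enumerate(message.split("\r\n")):
        top_via = line.lower().startswith("via:") and not via_done
        if i == 0 or top_via:
            line = rewrite_literals(line, direction)
            via_done = via_done or top_via
        elif line.startswith("c=IN %s " % old_ip):
            addr = line.split(" ")[2]
            token = addr if old_ip == "IP4" else "[%s]" % addr  # c= carries no brackets
            line = "c=IN %s %s" % (new_ip, rewrite_literals(token, direction).strip("[]"))
        out.append(line)
    return "\r\n".join(out)

# Constructed copy of message 4.2 on slide 58 (the INVITE the SIPv4 server
# forwards to the NAT-PT / SIP-ALG), with the body reduced to its c= and m= lines.
INVITE_4_2 = "\r\n".join([
    "INVITE sip:1234@140.113.87.52:5061 SIP/2.0",
    "Via: SIP/2.0/UDP 140.113.87.40:5060",
    "Via: SIP/2.0/UDP 140.113.87.2:5060",
    "Contact: <sip:5678@sip.ipv4.nctu.edu.tw>",
    "",
    "c=IN IP4 140.113.87.2",
    "m=Audio 9000 RTP/AVP 0 4 8",
])
```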
  59. SIPv6 Analyzer (figure): Control Panel; Packet List; Protocol Parser (using the Ethereal parser); Hex Dump
  60. SIP Viewer (figure): Call-ID, From, To; SIP Flowchart; SIP Dialog Collection
     • The SIP Viewer automatically collects SIP messages.
     • The SIP flowchart is built from the headers.
  61. RTP Viewer (figure): RTP Session List; Video Playback; Video and Voice Control Panel
     • The RTP Viewer can play back video and voice!
     • The RTP Viewer automatically collects RTP packets according to the SDP c and m fields.
  62. The IPv6 SIP-based VoIP Deployment
     • 0944006XXX is assigned to the IPv6 network.
     • 0944004XXX is assigned to the IPv4 network.
     • The forwarding rules are set in the SIP proxies.
  63. The IPv6 and IPv4 SIP Environment (figure): PSTN; Speaker Phone (PSTN); Snom 200; CISCO 7940; Pingtel; Windows Messenger; SIPv6 Translator; SIPv6 UA & SIPv6 Analyzer (implemented by NCTU VoIP Lab)
  64. The PSTN Gateways: CISCO 2621XM Gateway; Vontel Gateway (implemented by ITRI/CCL Taiwan)
  65. The Interoperability Test Results (figure: matrix of the SIP message fields Request URI, Contact, Via, From, To and the SDP message fields c, m, o against each device)
     • IP soft phones: CCL Skin UA; Windows Messenger 4.7.2009
     • IP hard phones: PingTel 2.1.10; snom 200; Cisco IP Phone 7940 Series
     • PSTN gateways: Vontel PSTN Gateway; Cisco PSTN Gateway
     • The SIPv6 UA developed by NCTU can communicate with all of the commercial IPv4 SIP UAs through the SIPv6 Translator.
     • The IPv4 SIP UAs are deployed in the NTP VoIP platform: http://www.voip.ntpo.org.tw
  66. SIP Security
  67. SIP Security
     • SIP communications are susceptible to several types of attacks.
     • The simplest attack in SIP is snooping, which permits an attacker to gain information on users' identities, services, media, network topology, and so on.
  68. SIP Security
     • SIP messages may contain information a user or server wishes to keep private.
     • The headers can reveal information about the communication patterns and content of individuals, or other confidential information.
     • The SIP message body may also contain user information (media type, codec, addresses and ports, etc.) that should not be revealed.
  69. SIP Security
     • Securing SIP header and body information can be motivated by two different reasons: maintaining private user and network information in order to guarantee a certain level of privacy; avoiding SIP sessions being set up or changed by someone faking the identity of someone else.
  70. SIP Security
     • The mechanisms that provide security in SIP can be classified as end-to-end or hop-by-hop protection.
     • End-to-end mechanisms involve the caller and/or callee SIP user agents and are realized by features of the SIP protocol specifically designed for this purpose (e.g., SIP authentication and SIP message body encryption).
     • Hop-by-hop mechanisms secure the communication between two successive SIP entities in the path of signaling messages.
  71. SIP Security
     • SIP does not provide specific features for hop-by-hop protection and relies on network-level (IPsec) or transport-level security (TLS).
     • Hop-by-hop mechanisms are needed because intermediate elements may play an active role in SIP processing by reading and/or writing some parts of the SIP messages.
  72. SIP Security
     • End-to-end security cannot apply to those parts of messages that are read/written by intermediate SIP entities.
  73. SIP Security
     • Two main security mechanisms are used with SIP: authentication; data encryption.
  74. SIP Security
     • Data authentication is used to authenticate the sender of the message, and to ensure that some critical message information was unmodified in transit.
     • This is to prevent an attacker from modifying and/or replaying SIP requests and responses.
  75. SIP Security
     • SIP makes use of the Proxy-Authenticate, Proxy-Authorization, Authorization, and WWW-Authenticate header fields, similar to those of HTTP, for authentication of the end system by means of a digital signature.
     • Instead, hop-by-hop authentication can be performed using transport- or network-layer authentication protocols such as TLS or IPsec.
  76. SIP Security
     • Data encryption is used to ensure the confidentiality of SIP communications, letting only the intended recipient decrypt and read the data.
     • This is usually done using encryption algorithms such as the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES).
  77. SIP Security
     • SIP supports two forms of encryption: end-to-end; hop-by-hop.
  78. SIP Security
     • End-to-end encryption provides confidentiality for all information (some SIP headers and the message body) that does not need to be read by intermediate proxy servers.
     • End-to-end encryption is performed by S/MIME mechanisms.
  79. SIP Security
     • Hop-by-hop encryption of whole SIP messages can be used in order to protect the information that should be accessed by intermediate entities, such as the From, To, and Via headers.
     • Encryption of such information can prevent malicious users from determining who calls whom, or from accessing route information.
  80. SIP Security
     • Hop-by-hop encryption can be performed by security mechanisms external to SIP (IPsec or TLS).
  81. SIP Security
     • IPsec is a network-layer mechanism that can be used to introduce security directly at the IP layer.
     • Usually IPsec is used to provide security based on network node identity, and this is done independently of the SIP architecture.
  82. SIP Security
     • For this reason, IPsec can be used in SIP mainly between SIP entities that have a preconfigured and quite static security association (e.g., servers within the same IP telephony provider).
  83. SIP Security
     • TLS provides transport-layer security over connection-oriented protocols (TCP), and it is suited to architectures in which hop-by-hop security is required between hosts with a more dynamic security association.
  84. SIP Security
     • Note that if a user agent uses IPsec or TLS to send SIP requests to a proxy server (hop by hop), this does not guarantee that secure transport will be used on the rest of the end-to-end path.
  85. SIP Security
     • The most recent version of the SIP specification includes a way to specify that a resource (e.g., a server or user) should be reached securely using TLS.
     • In particular, the address of a user is normally defined in SIP using a SIP uniform resource identifier (URI) in the form of sip:hsn@ndhuee.com.
  86. SIP Security
     • If a user address is expressed using a new type of URI, a SIP Secure (SIPS) URI (sips:hsn@ndhuee.com), it means that the use of TLS is requested.
     • The security mechanisms must be combined properly to obtain a trusted network scenario.
  87. SIP Security: An example of this combination (figure)
  88. SIP Security: The Authentication Procedure in SIP
     • The SIP authentication procedure is derived from HTTP Digest authentication.
     • It is a challenge-based mechanism: when a server receives a request, it may challenge the initiator of the request to provide assurance of its identity.
  89. SIP Security: Digest authentication (figure)
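The challenge-based procedure of slide 88, as an added Python example that is not code from the slides: HTTP Digest (RFC 2617, as reused by SIP) computed on both sides, with single-use nonces on the registrar so that a captured Authorization header cannot be replayed, the attack slide 74 names. The realm ndhuee.com and user hsn come from slide 85; the password and the nonces are constructed, and the registrar stores only HA1 rather than the password.

```python
import hashlib
import hmac
import os
import re

PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')   # auth-param: quoted or bare value


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_params(header):
    """Parameters after 'Digest' in a WWW-Authenticate or Authorization header."""
    params = header.partition("Digest ")[2]
    return {k: quoted or bare for k, quoted, bare in PARAM.findall(params)}


def ha1(username, realm, password):
    """HA1 = MD5(user:realm:password).  The registrar can store this instead of
    the cleartext password; the password itself never crosses the wire."""
    return _md5("%s:%s:%s" % (username, realm, password))


def digest_response(ha1_value, method, uri, nonce, cnonce, nc, qop="auth"):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).
    Binding the SIP method and Request-URI into HA2 is what keeps a captured
    Authorization header from being reused on a different request."""
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5(":".join([ha1_value, nonce, nc, cnonce, qop, ha2]))


def authorize(username, password, method, uri, challenge):
    """User agent side: answer a 401 challenge with an Authorization header."""
    p = parse_params(challenge)
    cnonce, nc = os.urandom(8).hex(), "00000001"
    response = digest_response(ha1(username, p["realm"], password),
                               method, uri, p["nonce"], cnonce, nc)
    return ('Authorization: Digest username="%s", realm="%s", nonce="%s", '
            'uri="%s", response="%s", cnonce="%s", nc=%s, qop=auth'
            % (username, p["realm"], p["nonce"], uri, response, cnonce, nc))


class DigestRegistrar:
    """Server side: issues challenges, verifies answers and rejects replays."""

    def __init__(self, realm, credentials):
        self.realm = realm
        self.credentials = credentials      # username -> HA1, never passwords
        self.live_nonces = set()            # issued and not yet consumed

    def challenge(self):
        """The 401 response carrying a fresh, unpredictable nonce."""
        nonce = os.urandom(16).hex()
        self.live_nonces.add(nonce)
        return ("SIP/2.0 401 Unauthorized\r\n"
                'WWW-Authenticate: Digest realm="%s", nonce="%s", qop="auth", '
                "algorithm=MD5\r\n\r\n" % (self.realm, nonce))

    def verify(self, method, authorization):
        """True only for a correct response to a nonce this registrar issued
        and has not yet seen used; each nonce is single-use here, so a replayed
        Authorization header (slide 74) fails even though its digest is valid."""
        p = parse_params(authorization)
        try:
            if p["realm"] != self.realm or p["nonce"] not in self.live_nonces:
                return False                    # foreign, stale or replayed nonce
            expected = digest_response(self.credentials[p["username"]], method,
                                       p["uri"], p["nonce"], p["cnonce"],
                                       p["nc"], p["qop"])
        except KeyError:
            return False                        # unknown user or missing parameter
        self.live_nonces.discard(p["nonce"])
        return hmac.compare_digest(expected, p.get("response", ""))
```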