Secure Peering with Asterisk(TM) [email_address] VON.x – San Jose, CA, March 2008
Dalton Jim

2. What is Secure Peering?
- Secure Peer to Peer VoIP based on a shared Public Key Infrastructure (PKI)
[Diagram: enterprise sites (Call Center, Headquarters, Sales Offices, Branch Office, Manufacturing) connected over the Internet through a Peering Server]

3. Establishing PKI Security Services
- Certificate Authority (CA) for Peer to Peer Authorization (OSP Server)
- Enrollment exchange between a client device (e.g. Asterisk) and the CA:
  1. Client Device requests public-key and certificate from CA
  2. CA sends its public key and its certificate
  3. Client Device sends certificate request to CA
  4. CA returns signed certificate
[Diagram: the resulting certificate binds the VoIP Device Information and the VoIP Device Public Key, certified by the Cert. Authority with a CA Signature made with the CA private key; the Peering Server holds the CA role]

4. Benefits of secure multi-lateral peering
- Efficient peer to peer communications eliminates signaling bottlenecks
- Access control is greatly simplified
  - IP access lists are eliminated
  - Asymmetric key management is simpler and more secure than shared secrets (passwords)
- Eliminates complexity of many peer to peer interconnect agreements

5. Examples of Secure Peering
- Enterprise VoIP VPN
- Wholesale Inter-Carrier VoIP Services
- Tiered Peering
- DUNDi Settlement Clearinghouse

6. Enterprise VoIP Network
- Requirements:
  1. Centralized routing
  2. Secure inter-office access control
  3. Centralized accounting
  4. Autonomous local operation
  5. Minimum bandwidth
[Diagram: Call Center, Headquarters, Sales Office, Branch Office and Manufacturing sites connected over the Internet]

7. Enterprise VoIP VPN
- Secure peering architecture provides VoIP VPN
- Requirements (as on the previous slide):
  1. Centralized routing
  2. Secure inter-office access control
  3. Centralized accounting
  4. Autonomous local operation
  5. Minimum bandwidth
- Peering Server operation:
  1. Enrollment
  2. Route Authorization
  3. SIP INVITE with Token
  4. CDR collection
[Diagram: the same sites connected over the Internet as a VoIP VPN, with a Peering Server]
8. Wholesale Inter-Carrier Services
- Challenge: How to manage interconnect access and billing among thousands of ITSP peers
[Diagram: many ITSP peers connected over the Internet]

9. Wholesale Inter-Carrier Services
- Conventional solution is to route all calls via a softswitch or session border controller.
[Diagram: all calls between ITSP peers routed over the Internet through a central softswitch / SBC]

10. Wholesale Inter-Carrier Services
- Secure peering is more scalable, more reliable, better QoS, less bandwidth, lower cost.
[Diagram: ITSP peers do a Route Lookup against the Peering Server's OSP Servers over the Internet, then exchange media directly]

11. Wholesale Inter-Carrier Services
- Call Detail Collection from both the source and destination eliminates settlement disputes
[Diagram: Source CDR and Dest. CDR are both reported to the Peering Server's OSP Servers]

12. Tiered Peering
- Secure peering among multiple peering networks.
[Diagram: a Yellow Peering Network and a Purple Peering Network, each with its own Peering Server and OSP Servers, connected over the Internet; a SIP INVITE with token for the Purple network follows the exchange 1. Auth. Request, 2. Auth. Request, 3. Auth. Response, 4. Auth. Response]

13. Tiered Peering CDR Reporting
- Top tier peering networks receive Call Detail Records from both source and destination peers.
[Diagram: Source CDR and Dest. CDR flow from the OSP Servers of the Yellow and Purple Peering Networks up to the top tier Peering Server]
14. DUNDi
- Distributed Universal Number Discovery
- Based on General Peering Agreement
- No Settlement

15. DUNDi Clearinghouse
- DUNDi nodes enroll with CA
- Route and rate discovery with DUNDi (query: "rate / minute?", reply: "2¢ / minute!")
- Source submits route & rate to clearinghouse for digitally signed token
[Diagram: Token Request from the source to the Peering Server]

16. DUNDi Clearinghouse
- Destination validates token and rate
- CDRs sent to clearinghouse
- SIP INVITE includes signed token
[Diagram: SIP INVITE with token from source to destination; both sides send a CDR to the Peering Server]

17. DUNDi Clearinghouse
- Clearinghouse performs settlement billing
[Diagram: Peering Server settles ($) with both parties]
18. Details of Secure Peering
- ETSI OSP protocol defines standardized messages for the secure exchange of IP based sessions.
- An OSP server is a web server
- Message Formats
  - Multipurpose Internet Mail Extensions (MIME)
  - eXtensible Markup Language (XML)
  - Secure MIME
- Communication Protocols
[Diagram: protocol stack: OSP Peering Protocol over XML Presentation over HTTP V1.0, carried either directly on TCP port 80 or over SSL / TLS on TCP port 443, over IP]
19. OSP Message Example

HTTP Header:

    HTTP/1.1 200 OK
    Server: IP address of OSP server
    Date: Thu, 12 May 2005 18:32:59 GMT
    Connection: Keep-Alive
    Keep-Alive: timeout=3600, max=5000
    Content-Length: 1996
    Content-Type: text/plain

OSP Message (body starts here; the AuthorizationResponse it carries is reproduced in full on the next slide):

    <?xml version='1.0'?>
    <Message messageId='11703738491' random='21655'>

20. OSP Message Example (cont.)

    <AuthorizationResponse componentId='11703738490'>
      <Timestamp>2005-05-12T18:32:59Z</Timestamp>
      <TransactionId>4785098287068543017</TransactionId>
      <Destination>
        <CallId encoding='base64'>MTExNTkxOTE3Ny45</CallId>
        <DestinationInfo type='e164'>Called Number</DestinationInfo>
        <DestinationSignalAddress>[ IP Address:Port ]</DestinationSignalAddress>
        <UsageDetail>
          <Amount>14400</Amount>
          <Unit>s</Unit>
        </UsageDetail>
        <ValidAfter>2005-05-12T18:27:59Z</ValidAfter>
        <ValidUntil>2005-05-12T18:37:59Z</ValidUntil>
        <DestinationProtocol>sip</DestinationProtocol>
        <SourceInfo type='e164'>Calling Number</SourceInfo>
        <Token encoding='base64'>Vj0xCnI9MjE2NTUKYz0KQz03Nzc3Nzc3Nzc3Cmk9TVRFeE5Ua3hPVEUzTnk0NQphPTIwMDUtMDUtMTJUMTg6Mjc6NTlaCnU9MjAwNS0wNS0xMlQxODozNzo1OVoKST00Nz
        [token value and the closing tags are cut off on the slide]

Slide annotations:
- TransactionId: Unique Transaction ID per call
- CallId: Call ID from source device
- DestinationInfo: Called Number may be translated
- DestinationSignalAddress: IP Address of Called Number
- UsageDetail: Call authorized for 14400 seconds
- ValidAfter / ValidUntil: Call authorized to start in 10 minute window
- DestinationProtocol: Protocol may be SIP, H323, IAX, …
- Token: Digital signature of token ensures non-repudiation
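Decoding the base64 token prefix printed on slide 20 (an added example, not part of the presentation or of any OSP implementation) yields text lines whose values line up with the XML around it: r with the Message random attribute, i with CallId, a and u with ValidAfter and ValidUntil, and I with the start of TransactionId. Those field meanings, and the called number 7777777777 carried in C, are inferred from that correspondence and are assumptions; the checks below are the kind of token validation slide 16 assigns to the destination (validity window and binding to the call), while signature verification cannot be shown because the slide truncates the token before its signature.

```python
import base64
from datetime import datetime, timedelta, timezone

# Token value exactly as printed on slide 20; the slide cuts it off after "ST00Nz",
# so the signature that follows the text fields is not available here.
SLIDE_TOKEN_B64 = (
    "Vj0xCnI9MjE2NTUKYz0KQz03Nzc3Nzc3Nzc3Cmk9TVRFeE5Ua3hPVEUzTnk0NQphPT"
    "IwMDUtMDUtMTJUMTg6Mjc6NTlaCnU9MjAwNS0wNS0xMlQxODozNzo1OVoKST00Nz"
)


def decode_token_fields(token_b64: str) -> dict:
    """Base64-decode the token body and split its 'key=value' lines into a dict.
    Padding is restored first because the truncated slide value is not a multiple of 4."""
    padded = token_b64 + "=" * (-len(token_b64) % 4)
    text = base64.b64decode(padded).decode("ascii")
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


def parse_utc(stamp: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps used both in the token and in the XML."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_token(fields: dict, now: datetime, invite_call_id_b64: str,
                invite_called_number: str, max_skew: timedelta = timedelta(0)) -> list:
    """Return the reasons a destination should reject the token (empty list = accept).

    Field meanings are an assumption inferred from matching values on the slide:
    a = ValidAfter, u = ValidUntil, i = CallId (base64), C = called number,
    r = Message random, I = TransactionId (cut off on the slide)."""
    problems = []
    valid_after, valid_until = parse_utc(fields["a"]), parse_utc(fields["u"])
    # Slide 20: the call is authorized to start only inside the 10 minute window.
    if now < valid_after - max_skew:
        problems.append("token not yet valid")
    if now > valid_until + max_skew:
        problems.append("token expired")
    # Bind the token to this call: the CallId and called number in the INVITE must be
    # the ones the OSP server signed, otherwise a token could be reused for other calls.
    if fields.get("i") != invite_call_id_b64:
        problems.append("CallId in token does not match the INVITE")
    if fields.get("C") != invite_called_number:
        problems.append("called number in token does not match the INVITE")
    return problems


if __name__ == "__main__":
    fields = decode_token_fields(SLIDE_TOKEN_B64)
    print(fields)
    # Timestamp of the response on slide 19/20 falls inside the window: prints []
    print(check_token(fields, parse_utc("2005-05-12T18:32:59Z"), fields["i"], "7777777777"))
```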
21. Tools for Secure Peering
- www.Asterisk.org
  - Asterisk includes OSP client
- www.SourceForge.net
  - osp-toolkit (client)
  - RAMS OSP Server
- www.vovida.org
  - OpenOSP Server (based on Apache)
- www.iptel.org
  - SIP Express Router supports OSP
- www.OpenSER.org
  - OpenSER SIP proxy supports OSP
- www.voxgratia.org
  - OSP enabled H323 proxy
- www.TransNexus.com
  - Free OSP server download
