
SIP & TLS - Security in a peer to peer world


A short talk about how to do SIP & TLS right (hint: Using SIP Outbound) and some issues we have to resolve.

Published in: Technology


  1. SIP & TLS: Security in a peer to peer world. Olle E. Johansson, oej@edvina.net, Twitter @oej. Fosdem 2016, January 30-31, Brussels.
  2. TLS IN ONE PICTURE. Client <-> network link <-> server, with the application on top. In one handshake: identity check (certificate validation), algorithm agreement, key set up, encryption of data. All without prior agreement.
  3. A SIP REGISTRATION AND CALL. The SIP client/server (phone) tells the SIP server "Hello, here's my current location": the SIP Contact URI (IPv6 or IPv4 address + port). An incoming call is then delivered by the SIP server to that Contact URI. Two separate connections/flows.
  4. …WITH TLS. Same picture, with TLS on both legs: the phone registers its location (the SIP Contact URI, IPv6 or IPv4 address + port) over TLS, and the incoming call is delivered over a second TLS connection to the Contact URI. The phone needs to be a TLS server with a certificate. The cert needs to match the Contact URI, which is changing unless you use GRUU.
  5. SIPS: WAS A BAD IDEA. Just forget it. SIP doesn't work like the web. And the web is also changing.
  6. SIP MATCHING CERTIFICATE (RFC 5922 - SIP domain certificates). The client calls sip:alice@example.com; which SIP server certificate matches?
     - cn: example.com, san: ww.example.com: FAIL
     - cn: namn.se, san: example.com: OK!
     - cn: example.com, and DNS SRV for example.com points to sip01.siphosting.com: OK!
     - cn: *.example.com: Fail. Wildcards are not allowed.
     With no SAN, CN is used. But only with no SAN.
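The matching rules on this slide, worked through in code. This is an added example for this page, not the talk's or any SIP stack's code: certificate fields are modelled as plain strings rather than parsed from X.509, the certificate values are the constructed ones from the slide, and the only rules applied are the three stated above (subjectAltName first, CN only when there is no SAN, no wildcards). The third case shows that the certificate is matched against the SIP domain, not against the host the SRV record resolved to.

```python
"""RFC 5922-style identity check of a SIP server certificate against the SIP
domain the client is trying to reach. Added example for this page, not the
talk's code. Certificate fields are modelled as plain strings, so the check
runs without a real X.509 parser; all values below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """The identity fields of a server certificate that matter for SIP."""
    cn: str | None = None
    san_dns: list[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_uri: list[str] = field(default_factory=list)   # subjectAltName URI entries (sip:)


def sip_uri_domain(uri: str) -> str | None:
    """Host part of a sip: URI (domain names only, no IPv6 literals):
    sip:alice@example.com;transport=tls -> example.com"""
    if not uri.lower().startswith("sip:"):
        return None
    hostport = uri[4:].split("@", 1)[-1]               # drop user@ if present
    host = hostport.split(";", 1)[0].split(":", 1)[0]  # drop params and port
    return host.lower() or None


def certificate_matches_domain(cert: CertIdentity, sip_domain: str) -> tuple[bool, str]:
    """Return (ok, reason). SAN identities (sip: URIs and dNSNames) are
    authoritative; the CN is consulted only when the certificate carries no
    SAN; a wildcard identity never matches."""
    domain = sip_domain.lower()
    identities = [d for d in (sip_uri_domain(u) for u in cert.san_uri) if d]
    identities += [h.lower() for h in cert.san_dns]
    source = "SAN"
    if not identities:
        if not cert.cn:
            return False, "certificate carries neither SAN nor CN"
        identities, source = [cert.cn.lower()], "CN (no SAN present)"
    for ident in identities:
        if "*" in ident:
            continue        # wildcards are not allowed for SIP domain certificates
        if ident == domain:
            return True, f"{source} identity {ident} matches {domain}"
    return False, f"no {source} identity matches {domain}: {identities}"


def slide_cases() -> list[bool]:
    """The four certificates from the slide, checked against the SIP domain
    example.com. Third case: DNS SRV for example.com may point at
    sip01.siphosting.com, but the certificate is still matched against
    example.com, never against the SRV target."""
    certs = [
        CertIdentity(cn="example.com", san_dns=["ww.example.com"]),  # SAN present, CN ignored
        CertIdentity(cn="namn.se", san_dns=["example.com"]),         # SAN matches
        CertIdentity(cn="example.com"),                              # no SAN, CN is used
        CertIdentity(cn="*.example.com"),                            # wildcard
    ]
    return [certificate_matches_domain(c, "example.com")[0] for c in certs]


if __name__ == "__main__":
    for ok in slide_cases():
        print("OK!" if ok else "FAIL")   # prints FAIL, OK!, OK!, FAIL
```

In a real client the `CertIdentity` values come from the peer certificate after chain validation; this check is the step that follows validation, and it fails closed when the certificate has a SAN that does not name the SIP domain, even if the CN does.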
  7. COMPARE WITH XMPP: CONNECTION = "AVAILABLE". XMPP client <-> XMPP server: one TCP/TLS connection, and incoming messages arrive over it. A client without a connection is off line.
  8. SIP XMPP STYLE = SIP OUTBOUND. The SIP client/server (phone) opens one TLS connection to the SIP server, sends REGISTER over it, and the incoming call (INVITE) comes back over the same connection. Reuse the same connection, managed by the client! As long as we have at least one connection, the UA is "online" and available. RFC 5626.
  9. SIP OUTBOUND AND IP FLOWS. UA -> SIP edge proxies -> SIP location server. "It's really hard to notice that a TCP connection is dead" (Panagiotis Stathopoulos at #Fosdem 2016).
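The outbound behaviour of the two slides above, as an added example that is not the talk's code or any SIP stack's code. It models an edge proxy that keeps the RFC 5626 binding (address of record, instance-id, reg-id) -> client-initiated flow, delivers an incoming INVITE over that flow instead of connecting back to the phone's Contact URI, and shows what happens when the flow has silently died and the phone re-registers. The REGISTER text, the flow labels and the 192.0.2.x addresses are constructed; the `alive` flag stands in for the keep-alive mechanism (CRLF ping/pong) that RFC 5626 uses precisely because the transport alone does not tell you a connection is dead.

```python
"""Model of RFC 5626 (SIP Outbound) flow reuse: the phone opens the TLS
connection, REGISTERs with instance-id and reg-id, and the edge proxy routes
incoming INVITEs over that client-managed flow. Added example, not the
talk's code; message, flow labels and addresses are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

CONTACT_RE = re.compile(r"<(?P<uri>[^>]+)>(?P<params>.*)")


@dataclass
class Flow:
    """One client-initiated TLS connection as the edge proxy sees it."""
    flow_id: str
    alive: bool = True     # maintained by RFC 5626 keep-alives (CRLF ping/pong)


def build_register(aor: str, contact_uri: str, instance_id: str, reg_id: int) -> str:
    """REGISTER carrying the outbound Contact parameters (constructed message)."""
    domain = aor.split("@", 1)[1]
    return "\r\n".join([
        f"REGISTER sip:{domain} SIP/2.0",
        f"From: <sip:{aor}>;tag=c0ffee",
        f"To: <sip:{aor}>",
        "Supported: path, outbound",
        f'Contact: <{contact_uri}>;reg-id={reg_id};+sip.instance="<urn:uuid:{instance_id}>"',
        "Expires: 3600",
        "", "",
    ])


def parse_contact(message: str) -> tuple[str | None, dict[str, str]]:
    """Return (contact URI, header parameters) from the first Contact header."""
    for line in message.split("\r\n"):
        if line.lower().startswith("contact:"):
            m = CONTACT_RE.search(line)
            if not m:
                return None, {}
            params: dict[str, str] = {}
            for p in m.group("params").split(";"):
                if "=" in p:
                    k, v = p.split("=", 1)
                    params[k.strip()] = v.strip().strip('"')
            return m.group("uri"), params
    return None, {}


class EdgeProxy:
    """Outbound bindings: (AoR, instance-id, reg-id) -> Flow."""

    def __init__(self) -> None:
        self.bindings: dict[tuple[str, str, str], Flow] = {}

    def on_register(self, aor: str, message: str, flow: Flow) -> str:
        uri, params = parse_contact(message)
        if "reg-id" not in params or "+sip.instance" not in params:
            # Classic registration: the proxy would have to act as TLS client
            # towards the Contact URI, so the phone needs its own server cert.
            return f"no outbound parameters; would connect back to {uri}"
        key = (aor, params["+sip.instance"], params["reg-id"])
        self.bindings[key] = flow   # same reg-id: the new flow replaces the old one
        return f"outbound binding stored on {flow.flow_id}"

    def flows_for(self, aor: str) -> list[str]:
        """Live flows an INVITE for this AoR is forked over (empty -> 480)."""
        return [f.flow_id for (a, _, _), f in self.bindings.items()
                if a == aor and f.alive]


def demo() -> dict[str, object]:
    """Register, deliver a call, lose the connection, re-register."""
    aor = "alice@example.com"
    contact = "sip:alice@192.0.2.10:5061;transport=tls"    # constructed
    inst = "f81d4fae-7dec-11d0-a765-00a0c91e6bf6"           # constructed instance id
    proxy = EdgeProxy()
    first = Flow("tls-conn-1")
    proxy.on_register(aor, build_register(aor, contact, inst, 1), first)
    call_ok = proxy.flows_for(aor)        # INVITE goes down tls-conn-1
    first.alive = False                   # keep-alive timed out: flow is dead
    call_dead = proxy.flows_for(aor)      # nothing left to route over
    second = Flow("tls-conn-2")
    proxy.on_register(aor, build_register(aor, contact, inst, 1), second)
    call_again = proxy.flows_for(aor)     # same reg-id: replaced, not added
    return {"call_ok": call_ok, "call_dead": call_dead,
            "call_again": call_again, "bindings": len(proxy.bindings)}


if __name__ == "__main__":
    print(demo())
```

The point of keying on (AoR, instance-id, reg-id) rather than on the Contact URI is what the earlier slides lead up to: the phone's address and port can change with every re-registration without the proxy ever needing a certificate that matches it, because the proxy never opens a connection towards the phone.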
  10. SECURITY? NO GUARANTEES, EVER. UA -> SIP -> SIP -> UA: you can only control and verify the first hop.
  11. SIP PEER 2 PEER: the SIP proxy sits in the middle (man in the middle).
  12. …WITH FORKING: the payload and message reach everyone!
  13. AND CONFERENCE CALLS.
  14. MY QUESTION: A SECURE SESSION IS? With the SIP proxy (man in the middle) in the path: SIP is a rendezvous protocol. We find each other and establish a session. Can we find a way to secure that session and trust it?
  15. MY QUESTION: WHAT IS A SECURE SESSION? Still with the SIP proxy (man in the middle) in the path: MSRP? WebRTC Datachannels? This applies to WebRTC, XMPP, SIP and other solutions…
  16. IN SHORT FOR SIP: WITHOUT OUTBOUND, YOU'RE A NO GO. Managing client certs is a pain and a high cost. The standards don't work, only outbound…
  17. WORK TO DO:
     - Kill SIPS: finally. Get rid of it.
     - Clarify SIP/TLS usage.
     - Mandate outbound for UAs.
     - Standardize SIP client certificates.
     - Standardize DANE usage in SIP.
     - Work on peer-to-peer security for all protocols.
