DTLS-SRTP Handling in SIP B2BUAs
draft-ram-straw-b2bua-dtls-srtp
IETF-91, Hawaii, Nov 12, 2014
Presenter: Tirumaleswar Reddy
Authors: Ram Mohan, Tirumaleswar Reddy, Gonzalo Salgueiro, Victor Pascual
Agenda
- B2BUA modes and possible MITM attacks
B2BUA Modes
1. Media Relay
2. Media Aware
3. Media Terminator
Legitimate Media Relay
Media:
- Forwards packets without inspection or modification
- Only modifies the L3 and L4 headers
Signaling:
- It MUST forward the received certificate fingerprint without any modifications
Malicious Media Relay
Media:
- Forwards packets with inspection or modification
Signaling:
- Modifies the certificate fingerprint and signals its own fingerprint
Possible Mitigation
- Mandate authenticated identity management in SIP (draft-ietf-stir-rfc4474bis)
- The signed-identity-digest carries the signed hash of the certificate fingerprint
- Mandate Identity headers to be present
[Figure: Authenticated identity management. Signaling path: Alice -> Alice's Proxy (atlanta.com) -> SIP Cloud -> Alice's B2BUA (Back-to-Back User Agent, atlanta.com) -> bob@biloxy.com. Messages: INVITE, Challenge, INVITE, INVITE, INVITE.]
1. Alice calls Bob
2. The outbound proxy for Alice's domain verifies that this is from Alice and adds an assertion (based on 4474bis) that it is from alice@atlanta.com
3. This assertion is signed with the atlanta.com certificate from a well-known certificate authority
4. The B2BUA here just changes the UDP/IP header and does not modify the payload
B2BUA Modes
1. Media Relay
2. Media Aware
3. Media Terminator
Legitimate Media Aware
Media:
- Modifies the RTP header
Signaling:
- Terminates the DTLS connection and acts as a DTLS proxy
  - Changes the certificate fingerprint and signals its own fingerprint
  - Decrypts and re-encrypts the payload
Malicious Media Aware
Media:
- Inspects or modifies the payload
[Figure: B2BUA in the same administrative domain. Signaling path: Alice -> Alice's Proxy (atlanta.com) -> SIP Cloud -> Alice's B2BUA (Back-to-Back User Agent, atlanta.com) -> bob@biloxy.com. Messages: INVITE, Challenge, INVITE, INVITE, INVITE.]
1. Alice calls Bob
2. The outbound proxy for Alice's domain verifies that this is from Alice and adds an assertion (based on 4474bis) that it is from alice@atlanta.com
3. This assertion is signed with the atlanta.com certificate from a well-known certificate authority
4. The B2BUA changes the RTP header
Possible mitigations
- Option 1: SRTP for cloud services (draft-cheng-srtp-cloud-00) proposes a mechanism where confidentiality and message authentication are independent of the RTP header
- Option 2: Trust the B2BUA
[Figure: B2BUA in a different administrative domain. Signaling path: Alice -> Alice's Proxy (atlanta.com) -> SIP Cloud -> B2BUA (Back-to-Back User Agent, ISP) -> bob@biloxy.com. Messages: INVITE, Challenge, INVITE, INVITE, INVITE.]
1. Alice calls Bob
2. The outbound proxy for Alice's domain verifies that this is from Alice and adds an assertion (based on 4474bis) that it is from alice@atlanta.com
3. This assertion is signed with the atlanta.com certificate from a well-known certificate authority
4. The B2BUA changes the RTP header
Possible mitigation
- SRTP for cloud services (draft-cheng-srtp-cloud-00) proposes a mechanism where confidentiality and message authentication are independent of the RTP header
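The two mitigation slides above both rest on one observation: with standard SRTP (RFC 3711) the authentication tag and the keystream depend on RTP header fields, so a media-aware B2BUA that rewrites SSRC or sequence numbers must hold the keys (hence the DTLS-proxy role), whereas protection that depends only on the protected payload lets a key-less relay rewrite headers. The following is an added example, not code from the slides, the draft or any SRTP library. It is a deliberately simplified model: HMAC-SHA256 in counter mode stands in for AES-CTR, the "header-independent" scheme carries its own per-packet counter inside the protected part and is my construction rather than the mechanism of draft-cheng-srtp-cloud-00, and the key and packet contents are constructed.

```python
"""Why a header-rewriting B2BUA needs the SRTP keys, and what changes when
confidentiality and authentication do not depend on the RTP header.
Constructed, simplified model; not an SRTP implementation."""
import hashlib
import hmac
import struct

# Constructed demo key; stands in for the SRTP session keys derived via DTLS-SRTP.
KEY = hashlib.sha256(b"constructed demo master key").digest()
TAG_LEN = 10  # SRTP's default 80-bit truncated HMAC-SHA1 tag


def build_rtp_header(seq, timestamp, ssrc, pt=0):
    """12-byte RTP fixed header: V=2, P=0, X=0, CC=0, M=0."""
    return struct.pack("!BBHII", 0x80, pt, seq, timestamp, ssrc)


def parse_rtp_header(hdr):
    _, _, seq, ts, ssrc = struct.unpack("!BBHII", hdr[:12])
    return seq, ts, ssrc


def keystream(iv, n):
    """Stand-in for AES-CTR: HMAC-SHA256 over IV || block counter (demo only)."""
    out = b""
    blk = 0
    while len(out) < n:
        out += hmac.new(KEY, iv + struct.pack("!I", blk), hashlib.sha256).digest()
        blk += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def tag(data):
    """Truncated HMAC-SHA1, as SRTP does."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:TAG_LEN]


# --- Classic SRTP-style protection: IV and tag both depend on the RTP header ---
def srtp_protect(header, payload, roc=0):
    seq, _, ssrc = parse_rtp_header(header)
    iv = struct.pack("!IIH", ssrc, roc, seq)  # packet index = ROC || SEQ, keyed by SSRC
    enc = xor(payload, keystream(iv, len(payload)))
    return header + enc + tag(header + enc + struct.pack("!I", roc))


def srtp_unprotect(packet, roc=0):
    header, enc, t = packet[:12], packet[12:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(t, tag(header + enc + struct.pack("!I", roc))):
        return None  # authentication failure: header was changed without the key
    seq, _, ssrc = parse_rtp_header(header)
    iv = struct.pack("!IIH", ssrc, roc, seq)
    return xor(enc, keystream(iv, len(enc)))


# --- Header-independent protection (simplified model): only a per-packet counter
#     carried inside the protected part feeds the IV and the tag ---
def cloud_protect(header, payload, counter):
    ctr = struct.pack("!I", counter)
    iv = b"\x00" * 6 + ctr
    enc = xor(payload, keystream(iv, len(payload)))
    body = ctr + enc
    return header + body + tag(body)


def cloud_unprotect(packet):
    body, t = packet[12:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(t, tag(body)):
        return None
    ctr, enc = body[:4], body[4:]
    iv = b"\x00" * 6 + ctr
    return xor(enc, keystream(iv, len(enc)))


def media_aware_rewrite(packet):
    """What a media-aware B2BUA does without keys: rewrite SSRC and sequence number."""
    seq, ts, ssrc = parse_rtp_header(packet[:12])
    return build_rtp_header((seq + 1000) & 0xFFFF, ts, ssrc ^ 0xDEADBEEF) + packet[12:]


def run_scenario():
    """Pass each protected packet through a key-less header-rewriting B2BUA."""
    payload = b"constructed audio frame bytes"
    header = build_rtp_header(seq=17, timestamp=160, ssrc=0x11223344)
    classic = srtp_unprotect(media_aware_rewrite(srtp_protect(header, payload)))
    cloud = cloud_unprotect(media_aware_rewrite(cloud_protect(header, payload, counter=17)))
    return {
        "srtp_survives_header_rewrite": classic == payload,          # False
        "header_independent_survives_rewrite": cloud == payload,     # True
    }


if __name__ == "__main__":
    print(run_scenario())
```

The first result is the reason a legitimate media-aware B2BUA has to terminate DTLS and re-encrypt (slide 9), and the second is what "Option 1" buys: the relay can rewrite the header while the receiver still authenticates and decrypts the payload under keys the relay never held.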
B2BUA Modes
1. Media Relay
2. Media Aware
3. Media Terminator
Media Terminator
- A media terminator modifies the payload
- Terminates the DTLS connection and acts as a DTLS proxy
  - Changes the certificate fingerprint and signals its own fingerprint
  - Decrypts and re-encrypts the payload
Possible attacks
- Breaks end-to-end security
[Figure: B2BUA in the same administrative domain. Signaling path: Alice -> Alice's Proxy (atlanta.com) -> SIP Cloud -> B2BUA (Back-to-Back User Agent, ISP) -> bob@biloxy.com. Messages: INVITE, Challenge, INVITE, INVITE, INVITE.]
1. Alice calls Bob
2. The outbound proxy for Alice's domain verifies that this is from Alice and adds an assertion (based on 4474bis) that it is from alice@atlanta.com
3. This assertion is signed with the atlanta.com certificate from a well-known certificate authority
4. The B2BUA modifies the payload
Possible mitigations
- Clients can be configured to maintain the B2BUA server's certificate fingerprints. This way the client is aware that the B2BUA is playing the role of a media proxy.
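An added example, not code from the slides, the draft or any SIP stack, of the receiver-side checks that the two fingerprint-based mitigations in this deck amount to: the media-relay mitigation (a signed identity assertion over the certificate fingerprint, so a relay that swaps the fingerprint cannot produce a valid assertion) and the media-terminator mitigation on this slide (a configured set of B2BUA fingerprints, so the client knows when it is talking DTLS to a known media proxy rather than to the far end). Assumptions: the 4474bis signature is replaced by an HMAC under a constructed per-domain key; the certificates are constructed byte strings standing in for DER; the SDP, the `classify_offer` outcome names and the scenario names are mine.

```python
"""Receiver-side checks on an incoming DTLS-SRTP offer.
Constructed example; stand-ins are labelled inline."""
import hashlib
import hmac
import re

# Constructed SDP skeleton; 192.0.2.0/24 is documentation address space.
SDP_TEMPLATE = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "m=audio 49170 UDP/TLS/RTP/SAVP 0\r\n"
    "a=setup:actpass\r\n"
    "a=fingerprint:sha-256 {fp}\r\n"
)

FP_RE = re.compile(
    r"^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*$", re.M
)


def fingerprint(cert_der, algo="sha-256"):
    """RFC 4572 fingerprint form: upper-case hex bytes separated by colons."""
    digest = hashlib.new(algo.replace("-", ""), cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def sdp_fingerprint(sdp):
    """Return (hash-name, fingerprint) from the a=fingerprint line, or None."""
    m = FP_RE.search(sdp)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).upper()


# --- Stand-in for the 4474bis signed identity assertion ---
def identity_sign(domain_key, from_uri, algo, fp):
    """HMAC over caller identity and certificate fingerprint. The real
    assertion is a signature made with the domain's certificate (slide 7)."""
    msg = f"{from_uri}|{algo}|{fp}".encode()
    return hmac.new(domain_key, msg, hashlib.sha256).hexdigest()


def identity_verify(domain_key, from_uri, algo, fp, signature):
    return hmac.compare_digest(identity_sign(domain_key, from_uri, algo, fp), signature)


def classify_offer(sdp, from_uri, signature, domain_key, pinned_b2bua_fps, dtls_peer_cert_der):
    """Decide what the client is actually talking DTLS to."""
    parsed = sdp_fingerprint(sdp)
    if parsed is None:
        return "no-fingerprint"
    algo, fp = parsed
    # The DTLS handshake peer must present the certificate the SDP named.
    if fingerprint(dtls_peer_cert_der, algo) != fp:
        return "dtls-peer-mismatch"
    # Slide 19: a configured B2BUA fingerprint means a known media proxy.
    if fp in pinned_b2bua_fps:
        return "known-media-proxy"
    # Slide 6: the assertion was signed over the original fingerprint; a relay
    # that substituted its own fingerprint cannot re-sign it.
    if not identity_verify(domain_key, from_uri, algo, fp, signature):
        return "fingerprint-modified"
    return "end-to-end"


def run_scenarios():
    """Legitimate relay, malicious relay, and a pinned media terminator."""
    domain_key = hashlib.sha256(b"constructed atlanta.com signing key").digest()
    alice_cert = b"constructed DER bytes standing in for Alice's certificate"
    b2bua_cert = b"constructed DER bytes standing in for the B2BUA's certificate"
    alice_fp, b2bua_fp = fingerprint(alice_cert), fingerprint(b2bua_cert)
    caller = "sip:alice@atlanta.com"
    sig = identity_sign(domain_key, caller, "sha-256", alice_fp)
    original = SDP_TEMPLATE.format(fp=alice_fp)
    substituted = SDP_TEMPLATE.format(fp=b2bua_fp)  # fingerprint swapped in transit
    return {
        "legit_relay": classify_offer(original, caller, sig, domain_key, set(), alice_cert),
        "malicious_relay": classify_offer(substituted, caller, sig, domain_key, set(), b2bua_cert),
        "pinned_terminator": classify_offer(substituted, caller, sig, domain_key, {b2bua_fp}, b2bua_cert),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name}: {verdict}")
```

The order of the checks is the point: the DTLS peer is compared against the SDP fingerprint first (otherwise neither mitigation says anything about who holds the media keys), the pinned set is consulted before the identity check so a known proxy is reported as such rather than as an attack, and only an unpinned fingerprint that the signed assertion does not cover is flagged as modified.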
[Figure: B2BUA in a different administrative domain. Signaling path: Alice -> Alice's Proxy (atlanta.com) -> SIP Cloud -> B2BUA (Back-to-Back User Agent, ISP) -> bob@biloxy.com. Messages: INVITE, Challenge, INVITE, INVITE, INVITE.]
1. Alice calls Bob
2. The outbound proxy for Alice's domain verifies that this is from Alice and adds an assertion (based on 4474bis) that it is from alice@atlanta.com
3. This assertion is signed with the atlanta.com certificate from a well-known certificate authority
4. The B2BUA modifies the payload
Possible mitigations
- Discourage media terminator mode
Next Steps

Backup
B2BUA Modes
Media Relay
- Only changes the UDP/IP header; e.g. topology hiding, privacy
Media Aware
- Relay which can change RTP/RTCP headers; e.g. monitors RTCP for QoS, muxes/demuxes RTP/RTCP on the same 5-tuple
Media Terminator
- Transcoders, conference servers