
Session Initiation Protocol


Presentation Transcript


  1. Session Initiation Protocol R94922133 張榮宏 R94922143 呂詩禹

  2. Sipsak Demo

  3. What is it? • SIPSAK: • It’s a small command line tool for developers and administrators of Session Initiation Protocol applications. • Try it on FreeBSD: • /usr/ports/net/sipsak • Web site: • sipsak.org

  4. How to use it? • man sipsak • Send an OPTIONS request to nobody@foo.bar and display the received replies: • sipsak -vv -s sip:nobody@foo.bar • Send the instant message "Lunch time!" to a colleague and show the result: • sipsak -M -v -s sip:colleague@work -B "Lunch time!"

  5. SIP Security

  6. What problems do users face? • Under attack from all sides

  7. SIP Security • SIP security is a vast and challenging field. • Authentication • Can users steal other users' identities? • Integrity • Is the SIP message received the same as the one sent? • Confidentiality • Is someone else listening in on your SIP call setup?

  8. Threats • Fake requests (e.g., fake From) • Modification of content • REGISTER Contact • SDP to redirect media • Insertion of requests into existing dialogs: BYE, re-INVITE • Denial of service (DoS) attacks • Privacy • Trust domains – can proxies be trusted?

  9. SIP Security Mechanisms • SIP is HTTP-like • How do we secure HTTP services? • HTTP • HTTPS (SSL) • TCP-based Transport Layer Security (TLS) • E-mail • PGP (Pretty Good Privacy) • S/MIME • IP-based communication • IPsec (IP Security)

  10. Solutions for securing SIP

  11. HTTP Digest Authentication • Example given in RFC 2617 • Client request • (user: Mufasa, password: Circle Of Life) • Server response:

  12. HTTP Digest Authentication • Generating the MD5 values

  13. HTTP Digest authentication

  14. HTTP Digest authentication • response = H(H(A1):nonce:nc:cnonce:qop:H(A2)) • A1 = username:realm:password • A2 = method:URI or method:URI:H(body) • where H(x) = MD5(x)
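Added example, not from the slides: the Digest computation above carried through for a SIP INVITE, with the server side storing only H(A1) rather than the password and using the nonce count to refuse replayed credentials. The username and password are the slide's RFC 2617 sample; the realm, nonce, cnonce and Request-URI are constructed values.

```python
import hashlib
import secrets

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def make_ha1(username: str, realm: str, password: str) -> str:
    # A1 = username:realm:password; a server may store H(A1) instead of the clear password
    return md5_hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth", body=""):
    # A2 = method:URI for qop=auth, or method:URI:H(body) for qop=auth-int
    a2 = f"{method}:{uri}" if qop == "auth" else f"{method}:{uri}:{md5_hex(body)}"
    # response = H(H(A1):nonce:nc:cnonce:qop:H(A2))
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{md5_hex(a2)}")

class DigestVerifier:
    """Server side: hand out a fresh nonce, then check each client response against it."""
    def __init__(self, ha1_by_user: dict):
        self.ha1_by_user = ha1_by_user   # username -> H(A1); the password itself is never stored
        self.nonces = {}                 # nonce -> highest nonce-count accepted so far

    def new_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response, qop="auth", body=""):
        ha1 = self.ha1_by_user.get(username)
        if ha1 is None or nonce not in self.nonces:
            return False                 # unknown user, or a nonce this server never issued
        nc_value = int(nc, 16)
        if nc_value <= self.nonces[nonce]:
            return False                 # replayed (or reordered) nonce-count
        expected = digest_response(ha1, method, uri, nonce, nc, cnonce, qop, body)
        if not secrets.compare_digest(expected, response):
            return False                 # wrong password, or method/URI/body changed in transit
        self.nonces[nonce] = nc_value
        return True

if __name__ == "__main__":
    # Constructed sample: the slide's user and password, a made-up realm and INVITE target
    realm, user, password = "example.com", "Mufasa", "Circle Of Life"
    server = DigestVerifier({user: make_ha1(user, realm, password)})
    nonce = server.new_nonce()
    resp = digest_response(make_ha1(user, realm, password), "INVITE",
                           "sip:bob@example.com", nonce, "00000001", "0a4f113b")
    print("first use accepted:", server.verify(user, "INVITE", "sip:bob@example.com",
                                               nonce, "00000001", "0a4f113b", resp))
    print("replay accepted:", server.verify(user, "INVITE", "sip:bob@example.com",
                                            nonce, "00000001", "0a4f113b", resp))
```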

  15. INVITE: SIP Proxy Digest Authentication • (figure: proxy server using Digest authentication)

  16. INVITE: SIP Proxy Digest Authentication • (figure: proxy server challenge using Digest authentication)

  17. TLS security: SIPS URI • SIPS scheme added in RFC 3261 • sips:alice@example.com • TLS must be used on the whole path. • Cannot be applied to UDP-based SIP (only TCP or another reliable transport protocol) • Applied hop-by-hop • All SIP proxies are required to implement it

  18. How to secure the talk? • Securing the real-time media streams • Multimedia streams are packet-oriented • Encryption and authentication algorithms should not add too much delay • Transmission must be UDP-based • Only two security mechanisms are currently available.

  19. Securing the real-time media streams

  20. Secure Real-Time Transport Protocol (SRTP) • The Secure RTP Packet Format:

  21. SRTP • Default Encryption Algorithm

  22. Secure Real-Time Transport Protocol (SRTP) • The Secure RTCP Packet Format:

  23. Conclusion • VoIP security is complex • Numerous protocols • NAT/firewall traversal issues • QoS issues • Technologies are in place to secure VoIP • Solutions we’ve discussed • However, no “standard” approach is being used • Current VoIP providers do not secure calls

  24. SIP Programming

  25. SIP Programming • SIP follows the HTTP programming model • Three mechanisms suggested in the IETF • Call Processing Language (SIP-CPL) • Common Gateway Interface (SIP-CGI) • SIP Servlet • Other options • Creation Markup Language (SCML) • Voice Extensible Markup Language (VoiceXML) • Call Control eXtensible Markup Language (CCXML)

  26. SIP Programming • Examples • “discard all calls from Monica during my business hours” • “redirect authenticated friends to my cell phone, anyone else to my secretary” • “if busy, return my homepage and redirect to recorder” • Users and third parties may program

  27. SIP Programming

  28. Where are services located? Source: H. Schulzrinne: “Industrial Strength IP Telephony”

  29. Common Gateway Interface • Almost identical to HTTP CGI • Language independent (Perl, Tcl, C, C++, ...) • Any binary may be executed as a separate program • Communicates through I/O and environment variables • More flexible but more risky • Unmanaged resource allocation • A single CGI script may crash the server or the user client • Feb. 1, 2001: RFC 3050 (Common Gateway Interface for SIP) published

  30. Call Processing Language • Designed by the IETF to support sophisticated telephony services • May be used with either SIP or H.323 • XML-based scripting language • Extensive • Easily edited by GUI tools • Portability allows users to move across servers • A lightweight CPL interpreter is needed • Better security

  31. An Example • A simple script that blocks anonymous callers:

    <?xml version="1.0" ?>
    <!DOCTYPE cpl PUBLIC "-//IETF//DTD RFCxxxx CPL 1.0//EN" "cpl.dtd">
    <cpl>
      <incoming>
        <address-switch field="origin" subfield="user">
          <address is="anonymous">
            <reject status="reject"
                    reason="I don't accept anonymous calls" />
          </address>
        </address-switch>
      </incoming>
    </cpl>
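Added example, not part of the slides: a small Python evaluator for the <incoming> branch of the script above. It goes slightly beyond the slide's script in that it also understands the `contains` attribute, an `otherwise` output and a `proxy` node; the caller URIs it is run against are constructed. A caller whose origin user is "anonymous" is rejected with the script's reason, while any other caller falls through to the server's default handling, which is what an empty match list means in CPL.

```python
import xml.etree.ElementTree as ET

# The slide's script, with the DOCTYPE dropped so the parser does not look for cpl.dtd
CPL_SCRIPT = """<?xml version="1.0"?>
<cpl>
  <incoming>
    <address-switch field="origin" subfield="user">
      <address is="anonymous">
        <reject status="reject" reason="I don't accept anonymous calls"/>
      </address>
    </address-switch>
  </incoming>
</cpl>"""

def split_sip_uri(uri: str):
    """'sip:user@host;params' -> (user, host); user is '' when the URI has no user part."""
    body = uri.split(":", 1)[1] if ":" in uri else uri
    body = body.split(";", 1)[0]
    user, sep, host = body.partition("@")
    return (user, host) if sep else ("", user)

def evaluate_cpl(script: str, origin_uri: str):
    """Run the <incoming> branch against the caller's address -> (action, status, reason)."""
    user, host = split_sip_uri(origin_uri)
    fields = {("origin", "user"): user, ("origin", "host"): host, ("origin", None): origin_uri}
    incoming = ET.fromstring(script).find("incoming")
    if incoming is None or len(incoming) == 0:
        return ("default", None, None)   # nothing scripted for incoming calls
    return _run(incoming[0], fields)

def _run(node, fields):
    if node.tag == "address-switch":
        value = fields.get((node.get("field"), node.get("subfield")), "")
        for out in node:                 # outputs are tried in document order
            if out.tag == "address":
                if out.get("is") is not None and out.get("is") != value:
                    continue
                if out.get("contains") is not None and out.get("contains") not in value:
                    continue
            elif out.tag != "otherwise":
                raise ValueError(f"unexpected <{out.tag}> inside address-switch")
            return _run(out[0], fields) if len(out) else ("default", None, None)
        return ("default", None, None)   # no output matched: proceed as if no script
    if node.tag == "reject":
        return ("reject", node.get("status"), node.get("reason"))
    if node.tag == "proxy":
        return ("proxy", None, None)
    raise ValueError(f"unsupported CPL node <{node.tag}>")
```

Because CPL has no loops or arbitrary code, this whole decision tree is bounded by the script size, which is the property the slide's "better security" and "lightweight interpreter" bullets rely on.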

  32. Java Servlets • Similar to HTTP servlets • Resources managed by the container • The class runs within a JVM (Java Virtual Machine) on the server • Security provided by Java • Portable between OSs and servers

  33. JAIN SIP • The Java-standard interface to a SIP signaling stack. • Standardizes the interface to the stack. • Standardizes the message interface. • Standardizes events and event semantics. • Application portability, verified via the TCK. • Designed for developers who require powerful access to the SIP protocol. • JAIN SIP can be used in a user agent, proxy or registrar, or embedded in a service container.

  34. SIP Implementation Structure

  35. Packages • General package • Defines the architectural interfaces, the transaction and dialog interfaces and the event objects of the specification. • Address package • Contains a generic URI wrapper and defines the SIP URI and Tel URI interfaces. • Message package • Defines the interfaces necessary for the Request and Response messages. • Header package • Defines interfaces for all the supported headers and extension headers.

  36. Application - Stack Creation • Initialize the stack using SipFactory:

    // needs: import java.util.Properties; import javax.sip.*;
    // The slide uses sipFactory without showing where it comes from; obtain it first
    SipFactory sipFactory = SipFactory.getInstance();
    sipFactory.setPathName("gov.nist");   // package prefix of the stack implementation to load
    SipStack sipStack = null;

    Properties properties = new Properties();
    properties.setProperty("javax.sip.IP_ADDRESS", "129.6.55.181");
    properties.setProperty("javax.sip.OUTBOUND_PROXY", "129.6.55.182:5070/UDP");
    // ... other initialization properties.
    try {
        sipStack = sipFactory.createSipStack(properties);
    } catch (SipException e) {
        // no stack could be created from these properties: nothing else can proceed
        System.exit(-1);
    }

  37. Application – Request Creation • Initialize the request using the factories:

    // needs: import javax.sip.address.*; import javax.sip.message.*; import java.text.ParseException;
    try {
        SipURI requestURI = addressFactory.createSipURI(toUser, toSipAddress);
        // ... create the other headers (Call-ID, CSeq, From, To, Via, Max-Forwards)
        Request request = messageFactory.createRequest(requestURI, Request.INVITE,
                callIdHeader, cSeqHeader, fromHeader, toHeader, viaHeaders, maxForwards);
    } catch (ParseException e) {
        // a user name, host or header value was not syntactically valid
    }

  38. Application - Sending Requests • Send outgoing messages:

    // needs: import javax.sip.*;
    try {
        // Create the client transaction
        ClientTransaction inviteTid = sipProvider.getNewClientTransaction(request);
        // Send the request
        inviteTid.sendRequest();
    } catch (SipException e) {
        // no transaction available, or the request could not be sent
    }

  39. HIGH-LEVEL SERVICE CREATION FRAMEWORK • Service Creation Environment (SCE) • GUI development IDE • Service Logic Execution Environment (SLEE)

  40. HIGH-LEVEL SERVICE CREATION FRAMEWORK

  41. Choosing a mechanism • Portability vs. performance • Portability is needed if services are deployed at multiple servers or end devices. • Portable languages (CPL) need to be interpreted (processing delay) • The deployment scenario decides the service creation mechanism.

  42. Implementations • BaseVoice Vanilla • J2EE-based SIP server, JAIN SIP API v1.1 • SIPD • SIP CGI-BIN support • Meetinghouse SIP Proxy • CPL support Source: “http://www.iptel.org/info/products/”

  43. References • http://netlab.boun.edu.tr/mast/sip/ • http://iptel.org/sip/siptutorial.pdf • http://java.sun.com/products/jain/JAIN-SIP-Tutorial.pdf • Creating Value Added Services in Internet Telephony: An Overview and a Case Study on a High-Level Service Creation Environment, by Roch H. Glitho, Ferhat Khendek, and Alessandro De Marco
