Session Initiation Protocol R94922133 張榮宏 R94922143 呂詩禹
What is it? • SIPSAK: • It’s a small command line tool for developers and administrators of Session Initiation Protocol applications. • Try it on FreeBSD: • /usr/ports/net/sipsak • Web site: • sipsak.org
How to use it? • man sipsak • Send an OPTIONS request to nobody@foo.bar and display received replies: • sipsak -vv -s sip:nobody@foo.bar • Send the instant message "Lunch time!" to a colleague and show the result: • sipsak -M -v -s sip:colleague@work -B "Lunch time!"
What problems do users face? • Attacked from all sides
SIP Security • SIP security is a vast and challenging field. • Authentication • Can users steal other users' identities? • Integrity • Is the SIP message received the same as the one sent? • Confidentiality • Is someone else listening on your SIP call setup?
Threats • Fake requests (e.g., fake From) • Modification of content • REGISTER Contact • SDP to redirect media • Insertion of requests into existing dialogs: BYE, re-INVITE • Denial of service (DoS) attacks • Privacy • Trust domains – can proxies be trusted?
SIP Security Mechanisms • SIP is HTTP-like • How do we secure HTTP services? • HTTP • HTTPS (SSL) • TCP-based Transport Layer Security (TLS) • E-mail • PGP (Pretty Good Privacy) • S/MIME • IP-based communication • IPsec (IP Security)
HTTP Digest Authentication • Example given in RFC 2617 • Client request (user: Mufasa, password: Circle Of Life) • Server response:
HTTP Digest Authentication • Generating the MD5 values
HTTP Digest authentication • response = H(H(A1):nonce:nc:cnonce:qop:H(A2)) • A1 = username:realm:password • A2 = method:URI or method:URI:H(body) • where H(x) = MD5(x)
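Worked example added here (not code from the slides): the response computation above in Python's hashlib, checked against the RFC 2617 section 3.5 example the earlier slide cites (user Mufasa, password Circle Of Life; realm, nonce, cnonce and URI are the RFC's values). The REGISTER variant is constructed to show the same formula over a SIP method and Request-URI, and verify_response is the server-side check.

```python
import hashlib
import hmac

def H(data):
    """H(x) = MD5(x) as on the slide; the lower-case hex form is what the header carries."""
    return hashlib.md5(data.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop, body=""):
    """response = H(H(A1):nonce:nc:cnonce:qop:H(A2)); A2 includes H(body) only for qop=auth-int."""
    a1 = "%s:%s:%s" % (username, realm, password)
    a2 = "%s:%s" % (method, uri) if qop == "auth" else "%s:%s:%s" % (method, uri, H(body))
    return H("%s:%s:%s:%s:%s:%s" % (H(a1), nonce, nc, cnonce, qop, H(a2)))

def verify_response(received, **params):
    """Server side: recompute from the stored credentials and compare in constant time."""
    return hmac.compare_digest(received, digest_response(**params))

# RFC 2617 section 3.5 example (realm, nonce, cnonce and URI taken from the RFC, not the slides).
RFC2617_EXAMPLE = dict(
    username="Mufasa", realm="testrealm@host.com", password="Circle Of Life",
    method="GET", uri="/dir/index.html",
    nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", nc="00000001", cnonce="0a4f113b", qop="auth")

# Constructed SIP variant: same scheme, with the SIP method and Request-URI going into A2.
SIP_EXAMPLE = dict(RFC2617_EXAMPLE, method="REGISTER", uri="sip:example.com", realm="example.com")

if __name__ == "__main__":
    print(digest_response(**RFC2617_EXAMPLE))   # 6629fae49393a05397450978507c4ef1
```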
INVITE with SIP Proxy Digest Authentication • (figure: INVITE through a proxy server using Digest authentication)
INVITE with SIP Proxy Digest Authentication • (figure: the proxy server's challenge)
TLS security: SIPS URI • SIPS scheme added in RFC 3261 • sips:alice@example.com • TLS must be used on the whole path. • Cannot be applied to UDP-based SIP (only TCP or another reliable transport protocol) • Applied hop-by-hop • All SIP proxies are required to implement it
How to secure the talk? • Securing the real-time media streams • Multimedia streams are packet-oriented • Encryption and authentication algorithms should not cause too much delay • Transmission must be UDP-based • Only two security mechanisms are currently available.
Secure Real-Time Transport Protocol (SRTP) • The Secure RTP Packet Format:
SRTP • Default Encryption Algorithm
Secure Real-Time Transport Protocol (SRTP) • The Secure RTCP Packet Format:
Conclusion • VoIP security is complex • Numerous protocols • NAT/firewall traversal issues • QoS issues • Technologies are in place to secure VoIP • Solutions we’ve discussed • However, no “standard” approach is being used • Current VoIP providers do not secure calls
SIP Programming • SIP follows HTTP programming model • Three mechanisms suggested in IETF • Call Processing Language ( SIP – CPL ) • Common Gateway Interface ( SIP – CGI ) • SIP Servlet • Other Options • Creation Markup Language (SCML) • Voice Extensible Markup Language (VoiceXML) • Call Control extensible Markup Language (CCXML)
SIP Programming • Examples • “discard all calls from Monica during my business hours” • “redirect authenticated friends to my cell phone, anyone else to my secretary” • “if busy, return my homepage and redirect to recorder” • Users and third parties may program
Where are services located? • (figure) Source: H. Schulzrinne, “Industrial Strength IP Telephony”
Common Gateway Interface • Almost identical to HTTP CGI • Language independent (Perl, Tcl, C, C++, ...) • Any binary may be executed as a separate program • Communicates through I/O and environment variables • More flexible but more risky • Unmanaged resource allocation • A single CGI script may crash the server or user client • Feb. 1, 2001: RFC 3050 (Common Gateway Interface for SIP) published
Call Processing Language • Designed by the IETF to support sophisticated telephony services • May be used with either SIP or H.323 • XML-based scripting language • Extensible • Easily edited by GUI tools • Portability allows users to move across servers • A lightweight CPL interpreter is needed • Better security
An Example • A simple script that blocks anonymous callers:
<?xml version="1.0" ?>
<!DOCTYPE cpl PUBLIC "-//IETF//DTD RFCxxxx CPL 1.0//EN" "cpl.dtd">
<cpl>
  <incoming>
    <address-switch field="origin" subfield="user">
      <address is="anonymous">
        <reject status="reject" reason="I don't accept anonymous calls" />
      </address>
    </address-switch>
  </incoming>
</cpl>
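Added example (not from the slides or any CPL implementation): a small Python interpreter for the subset of CPL the script above uses, so the decision a server would take for a given caller can be traced. It handles incoming, address-switch on the origin field with the user/host/address subfields, address conditions is/contains, otherwise, reject and proxy; everything else is treated as unsupported. The script is a copy of the slide's with the DOCTYPE line dropped.

```python
import xml.etree.ElementTree as ET

# Copy of the slide's script with the DOCTYPE line dropped so ElementTree parses it offline.
CPL_SCRIPT = """<?xml version="1.0"?>
<cpl>
  <incoming>
    <address-switch field="origin" subfield="user">
      <address is="anonymous">
        <reject status="reject" reason="I don't accept anonymous calls"/>
      </address>
    </address-switch>
  </incoming>
</cpl>"""

def address_subfield(uri, subfield):
    """Split sip:user@host;params into the subfields an address-switch may test."""
    addr = uri.split(":", 1)[-1].split(";", 1)[0]      # drop the scheme and URI parameters
    user, _, host = addr.partition("@")
    return {"address": addr, "user": user, "host": host.lower()}[subfield]

def match_address(case, value):
    """One <address> output: 'is' is an exact match, 'contains' a substring test."""
    if "is" in case.attrib:
        return value == case.get("is")
    if "contains" in case.attrib:
        return case.get("contains") in value
    return False

def run_node(node, caller_uri):
    """Follow a node's single output until an action is reached; returns the decision as a tuple."""
    for child in node:
        if child.tag == "address-switch":
            if child.get("field") != "origin":          # only the caller's address is modelled here
                raise ValueError("unsupported switch field: %s" % child.get("field"))
            value = address_subfield(caller_uri, child.get("subfield", "address"))
            for case in child:                          # outputs are tried in document order
                if case.tag == "otherwise" or (case.tag == "address" and match_address(case, value)):
                    return run_node(case, caller_uri)
            return ("default",)     # no output matched: the server applies its default handling
        if child.tag == "reject":
            return ("reject", child.get("status"), child.get("reason", ""))
        if child.tag == "proxy":
            return ("proxy", child.get("timeout"))
    return ("default",)

def evaluate(script, caller_uri):
    """Run the <incoming> branch of the callee's CPL script for one caller."""
    incoming = ET.fromstring(script).find("incoming")
    return run_node(incoming, caller_uri) if incoming is not None else ("default",)
```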
Java Servlets • Similar to HTTP servlets • Resource Managed By Container • The class runs within a JVM (Java Virtual Machine) on server • Security provided by Java • Portable between OSs & servers
JAIN SIP • The Java-standard interface to a SIP signaling stack • Standardizes the interface to the stack • Standardizes the message interface • Standardizes events and event semantics • Application portability, verified via the TCK • Designed for developers who require powerful access to the SIP protocol • JAIN SIP can be used in a user agent, proxy, registrar or embedded into a service container
Packages • General package • Defines the architectural interfaces, the transaction and dialog interfaces and the event objects of the specification. • Address package • Address package contains a generic URI wrapper and defines SIP URI and Tel URIs interfaces. • Message package • Defines the interfaces necessary for the Request and Response messages. • Header packages • Header package defines interfaces for all the supported headers and extension headers
Application - Stack Creation • Initialize the stack using SipFactory:
try {
    Properties properties = new Properties();
    properties.setProperty("javax.sip.IP_ADDRESS", "129.6.55.181");
    properties.setProperty("javax.sip.OUTBOUND_PROXY", "129.6.55.182:5070/UDP");
    // …… Other initialization properties.
    sipStack = sipFactory.createSipStack(properties);
} catch (SipException e) {
    // Stack could not be created (PeerUnavailableException is a SipException): abort
    System.exit(-1);
}
Application – Request Creation • Initialize the request using the factories:
try {
    SipURI requestURI = addressFactory.createSipURI(toUser, toSipAddress);
    // … Create other headers (Call-ID, CSeq, From, To, Via, Max-Forwards)
    Request request = messageFactory.createRequest(requestURI, Request.INVITE,
            callIdHeader, cSeqHeader, fromHeader, toHeader, viaHeaders, maxForwards);
} catch (ParseException e) {
    // A URI or header value could not be parsed
    e.printStackTrace();
}
Application - Sending Requests • Send outgoing messages:
try {
    // Create the client transaction
    ClientTransaction inviteTid = sipProvider.getNewClientTransaction(request);
    // Send the request
    inviteTid.sendRequest();
} catch (SipException e) {
    // Transaction could not be created or the request could not be sent
    e.printStackTrace();
}
HIGH-LEVEL SERVICE CREATION FRAMEWORK • Service Creation Environment (SCE) • GUI development IDE • Service Logic Execution Environment (SLEE)
Choosing a mechanism • Portability vs. performance • Portability is needed if services are deployed at multiple servers or end devices • Portable languages (CPL) need to be interpreted (processing delay) • The deployment scenario decides the service creation mechanism.
Implementations • BaseVoice Vanilla • J2EE-based SIP Server, JAIN SIP API v1.1. • SIPD • SIP CGI-BIN support • Meetinghouse SIP Proxy • CPL support Source: “http://www.iptel.org/info/products/”
Reference • http://netlab.boun.edu.tr/mast/sip/ • http://iptel.org/sip/siptutorial.pdf • http://java.sun.com/products/jain/JAIN-SIP-Tutorial.pdf • Creating Value Added Services in Internet Telephony: An Overview and a Case Study on a High-Level Service Creation Environment -- Roch H. Glitho, Ferhat Khendek, and Alessandro De Marco