Session Initiation Protocol
R94922133 張榮宏 R94922143 呂詩禹

Upload: oona

Post on 22-Jan-2016

DESCRIPTION

Session Initiation Protocol. R94922133 張榮宏 R94922143 呂詩禹. Sipsak Demo. What is it? SIPSAK: It’s a small command line tool for developers and administrators of Session Initiation Protocol applications. Try it on FreeBSD: /usr/ports/net/sipsak. Web site: sipsak.org. How to use it?

TRANSCRIPT

Page 1: Session Initiation Protocol

Session Initiation Protocol

R94922133 張榮宏  R94922143 呂詩禹

Page 2: Session Initiation Protocol

Sipsak Demo

Page 3: Session Initiation Protocol

What is it?

• SIPSAK:
  – It’s a small command line tool for developers and administrators of Session Initiation Protocol applications.

• Try it on FreeBSD:
  – /usr/ports/net/sipsak

• Web site:
  – sipsak.org

Page 4: Session Initiation Protocol

How to use it?

• man sipsak

• Send an OPTIONS request to [email protected] and display received replies:
  – sipsak -vv -s sip:[email protected]

• Send the instant message "Lunch time!" to the colleague and show the result:
  – sipsak -M -v -s sip:colleague@work -B "Lunch time!"

Page 5: Session Initiation Protocol

SIP Security

Page 6: Session Initiation Protocol

What problems do users face? Besieged on all sides.

Page 7: Session Initiation Protocol

SIP Security

• SIP security is a vast and challenging field.

• Authentication
  – Can users steal other users’ identity?

• Integrity
  – Is the SIP message received the same as the one sent?

• Confidentiality
  – Is someone else listening on your SIP call setup?

Page 8: Session Initiation Protocol

Threats

• Fake requests (e.g., fake From)

• Modification of content
  – REGISTER Contact
  – SDP to redirect media

• Insertion of requests into existing dialogs: BYE, re-INVITE

• Denial of service (DoS) attacks

• Privacy

• Trust domains – can proxies be trusted?

Page 9: Session Initiation Protocol

SIP Security Mechanisms

• SIP is HTTP-like

• How do we secure HTTP services?
  – HTTP
    • HTTPS (SSL)
    • TCP based Transport Layer Security (TLS)
  – E-mail
    • PGP (Pretty Good Privacy)
    • S/MIME
  – IP based communication
    • IPsec (IP Security)

Page 10: Session Initiation Protocol

Solutions for securing SIP

Page 11: Session Initiation Protocol

HTTP Digest Authentication

• Example given in RFC 2617
  – Client request (user: Mufasa, passwd: Circle Of Life)
  – Server response

Page 12: Session Initiation Protocol

HTTP Digest Authentication

• Generating the MD5 values

Page 13: Session Initiation Protocol

HTTP Digest authentication

parameter    meaning
realm        client domain
domain       destination
algorithm    hash algorithm: MD5, MD5-sess
nonce        server-chosen nonce
cnonce       client-chosen nonce
nc           # times nonce has been used
digest-uri   destination
qop          protection (auth, auth-int)
opaque       string echoed by client
username     user’s name in specified realm
response     H(H(A1):nonce:nc:cnonce:qop:H(A2))

Page 14: Session Initiation Protocol

HTTP Digest authentication

• response = H(H(A1):nonce:nc:cnonce:qop:H(A2))

• A1 = username:realm:password

• A2 = method:URI or method:URI:H(body)

• where H(x) = MD5(x)

Page 15: Session Initiation Protocol

SIP Proxy Digest Authentication

• Proxy Server using Digest Authentication
  (figure: user agent sends INVITE to the proxy server)

Page 16: Session Initiation Protocol

SIP Proxy Digest Authentication

• Proxy Server using Digest Authentication
  (figure: user agent sends INVITE; proxy server answers with a challenge)

Page 17: Session Initiation Protocol

TLS security: SIPS URI

• SIPS scheme added in RFC 3261
  – sips:[email protected]

• TLS must be used on the whole path.

• Cannot be applied to UDP-based SIP (only TCP or another reliable transport protocol)

• Applied hop-by-hop

• All SIP proxies are required to implement it

Page 18: Session Initiation Protocol

How to secure the talk?

• Securing the real-time media streams

• Multimedia streams are packet-oriented

• Encryption and authentication algorithms should not cause too much delay

• Transmission must be UDP based

• Only two security mechanisms are currently available.

Page 19: Session Initiation Protocol

Securing the real-time media streams

Page 20: Session Initiation Protocol

Secure Real-Time Transport Protocol (SRTP)

• The Secure RTP Packet Format:

Page 21: Session Initiation Protocol

SRTP

• Default Encryption Algorithm

Page 22: Session Initiation Protocol

Secure Real-Time Transport Protocol (SRTP)

• The Secure RTCP Packet Format:

Page 23: Session Initiation Protocol

Conclusion

• VoIP security is complex
  – Numerous protocols
  – NAT/firewall traversal issues
  – QoS issues

• Technologies are in place to secure VoIP
  – Solutions we’ve discussed
  – However, no “standard” approach is being used

• Current VoIP providers do not secure calls

Page 24: Session Initiation Protocol

SIP Programming

Page 25: Session Initiation Protocol

SIP Programming

• SIP follows the HTTP programming model

• Three mechanisms suggested in the IETF
  – Call Processing Language (SIP-CPL)
  – Common Gateway Interface (SIP-CGI)
  – SIP Servlet

• Other Options
  – Creation Markup Language (SCML)
  – Voice Extensible Markup Language (VoiceXML)
  – Call Control eXtensible Markup Language (CCXML)

Page 26: Session Initiation Protocol

SIP Programming

• Examples
  – “discard all calls from Monica during my business hours”
  – “redirect authenticated friends to my cell phone, anyone else to my secretary”
  – “if busy, return my homepage and redirect to recorder”

• Users and third parties may program

Page 27: Session Initiation Protocol

SIP Programming

Page 28: Session Initiation Protocol

Where are services located?

Source: H. Schulzrinne: “Industrial Strength IP Telephony”

Page 29: Session Initiation Protocol

Common Gateway Interface

• Almost identical to HTTP CGI

• Language independent (Perl, Tcl, C, C++, ...)
  – Any binary may be executed as a separate program

• Communicates through I/O and environment variables.
  – More flexible but more risky

• Unmanaged resource allocation
  – A single CGI may crash the server or user client

• Feb. 1, 2001: RFC 3050 (Common Gateway Interface for SIP) published

Page 30: Session Initiation Protocol

Call Processing Language

• Designed by the IETF to support sophisticated telephony services
  – May be used by both SIP and H.323.

• XML based scripting language
  – Extensive
  – Easily edited by GUI tools
  – Portability allows users to move across servers.

• A lightweight CPL interpreter is needed
  – Better security

Page 31: Session Initiation Protocol

An Example

A simple script that blocks anonymous callers

<?xml version="1.0" ?>
<!DOCTYPE cpl PUBLIC "-//IETF//DTD RFCxxxx CPL 1.0//EN" "cpl.dtd">
<cpl>
  <incoming>
    <address-switch field="origin" subfield="user">
      <address is="anonymous">
        <reject status="reject"
          reason="I don't accept anonymous calls" />
      </address>
    </address-switch>
  </incoming>
</cpl>
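An added Python example (not from the slides or from any CPL implementation) that interprets the subset of CPL the script above uses: an address-switch on the origin user, an is= match, an otherwise branch, and a reject action. The script is copied from the slide without its DOCTYPE; the sample callers are constructed.

```python
import xml.etree.ElementTree as ET

# The slide's script, copied without the DOCTYPE so ElementTree does not try to load cpl.dtd.
CPL_SCRIPT = """<cpl>
  <incoming>
    <address-switch field="origin" subfield="user">
      <address is="anonymous">
        <reject status="reject" reason="I don't accept anonymous calls" />
      </address>
    </address-switch>
  </incoming>
</cpl>"""

def _address_parts(uri):
    # "sip:user@host" -> the subfields an <address-switch> may select on
    addr = uri.split(":", 1)[1] if ":" in uri else uri
    user, _, host = addr.partition("@")
    return {"address": addr, "user": user, "host": host}

def _branch_matches(branch, value):
    if branch.tag == "otherwise":
        return True
    if "is" in branch.attrib:
        return value == branch.attrib["is"]
    if "contains" in branch.attrib:
        return branch.attrib["contains"] in value
    return False

def _run(node, call):
    # Walks one node of the script and returns the first action reached, or None when
    # the script falls through (the server then handles the call as it normally would).
    for child in node:
        if child.tag == "address-switch":
            parts = _address_parts(call[child.attrib["field"]])
            value = parts[child.attrib.get("subfield", "address")]
            for branch in child:
                if _branch_matches(branch, value):
                    return _run(branch, call)
            return None
        if child.tag == "reject":
            return ("reject", child.attrib.get("status"), child.attrib.get("reason", ""))
    return None

def decide(script, origin, destination):
    """Evaluate the <incoming> part of a CPL script for a call from origin to destination."""
    incoming = ET.fromstring(script).find("incoming")
    if incoming is None:
        return None
    return _run(incoming, {"origin": origin, "destination": destination})
```

The script can only select among actions the interpreter offers, which is the point of the previous slide: unlike a CGI binary, a CPL script cannot run arbitrary code on the server.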

Page 32: Session Initiation Protocol

Java Servlets

• Similar to HTTP servlets
• Resources managed by the container
• The class runs within a JVM (Java Virtual Machine) on the server
• Security provided by Java
• Portable between OSs & servers

Page 33: Session Initiation Protocol

JAIN SIP

• The Java-standard interface to a SIP signaling stack.
  – Standardizes the interface to the stack.
  – Standardizes the message interface.
  – Standardizes events and event semantics.
  – Application portability, verified via the TCK.

• Designed for developers who require powerful access to the SIP protocol.

• JAIN SIP can be utilized in a user agent, proxy, registrar or embedded into a service container.

Page 34: Session Initiation Protocol

SIP Implementation Structure

Page 35: Session Initiation Protocol

Packages

• General package
  – Defines the architectural interfaces, the transaction and dialog interfaces and the event objects of the specification.

• Address package
  – Contains a generic URI wrapper and defines the SIP URI and Tel URI interfaces.

• Message package
  – Defines the interfaces necessary for the Request and Response messages.

• Header package
  – Defines interfaces for all the supported headers and extension headers.

Page 36: Session Initiation Protocol

Application - Stack Creation

Initialize Stack using SipFactory:

    try {
        Properties properties = new Properties();
        properties.setProperty("javax.sip.IP_ADDRESS", "129.6.55.181");
        properties.setProperty("javax.sip.OUTBOUND_PROXY", "129.6.55.182:5070/UDP");
        // … Other initialization properties.
        sipStack = sipFactory.createSipStack(properties);
    } catch (SipException e) {
        // stack could not be created with these properties
        System.exit(-1);
    }

Page 37: Session Initiation Protocol

Application – Request Creation

Initialize Request using Factories:

    try {
        SipURI requestURI = addressFactory.createSipURI(toUser, toSipAddress);
        // … Create other headers
        Request request = messageFactory.createRequest(requestURI, Request.INVITE,
            callIdHeader, cSeqHeader, fromHeader, toHeader, viaHeaders, maxForwards);
    } catch (ParseException e) {
        // malformed URI or header value (catch block completed here; the slide omits it)
    }

Page 38: Session Initiation Protocol

Application - Sending Requests

Send outgoing messages:

    try {
        // Create the client transaction
        ClientTransaction inviteTid = sipProvider.getNewClientTransaction(request);
        // send the request
        inviteTid.sendRequest();
    } catch (SipException e) {
        // transaction or transport failure (catch block completed here; the slide omits it)
    }

Page 39: Session Initiation Protocol

HIGH-LEVEL SERVICE CREATION FRAMEWORK

• Service Creation Environment (SCE)
  – GUI development IDE

• Service Logic Execution Environment (SLEE)

Page 40: Session Initiation Protocol

HIGH-LEVEL SERVICE CREATION FRAMEWORK

Page 41: Session Initiation Protocol

Choosing a mechanism

• Portability vs Performance
  – Portability needed if services are deployed at multiple servers or end-devices.
  – Portable languages (CPL) need to be interpreted (processing delay)

• The deployment scenario decides the service creation mechanism.

Page 42: Session Initiation Protocol

Implementations

• BaseVoice Vanilla
  – J2EE-based SIP Server, JAIN SIP API v1.1.

• SIPD
  – SIP CGI-BIN support

• Meetinghouse SIP Proxy
  – CPL support

Source: http://www.iptel.org/info/products/

Page 43: Session Initiation Protocol

Reference

• http://netlab.boun.edu.tr/mast/sip/
• http://iptel.org/sip/siptutorial.pdf
• http://java.sun.com/products/jain/JAIN-SIP-Tutorial.pdf
• Roch H. Glitho, Ferhat Khendek, and Alessandro De Marco: “Creating Value Added Services in Internet Telephony: An Overview and a Case Study on a High-Level Service Creation Environment”