SSL Tunneling for SIP

Post on 20-Jan-2017


TRANSCRIPT

SSL TUNNELING

SIP

SIP is the Standard Interchange Protocol. It’s not a standard in the technical sense, since no standards body has ratified it, but 3M has published versions 1 and 2 and they have become the de facto way that library services interact with the ILS.

[Diagram: SIP services such as Hoopla, Overdrive, self check equipment, etc. exchange SIP messages with Evergreen’s SIP service.]

SIP traffic goes both ways, to Evergreen and back to the service.

Source of the Problems

SIP is plain text and done over telnet. The plain text part will be important.

Telnet is an old technology that was used because it was easy and universal.

Essentially, it has been the path of least resistance (and expense) for vendors.

Reading SIP

A SIP message isn’t easy to read but you can if you know the format.

Reading a SIP Query

This is the most common query a SIP service sends to Evergreen: a patron information request. (The user name and password are blurred out, and these images are from an actual SIP transaction.)

Reading a SIP Response

As you can see, even without knowing how SIP is structured you can get a patron’s name, email, phone number and street address. Other queries can give you EVEN MORE INFORMATION.
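The slides show the query and the response only as screenshots. As an added example that is not part of the presentation, the following shell script decodes a constructed SIP2 patron information request (message 63) and response (message 64), verifies the AZ checksum, and prints the fields a passive observer would learn from a single plaintext response. The messages, names and identifiers in it are made up; the field identifiers (AO, AA, AE, BE, BF, BD), the fixed-field widths and the checksum rule follow the SIP2 definition.

```shell
#!/bin/sh
# Added example, not from the presentation: a small SIP2 decoder that pulls
# the patron fields out of a plaintext Patron Information exchange and checks
# the AZ checksum. The sample messages below are constructed; every name,
# address and identifier in them is fictional.

# Number of fixed-width characters (including the 2-char message code) that
# precede the first '|'-delimited variable field, per message code.
sip2_fixed_len() {
    case $1 in
        63) echo 33 ;;   # language(3) + transaction date(18) + summary(10)
        64) echo 61 ;;   # patron status(14) + language(3) + date(18) + 6 counts(4 each)
        *)  echo 2  ;;   # unknown code: assume no fixed fields
    esac
}

# Print the value of variable field $2 (e.g. AE) found in message $1, or fail.
sip2_field() {
    msg=$1; want=$2
    skip=$(sip2_fixed_len "${msg%"${msg#??}"}")      # first two chars = message code
    while [ "$skip" -gt 0 ]; do msg=${msg#?}; skip=$((skip - 1)); done
    msg=${msg%|AY*}                                    # drop the AY sequence / AZ checksum trailer
    set -f; old_ifs=$IFS; IFS='|'; set -- $msg; IFS=$old_ifs; set +f
    for f in "$@"; do
        case $f in "$want"*) printf '%s\n' "${f#??}"; return 0 ;; esac
    done
    return 1
}

# SIP2 checksum: add the codes of every character up to and including the
# 'AZ' identifier, keep the low 16 bits, two's-complement, print 4 hex digits.
sip2_checksum() {
    s=$1; sum=0
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        sum=$((sum + $(printf '%d' "'$c")))
    done
    printf '%04X' $(( (65536 - (sum & 65535)) & 65535 ))
}

# Append "AZ<checksum>" to a message body that already ends with its AY field.
sip2_seal() { printf '%s%s' "${1}AZ" "$(sip2_checksum "${1}AZ")"; }

# Exit 0 if the trailing four hex digits match the message, 1 otherwise.
sip2_verify() {
    head=${1%????}; given=${1#"$head"}
    [ "$(sip2_checksum "$head")" = "$given" ]
}

# Constructed request (63) and response (64). Fixed fields are built with
# printf so their widths are exact; values are fictional.
SAMPLE_63=$(sip2_seal "63001$(printf '%-8s%4s%6s' 20170120 '' 120000)$(printf '%10s' '')AOexample-lib|AAP123456|ACterm-pw|ADpatron-pw|AY1")
SAMPLE_64=$(sip2_seal "64$(printf '%14s' '')001$(printf '%-8s%4s%6s' 20170120 '' 120000)$(printf '%024d' 0)AOexample-lib|AAP123456|AEJane Q. Public|BEjane@example.org|BF555-0100|BD1 Main St, Anytown|AY2")

# What anyone on the path learns from one plaintext response.
sip2_show_pii() {
    for id in AA AE BE BF BD; do
        case $id in
            AA) label='patron id' ;; AE) label='name'  ;; BE) label='email' ;;
            BF) label='phone'     ;; BD) label='address' ;;
        esac
        v=$(sip2_field "$1" "$id") && printf '%-10s %s\n' "$label" "$v"
    done
}

sip2_verify "$SAMPLE_64" && echo "64 checksum ok"
sip2_show_pii "$SAMPLE_64"
```

The request is just as revealing: the AD field carries the patron’s password in the clear, which is why the slides blur it out.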

The Hand Offs

[Diagram: Evergreen and the SIP service, with the servers that relay packets between them.]

Internet traffic works via hand offs. Each packet is sent through servers between the SIP Service and Evergreen.

Prying Eyes

[Diagram: the same path between Evergreen and the SIP service, each relaying server marked as able to read the message.]

Since each server hands off the messages that also means each one has to handle it and can read it.

Privacy Problems

1. Not every SIP service needs all of the information we send them. That will need to be addressed separately, but it will be.

2. We need to prevent non-library services from reading our patron data.

Solution

Envelopes were created to preserve privacy and that is what we need to do.

SSLed SIP

[Diagram: Evergreen and the SIP service connected by an encrypted tunnel through the relaying servers.]

Once protected, the traffic can’t be read by all the eyes in between.

Imperfect Analogy

We won’t actually be wrapping the packets but encrypting them. So, people can try to read them, but it won’t be very productive.

User Name, Address, Bills, Email Address, Phone number, Zodiac Sign, Etc…

EnCt2bd62c4ebe77aa876ed97900950a1ccd0de2cd9c2bd62c4ebe77aa876ed979009IqGAoeNh8gJcko2BXFb7gdmaXtDKwD+D/kTthzJQQz9ajIoFRw+qOe4cE1Cl9cfZ5iY6GCCxXXi1HHzkfXTSrWI3NjlcDqoeXIqvoOkE+y+igXtZn/ouCxBi7A==

How?

SSL (Secure Sockets Layer) is best known for protecting web pages such as your email or shopping sites.

With What?

We will use an open source implementation of SSL called OpenSSL and an open source tunneling application called stunnel. Just some of the companies that use OpenSSL are Cisco, HP, Google, IBM, Intel and Microsoft.

https://www.stunnel.org

https://www.openssl.org/

Our SIP Servers

[Diagram: Evergreen connected to our own SIP server.]

This only works where we control the SIP server. Internet sign up, automated sorters and self checkout systems are typical examples.

Vendor SIP Servers

[Diagram: Evergreen connected to a vendor’s SIP service.]

Vendors can set up SSL-ed connections and we will support this, but we are likely to have to insist on it.

This will be services like Hoopla and Overdrive.

Abandon Hope All Ye Who Enter Here

The rest of this will be mostly of interest to members of the sysadmin group, but feel free to read on.

Will we need new versions of our SIP software?

No.

Ports

Servers keep different ports for different traffic. This is why one machine can serve different internet functions and keep them separate. We will support unencrypted and encrypted SIP on different ports.

[Diagram: the server’s ports facing the Internet]

Port   Traffic
21     FTP
22     SSH
80     WEB
443    SSL WEB
6001   SIP
6010   SSL SIP

Normal SIP Applications

SIP information changes hands within a server before it ever goes to the Internet. The server’s operating system is what actually sends it to a remote server.

[Diagram: SIP Application ("Request OS to send SIP out 6001") -> Operating System (port 6001, forward) -> The Internet]

And back again.

SIP information then comes back and again is forwarded, this time to the SIP application rather than from it.

[Diagram: The Internet -> Operating System (port 6001, forward) -> SIP Application ("OS sends to SIP")]

[Diagram: the full round trip, SIP Application <-> Operating System (port 6001) <-> The Internet]

Notice that the information remains plain text and readable at every step.

Using Stunnel

Stunnel intercepts local SIP messages and encrypts them before they leave the machine. SIP applications continue to send and receive plaintext messages.

[Diagram: SIP Application ("Request OS to send SIP out 6010") -> Operating System (port 127.0.0.1:6010, forward) -> Stunnel application (port 6010, forward) -> The Internet, as an encrypted message sent to Evergreen]

Receiving Encrypted SIP

Stunnel does the same in reverse for received messages, decrypting them and sending the plain text SIP messages to the SIP application.

[Diagram: The Internet (encrypted message from Evergreen) -> Stunnel application (port 6010, forward) -> Operating System (port 127.0.0.1:6010, forward) -> SIP Application ("OS forwards to SIP")]
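As an added example (not code from the presentation or from the stunnel project), the shell functions below write the two stunnel configurations the last slides describe: one on the Evergreen side that accepts encrypted SIP on 6010 and hands plaintext to the SIP server on 6001, and one on our own SIP server that accepts plaintext on 127.0.0.1:6010 and sends it encrypted to Evergreen. They also include a check for the common mistake of a client tunnel that encrypts but never verifies who answered. The hostname evergreen.example.org, the file paths and the stunnel user/group are placeholders, and the config assumes stunnel 5.x (needed for verifyChain and checkHost).

```shell
#!/bin/sh
# Added example, not from the presentation or the stunnel project: shell
# functions that write the two stunnel.conf files described in the slides and
# a check for a client tunnel that never authenticates the far end.
# Hostname, paths and the user/group name are placeholders; assumes stunnel 5.x.

EVERGREEN_HOST=${EVERGREEN_HOST:-evergreen.example.org}   # placeholder hostname
CERT_DIR=${CERT_DIR:-/etc/stunnel}                        # placeholder path

# Self-signed certificate for the Evergreen side. The public half (sip.pem)
# is copied to each of our SIP servers as its CAfile so the client can verify it.
make_server_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$CERT_DIR/sip.key" -out "$CERT_DIR/sip.pem" \
        -subj "/CN=$EVERGREEN_HOST"
}

# Evergreen side: listen for TLS on 6010 (the "SSL SIP" port from the ports
# slide) and hand plaintext to the SIP server on localhost 6001.
stunnel_server_conf() {
    cat <<EOF
; stunnel.conf on the Evergreen server
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel-sip.pid
output = /var/log/stunnel-sip.log
; refuse the broken protocol versions; "SSL" here means TLS in practice
options = NO_SSLv2
options = NO_SSLv3

[sip-server]
accept = 6010
connect = 127.0.0.1:6001
cert = $CERT_DIR/sip.pem
key = $CERT_DIR/sip.key
EOF
}

# Our side (self-check, sorter, sign-up kiosk): the SIP application keeps
# talking plaintext to 127.0.0.1:6010; stunnel encrypts on the way out and
# verifies that it really reached Evergreen before sending anything.
stunnel_client_conf() {
    cat <<EOF
; stunnel.conf on our SIP server
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel-sip.pid
output = /var/log/stunnel-sip.log
options = NO_SSLv2
options = NO_SSLv3

[sip-client]
client = yes
accept = 127.0.0.1:6010
connect = $EVERGREEN_HOST:6010
CAfile = $CERT_DIR/evergreen-sip.pem
verifyChain = yes
checkHost = $EVERGREEN_HOST
EOF
}

# Exit 0 if a client-mode config verifies the server certificate, 1 if not.
# Without verifyChain/verifyPeer the tunnel is encrypted but any host that
# answers on 6010 is accepted, which defeats the point of the envelope.
client_conf_verifies_peer() {
    conf=$1
    case $conf in
        *'client = yes'*) ;;
        *) return 0 ;;                       # not a client config; nothing to check
    esac
    case $conf in
        *'verifyChain = yes'*|*'verifyPeer = yes'*) return 0 ;;
        *) return 1 ;;
    esac
}

stunnel_client_conf
if client_conf_verifies_peer "$(stunnel_client_conf)"; then
    echo "; client config authenticates the Evergreen end"
fi
```

Run make_server_cert once on the Evergreen side, copy sip.pem to each of our SIP servers as evergreen-sip.pem, and restart stunnel on both ends. Whatever still listens on the plain 6001 port should be bound to 127.0.0.1 or firewalled to the vendors that have not moved yet, or the tunnel can simply be bypassed.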

The End
