Presented by: Shivanagouda Biradar Yousof Pakzad This presentation is submitted to Prof. El Saddik in partial fulfillment of the requirements for the course ELG 5121: Multimedia Communications June 28, 2022 Multimedia Communications: Introduction to SIP and Securing SIP Solutions School of Information Technology and Engineering (SITE), University of Ottawa


DESCRIPTION

Multimedia Communications: Introduction to SIP and Securing SIP Solutions. Presented by: Shivanagouda Biradar, Yousof Pakzad. August 16, 2014. School of Information Technology and Engineering (SITE), University of Ottawa. (PowerPoint presentation)

TRANSCRIPT

Page 1:

Multimedia Communications: Introduction to SIP and Securing SIP Solutions

Presented by: Shivanagouda Biradar, Yousof Pakzad

This presentation is submitted to Prof. El Saddik in partial fulfillment of the requirements for the course ELG 5121: Multimedia Communications

April 22, 2023

School of Information Technology and Engineering (SITE), University of Ottawa

Page 2: Overview

Shivangouda Biradar and Yousof Pakzad: Introduction to SIP and Securing SIP Solutions, SITE, April 22, 2023

- Introduction to SIP: components, messages, applications, benefits
- Secured solutions: security requirements, security threats, security solutions, SIP with firewalls and NAT
- Conclusion and future directions

Page 3: Telecommunication Network Migration

- PSTN network: traditionally centralized, voice-centric applications (a $1 trillion industry worldwide)
- IP network: distributed, mostly used for text data and multimedia applications

(Figure: PSTN phones and PSTN PBXs attached to the PSTN network; IP clients and IP routers attached to the IP network, with no connection between the two.)

Page 4: IP Network and PSTN Network Convergence

- Seamless integration of telephony and conferencing with many other Internet applications, such as e-mail, text messaging, presence and instant messaging

(Figure: IP softphones, IP phones and an IP-enabled PBX on the IP network; PSTN phones and a PSTN PBX on the PSTN network; the two networks joined by IP-PSTN gateways.)

Page 5: IP Call Processing Protocols

- H.323 (ITU-T)
- H.248/MEGACO (ITU-T and IETF) and MGCP (IETF)
- SIP, the Session Initiation Protocol (IETF)

(Figure: protocol stack, bottom to top)
Physical Layer
Link Layer
IPv4, IPv6
Transport: TCP, UDP
Signaling: H.323, MGCP, SIP, RTSP | Quality of Service: RSVP | Media: RTP, RTCP
Multimedia Applications (text, audio, video)

Page 6: SIP – Session Initiation Protocol

- SIP is an application-layer signaling protocol used to set up, modify and tear down multimedia sessions
- Also used for presence notification and instant messaging over the Internet
- IETF standard (RFC 3261, 2002) for real-time multimedia communication signaling
- Approved by the Third-Generation Partnership Project (3GPP) as the signaling protocol for multimedia applications in 3G mobile networks

Page 7: SIP Network Components

- Servers: Proxy, Redirect, Registration (Registrar), Location, Conference
- Gateways: SIP-PSTN, SIP-H.323, SIP-MGCP
- Clients: User Agent Client (UAC), User Agent Server (UAS)

(Figure: SIP phones and SIP softphones, a corporate SIP gateway and SIP soft-switch, and the proxy/redirect, registration, location and conference servers on the IP network; a SIP-PSTN gateway to the PSTN network with PSTN phones, ISDN phones and a PSTN PBX; a SIP-H.323 gateway to an H.323 network with H.323 terminals and H.323 softphones.)

Page 8: SIP Applications

- End-to-end multimedia call setup
- Conference call setup
- Instant messaging
- User presence notification
- Unified messaging
- User mobility
- Value-added services on an IP-enabled PBX

Page 9: SIP Messages

Request messages (methods):
- INVITE: invite a user to a session
- ACK: confirm receipt of the final response to an INVITE
- BYE: terminate a call
- CANCEL: cancel a pending request
- REGISTER: register a contact address for a URI with a registrar
- OPTIONS: query media capabilities
- SUBSCRIBE: request event notification
- NOTIFY: event notification
- MESSAGE: instant message

Response messages:
- Provisional (1xx): informational only, not delivered reliably (unless the PRACK extension is used): 100 Trying, 180 Ringing
- Final (2xx to 6xx): delivered reliably, retransmitted until acknowledged: 200 OK, 400 Bad Request, 401 Unauthorized (challenge from a registrar or user agent server), 407 Proxy Authentication Required (challenge from a proxy)

Page 10: URI Registration

- User address: user@domain, user@host, user@IP_Address
  im: [email protected]: [email protected]:[email protected]:[email protected]:[email protected]
- Telephone numbers: phone_number@gateway. Examples: tel:411;phone-context=+1613, tel:5625800;phone-context=+1613, tel:+16135625800, sip:[email protected];user=phone

(Figure: user registration. The User Agent sends REGISTER sip:[email protected] to the Registrar server; the Registrar stores the binding in the Location Server (REGISTER sip:[email protected]) and answers the User Agent with 200 OK.)

Page 11: SIP - Presence

- Presence functionality gives the opportunity to know who is online among your contact list
- SUBSCRIBE and NOTIFY messages are used to subscribe to, and to notify, presence

(Figure: the watcher's Presence Agent (sip:[email protected]) sends SUBSCRIBE through the Presence Servers to the watched user's Presence Agent (sip:[email protected], aol.com) and receives 202 Accepted; the presence state comes back as NOTIFY, answered with 200 OK at each hop.)

Page 12: SIP – Instant Messaging

- Instant messaging enables you to send short messages to another person
- Very useful for short requests and responses
- Has better real-time characteristics than e-mail
- Yahoo, AOL, MSN Messengers etc.

(Figure: the sender's IM Agent (sip:[email protected], yahoo.com) sends MESSAGE through two Proxy Servers to the recipient's IM Agent (sip:[email protected], aol.com); 200 OK is returned at each hop.)

Page 13: SIP - End to End Call Setup (Proxy)

(Figure: caller User Agent sip:[email protected] -> Proxy Server -> Proxy Server -> called User Agent sip:[email protected] (aol.com). Message sequence:)
M1 INVITE: caller UA -> proxy 1
M2 INVITE: proxy 1 -> proxy 2
M3 100 Trying: proxy 1 -> caller UA
M4 INVITE: proxy 2 -> called UA
M5 100 Trying: proxy 2 -> proxy 1
M6, M7, M8 180 Ringing: called UA -> proxy 2 -> proxy 1 -> caller UA
M9, M10, M11 200 OK: called UA -> proxy 2 -> proxy 1 -> caller UA
M12 ACK: caller UA -> called UA
Media session (RTP) directly between the two user agents
M13 BYE and M14 200 OK: call teardown

A SIP proxy server forwards requests on behalf of SIP user agents. It may update the SIP message before forwarding it to the called party, for example by adding its own Via header and rewriting the Request-URI to the called party's registered contact.
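The message flow of slides 9 and 13 in runnable form, as an added example that is not part of the presentation: the caller builds INVITE M1 with the mandatory RFC 3261 headers, a proxy turns it into M2 by decrementing Max-Forwards, pushing its own Via and re-targeting the Request-URI from a location table, the callee answers 180 and 200 with a To tag, and the proxy pops only its own Via on the way back. Responses are matched to the request by the top Via branch and the CSeq method (RFC 3261 section 17.1.3). Hosts, tags, the Call-ID, the SDP and the location table entry are made up for the example.

```python
"""SIP call setup through one proxy: build, forward, answer, route back, match.
Added example (not the presentation's code); all addresses are constructed."""
import re
import secrets

CRLF = "\r\n"
LOCATION = {"sip:bob@uottawa.ca": "sip:bob@192.0.2.20:5060"}  # constructed registrar binding


def serialize(start_line, headers, body=""):
    """headers is a list of (name, value): repeated Via lines must keep their order."""
    lines = [start_line] + [f"{k}: {v}" for k, v in headers]
    lines.append(f"Content-Length: {len(body.encode())}")
    return CRLF.join(lines) + CRLF + CRLF + body


def parse(raw):
    """Start line, ordered headers, Via stack (top first) and body of one message."""
    head, _, body = raw.partition(CRLF + CRLF)
    start, *lines = head.split(CRLF)
    headers = [(k.strip(), v.strip()) for k, _, v in (l.partition(":") for l in lines)]
    msg = {"headers": headers, "body": body,
           "via": [v for k, v in headers if k.lower() == "via"]}
    m = re.fullmatch(r"SIP/2\.0 (\d{3}) (.*)", start)
    if m:
        msg["status"], msg["reason"] = int(m.group(1)), m.group(2)
    else:
        msg["method"], msg["uri"], _ = start.split(" ", 2)
    return msg


def header(msg, name):
    return next((v for k, v in msg["headers"] if k.lower() == name.lower()), None)


def new_branch():
    return "z9hG4bK" + secrets.token_hex(6)  # RFC 3261 magic cookie + unique part


def caller_invite(max_forwards=70):
    """M1: the caller's INVITE with the mandatory headers of RFC 3261 section 8.1.1."""
    sdp = ("v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
           "t=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
    headers = [
        ("Via", f"SIP/2.0/UDP 192.0.2.10:5060;branch={new_branch()}"),
        ("Max-Forwards", str(max_forwards)),
        ("From", "<sip:alice@uottawa.ca>;tag=1928301774"),
        ("To", "<sip:bob@uottawa.ca>"),
        ("Call-ID", "a84b4c76e66710@192.0.2.10"),
        ("CSeq", "1 INVITE"),
        ("Contact", "<sip:alice@192.0.2.10>"),
        ("Content-Type", "application/sdp"),
    ]
    return serialize("INVITE sip:bob@uottawa.ca SIP/2.0", headers, sdp)


def respond(raw_request, status, reason, to_tag=None):
    """A response copies every Via, From, To, Call-ID and CSeq; the UAS adds a To tag."""
    keep = []
    for k, v in parse(raw_request)["headers"]:
        if k.lower() in ("via", "from", "to", "call-id", "cseq"):
            if k.lower() == "to" and to_tag and ";tag=" not in v:
                v = f"{v};tag={to_tag}"
            keep.append((k, v))
    return serialize(f"SIP/2.0 {status} {reason}", keep)


def proxy_forward(raw, proxy_addr):
    """M2: decrement Max-Forwards, push our Via, re-target the Request-URI.
    Returns (forwarded_request, error_response); exactly one of them is None."""
    msg = parse(raw)
    hops = int(header(msg, "Max-Forwards") or "70")
    if hops <= 0:
        return None, respond(raw, 483, "Too Many Hops")
    target = LOCATION.get(msg["uri"])
    if target is None:
        return None, respond(raw, 404, "Not Found")
    out = [("Via", f"SIP/2.0/UDP {proxy_addr};branch={new_branch()}")]
    for k, v in msg["headers"]:
        if k != "Content-Length":  # recomputed by serialize
            out.append((k, str(hops - 1) if k == "Max-Forwards" else v))
    return serialize(f"{msg['method']} {target} SIP/2.0", out, msg["body"]), None


def proxy_pop_via(raw_response, proxy_addr):
    """On the way back a hop removes only its own top Via. A response whose top Via
    is not ours is misrouted or forged and is dropped (None)."""
    msg = parse(raw_response)
    if not msg["via"] or not msg["via"][0].startswith(f"SIP/2.0/UDP {proxy_addr};"):
        return None
    rest = [h for h in msg["headers"] if h[0] != "Content-Length"]
    rest.remove(("Via", msg["via"][0]))
    return serialize(f"SIP/2.0 {msg['status']} {msg['reason']}", rest, msg["body"])


def transaction_key(msg):
    """Client-transaction match: top Via branch plus the CSeq method."""
    return re.search(r"branch=([^;]+)", msg["via"][0]).group(1), header(msg, "CSeq").split()[1]


def matches(raw_request, raw_response):
    return transaction_key(parse(raw_request)) == transaction_key(parse(raw_response))


def run_call(proxy_addr="proxy.uottawa.ca:5060"):
    """M1..M11 of the diagram with a single proxy; returns what the caller sends and receives."""
    m1 = caller_invite()
    m2, err = proxy_forward(m1, proxy_addr)
    assert err is None
    ringing = proxy_pop_via(respond(m2, 180, "Ringing", to_tag="a6c85cf"), proxy_addr)
    ok = proxy_pop_via(respond(m2, 200, "OK", to_tag="a6c85cf"), proxy_addr)
    return {"m1": m1, "m2": m2, "180": ringing, "200": ok}
```

The two checks a proxy cannot skip are visible in the code: a response whose top Via is not the proxy's own is discarded rather than forwarded, and Max-Forwards reaching zero yields 483 instead of an endless forwarding loop.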

Page 14: SIP - End to End Call Setup (Redirect)

(Figure: caller User Agent sip:[email protected] with a Redirect Server and a Proxy Server, called User Agent sip:[email protected] (uottawa.ca). Message sequence:)
M1 INVITE: caller UA -> redirect server
M2 302 Moved Temporarily: redirect server -> caller UA, carrying the called party's current location
M3 ACK: caller UA -> redirect server
M4 INVITE: caller UA -> proxy server, with the new Request-URI
M5 INVITE: proxy server -> called UA
M6 100 Trying: proxy server -> caller UA
M7, M8 180 Ringing: called UA -> proxy server -> caller UA
M9, M10 200 OK: called UA -> proxy server -> caller UA
M11 ACK: caller UA -> called UA
Media session (RTP) directly between the two user agents
M12 BYE and M13 200 OK: call teardown

A SIP redirect server responds to a UA request with a redirection response indicating the current location of the called party.

Page 15: SIP – Conference Setup

Ad hoc:
- A point-to-point conversation is expanded with a series of INVITE messages (good for small groups)

Meet-me:
- A conferencing bridge mixes all the media and forwards it on behalf of each client to the other participants as unicast streams
- Each participant establishes a point-to-point call to the conferencing bridge
- Good if all participants are interactive

Interactive broadcast:
- A conferencing bridge is used, but the mixed media is sent to a multicast address instead of being unicast to each participant
- Can have active and passive participants; SIP signaling is required for interactive participants only

Page 16: SIP - Mobility

Terminal mobility (Mobile IP and SIP):
- The SIP user agent is able to maintain its connections to the Internet as it moves from network to network and possibly changes its point of attachment

Personal mobility (SIP REGISTER):
- A SIP URI (similar to an e-mail address) is device independent; the user can use any end device to receive and make calls

Service mobility:
- A SIP user keeps the same services when mobile; services resident in the user agent can be accessed over the Internet (for example call forwarding)

Page 17: Benefits of SIP

Features:
- Lightweight, ASCII-based protocol similar to HTTP and SMTP
- Reuses other IETF protocols, such as SDP and DNS
- Network independent
- Application/media independent
- Protocol interoperability
- Protocol extensibility
- Increasing market adoption

Benefits:
- Simplifies development of applications
- Can be tightly integrated with Web-based services
- Can be used with non-IP networks such as ATM and MPLS
- Can be used for any real-time application, including voice, video, text messaging, instant messaging and presence
- Can inter-work with H.323, PSTN/ISDN and mobile networks
- Can work with non-telephony applications
- Availability of SIP-based products is growing

Page 18: SIP Security

- SIP messages are sent in clear text
- SIP security is independent of media security: protecting the signaling does not protect the RTP stream, and vice versa
- SIP reuses existing network security mechanisms: TLS, S/MIME, PKI, etc.

(Figure: SIP text messages flow between the SIP UA, the Proxy Server and the Location Server; the media (RTP) flows directly between the two SIP UAs.)

Page 19:

(Figure: the same topology with two SIP UAs, two SIP Proxy Servers, a Location Server and a DNS Server on the signaling path; media (RTP) flows directly between the UAs.)

Page 20: SIP Security Threats

- SIP snooping and eavesdropping
- Tampering with the message bodies
- Replay attacks
- Impersonating a server
- Impersonating users
- Registration hijacking
- Tearing down a session (forged BYE or CANCEL)
- Denial of service and distributed DoS attacks

Page 21: SIP Security Requirements

- Authenticating users
- Authenticating servers (proxy, registrar, redirect)
- Message confidentiality and integrity
- Privacy

(Figure: SIP text messages flow between the SIP UA, the Proxy Server and the Location Server; the media (RTP) flows directly between the two SIP UAs.)

Page 22: SIP Security: Authentication

Authenticating servers:
- TLS (Transport Layer Security) with PKI certificates, RFC 2246 (TLS 1.0; current deployments use TLS 1.2 or 1.3, RFC 5246 and RFC 8446)
- HTTP Digest, RFC 2617

Authenticating users:
- HTTP Digest, RFC 2617
- TLS, if users have certificates

Authentication scope: hop-by-hop or end-to-end

Page 23: SIP Security: Confidentiality and Message Integrity

End-to-end encryption:
- From the caller's UA to the callee's UA
- Covers the message body and some parts of the headers
- Uses S/MIME (Secure Multipurpose Internet Mail Extensions), RFC 2633 (since updated by RFC 8551)

Hop-by-hop encryption:
- Protects the header information that intermediaries need to read
- Relies on network-level (IPsec) or transport-level (TLS) protocols

Page 24: SIP Security Mechanisms: HTTP Digest

- A challenge-based authentication mechanism
- Based on the MD5 hash function (RFC 8760 later added SHA-256 for SIP)

Limitations of HTTP Digest:
- Requires a pre-existing shared secret (password) between the user and the server
- Scope is limited to a realm
- Not strong enough on its own: based on shared secrets, not PKI, and an eavesdropper on the clear-text exchange can test password guesses offline
- No integrity protection for headers (qop=auth-int covers only the body)
- No confidentiality
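The Digest exchange of this slide end to end, as an added example (not code from the presentation): the registrar challenges with a fresh nonce, the UA answers with H(H(user:realm:password):nonce:nc:cnonce:qop:H(method:uri)), and the registrar recomputes and compares, rejecting a reused nonce count. The last function shows the limitation the slide names: with the exchange captured in clear text, each password guess costs three hashes and needs no further contact with the server. The realm, user, password and nonces are constructed; `algorithm` is "MD5" as on the slide or "SHA-256" for the RFC 8760 variant.

```python
"""HTTP Digest for SIP REGISTER (RFC 2617 / RFC 3261 section 22): challenge, response,
verification with replay check, and the offline guessing a sniffer can do.
Added example, not the presentation's code; all values are constructed."""
import hashlib
import re
import secrets


def _h(algorithm, s):
    return hashlib.new({"MD5": "md5", "SHA-256": "sha256"}[algorithm], s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth", algorithm="MD5"):
    ha1 = _h(algorithm, f"{user}:{realm}:{password}")
    ha2 = _h(algorithm, f"{method}:{uri}")  # qop=auth: no body hash, headers and body stay unprotected
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_auth_params(value):
    """'Digest username="alice", realm="...", nc=00000001' -> dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', value)}


class Registrar:
    """Server side: issues challenges and verifies Authorization headers."""

    def __init__(self, realm, users, algorithm="MD5"):
        self.realm, self.users, self.algorithm = realm, users, algorithm
        self.nonces = {}  # nonce -> highest nonce-count accepted (replay protection)

    def challenge(self):
        """Value of the WWW-Authenticate header sent in 401 Unauthorized."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth", algorithm={self.algorithm}'

    def verify(self, method, authorization):
        p = parse_auth_params(authorization)
        if not {"username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce"}.issubset(p):
            return False
        if p["realm"] != self.realm or p["nonce"] not in self.nonces:
            return False  # unknown, expired or foreign nonce
        nc = int(p["nc"], 16)
        if nc <= self.nonces[p["nonce"]]:
            return False  # replayed (nonce, nc) pair
        password = self.users.get(p["username"])
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password, method, p["uri"],
                                   p["nonce"], p["nc"], p["cnonce"], p["qop"], self.algorithm)
        if not secrets.compare_digest(expected, p["response"]):
            return False
        self.nonces[p["nonce"]] = nc
        return True


def ua_authorization(user, password, method, uri, challenge, nc="00000001"):
    """Client side: the Authorization header sent with the repeated REGISTER."""
    c = parse_auth_params(challenge)
    alg = c.get("algorithm", "MD5")
    cnonce = secrets.token_hex(8)
    resp = digest_response(user, c["realm"], password, method, uri, c["nonce"], nc, cnonce, c["qop"], alg)
    return (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", uri="{uri}", '
            f'response="{resp}", qop={c["qop"]}, nc={nc}, cnonce="{cnonce}", algorithm={alg}')


def offline_guess(method, authorization, wordlist):
    """Attacker side: everything except the password is in the sniffed Authorization header."""
    p = parse_auth_params(authorization)
    for guess in wordlist:
        r = digest_response(p["username"], p["realm"], guess, method, p["uri"],
                            p["nonce"], p["nc"], p["cnonce"], p["qop"], p.get("algorithm", "MD5"))
        if r == p["response"]:
            return guess
    return None
```

Nothing in `offline_guess` is specific to MD5: switching the registrar to SHA-256 makes each guess slightly more expensive but does not remove the attack, which is why the slides pair Digest with TLS on the hop that carries it.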

Page 25: SIP Security Mechanisms: S/MIME

- S/MIME: Secure Multipurpose Internet Mail Extensions
- Confidentiality and integrity of MIME message bodies
- SIP headers can also be encapsulated in a MIME body for end-to-end authentication, integrity and confidentiality
- End-to-end mutual authentication: S/MIME authentication does not require a shared secret key
- Requires a common PKI certificate authority

Limitations of S/MIME:
- Lack of infrastructure for exchanging users' public keys
- Can result in very large messages

Page 26: SIP Security Mechanisms: TLS

- Provides authentication, integrity and confidentiality
- Usually used for server authentication
- Can authenticate clients, but requires distribution of client certificates

Limitations of TLS:
- Runs on TCP only, not UDP (SIP over TLS therefore needs TCP transport)
- Offers only hop-by-hop authentication: security on one hop does not mean security on the other hops
- More tightly integrated with the SIP application (compared with IPsec)

Page 27: SIP Security Mechanisms: IPsec

- Confidentiality, authentication and integrity
- Supports TCP and UDP
- Typically deployed with pre-shared keys (IKE can also use certificates)
- Does not require integration with SIP

Page 28: Secure SIP URI Scheme

SIPS URI scheme:
- A new URI scheme: SIPS:[email protected]
- Must be implemented if you support TLS
- If the Request-URI is SIPS, all hops MUST be secured with TLS
- If a hop cannot be secured, the transaction fails

Page 29: SIP and Firewalls

Challenges for SIP, problem for the media stream:
- RTP uses dynamically negotiated UDP ports (carried in the SDP), so it is blocked by firewalls

Solutions:
- The firewall must understand SIP and open "pinholes" for the RTP ports for the duration of the call
- Use an Application-Level Gateway (ALG) trusted by the firewall; some firewalls have a built-in ALG
- Authentication and the security policy are controlled by the ALG, not the firewall
- The ALG is a B2BUA (back-to-back user agent) that proxies both the SIP signaling and the media stream

Page 30: SIP and NAT

Network Address Translators: serious problems for SIP!
- The NAT changes IP addresses and port numbers, but SIP carries the UA's own (private) addresses inside the message (Via, Contact, SDP)
- SIP messages are then not routable!

Solutions:
- SIP has a mechanism to detect the presence of a NAT (the Via "received" parameter and rport)
- UAs and the proxy server can fix the IP addresses in the signaling
- This solves the SIP signaling problem but NOT the media stream problem!
- New protocols and extensions for NAT traversal were under development at the time: STUN, ICE, rport, symmetric RTP, TURN, connection reuse, an SDP attribute for RTCP, and others (since published as STUN RFC 5389, TURN RFC 5766, ICE RFC 8445, rport RFC 3581, symmetric RTP RFC 4961 and the SDP rtcp attribute RFC 3605)
- Best Current Practices for NAT Traversal for SIP: draft-ietf-sipping-nat-scenarios-01 (later published as RFC 6314)
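What a SIP-aware firewall or ALG has to do for the media stream, covering both the pinhole problem of slide 29 and the NAT problem of slide 30, as an added example that is not part of the presentation: read the SDP carried in the INVITE, derive the RTP and RTCP pinholes, notice a UA behind NAT (RFC 1918 address in Via and SDP while the packet arrives from a public source), mark the Via with received= as RFC 3261 section 18.2.1 requires, and rewrite the SDP connection address the way an ALG or SBC does. The INVITE, the private address 10.0.0.5 and the public address 198.51.100.7 are constructed for the example.

```python
"""SDP pinholes and NAT detection for a SIP-aware firewall/ALG.
Added example, not the presentation's code; the INVITE below is constructed."""
import ipaddress
import re

CRLF = "\r\n"
SAMPLE_INVITE = (  # constructed: a UA behind NAT advertising its private address
    "INVITE sip:bob@uottawa.ca SIP/2.0" + CRLF +
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds;rport" + CRLF +
    "Contact: <sip:alice@10.0.0.5:5060>" + CRLF +
    "Content-Type: application/sdp" + CRLF + CRLF +
    "v=0\r\no=alice 1 1 IN IP4 10.0.0.5\r\ns=-\r\nc=IN IP4 10.0.0.5\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\nm=video 51372 RTP/AVP 31\r\na=rtcp:51380\r\n"
)
OBSERVED_SRC = "198.51.100.7"  # source address the firewall actually saw (the NAT's public side)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_message(raw):
    """Start line, lower-cased header name -> list of values, body."""
    head, _, body = raw.partition(CRLF + CRLF)
    start, *lines = head.split(CRLF)
    headers = {}
    for line in lines:
        k, _, v = line.partition(":")
        headers.setdefault(k.strip().lower(), []).append(v.strip())
    return start, headers, body


def media_endpoints(sdp):
    """One dict per m= line. c= may be session-level or per-media (RFC 4566);
    RTCP is RTP port + 1 unless an a=rtcp: attribute says otherwise (RFC 3605)."""
    session_ip, current, out = None, None, []
    for line in sdp.splitlines():
        if line.startswith("c="):
            ip = line.split()[2]
            if current is None:
                session_ip = ip
            else:
                current["ip"] = ip
        elif line.startswith("m="):
            if current:
                out.append(current)
            media, port = line[2:].split()[:2]
            current = {"media": media, "ip": session_ip, "rtp": int(port), "rtcp": int(port) + 1}
        elif line.startswith("a=rtcp:") and current:
            current["rtcp"] = int(line[7:].split()[0])
    if current:
        out.append(current)
    return out


def pinholes(endpoints, remote_ip="any"):
    """Firewall rules to open for the life of the call and close on BYE.
    Port 0 means the stream was rejected or put on hold: no hole for it."""
    return [("udp", remote_ip, e["ip"], port)
            for e in endpoints if e["rtp"] != 0 for port in (e["rtp"], e["rtcp"])]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def sent_by_host(via):
    return re.match(r"SIP/2\.0/\w+\s+([^;:\s]+)", via).group(1)


def nat_detected(headers, endpoints, observed_src):
    """Signaling is NATed when Via's sent-by is not the packet source; media is
    NATed when any SDP address is private or differs from that source."""
    host = sent_by_host(headers["via"][0])
    return {"signaling": host != observed_src or is_rfc1918(host),
            "media": any(e["ip"] != observed_src or is_rfc1918(e["ip"]) for e in endpoints)}


def add_received(via, observed_src):
    """The receiving server adds received= when sent-by differs from the source
    address; with rport (RFC 3581) the response also goes back to the source port.
    This repairs the signaling path only, not where the far end will send RTP."""
    return via if sent_by_host(via) == observed_src else f"{via};received={observed_src}"


def rewrite_connection(sdp, public_ip):
    """ALG/SBC media fix: point every c= line at the NAT's public side. The ALG
    must then relay or map the ports as well, otherwise RTP still dies at the NAT."""
    return re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {public_ip}", sdp, flags=re.M)
```

Note that `rewrite_connection` is only half of what an ALG does: the far end now sends RTP to the public address, but unless the NAT or the ALG also maps the advertised ports, those packets still have nowhere to go, which is the gap STUN, TURN and ICE were introduced to close from the endpoint side.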

Page 31: Conclusion

- SIP is a powerful application-layer signaling protocol for multimedia applications
- SIP inter-works with the PSTN and H.323
- SIP is widely accepted as the Internet signaling protocol for both fixed and mobile 3G networks
- SIP has many extensions under development:
  - STUN: Simple Traversal of UDP through NATs (since renamed Session Traversal Utilities for NAT, RFC 5389)
  - SIMPLE: SIP for Instant Messaging and Presence Leveraging Extensions
  - SIP compression (SigComp) for wireless networks

Page 32:

Questions?

Thank you!