sip, nat, and firewalls

112/04/22 1Information Networking Security and Assurance LabNational Chung Cheng University

SIP, NAT, and Firewalls

Information Networking Security and Assurance LabNational Chung Cheng University 2

Outline

Understanding the problem with SIP and Firewalls Overview of Internet Telephony and Voice over IP

RTP SDP SIP Overview

Internet Firewalls IP Addressing Issues Introduction to Security in SIP Summary Reference


Understanding the problems with SIP and Firewalls

Firewall

Port 5060SIP

RTP

Firewall do not know a certain address and emphermal port

Port ?


Understanding the problems with SIP and Firewalls (cont)

SIP, declares where to send media to (IP address / Port number) NOT where it comes from

Now with private IP, the problem is not only what ports to open but also to change its IP addresses in SIP message and telling the firewall about its usage

End-to-end encryption and authentication is impossible in the exchange of addresses

ALG and Real Specific IP


Overview of Internet Telephony and Voice over IP

http://www.cisco.com/warp/public/788/voip/voip-nat-6.gif


Overview of Internet Telephony and Voice over IP (cont)

RTPSDPSIP Overview


Streaming Audio –the Real Time Protocol

In RTP header, the sequence number is used to detect lost and out of order packets

The reason for not supporting retransmissionSolution

To ignore the lost data To extrapolate sound from previous audio samples

to make up the lost onesRTP uses UDP not TCP


Processing and encapsulation


The RTP header


Real Time Control Protocol (RTCP)

RFC 1889The main purpose is to give feedback on the

quality of the delivery of dataRTCP is sent periodicallyRTP -> even port number ; RTCP -> higher

and odd port number


The Session Description Protocol

The three main objectives To tell what kind of media you want to receive To understand how the media to be coded To inform where the addresses and port to be

delivered to Text based


The Structure of SDP

The grammar for SDP is very structured and strict <type>=<value> Only one character in type-field and this character is

in lower case


SDP header fields

Session description v= (protocol version) o= (owner/creator and session identifier). s= (session name) i=* (session information) u=* (URI of description) e=* (email address) p=* (phone number) c=* (connection information - not required if included in all media) b=* (bandwidth information) One or more time descriptions z=* (time zone adjustments) k=* (encryption key) a=* (zero or more session attribute lines) Zero or more media descriptions

Time description t= (time the session is active) r=* (zero or more repeat times)

Media description m= (media name and transport address) i=* (media title) c=* (connection information - optional if included at session-level) b=* (bandwidth information) k=* (encryption key) a=* (zero or more media attribute lines)

* optional item


SDP header fields (cont)

the origin field o=<username> <session id> <version> <network type> <address type> <address>

the connection field c=<network type> <address type> <connection address>

the media field m=<media> <port> <transport> <fmt list>


Payload types (PT) for standard audio and video encodings


SIP Overview

SIP, [RFC2543]Call setup -1

Between two users It’s not mandatory for SIP to use SDP, but it is the

only one defined so far


Setting up a SIP session


Call setup-2 with Routing SIP messages


Call setup-2 (cont)


SIP addresses

SIP addresses, the so-called SIP URLFormat sip:user@hostWe could find SIP URLs in

(1) the Request line, (2) the To field, (3) the From field, (4) the Via field, (5) the Contact filed, (6) the Record-route field, and (7) the Route field.

Examples sip:[email protected]

sip:[email protected]


Transportation protocol for SIP

It’ independent of service of any specific transport protocol

TCP, UDP, ATM AAL5, IPX, frame relay, X.25


SIP Terminology

User Agent User Agent Client (UAC) User Agent Server (UAS)

SIP Server SIP Proxy server SIP Redirect Server

Call leg –to identify a session between two SIP clients Call-ID The From field The To field


SIP message structure

Based on the Augmented Backus-Naur Form (ABNF) [RFC 2234]

Syntax specification “ | ” “ () ” CRLF - the end-of- line indicator, carriage return followed by

line feed “ * ”

Example SIP-message =Request | Response generic-message = start-line *message-header CRLF [ message-

body ]


Summary of SIP requests

INVITEACKOPTIONSBYECANCELREGISTER


Summary of SIP response codes


Complete list of response codes


Summary of SIP headers


Internet Firewalls

Packet filtering Gateways Stateful Stateless Do not have ability to make changes to content On per interface and per direction


Packet filtering Gateways


Circuit-Level Gateways


Application Level Gateways

It works as proxies similar with circuit level gateway

On other occasions, it runs in cooperation with a firewall performing NAT

Some features Doesn’t support particular service/application It supports TCP and UDP (TFTP) With a NAT, it will examine the application data


IP addressing issues

IPv4IPv6Private Addresses


NAT

Static NAT Requires the same number of globally unique IP addresses The same mapping between local addresses and global

addresses Dynamic NAT NAPT Some problems

If a session is not initiated from the inside SIP, put IP addresses and port numbers inside the application

data in the IP packets


Introduction to Security in SIP

Encryption End-to-end between user agents, or hop-by-hop between SIP

entities To work on transport level or the network level Suggested in IPSec Basic rules

All header fields must not be encrypted All header fields that are not encrypted must precede those that are

encrypted An encryption header must be inserted to indicate the encryption

mechanism The responses to encrypted should be encrypted with a key


Encryption


Authentication


Authentication (cont)


Hide Route

Via field encryptionIntermediate proxies encrypts either the entire

Via list or only the top-most entry


Summary

Next issues Implementation of an ALG for SIP RSIP

Integrity of SIP and current network equipments is very interesting


Reference

SIP, NAT, and Firewalls Master’s Thesis By Fredrik Thernelius

http://cui.unige.ch/db-research/Enseignement/analyseinfo/AboutBNF.html

RFC2234

sip, nat, and firewalls

Documents