SIP, NAT, and Firewalls
DESCRIPTION
SIP, NAT, and Firewalls. Outline: understanding the problem with SIP and firewalls; overview of Internet telephony and Voice over IP; RTP; SDP; SIP overview; Internet firewalls; IP addressing issues; introduction to security in SIP; summary; reference.
112/04/22 Information Networking Security and Assurance Lab, National Chung Cheng University
SIP, NAT, and Firewalls
Outline
Understanding the problem with SIP and firewalls
Overview of Internet telephony and Voice over IP
RTP
SDP
SIP overview
Internet firewalls
IP addressing issues
Introduction to security in SIP
Summary
Reference
Understanding the problems with SIP and Firewalls
[Diagram: SIP signalling passes the firewall on port 5060, but the RTP media stream arrives at an address and ephemeral port the firewall does not know ("Port ?")]
Understanding the problems with SIP and Firewalls (cont)
SIP declares where media should be sent to (IP address / port number), NOT where it comes from.
With private IP addresses, the problem is not only which ports to open but also rewriting the IP addresses inside the SIP message and telling the firewall how they are used.
End-to-end encryption and authentication of the address exchange are therefore impossible, since a middlebox has to read and rewrite those addresses.
Candidate solutions: ALG and Realm Specific IP (RSIP).
Overview of Internet Telephony and Voice over IP
http://www.cisco.com/warp/public/788/voip/voip-nat-6.gif
Overview of Internet Telephony and Voice over IP (cont)
RTP, SDP, SIP overview
Streaming audio: the Real Time Protocol (RTP)
In the RTP header, the sequence number is used to detect lost and out-of-order packets.
Reason for not supporting retransmission: RTP uses UDP, not TCP.
Solutions: ignore the lost data, or extrapolate sound from previous audio samples to make up for the lost ones.
Processing and encapsulation
The RTP header
Real Time Control Protocol (RTCP)
RFC 1889
The main purpose is to give feedback on the quality of data delivery.
RTCP is sent periodically.
RTP uses an even port number; RTCP uses the next higher (odd) port number.
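As an added example (not part of the slides), the following Python parses the fixed RTP header, uses the sequence number to classify lost and out-of-order packets the way the RTP slide describes, and derives the RTCP port from the RTP port. The packets are constructed inline; `build_rtp_packet` and the SSRC/payload values are assumptions for the demonstration.

```python
"""Fixed RTP header (RFC 1889 layout, 12 bytes):
   V(2) P(1) X(1) CC(4) | M(1) PT(7) | sequence number(16) | timestamp(32) | SSRC(32)
followed by CC contributing-source identifiers (4 bytes each)."""
import struct

RTP_HEADER_LEN = 12


def parse_rtp_header(packet: bytes) -> dict:
    """Decode the fixed header fields and the CSRC list."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("packet shorter than RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    cc = b0 & 0x0F
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "csrc_count": cc,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "csrc": list(struct.unpack(f"!{cc}I", packet[12:12 + 4 * cc])),
    }


def build_rtp_packet(seq, timestamp, ssrc=0x12345678, pt=0, marker=False,
                     payload=b"\x00" * 160):
    """Construct a minimal RTP packet (V=2, no padding/extension, no CSRC).
    Constructed test data, not captured traffic."""
    b0 = 2 << 6
    b1 = (0x80 if marker else 0) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF,
                       timestamp & 0xFFFFFFFF, ssrc) + payload


def classify_sequence(packets):
    """Walk packets in arrival order and report gaps (lost) and late packets
    (out of order). Sequence numbers wrap at 2**16, so compare modulo 65536:
    a forward distance below 2**15 is a gap, anything else is a late packet."""
    expected = None
    events = []
    for pkt in packets:
        seq = parse_rtp_header(pkt)["seq"]
        if expected is None:
            expected = (seq + 1) & 0xFFFF
            continue
        delta = (seq - expected) & 0xFFFF
        if delta == 0:
            expected = (seq + 1) & 0xFFFF
        elif delta < 0x8000:
            events.append(("lost", [(expected + i) & 0xFFFF for i in range(delta)]))
            expected = (seq + 1) & 0xFFFF
        else:
            events.append(("out_of_order", seq))
    return events


def rtcp_port(rtp_port: int) -> int:
    """RTP is carried on an even port; RTCP on the next higher odd port."""
    if rtp_port % 2:
        raise ValueError("RTP port must be even")
    return rtp_port + 1


if __name__ == "__main__":
    stream = [build_rtp_packet(s, s * 160) for s in (10, 11, 13, 12, 14)]
    print(classify_sequence(stream))      # gap at 12, then 12 arrives late
    print(rtcp_port(49170))               # 49171
```

The wrap-around handling matters for a receiver that runs for a long time: without the modulo comparison a stream that passes sequence number 65535 would look like a burst of sixty-five thousand lost packets.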
The Session Description Protocol
The three main objectives: to tell what kind of media you want to receive, to describe how the media is coded, and to state the address and port the media should be delivered to.
Text based.
The Structure of SDP
The SDP grammar is very structured and strict: every line has the form <type>=<value>, where the type field is exactly one character, in lower case.
SDP header fields
Session description:
v= (protocol version)
o= (owner/creator and session identifier)
s= (session name)
i=* (session information)
u=* (URI of description)
e=* (email address)
p=* (phone number)
c=* (connection information; not required if included in all media)
b=* (bandwidth information)
One or more time descriptions
z=* (time zone adjustments)
k=* (encryption key)
a=* (zero or more session attribute lines)
Zero or more media descriptions
Time description:
t= (time the session is active)
r=* (zero or more repeat times)
Media description:
m= (media name and transport address)
i=* (media title)
c=* (connection information; optional if included at session level)
b=* (bandwidth information)
k=* (encryption key)
a=* (zero or more media attribute lines)
* = optional item
SDP header fields (cont)
The origin field: o=<username> <session id> <version> <network type> <address type> <address>
The connection field: c=<network type> <address type> <connection address>
The media field: m=<media> <port> <transport> <fmt list>
Payload types (PT) for standard audio and video encodings
SIP Overview
SIP [RFC2543]
Call setup 1: between two users.
It is not mandatory for SIP to use SDP, but SDP is the only session description defined so far.
Setting up a SIP session
Call setup-2 with Routing SIP messages
Call setup-2 (cont)
SIP addresses
SIP addresses are the so-called SIP URLs. Format: sip:user@host.
SIP URLs can be found in (1) the Request line, (2) the To field, (3) the From field, (4) the Via field, (5) the Contact field, (6) the Record-Route field, and (7) the Route field.
Example: sip:[email protected]
Transportation protocol for SIP
SIP is independent of any specific transport protocol and can run over TCP, UDP, ATM AAL5, IPX, frame relay, or X.25.
SIP Terminology
User Agent: User Agent Client (UAC), User Agent Server (UAS)
SIP server: SIP proxy server, SIP redirect server
Call leg, which identifies a session between two SIP clients: Call-ID, the From field, the To field
SIP message structure
Based on the Augmented Backus-Naur Form (ABNF) [RFC 2234]
Syntax notation: "|" (alternatives), "()" (grouping), "*" (repetition), CRLF (the end-of-line indicator: carriage return followed by line feed)
Example:
SIP-message = Request | Response
generic-message = start-line *message-header CRLF [ message-body ]
SIP message structure (cont)
Example:
start-line = Request-Line | Status-Line
message-header = ( general-header | request-header | response-header | entity-header )
message-header = field-name ":" [ field-value ] CRLF
Request = Request-Line *( general-header | request-header | entity-header ) CRLF [ message-body ]
Request-Line = Method SP Request-URI SP SIP-Version CRLF
Method = "INVITE" | "ACK" | "OPTIONS" | "BYE" | "CANCEL" | "REGISTER"
Response = Status-Line *( general-header | response-header | entity-header ) CRLF [ message-body ]
Status-Line = SIP-version SP Status-Code SP Reason-Phrase CRLF
Status-Code = Informational | Success | Redirection | Client-Error | Server-Error | Global-Failure | extension-code
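To make the ABNF concrete, here is an added Python example (not from the slides) that parses a SIP message exactly along the grammar above: a start-line that is either a Request-Line or a Status-Line, a run of message-headers terminated by CRLF, and an optional message-body. It also collects SIP URLs from the request line and the header fields listed on the "SIP addresses" slide. The INVITE and 200 OK messages are constructed for the demonstration; the header names and addresses in them are illustrative.

```python
import re

# The six core methods defined on the slide (RFC 2543).
METHODS = {"INVITE", "ACK", "OPTIONS", "BYE", "CANCEL", "REGISTER"}
# Status-Code classes; anything outside 1xx-6xx is an extension-code.
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client-Error", 5: "Server-Error", 6: "Global-Failure"}
SIP_URL_RE = re.compile(r"sip:[^\s<>;,]+")
# Header fields the slide names as carrying SIP URLs (besides the request line).
URL_BEARING = ("To", "From", "Via", "Contact", "Record-Route", "Route")


def parse_sip_message(raw: str) -> dict:
    """Split into start-line, headers and body; reject malformed input."""
    text = raw.replace("\r\n", "\n")          # wire format is CRLF; tolerate bare LF
    head, _, body = text.partition("\n\n")    # empty line ends the header block
    lines = head.split("\n")
    start = lines[0]
    msg = {"headers": [], "body": body}
    parts = start.split(" ", 2)
    if len(parts) != 3:
        raise ValueError(f"bad start-line: {start!r}")
    if parts[0].startswith("SIP/"):
        # Status-Line = SIP-version SP Status-Code SP Reason-Phrase
        code = int(parts[1])
        if not 100 <= code <= 699:
            raise ValueError("status code out of range")
        msg.update(kind="response", version=parts[0], status=code,
                   status_class=STATUS_CLASSES.get(code // 100, "extension-code"),
                   reason=parts[2])
    else:
        # Request-Line = Method SP Request-URI SP SIP-Version
        method, uri, version = parts
        if method not in METHODS:
            raise ValueError(f"unknown method {method!r}")
        if not version.startswith("SIP/"):
            raise ValueError(f"bad SIP-Version {version!r}")
        msg.update(kind="request", method=method, request_uri=uri, version=version)
    # message-header = field-name ":" [ field-value ] CRLF
    # A line starting with SP or HTAB continues the previous header (folding).
    for line in lines[1:]:
        if not line:
            continue
        if line[:1] in (" ", "\t"):
            if not msg["headers"]:
                raise ValueError("continuation line before any header")
            name, value = msg["headers"][-1]
            msg["headers"][-1] = (name, value + " " + line.strip())
            continue
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"bad header line: {line!r}")
        msg["headers"].append((name.strip(), value.strip()))
    return msg


def header(msg: dict, name: str) -> list:
    """All values of a header, matched case-insensitively."""
    return [v for n, v in msg["headers"] if n.lower() == name.lower()]


def sip_urls(msg: dict) -> list:
    """SIP URLs from the request line and the URL-bearing fields, in order."""
    found = []
    if msg["kind"] == "request":
        found += SIP_URL_RE.findall(msg["request_uri"])
    for name in URL_BEARING:
        for value in header(msg, name):
            found += SIP_URL_RE.findall(value)
    return found


# Constructed sample messages (hypothetical hosts and addresses).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060\r\n"
    "From: Alice <sip:alice@example.com>\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: 1234@192.168.1.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.10>\r\n"
    "Subject: a folded\r\n"
    " header value\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
)
SAMPLE_OK = "SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 192.168.1.10:5060\r\n\r\n"

if __name__ == "__main__":
    inv = parse_sip_message(SAMPLE_INVITE)
    print(inv["method"], sip_urls(inv))
    print(parse_sip_message(SAMPLE_OK)["status_class"])
```

The URL collection is the part a firewall or ALG cares about: the Contact field in the sample carries a private address, which is exactly the value that has to be rewritten when the message crosses a NAT.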
Summary of SIP requests
INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER
Summary of SIP response codes
Complete list of response codes
Summary of SIP headers
Internet Firewalls
Packet filtering gateways: stateful or stateless; they cannot change packet content; rules are applied per interface and per direction.
Packet filtering Gateways
Circuit-Level Gateways
Application Level Gateways
It works as a proxy, similar to a circuit-level gateway.
In other cases it runs in cooperation with a firewall performing NAT.
Some features: it does not support a particular service/application; it supports TCP and UDP (TFTP); combined with a NAT, it examines the application data.
IP addressing issues
IPv4, IPv6, private addresses
NAT
Static NAT: requires the same number of globally unique IP addresses; a fixed mapping between local addresses and global addresses
Dynamic NAT
NAPT
Some problems: a session that is not initiated from the inside; SIP puts IP addresses and port numbers inside the application data of the IP packets
Introduction to Security in SIP
Encryption: end-to-end between user agents, or hop-by-hop between SIP entities.
Hop-by-hop encryption works at the transport level or the network level; IPsec is suggested.
Basic rules:
Not all header fields may be encrypted.
All header fields that are not encrypted must precede those that are encrypted.
An Encryption header must be inserted to indicate the encryption mechanism.
Responses to encrypted requests should be encrypted with a key.
Encryption
Authentication
Authentication (cont)
Hide Route
Via field encryption: intermediate proxies encrypt either the entire Via list or only the top-most entry.
Summary
Next issues: implementation of an ALG for SIP; RSIP.
Integrity of SIP with current network equipment is a very interesting question.
Reference
SIP, NAT, and Firewalls. Master's thesis by Fredrik Thernelius.
http://cui.unige.ch/db-research/Enseignement/analyseinfo/AboutBNF.html
RFC 2234