Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.

Similar presentations


Presentation on theme: "1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst."— Presentation transcript:

1 1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.

2 2 Lingid What_is_SIP.ppt

3 3 Internet ->> real-time communications network UDP ftp TCP DHCP POP3 HTTP SMTP ( ) TLS SIP SNMP IPv6WAP IM Presence PBX RSVP DiffSrv PPP PPPoE PPTP NAT IPv4 DNS RIP AAAA SRV NAPTR ENUM SOAP

4 4 URI Registration User Address im: sip: Telephone Numbers Example: tel:411;phone-context=+1613 tel: ;phone-context=+1613 tel: Location server Registrar Server User Agent User Registration REGISTER REGISTER 200 OK Location Server

5 5 SIP - Presence Presence functionality gives the opportunity to know who is online among your contact lists SUBSCRIBE, NOTIFY messages are used to subscribe and notify the presence SUBSCRIBE NOTIFY yahoo.com aol.com Presence Agent Presence Server 202 Accepted 200 OK

6 6 SIP – Instant Messaging Instant messaging enables you to send short messages to another person. Very useful for short requests and responses Has better real-time characteristics than an Yahoo, AOL, MSN Messengers etc MESSAGE IM Agent IM Agent Proxy Server Proxy Server 200 OK MESSAGE 200 OK

7 7 SIP - End to End Call Setup INVITE M1 INVITE M2 INVITE M1 200 OK M9 200 OK M Ringing M7 100 Trying M5 100 Trying M3 180 Ringing M8 200 OK M11 Media Session ACK M Ringing M6 yahoo.com aol.com User Agent User Agent Proxy Server Proxy Server BYE M OK M14 SIP Proxy Server forwards requests on behalf of SIP agents May update the SIP message before forwarding it called party

8 8 SIP - End to End Call Setup (Redirect) INVITE M1 INVITE M4 INVITE M5 200 OK M9 200 OK M Trying M6 180 Ringing M8 Media Session ACK M Ringing M7 yahoo..com uottawa.ca User Agent User Agent Proxy Server Redirect Server BYE M OK M Moved Temporarily M2 ACK M3 SIP Redirect Server responds to a UA request with redirection response indicating the current location of the called party

9 9 SIP Security Threats SIP Snooping, Eavesdropping Tampering With the Message Bodies Replaying Attack Impersonating a Server Impersonating Users Registration Hijacking Tearing Down a Session Denial of Service and Distributed Dos Attack

10 10 Authenticating Users Authenticating Servers (Proxy, Registrar, Redirect) Message Confidentiality and Integrity Privacy SIP Security Requirements Location server Proxy Server SIP UA SIP Text Messages SIP UA Media: RTP

11 11 SIP Security: Authentication Authenticating Servers: –TLS: Transport Layer Security, PKI certificates, RFC 2246 –HTTP Digest, RFC2617 Authenticating Users: –HTTP Digest, RFC2617 –TLS if users have certificates Authentication: –Hop-by-Hop –End-To-End

12 12 SIP Security: Confidentiality and Message Integrity End-to-End Encryption: –From Caller’s UA to Callee’s UA –Message Body and Some parts of the Headers –Using S/MIME, Secure Multipurpose Internet Mail Extension, RFC 2633 Hop-by-Hop Encryption: –To protect header information that needed by intermediaries –Rely on Network Level (IPSec) or Transport level(TLS) protocols

13 13 SIP Security Mechanisms: HTTP DIGEST A challenge-based Authentication mechanism Based on MD5 hash function Limitations of HTTP Digest –It requires a pre-existing shared secret keys –Scope of realm –Not secure enough, based on secret keys not PKI –No Message Integrity Protection – No Confidentiality

14 14 SIP Security Mechanisms: S/MIME S/MIME: Secure Multipurpose Internet Mail Extension –Confidentiality and integrity of MIME message bodies –SIP headers can also be encapsulated in MIME body for end-to-end Authentication, integrity and confidentiality –End-to-End Mutual Authentication –S/MIME Authentication Does Not Require a Shared Secret Key –Requires a common PKI Certificate Aauthority Limitations of S/MIME –Lack of infrastructure for user Public Key Exchange –It can result in very large messages

15 15 SIP Security Mechanisms: TLS Authentication, Integrity, Confidentiality Usually used for server authentication Can authenticate clients, but requires distribution of client certificates Limitations of TLS: –Runs on TCP Only, not UDP –Offers only hop-by-hop authentication –Security in one hop doesn’t mean security in other hops –More Tightly Integrated with SIP Application

16 16 SIP Security Mechanisms: IPSec IPSec –Confidentiality, Authentication and Integrity –Supports TCP and UDP –Requires Pre-Shared Keys –Does not requires integration with SIP

17 17 Secure SIP URI Scheme SIPS URI Scheme –New URI Scheme – MUST Implement If You Support TLS –If Request-URI Is SIPS, All Hops MUST Be Secure –If a hop cannot be secured, the transaction fails

18 18 SIP and Firewall Challenges for SIP Problem for the Media Stream –RTP will be blocked by FWs Solutions: –FW must understand SIP and open ‘pin-holes’ for the RTP –Use Application-Level Gateways(ALG) trusted by FW –Some FWs have built-in ALG –Auth’n and Security policy controlled by ALG, not FW –ALG is B2BUA which proxies both the SIP signalling and Media Stream

19 19 SIP and NAT Network Address Translators: Serious problems for SIP ! Changes IP Addresses and Port Numbers –SIP messages not routable ! Solutions: SIP has a mechanism to detect presence of NAT –UAs and Proxy Sever can fix the IP addresses –This solves SIP signaling problem but NOT the Media Stream problem ! New Protocols and Extensions for NAT traversal under development: STUN, ICE, rport, symmetric RTP, TURN, connection reuse, SDP attribute for RTCP, and others.


Download ppt "1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst."

Similar presentations


Ads by Google