4 URI Registration
User address forms:
–user@domain
–User@host
–user@IP_Address
URI schemes (im:, sip:, sips:, pres:):
–im:email@example.com
–sip:firstname.lastname@example.org@uottawa.ca
–sip:email@example.com
–sips:firstname.lastname@example.org
–pres:email@example.com
Telephone numbers: Phone_number@gateway
–tel:411;phone-context=+1613
–tel:5625800;phone-context=+1613
–tel:+16135625800
–sip:+firstname.lastname@example.org;user=phone
User registration (User Agent, Registrar Server, Location Server):
–The User Agent sends REGISTER sip:email@example.com (or REGISTER sip:firstname.lastname@example.org) to the Registrar Server
–The registrar stores the user's current contact binding in the Location Server
–The registrar answers 200 OK
5 SIP - Presence
Presence functionality gives the opportunity to know who is online among your contact list.
SUBSCRIBE and NOTIFY messages are used to subscribe to presence and to notify changes in it.
Flow (Presence Agent / Presence Server):
–The watcher sip:email@example.com (yahoo.com) sends SUBSCRIBE for sip:firstname.lastname@example.org (aol.com) to the Presence Server
–The Presence Agent answers 202 Accepted
–The Presence Agent sends NOTIFY with the current presence state; the watcher answers 200 OK
6 SIP – Instant Messaging
Instant messaging enables you to send short messages to another person.
Very useful for short requests and responses.
Has better real-time characteristics than e-mail.
Examples: Yahoo, AOL, MSN Messenger, etc.
Flow (IM Agent, Proxy Server, Proxy Server, IM Agent):
–The sender's IM Agent (sip:email@example.com @yahoo.com) sends MESSAGE to its Proxy Server
–The proxy forwards MESSAGE to the recipient's Proxy Server, which delivers it to the recipient's IM Agent (sip:firstname.lastname@example.org @aol.com)
–The recipient answers 200 OK, relayed back through both proxies
7 SIP - End to End Call Setup
Parties: User Agent (caller, sip:email@example.com, yahoo.com), Proxy Server, Proxy Server, User Agent (called party, sip:firstname.lastname@example.org, aol.com)
Message sequence:
–M1 INVITE (caller UA to first proxy)
–M2 INVITE (first proxy to second proxy)
–M3 100 Trying (first proxy to caller)
–M4 INVITE (second proxy to called UA)
–M5 100 Trying (second proxy to first proxy)
–M6 180 Ringing (called UA to second proxy)
–M7 180 Ringing (second proxy to first proxy)
–M8 180 Ringing (first proxy to caller)
–M9 200 OK (called UA to second proxy)
–M10 200 OK (second proxy to first proxy)
–M11 200 OK (first proxy to caller)
–M12 ACK (caller UA to called UA)
–Media Session (RTP between the two UAs)
–M13 BYE
–M14 200 OK
SIP Proxy Server: forwards requests on behalf of SIP agents; may update the SIP message before forwarding it.
8 SIP - End to End Call Setup (Redirect)
Parties: User Agent (caller, sip:email@example.com, yahoo.com), Redirect Server, Proxy Server, User Agent (called party, sip:firstname.lastname@example.org, uottawa.ca)
Message sequence:
–M1 INVITE (caller UA to Redirect Server)
–M2 302 Moved Temporarily (Redirect Server to caller; the Contact header carries the called party's current location)
–M3 ACK (caller to Redirect Server)
–M4 INVITE (caller UA to Proxy Server, addressed to the new location)
–M5 INVITE (Proxy Server to called UA)
–M6 100 Trying (Proxy Server to caller)
–M7 180 Ringing (called UA to Proxy Server)
–M8 180 Ringing (Proxy Server to caller)
–M9 200 OK (called UA to Proxy Server)
–M10 200 OK (Proxy Server to caller)
–M11 ACK
–Media Session
–M12 BYE
–M13 200 OK
SIP Redirect Server: responds to a UA request with a redirection response indicating the current location of the called party.
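The proxy behaviour on slides 7 and 8 (forwarding requests on behalf of UAs and updating the message on the way) comes down to a few header operations. The following Python is an added example written for this page, not code from the slides: a stateless proxy hop pushes a Via header with an RFC 3261 branch, decrements Max-Forwards (answering 483 Too Many Hops when it is exhausted), and on the way back pops its own Via to find the next hop. The hostnames, the branch derivation and the sample INVITE are constructed for illustration.

```python
import hashlib

CRLF = "\r\n"
MAGIC_COOKIE = "z9hG4bK"  # RFC 3261: every branch parameter starts with this


def parse_message(raw):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize(start_line, headers, body=""):
    return CRLF.join([start_line] + [f"{n}: {v}" for n, v in headers]) + CRLF + CRLF + body


def header_values(headers, name):
    return [v for n, v in headers if n.lower() == name.lower()]


def make_response(request_raw, code, reason):
    """Answer a request: copy Via, From, To, Call-ID and CSeq (RFC 3261 8.2.6)."""
    _, headers, _ = parse_message(request_raw)
    keep = [(n, v) for n, v in headers
            if n.lower() in ("via", "from", "to", "call-id", "cseq")]
    keep.append(("Content-Length", "0"))
    return serialize(f"SIP/2.0 {code} {reason}", keep)


def proxy_forward_request(raw, proxy_host):
    """Return the request the proxy sends downstream, or a failure response."""
    start_line, headers, body = parse_message(raw)
    request_uri = start_line.split()[1]
    vias = header_values(headers, "Via")
    if not vias:
        return make_response(raw, 400, "Bad Request")
    # Max-Forwards: decrement on every hop so a routing loop cannot run forever.
    existing = header_values(headers, "Max-Forwards")
    hops = int(existing[0]) if existing else 70
    if hops <= 0:
        return make_response(raw, 483, "Too Many Hops")
    if existing:
        headers = [(n, str(hops - 1) if n.lower() == "max-forwards" else v) for n, v in headers]
    else:
        headers.insert(0, ("Max-Forwards", str(hops - 1)))
    # Branch: derived from Request-URI plus the incoming top Via, so the same request
    # arriving again yields the same branch and can be spotted as a loop (RFC 3261 16.6).
    digest = hashlib.md5((request_uri + vias[0]).encode()).hexdigest()[:16]
    headers.insert(0, ("Via", f"SIP/2.0/UDP {proxy_host};branch={MAGIC_COOKIE}{digest}"))
    return serialize(start_line, headers, body)


def proxy_forward_response(raw, proxy_host):
    """Pop our own Via; return (response to forward, next hop sent-by) or (None, None)."""
    start_line, headers, body = parse_message(raw)
    via_idx = [i for i, (n, _) in enumerate(headers) if n.lower() == "via"]
    if len(via_idx) < 2 or proxy_host not in headers[via_idx[0]][1]:
        return None, None  # top Via is not ours, or nothing below it: discard (RFC 3261 18.1.2)
    del headers[via_idx[0]]
    next_via = headers[via_idx[1] - 1][1]
    sent_by = next_via.split()[1].split(";")[0]
    return serialize(start_line, headers, body), sent_by


# Constructed sample request; hosts are illustrative example.com names.
SAMPLE_INVITE = serialize(
    "INVITE sip:bob@biloxi.example.com SIP/2.0",
    [("Via", "SIP/2.0/UDP pc33.atlanta.example.com;branch=z9hG4bK776asdhds"),
     ("Max-Forwards", "70"),
     ("To", "Bob <sip:bob@biloxi.example.com>"),
     ("From", "Alice <sip:alice@atlanta.example.com>;tag=1928301774"),
     ("Call-ID", "a84b4c76e66710@pc33.atlanta.example.com"),
     ("CSeq", "314159 INVITE"),
     ("Contact", "<sip:alice@pc33.atlanta.example.com>"),
     ("Content-Length", "0")])

if __name__ == "__main__":
    forwarded = proxy_forward_request(SAMPLE_INVITE, "proxy.atlanta.example.com")
    print(forwarded)
    answer = make_response(forwarded, 200, "OK")  # the called UA copies both Vias back
    back, next_hop = proxy_forward_response(answer, "proxy.atlanta.example.com")
    print(next_hop)
    print(back)
```

Run it and the forwarded INVITE shows the proxy's Via on top and Max-Forwards 69; the 200 OK comes back with that Via removed and is routed to pc33.atlanta.example.com, the sent-by of the caller's own Via. A response whose top Via does not name this proxy is dropped rather than forwarded, which is the check that stops a forged response from being injected through the proxy.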
9 SIP Security Threats
SIP Snooping, Eavesdropping
Tampering with the Message Bodies
Replay Attack
Impersonating a Server
Impersonating Users
Registration Hijacking
Tearing Down a Session
Denial of Service and Distributed DoS Attack
10 SIP Security Requirements
Authenticating Users
Authenticating Servers (Proxy, Registrar, Redirect)
Message Confidentiality and Integrity
Privacy
Diagram: SIP UA, Proxy Server (with Location server), SIP UA; SIP text messages flow through the proxy, the media (RTP) flows directly between the UAs.
12 SIP Security: Confidentiality and Message Integrity
End-to-End Encryption:
–From Caller's UA to Callee's UA
–Message Body and some parts of the Headers
–Using S/MIME, Secure Multipurpose Internet Mail Extensions, RFC 2633
Hop-by-Hop Encryption:
–To protect header information that is needed by intermediaries
–Relies on Network Level (IPsec) or Transport Level (TLS) protocols
13 SIP Security Mechanisms: HTTP DIGEST
A challenge-based Authentication mechanism
Based on the MD5 hash function
Limitations of HTTP Digest:
–It requires a pre-existing shared secret (password) between user and server
–Scope of realm: credentials are valid only within one realm
–Not secure enough: based on shared secrets, not PKI
–No Message Integrity Protection (only the method and Request-URI are covered)
–No Confidentiality
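HTTP Digest as SIP uses it (RFC 3261 section 22, RFC 2617), written out as an added example that is not the slides' material: the client answers the 401/407 challenge with an MD5 response over username, realm, password, method, Request-URI and nonce, and the registrar recomputes it. The inputs make the limitations above concrete: Contact, the body and every other header are not covered (no integrity); the secret is a per-realm password (shared secret, realm scope); and without qop=auth and a nonce-count check the same Authorization header replays. The realm, user and password below are constructed; the first value checked is the test vector from RFC 2617 section 3.5.

```python
import hashlib
import hmac
import re
import secrets

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 MD5 digest. Only method and Request-URI of the SIP message are inputs:
    Contact, body and all other headers can change without affecting the value."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")  # RFC 2069 form: no client nonce, replayable


def parse_digest_header(value):
    scheme, _, params = value.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    return {key: quoted or bare for key, quoted, bare in _PARAM.findall(params)}


def build_challenge(realm):
    nonce = secrets.token_hex(16)
    return nonce, f'Digest realm="{realm}", nonce="{nonce}", algorithm=MD5, qop="auth"'


def build_authorization(username, password, method, uri, challenge, cnonce, nc="00000001"):
    """Client side: turn a WWW-Authenticate challenge into an Authorization header."""
    c = parse_digest_header(challenge)
    qop = "auth" if "auth" in c.get("qop", "").split(",") else None
    response = digest_response(username, c["realm"], password, method, uri, c["nonce"],
                               qop, nc if qop else None, cnonce if qop else None)
    parts = [f'username="{username}"', f'realm="{c["realm"]}"', f'nonce="{c["nonce"]}"',
             f'uri="{uri}"', f'response="{response}"', "algorithm=MD5"]
    if qop:
        parts += ["qop=auth", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


class DigestVerifier:
    """Registrar side: remembers issued nonces and the highest nonce-count accepted per nonce."""

    def __init__(self, credentials):
        self.credentials = credentials  # {(username, realm): password}, constructed store
        self.nonces = {}                # nonce -> last accepted nc

    def challenge(self, realm):
        nonce, header = build_challenge(realm)
        self.nonces[nonce] = 0
        return header

    def verify(self, auth_header, method):
        p = parse_digest_header(auth_header)
        nonce = p.get("nonce")
        if nonce not in self.nonces:
            return False  # a nonce we never issued: forged or expired
        password = self.credentials.get((p.get("username"), p.get("realm")))
        if password is None:
            return False  # unknown user, or right user in the wrong realm
        qop = p.get("qop")
        nc = int(p.get("nc", "0"), 16) if qop == "auth" else None
        if qop == "auth" and nc <= self.nonces[nonce]:
            return False  # nonce-count did not increase: a replayed request
        expected = digest_response(p["username"], p["realm"], password, method,
                                   p.get("uri", ""), nonce, qop, p.get("nc"), p.get("cnonce"))
        if not hmac.compare_digest(expected.encode(), p.get("response", "").encode()):
            return False
        if qop == "auth":
            self.nonces[nonce] = nc
        return True


if __name__ == "__main__":
    registrar = DigestVerifier({("alice", "example.com"): "secret"})
    www_auth = registrar.challenge("example.com")
    auth = build_authorization("alice", "secret", "REGISTER", "sip:example.com", www_auth, cnonce="0a4f113b")
    print(auth)
    print(registrar.verify(auth, "REGISTER"), registrar.verify(auth, "REGISTER"))
```

Note what the registrar cannot check: the Authorization header that authenticates a REGISTER also authenticates the same REGISTER with a rewritten Contact, which is the registration-hijacking path listed on slide 9. The nonce-count check rejects a verbatim replay, but only when the server actually offers qop=auth and tracks nc per nonce.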
14 SIP Security Mechanisms: S/MIME
S/MIME: Secure Multipurpose Internet Mail Extensions
–Confidentiality and integrity of MIME message bodies
–SIP headers can also be encapsulated in a MIME body for end-to-end authentication, integrity and confidentiality
–End-to-End Mutual Authentication
–S/MIME authentication does not require a shared secret key
–Requires a common PKI Certificate Authority
Limitations of S/MIME:
–Lack of infrastructure for user public key exchange
–It can result in very large messages
15 SIP Security Mechanisms: TLS
Authentication, Integrity, Confidentiality
Usually used for server authentication
Can authenticate clients, but requires distribution of client certificates
Limitations of TLS:
–Runs on TCP only, not UDP
–Offers only hop-by-hop authentication
–Security in one hop doesn't mean security in other hops
–More tightly integrated with the SIP application
16 SIP Security Mechanisms: IPsec
IPsec:
–Confidentiality, Authentication and Integrity
–Supports TCP and UDP
–Keys are typically pre-shared (IKE can also use certificates)
–Does not require integration with SIP
17 Secure SIP URI Scheme
SIPS URI Scheme:
–New URI Scheme
–SIPS:email@example.com
–MUST be implemented if you support TLS
–If the Request-URI is SIPS, all hops MUST be secure
–If a hop cannot be secured, the transaction fails
18 SIP and Firewall
Challenges for SIP: problem for the Media Stream
–RTP will be blocked by firewalls
Solutions:
–The firewall must understand SIP and open 'pin-holes' for the RTP
–Use an Application-Level Gateway (ALG) trusted by the firewall
–Some firewalls have a built-in ALG
–Authentication and security policy are controlled by the ALG, not the firewall
–The ALG is a B2BUA which proxies both the SIP signalling and the Media Stream
19 SIP and NAT
Network Address Translators: serious problems for SIP
–NAT changes IP addresses and port numbers
–SIP messages are not routable
Solutions:
–SIP has a mechanism to detect the presence of a NAT
–UAs and the Proxy Server can fix the IP addresses
–This solves the SIP signaling problem but NOT the Media Stream problem
–New protocols and extensions for NAT traversal under development: STUN, ICE, rport, symmetric RTP, TURN, connection reuse, SDP attribute for RTCP, and others
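The NAT-detection mechanism the slide refers to is the Via received parameter (RFC 3261 section 18.2.1) together with rport (RFC 3581). As an added example, not from the slides: the server compares the Via sent-by with the packet's actual source address and port, records the real values in the Via, and routes the response there; the UA reads those parameters back from the response to learn its public mapping. This repairs signalling only; the addresses in the SDP body still need STUN, ICE or TURN. All addresses are constructed and the parser handles IPv4 literals and hostnames (not bracketed IPv6).

```python
import ipaddress


def via_params(via):
    """Split 'SIP/2.0/UDP host:port;branch=...;rport' into (protocol, sent-by, params)."""
    proto, _, rest = via.partition(" ")
    sent_by, *raw_params = rest.split(";")
    params = {}
    for item in raw_params:
        key, _, value = item.partition("=")
        params[key.strip()] = value.strip()  # a bare 'rport' keeps an empty value
    return proto, sent_by.strip(), params


def render_via(proto, sent_by, params):
    return proto + " " + sent_by + "".join(
        f";{k}={v}" if v else f";{k}" for k, v in params.items())


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def server_fix_via(top_via, source_ip, source_port):
    """Server side. Returns (rewritten top Via, (ip, port) to answer to, nat_suspected).
    RFC 3261 18.2.1: add received= when sent-by is a hostname or a differing IP.
    RFC 3581: if the UA asked for rport, fill in the real source port and answer there."""
    proto, sent_by, params = via_params(top_via)
    host, _, port_text = sent_by.partition(":")
    via_port = int(port_text) if port_text else 5060
    nat_suspected = False
    if not is_ip_literal(host) or host != source_ip:
        params["received"] = source_ip
        nat_suspected = is_ip_literal(host)  # an IP literal that differs is the tell-tale
    if "rport" in params:
        params["rport"] = str(source_port)
        nat_suspected = nat_suspected or source_port != via_port
        dest = (source_ip, source_port)
    else:
        # Without rport the response goes to the Via port, which a port-translating NAT
        # will not have mapped: this is why rport exists.
        dest = (params.get("received", host), via_port)
    return render_via(proto, sent_by, params), dest, nat_suspected


def ua_public_mapping(response_top_via, own_ip, own_port):
    """UA side: read received/rport back; return the public (ip, port) if it differs from ours."""
    _, sent_by, params = via_params(response_top_via)
    host, _, port_text = sent_by.partition(":")
    public_ip = params.get("received", host)
    public_port = int(params.get("rport") or port_text or 5060)
    if (public_ip, public_port) != (own_ip, own_port):
        return public_ip, public_port
    return None


if __name__ == "__main__":
    # Constructed: UA on a private address, seen by the server from a NAT's public address.
    via, dest, nat = server_fix_via("SIP/2.0/UDP 192.168.1.20:5060;rport;branch=z9hG4bKnashds7",
                                    "203.0.113.45", 41234)
    print(via, dest, nat)
    print(ua_public_mapping(via, "192.168.1.20", 5060))
```

The UA that sees received=203.0.113.45 and rport=41234 come back for its own 192.168.1.20:5060 knows it sits behind a NAT and which public mapping the server sees; what it still cannot fix from this alone is the c= line and m= port in its SDP, which the NAT never rewrote.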