Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIP DNS SIP Authentication SIP Peering SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen Kingham

Similar presentations


Presentation on theme: "SIP DNS SIP Authentication SIP Peering SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen Kingham"— Presentation transcript:

1 SIP DNS SIP Authentication SIP Peering SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen Kingham mailto:Stephen.Kingham@aarnet.edu.au sip:Stephen.Kingham@aarnet.edu.au

2 2 This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. Copyright Stephen.Kingham@aarnet.edu.au 2006 ©Stephen Kingham@aarnet.edu.au

3 3 Outline and Objectives Demonstrations DNS Authentication Routing ENUM Security QoS ©Stephen Kingham@aarnet.edu.au

4 4 SIP is PBX/Centrex ready call waiting/multiple callsRFC 3261 holdRFC 3264 transferRFC 3515/Replaces conferenceRFC 3261/callee caps message waitingmessage summary package call forwardRFC 3261 call parkRFC 3515/Replaces call pickupReplaces do not disturbRFC 3261 call blastRFC 3261 from Rohan Mahys VON Fall 2003 talk Courteous of Quincy.Wu simultaneous ringing (forking)RFC 3261 basic shared linesdialog/reg. package barge-inJoin Take Replaces Shared-line privacy dialog package divert to adminRFC 3261 intercomURI convention auto attendantRFC 3261/2833 attendant consoledialog package night serviceRFC 3261 centrex-style features boss/admin features attendant features

5 5 SIP PROXY Server call flow ©Stephen Kingham@aarnet.edu.au

6 6 SIP REDIRECT Server call flow ©Stephen Kingham@aarnet.edu.au

7 7 DNS is integral to SIP routing. DNS is used to find a priority list of SIP servers for a domain using in SIP specific SRV records into the DNS. –Just like MX records in DNS for mail. So it turns out it is easy to have backup servers in SIP. Good description found on the MIT Internet2 sip.edu project cookbook: http://mit.edu/sip/sip.edu/dns.shtml http://mit.edu/sip/sip.edu/dns.shtml SIP and DNS ©Stephen Kingham@aarnet.edu.au

8 8 Specific SRV records added to your DNS for SIP, eg IN A 192.94.63.28 ;If we place the SRV record above the next line it fails to load $ORIGIN aarnet.edu.au. _sip._udp SRV 0 1 5060 ser.yarralumla.aarnet.edu.au. _sip._udp SRV 1 1 5060 ser.nsw.aarnet.edu.au. ser.yarrulumla.aarnet..edu.au. IN A 192.94.63.28 ser.nsw.aarnet..edu.au. IN A 138.44.16.90 SIP and DNS ©Stephen Kingham@aarnet.edu.au

9 9 On a unix host use the dig command: dig -t SRV _sip._udp.aarnet.edu.au You should get a response that has this in it: ;; QUESTION SECTION: ;_sip._udp.aarnet.edu.au. IN SRV ;; ANSWER SECTION: _sip._udp.aarnet.edu.au. 333 IN SRV 1 1 5060 ser.yarralumla.aarnet.edu.au. SIP and DNS TEST ©Stephen Kingham@aarnet.edu.au

10 10 Outline and Objectives SIP Authentication –Who are you? SIP Authorisation –What are you allowed to do? SIP Presence and Instant Messaging (the SIMPLE protocol) –I am available! –Buddy lists. ©Stephen Kingham@aarnet.edu.au

11 11 Both ends must know the same secret password (key). The password is used to encrypt certain information such as the users password. Originated from HTTP (WWW) and often called HTTP digest, Digest Authentication is described by RFC 2671. RFC 3261 (SIP) describes how Digest Authentication is applied to SIP. Authentication in SIP ©Stephen Kingham@aarnet.edu.au

12 12 SIP REGISTER with Digest Authentication REGISTER bruce@uni.edu.au (with out credentials)bruce@uni.edu.au UA Proxy Server 407 Proxy Authentication Required REGISTER bruce@uni.edu.au (password encrypted with key)bruce@uni.edu.au 200 OK ask user for a password ©Stephen Kingham@aarnet.edu.au

13 13 SIP INVITE with Digest Authentication INVITE fred@uni.edu.au (with out credentials) UA Proxy Server 407 Proxy Authentication Required ACK 100 TRYING UA INVITE fred@uni.edu.au (with encrypted password) INVITE fred@uni.edu.au ( password removed) ask user for a password ©Stephen Kingham@aarnet.edu.au

14 14 Protect Gateways from un-authorised use Use a Proxy Server in front of your Gateways, turn on Record Route so ALL SIP control is via Proxy. Configure gateways so that they only respond to SIP from your SIP Proxy. –Filter TCP and UDP traffic to port 5060 on the Gateway. –Also do the same for H.323, TCP traffic to port 1720 on the gateway. ©Stephen Kingham@aarnet.edu.au

15 15 Secure SIP SIPS, a close cousin of SIP, is a good and low cost means of encryption soon to be widely deployed. It specifies TLS (transport layer security) over TCP and is not subject to bid down attacks and is the same technology used for SSL. This means a SIPS call will fail rather than complete insecurely. Open SER now supports TLS. Microsoft Messenger supports TLS ©Stephen Kingham@aarnet.edu.au

16 16 Two interesting drafts (related to SPAM and SPIT) http://www.ietf.org/internet-drafts/draft-ietf-sip-identity-03.txt Abstract The existing security mechanisms in the Session Initiation Protocol are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document recommends practices and conventions for identifying end users in SIP messages, and proposes a way to distribute cryptographically-secure authenticated identities.http://www.ietf.org/internet-drafts/draft-ietf-sip-identity-03.txt http://www.ietf.org/internet-drafts/draft-peterson-message-identity-00.txt This document provides an overview of the concept of identity in Internet messaging systems as a means of preventing impersonation. It describes the architectural roles necessary to provide identity, and details some approaches to the generation of identity assertions and the transmission of such assertions within messages. The trade-offs of various design decisions are explained.http://www.ietf.org/internet-drafts/draft-peterson-message-identity-00.txt ©Stephen Kingham@aarnet.edu.au

17 17 SIP FORKING (native to SIP) Never need to forward phones to other phones again!!!! This is a big mindset change for the user. ©Stephen Kingham@aarnet.edu.au

18 18 SIP Forking: Introduction SIP natively does forking: Make several phones and UAs ring all at the same time. The SIP Server recieves an INVITE, and generates many INVITEs to all the phones the user has defined. In SER that is done by creating static entries in the location database with this command: serctl ul add Stephen.Kingham sip:61419417471@gw1.aarnet.edu.au You may want to add entries to the aliase table to point telphone numbers to a user. serctl alias add +61262223575 sip:Stephen.Kingham@aarnet.edu.au ©Stephen Kingham@aarnet.edu.au

19 19 Presence and Instant Messaging SIP is not just Voice and Video, It also has Presence and Instant Messaging. ©Stephen Kingham@aarnet.edu.au

20 20 Case Study from Edith Cowan University SIP Enabled their core. SIP integrated Voice, PABX, Room based Video, Desktop Video, mobile SIP phones on campus, Instant Messaging and Presence. Unexpected demand was the Presence and Instant Messaging. Source: APAN 2005 and Questnet 2005, Steve Johnson Manager IT Infrustructure EDU May 2005

21 21 Case Study from Edith Cowan University Source: APAN 2005 and Questnet 2005, Steve Johnson Manager IT Infrastructure Edith Cowan Uni May 2005

22 22 The SIMPLE protocol for presence SUBSCRIBE NOTIFY SER Presence module, ref to Internet2 PIC Working Group. ©Stephen Kingham@aarnet.edu.au

23 23 SIP History H.323SIP ITU-T protocolIETF protocol May 1995Became proposed standard in March 1999. Study Group 16Working Groups: SIP, SIPPING, and SIMPLE Now V.5Now RFC 3261 from Quincy Wus talk, http://www.apan.net Cairns 2004http://www.apan.net ©Stephen Kingham@aarnet.edu.au

24 24 H323-SIP Comparison of Components H.323SIP End Station TerminalSIP UA Network Server GatekeeperRegistrar, Redirect Server, Proxy Server MCUConference Server PSTN Gateway from Quincy Wus talk, http://www.apan.net Cairns 2004http://www.apan.net

25 25 H323-SIP Comparison of Protocols H.323SIP SignalingRAS/Q.931SIP Capacity NegotiationH.245SDP CodecsAny Real-time Communication RTP/RTCP from Quincy Wus talk, http://www.apan.net Cairns 2004http://www.apan.net

26 26 H323-SIP Comparison of Protocols (cont.) H.323SIP Message EncodingBinaryASCII TransportUDP and TCP Mostly TCP UDP and TCP Most UDP Data ConferenceT.120 Instant MessageRFC 3428 Inter-Domain RoutingAnnex GDNS from Quincy Wus talk, http://www.apan.net Cairns 2004http://www.apan.net

27 Other Security stuff SIP Workshop AARNet By Stephen Kingham Stephen.Kingham@aarnet.edu.au

28 28 IP Phones: VLAN, POE, QoS Put IP phones into a separate VLAN IP Phones need power. Either from a power pack, or from the Ethernet switch using POE (Power Over Ethernet). Put power fail phones in strategic locations, these phones are analogue phones connected to a ATA (Analogue Telephone Adaptor) which is powered with a PABX grade UPS. QoS: The LAN must police the use of QoS at the edge (as close as possible to the users). Only VLANs with IP Phone (VoIP) can have DSCP = 46 (ToS=5). All other traffic should be marked with DSCP=0. ©Stephen Kingham@aarnet.edu.au

29 29 Quality of Service Only relevant for IP Telephone and VoIP to replace existing Telephone Service such as PABX or some home situations. At the outgoing edge: –Classify the traffic (Voice, Data, Video,..) –Mark the traffic (DSCP) –Shape (how much everyone should have) At the incoming edge –Policy incoming traffic from the outside (make sure it is within contract) Configure WAN routers to prioritise. ©Stephen Kingham@aarnet.edu.au

30 30 WAN QoS: AARNet3 hands policy control back to University

31 31 VoIP Monitor used in AARNet –Distributed monitoring WITH –Feeds QoS availability into VoIP routing. If a user wants QoS and the monitoring indicates that QoS is not working then the calls gets congestion message. –See http://noc.aarnet.edu.au points to http://lattice.act.aarnet.net.au/VoIPMonitor/http://noc.aarnet.edu.auhttp://lattice.act.aarnet.net.au/VoIPMonitor/

32 32 AARNet SIP & H.323 network ©Stephen Kingham@aarnet.edu.au

33 33 Other relevant talks at APAN Tokyo 2006 Monday 23 Jan –SIP User Agents Configuration and Fault Finding Speaker: Quincy Wu –SER Configuration and SIP Peering including ENUM Speaker: Stephen Kingham –From Taiwan SIP Mobility in IPV4/IPV6 Network Speaker: –Using Radius and LDAP with SER SIP Proxy for user Authentication Speaker: Nimal Ratnayake 9:30 Wednesday 25 Jan –Global SIP Dialling Plans (Ben Teitelbaum and Dennis Barron) 16:00 Wednesday 25 Jan –APAN SIP-H.323 Working Group BoF ©Stephen Kingham@aarnet.edu.au

34 SIP Routing and VoIP Peering SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen Kingham mailto:Stephen.Kingham@aarnet.edu.au sip:Stephen.Kingham@aarnet.edu.au

35 35 Routing Telephone numbers! WWW and email work by using the Domain Name Service (DNS). –DNS turns human addresses into Internet addresses, –DNS on its own is very uninteresting or useful! The ENUM standard teaches DNS about Telephone numbers! –VoIP users can discover that they can make VoIP calls to a number without routing it first to the PSTN! –Traditional Carriers around the world do not like ENUM. Join the ACMAs ENUM Trial, ref: enum.edu.au ©Stephen Kingham@aarnet.edu.au

36 36 Uses a common dial-plan called the Global Dialling Scheme (GDS), based on E.164 with 00 in front. AARNet runs one of the four International Root Gatekeepers. Although in Australia we use the International dialplan. http://www.aarnet.edu.au/engineering/projects/voip/gds/ http://www.aarnet.edu.au/engineering/projects/voip/gds/ 27 Country Gatekeepers. More than 156 advance voice and video networks. A community of Higher Education, some industry, K-12 and Research Organisations. Enabler for international and national collaboration. Plans to migrate to DNS (ENUM) Routing. International H.323 routing Telephone numbers

37 37 H.323 routing (all static configuration)

38 38 SIP Proxy DNS SIP-PBX Gateway PBX INVITE (sip:bob@bigu.edu) INVITE (sip:12345@gw.bigu.edu) DNS SRV query sip.udp.bigu.edu telephoneNumber where mail=bob, What is returned is 12345 PRI / CAS bigu.edu Campus Directory SIP User Agent Bob's Phone SIP.edu Architecture (Phase 1) Dennis Baron, June 5, 2005 np128 Links the sip address to a plain old telephone Cheap and easy to do Hear from Dennis at APAN Tokyo 2006 On Wednesday morning.

39 39 SIP.edu Reachable Users Dennis Baron, June 5, 2005

40 40 SIP Addressing in the future will be the preferred address, in addition to Telephone numbers +61-2-6222 3575, come here. I need you! A. G. Bell did not say: I will prefer to call people using sip:Stephen.Kingham@aarnet.edu.au Within the next year you will see this on the bottom of email footers and on business cards of Australian Universities. © Ben Teitelbaum @ Internet2 Source Ben Teitelbaum@internet2.edu Hear from Ben at APAN Tokyo 2006 On Wednesday morning.

41 41 SIP and E.164 routing Remember H.323 is static routing for everything. SIP can use the existing DNS to find people: sip:stephen.kingham@aarnet.edu.au, or variations of E.164 plus domain: sip:3575@aarnet.edu.au Dial a number on a UA, eg 3575 = 3575@local domain. SIP we still need to have static routing just like H.323…….BUT WAIT….. TRIP (rfc 3219) does for telephone numbers that BGP does for the entire Internet. Dynamic routing. and ENUM (rfc 2916) uses the DNS to find the full SIP address using a telephone number. ACA might have ENUM Tier 1 into Australia soon http://www.aca.gov.au/telcomm/telephone_numbering/enum_nsg2/.

42 42 Peering SIP Networks Easy to peer using sip addresses with domain name. Everyone can call Bruce@aarnet.edu.au, or even 3590@aarnet.edu.auBruce@aarnet.edu.au3590@aarnet.edu.au But routing E.164 (telephone) numbers is much harder. –ENUM –ISN/ITAD –TRIP

43 43 SIP peering using sip: address ©Stephen Kingham@aarnet.edu.au

44 44 ENUM (SIP and H.323 Routing) ©Stephen Kingham@aarnet.edu.au

45 45 TRIP (rfc 3219 not passed) does for telephone numbers that BGP does for the entire Internet. Dynamic routing by advertisement! More research and experimentation needed here. – for example perhaps a simpler form of TRIP (STRIP?) by encapsulating in MIME and sending it using SIP? [Source: Discussions between Randy Bush, Andrew Rutherford and Stephen Kingham 3 Feb 2004]. But look at ITAD and ISN from Internet2 Working Group. Hear from Ben and Dennis on Wednesday morning at APAN Tokyo 2006. SIP and TRIP (Telephone Routing over IP) ©Stephen Kingham@aarnet.edu.au

46 46 VoIP routing using ENUM DNS-Server ENUM SIP-Server Gateway Adapted from: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM 8 Feb 2002 Geneva Forked SIP call ©Stephen Kingham@aarnet.edu.au

47 47 ENUM in a nutshell take phone number +46 86859131 turn into domain name 1.3.1.9.5.8.6.8.6.4.e164.arpa. return list of URIs (NAPTR records) sip:paf@cisco.com ask the DNS mailto:paf@cisco.com Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM 8 Feb 2002 Geneva ©Stephen Kingham@aarnet.edu.au

48 48 2. Today, many addresses sip:Stephen.Kingham@aarnet.edu.au tel:+61 2 6222 3535 mailto:Stephen.Kingham@aarnet.edu.au tel:+61 2 6222 3575 Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM 8 Feb 2002 Geneva

49 49 2. With ENUM, only one Hand out enum enabled number +61 2 6222 3575 Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM 8 Feb 2002 Geneva sip:Stephen.Kingham@aarnet.edu.au tel:+61 2 6222 3535 mailto:Stephen.Kingham@aarnet.edu.au tel:+61 2 6222 3575 ENUM returns all of these for the caller to choose from:

50 50 TRIP (rfc 3219 not passed) does for telephone numbers that BGP does for the entire Internet. Dynamic routing by advertisement! More research and experimentation needed here. – perhaps a simpler form of TRIP (STRIP?) encapsulated in MIME? [Source: Discussions between Randy Bush, Andrew Rutherford and Stephen Kingham 3 Feb 2004]. But look at ITAD and ISN from Internet2 Working Group. Hear from Ben and Dennis on Wednesday morning at APAN Tokyo 2006. SIP and TRIP (Telephone Routing over IP) ©Stephen Kingham@aarnet.edu.au


Download ppt "SIP DNS SIP Authentication SIP Peering SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen Kingham"

Similar presentations


Ads by Google