SIP.edu & VoIP Security: 2nd Workshop on Securing VoIP, June 1-2, Washington, DC, Ben Teitelbaum


1 SIP.edu & VoIP Security
2nd Workshop on Securing VoIP, June 1-2, Washington, DC
Ben Teitelbaum
http://people.internet2.edu/~ben/

2 Outline
- Internet2
- SIP.edu
  - Goal
  - Architecture
  - Status
  - Security Concerns
- Abilene Observatory
- VoIP Observatory?

3 Internet2 Who?
- Elevator Explanation
  - Internet2's mission is to develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow's Internet
- Who we really are
  - Membership organization of 200+ US research universities
  - Parent 501(c)(3) (UCAID) has board of university presidents
  - Project supported by numerous partnerships (government, industry, international)
- Goals
  - Enable new generation of applications
  - Re-create leading edge R&E network capability
  - Transfer capability to global production internet

4 Internet2 Universities
206 University Members, March 2005

5 High Performance Networks

6 Internet2 Partnerships
- Internet2 universities are recreating the partnerships that fostered the Internet in its infancy
  - Industry
  - Government
  - International
- Additional Participation
  - Over 60 Internet2 Corporate Members
  - Over 40 Affiliate Members
  - New Association Member Category
  - Over 30 International Partners

7 Sponsored Education Group Participants

8 Internet2 Focus Areas
- Advanced Network Infrastructure
  - 10 GB Abilene backbone
  - Advanced regional networks
  - 100 MB to the desktop
  - National fiber-optic facility
- Middleware
  - Directories
  - Authentication
  - Authorization
- Engineering
  - Multicast
  - IPv6
  - Measurement
  - New Arch
- Advanced Applications
  - Gigabit+ file transfer
  - High-end video
  - Remote instrumentation
  - Distributed computation
  - Virtual co-laboratories
  - Distance learning
  - Integrated Communications

9 Advanced Applications (high-end, few users)

10 Many ways VoIP can be better…
- Multi-media integration
- Integration with campus IT assets
- Use of IPv6 and Multicast
- Fidelity
- Addressing
- Mobility
- Privacy
- Survivability
- Emergency services
Advanced Communications (less high-end, many users)
* Drawings by VoIP user, Louis Teitelbaum (age 6)

11 Internet2's Secret Sauce
- Demographics
  - ~3.8 million students (tech-savvy, talk a lot, adapt easily)
  - And, by the way, they graduate (tech-transfer à la email)
- Institutional Commitments
  - Internet2 members have committed to advance IP communications and promote collaborative apps
  - Commitment to advance communication way beyond POTS
- Connectivity
  - Great networking connectivity and campus middleware
  - High-bandwidth, low-loss, low-jitter
  - End-to-end transparency (few NATs)
  - Emerging middleware infrastructure for authentication & authorization
  - IPv6 and multicast too!
- Strong commitment to open standards

12 SIP.edu Working Group
- Fearless Leader
  - Dennis Baron, MIT (Chair)
  - sip:dbaron@mit.edu
- Web Site
  - http://www.internet2.edu/sip.edu/

13 Ends and Means
- Ends
  - Grow SIP connectivity in Internet2
  - Increase value proposition for end-user SIP adoption
  - Promote SIP and converged identity
  - Provide a useful service, while supporting R&D
- Means
  - Cookbook with various recipes
  - Corporate sponsorship and promotional pricing
    - Cisco, Avaya, Pulver.com so far
  - Build community

14 Why Phone NUMBERS?
- Users should not be burdened with device addresses, when it's people they care about
- Addresses should be mnemonic and empower enterprises to manage the identities of their users
  - sip:dbaron@mit.edu
- It's time to put E.164 numbers behind us!
- A.G. Bell did not say: "+1-617-252-1232, come here. I need you!"

15 SIP.edu Architecture v0.1
[Diagram] Components: SIP User Agent, DNS SRV, SIP Proxy, Campus Directory, SIP-PBX Gateway, PBX, Bob's Phone (bigu.edu)
[Diagram] Labels: INVITE (sip:bob@bigu.edu); DNS SRV query sip.udp.bigu.edu; telephoneNumber where mail=bob; INVITE (sip:12345@gw.bigu.edu); PRI / CAS

16 SIP.edu Architecture v0.2
[Diagram] Components: SIP User Agent, DNS SRV, SIP Proxy, SIP Registrar, location DB, Bob's SIP Phones (bigu.edu)
[Diagram] Labels: INVITE (sip:bob@bigu.edu); DNS SRV query sip.udp.bigu.edu; REGISTER (Contact: 207.75.164.131); INVITE (sip:bob@207.75.164.131); IP Voice, Video, IM,...
If Bob has registered, ring his SIP UAs; Else, call his extension through the PBX.

17 Campus Deployments

18 SIP.edu Security Considerations
- VoIP is wonderful, but returns us to the bad old days of in-band signaling
- DoS, SPIT, SPIM, Spideo, all concerns
- Toll fraud - not so much
- SIP.edu community looking seriously at draft-ietf-sip-identity-05 (Peterson & Jennings) to deter spoofing
- Possible leverage of Shibboleth / InCommon PKI

19 Security Should Not Compromise Security
- CALEA
  - Tapping boxes could introduce fragility
  - Tapping boxes could be hacked
- 911
  - Short-term solutions could delay the deployment of much better long-term solutions
  - IP-enabled PSAPs
  - Better 911: multimedia, testability, low-cost, robustness
  - Columbia/Texas A&M/Internet2/NENA NG911 project
- Priority and preemption systems
  - Open new opportunities for DoS attacks
  - Best-effort is often what you want in a crisis

20 SIP.edu Goals Revisited
- Provide a useful service…
  - User-to-user connectivity to support mass-use of new collaborative applications
  - Eventual evolution of testbed deployments into production services
- …while supporting R&D
  - Experimental deployment of new solutions
  - Access to statistics & measurement data

21 Abilene Observatory - Summary
- History and Motivation
- What is the Observatory?
- Collocation Projects
- Internet2 and NOC Measurements
- Data Collections
- Examples of Research Results
- Participation in Research Proposals
- Future Directions
- Issues
http://abilene.internet2.edu/observatory/

22 History and Motivation
- Original Abilene racks included measurement devices
  - Included a single PC
  - Early OWAMP, surveyor measurements
  - Optical splitters at some locations
  - Motivation was primarily operational
- Data collections
  - Collected and maintained by the NOC
  - How is the network performing?
  - Available to other network operators
  - Data also proved valuable for research purposes

23 History and Motivation
- An important decision was made during the last upgrade process (Juniper T-640 routers and OC-192c)
  - Two racks, one dedicated to measurement platform
  - Potential for research community to collocate
- Created two components to the Observatory
  - Collocation - research groups are able to collocate equipment in the Abilene router nodes
  - Measurement - data is collected by the NOC, the Ohio ITEC, and Internet2, and made available to the research community

24 Abilene router node
[Rack diagram] Labels: Power; Out-of-band; Eth. Switch; T-640; (M-5); Power (48VDC); Measurement Machines (nms); Space!; Measurement (Observatory) Rack

25 Dedicated servers at each node
[Photo] Labels: Houston Router Node; NMS machines; PlanetLab machines

26 Collocation Research Projects
- PlanetLab – Nodes installed in all Abilene Router Nodes
  - PlanetLab is a global overlay network for developing and accessing new network services
  - Goal is to deploy 1000 nodes in a variety of networks
  - Designed to support both short-term experiments and long-running services
  - Larry Peterson, Princeton University is Research Lead
  - http://www.planet-lab.org
  - Potential new direction using MPLS L2VPNs

27 Collocation Projects
- The AMP Project – Active Measurement Platform, Deployed in all Abilene Router Nodes
  - More than 150 nodes deployed worldwide
  - Measurements include path, round-trip-time, packet loss and on demand throughput tests
  - Project of NLANR/MNA
  - Tony McGregor NLANR/MNA, Waikato University is Research Lead
  - http://amp.nlanr.net

28 Collocation Projects
- The PMA Project – Passive Measurement and Analysis, Deployed at Abilene Indianapolis Router Node
  - Analysis of header traces from over 20 sites, including OC-192 circuits in Abilene
  - Header traces of all packets in and out of the Indianapolis Abilene router – A router clamp
  - Joerg Micheel, NLANR/MNA, San Diego Supercomputer Center, UCSD, is research lead
  - http://pma.nlanr.net
  - http://pma.nlanr.net/Sites/ipls-2004/

29 Measurement Capabilities
- One way latency, jitter, loss
  - IPv4 and IPv6
- Regular TCP/UDP throughput tests – ~1 Gbps
  - IPv4 and IPv6; On-demand available (see pipes)
- SNMP (NOC)
  - Octets, packets, errors; collected frequently
- Netflow (ITEC Ohio)
  - Addresses anonymized by 0-ing the low order 11 bits
- Multicast beacon with historical data
- Routing data
  - Both IGP and BGP - Measurement device participates in both
  - Japanese research techniques on routing research were implemented
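
Added example (not part of the original slides or the Observatory's own code): what zeroing the low-order 11 bits does to IPv4 flow records. Every address collapses to its /21 block, so 2048 hosts become indistinguishable while per-block traffic totals survive. The flow tuples, function names and IPv4-only handling are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

ZEROED_BITS = 11  # from the slide: the low-order 11 bits are zeroed


def anonymize_ipv4(addr: str, zeroed_bits: int = ZEROED_BITS) -> str:
    """Return addr with its low-order bits cleared (IPv4 only, an assumption)."""
    value = int(ipaddress.IPv4Address(addr))
    mask = (0xFFFFFFFF << zeroed_bits) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(value & mask))


def anonymity_set_size(zeroed_bits: int = ZEROED_BITS) -> int:
    """Number of distinct hosts that map to the same anonymized address."""
    return 1 << zeroed_bits


def anonymize_flows(flows):
    """Anonymize (src, dst, bytes) tuples; byte counts are left untouched."""
    return [(anonymize_ipv4(s), anonymize_ipv4(d), n) for s, d, n in flows]


def bytes_by_src_block(flows):
    """Per-source totals after anonymization: hosts in one /21 merge."""
    totals = Counter()
    for src, _dst, nbytes in anonymize_flows(flows):
        totals[src] += nbytes
    return dict(totals)


# Constructed sample records (documentation and private address ranges).
SAMPLE_FLOWS = [
    ("192.0.2.17", "198.51.100.200", 1200),
    ("192.0.2.250", "198.51.100.9", 800),
    ("10.1.9.77", "203.0.113.5", 500),
    ("10.1.15.255", "203.0.113.5", 300),   # same /21 as 10.1.9.77
    ("10.1.16.1", "203.0.113.5", 100),     # first address of the next /21
]

if __name__ == "__main__":
    for record in anonymize_flows(SAMPLE_FLOWS):
        print(record)
    print("hosts per anonymized address:", anonymity_set_size())
    print(bytes_by_src_block(SAMPLE_FLOWS))
```

The same trade-off applies to the anonymized proxy logs raised later in the deck: the masked data still supports per-prefix analysis but cannot attribute a flow to a single host.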

30 Databases – Data Types
- Data is collected locally and stored in distributed databases
- Databases
  - Usage Data
  - Netflow Data
  - Routing Data
  - Latency Data
  - Throughput Data
  - Router Data
  - Syslog Data

31 Databases - Interface
- Variety of Interfaces to data
  - Simple web based for usage data
  - Rsync for netflow
  - Simple web based for routing data
  - SOAP interface for latency data
  - SOAP interface for throughput data
  - SOAP interface for Router data
  - Syslog data still under development

32 SIP.edu Observatory?
- Could the Abilene Observatory be leveraged to support VoIP security research?
- Are additional data (e.g. anonymized proxy logs) needed to support VoIP security research?
