STI Interworking with SIP-PBXs

1 STI Interworking with SIP-PBXs
Chris Wendt (Comcast) David Hancock (CableLabs)

2 Applying STI to Multi-homed SIP-PBX
Problem Description
1) SP-1 and SP-2 each assign a set of TNs to PBX
2) PBX initiates a call via SP-2 with calling TN belonging to SP-1
3) SP-2 sends INVITE on to SP-x, owner of called TN-x
Problem: In step-3, how does SP-2 create Identity signature for a calling TN that it does not own?
[Diagram: SIP-PBX holding SP-1 TNs (TN-1, TN-2, TN-3, …) and SP-2 TNs (TN-a, TN-b, TN-c), connected to Service Provider 1 and Service Provider 2. Step 2: INVITE TN-x from PBX to Service Provider 2 with PAI:TN-1; To:TN-x; Date: t. Step 3: INVITE TN-x from Service Provider 2 to Service Provider x with PAI:TN-1; To:TN-x; Date: t; Identity: ???]

3 One Solution Approach – have PBX sign calling identity
Solution Description
1) SP-1 and SP-2 allocate TNs to PBX.
2) PBX adds Identity header containing signature of calling TN-1 in INVITE to SP-2.
3) SP-2 verifies received Identity signature, and if valid, it replaces received Identity with new Identity containing SP-a generated signature of calling TN-1.
Question: How does PBX generate signature for calling TN?
[Diagram: SIP-PBX holding SP-1 TNs (TN-1, TN-2, TN-3, …) and SP-2 TNs (TN-a, TN-b, TN-c), connected to Service Provider 1 and Service Provider 2. Step 2: INVITE TN-x from PBX to Service Provider 2 with PAI:TN-1; To:TN-x; Date: t; Identity: ppt=shaken, attest=full, orig/dest/date=1/x/t, signature=E(1,x,t), info = Cert-URL. Step 3: INVITE TN-x from Service Provider 2 to Service Provider x with PAI:TN-1; To:TN-x; Date: t; Identity: ppt=shaken, attest=full, orig/dest/date=1/x/t, signature=E(1,x,t), info = SPa-cert-URL]

4 Two Solution Options
Option-1: PBX obtains Identity header from the host SP that owns the calling TN
Option-2: PBX generates Identity header using certificate and private key obtained from host SP that owns calling TN

5 Option-1: PBX obtains Identity Header from SP
Architecture
SP hosts a TN signing service that PBX invokes per call.
Message Sequence
- PBX user TN-1 initiates DOD call
- PBX asks SP-1 to sign calling TN-1 (since SP-1 owns TN-1).
- SP-1 returns Identity header containing signature for TN-1
- PBX includes received Identity header in INVITE to SP-2.
- SP-2 verifies Identity signature.
- SP-2 sends INVITE to terminating network, containing either received Identity header, or newly created Identity header.
Pros: Leverages already-supported signing functionality of Service Provider
Cons: Uses resources of Service Provider (per-call)
[Diagram: Public STI PA/CA; SP-1 with SP STI Functions (KMS, SKS, AS, etc.) and Call Control; SIP-PBX with Call Control; SP-2. Flows: [1] Orig call request; [2] Sign TN-1; [3] Identity <TN-1>; [4] INVITE Identity: <TN-1>; [5] INVITE Identity: <TN-1>]

6 Option-2: PBX generates Identity Header
Architecture
SP provides an STI Proxy service to PBX
Message Sequence
1) PBX user TN-1 initiates DOD call
2) PBX asks PBX STI Function to sign calling TN.
3) PBX STI Function sends certificate request to STI Proxy.
4) STI Proxy returns certificate to PBX STI Function. This cert could be a child of a certificate that SP-1 had previously obtained from the CA. This new child cert could specify PBX-unique attributes, such as the cert lifetime, the set of TNs covered by cert, etc.
5) PBX STI function returns Identity header to Call Control.
6) and 7) Same as option-1; PBX includes received Identity header in INVITE to SP-2, etc.
Pros: Avoids use of real-time resources in Service Provider.
Cons: Adds STI functionality to PBX
[Diagram: Public STI PA/CA; SP-1 with STI Proxy; SIP-PBX with PBX STI Functions (KMS, SKS, AS, etc.) and Call Control; SP-2 with Call Control. Flows: [1] Orig call request; [2] Sign TN-1; [3] Get Cert; [4] <cert>; [5] Identity <TN-1>; [6] INVITE Identity: <TN-1>; [7] INVITE Identity: <TN-1>]
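
An added example, not part of the original slides: the claim checks SP-2 could run on a PBX-supplied Identity header (slide 3) alongside signature verification, including the TN scope of a PBX certificate as described under Option-2. The header layout follows RFC 8224 and RFC 8588; the TNs, certificate URL, 60-second freshness window and function names are constructed or assumed, and the ES256 signature check itself is not implemented here.

```python
import base64, json

FRESHNESS_SECONDS = 60  # assumption: allowed gap between iat and the INVITE Date

def _dec(seg):
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def _enc(obj):
    raw = json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def build_identity(orig_tn, dest_tn, iat, x5u, sig="CONSTRUCTED-NOT-A-SIGNATURE"):
    """Constructed sample header; a real signer puts the ES256 signature in sig."""
    hdr = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": x5u}
    claims = {"attest": "A", "dest": {"tn": [dest_tn]}, "iat": iat,
              "orig": {"tn": orig_tn}, "origid": "00000000-0000-4000-8000-000000000000"}
    return f"{_enc(hdr)}.{_enc(claims)}.{sig};info=<{x5u}>;alg=ES256;ppt=shaken"

def check_identity(value, calling_tn, called_tn, date_epoch, cert_tns):
    """Return reasons to reject; an empty list means the claims are consistent."""
    try:
        token, *params = [p.strip() for p in value.split(";")]
        hdr_b64, claims_b64, sig = token.split(".")
        hdr, claims = _dec(hdr_b64), _dec(claims_b64)
        par = dict(kv.split("=", 1) for kv in params)
        orig_tn, dest_tns = claims["orig"]["tn"], list(claims["dest"]["tn"])
        iat, ppt, alg, x5u = int(claims["iat"]), hdr["ppt"], hdr["alg"], hdr["x5u"]
    except (ValueError, KeyError, TypeError):
        return ["malformed Identity header"]
    problems = []
    if ppt != "shaken" or par.get("ppt") != "shaken":
        problems.append("not a shaken PASSporT")
    if alg != "ES256":
        problems.append("unexpected alg")
    if x5u != par.get("info", "").strip("<>"):
        problems.append("info does not match x5u")
    if orig_tn != calling_tn:  # calling_tn is the TN taken from PAI
        problems.append("orig does not match calling TN")
    if called_tn not in dest_tns:
        problems.append("dest does not match called TN")
    if abs(iat - date_epoch) > FRESHNESS_SECONDS:
        problems.append("iat outside freshness window")
    if calling_tn not in cert_tns:  # TN set covered by the PBX certificate
        problems.append("calling TN not covered by certificate")
    if not sig:
        problems.append("missing signature")
    return problems
```

An empty result only means the claims agree with the INVITE and the certificate scope; the signature still has to be verified against the certificate at the info URL before SP-2 re-signs.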

