Presentation is loading. Please wait.

Presentation is loading. Please wait.

Examining Session Policy Topologies

Published byWinfred Percival Simon Modified over 5 years ago

Similar presentations

Presentation on theme: "Examining Session Policy Topologies"— Presentation transcript:

1 Examining Session Policy Topologies
Rohan Mahy

2 Typical Applications Cooperative NAT and Firewall Traversal
Bandwidth / Media / Codec Policy Logging

3 Explicit Policy Fetch atlanta.com biloxi.com Alice Bob
Works great when policies don’t depend on who you call, or dynamic properties like load. Obviates the need to mucking with typical INVITE flow much of the time. Still need another solution.

4 Full Redirect Model atlanta.com biloxi.com Alice Bob
Minimal session policy possible Doesn’t work at all through middleboxes Doesn’t work with the GRUU mechanism

5 Triangle Redirect Model
atlanta.com biloxi.com Alice Bob Most preferred model when allowed by policy Incompatible with policy requirements of many organizations

6 Trapezoid Redirect Model
atlanta.com biloxi.com Alice Bob Adds lots of extra RTTs Unclear what Alice is consenting to and how she can authorize the inclusion of arbitrary opaque data if this implies her “consent” Reveals information potentially private between Bob and biloxi.com

7 Foreign Piggyback Model
atlanta.com biloxi.com Alice Bob Meets both Alice’s and Bob’s consent requirement without leaking Bob’s data to Alice Fewer RTTs Requires Addition of bodies by biloxi.com. Backward compatible using “repack” option-tag (more on this later) Security is better. Authorization by Alice is simple Can also address AOR—Contact correlation problem

8 Full Piggyback Model atlanta.com biloxi.com Alice Bob
Doesn’t permit Alice to consent to modifications/insertions made by atlanta.com

9 Adding Bodies Safely: Secure and Backwards Compatible
biloxi.com may only add a body to a request when retargeting to a UAS registered in the biloxi.com domain (for example: Bob). Never responses. Any additions are always marked as “added-by” biloxi.com. Biloxi either signs its additions with S/MIME or forwards them directly over TLS to Bob Bob includes an option-tag in a REGISTER to indicate it supports body repacking. Q: Is this secure? See the Contact— AOR correlation problem…

10 Contact Correlation Problem
How does Alice know that (a contact) corresponds to (an AOR)? Not really a problem in a triangle topology. Slightly problematic in a trapezoid if either user is roaming. (Alice is using what appears to be a hotel lobby wireless network with a mandatory SIP proxy. No way to automatically judge trust of this proxy) Obvious solution is request history. Proxies that retarget, provided signed “cookie trail” to the eventual Contact. Works with proposal to add/repack bodies

11 Addressing Requirements with Foreign Piggyback
Session Policies of UAC and UAS are independent (only one needs to support session policies) Consent principle still applies Works even better when used in concert with out-of-band mechanism (STUN for NATs, SUB/NOT for more general policies)

12 Midbox traversal–offer in INV
atlanta.com biloxi.com Alice Bob Alice can try to get STUN/TURN addresses If address in offer are not valid, atlanta sends 4xx proposing new addresses; if they are valid, open pinholes/create bindings Bob can try STUN to fetch addresses biloxi adds proposed answer for Bob, and forwards Bob responds with an answer for Alice, and (in NAT case) can include Bob’s actual addresses

13 Midbox traversal–late offer
atlanta.com biloxi.com Alice Bob biloxi adds either proposed generic offer for Bob or address of STUN server, and forwards Bob responds with an offer for Alice, and (in NAT case) can include Bob’s actual addresses Alice can try to get STUN/TURN addresses, sends addresses in answer in PRACK or ACK

Download ppt "Examining Session Policy Topologies"

Similar presentations

SIP(Session Initiation Protocol) - SIP Messages

SIP(Session Initiation Protocol) - SIP Messages
SIP Session-ID draft-kaplan-sip-session-id-02 Hadriel Kaplan.

SIP Session-ID draft-kaplan-sip-session-id-02 Hadriel Kaplan.
1 © 2001, Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved. Location Conveyance in SIP draft-ietf-sipping-location-requirements-02.

1 © 2001, Cisco Systems, Inc. All rights reserved. © 2004, Cisco Systems, Inc. All rights reserved. Location Conveyance in SIP draft-ietf-sipping-location-requirements-02.
SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
www.dynamicsoft.com Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
SIP Interconnect Guidelines draft-hancock-sip-interconnect-guidelines-02 David Hancock, Daryl Malas.

SIP Interconnect Guidelines draft-hancock-sip-interconnect-guidelines-02 David Hancock, Daryl Malas.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.

SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.
Session-Independent Policies draft-ietf-sipping-session-indep-policy-01 Volker Hilt Gonzalo Camarillo

Session-Independent Policies draft-ietf-sipping-session-indep-policy-01 Volker Hilt Gonzalo Camarillo
STUN Date: 2011-05-25 Speaker: Hui-Hsiung Chung 1.

STUN Date: Speaker: Hui-Hsiung Chung 1.
STUN Tutorial Jonathan Rosenberg Chief Technology Officer.

STUN Tutorial Jonathan Rosenberg Chief Technology Officer.
Session Initiation Protocol Winelfred G. Pasamba.

Session Initiation Protocol Winelfred G. Pasamba.
ICE Jonathan Rosenberg dynamicsoft. Issue 1: Port Restricted Flow This case does not work well with ICE right now Race condition –Works if message 13.

ICE Jonathan Rosenberg dynamicsoft. Issue 1: Port Restricted Flow This case does not work well with ICE right now Race condition –Works if message 13.
Proposed Fix to HERFP* (Heterogeneous Error Response Forking Problem) Rohan Mahy * for INVITE transactions.

Proposed Fix to HERFP* (Heterogeneous Error Response Forking Problem) Rohan Mahy * for INVITE transactions.
Rohan Mahy draft-ietf-sip-join and Semantics of REFER.

Rohan Mahy draft-ietf-sip-join and Semantics of REFER.
1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri

1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri
Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.

Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.
The Session Initiation Protocol (SIP) Common Log Format (CLF)‏ IETF 74, March 2009, San Francisco, CA (USA)‏ Vijay K. Gurbani Eric Burger Humberto Abdelnur.

The Session Initiation Protocol (SIP) Common Log Format (CLF)‏ IETF 74, March 2009, San Francisco, CA (USA)‏ Vijay K. Gurbani Eric Burger Humberto Abdelnur.
 Introduction  VoIP  P2P Systems  Skype  SIP  Skype - SIP Similarities and Differences  Conclusion.

 Introduction  VoIP  P2P Systems  Skype  SIP  Skype - SIP Similarities and Differences  Conclusion.
RTCWEB Signaling Matthew Kaufman. Scope Web Server Browser.

RTCWEB Signaling Matthew Kaufman. Scope Web Server Browser.

Similar presentations

Ads by Google