Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2006 Solegy LLC Internal Use Only Getting Connected with SIP Encryption _______________________________ By Eric Hernaez Solegy LLC May 16, 2007.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "© 2006 Solegy LLC Internal Use Only Getting Connected with SIP Encryption _______________________________ By Eric Hernaez Solegy LLC May 16, 2007."— Presentation transcript:

1 © 2006 Solegy LLC Internal Use Only Getting Connected with SIP Encryption _______________________________ By Eric Hernaez Solegy LLC May 16, 2007

2 © 2006 Solegy LLC Internal Use Only This Session will Cover: Why VoIP Calls are Being Blocked How VoIP Calls are Being Blocked Technical Approaches to Avoid SIP Blocking What You Can do to Leverage Development Efforts

3 © 2006 Solegy LLC Internal Use Only This Session is Not About: Authentication (Identity Verification) Privacy/Confidentiality Intrusion Protection Denial of Service Attacks SPIT

4 © 2006 Solegy LLC Internal Use Only What is VoIP Blocking? Denial of Service Degradation of Service Encourage Aura of Inconsistency Project Image of Poor Quality

5 © 2006 Solegy LLC Internal Use Only Why are VoIP Calls Being Blocked? Net Neutrality Avoiding Competition Differentiate Own Services Protecting Legacy Services Security Control Communications Protection from Unknown

6 © 2006 Solegy LLC Internal Use Only From Cingular Data Subscriber Agreement: Data Service sessions may only be conducted for the following purposes: (i) Internet browsing; (ii) e-mail; and (iii) corporate intranet access (including access to corporate e-mail, customer relationship management, sales force automation, and field service automation applications). The Services cannot be used with server devices or host computer applications. Prohibited uses include, but are not limited to, telemetry applications, automated data feeds, continuous jpeg file transfers, Web camera posts or broadcasts, other machine-to-machine applications, and voice over IP.

7 © 2006 Solegy LLC Internal Use Only How are VoIP Calls Being Blocked? IP Address Blocking DNS Blocking Port Blocking Default SIP Port 5060 RTP Buffers Packet Inspection Commercial Solutions Available SIP-Aware ALG SIP Message Transfiguration Registration Hijacking Exploit VIA Header

8 © 2006 Solegy LLC Internal Use Only Reminder: Basic Topology Alice AtlantaBiloxi Bob INVITE OK RTP SIP and RTP follow different paths –SIP: Signaling path –RTP: Media path Media path is often faster (fewer hops) X X X

9 © 2006 Solegy LLC Internal Use Only SIP Is Easy To Detect SIP/SDP Headers are ASCII Text Layer IPSEC TLS or DTLS for SIP/SDP SRTP for Media ZRTP (ZPhone) for Media Application Layer S/MIME (treat SIP like email)

10 © 2006 Solegy LLC Internal Use Only Using Encryption to Avoid SIP Blocking Considerations: Divergent Objectives Security by Obscurity? Ease of Implementation Ease of Use Who’s in the Ecosystem? ATA/Device Vendors Proxy Vendors Service Providers

11 © 2006 Solegy LLC Internal Use Only Common Approaches to Encryption: Transport Layer IPSEC TLS or DTLS for SIP/SDP SRTP for Media ZRTP (ZPhone) for Media Application Layer S/MIME (treat SIP like email)

12 © 2006 Solegy LLC Internal Use Only IPSEC: ProCon Easy to ImplementPoint-to-Point Solution; does not Support Mobility Supported by Many ATA/Router Combos Usually Requires New CPE Widely Known and UnderstoodRequires Tunnel to Proxy Protects all Communication (not just SIP) Always Requires Media Proxy

13 © 2006 Solegy LLC Internal Use Only TLS/DTLS: ProCon Standard; TLS - RFC 2246 DTLS - draft-jennings-sip-dtls-03 Does not Protect Media; RTP Encryption Optional TLS uses TCP – looks like web traffic Requires PKI, Server Certificates Addresses Privacy and Authentication Issues Difficult to Implement Gaining Support from Solution Providers Easy to Use

14 © 2006 Solegy LLC Internal Use Only SRTP: ProCon Standard – RFC 3711Requires PKI, MIKEY or DTLS Gaining Adoption among Solution Providers Networks Can Block Access to PKI Does Not Require Media ProxyRequires Handshake; Can Increase Call Setup Time Does Not Address SIP/SDP Encryption

15 © 2006 Solegy LLC Internal Use Only ZRTP: ProCon SRTP without PKIDoes Not Address SIP/SDP Encryption Easy to Use SDKNot Widely Supported Zimmerman Pedigree Addresses Privacy and Authentication Issues Does Not Require Media Proxy

16 © 2006 Solegy LLC Internal Use Only Design Choices Handshake in signaling channel –MIKEY, Security Descriptions –Already written up and implemented –Problems with forking and media-before-SDP-answer Handshake in media channel –ZRTP, EKT, RTP/DTLS –Internet Drafts only –Work well with forking and media-before-SDP-answer

17 © 2006 Solegy LLC Internal Use Only Uncommon Approaches to Encryption: Security by Obscurity Why Skype Thrived Changing VoIP Signature Simple Ciphers Applied to SIP/SDP Only Applied to Media

18 © 2006 Solegy LLC Internal Use Only Simple Ciphers: ProCon Easy to ImplementRequires Support Through Ecosystem Easy to UseNot Difficult to Detect Can Apply to Signaling and MediaDoes not Address Privacy or Authentication

19 © 2006 Solegy LLC Internal Use Only Lessons from the Field: Control all you can – DNS, Proxy Always use non-standard ports DNS-SRV for IP Address flexibility Simple ciphers work best if you can get support from ecosystem Engineer flexibility into the solution Plan to proxy media

20 © 2006 Solegy LLC Internal Use Only Questions?

Download ppt "© 2006 Solegy LLC Internal Use Only Getting Connected with SIP Encryption _______________________________ By Eric Hernaez Solegy LLC May 16, 2007."

Similar presentations

The leader in session border control for trusted, first class interactive communications.

The leader in session border control for trusted, first class interactive communications.
SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
www.dynamicsoft.com Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra.

Secure Internet Solutions Geoff Huston Chief Scientist, Internet Telstra.
Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Addressing Security Issues IT Expo East 2011. Addressing Security Issues Unified Communications SIP Communications in a UC Environment.

Addressing Security Issues IT Expo East Addressing Security Issues Unified Communications SIP Communications in a UC Environment.
Overview of SIP Media Security Options

Overview of SIP Media Security Options
Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.

Tom Behrens Adam Muniz. Overview What is VoIP SIP Sessions H.323 Examples Problems.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.

January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.
1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.

1 Kommunikatsiooniteenuste arendus IRT0080 Loeng 5 Avo Ots telekommunikatsiooni õppetool, TTÜ raadio- ja sidetehnika inst.
Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony.

Enabling SIP to the Enterprise Steve Johnson, Ingate Systems Security: How SIP Improves Telephony.
Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)

Voice over IP and IP telephony Network convergence – Telephone and IT – PoE (Power over Ethernet) Mobility and Roaming Telco – Switched -> Packet (IP)
The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.

The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.
September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
SIP Security Matt Hsu.

SIP Security Matt Hsu.

Similar presentations

Ads by Google