
Developing Secure, Multi-lateral Peer to Peer SIP Applications



Presentation on theme: "Developing Secure, Multi-lateral Peer to Peer SIP Applications"— Presentation transcript:

1 Developing Secure, Multi-lateral Peer to Peer SIP Applications Jim.Dalton@TransNexus.com

2 Market Problem
(Diagram: a call from an originating domain to a terminating domain across an Ethernet switch, router, PSTN and the Internet or an IP network, via a service provider POP. Open questions for the call, marked €£¥$ and ?: routing, access control, accounting, settlement.)

3 Current Status of Peering
Ad hoc bilateral peering arrangements
ENUM provides a solution for peer to peer route discovery
But how to handle?
o Inter-domain access control
o Accounting
o Settlement disputes
o Backwards compatibility with operations and billing support systems for H.323 networks
o Evolution to new services

4 Benefits of Secure Multi-lateral Peering
Efficient peer to peer communications eliminate signaling bottlenecks
Access control is greatly simplified
o IP access lists are eliminated
o Asymmetric key management is simpler and more secure than shared secrets
Eliminates the costly overhead of managing many bilateral interconnect agreements

5 Solution: Open Settlement Protocol
Open Settlement Protocol (OSP):
o Global standard for inter-domain transaction authorization and usage reporting
o Developed by ETSI in 1998, now in version 4.1.1
o Based on existing standards
o Uses asymmetric public key infrastructure (PKI) services for non-repudiation of transactions
o Broad support: Asterisk, SER, Cisco, Alcatel, Radvision, UTStarcom, Mediaring, ISDN Communications, Veraz, Vovida, Teles
o Protocol independent: works with SIP, H.323, SMS, MMS, IAX …

6 Overview I - How OSP Works: route discovery and inter-domain access control
(Diagram: Domain A authenticates to the OSP server over the IP network and receives an authorization token; Domain A sends a SIP INVITE carrying the token to Domain B; RTP then flows directly between the two domains.)

7 Overview II - How OSP Works: CDR collection
(Diagram: Domain A and Domain B each send an accounting message with an encrypted CDR to the OSP server over the IP network.)

8 The Basics of Public-key Cryptosystems
Critical points:
Public / private keys are used for encryption / decryption and digital signatures
Public keys are public – easy to distribute
A digital certificate signed by a trusted third party ensures the public key is legitimate
Digital signatures provide data integrity, authentication and non-repudiation
Certificates may be chained from a root authority
Security services between parties rely on the exchange of public keys and the security of private keys.

9 Establishing PKI Security Services
(Diagram: a SIP device enrolls with the certificate authority (CA) for peer to peer authorization, which is the OSP server.)
Client device requests public key and certificate from CA
CA sends its public key and its certificate
Client device sends certificate request to CA
CA returns signed certificate (signed with the CA private key)
Certificate contents: VoIP device information and VoIP device public key, certified by the certificate authority with the CA signature

10 Source Peer Authentication
(Diagram: Carrier A sends an authorization request to the OSP server over the IP network.)
Routing request to OSP server is digitally signed with the VoIP device's private key.
OSP server verifies the client signature with the client's public key to authenticate the routing request.

11 Inter-Domain Access Control
(Diagram: the OSP server returns an authorization response with token to Domain A; Domain A sends a SIP INVITE with the token to Domain B.)
OSP server digitally signs the authorization token
Authorization token is included in the SIP INVITE
Domain B has no trusted relationship with Domain A, but verifies the digital signature with the CA public key
Carrier can retain the digital signature for non-repudiation

12 Authorization Token
Destination
o IP address, domain name, SIP URI, tel URI, E.164, trunk group
Destination protocol
o SIP, Q.931, H323-LRQ, IAX, other
Transaction ID
Service type, bandwidth, number of channels
Call ID, session ID, multi-session ID
Valid after – valid until
Authorized amount
o seconds, packets, bytes, pages, call, session, price, currency
Authority URL

13 Secure Accounting
(Diagram: Domain A and Domain B each send a usage indication with an encrypted CDR to the OSP server.)
Domains A and B encrypt CDRs with the CA public key
OSP server decrypts CDRs with the CA private key
For auditing, the OSP server can request in real time that a domain digitally sign a batch of CDRs

14 Capabilities & Pricing Messages
OSP enables clients to update the OSP server database in real time.
Capabilities Exchange messages can be used
o to indicate service features available
o to indicate bandwidth or channels available
o to indicate presence
Pricing Indication is used to provide rate changes
o for services (voice, fax, message, video …)
o based on seconds, pages, bytes, packets and currency

15 Examples of OSP Peering
Enterprise VoIP VPN
Wholesale inter-carrier VoIP services
Tiered peering
DUNDi settlement clearinghouse

16 Enterprise VoIP Network
(Diagram: Call Center, Headquarters, Sales Office, Branch Office and Manufacturing sites connected over the Internet, each labelled with the requirements that apply to it.)
Requirements:
1. Centralized routing
2. Secure inter-office access control
3. Centralized accounting
4. Autonomous local operation
5. Minimum bandwidth

17 Enterprise VoIP VPN
OSP peering architecture provides a secure VoIP VPN.
(Diagram: the same sites connected over an Internet VoIP VPN with an OSP server; requirements 1 to 5 as on the previous slide.)

18 Wholesale Inter-Carrier Services
Challenge: how to manage interconnect access and billing among thousands of ITSP peers
(Diagram: ITSP peers connected over the Internet.)

19 Wholesale Inter-Carrier Services
Conventional solution is to route all calls via a softswitch or session border controller.
(Diagram: ITSP peers connected over the Internet.)

20 Wholesale Inter-Carrier Services
Direct peering with OSP is more scalable and more reliable, gives better QoS, uses less bandwidth and costs less.
(Diagram: ITSP peers on the Internet perform a route lookup against OSP servers.)

21 Wholesale Inter-Carrier Services
Call detail collection from both the source and the destination eliminates settlement disputes.
(Diagram: source CDR and destination CDR are both delivered to the OSP servers.)

22 Tiered Peering
OSP enables secure peering among multiple peering networks.
(Diagram: Yellow Peering Network and Purple Peering Network, each with its own OSP servers, connected over the Internet. Sequence: 1. Auth. Request, 2. Auth. Request, 3. Auth. Response, 4. Auth. Response; the source then sends a SIP INVITE with a token for the Purple network.)

23 Tiered Peering CDR Reporting
Top tier peering networks receive Call Detail Records from both source and destination peers.
(Diagram: Yellow and Purple peering networks; source CDR and destination CDR are reported to the OSP servers at each tier.)

24 DUNDi
Distributed Universal Number Discovery
Based on General Peering Agreement
No settlement

25 DUNDi Clearinghouse
(Diagram: DUNDi nodes exchange "rate / minute?" and "2¢ / minute!"; the source sends a token request to the OSP server.)
DUNDi nodes enroll with CA
Route and rate discovery with DUNDi
Source submits route & rate to clearinghouse for a digitally signed token

26 DUNDi Clearinghouse
(Diagram: SIP INVITE with token between the nodes; CDRs to the OSP server.)
SIP INVITE includes the signed token
Destination validates the rate in the token
CDRs are sent to the clearinghouse

27 DUNDi Clearinghouse
(Diagram: CDRs flow to the OSP server, which produces the settlement bill ($).)
Clearinghouse performs settlement billing
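Settlement reconciliation over both sides' CDRs, covering slide 21 (collection from source and destination eliminates disputes) and slides 25 to 27 (rate carried in the token, clearinghouse billing), as an added Go example that is not from the presentation or any OSP product. The Settlement type, the maps keyed by transaction ID, the tolerance and the sample durations are constructed here; only the 2¢ per minute rate is taken from slide 25.

```go
package main

// Settlement is one billing line; a non-empty Reason marks the transaction as disputed.
type Settlement struct {
	BilledSec int
	Cents     int
	Reason    string
}

// Reconcile takes the duration each side reported per OSP transaction ID and the seconds
// each token authorized. It bills the shorter report (prorated per second, rounded down)
// at rateCentsPerMin, capped at the authorized seconds, and flags disputes otherwise.
func Reconcile(srcSec, dstSec, authorizedSec map[string]int, rateCentsPerMin, toleranceSec int) map[string]Settlement {
	ids := map[string]bool{}
	for _, m := range []map[string]int{srcSec, dstSec, authorizedSec} {
		for id := range m {
			ids[id] = true
		}
	}
	out := map[string]Settlement{}
	for id := range ids {
		s, haveSrc := srcSec[id]
		d, haveDst := dstSec[id]
		auth, haveAuth := authorizedSec[id]
		var st Settlement
		switch {
		case !haveAuth:
			st.Reason = "no authorization token for this transaction"
		case !haveSrc || !haveDst:
			st.Reason = "usage reported by only one side"
		case s-d > toleranceSec || d-s > toleranceSec:
			st.Reason = "source and destination durations disagree beyond tolerance"
		default:
			if d < s {
				s = d
			}
			if s > auth {
				s = auth // never bill beyond what the token authorized
			}
			st.BilledSec, st.Cents = s, s*rateCentsPerMin/60
		}
		out[id] = st
	}
	return out
}

// SampleSettlement runs Reconcile over constructed CDRs at slide 25's 2¢ / minute rate with a 5 s tolerance.
func SampleSettlement() map[string]Settlement {
	return Reconcile(map[string]int{"t1": 600, "t2": 300, "t3": 120}, map[string]int{"t1": 598, "t2": 400, "t4": 60}, map[string]int{"t1": 300, "t2": 14400, "t3": 14400}, 2, 5)
}
```

In the sample, t1 is billed at the 300 s cap its token authorized, t2 is disputed because the two reports differ by 100 s, t3 was reported by the source only, and t4 has usage but no token.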

28 Details of OSP
An OSP server is a web server.
Message formats: Multipurpose Internet Mail Extensions (MIME), eXtensible Markup Language (XML), Secure MIME
Communication protocol stack, top to bottom:
Open Settlement Protocol (XML presentation)
HTTP v1.0
SSL / TLS
TCP port 80 (HTTP) / TCP port 443 (SSL / TLS)
IP

29 OSP Message Example
HTTP header:
HTTP/1.1 200 OK
Server: IP address of OSP server
Date: Thu, 12 May 2005 18:32:59 GMT
Connection: Keep-Alive
Keep-Alive: timeout=3600, max=5000
Content-Length: 1996
Content-Type: text/plain
OSP message (XML body; only the element values survive):
2005-05-12T18:32:59Z
4785098287068543017
MTExNTkxOTE3Ny45
Called Number
[IP Address:Port]

30 OSP Message Example (cont.)
OSP message values, with the annotations from the slide:
2005-05-12T18:32:59Z
4785098287068543017 – unique transaction ID per call
MTExNTkxOTE3Ny45 – call ID from source device
Called Number – called number may be translated
[IP Address: Port] – IP address of called number
14400 s – call authorized for 14400 seconds
2005-05-12T18:27:59Z to 2005-05-12T18:37:59Z – call authorized to start in a 10 minute window
sip – protocol may be SIP, H323, IAX, …
Calling Number
Token (base64, truncated on the slide): Vj0xCnI9MjE2NTUKYz0KQz03Nzc3Nzc3Nzc3Cmk9TVRFeE5Ua3hPVEUzTnk0NQphPT IwMDUtMDUtMTJUMTg6Mjc6NTlaCnU9MjAwNS0wNS0xMlQxODozNzo1OVoKST00Nz – digital signature of the token ensures non-repudiation

31 Open Source Tools
www.SIPfoundry.org
o OSP Toolkit (client)
o OpenOSP Server (based on Apache)
o RAMS OSP Server
www.Asterisk.org
o Asterisk includes OSP client
OSP Module for SIP Express Router
o http://osp-module.berlios.de
www.voxgratia.org
o OSP enabled H323 proxy (future support for SIP)
www.TransNexus.com
o OSPrey – free OSP server

