SIP DNS
SIP Authentication
SIP Peering
SIP Workshop, APAN Tokyo Japan, 22 January 2005
By Stephen Kingham, mailto:[email protected]
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Copyright [email protected] 2006
©Stephen [email protected]
Outline and Objectives
• Demonstrations
• DNS
• Authentication
• Routing
• ENUM
• Security
• QoS
SIP is PBX/Centrex ready
(from Rohan Mahy's VON Fall 2003 talk, courtesy of Quincy Wu)

Centrex-style features:
  call waiting/multiple calls: RFC 3261
  hold: RFC 3264
  transfer: RFC 3515/Replaces
  conference: RFC 3261/callee caps
  message waiting: message summary package
  call forward: RFC 3261
  call park: RFC 3515/Replaces
  call pickup: Replaces
  do not disturb: RFC 3261
  call blast: RFC 3261
  simultaneous ringing (forking): RFC 3261

Boss/admin features:
  basic shared lines: dialog/reg. package
  barge-in: Join
  “Take”: Replaces
  shared-line “privacy”: dialog package

Attendant features:
  divert to admin: RFC 3261
  intercom: URI convention
  auto attendant: RFC 3261/2833
  attendant console: dialog package
  night service: RFC 3261
SIP “PROXY” Server call flow
[Diagram: two SIP UAs, a SIP Proxy Server, a SIP Location Server and DNS at Flinders University. Call control runs UA to Proxy Server to UA; audio and video run directly between the UAs as RTP over UDP.]
SIP “REDIRECT” Server call flow
[Diagram: two SIP UAs, a SIP Redirect Server, a SIP Location Server and DNS at Flinders University. After the redirect, call control runs directly between the UAs; audio and video run between the UAs as RTP over UDP.]
SIP and DNS
• DNS is integral to SIP routing.
• DNS is used to find a priority list of SIP servers for a domain, using SIP-specific SRV records in the DNS.
  – Just like MX records in DNS for mail.
• So it turns out it is easy to have backup servers in SIP.
• Good description found on the MIT Internet2 sip.edu project cookbook: http://mit.edu/sip/sip.edu/dns.shtml
SIP and DNS
• Specific SRV records added to your DNS for SIP, eg:

  IN A 192.94.63.28
  ;If we place the SRV record above the next line it fails to load
  $ORIGIN aarnet.edu.au.
  _sip._udp SRV 0 1 5060 ser.yarralumla.aarnet.edu.au.
  _sip._udp SRV 1 1 5060 ser.nsw.aarnet.edu.au.
  ser.yarralumla.aarnet.edu.au. IN A 192.94.63.28
  ser.nsw.aarnet.edu.au. IN A 138.44.16.90
SIP and DNS TEST
• On a unix host use the dig command:

  dig -t SRV _sip._udp.aarnet.edu.au

• You should get a response that has this in it:

  ;; QUESTION SECTION:
  ;_sip._udp.aarnet.edu.au. IN SRV

  ;; ANSWER SECTION:
  _sip._udp.aarnet.edu.au. 333 IN SRV 1 1 5060 ser.yarralumla.aarnet.edu.au.
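As an added example, not from the slides: a small Python routine that parses dig-style SRV answer lines and orders the targets the way a SIP client must try them (RFC 2782: lowest priority first, weighted random choice within one priority), which is what makes the backup server in the zone above a backup rather than an alternative. The two answer lines are constructed from that aarnet.edu.au zone, not captured from a live query.

```python
import random
from dataclasses import dataclass

# Constructed dig-style ANSWER lines for the aarnet.edu.au zone shown above
# (priority 0 at yarralumla, priority 1 backup in nsw); not a live query.
DIG_ANSWER = """
_sip._udp.aarnet.edu.au. 333 IN SRV 0 1 5060 ser.yarralumla.aarnet.edu.au.
_sip._udp.aarnet.edu.au. 333 IN SRV 1 1 5060 ser.nsw.aarnet.edu.au.
"""


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_dig_srv(text):
    """Parse SRV lines as dig prints them in its ANSWER SECTION."""
    records = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) != 8 or f[2] != "IN" or f[3] != "SRV":
            raise ValueError(f"not an SRV answer line: {line!r}")
        records.append(SrvRecord(int(f[4]), int(f[5]), int(f[6]), f[7].rstrip(".")))
    return records


def failover_order(records, rng=None):
    """Order targets the way RFC 2782 tells a SIP client to try them:
    lowest priority first; within one priority a weighted random choice,
    so a target with weight 0 is only used when every other weight is 0."""
    rng = rng or random.Random()
    order = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = bucket[0]
            if total > 0:
                n = rng.randint(0, total - 1)   # a point in [0, total)
                running = 0
                for r in bucket:
                    running += r.weight
                    if n < running:
                        pick = r
                        break
            order.append((pick.target, pick.port))
            bucket.remove(pick)
    return order


if __name__ == "__main__":
    for host, port in failover_order(parse_dig_srv(DIG_ANSWER)):
        print(f"try {host}:{port}")
```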
Outline and Objectives
• SIP Authentication: Who are you?
• SIP Authorisation: What are you allowed to do?
• SIP Presence and Instant Messaging (the SIMPLE protocol): I am available! Buddy lists.
Authentication in SIP
• Both ends must know the same secret password (key).
• The password is used to encrypt certain information such as the user’s password.
• Originated from HTTP (WWW) and often called HTTP digest, Digest Authentication is described by RFC 2671.
• RFC 3261 (SIP) describes how Digest Authentication is applied to SIP.
SIP REGISTER with Digest Authentication
UA -> Proxy Server: REGISTER [email protected] (without credentials)
Proxy Server -> UA: 407 Proxy Authentication Required
(UA asks user for a password)
UA -> Proxy Server: REGISTER [email protected] (password encrypted with key)
Proxy Server -> UA: 200 OK
SIP INVITE with Digest Authentication
UA -> Proxy Server: INVITE [email protected] (without credentials)
Proxy Server -> UA: 407 Proxy Authentication Required
UA -> Proxy Server: ACK
(UA asks user for a password)
UA -> Proxy Server: INVITE [email protected] (with encrypted password)
Proxy Server -> UA: 100 TRYING
Proxy Server -> called UA: INVITE [email protected] (password removed)
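An added example (not from the slides) of the challenge and response behind the two flows above, in Python: the UA answers the 407 with an MD5 digest over username, realm, password, nonce, method and request URI, and the proxy recomputes it from its own copy of the password, so the password itself is never on the wire. The realm, the user list and the nonce format are constructed for the example.

```python
import hashlib
import secrets

# Constructed credentials for the example (a real proxy reads its subscriber DB).
USERS = {"stephen.kingham": "example-password"}
REALM = "aarnet.edu.au"


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """'response' parameter of the UA's Proxy-Authorization header (HTTP Digest
    as RFC 3261 applies it to SIP, no qop). The password itself never leaves the UA."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class ProxyAuthenticator:
    """The proxy side of the REGISTER / INVITE flows above."""

    def __init__(self, realm, users):
        self.realm, self.users, self.live_nonces = realm, users, set()

    def challenge(self):
        """407 Proxy Authentication Required carrying a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return 407, f'Digest realm="{self.realm}", nonce="{nonce}"'

    def verify(self, username, method, uri, nonce, response):
        """200 if the digest matches our copy of the password, else 407.
        A nonce is accepted once, so a captured response cannot be replayed."""
        if nonce not in self.live_nonces:
            return 407
        self.live_nonces.discard(nonce)
        password = self.users.get(username)
        if password is None:
            return 407
        expected = digest_response(username, self.realm, password, method, uri, nonce)
        return 200 if secrets.compare_digest(expected, response) else 407


def register_flow(proxy, username, password, uri="sip:aarnet.edu.au"):
    """Walk the REGISTER flow: the attempt without credentials is challenged,
    the retry carries the digest. Returns the two status codes the UA sees."""
    status, header = proxy.challenge()  # REGISTER without credentials -> 407
    nonce = header.split('nonce="')[1].rstrip('"')
    resp = digest_response(username, proxy.realm, password, "REGISTER", uri, nonce)
    return [status, proxy.verify(username, "REGISTER", uri, nonce, resp)]
```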
Protect Gateways from un-authorised use
• Use a Proxy Server in front of your Gateways, turn on Record Route so ALL SIP control is via the Proxy.
• Configure gateways so that they only respond to SIP from your SIP Proxy.
  – Filter TCP and UDP traffic to port 5060 on the Gateway.
  – Also do the same for H.323, TCP traffic to port 1720 on the gateway.
[Diagram: SIP UA to SIP Proxy (Record Route; processes authentication and authorisation as required) to PSTN Gateway.]
Secure SIP
• SIPS, a close cousin of SIP, is a good and low cost means of encryption soon to be widely deployed. It specifies TLS (transport layer security) over TCP, is not subject to bid-down attacks and is the same technology used for SSL. This means a SIPS call will fail rather than complete insecurely.
• OpenSER now supports TLS.
• Microsoft Messenger supports TLS.
Two interesting drafts (related to SPAM and SPIT)
• http://www.ietf.org/internet-drafts/draft-ietf-sip-identity-03.txt
  Abstract: The existing security mechanisms in the Session Initiation Protocol are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document recommends practices and conventions for identifying end users in SIP messages, and proposes a way to distribute cryptographically-secure authenticated identities.
• http://www.ietf.org/internet-drafts/draft-peterson-message-identity-00.txt
  This document provides an overview of the concept of identity in Internet messaging systems as a means of preventing impersonation. It describes the architectural roles necessary to provide identity, and details some approaches to the generation of identity assertions and the transmission of such assertions within messages. The trade-offs of various design decisions are explained.
SIP FORKING (native to SIP)
[Diagram: someone calls 02 6222 3575; the SIP Proxy Server forks the call to a SIP UA, a PABX, Voice Mail and two Voice Gateways to PSTN carriers.]
Never need to forward phones to other phones again!!!!
This is a big mindset change for the user.
SIP Forking: Introduction
SIP natively does forking: make several phones and UAs ring all at the same time.
The SIP Server receives an INVITE, and generates many INVITEs to all the phones the user has defined.
In “SER” that is done by creating static entries in the “location” database with this command:
  serctl ul add Stephen.Kingham sip:[email protected]
You may want to add entries to the alias table to point telephone numbers to a user:
  serctl alias add +61262223575 sip:[email protected]
Presence and Instant Messaging
• SIP is not just Voice and Video, it also has Presence and Instant Messaging.
Case Study from Edith Cowan University
• SIP enabled their core.
• SIP integrated Voice, PABX, Room based Video, Desktop Video, mobile SIP phones on campus, Instant Messaging and Presence.
• Unexpected demand was the Presence and Instant Messaging.
Source: APAN 2005 and Questnet 2005, Steve Johnson Manager IT Infrastructure ECU May 2005
Case Study from Edith Cowan University
Source: APAN 2005 and Questnet 2005, Steve Johnson Manager IT Infrastructure Edith Cowan Uni May 2005
[Network diagram: Ericsson PABX (2 x E1) with digital and analogue legacy phone users; an Asterisk server and SIP proxies; a Jasomi device in the DMZ between external and internal virtual firewalls and NAT devices; Microsoft Live Communications Server (front end server and home servers) for Windows Messenger users; Radvision iVIEW network manager, ECS/VCS gatekeeper, INVISION MCU and H.320 to H.323 gateway; Mirial H.323 (or SIP) video endpoints; SIP phone and soft phone users on the ECU 802.11 wireless network; ADSL home users, external legacy phone users and external H.320 ISDN video endpoints reached via the Internet, a service provider NAT and the PSTN.]
The “SIMPLE” protocol for presence
• SUBSCRIBE
• NOTIFY
• SER Presence module, ref to Internet2 PIC Working Group.
SIP History
                     H.323                SIP
Body                 ITU-T protocol       IETF protocol
Date                 May 1995             Became “proposed standard” in March 1999
Group                Study Group 16       Working Groups: SIP, SIPPING, and SIMPLE
Current version      Now V.5              Now RFC 3261
from Quincy Wu’s talk, http://www.apan.net Cairns 2004
H323-SIP Comparison of Components
                     H.323                SIP
End Station          Terminal             SIP UA
Network Server       Gatekeeper           Registrar, Redirect Server, Proxy Server
MCU                  MCU                  Conference Server
PSTN Gateway         PSTN Gateway         PSTN Gateway
from Quincy Wu’s talk, http://www.apan.net Cairns 2004
H323-SIP Comparison of Protocols
                          H.323            SIP
Signaling                 RAS/Q.931        SIP
Capacity Negotiation      H.245            SDP
Codecs                    Any              Any
Real-time Communication   RTP/RTCP         RTP/RTCP
from Quincy Wu’s talk, http://www.apan.net Cairns 2004
H323-SIP Comparison of Protocols (cont.)
                          H.323                      SIP
Message Encoding          Binary                     ASCII
Transport                 UDP and TCP, mostly TCP    UDP and TCP, mostly UDP
Data Conference           T.120                      (none)
Instant Message           (none)                     RFC 3428
Inter-Domain Routing      Annex G                    DNS
from Quincy Wu’s talk, http://www.apan.net Cairns 2004
IP Phones: VLAN, POE, QoS
• Put IP phones into a separate VLAN.
• IP Phones need power. Either from a power pack, or from the Ethernet switch using POE (Power Over Ethernet).
• Put “power fail” phones in strategic locations; these phones are analogue phones connected to an ATA (Analogue Telephone Adaptor) which is powered with a PABX grade UPS.
• QoS: The LAN must police the use of QoS at the “edge” (as close as possible to the users). Only VLANs with IP Phones (VoIP) can have DSCP = 46 (ToS=5). All other traffic should be marked with DSCP=0.
Quality of Service
• Only relevant for IP Telephony and VoIP to replace an existing Telephone Service such as a PABX, or some home situations.
• At the outgoing edge:
  – Classify the traffic (Voice, Data, Video, ..)
  – Mark the traffic (DSCP)
  – Shape (how much everyone should have)
• At the incoming edge:
  – Police incoming traffic from the outside (make sure it is within contract)
• Configure WAN routers to prioritise.
[Diagram: a PBX with VoIP gateway, an H.323 terminal and an IP telephone each sit behind an ingress router that polices QoS; the core network does QoS queueing only; a VoIP gateway connects to the public telephone carrier.]
WAN QoS: AARNet3 hands policy control back to University
VoIP Monitor used in AARNet
– Distributed monitoring WITH
– Feeds QoS availability into VoIP routing. If a user wants QoS and the monitoring indicates that QoS is not working then the call gets a “congestion” message.
– See http://noc.aarnet.edu.au points to http://lattice.act.aarnet.net.au/VoIPMonitor/
[Diagram: test probes at each POP and at member sites.]
AARNet SIP & H.323 network
[Diagram: QoS Monitor with QoS admission control; SIP & H.323 MCU; SIP Server that translates telephone numbers to IP addresses; SIP b2bua; SIP UAs (IP Telephones); SIP & H323 voice and video gateways to PABXs and an ISDN carrier; connections to other advanced IP networks and to the AARNet Internet with QoS bandwidth.]
Other relevant talks at APAN Tokyo 2006
• Monday 23 Jan
  – SIP User Agents Configuration and Fault Finding. Speaker: Quincy Wu
  – SER Configuration and SIP Peering including ENUM. Speaker: Stephen Kingham
  – From Taiwan: SIP Mobility in IPV4/IPV6 Network. Speaker:
  – Using Radius and LDAP with SER SIP Proxy for user Authentication. Speaker: Nimal Ratnayake
• 9:30 Wednesday 25 Jan
  – Global SIP Dialling Plans (Ben Teitelbaum and Dennis Barron)
• 16:00 Wednesday 25 Jan
  – APAN SIP-H.323 Working Group BoF
SIP Routing and VoIP Peering
SIP Workshop, APAN Tokyo Japan, 22 January 2005
By Stephen Kingham, mailto:[email protected]
Routing Telephone numbers!
• WWW and email work by using the Domain Name Service (DNS).
  – DNS turns human addresses into Internet addresses,
  – DNS on its own is very uninteresting or useful!
• The ENUM standard teaches DNS about Telephone numbers!
  – VoIP users can discover that they can make VoIP calls to a number without routing it first to the PSTN!
  – Traditional Carriers around the world do not like ENUM.
Join the ACMA’s ENUM Trial, ref: enum.edu.au
International H.323 routing of Telephone numbers
• Uses a common dial-plan called the Global Dialling Scheme (GDS), based on E.164 with 00 in front. AARNet runs one of the four International Root Gatekeepers. Although in Australia we use the International dialplan. http://www.aarnet.edu.au/engineering/projects/voip/gds/
• 27 Country Gatekeepers.
• More than 156 advanced voice and video networks.
• A community of Higher Education, some industry, K-12 and Research Organisations.
• Enabler for international and national collaboration.
• Plans to migrate to DNS (ENUM) Routing.
H.323 routing (all static configuration)
[Diagram of the gatekeeper hierarchy: International Roots / World Gatekeeper (multiple resilient gatekeepers distributed across the world); 27 National Gatekeepers, single or resilient cluster (e.g. Australian Root, UK Root, Nth America Root); 156+ Organisation Gatekeepers, single or resilient cluster (e.g. ACU, USQ); endpoints register to the organisation’s gatekeepers.]
SIP.edu Architecture (Phase 1)
Dennis Baron, June 5, 2005
[Diagram: a SIP User Agent sends INVITE (sip:[email protected]); the bigu.edu SIP Proxy is found by a DNS SRV query (sip.udp.bigu.edu); the proxy asks the Campus Directory for telephoneNumber where mail=”bob” and 12345 is returned; it sends INVITE (sip:[email protected]) to the SIP-PBX Gateway, which reaches Bob's Phone on the PBX over PRI / CAS.]
Links the sip address to a plain old telephone. Cheap and easy to do.
Hear from Dennis at APAN Tokyo 2006 on Wednesday morning.
SIP.edu Reachable Users
Dennis Baron, June 5, 2005
SIP Addressing in the future will be the preferred address, in addition to Telephone numbers
A. G. Bell did not say: “+61-2-6222 3575, come here. I need you!”
I will prefer to call people using sip:[email protected]. In the next year you will see this on the bottom of email footers and on business cards of Australian Universities.
© Ben Teitelbaum @ Internet2
Source Ben [email protected]
Hear from Ben at APAN Tokyo 2006 on Wednesday morning.
SIP and E.164 routing
• Remember H.323 is static routing for everything.
• SIP can use the existing DNS to find people: sip:[email protected], or variations of E.164 plus domain: sip:[email protected]
• Dial a number on a UA, eg 3575 = 3575@local domain.
• With SIP we still need to have static routing just like H.323……. BUT WAIT…..
• TRIP (rfc 3219) does for telephone numbers what BGP does for the entire Internet. Dynamic routing.
• and ENUM (rfc 2916) uses the DNS to find the full SIP address using a telephone number. ACA might have ENUM Tier 1 into Australia soon http://www.aca.gov.au/telcomm/telephone_numbering/enum_nsg2/.
Peering SIP Networks
• Easy to peer using sip addresses with domain name. Everyone can call [email protected], or even [email protected]
• But routing E.164 (telephone) numbers is much harder.
  – ENUM
  – ISN/ITAD
  – TRIP
SIP peering using sip: address
[Diagram: the same call flow as the SIP “REDIRECT” Server slide: two SIP UAs, a SIP Redirect Server, a SIP Location Server and DNS at Flinders University; call control between the UAs, audio and video between the UAs as RTP over UDP.]
ENUM (SIP and H.323 Routing)
[Diagram: a call to 02 6222 3575 is looked up in the DNS (ENUM lookup of +61 2 6222 3575) and routed across the VoIP network instead of the telephone network.]
SIP and TRIP (Telephone Routing over IP)
• TRIP (rfc 3219 not passed) does for telephone numbers what BGP does for the entire Internet. Dynamic routing by advertisement!
• More research and experimentation needed here.
  – for example perhaps a simpler form of TRIP (STRIP?) by encapsulating in MIME and sending it using SIP? [Source: Discussions between Randy Bush, Andrew Rutherford and Stephen Kingham 3 Feb 2004].
• But look at ITAD and ISN from Internet2 Working Group. Hear from Ben and Dennis on Wednesday morning at APAN Tokyo 2006.
VoIP routing using ENUM
[Diagram: a forked SIP call: the SIP server queries the “ENUM” DNS server and forks the call to two SIP servers and two gateways.]
Adapted from: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM 8 Feb 2002 Geneva
ENUM in a nutshell
• take phone number +46 86859131
• turn into domain name 1.3.1.9.5.8.6.8.6.4.e164.arpa.
• ask the DNS
• return list of URI’s (NAPTR records): sip:[email protected], mailto:[email protected]
Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM 8 Feb 2002 Geneva
Today, many addresses:
tel:+61 2 6222 3535
mailto:[email protected]
tel:+61 2 6222 3575

With ENUM, only one: hand out the ENUM enabled number +61 2 6222 3575.
ENUM returns all of these for the caller to choose from:
tel:+61 2 6222 3535
mailto:[email protected]
tel:+61 2 6222 3575
Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM 8 Feb 2002 Geneva