sip security in ip telephony
DESCRIPTION
Presented by: Muhammad Yeasir Arafat, ElastixWorld 2013
Today, the session initiation protocol (SIP) is the predominant protocol for IP Telephony Signalling. The intention of this paper is to present an overview of IP Telephony security issues - both current and future - focusing on SIP. We start by presenting some fundamental differences between IP Telephony and the public switched telephone network (PSTN). We then look at specific problems for SIP signalling that arise from these differences. We summarize current activities regarding SIP security, including recent developments in the research community and standardization efforts within the IETF. Finally, the paper gives an outlook on the security issues of IP Telephony. Download paper at: http://elx.ec/ssiipt
TRANSCRIPT
INTRODUCTION
• Session Initiation Protocol (SIP) is defined in a Request for Comments
(RFC) of the Internet Engineering Task Force (IETF)
• First standardized in March 1999 in RFC 2543 (now obsolete)
• A second version followed in 2002 in RFC 3261
INTRODUCTION
• Today, the session initiation protocol (SIP) is the predominant
protocol for IP Telephony Signalling. This paper addresses IP
Telephony security issues - both current and future – focusing
on SIP.
• We summarize current activities regarding SIP security,
including recent developments in the research community
and standardization efforts within the IETF.
SIP OVERVIEW (1)
• ASCII-based signaling protocol
• Analogous to HTTP messages, SIP is a text-based protocol.
• Works independently of the underlying network transport
protocol and is indifferent to the media being carried
SIP OVERVIEW (1)
It provides mechanisms to:
• Establish a session
• Maintain a session
• Modify and Terminate a session
• Session Initiation Protocol (SIP) is an application layer protocol, which is
used to establish, maintain and terminate multimedia sessions.
• These sessions may include voice, video and instant messaging.
SIP Components
A system using SIP can be viewed in two dimensions:
• Client/Server
• Individual Network Elements
SIP Components
Client: A client is any network element that sends SIP
requests and receives SIP responses.
Server: A server is a network element that receives requests
in order to service them and sends back responses to those
requests.
• Examples of servers: proxies, user agent servers, redirect
servers, and registrars.
SIP Components (2)
The two general categories of SIP components are:
User Agent (UA): resides in every SIP end station
SIP Servers
SIP Components (2)
User Agent (UA)
Has two roles:
SIP User Agent Client (UAC): issues SIP requests.
SIP User Agent Server (UAS): receives SIP requests and
generates a response that accepts, rejects, or redirects the
request.
SIP Components (2)
SIP Servers
• Proxy Server: The proxy server is an intermediary entity that acts as both a server and a
client for the purpose of making requests on behalf of other clients. A proxy server primarily
plays a routing role, meaning that its job is to ensure that a request is sent to another
entity closer to the targeted user.
• Redirect Server: Used during session initiation; it determines the address of the called device
and returns this information to the calling device.
• Registrar Server: A registrar is a server that accepts REGISTER requests and places the
information it receives in those requests (the SIP address and associated IP address of the
registering device) into the location service for the domain it handles.
SIP Functions
Scalability
Functionality such as proxying, redirection, location, or registration can
reside in different physical servers.
Distributed functionality allows new processes to be added without
affecting other components.
Interoperability
An open standard
Any vendor can implement it to communicate with other SIP-based products
SIP Functions (2)
Mobility
• Supports user mobility by proxying and redirecting requests to a
user’s current location.
• The user can be using a PC at work, PC at home, wireless phone, IP
phone, or regular phone.
• Users must register their current location.
• Proxy servers will forward calls to the user’s current location.
• Example mobility applications include presence and call forking.
RELATED PROTOCOL
[Protocol stack figure: SIP and SDP run over TCP or UDP on IPv4 / IPv6; shown alongside are MGCP, RTSP, RTCP, RTP and RSVP, labelled under signaling, gateway control and QoS]
SIP CAPABILITIES
• Determine location of target end points – supports address resolution, name mapping, call redirection
• Determine media capabilities – SIP uses the Session Description Protocol (SDP) for this
• Determine availability – returns a message explaining why the remote party cannot be contacted
• Establish a session between end points – also supports mid-call changes, such as changes of media characteristics or codec
• Handles termination of calls – transfer of calls
• Permits interaction between devices via signalling messages
SIP CAPABILITIES
• INVITE: invite a user to join a call
• ACK: confirm that a client has received a final response to an INVITE
• BYE: terminates the call between two of the users on a call
• OPTIONS: request information on the capabilities of a server
• CANCEL: ends a pending request, but does not end the call
• REGISTER: provides the address-resolution mapping that lets the server know the location of users
Status Codes
1xx Informational
• 100 Trying
• 180 Ringing (ringing tone played locally)
• 181 Call is Being Forwarded
• 182 Queued
• 183 Session Progress
2xx Success
• 200 OK
3xx Redirection
• 300 Multiple Choices
• 301 Moved Permanently
• 302 Moved Temporarily
• 380 Alternative Server
4xx Client Error
• 400 Bad Request
• 401 Unauthorized
• 403 Forbidden
• 404 Not Found
• 405 Bad Method
• 415 Unsupported Content
• 420 Bad Extensions
• 482 Loop Detected
• 486 Busy Here
5xx Server Failure
• 500 Server Internal Error
• 501 Not Implemented
• 503 Unavailable
• 504 Timeout
6xx Global Failure
• 600 Busy Everywhere
• 603 Decline
• 604 Doesn't Exist
• 606 Not Acceptable
SIP Basic Call Setup
SIP Headers
• Session Initiation Protocol (RFC3261) for call signaling
• Header format is similar to HTTPS
• UDP Port 5060 used (recommended)
• TCP is also allowed (required for SIPS)
• Responsible for connection setup and release: INVITE, OK, ACK, BYE, CANCEL
• Registration service for mobile user agents: REGISTER
• Uses DNS for routing (RFC 3263)
SIP Headers
• Session Description Protocol (RFC 2327) for parameter exchange
• Carried in the body of SIP messages
• Looks (a little bit) like the sendmail mail queue format
• Contact address (IP address, port #): c=IN IP4 172.16.1.127
• Codec list: m=audio 7078 RTP/AVP 8 0 2 102 100 97 101
• (Master) key for SRTP: k=clear:geheim
SIP Headers (2)
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:[email protected]:6256>
To: <sip:[email protected]>
From: "09611301525"<sip:[email protected]>;tag=015ccc4a
Call-ID: NGY1OGQ4NDI0OGMzMTI4MTNhY2M1ZTRkYzVlMDliMDU.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
Content-Type: application/sdp
Supported: replaces
User-Agent: PortGo v6.8, Build 07112011
Content-Length: 474
Breakdown of Header
INVITE sip:[email protected] SIP/2.0
• INVITE: message type
• sip:... : address of the called party
• SIP/2.0: SIP version used by the caller
• A semicolon indicates the start of URI parameters, e.g. user=phone indicates the call is for a phone number and not a SIP IP address
Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1---d8754z-;rport
• Via: history of the message's path through the network(s)
• Helps to prevent looping and ensures replies route back to the originator
• Indicates the transport protocol, IP address and port of the sender
SDP Headers
• Describes components of communication channel under negotiation
• Includes information about :
– Codecs
– Ports
– Streaming protocols
• Usually sent with INVITE and 200 OK in SIP based devices
• Describes how the data stream is going to be carried via the Real-time Transport Protocol (RTP, RFC 1889)
SIP & SDP Header Analysis
For INVITE sip:[email protected] SIP/2.0 the full message (captured from 202.4.100.35:6256 to 202.4.97.11:5060) looks like this:
INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:[email protected]:6256>
To: <sip:[email protected]>
From: "09611301525"<sip:[email protected]>;tag=015ccc4a
Call-ID: NGY1OGQ4NDI0OGMzMTI4MTNhY2M1ZTRkYzVlMDliMDU.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
Content-Type: application/sdp
Supported: replaces
User-Agent: PortGo v6.8, Build 07112011
Content-Length: 474

v=0
o=- 59935706 59935706 IN IP4 172.16.1.127
s=http://www.portsip.com
c=IN IP4 172.16.1.127
t=0 0
m=audio 21006 RTP/AVP 8 0 3 121 100 9 97 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:121 G7221/16000
a=rtpmap:100 SPEEX/16000
a=rtpmap:9 G722/8000
a=rtpmap:97 iLBC/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=sendrecv
m=video 40180 RTP/AVP 34
a=rtpmap:34 H263/90000
a=fmtp:34 CIF=1 QCIF=1
a=sendrecv
Security Attacks
Signaling Layer Attacks
• SIP Registration Hijacking: an attacker impersonates a valid UA to the registrar, registering himself as that user agent, so the attacker receives calls intended for the valid user.
• Impersonating a Server: an attacker impersonates a remote server, so user agent requests are served by the attacker's machine.
Security Attacks
Signaling Layer Attacks
• SIP Message Modification: if an attacker launches a man-in-the-middle attack and modifies a message, the attacker could lead the caller to connect to a malicious system.
• SIP CANCEL / SIP BYE attack
• SIP DoS attack: the attacker creates bogus requests that contain a fake source IP address, with the Via field in the SIP header carrying the identity of the target host, so that the responses are reflected onto that target.
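The standard defence against the spoofed-Via scenario above is for the receiving server to trust the packet's real source rather than the Via header. The following added example (not part of the slides) implements the RFC 3261 section 18.2.1 received= parameter and the RFC 3581 rport handling, so responses go back to where the request actually came from; it assumes UDP transport and an IPv4 or hostname sent-by, and its sample values are constructed from the capture shown earlier.

```python
import re

def route_response(via: str, src_ip: str, src_port: int) -> tuple:
    """Rewrite the top Via of a received request and decide where responses go.
    Returns (rewritten Via, destination IP, destination port)."""
    m = re.fullmatch(r"SIP/2\.0/(\w+) ([^;\s]+)((?:;[^;]+)*)", via)
    if not m:
        raise ValueError(f"unparseable Via: {via!r}")
    transport, sentby, params = m.groups()
    host, _, port = sentby.partition(":")       # IPv4 or hostname sent-by only
    port = int(port) if port else 5060          # RFC 3261 default port
    plist = [p for p in params.split(";") if p]
    # RFC 3261 18.2.1: sent-by is attacker-controlled text. If it differs from
    # the packet's real source, record the real source in a received= parameter.
    if host != src_ip:
        plist = [p for p in plist if not p.startswith("received=")]
        plist.append(f"received={src_ip}")
    # RFC 3581: an empty rport asks the server to fill in the real source port.
    # Overwriting a client-supplied rport value is a deliberate hardening choice.
    if any(p == "rport" or p.startswith("rport=") for p in plist):
        plist = [p for p in plist if p.split("=")[0] != "rport"]
        plist.append(f"rport={src_port}")
    rewritten = f"SIP/2.0/{transport} {sentby}" + "".join(";" + p for p in plist)
    # RFC 3261 18.2.2 / RFC 3581 section 4: responses go to received= (if present)
    # and rport= (if present), never to a bare spoofed sent-by address.
    dest_ip = next((p[9:] for p in plist if p.startswith("received=")), host)
    dest_port = next((int(p[6:]) for p in plist if p.startswith("rport=")), port)
    return rewritten, dest_ip, dest_port

if __name__ == "__main__":
    # The page's INVITE: Via claims 172.16.1.127 but the packet came from 202.4.100.35.
    print(route_response("SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z;rport",
                         "202.4.100.35", 6256))
```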
Security Solutions
There are two types of security solutions:
End-to-end security:
• SIP end points can ensure end-to-end security for those message parts a proxy does not need to read; for example, SDP bodies can be protected using S/MIME.
• Media is transferred directly between the end points, so end-to-end media security is achieved with SRTP.
Hop-by-hop security:
• TLS, IPsec.
SIP Security Mechanisms
The SIP standard, as specified in RFC 3261, includes several security mechanisms:
• S/MIME: Because SIP uses MIME for message bodies, S/MIME can be used to send authenticated and encrypted messages between user agents.
• Digest Authentication: SIP entities sharing a secret (e.g. a password) can authenticate each other with a challenge-response mechanism.
• TLS & IPsec: Hop-by-hop security for SIP signaling can be achieved either on the transport layer (TLS) or on the network layer (IPsec).
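The Digest challenge-response just listed is the countermeasure to the registration hijacking described earlier: a registrar that challenges every REGISTER with a fresh nonce and verifies the response cannot be fooled by a forged Contact alone. The following added example (not the project's or the paper's own code) shows both sides of that exchange as RFC 3261 specifies it, with MD5 because that is what the SIP Digest scheme defines; the realm, user and password are constructed.

```python
import hashlib
import secrets

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, cnonce, nc, qop="auth"):
    """Client side (RFC 3261 22.4 / RFC 2617): MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class Registrar:
    """Server side: issues nonces in 401 challenges and checks the Authorization
    header on the retried REGISTER. The credential store is a constructed dict."""
    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.credentials = credentials   # user -> password (store HA1 in real deployments)
        self.issued = set()              # nonces that may still be used

    def challenge(self) -> dict:
        """The 401 Unauthorized: a fresh, unpredictable nonce for every attempt."""
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, auth: dict) -> bool:
        """Accept only a nonce we issued, a known user and a matching response.
        Single-use nonces (a hardening choice beyond RFC 2617's nonce-count check)
        mean a captured Authorization header cannot simply be replayed."""
        nonce = auth.get("nonce")
        if nonce not in self.issued or auth.get("realm") != self.realm:
            return False
        self.issued.discard(nonce)
        password = self.credentials.get(auth.get("username"))
        if password is None:
            return False
        expected = digest_response(auth["username"], self.realm, password, method,
                                   auth.get("uri", ""), nonce, auth.get("cnonce", ""),
                                   auth.get("nc", ""), auth.get("qop", "auth"))
        # Constant-time comparison so timing does not leak how much of the hash matched.
        return secrets.compare_digest(expected.encode(), str(auth.get("response", "")).encode())
```

Because the method is hashed into HA2, an Authorization header captured from a REGISTER cannot be reused on an INVITE, and because the nonce is consumed it cannot be reused at all.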
SIP-Secure over TLS
• SIPS is like HTTPS: it is set on top of TCP only
• Signaling over a sips URI: sips:[email protected];transport=tcp demands TLS along the (signaling) path
• Server authentication via certificate
• Client authentication (mostly) via username/digest
• Client authentication via certificate is possible
• Only hop-by-hop security
S/MIME − secure SDP
• Data format based on S/MIME mail
• Encryption of the SDP portion of the SIP message
• End-to-end or hop-by-hop allowed: tunneled (and S/MIME encrypted) SDP is also allowed
• Supports UDP or TCP: TCP is recommended because of UDP fragmentation
CONCLUSION
SIP is a protocol that does not have any built-in security, which makes it more vulnerable to common VoIP attacks. In this treatment of SIP security threats and countermeasures, the SIP secure model is designed to provide security mechanisms by following best practices for securing a SIP-based VoIP system.
CONCLUSION
The intention of this paper has been to present an overview of important challenges and current activities on SIP security.
SIP is used to initiate IP Telephony communications. Thus, SIP security will remain an active and interesting research area in the near future.
THANK YOU
Muhammad Yeasir Arafat
Systems Engineer
Email: [email protected]
Dhakacom Limited
Dhaka, Bangladesh