VoIP – what is possible? (decus.de)
IT-Symposium 2007, 19.04.2007
www.it-symposium2007.de
© 2007 Verizon. All Rights Reserved. PTEXXXXX XX/07
global capability. personal accountability.
VoIP – what is possible?
3B07 - Which different scenarios are possible when deploying VoIP (IP PBX, IP Centrex, etc.)
Andreas Aurand, Sales Engineer, April 19th, 2007
Verizon Communications Inc.
Revenue
• 2006 Revenue: $88.1 billion (+26.8% compared to 2005)
• World’s second biggest telecommunications provider*
• 50th on Fortune Global 500
Profit
• One of the world’s most profitable telecommunications providers*
• 36th on Fortune Global 500
* Source: Fortune Global 500, CNN Money, 2006
About Verizon
Verizon Business
• Customers include 94% of the Fortune 500
• Over 30,000 employees
• Operations in 75 countries
• Customers in 2,700 cities in 152 countries
• Most expansive IP network worldwide (based upon PoPs)
• Most connected backbone according to TeleGeography
About Verizon
Verizon Business’ Portfolio
Managed Network Services
WAN Management
Professional Services
LAN Management Managed Telephony
CPE
Agenda
• SIP Signalling
• VoIP Services
• VoIP Security
• Unified Messaging
• Verizon Business VoIP solutions
SIP Signalling
Traditional Voice Services - Circuit Switched
PBX
Signaling
• QSIG
• ISDN PRI
• …
Signalling between phone and PBX or telephone switch
• Digital: ISDN BRI - Q.931
• Analogue: E&M, Loop Start, Ground Start
Signaling between PBX and CO
• ISDN PRI - Q.931 (digital)
• analog (usually obsolete)
Signaling (using a separate network)
• SS7 (digital)
Voice circuit
• analogue: dedicated circuit
• digital: fixed TDM slot
VoIP Services – Packet Switched
PBX
Signaling
• QSIG
• ISDN PRI
• E&M
Signaling between phone and PBX
• Digital: ISDN BRI - Q.931
• Analogue: E&M, Loop Start, Ground Start
IP voice circuit
• RTP or SRTP
VoIP Signalling
• ITU H.323 protocol
• IETF SIP protocol
• Cisco Skinny protocol
• Asterisk IAX2 (InterAsterisk eXchange)
• IETF MGCP or MeGaCo
IP PBX
VoIP Signaling – SIP and H.323
• IETF SIP protocol (RFC3261)
– A flexible, scalable, text-based call control protocol (similar to HTTP and SMTP)
– Besides signalling, SIP also supports presence and instant message applications.
» Conferencing (e.g. Microsoft Live Meeting)
» Presence and Instant Messaging (e.g. Microsoft Communicator)
– Robust security mechanisms
» Authentication using HTTP Digest, TLS or S/MIME
» Encryption using TLS or S/MIME
» Message Integrity using TLS or S/MIME
• ITU H.323 protocol
– Based on ISDN, uses binary-encoded ASN.1 messages
– Is exclusively a signalling protocol
– Widely deployed in small PSTN replacement networks for handling simple phone calls
– Dominates the IP videoconferencing market
SIP Protocol
• Call control or signalling protocol that establishes and terminates media sessions.
– Individual voice or conference calls
– Videoconferences and point-to-point video-enabled calls
– Web collaboration and chat sessions
– Instant messaging sessions
• Open standard protocol; specifies the basic and supplementary services to create, modify and delete multimedia sessions or calls.
– Client-server based peer-to-peer protocol, not an IP-to-PSTN gateway control protocol such as MGCP, MEGACO or H.248.
• Integrates with other Internet services, such as e-mail, Web, voice mail, instant messaging, multiparty conferencing, and multimedia collaboration.
– Phone numbers are just another URL
SIP Protocol
• SIP uses Uniform Resource Locators (URLs) that can look like an e-mail address or may contain phone numbers:
– sip:[email protected]
– sip:[email protected]
– The names are resolved to an IP address by using SIP proxy server and
DNS lookups at the time of the call.
• SIP is an application-layer protocol
– Utilizes Session Description Protocol (SDP) for call setup
– Supported transport protocols
» UDP (Port 5060)
» TCP (Port 5060)
» Stream Control Transmission Protocol (SCTP, Port 5060)
» TLS (Port 5061)
SIP Entities
• User Agent (UA)
– End devices
– Initiate and terminate media sessions
» Client (UAC): initiates a request
» Server (UAS): responds to a request
• SIP Server
– Assist in session setup
» Registrar
» Location Server
» Proxy Server
» Redirect Server
» Presence Server
• Back-to-Back User Agent (B2BUA)
– Intermediary device
– Appears as an endpoint to the two endpoints
[Diagram: the User Agent Client sends a REGISTER request to the Registrar and an INVITE request to the Proxy Server or Redirect Server; the Registrar updates the „URI to IP address binding“ in the Location Service database (SIP URI to IP address mapping, updated by UA REGISTER requests); a DNS Server, the User Agent Server and a Gateway (B2BUA) are also shown.]
SIP Entities – User Agents
• User agents
– Applications in SIP endpoints (such as a SIP phone) that interface between the user and the SIP network.
– An agent can act as either a client or a server.
» When making a call it acts as a User Agent Client (UAC)
» When receiving a call it acts as a User Agent Server (UAS)
• A Back-to-Back User Agent (B2BUA)
– An application that acts as an intermediary between two parties, but appears as an endpoint to both parties.
» It serves as both a UAS and a UAC simultaneously to process session requests.
» For example, a SIP Analogue Telephone Adapter (ATA) might work as a B2BUA
• SIP devices can communicate directly with each other if they know the other’s
URL, but in practice SIP servers are often used in the network to provide an
infrastructure for routing, registration, and the authentication/authorization
services.
SIP Entities – SIP Server #1
• Registrar Server
– Registers users when they come on-line and stores information on the user's logical identity and the associated device or devices they will allow for communications.
– Accepts REGISTER requests and places the information it receives in those requests into the location service for the domain it handles.
• Location Server
– A database that keeps track of users and the URL bindings that are "closer" to them.
» Contains a list of bindings of address-of-record keys to zero or more contact addresses.
– The location service gets its input from the registrar server and provides key information for the proxy and redirect servers.
– Used by a SIP redirect or proxy server to obtain information about a callee's possible location(s).
• Redirect Server
– Maps a SIP request destined for a user to the URL of the device "closest" to the user.
» Accepts SIP INVITE request from the calling user agent,
» Obtains the correct SIP address of the called user agent (from a location service)
» Replies to the calling user agent with the correct SIP address using 3xx responses
SIP Entities – SIP Server #2
• Proxy Server
– Services SIP requests by processing them and passing them along to other SIP servers.
» Routing: ensures that a request is sent to another entity "closer" to the targeted user.
» Enforcing policies; for example, making sure a user is allowed to make a call.
– A proxy server may act as both a server and a client, and can modify a SIP request
before passing it along.
» Interprets, and rewrites specific parts of a request message before forwarding it.
– A proxy is involved only in the set-up and teardown of communications.
» Once a session is established, communications occur directly between the parties.
• Presence Server
– Accepts, stores, and distributes presence information.
» Presentity clients (producers of information) provide presence information to the server to be stored and distributed.
» Watcher clients (consumers of information) receive presence information from the server.
SIP Messages
• SIP Requests (called „methods“) – Client to Server
– Six base ones: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER
• SIP Response – Server to Client
– SIP requests generate responses with a numerical response code
» Borrowed from the HTTP protocol
– 1xx Informational
– 2xx Final
– 3xx Redirection
– 4xx Client Error
– 5xx Server Error
– 6xx Global Failure
SIP Message Format
• SIP Header
– Required Headers: To, From, Via, Call-ID, CSeq
– Optional Headers: Subject, Date, Authentication and many others
» Used for invoking various types of services and features.
» In most cases, it will be the type of voice traffic, speech, data or FAX
• SIP Message Body
– Similar to an attachment in an email message
– SIP body in an INVITE request contains a description of the media session
using another protocol:
» Usually SDP (Session Description Protocol – RFC …)
– SIP body can be encrypted using S/MIME for end-to-end security
SIP Call Flow
• Direct Session Establishment (example from RFC 3665)
• SIP INVITE Request
INVITE [email protected] SIP/2.0
Via: SIP/2.0/UDP 10.185.224.28
Call-ID: [email protected]
From: sip:[email protected]
To: sip:[email protected]
Content-Type: application/sdp
Content-length: 276

v=0
o=andreas .. … IN IP4 10.185.224.28
s=test on unix
i=Group [email protected]
c=IN IP4 239.255.232.123/15
t=1038556894 1038557194
a=tool:sdr v2.4a6
a=type:meeting
m=audio 23376 RTP/AVP 0
c=IN IP4 239.255.232.123/15
a=ptime:40
• SIP Response – 180 Ringing
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 10.185.224.28
Call-ID: [email protected]
From: sip:[email protected]
To: sip:[email protected]
Contact: 192.168.224.68
• SIP Response – 200 OK
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.185.224.28
Call-ID: [email protected]
From: sip:[email protected]
To: sip:[email protected]
Contact: 192.168.224.68
[Diagram: User Agent [email protected] and User Agent [email protected]: off-hook, INVITE (1), 180 Ringing (2), 200 OK (3), ACK (4), RTP Media Session, on-hook, BYE (5), 200 OK (6)]
SIP Call Flow
• Session Establishment through SIP Proxies (RFC 3665)
– The initial INVITE (1) contains a pre-loaded Route header with the address of the Proxy Server (configured as the default outbound proxy for UA A).
– The Proxy Server inserts a Record-Route header into the INVITE message to ensure that it is present in all subsequent message exchanges.
[Diagram: User Agent A – Proxy Server – User Agent B, with the Location Service (SIP URI to IP address mapping) attached to the proxy: INVITE (1) from UA A to the proxy, INVITE (2) from the proxy to UA B, 100 Trying (3) back to UA A, 180 Ringing (4) and (5), 200 OK (6) and (7), ACK (8), then the RTP Media Session directly between the user agents.]
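As an added example (not code from the slides), the following Python parses a SIP message into its start line, header list and body, checks the required headers and the Content-Length named on the SIP Message Format slide, classifies a response by its code class, and shows what the proxy does with the INVITE from the call flow above: it strips the pre-loaded Route pointing at itself, inserts Record-Route, prepends its own Via and decrements Max-Forwards. The sample INVITE, the host names and the branch values are constructed.

```python
import re

# Headers every SIP request must carry (RFC 3261), as listed on the slide
REQUIRED_HEADERS = ("To", "From", "Via", "Call-ID", "CSeq")

# Response classes borrowed from HTTP, keyed by the first digit of the code
RESPONSE_CLASSES = {1: "Informational", 2: "Final", 3: "Redirection",
                    4: "Client Error", 5: "Server Error", 6: "Global Failure"}


def parse_sip(raw: str) -> dict:
    """Split a SIP message into start line, (name, value) header list and body.

    Headers stay an ordered list: Via and Record-Route may repeat, and
    proxies rely on their order when routing responses back.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line.strip():
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    msg = {"start_line": lines[0], "headers": headers, "body": body}
    m = re.match(r"SIP/2\.0 (\d{3}) ", lines[0])
    if m:
        code = int(m.group(1))
        msg.update(kind="response", status=code,
                   status_class=RESPONSE_CLASSES.get(code // 100, "Unknown"))
    else:
        method, uri, version = lines[0].split(" ", 2)
        msg.update(kind="request", method=method, uri=uri, version=version)
    return msg


def header_values(msg: dict, name: str) -> list:
    return [v for n, v in msg["headers"] if n.lower() == name.lower()]


def missing_required_headers(msg: dict) -> list:
    return [h for h in REQUIRED_HEADERS if not header_values(msg, h)]


def body_length_consistent(msg: dict) -> bool:
    """Content-Length must equal the real body size; a mismatch points at a
    truncated or tampered message and is worth rejecting rather than guessing."""
    declared = header_values(msg, "Content-Length")
    actual = len(msg["body"].encode())
    return actual == (int(declared[0]) if declared else 0)


def proxy_forward(msg: dict, proxy_host: str) -> dict:
    """Return the request as an outbound proxy forwards it: drop the pre-loaded
    Route that named this proxy, add Record-Route so later requests of the
    dialog traverse it too, prepend its own Via, decrement Max-Forwards."""
    out = []
    via_seen = False
    for name, value in msg["headers"]:
        lname = name.lower()
        if lname == "route" and proxy_host in value:
            continue
        if lname == "via" and not via_seen:
            # branch value is constructed; a real proxy computes a unique one
            out.append(("Via", f"SIP/2.0/UDP {proxy_host};branch=z9hG4bK-proxy1"))
            out.append(("Record-Route", f"<sip:{proxy_host};lr>"))
            via_seen = True
        if lname == "max-forwards":
            hops = int(value) - 1
            if hops < 0:
                raise ValueError("Max-Forwards exhausted: answer 483 Too Many Hops")
            value = str(hops)
        out.append((name, value))
    return dict(msg, headers=out)


# Constructed sample INVITE with a pre-loaded Route, as in the proxy call flow
SAMPLE_INVITE = (
    "INVITE sip:bob@biloxi.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.185.224.28;branch=z9hG4bK74bf9\r\n"
    "Max-Forwards: 70\r\n"
    "Route: <sip:proxy.example.com;lr>\r\n"
    "From: <sip:andreas@atlanta.example.com>;tag=9fxced76sl\r\n"
    "To: <sip:bob@biloxi.example.com>\r\n"
    "Call-ID: 3848276298220188511@10.185.224.28\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 11\r\n"
    "\r\n"
    "v=0\r\ns=test"
)

if __name__ == "__main__":
    invite = parse_sip(SAMPLE_INVITE)
    print(invite["method"], "missing:", missing_required_headers(invite))
    for name, value in proxy_forward(invite, "proxy.example.com")["headers"]:
        print(f"{name}: {value}")
```

The Max-Forwards check is the guard a proxy uses against routing loops: once the counter hits zero it answers 483 instead of forwarding, which also bounds the damage a malformed or looped Route set can do.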
SIP Call Flow
• Session via Redirect and Proxy Servers (example from RFC 3665)
– The INVITE message is first sent to the Redirect Server (1).
– The server returns a 302 Moved Temporarily response (2) containing a Contact header with UA B's current SIP address.
– UA A then generates a new INVITE (3) and sends it to UA B via the Proxy Server, and the call proceeds normally.
[Diagram: User Agent A, Redirect Server, Proxy Server (with Location Service, SIP URI to IP address mapping) and User Agent B: INVITE (1) to the Redirect Server, 302 Moved Temp. (2), ACK (3), INVITE (4) to the Proxy Server, INVITE (5) to UA B, 100 Trying (6), 180 Ringing (7) and (8), 200 OK (9) and (10), ACK, then the RTP Media Session between the user agents.]
ENUM - (E.164 Number Mapping, RFC 3716)
• Mapping between an E.164 number and other services
• DNS used to identify the services bound to the E.164 number
– Format: <reverse phone number>.e164.arpa
– Example: “+130355553031” becomes “1.3.0.3.5.5.5.5.3.0.3.1.e164.arpa”
• One NAPTR entry in the DNS database for each available service
– E.g. SIP, H.323, Web, Email, PSTN
» IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:[email protected]!"
» IN NAPTR 102 15 "u" "mailto+E2U" "!^.*$!mailto:[email protected]!"
» IN NAPTR 100 20 "u" "tel+E2U" "!^.*$!tel:[email protected]!"
– SIP translates E.164 numbers into URIs
» Resolved to an IP address using the SIP redirect and/or location service
ENUM Queries and SIP
[Diagram: ENUM queries and SIP signalling via a Gateway]
ENUM - Query Example
$ORIGIN 1.3.0.3.5.5.5.3.0.3.1.e164.arpa. (Query)
IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:[email protected]!"
IN NAPTR 102 15 "u" "mailto+E2U" "!^.*$!mailto:[email protected]!"
IN NAPTR 100 20 "u" "tel+E2U" "!^.*$!tel:[email protected]!"
• IN – Internet Class – class of record – this is always IN
• NAPTR – Naming Authority Pointer Record – Type of DNS resource record (RR)
• 1xx – Order – first arbiter of preference (Lower is better)
• 10 – Preference – Weight for how the user would like to be contacted, used when orders match
• "u" "tel+E2U" - Flag – indicates service field and resolution service.
• Text after this reflects regular expression matching of URIs (1 per line).
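The zone and query above can be worked through in code. The following Python is added here (it is not from the presentation): it reverses an E.164 number into the e164.arpa name, parses NAPTR lines in the layout shown, ranks them by Order and Preference, applies the sed-style regexp, and, as a check a resolver should make, rejects a record whose regexp yields a URI scheme different from the one its service field advertises. The zone text, addresses and the contradictory record are constructed; the service field is written "sip+E2U" as on the slide, and the code also accepts the RFC 3761 spelling "E2U+sip".

```python
import re

NAPTR_RE = re.compile(
    r'IN\s+NAPTR\s+(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"')


def e164_to_enum_domain(number: str, suffix: str = "e164.arpa") -> str:
    """'+13035553031' -> '1.3.0.3.5.5.5.3.0.3.1.e164.arpa': strip non-digits,
    reverse, dot-separate, append the ENUM suffix."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in E.164 number")
    return ".".join(reversed(digits)) + "." + suffix


def parse_zone(zone_text: str) -> list:
    """Return NAPTR records as dicts; $ORIGIN, blanks and other RR types are skipped."""
    records = []
    for line in zone_text.splitlines():
        m = NAPTR_RE.search(line)
        if m:
            order, pref, flags, service, regexp = m.groups()
            records.append({"order": int(order), "preference": int(pref),
                            "flags": flags, "service": service, "regexp": regexp})
    return records


def apply_naptr_regexp(regexp: str, subject: str):
    """Apply a '!pattern!replacement!' substitution; None if the pattern does not match."""
    delim = regexp[0]
    pattern, replacement = regexp[1:].split(delim)[:2]
    m = re.match(pattern, subject)
    return m.expand(replacement) if m else None


def service_scheme(service: str) -> str:
    """Scheme a service field promises: 'sip+E2U' and 'E2U+sip' both give 'sip'."""
    a, b = service.split("+", 1)
    return (b if a.upper() == "E2U" else a).lower()


def resolve(number: str, zone_text: str, services=("sip+E2U",)):
    """Best URI for the number among the wanted services, lowest (Order, Preference) first."""
    subject = "+" + re.sub(r"\D", "", number)   # ENUM applies the regexp to the full E.164 number
    candidates = [r for r in parse_zone(zone_text) if r["service"] in services]
    for rec in sorted(candidates, key=lambda r: (r["order"], r["preference"])):
        if "u" not in rec["flags"].lower():
            continue                      # only terminal 'u' records yield a URI
        uri = apply_naptr_regexp(rec["regexp"], subject)
        if uri is None:
            continue
        # Defensive check: a record claiming SIP must not hand back another scheme
        if uri.split(":", 1)[0].lower() != service_scheme(rec["service"]):
            continue
        return uri
    return None


# Constructed zone in the layout of the slide (addresses are examples)
ZONE = """\
$ORIGIN 1.3.0.3.5.5.5.3.0.3.1.e164.arpa.
IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:andreas@example.com!"
IN NAPTR 102 15 "u" "mailto+E2U" "!^.*$!mailto:andreas@example.com!"
IN NAPTR 100 20 "u" "tel+E2U" "!^.*$!tel:+13035553031!"
"""

# Constructed record whose regexp contradicts its service field
BOGUS_ZONE = 'IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!http://example.org/!"\n'

if __name__ == "__main__":
    print(e164_to_enum_domain("+13035553031"))
    print(resolve("+13035553031", ZONE))
```

Because the regexp in a NAPTR record is data supplied by whoever controls the zone, the scheme check keeps a resolver from being steered to a service it did not ask for; the same place is where a deployment would restrict the accepted regexp syntax.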
VoIP Services
Self-provided VoIP
• No provider (like Skype, T-Online etc.) is used to provide the voice service
– The end-users install a dedicated VoIP product on their systems
» The IP address of the called party must be known to the caller before placing a call
- An Instant Messaging and Presence service can solve this problem
» Example: Microsoft NetMeeting
– The VoIP infrastructure is installed within a company’s local network
» Voice routing can be done manually or using SIP Proxies, H.323 Gateways, IP PBX …
- Example: Manual voice routing between two PBX systems with E1 interfaces
[Diagram: two PBX systems, each connected with PRI signalling to voice port 1/0:15 of a router; Cisco uses a proprietary H.323 protocol for voice signalling between the routers by default.]
Self-provided VoIP – Manual Voice Routing
Router at 172.16.1.123:
isdn switch-type primary-net5
!
controller E1 1/0
 pri-group timeslots 1-30
!
interface Serial1/0:15
 isdn switch-type primary-net5
 isdn incoming-voice voice
!
interface serial 0/0
 ! subnet mask assumed; the slide shows only the address
 ip address 172.16.1.123 255.255.255.0
!
dial-peer voice 1 pots
 destination-pattern 555....
 port 1/0:15
!
dial-peer voice 3 voip
 destination-pattern 119....
 session target ipv4:172.16.65.182
 ! default, shown in parentheses on the slide
 session protocol cisco
Router at 172.16.65.182:
isdn switch-type primary-net5
!
controller E1 1/0
 pri-group timeslots 1-30
!
interface Serial1/0:15
 isdn switch-type primary-net5
 isdn incoming-voice voice
!
interface serial 0/0
 ! subnet mask assumed; the slide shows only the address
 ip address 172.16.65.182 255.255.255.0
!
dial-peer voice 1 pots
 destination-pattern 119....
 port 1/0:15
!
dial-peer voice 3 voip
 destination-pattern 555....
 session target ipv4:172.16.1.123
 ! default, shown in parentheses on the slide
 session protocol cisco
[Diagram: PRI signalling from each PBX to voice port 1/0:15 of its router; Cisco uses a proprietary H.323 protocol for voice signalling between the routers by default.]
Self-Provided VoIP - IP PBX
[Diagram: IP PBX connected over the IP Backbone, with a gateway to the PSTN]
IP voice circuit
• RTP or SRTP
Voice Signalling
• SIP
• H.323
• Cisco Skinny
• Asterisk IAX2
• MGCP
• MeGaCo / H.248
Self-Provided VoIP - IP PBX
• IP PBX systems will be installed by a company without using a
voice service provider
• Various implementations using different vendors are possible
– Cisco, Avaya, Siemens, Nortel, Asterisk (Open Source) …
– Outsourcing of the management and maintenance of these IP PBX systems
• PSTN breakout using separate gateways
– Controlled via H.323, SIP, MGCP or MeGaCo / H.248
• Problem: Interconnection between IP PBX systems from different
vendors could be a nightmare
– Often only a very limited subset of subscriber features are possible (e.g. if
H.323 is used for the interconnection)
Centrex-based Solutions
• Only SIP phones at the location; the PBX is located in the provider network
– Survivability: Additional IP access or a local PSTN breakout
– Emergency Services: Local PSTN breakout, or the provider maintains a mapping database between phone number and location
» Problem with mobile users (WLAN VoIP phones, VoIP soft clients …)
» Database must be manually kept up-to-date
[Diagram: SIP phones and a traditional PBX with VoIP interface at the customer site; SIP signalling and RTP run across the IP Backbone to the provider‘s SIP-based VoIP infrastructure, which connects to the PSTN]
IP Trunking – Toll Bypass
• Trunk connection between PBX systems located in different sites
– Kind of connection depends on the vendor (e.g. H.323, SIP or other protocols)
– Not very scalable
– Usually a PSTN breakout in every site (for emergency numbers)
[Diagram: two traditional PBX systems with VoIP interface connected by an IP trunk (SIP, H.323 or any vendor proprietary protocol) over the IP Backbone, each with its own PSTN connection]
IP Trunking – PBX Interconnection
• SIP trunk connection between different IP PBX systems and a central Soft PBX within the provider network
• Service Provider provides external PSTN long-distance and local access, handled through their SIP network
– Emergency services are an issue: the number of traditional local trunks needed in the branches can be reduced to just the number required for survivability or emergency services
[Diagram: a traditional PBX with E1 interface and a traditional PBX with VoIP interface; SIP signalling and RTP run across the IP Backbone to the SIP-based VoIP infrastructure of the provider, which connects to the PSTN]
Emergency Services for VoIP
• Usually not a problem for fixed phones.
– The location details of the phones are entered in a database
» This information will be transferred to the emergency service answering points
» It must be ensured that the location details for each phone are up-to-date
• A big issue with mobile phones like PC soft phones or WLAN IP phones
• IETF ECRIT (Emergency Context Resolution with Internet Technologies) concept:
– IP phones have to know their actual location
» GPS
» Information from a DHCP server
» Manual
– Globally available geographical mapping database
» Contains the Internet address of the locally responsible Emergency Service Answering Points (police, fire department etc.)
– http://www.ietf.org/html.charters/ecrit-charter.html
VoIP in the Provider Core
• Next Generation Network (NGN)
– Transmission of voice and data over a common IP-based network
– Connection between the different types of networks (PSTN, Mobile, DSL etc.)
– Can provide intelligent services like presence or instant messaging
[Diagram: Provider IP Backbone with IMS (IP Multimedia Subsystem) and P-CSCF, a Media Gateway to the PSTN, Mobile (GSM & UMTS) access, and routers to private IP networks (MPLS based)]
VoIP in the Provider Core – IMS (IP Multimedia Subsystem)
• Defined by the 3rd Generation Partnership Project (3GPP)
– 3GPP is a collaboration agreement that brings together a number of telecommunications standards bodies (like ETSI)
– A reference service delivery platform architecture for the provision of IP Multimedia services within a mobile all-IP network environment, such as UMTS Release 5.
• Provides signalling to control real-time multimedia services
– Based on SIP signalling
• Uses the packet-switched domain instead of the circuit-switched one
– Smooth integration of new IP based services (e.g. Voice over IP).
– Interworking with devices with no access to the mobile domain is trivial
– Packet-switched technology is usually more efficient than circuit-switched
• Represents an overlay architecture
– Not limited to the mobile domain only (WLAN, WiMAX, xDSL access also possible)
• Does not mandate any particular business model
– Service providers can charge in a more service-oriented way.
VoIP Security
• Vulnerabilities
• SIP Security
• Securing the Audio Stream
Vulnerabilities
• DDoS attacks
– Bad phone quality if the Internet connection is congested
» DDoS protection within the provider network
– SIP server flooding (INVITE, REGISTER, SUBSCRIBE messages)
» Block all SIP messages except the ones to and from trusted networks.
• Phreaking (Telephone Fraud)
– Fraudulent usage of the VoIP equipment to get toll-free calls or let someone else pay for the call
» Different kinds of attacks are possible (e.g. SIP spoofing, errors in the devices and so on)
– Example: Telephone system hackers have established a black market in reselling stolen VoIP minutes. These telephone phreakers steal 200m minutes a month, worth $26m
» http://www.theregister.co.uk/2007/03/22/voip_fraud/
– Careful design of the network, use firewalls and filters and secured SIP and RTP connections wherever possible
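The flooding bullet above is what a SIP proxy's logs show before the service degrades. The Python below is an added example (not from the presentation): it reads constructed log lines of the form "timestamp src=ip method=METHOD", counts INVITE, REGISTER and SUBSCRIBE requests per source over a sliding window, leaves alone sources inside the trusted networks the slide says should be allowed through, and raises one alert per source that crosses the threshold. The log format, addresses, threshold and trusted network are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Methods whose flooding ties up a SIP server (as named on the slide)
FLOOD_METHODS = {"INVITE", "REGISTER", "SUBSCRIBE"}

# Constructed trusted network: traffic from here is allowed and not rate-checked
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(r"^(\S+)\s+src=(\S+)\s+method=([A-Z]+)")


def parse_line(line: str):
    """'2007-04-19T10:00:01 src=203.0.113.5 method=INVITE' -> (epoch_seconds, ip, method)"""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m.group(1)).timestamp()
    return ts, ipaddress.ip_address(m.group(2)), m.group(3)


def is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_NETWORKS)


def detect_floods(lines, threshold: int = 5, window_s: float = 10.0) -> list:
    """Sliding-window rate check per source address.

    Returns (source, method, count) tuples, one per offending source, at the
    moment its request count inside the window first reaches the threshold.
    """
    recent = defaultdict(deque)     # ip -> timestamps of its recent flood-relevant requests
    alerts, alerted = [], set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, method = parsed
        if method not in FLOOD_METHODS or is_trusted(ip):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()             # drop requests that fell out of the window
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((str(ip), method, len(q)))
    return alerts


# Constructed proxy log: one noisy source, one trusted source, one normal caller
SAMPLE_LOG = """\
2007-04-19T10:00:00 src=198.51.100.7 method=INVITE
2007-04-19T10:00:01 src=203.0.113.5 method=INVITE
2007-04-19T10:00:01 src=203.0.113.5 method=INVITE
2007-04-19T10:00:02 src=203.0.113.5 method=INVITE
2007-04-19T10:00:02 src=192.0.2.10 method=REGISTER
2007-04-19T10:00:02 src=192.0.2.10 method=REGISTER
2007-04-19T10:00:02 src=192.0.2.10 method=REGISTER
2007-04-19T10:00:02 src=192.0.2.10 method=REGISTER
2007-04-19T10:00:02 src=192.0.2.10 method=REGISTER
2007-04-19T10:00:02 src=203.0.113.5 method=INVITE
2007-04-19T10:00:03 src=203.0.113.5 method=INVITE
2007-04-19T10:00:03 src=203.0.113.5 method=INVITE
2007-04-19T10:00:30 src=198.51.100.7 method=INVITE
2007-04-19T10:01:00 src=198.51.100.7 method=OPTIONS
"""

if __name__ == "__main__":
    for source, method, count in detect_floods(SAMPLE_LOG.splitlines()):
        print(f"flood from {source}: {count} {method} requests inside the window")
```

The alert is the input to the slide's mitigation, a filter rule at the firewall or proxy; keeping the trusted-network exemption in the detector rather than in the rule means a flood from inside that network is still visible in the log even though it is never blocked.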
Vulnerabilities
• Spam over Internet Telephony (SPIT)
– E-mail spam is transferred into the telephone world, e.g. advertising material will be directly offered over the phone
– Often automated dialers are used to force the user to call back a toll number like 0900 or 0137.
» The providers usually have Internet connections with a VoIP flat rate.
» No further costs apply, only for the Internet connection.
– Possible mitigations are still under investigation. Normal e-mail filter mechanisms do not work for SPIT
» Only allow specific inbound numbers (white list)
» Block specific inbound numbers (black list)
» Block all calls without a CLI (Calling Line Identification)
SIP Security Mechanisms
• HTTP/SIP digest authentication
– Simple challenge/response mechanism using a shared secret (like CHAP)
– Replay protection and one-way authentication
» User Agent to User Agent or User Agent to Proxy Server
– Vulnerable to brute force or dictionary attacks
• Basic authentication scheme (RFC 2543) has been deprecated
– Client authentication mechanism with user ID and a password (like PAP)
• IPSec-based security
– Provides hop-by-hop mutual authentication, encryption, and/or message integrity
– No Integration with the SIP applications required
Example: SIP Digest Authentication
• F1 REGISTER Bob -> SIP Server
REGISTER sips:ss2.biloxi.example.com SIP/2.0
Via: SIP/2.0/TCP client.biloxi.example.com:5060
;branch=z9hG4bKnashds7
Max-Forwards: 70
From: Bob <sip:[email protected]>;tag=a73kszlfl
To: Bob <sip:[email protected]>
Call-ID: [email protected]
CSeq: 1 REGISTER
Contact: <sip:[email protected]>
Content-Length: 0
• F2 401 Unauthorized SIP Server -> Bob
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TCP client.biloxi.example.com:5060
;branch=z9hG4bKnashds7; received=192.0.2.201
From: Bob <sip:[email protected]>;tag=a73kszlfl
To: Bob <sip:[email protected]>;tag=1410948204
Call-ID: [email protected]
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="atlanta.example.com", qop="auth",
nonce="ea9c8e88df84f1cec4341ae6cbe5a359",
opaque="", stale=FALSE, algorithm=MD5
Content-Length: 0
[Diagram: User Agent – Proxy Server: F1 REGISTER, F2 401 Unauthorized, F3 REGISTER, F4 200 OK]
• F3 REGISTER Bob -> SIP Server
REGISTER sips:ss2.biloxi.example.com SIP/2.0
Via: SIP/2.0/TCP client.biloxi.example.com:5060 …
Max-Forwards: 70
From: Bob <sip:[email protected]>;tag=…lH
To: Bob <sip:[email protected]>
Call-ID: [email protected]
CSeq: 2 REGISTER
Contact: <sip:[email protected]>
Authorization: Digest username="bob", realm="atlanta.example.com",
nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="",
uri="sip:ss2.biloxi.example.com",
response="dfe56131d1958046689d83306477ecc"
Content-Length: 0
• F4 200 OK SIP Server -> Bob
SIP/2.0 200 OK
Via: SIP/2.0/TCP client.biloxi.example.com:5060;branch=z9h…d92;received=192.0.2.201
From: Bob <sip:[email protected]>;tag=ja743ks76zlflH
To: Bob <sip:[email protected]>;tag=37GkEhwl6
Call-ID: [email protected]
CSeq: 2 REGISTER
Contact: <sip:[email protected]>;expires=3600
Content-Length: 0
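To make the four-message exchange concrete, here is an added Python example (not code from the slides or from Verizon) that computes the Digest response the way the user agent does for F3 and checks it the way the server does, with the two properties named on the previous slide: the shared secret never travels, and a nonce is accepted once, so a captured F3 cannot be replayed. It also parses an Authorization header in the layout of F3. The password, the challenge nonces and the cnonce are constructed; the page does not give Bob's password, so the response value shown on the slide is not reproduced.

```python
import hashlib
import re
import secrets


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 Digest as SIP uses it (RFC 3261 section 22):
    HA1 = MD5(user:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop, else MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_digest_params(header: str) -> dict:
    """'Digest username="bob", realm="x", ...' -> {'username': 'bob', 'realm': 'x', ...}"""
    body = header.strip()
    if body.lower().startswith("digest"):
        body = body[6:]
    return {key: quoted or bare
            for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', body)}


class DigestVerifier:
    """Server side of the exchange: issues the 401 challenge parameters and
    verifies the Authorization header of the repeated REGISTER."""

    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.credentials = credentials   # username -> password (constructed demo store)
        self.issued = set()              # nonces handed out in 401 responses
        self.used = set()                # nonces already consumed by a valid response

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return {"realm": self.realm, "qop": "auth", "nonce": nonce, "algorithm": "MD5"}

    def verify(self, method: str, params: dict) -> bool:
        nonce = params.get("nonce", "")
        if nonce not in self.issued or nonce in self.used:
            return False                 # unknown, expired or replayed nonce
        password = self.credentials.get(params.get("username", ""))
        if password is None:
            return False
        expected = digest_response(params["username"], self.realm, password, method,
                                   params["uri"], nonce, params.get("qop"),
                                   params.get("nc"), params.get("cnonce"))
        ok = secrets.compare_digest(expected, params.get("response", ""))
        if ok:
            self.used.add(nonce)         # one successful use per nonce
        return ok


def register_exchange(password_used: str) -> tuple:
    """Run F1..F4 once against a constructed server; returns (first_result, replay_result)."""
    server = DigestVerifier("atlanta.example.com", {"bob": "constructed-secret"})
    chal = server.challenge()                                   # F2
    cnonce = secrets.token_hex(8)
    params = {"username": "bob", "realm": chal["realm"], "nonce": chal["nonce"],
              "uri": "sip:ss2.biloxi.example.com", "qop": "auth",
              "nc": "00000001", "cnonce": cnonce}
    params["response"] = digest_response("bob", chal["realm"], password_used, "REGISTER",
                                         params["uri"], chal["nonce"], "auth",
                                         "00000001", cnonce)   # F3
    first = server.verify("REGISTER", params)                   # F4: 200 OK or 401 again
    replay = server.verify("REGISTER", params)                  # the same F3 sent again
    return first, replay


# Authorization line in the layout of F3 above (values copied from the slide)
F3_AUTHORIZATION = ('Digest username="bob", realm="atlanta.example.com", '
                    'nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", '
                    'uri="sip:ss2.biloxi.example.com", '
                    'response="dfe56131d1958046689d83306477ecc"')

if __name__ == "__main__":
    print(register_exchange("constructed-secret"))   # (True, False)
    print(parse_digest_params(F3_AUTHORIZATION)["username"])
```

The verifier keeps the password only because it is a demo; a server normally stores HA1 instead, which is enough to check responses without holding the cleartext. Nothing here slows down guessing, which is why the previous slide lists dictionary attacks: the protection against them is the strength of the shared secret and rate limiting at the server, not the Digest scheme itself.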
SIP Security Mechanisms
• TLS (sips)
– Hop-by-hop encryption, authentication and message integrity
• S/MIME
– End-to-end encryption, authentication and integrity for the message body
[Diagram: SIP Phones and Proxy Server; TLS (sips) on each hop, SIP using S/MIME end-to-end between the phones]
SIP Security Mechanisms
• IPSec:
– Hop-by-hop encryption, authentication and message integrity
[Diagram: SIP Phones and Proxy Server; SIP carried inside IPSec tunnels on each hop]
SIP Security Mechanisms
• TLS (sips)
– Hop-by-hop encryption, message integrity and mutual authentication using certificates
» Between UA and Proxy Server or between two Proxy Servers
» Other authentication mechanisms can also be used
- Allows mutual authentication if a certificate is missing
- For example using HTTP Digest authentication
» The whole SIP message will be encrypted and authenticated
- SIP-enabled firewalls cannot look into the SIP messages to open the necessary UDP ports for RTP and RTCP
- Message fields (Request-URI, Route, and Via) need to be visible to SIP proxies in most architectures to route SIP requests correctly
– Integration with SIP applications required
• TLS Proxy with the Firewall
– Future: Firewall will act as a TLS Proxy to be able to control TLS encrypted
SIP signaling (for example Cisco ASA or Juniper NetScreen)
SIP Security Mechanisms
• S/MIME
– End-to-end encryption, message integrity and mutual authentication using certificates
» Encrypts MIME bodies within a SIP message between two User Agents
- Bodies are secured end-to-end without affecting the SIP header
- Transparent to any intermediate Firewalls, NAT devices or SIP proxy
• S/MIME with SIP Message Tunneling
– Provides a form of integrity and confidentiality for SIP header fields
• PGP mechanism for encrypting the header fields and bodies
– Has been deprecated.
Securing the Audio Stream
• IPSec VPN
– Mostly used for connections running over the Backbone
– Cisco GET VPN can be used to build an Any-to-Any IPSec VPN
– Independent of the SIP User Agents capabilities
[Diagram: SIP Phones and Proxy Server; the RTP stream runs inside an IPSec tunnel]
Securing the Audio Stream
• RFC 3711 - Secure Real Time Transport Protocol (SRTP)
– Secures end-to-end RTP and RTCP traffic
– Encryption, authentication and message integrity using symmetric AES keys
– SIP User Agents must support SRTP
[Diagram: SIP Phones and Proxy Server; SRTP streams between the phones]
Securing the Audio Stream
• SRTP Key Management
– SRTP does not define a key management mechanism but refers to other key management standards
» RFC 3547: "The Group Domain of Interpretation"
» RFC 3830: "MIKEY: Multimedia Internet KEYing"
» RFC 4430: "Kerberized Internet Negotiation of Keys (KINK)"
» RFC 4567: "Key Management Extensions for SDP and RTSP"
» RFC 4568: "SDP Security Descriptions for Media Streams"
– These protocols are used to establish an SRTP master key
• SRTP derives six different keys from this single master key in a cryptographically secure way
– SRTP and SRTCP encryption keys and salts
– SRTP and SRTCP authentication keys
Securing the Audio Stream
• SRTP packet format (bit offsets 0, 4, 8, 12, 16, 20, 24, 28, 31)
– V=2 | P | X | CC | M | Payload Type | Sequence Number
– Timestamp
– Synchronization Source Identifier (SSRC)
– Contributing Source Identifiers (CSRC) – optional, one 32-bit word each
– RTP Header Extensions (optional)
– Payload (Audio and Video)
– RTP Padding | RTP Pad Count
– SRTP MKI (Master Key Identifier) – optional
– Authentication Tag
• Encrypted part: the payload together with the RTP padding and pad count
• Authenticated part of the RTP message: the RTP header (including CSRCs and extensions) followed by the encrypted part; the MKI and the tag itself are not covered
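An added Python example (not from the slides) that walks the packet layout above: it builds a constructed SRTP packet, splits it into the RFC 3711 regions (RTP header with CSRC list and optional extension, encrypted portion, optional MKI, authentication tag) and checks the tag as HMAC-SHA1 over the authenticated portion and the rollover counter, truncated to 80 bits, which is the default SRTP authentication transform. The payload bytes stand in for ciphertext and the authentication key is constructed; decryption is not shown, which is also why the pad count cannot be read before the tag check and decryption.

```python
import hashlib
import hmac
import struct


def parse_srtp(packet: bytes, auth_tag_len: int = 10, mki_len: int = 0) -> dict:
    """Split an SRTP packet into RFC 3711 regions without decrypting it."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte fixed RTP header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", packet[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    cc = b0 & 0x0F
    extension = (b0 >> 4) & 1
    offset = 12
    csrcs = list(struct.unpack(f"!{cc}I", packet[offset:offset + 4 * cc])) if cc else []
    offset += 4 * cc
    if extension:
        _profile, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    trailer = mki_len + auth_tag_len
    if len(packet) < offset + trailer:
        raise ValueError("truncated packet: header plus MKI and tag do not fit")
    end_enc = len(packet) - trailer
    return {
        "version": version,
        "padding_bit": (b0 >> 5) & 1,    # refers to the plaintext; the pad count is encrypted
        "extension": extension,
        "marker": b1 >> 7,
        "payload_type": b1 & 0x7F,
        "sequence": seq,
        "timestamp": timestamp,
        "ssrc": ssrc,
        "csrcs": csrcs,
        "header": packet[:offset],
        "encrypted": packet[offset:end_enc],              # payload + padding + pad count
        "mki": packet[end_enc:end_enc + mki_len],
        "auth_tag": packet[len(packet) - auth_tag_len:],
        "authenticated": packet[:end_enc],                # header followed by encrypted part
    }


def srtp_tag(authenticated: bytes, auth_key: bytes, roc: int = 0, tag_len: int = 10) -> bytes:
    """HMAC-SHA1(auth_key, authenticated_portion || ROC), truncated (RFC 3711 section 4.2)."""
    mac = hmac.new(auth_key, authenticated + struct.pack("!I", roc), hashlib.sha1).digest()
    return mac[:tag_len]


def verify_tag(packet: bytes, auth_key: bytes, roc: int = 0,
               auth_tag_len: int = 10, mki_len: int = 0) -> bool:
    """Check the tag before anything else is done with the packet (decrypt only after this)."""
    fields = parse_srtp(packet, auth_tag_len, mki_len)
    expected = srtp_tag(fields["authenticated"], auth_key, roc, auth_tag_len)
    return hmac.compare_digest(expected, fields["auth_tag"])


def build_srtp(payload_type: int, seq: int, timestamp: int, ssrc: int, csrcs: list,
               encrypted: bytes, auth_key: bytes, marker: int = 0, roc: int = 0) -> bytes:
    """Assemble header || encrypted || tag (no MKI, no extension) for a constructed packet."""
    b0 = (2 << 6) | len(csrcs)
    b1 = (marker << 7) | payload_type
    header = struct.pack("!BBHII", b0, b1, seq, timestamp, ssrc)
    header += b"".join(struct.pack("!I", c) for c in csrcs)
    body = header + encrypted
    return body + srtp_tag(body, auth_key, roc)


# Constructed values: PCMU payload type 0, one contributing source, 8 bytes standing in for ciphertext
AUTH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
PACKET = build_srtp(payload_type=0, seq=23376, timestamp=160, ssrc=0xDEADBEEF,
                    csrcs=[0x01020304], encrypted=b"\x10\x20\x30\x40\x50\x60\x70\x80",
                    auth_key=AUTH_KEY, marker=1)

if __name__ == "__main__":
    f = parse_srtp(PACKET)
    print(f"PT={f['payload_type']} seq={f['sequence']} csrcs={f['csrcs']} "
          f"enc={len(f['encrypted'])}B tag={f['auth_tag'].hex()} ok={verify_tag(PACKET, AUTH_KEY)}")
```

Because the header is inside the authenticated portion, changing the sequence number or SSRC of a captured packet invalidates its tag, and because the rollover counter is mixed into the MAC, a packet from an earlier 65536-packet cycle does not verify once the receiver's counter has moved on.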
Unified Messaging
Verizon Business - Instant Meeting incorporated into Microsoft Office Live Communication Server
Verizon Business - Instant Meeting integration into Microsoft LiveMeeting
Verizon Business VoIP Solutions
4 Different Products based on SIP
Verizon Business VoIP Service Portfolio
Strategy
• Build world-class VoIP infrastructure with scalability and flexibility to meet business and wholesale customer needs
• Deliver high-quality VoIP experience
• Enable customers to migrate to VoIP at their own pace and path, leveraging Verizon Business’s extensive portfolio
IP Integrated Access / IP Flexible T1
• Use with existing PBX, Key System
• Ideal for small- to medium-size locations
• Not ready to rip/replace
• Avoid re-training
IP Trunking
• Use with an existing premise IP PBX
• Eliminates the need for expensive TDM premises gateway equipment
• Ideal for large locations with more than 200 users
Hosted IP Centrex VoIP
• Full suite of subscriber and administrative features reside in the network
• Uses IP phones
• Enhances user mobility and productivity
• Easily scales with business demands
• Ideal for new locations
Managed IP PBX
• Designed for enterprises with >200 users
• Prefers premises-based solution without the internal support challenges
Verizon Business VoIP Architecture
[Diagram: Verizon Business SIP Infrastructure (SIP Feature Servers, Redirect Servers, Voice Mail Servers) reached over a Private IP or Public IP Network; customer premises without a PBX (LAN with SIP Phones) and customer premises with a Key System or PBX (PBX phones and SIP phones); a PSTN Network Gateway connects to phones on the Public Switched Telephone Network]
Verizon VoIP - IP Integrated Access
[Diagram: customer site with LAN clients, phones, PBX, redundant firewall, Enterprise Gateway, modem and IP router connected to the Verizon IP network (Network Features) and the PSTN; inter-site traffic routed via the Verizon IP network, non-inter-site traffic via the Verizon Voice network]
Verizon VoIP - IP Trunking
[Diagram: customer site with IP PBX (optionally Managed IP PBX), SIP phones, traditional phones on an analogue gateway, Ethernet switch, firewall, CE router, support modem and Verizon VoIP Probe connected to the IP Network (Network Features) and the PSTN; inter-site traffic routed via the Verizon IP network, non-inter-site traffic via the Verizon Voice network]
Verizon VoIP – Hosted IP Centrex
[Diagram: customer site with SIP phones, traditional phones on an analogue gateway, Ethernet switch, firewall, CE router, support modem and Verizon VoIP Probe connected to the IP Network (Network Features) and the PSTN; inter-site traffic routed via the Verizon IP network, non-inter-site traffic via the Verizon Voice network]
Verizon VoIP – Security
• Redundant NetScreen firewalls protect the SIP proxy servers in the Verizon VoIP network
• Customer sites must use SIP-aware firewalls.
– Only SIP messages that originate from Verizon's proxies are allowed to reach
the IP phones.
• SIP Signalling:
– IP phones and analogue interfaces use SIP Digest Authentication
» Passwords on the IP phones are set before they are shipped.
– Enterprise gateways for IP Integrated Access use IPSec AH
» IPSec tunnel between gateways and the NetScreen Firewalls on the VzB VoIP
network
Verizon VoIP – Security
[Diagram: Enterprise Gateway behind a SIP-aware FW (Cisco PIX) at the customer site; SIP signalling with Digest Authentication and an IPSec AH tunnel cross the Access Network (Internet or MPLS) to the NetScreen Firewall in the Verizon VoIP network, which connects to the PSTN]
Thank You
Any Questions?
About Verizon Business
Verizon Business, a unit of Verizon Communications (NYSE:VZ), is a leading provider of advanced communications and information technology (IT) solutions to large business and government customers worldwide. Combining unsurpassed global network reach with advanced technology and professional service capabilities, Verizon Business delivers innovative and seamless business solutions to customers around the world.
For more information, visit www.verizonbusiness.com
Global Capability. Personal Accountability.