
IT-Symposium 2007 19.04.2007

www.it-symposium2007.de 1

© 2007 Verizon. All Rights Reserved. PTEXXXXX XX/07

global capability. personal accountability.

VoIP – what is possible?

3B07 - Which different scenarios are possible when deploying VoIP (IP PBX, IP Centrex, etc.)

Andreas Aurand, Sales Engineer, April 19th, 2007

Verizon Communications Inc.

Revenue

• 2006 Revenue: $88.1 billion (+26.8% compared to 2005)

• World’s second biggest telecommunications provider*

• 50th on Fortune Global 500

Profit

• One of the world’s most profitable telecommunications providers*

• 36th on Fortune Global 500

* Source: Fortune Global 500, CNN Money, 2006

About Verizon

Verizon Business

• Customers include 94% of the Fortune 500

• Over 30,000 employees

• Operations in 75 countries

• Customers in 2,700 cities in 152 countries

• Most expansive IP network worldwide (based upon PoPs)

• Most connected backbone according to TeleGeography

About Verizon

Verizon Business’ Portfolio

• Managed Network Services

• WAN Management

• Professional Services

• LAN Management

• Managed Telephony

• CPE

Agenda

• SIP Signalling

• VoIP Services

• VoIP Security

• Unified Messaging

• Verizon Business VoIP solutions

SIP Signalling

Traditional Voice Services - Circuit Switched

(Diagram: PBX)

Signaling

• QSIG

• ISDN PRI

• …

Signalling between phone and PBX or telephone switch

• Digital: ISDN BRI - Q.931

• Analogue: E&M, Loop Start, Ground Start

Signaling between PBX and CO

• ISDN PRI - Q.931 (digital)

• analog (usually obsolete)

Signaling (using a separate network)

• SS7 (digital)

Voice circuit

• analogue: dedicated circuit

• digital: fixed TDM slot

VoIP Services – Packet Switched

(Diagram: PBX and IP PBX)

Signaling

• QSIG

• ISDN PRI

• E&M

Signaling between phone and PBX

• Digital: ISDN BRI - Q.931

• Analogue: E&M, Loop Start, Ground Start

IP voice circuit

• RTP or SRTP

VoIP Signalling

• ITU H.323 protocol

• IETF SIP protocol

• Cisco Skinny protocol

• Asterisk IAX2 (InterAsterisk eXchange)

• IETF MGCP or MeGaCo

VoIP Signaling – SIP and H.323

• IETF SIP protocol (RFC3261)

– A flexible, scalable, text-based call control protocol (similar to HTTP and SMTP)

– Besides signalling, SIP also supports presence and instant message applications.

» Conferencing (e.g. Microsoft Live Meeting)

» Presence and Instant Messaging (e.g. Microsoft Communicator)

– Robust security mechanisms

» Authentication using HTTP Digest, TLS or S/MIME

» Encryption using TLS or S/MIME

» Message Integrity using TLS or S/MIME

• ITU H.323 protocol

– Based on ISDN, uses binary-encoded ASN.1 messages

– Is exclusively a signalling protocol

– Widely deployed in small PSTN replacement networks for handling simple phone calls

– Dominates the IP videoconferencing market

SIP Protocol

• Call control or signalling protocol that establishes and terminates media sessions.

– Individual voice or conference calls

– Videoconferences and point-to-point video-enabled calls

– Web collaboration and chat sessions

– Instant messaging sessions

• Open standard protocol; specifies the basic and supplementary services to create, modify and delete multimedia sessions or calls.

– Client-server based peer-to-peer protocol, not an IP-to-PSTN gateway control protocol such as MGCP, MEGACO or H.248.

• Integrates with other Internet services, such as e-mail, Web, voice mail, instant messaging, multiparty conferencing, and multimedia collaboration.

– Phone numbers are just another URL

SIP Protocol

• SIP uses Uniform Resource Locators (URL) that can look like e-mail address or may contain phone numbers:

– sip:[email protected]

– sip:[email protected]

– The names are resolved to an IP address by using a SIP proxy server and DNS lookups at the time of the call.

• SIP is an application-layer protocol

– Utilizes Session Description Protocol (SDP) for call setup

– Supported transport protocols

» UDP (Port 5060)

» TCP (Port 5060)

» Stream Control Transmission Protocol (SCTP, Port 5060)

» TLS (Port 5061)

SIP Entities

• User Agent (UA)

– End devices

– Initiate and terminate media sessions

» Client (UAC): initiates a request

» Server (UAS): responds to a request

• SIP Server

– Assist in session setup

» Registrar

» Location Server

» Proxy Server

» Redirect Server

» Presence Server

• Back-to-Back User Agent (B2BUA)

– Intermediary device

– Appears as an endpoint to the two endpoints

(Diagram: User Agent Client, Registrar, Proxy Server, Redirect Server, Location Service, DNS Server, Gateway (B2BUA) and User Agent Server; the User Agent Client sends a REGISTER request and an INVITE request)

Location Service

• SIP URI to IP address mapping

• Updated by UA REGISTER requests

The REGISTER request updates the "URI to IP address binding" in the Location Service database.

SIP Entities – User Agents

• User agents

– Applications in SIP endpoints (such as a SIP phone) that interface between the user and the SIP network.

– An agent can act as either a client or a server.

» When making a call it acts as a User Agent Client (UAC)

» When receiving a call it acts as a User Agent Server (UAS)

• A Back-to-Back User Agent (B2BUA)

– An application that acts as an intermediary between two parties, but appears as an endpoint to both parties.

» It serves as both a UAS and a UAC simultaneously to process session requests.

» For example a SIP Analogue Telephone Adapter (ATA) might work as a B2BUA

• SIP devices can communicate directly with each other if they know the other’s URL, but in practice SIP servers are often used in the network to provide an infrastructure for routing, registration, and authentication/authorization services.

SIP Entities – SIP Server #1

• Registrar Server

– Registers users when they come on-line and stores information on the user's logical identity and the associated device or devices they will allow for communications.

– Accepts REGISTER requests and places the information it receives in those requests into the location service for the domain it handles.

• Location Server

– A database that keeps track of users and the URL bindings that are "closer" to them.

» Contains a list of bindings of address-of-record keys to zero or more contact addresses.

– The location service gets its input from the registrar server and provides key information for the proxy and redirect servers.

– Used by a SIP redirect or proxy server to obtain information about a callee's possible location(s).

• Redirect Server

– Maps a SIP request destined for a user to the URL of the device "closest" to the user.

» Accepts SIP INVITE request from the calling user agent,

» Obtains the correct SIP address of the called user agent (from a location service)

» Replies to the calling user agent with the correct SIP address using 3xx responses

SIP Entities – SIP Server #2

• Proxy Server

– Services SIP requests by processing them and passing them along to other SIP servers.

» Routing: ensures that a request is sent to another entity "closer" to the targeted user.

» Enforcing policies; for example, making sure a user is allowed to make a call.

– A proxy server may act as both a server and a client, and can modify a SIP request before passing it along.

» Interprets, and rewrites specific parts of a request message before forwarding it.

– A proxy is involved only in the set-up and teardown of communications.

» Once a session is established, communications occur directly between the parties.

• Presence Server

– Accepts, stores, and distributes presence information.

» Presentity clients (producers of information) provide presence information to the server to be stored and distributed.

» Watcher clients (consumers of information) receive presence information from the server.

SIP Messages

• SIP Requests (called "methods") – Client to Server

– Six base ones: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER

• SIP Response – Server to Client

– SIP Requests generate responses with numerical response codes

» Borrowed from the HTTP protocol

– 1xx Informational

– 2xx Final

– 3xx Redirection

– 4xx Client Error

– 5xx Server Error

– 6xx Global Failure

SIP Message Format

• SIP Header

– Required Headers: To, From, Via, Call-ID, CSeq

– Optional Headers: Subject, Date, Authentication and many others

» Used for invoking various types of services and features.

» In most cases, it will be the type of voice traffic, speech, data or FAX

• SIP Message Body

– Similar to an attachment in an email message

– SIP body in an INVITE request contains a description of the media session using another protocol:

» Usually SDP (Session Description Protocol – RFC …)

– SIP body can be encrypted using S/MIME for end-to-end security

SIP Call Flow

• Direct Session Establishment (example from RFC 3665)

• SIP INVITE Request

INVITE [email protected] SIP/2.0
Via: SIP/2.0/UDP 10.185.224.28
Call-ID: [email protected]
To: sip:[email protected]
From: sip:[email protected]
Content-Type: application/sdp
Content-length: 276

v=0
o=andreas .. … IN IP4 10.185.224.28
s=test on unix
i=Group [email protected]
c=IN IP4 239.255.232.123/15
t=1038556894 1038557194
a=tool:sdr v2.4a6
a=type:meeting
m=audio 23376 RTP/AVP 0
c=IN IP4 239.255.232.123/15
a=ptime:40

• SIP Response – 180 Ringing

SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 10.185.224.28
Call-ID: [email protected]
To: sip:[email protected]
From: sip:[email protected]
Contact: 192.168.224.68

• SIP Response – 200 OK

SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.185.224.28
Call-ID: [email protected]
To: sip:[email protected]
From: sip:[email protected]
Contact: 192.168.224.68

(Diagram: User Agent [email protected] to User Agent [email protected]: off-hook, INVITE (1), 180 Ringing (2), 200 OK (3), ACK (4), RTP Media Session, on-hook, BYE (5), 200 OK (6))
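As an added example (not from the slides), a small Python parser for the message layout the SIP Message Format and Call Flow slides describe: it reads the start line, the headers (including the RFC 3261 compact forms and folded lines) and the body, checks the five required headers, classifies the response code and pulls the media ports out of an SDP body, which is what a SIP-aware firewall needs in order to open the RTP pinholes. The sample INVITE and 180 Ringing are constructed, modelled on the slide's example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Headers every SIP request and response must carry (SIP Message Format slide).
REQUIRED_HEADERS = ("To", "From", "Via", "Call-ID", "CSeq")

# RFC 3261 compact header forms, mapped to their long names.
COMPACT_FORMS = {"t": "To", "f": "From", "v": "Via", "i": "Call-ID",
                 "m": "Contact", "c": "Content-Type", "l": "Content-Length"}

# Response classes as listed on the SIP Messages slide.
RESPONSE_CLASSES = {1: "Informational", 2: "Final", 3: "Redirection",
                    4: "Client Error", 5: "Server Error", 6: "Global Failure"}


class SipMessage(NamedTuple):
    is_request: bool
    method: Optional[str]            # request only
    status: Optional[int]            # response only
    headers: Dict[str, List[str]]    # lower-cased long header name -> values in order
    body: str


def parse_sip_message(raw: str) -> SipMessage:
    """Split a SIP message into start line, headers and body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    start = lines[0].split(" ")
    if start[0] == "SIP/2.0" and len(start) >= 2 and start[1].isdigit():
        is_request, method, status = False, None, int(start[1])
    elif len(start) == 3 and start[2] == "SIP/2.0":
        is_request, method, status = True, start[0].upper(), None
    else:
        raise ValueError("bad SIP start line: %r" % lines[0])
    headers: Dict[str, List[str]] = {}
    last: Optional[str] = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:
            headers[last][-1] += " " + line.strip()   # folded continuation line
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        key = COMPACT_FORMS.get(name.strip().lower(), name.strip()).lower()
        headers.setdefault(key, []).append(value.strip())
        last = key
    return SipMessage(is_request, method, status, headers, body)


def missing_required_headers(msg: SipMessage) -> List[str]:
    """Names of required headers the message lacks (empty list = complete)."""
    return [h for h in REQUIRED_HEADERS if h.lower() not in msg.headers]


def response_class(status: int) -> str:
    return RESPONSE_CLASSES.get(status // 100, "Unknown")


def sdp_media_ports(msg: SipMessage) -> List[Tuple[str, int]]:
    """(media, port) for every m= line of an SDP body: the RTP ports a SIP-aware
    firewall has to open for the session (RTCP conventionally uses port + 1)."""
    ctype = msg.headers.get("content-type", [""])[0]
    if ctype.split(";")[0].strip().lower() != "application/sdp":
        return []
    ports = []
    for line in msg.body.splitlines():
        m = re.match(r"m=(\w+)\s+(\d+)(?:/\d+)?\s+\S+", line)
        if m:
            ports.append((m.group(1), int(m.group(2))))
    return ports


# Constructed sample messages, modelled on the slide's direct call flow.
SAMPLE_SDP = ("v=0\r\n"
              "o=andreas 2890844526 2890844526 IN IP4 10.185.224.28\r\n"
              "s=test on unix\r\n"
              "c=IN IP4 10.185.224.28\r\n"
              "t=0 0\r\n"
              "m=audio 23376 RTP/AVP 0\r\n"
              "a=ptime:40\r\n")

SAMPLE_INVITE = ("INVITE sip:bob@biloxi.example.com SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 10.185.224.28;branch=z9hG4bK74bf9\r\n"
                 "Call-ID: a84b4c76e66710@10.185.224.28\r\n"
                 "To: sip:bob@biloxi.example.com\r\n"
                 "From: sip:alice@atlanta.example.com;tag=9fxced76sl\r\n"
                 "CSeq: 1 INVITE\r\n"
                 "Content-Type: application/sdp\r\n"
                 "Content-Length: %d\r\n"
                 "\r\n" % len(SAMPLE_SDP)) + SAMPLE_SDP

SAMPLE_RINGING = ("SIP/2.0 180 Ringing\r\n"
                  "Via: SIP/2.0/UDP 10.185.224.28;branch=z9hG4bK74bf9\r\n"
                  "Call-ID: a84b4c76e66710@10.185.224.28\r\n"
                  "To: sip:bob@biloxi.example.com;tag=8321234356\r\n"
                  "From: sip:alice@atlanta.example.com;tag=9fxced76sl\r\n"
                  "CSeq: 1 INVITE\r\n"
                  "Contact: <sip:bob@192.168.224.68>\r\n"
                  "Content-Length: 0\r\n"
                  "\r\n")


def describe(raw: str) -> str:
    """One-line summary: kind of message, missing required headers, SDP media ports."""
    msg = parse_sip_message(raw)
    kind = msg.method if msg.is_request else "%d %s" % (msg.status, response_class(msg.status))
    return "%s missing=%s media=%s" % (kind, missing_required_headers(msg), sdp_media_ports(msg))


if __name__ == "__main__":
    print(describe(SAMPLE_INVITE))
    print(describe(SAMPLE_RINGING))
```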

SIP Call Flow

• Session Establishment through a SIP Proxy (RFC 3665)

– The initial INVITE (1) contains a pre-loaded Route header with the address of the Proxy Server (configured as a default outbound proxy for UA A).

– The Proxy Server inserts a Record-Route header into the INVITE message to ensure that it is present in all subsequent message exchanges.

(Diagram: User Agent A, Proxy Server with Location Service (SIP URI to IP address mapping), User Agent B: INVITE (1), INVITE (2), 100 Trying (3), 180 Ringing (4), 180 Ringing (5), 200 OK (6), 200 OK (7), ACK (8), RTP Media Session)

SIP Call Flow

• Session via Redirect and Proxy Servers (example from RFC 3665)

– The INVITE message is first sent to the Redirect Server (1).

– The Server returns a 302 Moved Temporarily response (2) containing a Contact header with UA B's current SIP address

– UA A then generates a new INVITE (3) and sends to UA B via the Proxy Server and the call proceeds normally

(Diagram: User Agent A, Redirect Server, Proxy Server with Location Service (SIP URI to IP address mapping), User Agent B: INVITE (1), 302 Moved Temp. (2), ACK (3), INVITE (4), INVITE (5), 100 Trying (6), 180 Ringing (7), 180 Ringing (8), 200 OK (9), 200 OK (10), ACK (8), RTP Media Session)

ENUM - (E.164 Number Mapping, RFC 3716)

• Mapping between an E.164 number and other services

• DNS used to identify the services bound to the E.164 number

– Format: <reverse phone number> .e164.arpa

– Example: "+130355553031" becomes "1.3.0.3.5.5.5.5.3.0.3.1.e164.arpa"

• One NAPTR entry in the DNS database for each available service

– E.g. SIP, H.323, Web, Email, PSTN

» IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:[email protected]!"

» IN NAPTR 102 15 "u" "mailto+E2U" "!^.*$!mailto:[email protected]!"

» IN NAPTR 100 20 "u" "tel+E2U" "!^.*$!tel:[email protected]!"

– SIP translates E.164 numbers into URIs

» Resolved to an IP address using the SIP redirect and/or location service

ENUM Queries and SIP

(Diagram: Gateway)

ENUM - Query Example

$ORIGIN 1.3.0.3.5.5.5.5.3.0.3.1.e164.arpa. (Query)
IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:[email protected]!"
IN NAPTR 102 15 "u" "mailto+E2U" "!^.*$!mailto:[email protected]!"
IN NAPTR 100 20 "u" "tel+E2U" "!^.*$!tel:[email protected]!"

• IN – Internet Class – class of record – this is always IN

• NAPTR – Naming Authority Pointer Record – Type of DNS resource record (RR)

• 1xx – Order – first arbiter of preference (Lower is better)

• 10 – Preference – Weight for how the user would like to be contacted, used when orders match

• "u" "tel+E2U" - Flag – indicates service field and resolution service.

• Text after this reflects regular expression matching of URIs (1 per line).
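An added Python example (not part of the presentation) of the ENUM lookup the two slides above describe: the E.164 number is reversed into an e164.arpa owner name, the NAPTR records are ordered by order and then preference, and each record's regexp field is applied to the full number to obtain a contact URI. The NAPTR records and contact addresses are constructed sample data.

```python
import re
from typing import List, NamedTuple, Optional


class Naptr(NamedTuple):
    order: int
    preference: int
    flags: str
    service: str
    regexp: str


def e164_to_enum_name(number: str, zone: str = "e164.arpa") -> str:
    """Owner name for an E.164 number: keep the digits, reverse them, dot-separate
    them and append the ENUM zone (the slide's "+130355553031" example)."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in E.164 number: %r" % number)
    return ".".join(reversed(digits)) + "." + zone


def apply_naptr_regexp(regexp: str, aus: str) -> Optional[str]:
    """Apply a NAPTR regexp field ("!pattern!replacement!flags", first character is
    the delimiter) to the application unique string, which for ENUM is the full
    E.164 number. Returns None when the pattern does not match."""
    if not regexp:
        return None
    delim = regexp[0]
    parts = regexp[1:].split(delim)   # assumes the delimiter is not escaped inside the fields
    if len(parts) < 2:
        raise ValueError("malformed NAPTR regexp: %r" % regexp)
    pattern, replacement = parts[0], parts[1]
    flags = parts[2] if len(parts) > 2 else ""
    match = re.match(pattern, aus, re.IGNORECASE if "i" in flags else 0)
    if match is None:
        return None
    return match.expand(replacement)   # honours \1 .. \9 backreferences


def resolve_enum(records: List[Naptr], number: str, service: Optional[str] = None) -> List[str]:
    """Contact URIs for a number, sorted by order and then preference (lower wins),
    optionally restricted to one service such as "sip+E2U"."""
    chosen = [r for r in records if "u" in r.flags.lower()
              and (service is None or r.service.lower() == service.lower())]
    chosen.sort(key=lambda r: (r.order, r.preference))
    uris = []
    for r in chosen:
        uri = apply_naptr_regexp(r.regexp, number)
        if uri is not None:
            uris.append(uri)
    return uris


# Constructed sample zone, modelled on the slide's query example; the contact
# addresses are invented (example.com / example.net).
SAMPLE_NUMBER = "+130355553031"
SAMPLE_RECORDS = [
    Naptr(100, 10, "u", "sip+E2U", "!^.*$!sip:alice@example.com!"),
    Naptr(102, 15, "u", "mailto+E2U", "!^.*$!mailto:alice@example.com!"),
    Naptr(100, 20, "u", "tel+E2U", "!^.*$!tel:+130355553031!"),
    # backreference form: hand +1 numbers to a gateway, keeping the national digits
    Naptr(110, 10, "u", "sip+E2U", r"!^\+1(\d+)$!sip:1\1@gw.example.net!"),
]

if __name__ == "__main__":
    print(e164_to_enum_name(SAMPLE_NUMBER))
    for uri in resolve_enum(SAMPLE_RECORDS, SAMPLE_NUMBER):
        print(uri)
```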

VoIP Services

Self-provided VoIP

• No provider (like Skype, T-Online etc.) is used to provide the voice service

– The end-users install a dedicated VoIP product on their systems

» The IP address of the called party must be known to the caller before placing a call

- Instant Message and Presence service can solve this problem

» Example: Microsoft NetMeeting

– The VoIP infrastructure is installed within a company’s local network

» Voice routing can be done manually or using SIP Proxies, H.323 Gateways, IP PBX …

- Example: Manual voice routing between two PBX systems with E1 interfaces

(Diagram: two PBX systems with PRI signalling, each connected to a router voice port 1/0:15; Cisco uses a proprietary H.323 protocol for voice signaling between the routers as default)

Self-provided VoIP – Manual Voice Routing

First router (172.16.1.123):

isdn switch-type primary-net5
!
controller E1 1/0
 pri-group timeslots 1-30
!
interface Serial1/0:15
 isdn switch-type primary-net5
 isdn incoming-voice voice
!
interface serial 0/0
 ip address 172.16.1.123
!
dial-peer voice 1 pots
 destination-pattern 555....
 port 1/0:15
!
dial-peer voice 3 voip
 destination-pattern 119....
 session target ipv4:172.16.65.182
 (session protocol cisco)

Second router (172.16.65.182):

isdn switch-type primary-net5
!
controller E1 1/0
 pri-group timeslots 1-30
!
interface Serial1/0:15
 isdn switch-type primary-net5
 isdn incoming-voice voice
!
interface serial 0/0
 ip address 172.16.65.182
!
dial-peer voice 1 pots
 destination-pattern 119....
 port 1/0:15
!
dial-peer voice 3 voip
 destination-pattern 555....
 session target ipv4:172.16.1.123
 (session protocol cisco)

Self-Provided VoIP - IP PBX

(Diagram: IP Backbone, PSTN)

IP voice circuit

• RTP or SRTP

Voice Signalling

• SIP

• H.323

• Cisco Skinny

• Asterisk IAX2

• MGCP

• MeGaCo / H.248

Self-Provided VoIP - IP PBX

• IP PBX systems will be installed by a company without using a voice service provider

• Various implementations using different vendors are possible

– Cisco, Avaya, Siemens, Nortel, Asterisk (Open Source) …

– Outsourcing of the management and maintenance of these IP PBX systems

• PSTN breakout using separate gateways

– Controlled via H.323, SIP, MGCP or MeGaCo / H.248

• Problem: Interconnection between IP PBX systems from different vendors could be a nightmare

– Often only a very limited subset of subscriber features is possible (e.g. if H.323 is used for the interconnection)

Centrex-based Solutions

• Only SIP phones at the location; the PBX is located in the provider network

– Survivability: Additional IP access or a local PSTN breakout

– Emergency Services: Local PSTN breakout, or the provider maintains a mapping database between phone number and location

» Problem with mobile users (WLAN VoIP phones, VoIP soft clients …)

» Database must be manually kept up-to-date

(Diagram: SIP Signalling and RTP across the IP Backbone between a Traditional PBX with VoIP Interface and the Provider‘s SIP-based VoIP infrastructure; PSTN)

IP Trunking – Toll Bypass

• Trunk connection between PBX systems located in different sites

– Kind of connection depends on the vendor (e.g. H.323, SIP or other protocols)

– Not very scalable

– Usually a PSTN breakout in every site (for emergency numbers)

(Diagram: IP Trunk (SIP, H.323 or any vendor proprietary protocol) over the IP Backbone between two Traditional PBXs with VoIP Interface; PSTN)

IP Trunking – PBX Interconnection

• SIP trunk connection between different IP PBX systems and a central Soft PBX within the provider network

• Service Provider provides external PSTN long-distance and local access, handled through their SIP network

– Emergency services are an issue: The number of traditional local trunks needed in the bran

(Diagram: SIP Signalling and RTP across the IP Backbone between a Traditional PBX with E1 Interface, a Traditional PBX with VoIP Interface and the SIP-based VoIP infrastructure of the provider; PSTN)

Emergency Services for VoIP

• Usually not a problem for fixed phones.

– The location details of the phones are entered in a database

» This information will be transferred to the emergency service answering points

» It must be ensured that the location details for each phone are up-to-date

• A big issue with mobile phones like PC soft phones or WLAN IP phones

• IETF ECRIT (Emergency Context Resolution with Internet Technologies) concept:

– IP phones have to know their actual location

» GPS

» Information from a DHCP server

» Manual

– Globally available geographical mapping database

» Contains the Internet address for the locally responsible Emergency Service Answering Points (police, fire department etc.)

– http://www.ietf.org/html.charters/ecrit-charter.html

VoIP in the Provider Core

• Next Generation Network (NGN)

– Transmission of voice and data over a common IP-based network

– Connection between the different types of networks (PSTN, Mobile, DSL etc.)

– Can provide intelligent services like presence or instant messaging

(Diagram: Provider IP Backbone with IMS (IP Multimedia Subsystem) and P-CSCF; Mobile (GSM & UMTS), PSTN via Media Gateway, Private IP networks (MPLS based) via Router)

VoIP in the Provider Core – IMS (IP Multimedia Subsystem)

• Defined by the 3rd Generation Partnership Project (3GPP)

– 3GPP is a collaboration agreement that brings together a number of telecommunications standards bodies (like ETSI)

– A reference service delivery platform architecture for the provision of IP Multimedia services within a mobile all-IP network environment, such as UMTS Release 5.

• Provides signalling to control real-time multimedia services

– Based on SIP signalling

• Uses the packet-switched domain instead of the circuit-switched one

– Smooth integration of new IP based services (e.g. Voice over IP).

– Interworking with devices with no access to the mobile domain is trivial

– Packet-switched technology is usually more efficient than circuit-switched

• Represents an overlay architecture

– Not limited to the mobile domain only (WLAN, WiMAX, xDSL access also possible)

• Does not mandate any particular business model

– Service providers can charge in a more service-oriented way.

VoIP Security

• Vulnerabilities

• SIP Security

• Securing the Audio Stream

Vulnerabilities

• DDoS attacks

– Bad phone quality if the Internet connection is congested

» DDoS protection within the provider network

– SIP server flooding (INVITE, REGISTER, SUBSCRIBE messages)

» Block all SIP messages except the ones to and from trusted networks.

• Phreaking (Telephone Fraud)

– Fraudulent usage of the VoIP equipment to get toll-free calls or let someone else pay for the call

» Different kinds of attacks are possible (e.g. SIP spoofing, errors in the devices and so on)

– Example: Telephone system hackers have established a black market in reselling stolen VoIP minutes. These telephone phreakers steal 200m minutes a month, worth $26m

» http://www.theregister.co.uk/2007/03/22/voip_fraud/

– Careful design of the network; use firewalls and filters and secured SIP and RTP connections wherever possible

Vulnerabilities

• Spam over Internet Telephony (SPIT)

– E-Mail spam is transferred into the telephone world, e.g. advertising material will be directly offered over the phone

– Often automated dialers are used to force the user to call back a toll number like 0900 or 0137.

» The providers usually have Internet connections with a VoIP flat rate.

» No further costs apply, only for the Internet connection.

– Possible mitigations are still under investigation. Normal E-mail filter mechanisms do not work for SPIT

» Only allow specific inbound numbers (white list)

» Block specific inbound numbers (black list)

» Block all calls without a CLI (Calling Line Identification)

SIP Security Mechanisms

• HTTP/SIP digest authentication

– Simple challenge/response mechanism using a shared secret (like CHAP)

– Replay protection and one-way authentication

» User Agent to User Agent or User Agent to Proxy Server

– Vulnerable to brute force or dictionary attacks

• Basic authentication scheme (RFC 2543) has been deprecated

– Client authentication mechanism with user ID and a password (like PAP)

• IPSec-based security

– Provides hop-by-hop mutual authentication, encryption, and/or message integrity

– No Integration with the SIP applications required

Example: SIP Digest Authentication

• F1 REGISTER Bob -> SIP Server

REGISTER sips:ss2.biloxi.example.com SIP/2.0

Via: SIP/2.0/TCP client.biloxi.example.com:5060

;branch=z9hG4bKnashds7

Max-Forwards: 70

From: Bob <sip:[email protected]>;tag=a73kszlfl

To: Bob <sip:[email protected]>

Call-ID: [email protected]

CSeq: 1 REGISTER

Contact: <sip:[email protected]>

Content-Length: 0

• F2 401 Unauthorized SIP Server -> Bob

SIP/2.0 401 Unauthorized

Via: SIP/2.0/TCP client.biloxi.example.com:5060

;branch=z9hG4bKnashds7; received=192.0.2.201

From: Bob <sip:[email protected]>;tag=a73kszlfl

To: Bob <sip:[email protected]>;tag=1410948204

Call-ID: [email protected]

CSeq: 1 REGISTER

WWW-Authenticate: Digest realm="atlanta.example.com", qop="auth",

nonce="ea9c8e88df84f1cec4341ae6cbe5a359",

opaque="", stale=FALSE, algorithm=MD5

Content-Length: 0

(Diagram: User Agent and Proxy Server: F1: REGISTER, F2: 401 Unauthorized, F3: REGISTER, F4: 200 OK)

• F3 REGISTER Bob -> SIP Server

REGISTER sips:ss2.biloxi.example.com SIP/2.0

Via: SIP/2.0/TCP client.biloxi.example.com:5060 …

Max-Forwards: 70

From: Bob <sip:[email protected]>;tag=…lH

To: Bob <sip:[email protected]>

Call-ID: [email protected]

CSeq: 2 REGISTER

Contact: <sip:[email protected]>

Authorization: Digest username="bob", realm="atlanta.example.com",

nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="",

uri="sip:ss2.biloxi.example.com",

response="dfe56131d1958046689d83306477ecc"

Content-Length: 0

• F4 200 OK SIP Server -> Bob

SIP/2.0 200 OK

Via: SIP/2.0/TCP client.biloxi.example.com:5060;branch=z9h…d92;received=192.0.2.201

From: Bob <sip:[email protected]>;tag=ja743ks76zlflH

To: Bob <sip:[email protected]>;tag=37GkEhwl6

Call-ID: [email protected]

CSeq: 2 REGISTER

Contact: <sip:[email protected]>;expires=3600

Content-Length: 0
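An added Python example (not from the slides or RFC 3665) that works the F2/F3 exchange above through: the client computes the Digest response from the slide's challenge values, and the server recomputes it from its stored secret, accepts only nonces it issued (the replay protection mentioned on the previous slide) and compares in constant time. The password "constructed-secret" and the cnonce are constructed, so the response value differs from the one printed on the slide.

```python
import hashlib
import hmac
import os
import re
from typing import Callable, Dict, Iterable, Optional


def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None, nc: Optional[str] = None,
                    cnonce: Optional[str] = None) -> str:
    """RFC 2617 Digest response as used by SIP (RFC 3261), algorithm=MD5."""
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    if qop is None:
        # no qop (RFC 2069 form): the shape of the slide's F3 Authorization header
        return _md5("%s:%s:%s" % (ha1, nonce, ha2))
    if qop != "auth" or not nc or not cnonce:
        raise ValueError("qop=auth requires nc and cnonce")
    return _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


def parse_digest_params(header_value: str) -> Dict[str, str]:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (surrounding quotes removed)."""
    scheme, _, params = header_value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header: %r" % header_value)
    pairs = re.findall(r'([A-Za-z0-9_-]+)\s*=\s*("[^"]*"|[^,\s]*)', params)
    return {k.lower(): v.strip('"') for k, v in pairs}


# Challenge values from the slide's F2 message (joined onto one line).
SLIDE_CHALLENGE = ('Digest realm="atlanta.example.com", qop="auth", '
                   'nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", '
                   'stale=FALSE, algorithm=MD5')


def build_authorization(challenge: str, username: str, password: str, method: str,
                        uri: str, cnonce: Optional[str] = None, nc: str = "00000001") -> str:
    """Client side: answer a WWW-Authenticate challenge with an Authorization header."""
    ch = parse_digest_params(challenge)
    offered = [q.strip() for q in ch.get("qop", "").split(",")]
    qop = "auth" if "auth" in offered else None
    if qop and cnonce is None:
        cnonce = os.urandom(8).hex()          # fresh client nonce per request
    resp = digest_response(username, ch["realm"], password, method, uri,
                           ch["nonce"], qop, nc, cnonce)
    params = ['username="%s"' % username, 'realm="%s"' % ch["realm"],
              'nonce="%s"' % ch["nonce"], 'uri="%s"' % uri, 'response="%s"' % resp]
    if "opaque" in ch:
        params.append('opaque="%s"' % ch["opaque"])
    if qop:
        params += ["qop=%s" % qop, "nc=%s" % nc, 'cnonce="%s"' % cnonce]
    params.append("algorithm=MD5")
    return "Digest " + ", ".join(params)


def verify_authorization(authorization: str, method: str,
                         password_for: Callable[[str], Optional[str]],
                         issued_nonces: Iterable[str]) -> bool:
    """Server side: recompute the response from the stored secret and compare it
    in constant time. Only nonces this server issued are accepted, which is the
    replay protection the slides refer to (a real server also expires them)."""
    try:
        p = parse_digest_params(authorization)
        if p["nonce"] not in set(issued_nonces):
            return False
        password = password_for(p["username"])
        if password is None:
            return False
        expected = digest_response(p["username"], p["realm"], password, method, p["uri"],
                                   p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
    except (KeyError, ValueError):
        return False
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    users = {"bob": "constructed-secret"}     # constructed credential store
    auth = build_authorization(SLIDE_CHALLENGE, "bob", users["bob"],
                               "REGISTER", "sip:ss2.biloxi.example.com")
    print(auth)
    print(verify_authorization(auth, "REGISTER", users.get,
                               {"ea9c8e88df84f1cec4341ae6cbe5a359"}))
```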

SIP Security Mechanisms

• TLS (sips)

– Hop-by-hop encryption, authentication and message integrity

• S/MIME

– End-to-end encryption, authentication and integrity for message body

(Diagram: SIP Phones to Proxy Server using TLS (sips); SIP using S/MIME between the phones)

SIP Security Mechanisms

• IPSec:

– Hop-by-hop encryption, authentication and message integrity

(Diagram: SIP between SIP Phones and Proxy Server carried over IPSec tunnels)

SIP Security Mechanisms

• TLS (sips)

– Hop-by-hop encryption, message integrity and mutual authentication using certificates

» Between UA and Proxy Server or between two Proxy Servers

» Other authentication mechanisms can also be used

- Allows mutual authentication if a certificate is missing

- For example using HTTP Digest authentication

» The whole SIP message will be encrypted and authenticated

- SIP-enabled firewalls cannot look into the SIP messages to open the necessary UDP ports for RTP and RTCP

- Message fields (Request-URI, Route, and Via) need to be visible to SIP proxies in most architectures to route SIP requests correctly

– Integration with SIP applications required

• TLS Proxy with the Firewall

– Future: Firewall will act as a TLS Proxy to be able to control TLS-encrypted SIP signaling (for example Cisco ASA or Juniper NetScreen)

SIP Security Mechanisms

• S/MIME

– End-to-end encryption, message integrity and mutual authentication using certificates

» Encrypts MIME bodies within a SIP message between two User Agents

- Bodies are secured end-to-end without affecting the SIP header

- Transparent to any intermediate Firewalls, NAT devices or SIP proxy

• S/MIME with SIP Message Tunneling

– Provides a form of integrity and confidentiality for SIP header fields

• PGP mechanism for encrypting the header fields and bodies

– Has been deprecated.

Securing the Audio Stream

• IPSec VPN

– Mostly used for connections running over the Backbone

– Cisco GET VPN can be used to build an Any-to-Any IPSec VPN

– Independent of the SIP User Agents’ capabilities

(Diagram: RTP stream between SIP Phones carried in an IPSec tunnel; Proxy Server)

Securing the Audio Stream

• RFC 3711 - Secure Real Time Transport Protocol (SRTP)

– Secures end-to-end RTP and RTCP traffic

– Encryption, authentication and message integrity using symmetric AES keys

– SIP User Agents must support SRTP

(Diagram: SRTP streams between the SIP Phones; Proxy Server)

Securing the Audio Stream

• SRTP Key Management

– SRTP does not define a key management mechanism but refers to other key management standards

» RFC 3547: "The Group Domain of Interpretation"

» RFC 3830: "MIKEY: Multimedia Internet KEYing"

» RFC 4430: "Kerberized Internet Negotiation of Keys (KINK)"

» RFC 4567: "Key Management Extensions for SDP and RTSP"

» RFC 4568: "SDP Security Descriptions for Media Streams"

– These protocols will be used to establish a SRTP master key

• SRTP derives six different keys from this single master key in a cryptographically secure way

– SRTP and SRTCP encryption keys and salts

– SRTP and SRTCP authentication keys

Securing the Audio Stream

• SRTP packet format (bit positions 0 4 8 12 16 20 24 28 31)

V=2 | P | X | CC | M | Payload Type | Sequence Number
Timestamp
Synchronization Source Identifier (SSRC)
Contributing Source Identifiers (CSRC) – optional
…. ….
RTP Header Extensions (optional)
Payload (Audio and Video) … RTP Padding | RTP Pad Count
SRTP MKI (Master Key Identifier) - optional
Authentication Tag

– Encrypted part: the payload (including RTP padding and pad count)

– Authenticated part of the RTP message: the RTP header plus the encrypted payload; this is what the Authentication Tag covers
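An added Python example (not from the slides) that walks the SRTP layout above: it parses the RTP header (fixed part, CSRC list, header extension) and splits an SRTP packet into the authenticated part, the encrypted payload, the optional MKI and the authentication tag. Tag and MKI lengths are not carried in the packet but come from the negotiated crypto suite, so they are parameters here. The sample packet is constructed; its payload and tag are dummy bytes, not real ciphertext or a real HMAC.

```python
import struct
from typing import List, NamedTuple


class RtpHeader(NamedTuple):
    version: int
    padding: bool
    extension: bool
    cc: int
    marker: bool
    payload_type: int
    seq: int
    timestamp: int
    ssrc: int
    csrcs: List[int]
    header_len: int        # bytes from packet start to the first payload byte


def parse_rtp_header(pkt: bytes) -> RtpHeader:
    """Parse the RTP header as laid out on the slide (RFC 3550)."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than the 12-byte fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    version = b0 >> 6
    if version != 2:
        raise ValueError("unsupported RTP version %d" % version)
    padding, extension, cc = bool(b0 & 0x20), bool(b0 & 0x10), b0 & 0x0F
    marker, payload_type = bool(b1 & 0x80), b1 & 0x7F
    offset = 12
    if len(pkt) < offset + 4 * cc:
        raise ValueError("truncated CSRC list")
    csrcs = list(struct.unpack("!%dI" % cc, pkt[offset:offset + 4 * cc]))
    offset += 4 * cc
    if extension:
        if len(pkt) < offset + 4:
            raise ValueError("truncated header extension")
        _profile, ext_words = struct.unpack("!HH", pkt[offset:offset + 4])
        offset += 4 + 4 * ext_words      # length field counts 32-bit words after it
        if len(pkt) < offset:
            raise ValueError("header extension runs past end of packet")
    return RtpHeader(version, padding, extension, cc, marker, payload_type,
                     seq, ts, ssrc, csrcs, offset)


class SrtpParts(NamedTuple):
    header: RtpHeader
    authenticated: bytes   # RTP header + encrypted payload: what the tag covers
    encrypted: bytes       # payload incl. RTP padding and pad count; the header stays in clear
    mki: bytes             # Master Key Identifier, empty when the suite does not use one
    auth_tag: bytes


def split_srtp_packet(pkt: bytes, auth_tag_len: int = 10, mki_len: int = 0) -> SrtpParts:
    """Carve an SRTP packet into the regions of the slide's diagram. Tag and MKI
    lengths are not in the packet; they come from the negotiated crypto suite
    (AES_CM_128_HMAC_SHA1_80 uses an 80-bit, i.e. 10-byte, tag)."""
    hdr = parse_rtp_header(pkt)
    trailer = mki_len + auth_tag_len
    if len(pkt) < hdr.header_len + trailer:
        raise ValueError("packet too short for MKI and authentication tag")
    body_end = len(pkt) - trailer
    return SrtpParts(header=hdr,
                     authenticated=pkt[:body_end],
                     encrypted=pkt[hdr.header_len:body_end],
                     mki=pkt[body_end:body_end + mki_len],
                     auth_tag=pkt[body_end + mki_len:])


def build_sample_srtp_packet() -> bytes:
    """Constructed packet: V=2, one CSRC, marker set, PT 0 (PCMU), seq 0x1234.
    The payload and tag are dummy bytes, not real ciphertext or a real HMAC."""
    fixed = struct.pack("!BBHII", 0x81, 0x80, 0x1234, 0x00012345, 0xDEADBEEF)
    csrc = struct.pack("!I", 0x0000CAFE)
    payload = bytes(range(0x10, 0x18))       # 8 "encrypted" bytes
    mki = b"\x00\x00\x00\x01"                # 4-byte MKI
    tag = b"\xAA" * 10                       # 80-bit authentication tag
    return fixed + csrc + payload + mki + tag


if __name__ == "__main__":
    parts = split_srtp_packet(build_sample_srtp_packet(), auth_tag_len=10, mki_len=4)
    print(parts.header)
    print("encrypted:", parts.encrypted.hex(), "mki:", parts.mki.hex(), "tag:", parts.auth_tag.hex())
```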

Unified Messaging

Verizon Business - Instant Meeting incorporated into Microsoft Office Live Communication Server

Verizon Business - Instant Meeting integration into Microsoft LiveMeeting

Verizon Business VoIP Solutions

4 Different Products based on SIP

Verizon Business VoIP Service Portfolio

Strategy

• Build world-class VoIP infrastructure with scalability and flexibility to meet business and wholesale customer needs

• Deliver high-quality VoIP experience

• Enable customers to migrate to VoIP at their own pace and path, leveraging Verizon Business’s extensive portfolio

IP Trunking

• Use with an existing premise IP PBX

• Eliminates the need for expensive TDM premises gateway equipment

• Ideal for large locations with more than 200 users

IP Integrated Access / IP Flexible T1

• Use with existing PBX, Key System

• Ideal for small- to medium-size locations

• Not ready to rip/replace

• Avoid re-training

Hosted IP Centrex

• Full suite of subscriber and administrative features reside in the network

• Uses IP phones

• Enhances user mobility and productivity

• Easily scales with business demands

• Ideal for new locations

Managed IP PBX

• Designed for enterprises with >200 users

• Prefers premises-based solution without the internal support challenges


55

Verizon Business VoIP Architecture

Diagram: two customer premises types, one with no PBX (LAN with SIP phones) and one with a Key System or PBX (PBX phones plus SIP phones), connected over a private or public IP network to the Verizon Business SIP infrastructure (SIP feature servers, redirect servers, voice mail servers) and through a PSTN network gateway to the Public Switched Telephone Network and its phones.

56

Verizon VoIP - IP Integrated Access

Diagram: a customer site with LAN clients, phones and a PBX behind redundant firewalls, an IP router and an Enterprise Gateway (with a PSTN modem for support access), connected to the Verizon IP network (network features) and to the PSTN. Inter-site traffic is routed via the Verizon IP network; non-inter-site traffic is routed via the Verizon voice network.


57

Verizon VoIP - IP Trunking

Diagram: a customer site with a CE router, firewall, Ethernet switch, Verizon VoIP probe, support modem (PSTN), an IP PBX (optionally a Managed IP PBX), SIP phones and an analogue gateway for traditional phones, connected to the IP network (network features) and to the PSTN. Inter-site traffic is routed via the Verizon IP network; non-inter-site traffic is routed via the Verizon voice network.

58

Verizon VoIP – Hosted IP Centrex

Diagram: a customer site with a CE router, firewall, Ethernet switch, Verizon VoIP probe, support modem (PSTN), SIP phones and an analogue gateway for traditional phones, with no PBX on the premises, connected to the IP network (network features) and to the PSTN. Inter-site traffic is routed via the Verizon IP network; non-inter-site traffic is routed via the Verizon voice network.


59

Verizon VoIP – Security

• Redundant NetScreen firewalls protect the SIP proxy servers in the Verizon VoIP network

• Customer sites must use a SIP-aware firewall.

– Only SIP messages that originate from Verizon's proxies are allowed to reach the IP phones.

• SIP Signalling:

– IP phones and analogue interfaces use SIP Digest Authentication

» Passwords on the IP phones are set before they are shipped.

– Enterprise gateways for IP Integrated Access use IPSec AH (Authentication Header: origin authentication and integrity of the signalling, not encryption)

» IPSec tunnel between the gateways and the NetScreen firewalls on the VzB VoIP network

60

Verizon VoIP – Security

Diagram: an Enterprise Gateway at the customer site, with PSTN connectivity, sits behind a SIP-aware firewall (Cisco PIX) and reaches the NetScreen firewall of the Verizon VoIP network across the access network (Internet or MPLS); SIP signaling uses Digest Authentication and runs inside an IPSec AH tunnel between the gateway and the NetScreen firewall.


61

Thank You

Any Questions?

62

Thank You

About Verizon Business

Verizon Business, a unit of Verizon Communications (NYSE:VZ), is a leading provider of advanced communications and information technology (IT) solutions to large business and government customers worldwide. Combining unsurpassed global network reach with advanced technology and professional service capabilities, Verizon Business delivers innovative and seamless business solutions to customers around the world.

For more information, visit www.verizonbusiness.com

Global Capability. Personal Accountability.


63