InteleCardExpo Conference VoIP: A Technology Coming of Age

1
Intele-CardExpo ConferenceVoIP A Technology
Coming of Age
Inter-domain VoIP Security Authentication Authori
zation Accounting
Jim.Dalton_at_TransNexus.com 404-526-6053
2
Agenda

• Circuit Switched Interconnection
• Next Generation VoIP Interconnection
• The Basics of Public-key Infrastructure security
• Certificate Authority Trusted 3rd party
• Authentication, Authorization, Accounting
• Benefits
• Carrier Implementation Examples

3
Circuit-Switched Interconnection

• Business Policy Interconnect Routing and Tariffs
• Enforcement Physical Authentication,
  Authorization and Accounting by Switch

4
Next Generation VoIP Interconnection

• Business Policy Interconnect Routing and Tariffs
• Enforcement Policy server with cryptographic
  services supporting Authentication, Authorization
  Accounting

5
Next Generation VoIP Interconnection

• Business Policy Interconnect Routing and Tariffs
• Enforcement Policy server with cryptographic
  services supporting Authentication, Authorization
  Accounting

6
Interconnect Policy Server

• What is it?
• Stateless Routing Policy Server
• Uses Public-key Infrastructure (PKI) Services for
  inter-domain security over non-secure networks
• Certificate authority
• Issues X.509 digital certificates to clients
• Digitally signs authorization tokens
• All messages encrypted using SSL
• Uses Open Settlement Protocol standard for both
  H.323 and SIP networks

7
The Basics of Public-key Cryptosystems
Security services between parties rely on the
exchange of public keys and secure secrecy of
corresponding private keys.

• Critical Points
• Public / Private keys used for encryption /
  decryption and digital signatures
• Public keys are public easy to distribute
• A digital certificate signed by a trusted 3rd
  party ensures the public-key is legitimate
• Digital signatures provide data integrity,
  authentication and non-repudiation
• Certificates may be chained from a root authority

8
Establishing a Trusted Relationship
IXC Interconnect Policy Server (Certificate
Authority)
VoIP Device
Client Device requests public-key and
certificate from IXC
IXC sends its public key and its certificate
Client Device sends its public key and
certificate request to IXC
IXC returns signed client certificate
9
Authentication
Interconnect Policy Server
Inter-Exchange Carrier (IXC) IP Network or Public
Internet
Carrier A

• Routing request to IXC is digitally signed with
  VoIP devices private key.
• Policy server verifies client signature with
  clients public key to authenticate routing
  request.

10
Authorization
Interconnect Policy Server
Authorization Token
Inter-Exchange Carrier (IXC) IP Network or Public
Internet
Carrier A
Carrier B

• IXC digitally signs authorization token with call
  details
• time/date, IP address, called number, call length
• Carrier B has no trusted relationship with
  Carrier A, but verifies digital signature of with
  IXC public key
• Carrier can retain digital signature for
  non-repudiation

11
Secure Accounting

• Carriers A and B encrypt CDRs with IXC public key
• IXC decrypts CDR with its private key
• For auditing, IXC can request in real time that a
  carrier digitally sign a batch of CDRs

12
Benefits

• Advantages of Next Generation Interconnection
• No change in business processes
• Free of circuit connection constraints
• fast provisioning, software driven, flexible
• Leverages low cost, non-secure networks
• Entirely based on well defined standards
• Public-key infrastructure services
• Open Settlement Protocol (OSP)
• Supports H.323 and SIP
• Broad vendor support
• Alcatel, Cisco, Commworks, Lucent, MediaRing,
  RADVISION, SS8 others

13
ATT OSP Implementation
Source ATT Global Clearinghouse
14
NTT OSP Implementation
Source NTT 8 Oct 2002