Developing Secure, Multi-lateral Peer to Peer SIP Applications

1
Developing Secure, Multi-lateralPeer to Peer SIP
Applications
Jim.Dalton_at_TransNexus.com
2
Market Problem
Terminating Domain ?
Routing
Access Control
Accounting
Originating Domain
PSTN
Settlement
call
Ethernet Switch
Router
PSTN
Internet or IP Network
PSTN
PSTN
Service Provider POP
3
Current Status of Peering

• Ad hoc bilateral peering arrangements
• ENUM provides a solution for peer to peer route
  discovery But how to handle?
• Inter-domain Access control
• Accounting
• Settlement disputes
• Backwards compatibility with Operations and
  Billing Support Systems for H.323 networks
• Evolution to new services

4
Benefits of secure multi-lateral peering

• Efficient peer to peer communications eliminates
  signaling bottlenecks
• Access control is greatly simplified
• IP access lists are eliminated
• Asymmetric key management is simpler and more
  secure than shared secrets
• Eliminates costly overhead of managing many
  bilateral interconnect agreements

5
Solution Open Settlement Protocol

• Open Settlement Protocol (OSP)
• Global standard for inter-domain transaction
  authorization and usage reporting.
• Developed by ETSI in 1998, now in version 4.1.1
• Based on existing standards
• Uses Asymmetric Public Key Infrastructure (PKI)
  services for non-repudiation of transactions
• Broad support Asterisk, SER, Cisco, Alcatel,
  Radvision, UTStarcom, Mediaring, ISDN
  Communications, Veraz, Vovida, Teles
• Protocol Independent
• Works with SIP, H.323, SMS, MMS, IAX

6
Overview I - How OSP Works

• Route discovery
• Inter-domain access control

7
Overview II - How OSP Works

• CDR collection

8
The Basics of Public-key Cryptosystems
Security services between parties rely on
exchange of public keys and security of private
keys.

• Critical Points
• Public / Private keys used for encryption /
  decryption and digital signatures
• Public keys are public easy to distribute
• A digital certificate signed by a trusted 3rd
  party ensures the public-key is legitimate
• Digital signatures provide data integrity,
  authentication and non-repudiation
• Certificates may be chained from a root authority

9
Establishing PKI Security Services
SIP Device
Certificate Authority (CA) for Peer to
Peer Authorization (OSP Server)
Client Device requests public-key and certificate
from CA
CA sends its public key and its certificate
Client Device sends certificate request to CA
CA returns signed certificate
10
Source Peer Authentication
OSP Server
IP Network
Carrier A

• Routing request to OSP Server is digitally signed
  with VoIP devices private key.
• OSP server verifies client signature with
  clients public key to authenticate routing
  request.

11
Inter-Domain Access Control
OSP Server
Authorization Response with Token
IP Network
Domain A
Domain B

• OSP Server digitally signs authorization token
• Authorization token included in SIP Invite
• Domain B has no trusted relationship with Domain
  A, but verifies digital signature with CA public
  key
• Carrier can retain digital signature for
  non-repudiation

12
Authorization Token

• Destination
• IP address, domain name, sip uri, tel uri, E164,
  trunk group
• Destination Protocol
• SIP, Q931, H323-LRQ, IAX, other
• Transaction ID
• Service Type, Bandwidth, Number of Channels
• Call ID, Session ID, MultiSession ID
• Valid after Valid Until
• Authorized amount
• Seconds, packets, bytes, pages, call, session,
  price, currency
• Authority URL

13
Secure Accounting

• Domains A and B encrypt CDRs with CA public key
• OSP Server decrypts CDR with CA private key
• For auditing, OSP Server can request in real time
  that a domain digitally sign a batch of CDRs

14
Capabilities Pricing Messages

• OSP enables clients to update OSP server database
  in real time.
• Capabilities Exchange messages can be used
• To indicate service features available
• To indicate bandwidth or channel available
• To indicate presence
• Pricing Indication is used to provide rate
  changes
• for services (voice, fax, message, video )
• based on seconds, pages, bytes, packets and
  currency

15
Examples of OSP Peering

• Enterprise VoIP VPN
• Wholesale Inter-Carrier VoIP Services
• Tiered Peering
• Dundi Settlement Clearinghouse

16
Enterprise VoIP Network

• Requirements

1. Centralized routing 2. Secure inter-office
access control 3. Centralized accounting 4.
Autonomous local operation 5. Minimum bandwidth
1. Centralized routing
1. Centralized routing 2. Secure inter-office
access control
1. Centralized routing 2. Secure inter-office
access control 3. Centralized accounting
1. Centralized routing 2. Secure inter-office
access control 3. Centralized accounting 4.
Autonomous local operation
2. Secure inter-office access control
4. Autonomous local operation
3. Centralized accounting
5. Minimum bandwidth
1. Centralized routing


Branch Office
Internet
Headquarters
Manufacturing
Sales Office
Call Center
17
Enterprise VoIP VPN

• OSP peering architecture provides secure VoIP VPN

1. Centralized routing 2. Secure inter-office
access control 3. Centralized accounting 4.
Autonomous local operation 5. Minimum bandwidth
1. Centralized routing
1. Centralized routing 2. Secure inter-office
access control
1. Centralized routing 2. Secure inter-office
access control 3. Centralized accounting
1. Centralized routing 2. Secure inter-office
access control 3. Centralized accounting 4.
Autonomous local operation
Branch Office
Internet
Headquarters
Manufacturing
Sales Office
Call Center
18
Wholesale Inter-Carrier Services

• Challenge How to manage interconnect access and
  billing among thousands of ITSP peers

Internet
19
Wholesale Inter-Carrier Services

• Conventional solution is to route all calls via a
  softswitch or session border controller.

Internet
20
Wholesale Inter-Carrier Services

• Direct peering with OSP is more scalable, more
  reliable, better QoS, less bandwidth, lower cost.

Route Lookup
Internet
21
Wholesale Inter-Carrier Services

• Call Detail Collection from both the source and
  destination eliminates settlement disputes

Internet
22
Tiered Peering

• OSP enables secure peering among multiple peering
  networks.

Internet
Purple Peering Network
Yellow Peering Network
23
Tiered Peering CDR Reporting

• Top tier peering networks receive Call Detail
  Records from both source and destination peers.

Internet
Purple Peering Network
Yellow Peering Network
24
DUNDi

• Distributed Universal Number Discovery
• Based on General Peering Agreement
• No Settlement

25
DUNDi Clearinghouse

• DUNDi nodes enroll with CA

• DUNDi nodes enroll with CA
• Route and rate discovery with DUNDi

• DUNDi nodes enroll with CA
• Route and rate discovery with DUNDi
• Source submits route rate to clearinghouse for
  digitally signed token

rate / minute?
2 / minute!
26
DUNDi Clearinghouse

• SIP INVITE includes signed token
• Destination validates rate in token
• CDRs sent to clearinghouse

SIP INVITE with token
27
DUNDi Clearinghouse
CDR
CDR

• Clearinghouse performs settlement billing

28
Details of OSP

• An OSP server is a web server
• Message Formats
• Multipurpose Internet Mail Extensions (MIME)
• eXtensible Markup Language (XML)
• Secure MIME
• Communication Protocols

29
OSP Message Example
HTTP/1.1 200 OK Server IP address of OSP
server Date Thu, 12 May 2005 183259
GMT Connection Keep-Alive Keep-Alive
timeout3600, max5000 Content-Length
1996 Content-Type text/plain lt?xml
version'1.0'?gt ltMessage messageId'11703738491'
random'21655'gt ltAuthorizationResponse
componentId'11703738490'gt ltTimestampgt2005-05-12T1
83259Zlt/Timestampgt ltTransactionIdgt47850982870685
43017lt/TransactionIdgt ltDestinationgt ltCallId
encoding'base64'gtMTExNTkxOTE3Ny45lt/CallIdgt
ltDestinationInfo type'e164'gtCalled
Numberlt/DestinationInfogt ltDestinationSignalAddr
essgtIP AddressPortlt/DestinationSignalAddressgt
HTTP Header
OSP Message
30
OSP Message Example (cont.)
Unique Transaction ID per call
ltAuthorizationResponse componentId'11703738490'gt
ltTimestampgt2005-05-12T183259Zlt/Timestampgt ltTrans
actionIdgt4785098287068543017lt/TransactionIdgt ltDest
inationgt ltCallId encoding'base64'gtMTExNTkxOTE3
Ny45lt/CallIdgt ltDestinationInfo
type'e164'gtCalled Numberlt/DestinationInfogt
ltDestinationSignalAddressgtIP Address
Portlt/DestinationSignalAddressgt
ltUsageDetailgt ltAmountgt14400lt/Amountgt
ltUnitgtslt/Unitgt lt/UsageDetailgt
ltValidAftergt2005-05-12T182759Zlt/ValidAftergt
ltValidUntilgt2005-05-12T183759Zlt/ValidUntilgt
ltDestinationProtocolgtsiplt/DestinationProtocolgt
ltSourceInfo type'e164'gtCalling
Numberlt/SourceInfogt ltToken encoding'base64'gt
Vj0xCnI9MjE2NTUKYz0KQz03Nzc3Nzc3Nzc3Cmk9TVRFeE5U
a3hPVEUzTnk0NQphPT IwMDUtMDUtMTJUMTg6Mjc6NTlaCn
U9MjAwNS0wNS0xMlQxODozNzo1OVoKST00Nz
Call ID from source device
Called Number may be translated
Call authorized for 14440 seconds
IP Address of Called Number
Call authorized to start in 10 minute window
Protocol may be SIP, H323, IAX,
Digital signature of token ensures non-repudiation
31
Open Source Tools

• www.SIPfoundry.org
• OSP Toolkit (client)
• OpenOSP Server (based on Apache)
• RAMS OSP Server
• www.Asterisk.org
• Asterisk includes OSP client
• OSP Module for SIP Express Router
• http//osp-module.berlios.de
• www.voxgratia.org
• OSP enabled H323 proxy (future support for SIP)
• www.TransNexus.com
• OSPrey free OSP server