Session I5 Creating Secure Services for Internet Telephony

About This Presentation

Title:

Session I5 Creating Secure Services for Internet Telephony

Description:

call conference participants when all are online and not busy. IM conference alerts ... sharing of resources (SIP proxies, gateways) March 28, 2002 17 ... – PowerPoint PPT presentation

Number of Views:233

Avg rating:3.0/5.0

Slides: 96

Provided by: amruthurn

Learn more at: http://www.cs.columbia.edu

Category:

more less

Transcript and Presenter's Notes

Title: Session I5 Creating Secure Services for Internet Telephony

1
Session I5Creating Secure Services for Internet
Telephony

Henning Schulzrinne
Columbia University
hgs_at_cs.columbia.edu

2
Overview

What are IP telephony services?
Where do services reside?
How to create services?
basic fixed services (call forwarding, follow
me, ...)
registration-based services caller preferences
sip-cgi model
Call Processing Language (CPL)
sip servlets JAIN
Event notification and presence
Example of an enterprise IP telephony platform
Billing in IP telephony

3
Overview

Security in IP telephony
dealing with NATs and firewalls
differences to classical PSTN networks
threats
theft of service
registration impersonation
denial of service
privacy
current SIP approaches
Summary and conclusion

4
Aside evolution of SIP

Not quite what we had in mind
initially, SIP for initiating multicast
conferencing
in progress since 1992
still small niche
even the IAB and IESG meet by POTS conference
then VoIP
written-off equipment (circuit-switched) vs. new
equipment (VoIP)
bandwidth is (mostly) not the problem
cant get new services if other end is POTS ??
why use VoIP if I cant get new services

5
Evolution of SIP

VoIP avoiding the installed base issue
cable modems lifeline service
3GPP vaporware?
Finally, IM/presence and events
probably, first major application
offers real advantage interoperable IM
also, new service

6
VoIP at Home

Lifeline (power)
Multiple phones per household
expensive to do over PNA or 802.11
BlueTooth range too short
need wireless SIP base station handsets
PDAs with 802.11 and GSM? (Treo)
Incentives
SMS IM services

7
SIP phones

Hard to build really basic phones
need real multitasking OS
need large set of protocols
IP, DNS, DHCP, maybe IPsec, SNTP and SNMP
UDP, TCP, maybe TLS
HTTP (configuration), RTP, SIP
user-interface for entering URLs is a pain
see success of Internet appliances
PCs with handset cost 500 and still have a
Palm-size display
thus, offer services
Java-programmable
XML forms input

8
Example SIP phones
9
What are IP telephony services?

Services (features) modify basic call behavior
Can be
invoked by user
pre-programmed into network elements (e.g., SIP
proxies)
programmable feature logic
PSTN CLASS (Custom local area signaling
services) features
call waiting
call forwarding
caller ID (calling number delivery)
distinctive ringing
selective call rejection
three-way calling, ...
PSTN pre-subscribed for feature access codes
(e.g., 66)

10
IP telephony services

Call routing services pre-call, one party
speed dial
click-to-dial
call forwarding
follow me
call filtering/blocking (in/out)
do not disturb
distinctive ringing
call prioritization
feature-based agent selection
call return
Call handling features
hotline
autoanswer
intercom

Multi-party features
call waiting
whispered call waiting
blind transfer no confirmation of success
attended transfer
consultative transfer three-party conference ?
transfer
conference call
call park
call pickup
music on hold
call monitoring
barge-in
speakerphone paging
single-line extension

11
IP telephony features Internet-specific

Presence-enabled calls
place call only if callee is available
Presence-enabled conferencing
call conference participants when all are online
and not busy
IM conference alerts
receive IM when someone joins a conference
Unified messaging
receive email with new voice message
IM alert for voicemails

12
Voice-enabled features

Interactive Voice Response (IVR)
VoiceXML
voice browser

13
Voice-enabled features VoiceXML

lt?xml version"1.0"?gt
ltvxml version"2.0"gt
ltform id"basic"gt
ltfield name"acctnum" type"digits"gt
ltpromptgt What is your account number? lt/promptgt
lt/fieldgt
ltfield name"acctphone" type"phone"gt
ltpromptgt What is your home telephone number?
lt/promptgt
ltfilledgt
lt!-- The values obtained by the two fields
are supplied to the calling dialog by the
"return" element. --gt
ltreturn namelist"acctnum acctphone"/gt
lt/filledgt
lt/fieldgt
lt/formgt
lt/vxmlgt

14
PSTN vs. Internet Telephony
Internet Telephony end system
PSTN
Number of lines or pending calls is virtually
unlimited
More intelligence, PCs can be considered to be
end-user devices
Single line, 12 buttons and hook flash to signal
15
PSTN vs. Internet Telephony
PSTN
Signaling Media
Signaling Media
Internet telephony
Signaling
Signaling
Media
16
Service provider architectures

Models of providing services
IP PBX
IP Centrex (and cable/DSL)
Carrier / 3G
Similar equipment (logically), but
different trust models
sharing of resources (SIP proxies, gateways)

17
IP PBX
18
IP Centrex
19
IP Carrier
20
3G Architecture (Registration)
mobility management
signaling
serving
interrogating
interrogating
CSCF
proxy
home IM domain
registration signaling (SIP)_
visited IM domain
21
Service models protocols

Master-slave protocols (MGCP, Megaco)
feature logic in media gateway controller (MGC)
send detailed behavioral commands to MG
send ring tone
expect dialed digit string
play announcement
MG can only guess what is meant
assembly-language instructions
Peer-to-peer protocols (SIP, H.323)
more like function calls
methods (SIP method, H.323 request) and
parameters (SIP headers, H.323 ASN.1 variables)
H.323 per-feature specification (H.450.x)
SIP building blocks (Headers, REFER, JOIN, ...)

22
Combining peer-to-peer and master-slave
23
CLASS services Caller-ID

SIP To/From headers ( Organization)
Also Call-Info
Call-Info http//alice.com/photo.jpg
purposeicon,
lthttp//alice.com/gt purposeinfo
Can be anonymous
Cannot necessarily be trusted, since inserted by
user
Remote-Party-ID "John Doe" ltsipjdoe_at_foo.comgt
partycalling idtypesubscriberprivacyfull
screenyes

24
CLASS services call forwarding, follow-me

Built into core SIP
Call forwarding
either at proxy or at end system
302 Contact temporary forwarding
301 Contact permanent forwarding
Follow me
REGISTER using single identifier
with different temporary IP addresses
adopt different hardware via (e.g.,) i-button

25
SIP personal mobility
26
Call filtering (in/out)

Outbound call filtering done by outbound proxy
Often, outbound proxy controls firewall
Inbound call filtering at any of the stages
e.g., sipalice_at_bigcorp.com ? sipalice_at_paris.eng.
bigcorp.com
proxies can do filtering at
bigcorp.com
eng.bigcorp.com
paris.eng.bigcorp.com
Fixed or programmable rules (later)

27
Call routing -- forking
28
Call routing -- ENUM

Translation between E.164 telephone numbers and
URIs (e.g., SIP URIs)
RFC 2916
46-8-9761234 becomes 4.3.2.1.6.7.9.8.6.4.e164.arp
a
Look up using (new) NAPTR DNS record
Example ? contact 1st using SIP, 2nd using email
ORIGIN 4.3.2.1.6.7.9.8.6.4.e164.arpa.
IN NAPTR 100 10 "u" "sipE2U" "!.!sipinfo_at_te
le2.se!" .
IN NAPTR 102 10 "u" "mailtoE2U"
"!.!mailtoinfo_at_tele2.se!" .

29
Call routing TRIP and SLP

TRIP (RFC 3219) allows routing of SIP requests to
the best IP telephony gateway
Based on BGP model of route propagation

30
Do not disturb distinctive ringing

End system or proxy features
Distinctive ringing inserted by proxy
Alert-Info http//www.example.com/sounds/moo.wav
Do not disturb
600 (Busy)
603 (Decline)
with Retry-After

31
Call prioritization

SIP Priority header
Subject A tornado is heading our way!
Priority emergency
Can be inserted or removed by proxy
Useful for call routing

32
Caller preferences

One SIP address ? many destinations
home vs. office
cell phone vs. landline
PC video phone vs. black phone
Callees proxy decides, but caller preferences
mechanism allows caller to influence choices
Can influence
whether to proxy or redirect
which URI to proxy or redirect to
whether to fork or not
whether to search recursively or not
whether to search in parallel or sequentially

33
Caller preferences

Adds parameters to Contact headers describing
properties of location
Carol speaks English, Spanish and German and can
send/receive audio video, but only wants this
address to be used for urgent calls
Contact Carol ltsipcarol_at_example.comgt
language"en,es,de"
media"audio/,video/,application/chat"
duplex"full"
priority"urgent
INVITE request then contains headers
Accept-Contact sipuser_at_hostfeature"voicemail
attendant"
Accept-Contact sipuser_at_foo.edumobility"!fixe
d"

34
Using URIs for SIP Service Control

RFC 3087
User part is left to local configuration
Voice mail services
siprjs_at_vm.wcom.commodedeposit
sip670002_at_vm.wcom.com
Ad-hoc conferences
Invoke VoiceXML scripts
sipdialog.vxml.http3a//dialogs.server.com/scrip
t32.vxml_at_vxmlservers.com

35
Using SIP events for services

Many telecom services generate asynchronous
events
participant joined or left conference
message waiting
call leg completed or terminated
SIP defines event notification requests
SUBSCRIBE and NOTIFY
Event packages for call legs, conferences,
message waiting, IM, DTMF, ...
NOTIFY siprohan_at_rmahy-phone.cisco.com SIP/2.0
To ltsiprohan_at_cisco.comgttag78923
From ltsiprohan_at_cisco.comgttag4442
Event message-summary
Content-Type application/simple-message-summary
Messages-Waiting yes
Voicemail 4/8 (1/2)

36
Call waiting
no notion of lines ? unlimited number of line
presences
A
B
C
37
Call waiting
A
Hold on line 1
C
B
38
Call transfer (unsupervised)
39
Multi-party features

Permanently or temporarily mixing multiple media
streams
Generally, combinations of
adding conference servers (ad-hoc conferences)
transfer use REFER to ask other party to do
something
combinations of who asks whom to do what ?
recipient just follows instructions

40
Third-party call control

Separate signaling and media endpoints
Also sometimes called back-to-back UA (B2BUA)
but some B2BUAs handle media, too

41
End system vs. Network server
End system Temporary IP address Powered off so
often (Users address always changed and can not
be reached sometime) Limited computational
capacity Low bandwidth (One to one or small size
conf.) Direct user interaction Signal and media
converge (easier to deal with human interaction,
easier to deal with interaction with media)
Network server Permanent IP address Always
on (User can have unique address and can always
be reached) Ample computational capacity High
bandwidth (Conference) Indirect user
interaction Usually only deals with
signaling (Based on predefined mechanisms, or
indirect user interaction, like through web page)
42
End system vs. Network server
Network server Information hiding Logical call
distribution Gateway
End system Busy handling Call
transfer Distinctive ringing
43
Service location examples
Service End system Network (proxy) Network with Media (UA)
Distinctive ringing Yes Can assist Can assist
Visual call id Yes Can assist Can assist
Call waiting Yes No Yes()
CF busy Yes Yes() Yes()
CF no answer Yes Yes Yes
CF no device No Yes Yes
Location hiding No Yes Yes
Transfer Yes No No
Conference bridge Yes No Yes
Gateway to PSTN No No Yes
Firewall control No No Yes
Voicemail Yes No Yes
() with information provided by end system

44
Service architectureProgramming language model
45
Programmable service creation

Cant win by (just) recreating PSTN services
Programmable services
equipment vendors, operators JAIN
local sysadmin, vertical markets sip-cgi
proxy-based call routing CPL
voice-based control VoiceXML

46
Programmable service creation
API servlets sip-cgi CPL
language-independent no Java only yes own
secure no mostly can be yes
end user service creation no yes power users yes
GUI tools no no no yes
Multimedia some yes yes yes
call creation yes no no no
47
APIs (e.g., JAIN)

Tradition of TAPI, JTAPI, ...
Typically, call model
Treat calls as objects to be manipulated
e.g., JAIN
bearer independent (PSTN, IP, ATM)
protocol-independent (ISUP, SIP, H.323, BICC,
...)
protocol APIs and application APIs

48
SIP servlets

Servlet runs in SIP server
Receives SIP objects and processes them
Example call rejection application
import org.ietf.sip.
public class RejectServlet extends
SipServletAdapter
protected int statusCode
protected String reasonPhrase
public void init(ServletConfig config)
super.init(config)
try
statusCode Integer.parseInt(getInitParam
eter("status-code"))
reasonPhrase getInitParameter("reason-ph
rase")
catch (Exception _) ...
public boolean doInvite(SipRequest req)
SipResponse res req.createResponse()
res.setStatus(statusCode, reasonPhrase)
res.send()
return true

49
sip-cgi

web common gateway interface (cgi)
oldest (and still most commonly used) interface
for dynamic content generation
web server invokes process and passes HTTP
request via
stdin (POST body)
environment variables ? HTTP headers, URL
arguments as POST body or GET headers
(?arg1var1arg2var2)
new process for each request ? not very efficient
but easy to learn, robust (no state)
support from just about any programming language
(C, Perl, Tcl, Python, VisualBasic, ...)
Adapt cgi model to SIP ? sip-cgi
RFC 3050

50
sip-cgi

Designed for SIP proxies and end systems
call routing
controlling forking
call rejection
call modification (Priority, Call-Info,
Alert-Info)
cgi once per HTTP request
sip-cgi maintain state via an opaque token
script gets body of request on stdin
script gets SIP headers via environment variables
initiates actions via stdout
proxy request
return response
generate request
generate response

51
sip-cgi examples

Block _at_vinylsiding.com
if (defined ENVSIP_FROM ENVSIP_FROM
"sip_at_vinylsiding.com")
print "SIP/2.0 600 I can't talk right
now\n\n"
Make calls from boss urgent
if (defined ENVSIP_FROM ENVSIP_FROM
/sipboss_at_mycompany.com/)
foreach reg (get_regs())
print "CGI-PROXY-REQUEST reg SIP/2.0\n"
print "Priority urgent\n\n"

52
Call Processing Language (CPL)

XML-based language for processing requests
intentionally restricted to branching and
subroutines
no variables, no loops
thus, easily represented graphically
mostly used for SIP, but protocol-independent
integrates notion of calendaring (time ranges)
structured tree describing actions performed on
call setup event
top-level events incoming and outgoing

53
CPL

Location set stored as implicit global variable
operations can add, filter and delete entries
Switches
address
language
time, using CALSCH notation (e.g., exported from
Outlook)
priority
Proxy node proxies request and then branches on
response (busy, redirection, noanswer, ...)
Reject and redirect perform corresponding
protocol actions
Supports abstract logging and email operation

54
CPL example
55
CPL example

lt?xml version"1.0" ?gt
lt!DOCTYPE call SYSTEM "cpl.dtd"gt
ltcplgt
ltincominggt
ltlookup source"http//www.example.com/cgi-bin
/locate.cgi?userjones"
timeout"8"gt
ltsuccessgt
ltproxy /gt
lt/successgt
ltfailuregt
ltmail url"mailtojones_at_example.comSubjec
tlookup20failed" /gt
lt/failuregt
lt/lookupgt
lt/incominggt
lt/cplgt

56
CPL example anonymous call screening

ltcplgt
ltincominggt
ltaddress-switch field"origin" subfield"user"gt
ltaddress is"anonymous"gt
ltreject status"reject"
reason"I don't accept anonymous calls" /gt
lt/addressgt
lt/address-switchgt
lt/incominggt
lt/cplgt

57
Billing

PSTN evolution from distance/time-sensitive
per-minute billing
bucket of minutes
flat-rate plans (all you can eat) Canada, ATT
Per-minute billing doesnt fit well
SIP sessions can remain open for months, without
sending a single packet
voice silence suppression ? unfair to charge for
both directions for large conferences
incremental value is
non-linear
thus, video unlikely

utility
bit rate
58
Billing and charging

What are we billing for?
infrastructure
services
unlikely to be able to charge for call forwarding
for corporate users
but Yahoo might for residential users
traffic
but network cost depends on peak usage, not
average usage
treat all traffic the same?
3G charge more for data traffic than voice
traffic?
escalation of traffic cloaking and detection
A simple billing model
bill per-minute for calls gatewayed into the PSTN
bill for services on a subscription basis (e.g.,
as part of ISP service)
bill for traffic
independent of traffic type
by volume, 95th percentile, congestion pricing

59
Open Settlement Protocol (OSP)

clearing-house model

60
AAA Authentication, Authorization, Accounting

separate SIP protocol elements from making
authentication/authorization decisions
allow visited proxy to ask home proxy of visitor
whether visitor is legit
accounting
resource dimensioning
apportionment of charges
commercial billing
three primary protocols
RADIUS used for dial-up servers, popular with
ISPs
can lose data (UDP)
DIAMETER successor of RADIUS
will be used in 3G for AAA

61
Challenges Security

Classical model of restricted access systems ?
cryptographic security
Objectives
identification for access control billing
phone/IM spam control (black/white lists)
call routing
privacy

62
SIP security

Bar is higher than for email telephone
expectations (albeit wrong)
SIP carries media encryption keys
Potential for nuisance phone spam at 2 am
Safety prevent emergency calls

63
System model
outbound proxy
SIP trapezoid
a_at_foo.com 128.59.16.1
registrar
64
Threats

Bogus requests (e.g., fake From)
Modification of content
REGISTER Contact
SDP to redirect media
Insertion of requests into existing dialogs BYE,
re-INVITE
Bid-down attacks attacker gets to pick algorithm
Denial of service (DoS) attacks
Privacy SDP may include media session keys
Inside vs. outside threats
Trust domains can proxies be trusted?

65
Threats

third-party
not on path
can generate requests
passive man-in-middle (MIM)
listen, but not modify
active man-in-middle
replay
cut-and-paste

66
L3/L4 security options

IPsec
Provides keying mechanism
but IKE is complex and has interop problems
works for all transport protocol (TCP, SCTP, UDP,
)
no credential-fetching API
TLS
provides keying mechanism
good credential binding mechanism
no support for UDP SCTP in progress

67
Hop-by-hop security TLS

Server certificates well-established for web
servers
Per-user certificates less so
email return-address (class 1) certificate not
difficult (Thawte, Verisign)
Server can challenge client for certificate ?
last-hop challenge

68
HTTP Digest authentication

Allows user-to-user (registrar) authentication
mostly client-to-server
but also server-to-client (Authentication-Info)
Also, Proxy-Authenticate and Proxy-Authorization
May be stacked for multiple proxies on path

69
HTTP Digest authentication
REGISTER To sipalice_at_example.com
401 Unauthorized WWW-Authenticate Digest
realm"alice_at_example.com", qopauth,
nonce"dcd9"
REGISTER To sipalice_at_example.com Authorization
Digest username"alice", nc00000001,
cnonce"defg", response"9f01"
REGISTER To sipalice_at_example.com Authorization
Digest username"alice", nc00000002,
cnonce"abcd", response"6629"
70
End-to-end authentication

What do we need to prove?
Person sending BYE is same as sending INVITE
Person calling today is same as yesterday
Person is indeed "Alice Wonder, working for
Deutsche Bank"
Person is somebody with account at MCI Worldcom

71
End-to-end authentication

Why end-to-end authentication?
prevent phone/IM spam
nuisance callers
trust is this really somebody from my company
asking about the new widget?
Problem generic identities are cheap
filtering bozo_at_aol.com doesn't prevent calls from
jerk_at_yahoo.com (new day, sam person)

72
End-to-end authentication and confidentiality

Shared secrets
only scales (N2) to very small groups
OpenPGP chain of trust
S/MIME-like encapsulation
CA-signed (Verisign, Thawte)
every end point needs to have list of Cas
need CRL checking
ssh-style

73
Ssh-style authentication

Self-signed (or unsigned) certificate
Allows active man-in-middle to replace with own
certificate
always need secure (against modification) way to
convey public key
However, safe once established

74
DOS attacks

CPU complexity get SIP entity to perform work
Memory exhaustion SIP entity keeps state (TCP
SYN flood)
Amplification single message triggers group of
message to target
even easier in SIP, since Via not subject to
address filtering

75
DOS attacks amplification

Normal SIP UDP operation
one INVITE with fake Via
retransmit 401/407 (to target) 8 times
Modified procedure
only send one 401/407 for each INVITE
Suggestion have null authentication
prevents amplification of other responses
E.g., user "anonymous", password empty

76
DOS attacks memory

SIP vulnerable if state kept after INVITE
Same solution challenge with 401
Server does not need to keep challenge nonce, but
needs to check nonce freshness

77
Challenges NATs and firewalls

NATs and firewalls reduce Internet to web and
email service
firewall, NAT no inbound connections
NAT no externally usable address
NAT many different versions -gt binding duration
lack of permanent address (e.g., DHCP) not a
problem -gt SIP address binding
misperception NAT security

78
Challenges NAT and firewalls

Solutions
longer term IPv6
longer term MIDCOM for firewall control?
control by border proxy?
short term
NAT STUN and SHIPWORM
send packet to external server
server returns external address, port
use that address for inbound UDP packets

79
Emergency calls

Opportunity for enhanced services
video, biometrics, IM
Finding the right emergency call center (PSAP)
VoIP admin domain may span multiple 911 calling
areas
Common emergency address
User location
GPS doesnt work indoors
phones can move easily IP address does not help

80
Emergency calls
common emergency identifier sos_at_domain
EPAD
REGISTER sipsos Location 07605
302 Moved Contact sipsos_at_psap.leonia.nj.us Conta
ct tel1-201-911-1234
SIP proxy
INVITE sipsos Location 07605
INVITE sipsos_at_psap.leonia.nj.us Location 07605
81
Scaling and redundancy

Single host can handle ?10-100 calls
registrations/second ? 18,000-180,000 users
1 call, 1 registration/hour
Conference server about 50 small conferences or
large conference with 100 users
For larger system and redundancy, replicate proxy
server

82
Scaling and redundancy

DNS SRV records allow static load balancing and
fail-over
but failed systems increase call setup delay
can also use IP address stealing to mask failed
systems, as long as load lt 50
Still need common database
can separate REGISTER
make rest read-only

83
Large system
stateless proxies
a1.example.com
sip1.example.com
a2.example.com
sip2.example.com
sipbob_at_example.com
b1.example.com
sipbob_at_b.example.com
sip3.example.com
b2.example.com
_sip._udp SRV 0 0 b1.example.com 0
0 b2.example.com
_sip._udp SRV 0 0 sip1.example.com
0 0 sip2.example.com 0 0
sip3.example.com
84
Enterprise VoIP

Allow migration of enterprises to IP multimedia
communication
Add capacity to existing PBX, without upgrade
Allow both
IP centrex hosted by carrier
PBX-style locally hosted
Unlike classical centrex, transition can be done
transparently

85
Motivation

Not cheaper phone calls
Single number, follow-me even for analog phone
users
Integration of presence
person already busy better than callback
physical environment (IR sensors)
Integration of IM
no need to look up IM address
missed calls become IMs
move immediately to voice if IM too tedious

86
Migration strategy

Add IP phones to existing PBX or Centrex system
PBX as gateway
Initial investment ?2k for gateway
Add multimedia capabilities PCs, dedicated video
servers
Reverse PBX replace PSTN connection with
SIP/IP connection to carrier
Retire PSTN phones

87
Example Columbia Dept. of CS

About 100 analog phones on small PBX
DID
no voicemail
T1 to local carrier
Added small gateway and T1 trunk
Call to 7134 becomes sip7134_at_cs
Ethernet phones, soft phones and conference room
CINEMA set of servers, running on 1U rackmount
server

88
CINEMA components
Cisco 7960
MySQL
rtspd
sipconf
user database
LDAP server
plug'n'sip
RTSP
conferencing
media
server
server
(MCU)
wireless
sipd
802.11b
RTSP
proxy/redirect server
unified
messaging
server
Pingtel
sipum
Cisco
Nortel
2600
Meridian
VoiceXML
PBX
server
T1
T1
SIP
sipvxml
PhoneJack interface
sipc
SIP-H.323
converter
sip-h323
89
Experiences