陳懷恩, Ph.D., Assistant Professor and Head of the Information Network Division, Computing Center; Institute of Computer Science and Information Engineering, National Ilan University. TEL: # 340
Academic year: 2021

(1)

Advanced Issues: Wireless VoIP, IPv6 and Security

陳懷恩, Ph.D.
Assistant Professor and Head of the Information Network Division, Computing Center
Institute of Computer Science and Information Engineering, National Ilan University
Email: [email protected]  TEL: 03-9357400 # 340

(2)

Outline

• Wireless VoIP
• IPv6 Solutions and Transition
• SIP Security

(3)

Wireless VoIP

(4)

Introduction to wireless VoIP

• Voice over Wireless LAN expands the capability of Wireless LANs
• Wireless VoIP is a natural extension of VoIP
• Wireless VoIP is the added feature that lets users make phone calls over this mobile Internet access

(5)

Introduction to wireless VoIP

• VoIP and Wireless LAN
  - VoIP: SIP, RTP, H.323
  - Wireless LAN: WiFi (802.11a/b/g), WiMAX (802.16), 802.20

(6)

Introduction to wireless VoIP

• Wireless VoIP protocol stack (figure)

(7)

Why wireless VoIP?

• Low cost
  - Free use of the ISM band
    - ISM band: free (2.4-2.4835 GHz)
    - 3G band: NTD 10 billion
  - Inexpensive network deployment
    - Reuse of the existing network; easy to set up

(8)

Why wireless VoIP?

• Low complexity
  - Centralized architecture in the cellular network
    - The PBX contains most of the intelligence of the network
    - The proprietary system is hard to maintain
  - Decentralized architecture in the VoIP network
    - Intelligence is implemented in the User Agent
    - Easy to maintain

(9)

Why wireless VoIP?

• Low transmission power
  - Small AP coverage, so little transmission power is needed
    - GSM: 500 mW ~ 2 W
    - WLAN: < 100 mW
• Easy to provide value-added services
  - Voice and data services are integrated in VoIP
  - Flexibility of the SIP protocol

(10)

Why wireless VoIP?

• Market trend
  - The Voice over WLAN market will reach $507 million (end-user revenue) by 2007 (In-Stat/MDR)
  - Voice over WLAN handsets will grow by more than 89 percent annually until 2007, when there will be more than 653,000 (On World)

(11)

Requirements of wireless VoIP

• Performance
  - Voice quality must be as good as on the wired network
  - Delay > 100 ms is perceptible to humans
  - Low latency: < 50 ms latency is recommended
  - Reliable transmission over the wireless channel
  - Low packet loss rate
  - User mobility management

(12)

Requirements of wireless VoIP

• Capacity management
  - A heavy traffic load increases the packet loss rate and latency
  - The number of users must be controlled
• Channel assignment
  - 11 channels in 802.11b
  - Manage the operating channel among adjacent Access Points

(13)

Requirements of wireless VoIP

• Security
  - Data ciphering
    - The wireless channel is insecure
    - Data over wireless should be protected
  - AAA
    - Authentication: identification of legitimate users
    - Authorization: different service levels
    - Accounting: billing statistics

(14)

Challenges of wireless VoIP

• Due to the requirements of wireless VoIP, several issues have to be solved:
  - User mobility issue
  - Power consumption issue
  - Security issue
  - QoS issue
  - Capacity issue
  - Other related issues

(15)

Challenges of wireless VoIP

• User mobility
  - User mobility is an important feature of wireless VoIP
  - Two factors of concern:
    - Handoff latency
    - Packet loss rate
  - Seamless handoff
  - Fast handover: reducing handoff latency

(16)

Challenges of wireless VoIP

• Power consumption issue
  - Limited battery power is available at the mobile device
  - System: CPU, memory, LCD, DSP/codec
  - WLAN
    - Physical layer: radio frequency
    - MAC layer: 802.11a/b/g, 802.16, and 802.20...
    - Network layer: TCP/IP

(17)

Challenges of wireless VoIP

• Security issue
  - Data ciphering: WEP, 802.11i (WEP is cryptographically broken and gives no real confidentiality; 802.11i, i.e. WPA2 with CCMP/AES, is the usable option)
  - AAA (Authentication, Authorization, Accounting): 802.1X, RADIUS, DIAMETER

(18)

Challenges of wireless VoIP

• QoS issue
  - Voice quality depends on the delay and loss rate of packets
  - There is no QoS guarantee in legacy 802.11 DCF, since each mobile device contends for the channel using CSMA/CA
  - Some proprietary QoS schemes have been proposed, but QoS is still an open issue

(19)

Challenges of wireless VoIP

• Capacity issue
  - Voice quality is a key component of the voice service (real-time, high throughput)
  - The CSMA/CA mechanism limits the maximum number of subscribers under one AP
  - A VoIP stream typically requires less than 10 Kbps
  - Ideally, the number of simultaneous VoWLAN sessions is 11 Mbps / (10 Kbps × 2 directions) = 550
  - However, the maximum number of VoIP sessions is about 12 if
    (the ideal figure ignores the per-packet IP/UDP/RTP and 802.11 MAC overhead and the CSMA/CA contention, which dominate for small voice packets)

(20)

Challenges of wireless VoIP

• Other related issues
  - Codec compression
    - To maximize the wireless bandwidth available for voice, intelligent use of compression codecs is important
    - Codecs often require hardware assistance; the target device is hardware dependent and needs to be specially designed

(21)

Challenges of wireless VoIP

• Other related issues
  - Combining WLAN and cellular
    - WLAN: high bandwidth, low cost, multimedia service, video phone
    - Cellular: large coverage, high mobility, mature billing system, popularity

(22)

Challenges of wireless VoIP

• Other related issues
  - Combining WLAN and cellular (figure)

(23)

Summary for Wireless VoIP

• The existing wireless VoIP solutions may not be robust and reliable enough to support deployment for a large base of users
• QoS of wireless VoIP is always an open issue
• Security and capabilities for fast handoff between

(24)

IPv6 Solutions and Transition

(25)

IP Header [1/2]

• Version: 4
• Header Length
• Type of Service
• Total Length
• Identification, Flags, and Fragment Offset
  - A datagram can be split into fragments
  - Identification: identifies the fragments of one datagram
  - Flags: whether the datagram may be fragmented, and whether more fragments follow (the last fragment is the one with no more-fragments flag)
• TTL

(26)

IP Header [2/2]

• Protocol
  - The higher-layer protocol: TCP (6), UDP (17)
• Source and Destination IP Addresses

(27)

IP Version 6

• Motivation: the explosive growth of the Internet
  - The IPv4 address space is only 32 bits
  - Real-time and interactive applications
• Expanded address space: 128 bits
• Simplified header format
  - Enables easier processing of IP datagrams
• Improved support for headers and extensions
  - Enables greater flexibility for the introduction of new options
• Flow-labeling capability
  - Better support at the IP level for real-time applications

(28)

IPv6 Header [1/3] (figure)

(29)

IPv6 Header [2/3]

• Version: 6
• Traffic Class, 8-bit
  - For quality of service
• Flow Label, 20-bit
  - Labels sequences of packets that belong to a single flow
  - A flow := (source address, destination address, flow label)

(30)

IPv6 Header [3/3]

• Payload Length, 16-bit unsigned integer
  - The length of the payload in octets
  - Header extensions are part of the payload
• Next Header, 8-bit
  - The next higher-layer protocol, using the same values as the IPv4 Protocol field
  - Or, when header extensions are present, the type of the first extension header
• Hop Limit, 8-bit unsigned integer
  - Corresponds to the TTL field of the IPv4 header
• Source and Destination Addresses, 128-bit each

(31)

IPv6 addresses

• XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
  - X is a hexadecimal digit; leading zeros in a group may be dropped
  - E.g., 1511:1:0:0:0:FA22:45:11
• The symbol "::" represents a run of contiguous 16-bit groups with zero value; it may appear only once in an address, otherwise the expansion would be ambiguous
  - 1511:1:0:0:0:FA22:45:11 = 1511:1::FA22:45:11
  - 0:0:0:0:AA11:50:22:F77 = ::AA11:50:22:F77

(32)

IPv6 special addresses

• The all-zeros address, ::
  - The unspecified address; a node does not yet know its address
• The loopback address, ::1
  - On a virtual internal interface
• IPv6 address with embedded IPv4 address (type 1): IPv4-compatible
  - 96 zero bits + 32-bit IPv4 address, e.g. ::140.113.17.5
  - Used by IPv6 hosts and routers that tunnel IPv6 packets through an IPv4 infrastructure (this form was later deprecated)
• IPv6 address with embedded IPv4 address (type 2): IPv4-mapped
  - 80 zero bits + FFFF + 32-bit IPv4 address
  - 0:0:0:0:0:FFFF:140.113.17.5 = ::FFFF:140.113.17.5
  - Represents the address of a node that does not support IPv6; a dual-stack socket reports IPv4 peers in this form, so an address filter that only compares IPv4 strings misses them
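The two slides above give the "::" rule and the two embedded-IPv4 forms. The following Python is an added example, not code from the slides or from the NIU/NCTU project: it expands and compresses IPv6 text by hand (RFC 4291 syntax, RFC 5952 canonical output), cross-checks every result against the standard ipaddress module, and compares addresses by value so that an IPv4 peer reported as ::ffff:a.b.c.d still matches an IPv4 allow-list entry. All function names are the example's own.

```python
"""IPv6 textual forms: expand, compress, classify, and compare by value.

Added example (not part of the original slides). Implements the "::" rule and
the two embedded-IPv4 forms by hand, then cross-checks each result against
Python's ipaddress module.
"""
import ipaddress
from typing import List, Optional


def expand(text: str) -> List[int]:
    """Return the eight 16-bit groups of an IPv6 address written as text.

    Accepts '::' compression (at most once), a trailing dotted-quad IPv4
    address (e.g. ::FFFF:140.113.17.5) and a '%zone' suffix, which is dropped
    because the scope id is not part of the 128-bit address.
    """
    text = text.partition("%")[0].strip()
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, _, last = text.rpartition(":")
    if "." in last:  # embedded IPv4: the last 32 bits become two hex groups
        octets = [int(x) for x in last.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address")
        text = f"{head}:{octets[0] << 8 | octets[1]:x}:{octets[2] << 8 | octets[3]:x}"
    if "::" in text:
        left, right = text.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = text.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError(f"malformed IPv6 address: {text!r}")
    return [int(g, 16) for g in groups]


def compress(groups: List[int]) -> str:
    """RFC 5952 canonical text: lowercase, no leading zeros, the longest run of
    two or more zero groups replaced by '::' (the leftmost run on a tie)."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [f"{g:x}" for g in groups]
    if best_len >= 2:
        return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
    return ":".join(hexs)


def classify(text: str) -> str:
    groups = expand(text)
    if groups == [0] * 8:
        return "unspecified"
    if groups == [0] * 7 + [1]:
        return "loopback"
    if groups[:5] == [0] * 5 and groups[5] == 0xFFFF:
        return "ipv4-mapped"
    if groups[:6] == [0] * 6:
        return "ipv4-compatible (deprecated)"
    if groups[0] & 0xFFC0 == 0xFE80:
        return "link-local"
    return "global"


def embedded_ipv4(text: str) -> Optional[str]:
    """Dotted-quad carried in the low 32 bits of a mapped/compatible address."""
    groups = expand(text)
    if not classify(text).startswith("ipv4"):
        return None
    return f"{groups[6] >> 8}.{groups[6] & 0xFF}.{groups[7] >> 8}.{groups[7] & 0xFF}"


def canonical(text: str) -> str:
    """Canonical form for comparisons and ACLs, cross-checked with ipaddress."""
    out = compress(expand(text))
    if int(ipaddress.IPv6Address(out)) != int(ipaddress.IPv6Address(text.partition("%")[0])):
        raise AssertionError("canonicalisation mismatch")
    return out


def same_host(a: str, b: str) -> bool:
    """True if two textual addresses (IPv4 or IPv6) denote the same host.
    An IPv4-mapped address, which a dual-stack socket reports for IPv4 peers,
    compares as the IPv4 address it carries; the deprecated compatible form
    is deliberately not unmapped."""
    def key(t: str):
        if ":" not in t:
            return ("v4", str(ipaddress.IPv4Address(t)))
        if classify(t) == "ipv4-mapped":
            return ("v4", embedded_ipv4(t))
        return ("v6", canonical(t))
    return key(a) == key(b)
```

canonical("1511:1:0:0:0:FA22:45:11") gives "1511:1::fa22:45:11", and same_host("140.113.17.5", "::ffff:8c71:1105") is true although the two strings share no characters.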

(33)

IPv6 Header Extensions

• Placed between the fixed header and the actual data payload
• Next Header field
  - The type of payload carried in the IP datagram, or
  - The type of the header extension that follows

(34)

Header extension

• Extension headers are chained through the Next Header field: each header names the type of the one that follows, and the last one names the upper-layer protocol

(35)

UDP Client/Server Programming

Call sequence (the same on IPv4 and IPv6; only the address family and address structures differ):
  UDP client: socket -> sendto (data) -> recvfrom (data) -> ... -> closesocket
  UDP server: socket -> bind -> recvfrom (data) -> sendto (data) -> ... -> closesocket

(36)

IPv4/IPv6 Socket Parameter Mapping

• Socket parameter name conversion
  IPv4          IPv6
  AF_INET       AF_INET6
  PF_INET       PF_INET6
  INADDR_ANY    in6addr_any

(37)

IPv4/IPv6 Data Structure Mapping

• Data structure conversion
  IPv4          IPv6
  in_addr       in6_addr
  sockaddr_in   sockaddr_in6

(38)

IPv4/IPv6 Data Structure Mapping

• Data structure member conversion
  IPv4         IPv6
  sin_len      sin6_len
  sin_family   sin6_family
  sin_port     sin6_port
  sin_addr     sin6_addr
  s_addr       s6_addr

(39)

Domain Name and IP Conversion APIs

• Function conversion
  Name-to-address functions
    IPv4: gethostbyname(), gethostbyaddr()
    IPv6: getipnodebyname(), getipnodebyaddr(), and the protocol-independent getaddrinfo() / getnameinfo() (the getipnodeby*() pair was later deprecated in favour of these two)
  Address conversion functions (text <-> binary)
    IPv4: inet_aton(), inet_addr(), inet_ntoa()
    IPv6 (and IPv4): inet_pton(), inet_ntop()
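The three mapping tables above list what a port has to touch when the code hard-codes AF_INET, sockaddr_in and gethostbyname(). The protocol-independent alternative is to let getaddrinfo() choose the family, as in this added Python example (not code from the slides or the ported UA; the function names and the echo payload are the example's own). For AF_INET6 the socket address is a 4-tuple (host, port, flowinfo, scope_id), which is where a link-local scope id goes; the code reads the port back positionally so one path serves both families. IPV6_V6ONLY is set so an IPv4 client cannot arrive at the IPv6 socket as ::ffff:a.b.c.d and slip past IPv4-only filtering.

```python
"""Protocol-independent UDP client/server with getaddrinfo() (added example).

Replaces the IPv4-only idioms (AF_INET, sockaddr_in, inet_addr, gethostbyname)
with getaddrinfo()/getnameinfo(), so one code path serves both 127.0.0.1 and ::1.
"""
import socket


def udp_server_socket(host, port=0):
    """Bind a UDP socket for `host` with whatever family getaddrinfo() returns.
    port=0 lets the OS pick; the caller reads it back with getsockname()."""
    infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_DGRAM,
                               0, socket.AI_PASSIVE | socket.AI_NUMERICHOST)
    last_err = None
    for family, socktype, proto, _canon, sockaddr in infos:
        sock = socket.socket(family, socktype, proto)
        try:
            if family == socket.AF_INET6:
                # IPv6 only on this socket: otherwise an IPv4 peer shows up
                # here as ::ffff:a.b.c.d and bypasses IPv4-only filtering.
                sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1)
            sock.bind(sockaddr)   # 2-tuple for AF_INET, 4-tuple for AF_INET6
            return sock
        except OSError as err:
            sock.close()
            last_err = err
    raise last_err or OSError(f"no usable address for {host!r}")


def udp_echo_roundtrip(host, payload=b"hello over UDP", timeout=2.0):
    """Start an echo server on `host`, send it one datagram and return
    (reply, peer address as text). Returns None when the host's address
    family is unavailable on this machine (e.g. IPv6 loopback disabled)."""
    try:
        srv = udp_server_socket(host)
    except OSError:
        return None
    try:
        srv.settimeout(timeout)
        port = srv.getsockname()[1]        # index 1 is the port for both families
        # Client side: the same lookup, with nothing about the family hard-coded.
        family, socktype, proto, _canon, sockaddr = socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_DGRAM, 0, socket.AI_NUMERICHOST)[0]
        cli = socket.socket(family, socktype, proto)
        try:
            cli.settimeout(timeout)
            cli.sendto(payload, sockaddr)
            data, peer = srv.recvfrom(2048)
            # getnameinfo() is the family-neutral replacement for inet_ntoa()/inet_ntop().
            peer_host, _peer_port = socket.getnameinfo(
                peer, socket.NI_NUMERICHOST | socket.NI_NUMERICSERV)
            srv.sendto(data, peer)
            reply, _ = cli.recvfrom(2048)
            return reply, peer_host
        finally:
            cli.close()
    finally:
        srv.close()
```

udp_echo_roundtrip("127.0.0.1") returns (b"hello over UDP", "127.0.0.1"); on a host with IPv6 loopback, udp_echo_roundtrip("::1") returns (b"hello over UDP", "::1") from exactly the same code.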

(40)

Results of Using Checkv4.exe (screenshot)

(41)

IPv4 SIP User Agent

• Provided by CCL/ITRI and NTPO
• SIP-based VoIP phone running on Windows
• Supports the H.263 video codec
• Supports the G.711u/G.711a/G.723/G.729 audio codecs
• Supports registration

(42)

GUI Problem

• IP Address Control (A)
  - IPv4 specific
  - Does not accept domain names or IPv6 addresses
• The variable-length input component (B)

(43)

Get Local Address

• The SIP User Agent should provide the IPv4 and IPv6 addresses of the local host
• The IPHelper functions
  - Microsoft Windows has provided these functions since Windows 98
  - This solution works on both Windows XP and 2003
  - It is a Windows-only solution

(44)

Parsing IPv6 URI in SIP and SDP

• IPv4 SIP URI: sip:[email protected]:5060
• IPv6 SIP URI: sip:wechen@[3ffe:1345:5643::3]:5060
• The IPv4 parser assumes that the colon separates the IP address from the port number, which breaks on an IPv6 address; the SIP parser in the SIP and SDP protocol stacks has to be modified to process an IPv6 address (enclosed in square brackets) followed by the port number
• IP6 address type and IPv6 address in the Session Description Protocol (SDP)
  - c=IN IP6 FE80:60::2

(45)

IPv6 Link-local Address Problem

• Link-local IPv6 address with scope-id
  - E.g. fe80::201:2ff:fe85:37ed%3
  - Used with link-local addresses to identify which interface the (otherwise identical) address refers to
  - The scope-id must be specified when connecting to sites using a link-local address
  - An extra parameter (the sin6_scope_id member of sockaddr_in6) has to be carried in the address data structure

(46)

Porting IPv4 SIP UA to IPv6: Results

• The IPv4 SIP UA contains about 100,000 lines of code in 150 files
• We changed about 600 lines of code in 39 files
  - About 300 of these lines were not identified by checkv4.exe
• The SIPv6 UA supports
  - IPv4 or IPv6 communication
  - IPv6 addresses in SIP and SDP
  - IPv6 addresses in the GUI

(47)

Result: A SIPv6 User Agent

Figure (legend): two SIPv6 UAs on separate IPv6 networks joined by a tunnel. Steps: 1. configuration; 2. dialing; 3. SIP signaling using IPv6 addresses (3.1-3.3 INVITE, 3.4-3.6 200 OK, 3.7-3.9 ACK, carried over IPv6 and through the tunnel); 4. RTP / video.

(48)

Why do we need to modify our applications?

Figure: an IPv4 application opens AF_INET sockets through WinSock onto the IPv4 stack (TCP/UDP over IPv4); an IPv6 application opens AF_INET6 sockets onto the IPv6 stack (TCP/UDPv6); a v4/v6 protocol-independent application on a dual-stack host uses both over the same PHY & MAC.

Some Socket APIs, parameters and data structures of IPv6 are different from those of IPv4 and have to be modified.

(49)

Socket-layer Translator (SLT)

Figure: IPv4 applications run unchanged on top of the SLT, which consists of a Function Mapper, an Address Mapper and a Name Resolver.

(50)

Address Translation Example: Originator

Dual-stack host running an IPv4 application over the SLT extension (Name Resolver, Address Mapper, Translator) and an IPv6 stack; the peer Host6 and the DNS server are IPv6-only.

1. The IPv4 application asks to resolve an IPv4 address for "host6"
2. The Name Resolver queries DNS for the 'A' and 'AAAA' records of host6
3. DNS replies only with an 'AAAA' record
4. The Name Resolver requests one IPv4 address from the Address Mapper (internal IPv4 address allocation); the Address Mapper replies with the IPv4 address
5. The Name Resolver answers the application with a synthesized 'A' record
6. The application sends an IPv4 packet to Host6
7. The Translator requests the IPv6 address bound to that IPv4 address; the Address Mapper replies with it
8. Translation (v4->v6): the IPv4 packet is translated into an IPv6 packet and sent to Host6
9. An IPv6 reply packet arrives from Host6
10. The Translator requests the IPv4 address bound to Host6's IPv6 address; the Address Mapper replies with it
11. Translation (v6->v4): the IPv6 packet is translated into an IPv4 packet and delivered to the application

(51)

Address Translation Example: Recipient

Same components as in the originator case.

1. An IPv6 packet arrives from "host6"
2. The Translator requests an IPv4 address for it from the mapping table; the Address Mapper replies with the IPv4 address
3. Translation (v6->v4): the IPv6 header is translated to an IPv4 header and the IPv4 packet is delivered to the application
4. The application replies with IPv4 data to "host6"
5. The Translator requests the IPv6 address from the table; the Address Mapper replies with it
6. Translation (v4->v6): the IPv4 packet is translated to IPv6 and sent to host6

(52)

SIPv6 Translator

• Through manual modification and the Socket-layer Translator, we have IPv6 SIP UAs (SIPv6 UAs).
• However, using only SIPv6 UAs, which can utilize the rich IPv6 address space, does NOT solve the IP address shortage problem in VoIP deployment, because a SIPv6 UA cannot communicate with a SIPv4 UA (e.g. a Cisco 7960).
• To solve this problem, we developed a SIPv6 Translator based on the architecture proposed in IETF RFC 2766 (Network Address Translation - Protocol Translation, NAT-PT). (NAT-PT was later reclassified as Historic by RFC 4966 because of its DNS-ALG and stateful-translation problems; today's equivalent is stateful NAT64 with DNS64, RFC 6146/6147.)
• The SIPv6 Translator is a gateway between IPv6 and IPv4 networks. It translates not only the IP headers but also the application-layer headers (e.g. SIP and SDP).

(53)

NAT-PT with DNS-ALG

Figure: IPv6 network (UA1 ua1.ipv6.nctu.edu.tw at 3ffe:3600:1::3; DNS1 at 3ffe:3600:1::2) -- Translator with DNS-ALG -- IPv4 network (UA2 ua2.ipv4.nctu.edu.tw at 140.113.87.2; DNS2 at 140.113.87.1).
The NAT-PT translator configuration:
• Address pool: 140.113.87.51-60
• NAT-PT prefix: 3ffe:3600:2::/96

(54)

NAT-PT operations with DNS-ALG (IPv6 -> IPv4)

Message sequence (UA1 on the IPv6 network calls UA2 on the IPv4 network; the DNS-ALG and NAT-PT sit in the translator):
1. UA1 -> DNS1: DNS Query (AAAA) for UA2's name
2. DNS1 -> DNS-ALG: DNS Query (AAAA)
3. DNS-ALG -> DNS2: DNS Query (A), the ALG rewriting the record type
4. DNS2 -> DNS-ALG: DNS Response (A)
5. DNS-ALG -> DNS1: DNS Response (AAAA), the IPv4 address embedded under the NAT-PT prefix
6. DNS1 -> UA1: DNS Response (AAAA)
7. ICMPv6 messages (Neighbor Discovery: MAC address query and response) between UA1 and the translator
8. UA1 -> translator: IPv6 packet
9. ARP messages (MAC address query and response) between the translator and UA2
10. Translator -> UA2: translated IPv4 packet

(55)

NAT-PT operations with DNS-ALG (IPv4 -> IPv6)

Message sequence (the IPv4 UA calls the IPv6 UA):
1. IPv4 UA -> DNS2: DNS Query (A) for the IPv6 UA's name
2. DNS2 -> DNS-ALG: DNS Query (A)
3. DNS-ALG -> DNS1: DNS Query (AAAA)
4. DNS1 -> DNS-ALG: DNS Response (AAAA)
5. DNS-ALG -> DNS2: DNS Response (A), carrying an IPv4 address allocated from the translator's pool and bound to the IPv6 address
6. DNS2 -> IPv4 UA: DNS Response (A)
7. ARP messages (MAC address query and response) between the IPv4 UA and the translator
8. IPv4 UA -> translator: IPv4 packet
9. ICMPv6 messages (Neighbor Discovery: MAC address query and response) between the translator and the IPv6 UA
10. Translator -> IPv6 UA: translated IPv6 packet

(56)

System Architecture of SIPv6 Translator

Figure: SIIT component (IPv6-IPv4 header translation) with address mapping, DNS-ALG and SIP-ALG, and a NIC on each network.
ALG: Application Level Gateway; DNS: Domain Name System; SIP: Session Initiation Protocol; NIC: Network Interface Controller; SIIT: Stateless IP/ICMP Translation, see IETF RFC 2765

(57)

IPv4/IPv6 Translation for Registration

UA3 (IPv6 network) -- SIP-ALG -- SIPv4 Server (IPv4 network)

3.1 UA3 -> SIP-ALG
  REGISTER sip.ipv4.nctu.edu.tw
  Via: SIP/2.0/UDP [3ffe:3600:1::4]:5060
  To: <sip:[email protected]>
  From: <sip:[email protected]>
  Contact: <sip:1234@[3ffe:3600:1::3]:5060>

3.2 SIP-ALG -> SIPv4 Server
  REGISTER sip.ipv4.nctu.edu.tw
  Via: SIP/2.0/UDP 140.113.87.53:5061
  To: <sip:[email protected]>
  From: <sip:[email protected]>
  Contact: <sip:[email protected]:5061>

3.3 SIPv4 Server -> SIP-ALG
  200 OK
  Via: SIP/2.0/UDP 140.113.87.53:5061
  To: <sip:[email protected]>
  From: <sip:[email protected]>
  Contact: <sip:[email protected]:5061>

3.4 SIP-ALG -> UA3
  200 OK
  Via: SIP/2.0/UDP [3ffe:3600:1::4]:5060
  To: <sip:[email protected]>
  From: <sip:[email protected]>
  Contact: <sip:1234@[3ffe:3600:1::3]:5060>

(58)

IPv4/IPv6 Translation for INVITE Transaction (IPv4 -> IPv6)

UA2 (IPv4 network, 140.113.87.2) -- SIPv4 Server (140.113.87.40) -- SIP-ALG / NAT-PT -- UA1 (IPv6 network, 3ffe:3600:1::3)

4.1 UA2 -> SIPv4 Server
  INVITE sip:[email protected]
  Via: SIP/2.0/UDP 140.113.87.2:5060
  Contact: <sip:[email protected]>
  c=IN IP4 140.113.87.2
  m=Audio 9000 RTP/AVP 0 4 8

4.2 SIPv4 Server -> SIP-ALG
  INVITE sip:[email protected]:5061
  Via: SIP/2.0/UDP 140.113.87.40:5060
  Via: SIP/2.0/UDP 140.113.87.2:5060
  Contact: <sip:[email protected]>
  c=IN IP4 140.113.87.2
  m=Audio 9000 RTP/AVP 0 4 8

4.3 SIP-ALG -> UA1
  INVITE sip:1234@[3ffe:3600:1::3]:5060
  Via: SIP/2.0/UDP [3ffe:3600:2::140.113.87.40]:5060
  Via: SIP/2.0/UDP 140.113.87.2:5060
  Contact: <sip:[email protected]>
  c=IN IP6 3ffe:3600:2::140.113.87.2
  m=Audio 9000 RTP/AVP 0 4 8

4.4 UA1 -> SIP-ALG
  200 OK
  Via: SIP/2.0/UDP [3ffe:3600:2::140.113.87.40]:5060
  Via: SIP/2.0/UDP 140.113.87.2:5060
  Contact: sip:[email protected]
  c=IN IP6 3ffe:3600:1::3
  m=Audio 9000 RTP/AVP 0

4.5 SIP-ALG -> SIPv4 Server
  200 OK
  Via: SIP/2.0/UDP 140.113.87.40:5060
  Via: SIP/2.0/UDP 140.113.87.2:5060
  Contact: <sip:[email protected]>
  c=IN IP4 140.113.87.52
  m=Audio 9002 RTP/AVP 0

4.6 SIPv4 Server -> UA2
  200 OK
  Via: SIP/2.0/UDP 140.113.87.2:5060
  Contact: <sip:[email protected]>
  c=IN IP4 140.113.87.52
  m=Audio 9002 RTP/AVP 0

4.7 UA2 -> SIPv4 Server
  ACK sip:[email protected]
  Via: SIP/2.0/UDP 140.113.87.2:5060
  Contact: <sip:[email protected]>

4.8 SIPv4 Server -> SIP-ALG
  ACK sip:[email protected]:5061
  Via: SIP/2.0/UDP 140.113.87.40:5060
  Via: SIP/2.0/UDP 140.113.87.2:5060
  Contact: <sip:[email protected]>

4.9 SIP-ALG -> UA1
  ACK sip:1234@[3ffe:3600:1::3]:5060
  Via: SIP/2.0/UDP [3ffe:3600:2::140.113.87.40]:5060
  Via: SIP/2.0/UDP 140.113.87.2:5060

The ALG rewrites the Request-URI, the topmost Via, the Contact and the SDP c= line; in the v6->v4 direction the media port also changes (9000 -> 9002), because RTP from the IPv6 UA is relayed through the translator's pool address.

(59)

SIPv6 Analyzer

Figure: Control Panel, Packet List, and Protocol Parser (using the Ethereal parser).

(60)

SIP Viewer

Figure: SIP Dialog Collection (Call-ID, From, To) and a SIP Flowchart built from the headers.
SIP Viewer automatically collects SIP messages.

(61)

RTP Viewer

Figure: RTP Session List, Video Playback, and Video and Voice Control Panel.
RTP Viewer can play back video and voice.

(62)

The IPv6 SIP-based VoIP Deployment

• Numbers 0944006XXX are assigned to the IPv6 network.
• Numbers 0944004XXX are assigned to the IPv4 network.

(63)

The IPv6 and IPv4 SIP Environment

Figure: PSTN phone and speaker, Snom 200, Cisco 7940, Pingtel, Windows Messenger, the SIPv6 Translator and SIPv6 Analyzer, and the SIPv6 UA (implemented by NCTU).

(64)

The PSTN Gateways

• Cisco 2621XM Gateway
• Vontel Gateway (implemented by ITRI/CCL Taiwan)

(65)

The Interoperability Test Results

Tested fields: SIP message (Request-URI, Contact, Via, From, To) and SDP message (c, m, o), per device:
  IP soft phones: CCL Skin UA; Windows Messenger 4.7.2009
  IP hard phones: PingTel 2.1.10; snom 200; Cisco IP Phone 7940 Series
  PSTN gateways: Vontel PSTN Gateway; Cisco PSTN Gateway

• The SIPv6 UA developed by NCTU can communicate with all of the commercial IPv4 SIP UAs through the SIPv6 Translator.

(66)

SIP Security

(67)

SIP Security

• SIP communications are susceptible to several types of attacks.
• The simplest attack on SIP is snooping, which lets an attacker gain information on users' identities, services, media, network topology, and so on.

(68)

SIP Security

• SIP messages may contain information a user or server wishes to keep private.
• The headers can reveal information about the communication patterns and content of individuals, or other confidential information.
• The SIP message body may also contain user information (media type, codec, addresses and ports, etc.) that should not be revealed.

(69)

SIP Security

• Securing SIP header and body information can be motivated by two different reasons:
  - Maintaining private user and network information in order to guarantee a certain level of privacy
  - Avoiding SIP sessions being set up or changed by

(70)

SIP Security

• The mechanisms that provide security in SIP can be classified as end-to-end or hop-by-hop protection.
  - End-to-end mechanisms involve the caller and/or callee SIP user agents and are realized by features of the SIP protocol specifically designed for this purpose (e.g., SIP authentication and SIP message body encryption).
  - Hop-by-hop mechanisms secure the communication between two successive SIP entities in the path of the signaling messages.

(71)

SIP Security

• SIP does not provide specific features for hop-by-hop protection and relies on network-level (IPsec) or transport-level security (TLS).
• Hop-by-hop mechanisms are needed because intermediate elements may play an active role in SIP processing by reading and/or writing some parts of the SIP messages.

(72)

SIP Security

• End-to-end security cannot apply to those parts of the messages that are read or written by intermediate SIP entities.

(73)

SIP Security

• Two main security mechanisms are used with SIP:
  - Authentication
  - Data encryption

(74)

SIP Security

• Data authentication is used to authenticate the sender of the message, and to ensure that some critical message information was not modified in transit.
• This is to prevent an attacker from modifying and/or replaying SIP requests and responses.

(75)

SIP Security

• SIP makes use of the Proxy-Authenticate, Proxy-Authorization, Authorization, and WWW-Authenticate header fields, similar to those of HTTP, for authentication of the end system. This is HTTP Digest challenge-response authentication based on a shared password, not a digital signature: it proves knowledge of the password and covers only the method and Request-URI, so the message body and most headers are not integrity-protected by it.
• Alternatively, hop-by-hop authentication can be performed using transport- or network-layer authentication protocols such as TLS or IPsec.

(76)

SIP Security

• Data encryption is used to ensure the confidentiality of SIP communications, letting only the intended recipient decrypt and read the data.
• This is usually done using encryption algorithms such as the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). (DES, with its 56-bit key, is obsolete and breakable by exhaustive search; AES is the current choice.)

(77)

SIP Security

• SIP supports two forms of encryption:
  - end-to-end
  - hop-by-hop

(78)

SIP Security

• End-to-end encryption provides confidentiality for all information (some SIP headers and the message body) that does not need to be read by intermediate proxy servers.
• End-to-end encryption is performed by S/MIME mechanisms.

(79)

SIP Security

• Hop-by-hop encryption of whole SIP messages can be used to protect the information that must be accessed by intermediate entities, such as the From, To, and Via headers.
• Encryption of such information can prevent malicious users from determining who calls whom, or from accessing route information.

(80)

SIP Security

• Hop-by-hop encryption can be performed by security mechanisms external to SIP (IPsec or TLS).

(81)

SIP Security

• IPsec is a network-layer mechanism that can be used to introduce security directly at the IP layer.
• Usually IPsec is used to provide security based on network node identity, and this is done independently of the SIP architecture.

(82)

SIP Security

• For this reason, IPsec is used in SIP mainly between SIP entities that have a preconfigured and fairly static security association (e.g., servers within the same IP telephony provider).

(83)

SIP Security

• TLS provides transport-layer security over connection-oriented protocols (TCP), and it is suited to architectures in which hop-by-hop security is required between hosts with a more dynamic security association.

(84)

SIP Security

• Note that if a user agent uses IPsec or TLS to send SIP requests to a proxy server (hop by hop), this does not guarantee that secure transport will be used on the rest of the end-to-end path.

(85)

SIP Security

• The most recent version of the SIP specification (RFC 3261) includes a way to specify that a resource (e.g., a server or user) should be reached securely using TLS.
• In particular, the address of a user is normally defined in SIP using a SIP uniform resource identifier (URI).

(86)

SIP Security

• If a user address is expressed using a new type of URI, a SIP Secure (SIPS) URI (e.g., sips:[email protected]), it means that the use of TLS is requested. A SIPS URI obliges each hop up to the target domain's proxy to use TLS; it says nothing about the media, which needs SRTP to be protected.
• The security mechanisms must be combined properly to obtain a trusted network scenario.

(87)

SIP Security (figure)

(88)

SIP Security

• The authentication procedure in SIP:
  - The SIP authentication procedure is derived from HTTP Digest authentication
  - It is a challenge-based mechanism
  - When a server receives a request, it may challenge the initiator of the request to provide assurance of its identity: a registrar or UAS answers 401 Unauthorized with a WWW-Authenticate header (a proxy answers 407 with Proxy-Authenticate), and the client resends the request with an Authorization (or Proxy-Authorization) header computed from the challenge and the shared password
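The challenge-response exchange described above, as an added Python example (not code from the slides): the server issues a WWW-Authenticate challenge, the client computes the Digest response from the shared password, and the server verifies it. The nonce table with its nc (nonce count) check is the example's own addition and shows how a captured Authorization header is rejected on replay; the realm, user name and password are constructed.

```python
"""SIP Digest authentication: challenge, client response, server verification.

Added example, not code from the slides. Follows the HTTP Digest scheme that
SIP reuses (RFC 3261 s22 / RFC 2617): MD5 with qop=auth. The nonce table and
nc counter show how a replayed Authorization header is rejected.
"""
import hashlib
import secrets
import time


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_auth_params(header_value):
    """'Digest realm="r", nonce="n", qop="auth"' -> {'realm': 'r', ...}.
    Values in this example never contain commas, so a plain split is enough."""
    scheme, _, params = header_value.partition(" ")
    if scheme != "Digest":
        raise ValueError("only the Digest scheme is handled")
    out = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        out[key.strip()] = value.strip().strip('"')
    return out


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce):
    """response = MD5(HA1:nonce:nc:cnonce:auth:HA2), HA1 = MD5(user:realm:password),
    HA2 = MD5(method:uri). Only the method and Request-URI are covered; the body
    and the other headers are not protected by this value."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_authorization(challenge, username, password, method, uri, nc=1, cnonce=None):
    """Client side: answer a WWW-Authenticate challenge with an Authorization value."""
    p = parse_auth_params(challenge)
    cnonce = cnonce or secrets.token_hex(8)
    nc_hex = f"{nc:08x}"
    resp = digest_response(username, p["realm"], password, method, uri, p["nonce"], nc_hex, cnonce)
    return (f'Digest username="{username}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
            f'uri="{uri}", response="{resp}", algorithm=MD5, cnonce="{cnonce}", qop=auth, nc={nc_hex}')


class DigestServer:
    """Server side: issues challenges and verifies responses."""

    def __init__(self, realm, users, nonce_lifetime=300):
        self.realm = realm
        self.users = users              # username -> password (constructed)
        self.nonce_lifetime = nonce_lifetime
        self.nonces = {}                # nonce -> [issued_at, highest nc accepted]

    def challenge(self, now=None):
        """Value for WWW-Authenticate (401) or Proxy-Authenticate (407)."""
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [time.time() if now is None else now, 0]
        return f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5, qop="auth"'

    def verify(self, method, authorization, now=None):
        now = time.time() if now is None else now
        p = parse_auth_params(authorization)
        entry = self.nonces.get(p.get("nonce"))
        if entry is None or now - entry[0] > self.nonce_lifetime:
            return False                # nonce never issued, or stale
        try:
            nc = int(p["nc"], 16)
            if nc <= entry[1]:
                return False            # replayed (or reordered) request
            password = self.users.get(p["username"])
            if password is None or p["realm"] != self.realm or p.get("qop") != "auth":
                return False
            expected = digest_response(p["username"], self.realm, password, method,
                                       p["uri"], p["nonce"], p["nc"], p["cnonce"])
            if not secrets.compare_digest(expected, p["response"]):
                return False
        except (KeyError, ValueError):
            return False
        entry[1] = nc
        return True
```

Because the response is a hash over the password and the challenge, a captured exchange is enough for an offline dictionary attack on weak passwords; Digest authenticates the client, it does not confidentiality-protect anything, which is why the slides pair it with TLS or IPsec for the hop and S/MIME for the body.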

(89)

SIP Security
