IT-Symposium B07 - Which scenarios are possible when deploying VoIP (IP PBX, IP Centrex etc.)
(original title: "IT-Symposium B07 - Welche verschiedenen Szenarien sind beim Einsatz von VoIP möglich (IP PBX, IP Centrex usw.)")


© 2007 Verizon. All Rights Reserved. PTEXXXXX XX/07

global capability. personal accountability.

VoIP - what is possible?

B07 - Which scenarios are possible when deploying VoIP (IP PBX, IP Centrex etc.)

Andreas Aurand, Sales Engineer, April 19th, 2007

Verizon Communications Inc.

Revenue
• 2006 revenue: $88.1 billion (+26.8% compared to 2005)
• World's second biggest telecommunications provider*
• 50th on the Fortune Global 500

Profit
• One of the world's most profitable telecommunications providers*
• 36th on the Fortune Global 500

About Verizon Business

• Customers include 94% of the Fortune 500
• Over 30,000 employees
• Operations in 75 countries
• Customers in 2,700 cities in 152 countries
• Most expansive IP network worldwide (based upon PoPs)
• Most connected backbone according to TeleGeography

Verizon Business Portfolio

• Managed Network Services
• WAN Management
• LAN Management
• Managed Telephony
• Professional Services

Agenda

• SIP Signalling
• VoIP Services
• VoIP Security
• Unified Messaging
• Verizon Business VoIP solutions

SIP Signalling

Traditional Voice Services - Circuit Switched

• Signalling between PBX systems: QSIG, ISDN PRI, …
• Signalling between phone and PBX or telephone switch
  – Digital: ISDN BRI - Q.931
  – Analogue: E&M, Loop Start, Ground Start
• Signalling between PBX and CO (central office)
  – ISDN PRI - Q.931 (digital)
  – Analogue (usually obsolete)
• Signalling inside the carrier network (using a separate signalling network): SS7 (digital)
• Voice circuit
  – Analogue: dedicated circuit
  – Digital: fixed TDM slot

VoIP Services - Packet Switched

• Signalling between the PBX and the VoIP gateway: QSIG, ISDN PRI, E&M
• Signalling between phone and PBX
  – Digital: ISDN BRI - Q.931
  – Analogue: E&M, Loop Start, Ground Start
• IP voice circuit between the gateways: RTP or SRTP
• VoIP signalling between the gateways
  – ITU H.323 protocol
  – IETF SIP protocol
  – Cisco Skinny protocol
  – Asterisk IAX2 (Inter-Asterisk eXchange)
  – IETF MGCP or MeGaCo

VoIP Signalling - SIP and H.323

IETF SIP protocol (RFC 3261)
– A flexible, scalable, text-based call control protocol (similar to HTTP and SMTP)
– Besides signalling, SIP also supports presence and instant messaging applications
  » Conferencing (e.g. Microsoft Live Meeting)
  » Presence and Instant Messaging (e.g. Microsoft Communicator)
– Robust security mechanisms
  » Authentication using HTTP Digest, TLS or S/MIME
  » Encryption using TLS or S/MIME
  » Message integrity using TLS or S/MIME

ITU H.323 protocol
– Based on ISDN signalling (Q.931); uses binary-encoded ASN.1 messages
– Is exclusively a signalling protocol
– Widely deployed in small PSTN replacement networks for handling simple phone calls
– Dominates the IP videoconferencing market

SIP Protocol

• Call control or signalling protocol that establishes and terminates media sessions:
  – Individual voice or conference calls
  – Videoconferences and point-to-point video-enabled calls
  – Web collaboration and chat sessions
  – Instant messaging sessions
• Open standard protocol; specifies the basic and supplementary services to create, modify and delete multimedia sessions or calls.
  – A peer-to-peer protocol built on client-server transactions; not an IP-to-PSTN gateway control protocol such as MGCP, MEGACO or H.248.
• Integrates with other Internet services, such as e-mail, Web, voice mail, instant messaging, multiparty conferencing and multimedia collaboration.

SIP Protocol (continued)

• SIP uses Uniform Resource Identifiers (URIs) that can look like an e-mail address or may contain phone numbers:
  – sip:henry@verizonbusiness.com
  – sip:+19725551212@gateway.com
  – The names are resolved to an IP address using SIP proxy servers and DNS lookups at the time of the call.
• SIP is an application-layer protocol
  – Utilizes the Session Description Protocol (SDP) to describe the media of a call during call setup
  – Supported transport protocols
    » UDP (port 5060)
    » TCP (port 5060)
    » Stream Control Transmission Protocol (SCTP, port 5060)
    » TLS over TCP (port 5061)

SIP Entities

• User Agent (UA)
  – End devices
  – Initiate and terminate media sessions
    » Client (UAC): initiates a request
    » Server (UAS): responds to a request
• SIP Server
  – Assists in session setup
    » Registrar
    » Location Server
    » Proxy Server
    » Redirect Server
    » Presence Server
• Back-to-Back User Agent (B2BUA)
  – Intermediary device
  – Appears as an endpoint to the two endpoints

(Diagram: a User Agent Client sends a REGISTER request to the Registrar, which updates the "URI to IP address binding" in the Location Service database (SIP URI to IP address mapping, updated by UA REGISTER requests). INVITE requests are routed via Proxy Server, Redirect Server and DNS Server to the User Agent Server; a gateway to the PSTN acts as a B2BUA.)

SIP Entities - User Agents

User agents
– Applications in SIP endpoints (such as a SIP phone) that interface between the user and the SIP network.
– An agent can act as either a client or a server.
  » When making a call it acts as a User Agent Client (UAC)
  » When receiving a call it acts as a User Agent Server (UAS)

Back-to-Back User Agent (B2BUA)
– An application that acts as an intermediary between two parties, but appears as an endpoint to both parties.
  » It serves as both a UAS and a UAC simultaneously to process session requests.
  » For example, a SIP Analogue Telephone Adapter (ATA) might work as a B2BUA

• SIP devices can communicate directly with each other if they know the other's URI, but in practice SIP servers are used in the network to provide an infrastructure for routing, registration and authentication/authorization services.

SIP Entities - SIP Servers (1)

Registrar Server
– Registers users when they come on-line and stores information on the user's logical identity and the associated device or devices they will allow for communications.
– Accepts REGISTER requests and places the information it receives in those requests into the location service for the domain it handles.

Location Server
– A database that keeps track of users and the URI bindings that are "closer" to them.
  » Contains a list of bindings of address-of-record keys to zero or more contact addresses.
– The location service gets its input from the registrar server and provides key information for the proxy and redirect servers.
– Used by a SIP redirect or proxy server to obtain information about a callee's possible location(s).

Redirect Server
– Maps a SIP request destined for a user to the URI of the device "closest" to the user.
  » Accepts a SIP INVITE request from the calling user agent
  » Obtains the correct SIP address of the called user agent (from a location service)
  » Replies to the calling user agent with the correct SIP address using 3xx responses

SIP Entities - SIP Servers (2)

Proxy Server
– Services SIP requests by processing them and passing them along to other SIP servers.
  » Routing: ensures that a request is sent to another entity "closer" to the targeted user.
  » Enforcing policies; for example, making sure a user is allowed to make a call.
– A proxy server may act as both a server and a client, and can modify a SIP request before passing it along.
  » Interprets and rewrites specific parts of a request message before forwarding it.
– A proxy is involved only in the set-up and teardown of communications.
  » Once a session is established, the media flows directly between the parties (the proxy only stays in the signalling path if it inserted a Record-Route header).

Presence Server
– Accepts, stores and distributes presence information.
  » Presentities (clients producing information) provide presence information to the server to be stored and distributed.
  » Watchers (clients consuming information) receive presence information from the server.

SIP Messages

SIP Requests (called "methods") - client to server
– Six base methods: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER

SIP Responses - server to client
– SIP requests generate responses with numerical response codes
  » Borrowed from the HTTP protocol
  – 1xx Provisional (informational)
  – 2xx Success
  – 3xx Redirection
  – 4xx Client Error
  – 5xx Server Error
  – 6xx Global Failure
  » 2xx to 6xx are final responses; only 1xx responses are provisional

SIP Message Format

SIP Header
– Required headers in every request: To, From, Via, Call-ID, CSeq and Max-Forwards (RFC 3261 section 8.1.1)
– Optional headers: Subject, Date, the authentication headers and many others
  » Used for invoking various types of services and features.
  » In most cases they describe the type of traffic: voice, speech, data or fax

SIP Message Body
– Similar to an attachment in an e-mail message
– The SIP body of an INVITE request contains a description of the media session using another protocol:
  » Usually SDP (Session Description Protocol - RFC …)
– The SIP body can be encrypted using S/MIME for end-to-end security
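The header rules above (mandatory headers, a Request-URI that is a real URI, Content-Length that matches the body) are exactly what a proxy or a SIP-aware firewall checks before it routes anything. The following Go program is an added example, not code from the original slides: a small SIP parser and validator that unfolds headers, resolves compact header forms, and reports the problems a message would be rejected for. The two sample messages are constructed after the slides' own REGISTER and INVITE; the abbreviated INVITE deliberately shows what the slide leaves out.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// SIPMessage is the parsed form of one SIP request or response.
type SIPMessage struct {
	StartLine string
	Headers   map[string][]string // lower-cased long header name -> values, in order
	Body      string
}

// Compact header forms (RFC 3261 section 7.3.3) folded to their long names.
var compact = map[string]string{
	"t": "to", "f": "from", "v": "via", "i": "call-id", "m": "contact",
	"l": "content-length", "c": "content-type", "s": "subject",
}

// RFC 3261 section 8.1.1: every request must carry these six headers.
var mandatory = []string{"to", "from", "cseq", "call-id", "max-forwards", "via"}

// ParseSIP splits a raw message into start line, headers and body. The body is kept
// byte-exact because Content-Length counts the bytes after the empty line; header
// lines may be CRLF or LF terminated and folded continuation lines are unfolded.
func ParseSIP(raw string) (*SIPMessage, error) {
	sep := "\r\n\r\n"
	if !strings.Contains(raw, sep) {
		sep = "\n\n"
	}
	head, body, _ := strings.Cut(raw, sep)
	lines := strings.Split(strings.ReplaceAll(head, "\r\n", "\n"), "\n")
	if lines[0] == "" {
		return nil, fmt.Errorf("missing start line")
	}
	msg := &SIPMessage{StartLine: lines[0], Headers: map[string][]string{}, Body: body}
	var logical []string
	for _, l := range lines[1:] {
		switch {
		case l == "":
		case l[0] == ' ' || l[0] == '\t': // continuation of the previous header
			if len(logical) == 0 {
				return nil, fmt.Errorf("continuation line before first header")
			}
			logical[len(logical)-1] += " " + strings.TrimSpace(l)
		default:
			logical = append(logical, l)
		}
	}
	for _, l := range logical {
		name, value, ok := strings.Cut(l, ":")
		if !ok {
			return nil, fmt.Errorf("malformed header line %q", l)
		}
		name = strings.ToLower(strings.TrimSpace(name))
		if long, isCompact := compact[name]; isCompact {
			name = long
		}
		msg.Headers[name] = append(msg.Headers[name], strings.TrimSpace(value))
	}
	return msg, nil
}

// Validate applies the checks a proxy or SIP-aware firewall makes before routing:
// well-formed start line, a sip:/sips:/tel: Request-URI, the mandatory headers, and a
// Content-Length equal to the body actually received (a mismatch on TCP or TLS
// desynchronises message framing and is a classic fuzzing target).
func Validate(msg *SIPMessage) []string {
	var problems []string
	parts := strings.Fields(msg.StartLine)
	isResponse := strings.HasPrefix(msg.StartLine, "SIP/2.0 ")
	switch {
	case isResponse && len(parts) < 3, !isResponse && (len(parts) != 3 || parts[2] != "SIP/2.0"):
		problems = append(problems, "malformed start line: "+msg.StartLine)
	case !isResponse && !strings.HasPrefix(parts[1], "sip:") &&
		!strings.HasPrefix(parts[1], "sips:") && !strings.HasPrefix(parts[1], "tel:"):
		problems = append(problems, "Request-URI is not a sip:, sips: or tel: URI: "+parts[1])
	}
	for _, h := range mandatory {
		if isResponse && h == "max-forwards" {
			continue // responses carry no Max-Forwards
		}
		if _, ok := msg.Headers[h]; !ok {
			problems = append(problems, "missing mandatory header: "+h)
		}
	}
	if cl, ok := msg.Headers["content-length"]; ok {
		if n, err := strconv.Atoi(cl[0]); err != nil || n != len(msg.Body) {
			problems = append(problems, fmt.Sprintf("Content-Length %s does not match body length %d", cl[0], len(msg.Body)))
		}
	}
	return problems
}

// Check parses and validates in one step; a parse error is reported as a problem.
func Check(raw string) []string {
	msg, err := ParseSIP(raw)
	if err != nil {
		return []string{"parse error: " + err.Error()}
	}
	return Validate(msg)
}

// Sample messages constructed after the slides: the RFC 3665 REGISTER (F1), and the
// abbreviated direct-call INVITE whose Request-URI lacks the sip: scheme, which omits
// CSeq and Max-Forwards, and whose Content-Length does not fit its (shortened) body.
const registerF1 = "REGISTER sips:ss2.biloxi.example.com SIP/2.0\r\n" +
	"Via: SIP/2.0/TCP client.biloxi.example.com:5060;branch=z9hG4bKnashds7\r\n" +
	"Max-Forwards: 70\r\nFrom: Bob <sip:bob@biloxi.example.com>;tag=a73kszlfl\r\n" +
	"To: Bob <sip:bob@biloxi.example.com>\r\nCall-ID: 1j9FpLxk3uxtm8tn@biloxi.example.com\r\n" +
	"CSeq: 1 REGISTER\r\nContact: <sip:bob@client.biloxi.example.com>\r\nContent-Length: 0\r\n\r\n"

const slideInvite = "INVITE b@example.com SIP/2.0\r\nVia: SIP/2.0/UDP 10.185.224.28\r\n" +
	"Call-ID: 12555-915546774@10.185.224.28\r\nFrom: sip:a@example.com\r\nTo: sip:b@example.com\r\n" +
	"Content-Type: application/sdp\r\nContent-Length: 276\r\n\r\n" +
	"v=0\r\no=andreas 0 0 IN IP4 10.185.224.28\r\ns=test on unix\r\n" +
	"m=audio 23376 RTP/AVP 0\r\nc=IN IP4 239.255.232.123/15\r\na=ptime:40\r\n"

func main() {
	fmt.Println("REGISTER F1:", Check(registerF1))
	fmt.Println("slide INVITE:", Check(slideInvite))
}
```

Run it and the REGISTER passes with no findings, while the slide's INVITE is reported for its bare Request-URI, the two missing mandatory headers and the Content-Length mismatch; a proxy that skips the last check can be desynchronised by a single crafted message on a TCP or TLS connection.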

SIP Call Flow

• Direct session establishment (example modelled on RFC 3665)

• SIP INVITE request

  INVITE sip:b@example.com SIP/2.0
  Via: SIP/2.0/UDP 10.185.224.28
  Call-ID: 12555-915546774@10.185.224.28
  From: sip:a@example.com
  To: sip:b@example.com
  Content-Type: application/sdp
  Content-Length: 276

  v=0
  o=andreas .. … IN IP4 10.185.224.28
  s=test on unix
  i=Group Chat
  e=a@example.com
  c=IN IP4 239.255.232.123/15
  t=1038556894 1038557194
  a=tool:sdr v2.4a6
  a=type:meeting
  m=audio 23376 RTP/AVP 0
  c=IN IP4 239.255.232.123/15
  a=ptime:40

  (The slide shows an abbreviated message: the Request-URI must be a complete URI (sip:b@example.com), and a real INVITE also carries the mandatory CSeq and Max-Forwards headers and a Contact header.)

• SIP response - 180 Ringing

  SIP/2.0 180 Ringing
  Via: SIP/2.0/UDP 10.185.224.28
  Call-ID: 12555-915546774@10.185.224.28
  From: sip:a@example.com
  To: sip:b@example.com
  Contact-host: 192.168.224.68   (as on the slide; a real message carries a Contact header with B's SIP URI)

• SIP response - 200 OK

  SIP/2.0 200 OK
  Via: SIP/2.0/UDP 10.185.224.28
  Call-ID: 12555-915546774@10.185.224.28
  From: sip:a@example.com
  To: sip:b@example.com
  Contact-host: 192.168.224.68   (as on the slide)

Message sequence between User Agent A (a@example.com) and User Agent B (b@example.com):
  A -> B: INVITE (1)
  B -> A: 180 Ringing (2)   (B's phone rings, B goes off-hook)
  B -> A: 200 OK (3)
  A -> B: ACK (4)
  RTP media session in both directions
  BYE (5) from the party that hangs up, answered with 200 OK (6)

SIP Call Flow - Session Establishment through a SIP Proxy (RFC 3665)

– The initial INVITE (1) contains a pre-loaded Route header with the address of the Proxy Server (configured as the default outbound proxy for UA A).
– The Proxy Server inserts a Record-Route header into the INVITE message to ensure that it stays in the signalling path for all subsequent message exchanges.
– The proxy consults the Location Service (SIP URI to IP address mapping) to find the current contact address of UA B.

Message sequence (User Agent A - Proxy Server - User Agent B):
  A -> Proxy: INVITE (1)
  Proxy -> B: INVITE (2)
  Proxy -> A: 100 Trying (3)
  B -> Proxy: 180 Ringing (4)
  Proxy -> A: 180 Ringing (5)
  B -> Proxy: 200 OK (6)
  Proxy -> A: 200 OK (7)
  A -> B: ACK (8), routed via the proxy because of the Record-Route header
  RTP media session directly between A and B

SIP Call Flow - Session via Redirect and Proxy Servers (example from RFC 3665)

– The INVITE message is first sent to the Redirect Server (1).
– The server returns a 302 Moved Temporarily response (2) containing a Contact header with UA B's current SIP address; UA A acknowledges this final response with an ACK (3).
– UA A then generates a new INVITE (4) and sends it to UA B via the Proxy Server, and the call proceeds normally.

Message sequence (User Agent A - Redirect Server / Proxy Server - User Agent B):
  A -> Redirect Server: INVITE (1)
  Redirect Server -> A: 302 Moved Temporarily (2)
  A -> Redirect Server: ACK (3)
  A -> Proxy: INVITE (4)
  Proxy -> B: INVITE (5)
  Proxy -> A: 100 Trying (6)
  B -> Proxy: 180 Ringing (7)
  Proxy -> A: 180 Ringing (8)
  B -> Proxy: 200 OK (9)
  Proxy -> A: 200 OK (10)
  A -> B: ACK (11)   (labelled "ACK (8)" on the slide)
  RTP media session directly between A and B

The Proxy Server resolves UA B through the Location Service (SIP URI to IP address mapping).

ENUM - E.164 Number Mapping (RFC 3761)

• Mapping between an E.164 number and other services
• DNS is used to identify the services bound to the E.164 number
  – Format: <phone number digits in reverse order, dot-separated>.e164.arpa
  – Example: "+13035553031" becomes "1.3.0.3.5.5.5.3.0.3.1.e164.arpa"
• One NAPTR entry in the DNS database for each available service
  – E.g. SIP, H.323, Web, e-mail, PSTN
    » IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:joe@vzb.com!"
    » IN NAPTR 102 15 "u" "mailto+E2U" "!^.*$!mailto:joe@vzb.com!"
    » IN NAPTR 100 20 "u" "tel+E2U" "!^.*$!tel:joe@vzb.com!"
  – Note: the "sip+E2U" spelling of the service field is the older RFC 2916 syntax; RFC 3761 writes it as "E2U+sip", "E2U+mailto" and so on. A tel: URI (RFC 3966) carries a telephone number rather than a user@host name, so the third record is illustrative only.
– SIP translates E.164 numbers into URIs
  » Resolved to an IP address using the SIP redirect and/or location service

ENUM Queries and SIP
(diagram only on the original slide)

ENUM - Query Example

$ORIGIN 1.3.0.3.5.5.5.3.0.3.1.e164.arpa.   (the queried name)
IN NAPTR 100 10 "u" "sip+E2U"    "!^.*$!sip:joe@vzb.com!"
IN NAPTR 102 15 "u" "mailto+E2U" "!^.*$!mailto:joe@vzb.com!"
IN NAPTR 100 20 "u" "tel+E2U"    "!^.*$!tel:joe@vzb.com!"

• IN - Internet class
  – Class of record; this is always IN
• NAPTR - Naming Authority Pointer record
  – Type of DNS resource record (RR)
• 100 / 102 - Order
  – First arbiter of preference (lower is better); records with a higher order are only considered if no record of a lower order applies
• 10 / 15 / 20 - Preference
  – Weight for how the user would like to be contacted; used to rank records whose order is equal (lower is better)
• "u" - Flags
  – "u" marks a terminal rule whose output is a URI
• "sip+E2U", "mailto+E2U", "tel+E2U" - Service
  – Indicates the resolution service (E2U, ENUM to URI) and the protocol or URI scheme it resolves to
• The last field is the regular expression: "!pattern!replacement!" is applied to the original E.164 number, one per record; with the pattern "^.*$" the whole number is replaced by the given URI.
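The following Go program is an added example, not code from the original slides: it performs the ENUM steps just described without touching DNS. It builds the e164.arpa name from an E.164 number, orders the NAPTR records by Order and then Preference, honours only terminal ("u") rules, and applies the record's regular expression to produce the URI for a requested service. The record set is constructed after the slide's zone (in both spellings of the service field, which the code normalises), and the tel: record is rewritten here so that it yields a valid tel: URI.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// NAPTR is one Naming Authority Pointer record as returned for an ENUM domain.
type NAPTR struct {
	Order, Preference                   int
	Flags, Service, Regexp, Replacement string
}

// ENUMDomain turns an E.164 number into its e164.arpa query name (RFC 3761 section 2.4):
// keep only the digits, reverse them, separate them by dots and append the suffix.
func ENUMDomain(e164 string) (string, error) {
	if !strings.HasPrefix(e164, "+") {
		return "", fmt.Errorf("%q is not in international E.164 form", e164)
	}
	var digits []byte
	for _, c := range e164[1:] {
		switch {
		case c >= '0' && c <= '9':
			digits = append(digits, byte(c))
		case c == ' ' || c == '-' || c == '.': // visual separators are ignored
		default:
			return "", fmt.Errorf("invalid character %q in %q", c, e164)
		}
	}
	if len(digits) == 0 || len(digits) > 15 {
		return "", fmt.Errorf("E.164 numbers have 1 to 15 digits, got %d", len(digits))
	}
	var sb strings.Builder
	for i := len(digits) - 1; i >= 0; i-- {
		sb.WriteByte(digits[i])
		sb.WriteByte('.')
	}
	return sb.String() + "e164.arpa.", nil
}

// normaliseService maps the legacy RFC 2916 spelling "sip+E2U" onto RFC 3761's "E2U+sip".
func normaliseService(s string) string {
	s = strings.ToLower(s)
	if strings.HasSuffix(s, "+e2u") {
		return "e2u+" + strings.TrimSuffix(s, "+e2u")
	}
	return s
}

// applyRegexp evaluates a NAPTR "!pattern!replacement!" field against the original number.
// The delimiter is the first character; \1..\9 back-references become Go's ${1} form.
func applyRegexp(rule, number string) (string, error) {
	if len(rule) < 3 {
		return "", fmt.Errorf("malformed regexp field %q", rule)
	}
	parts := strings.Split(rule[1:], rule[:1])
	if len(parts) < 2 {
		return "", fmt.Errorf("malformed regexp field %q", rule)
	}
	re, err := regexp.Compile(parts[0])
	if err != nil {
		return "", err
	}
	if !re.MatchString(number) {
		return "", fmt.Errorf("pattern %q does not match %q", parts[0], number)
	}
	repl := parts[1]
	for i := 1; i <= 9; i++ {
		repl = strings.ReplaceAll(repl, fmt.Sprintf(`\%d`, i), fmt.Sprintf("${%d}", i))
	}
	return re.ReplaceAllString(number, repl), nil
}

// ResolveENUM picks the URI for the wanted service the way an ENUM-aware SIP proxy would:
// sort by Order, then Preference; consider only terminal ("u") rules; take the first
// record of the requested service (e.g. "E2U+sip") whose pattern matches the number.
func ResolveENUM(e164 string, records []NAPTR, service string) (string, error) {
	sorted := append([]NAPTR(nil), records...)
	sort.SliceStable(sorted, func(i, j int) bool {
		if sorted[i].Order != sorted[j].Order {
			return sorted[i].Order < sorted[j].Order
		}
		return sorted[i].Preference < sorted[j].Preference
	})
	want := normaliseService(service)
	for _, r := range sorted {
		if strings.ToLower(r.Flags) != "u" || normaliseService(r.Service) != want {
			continue
		}
		if uri, err := applyRegexp(r.Regexp, e164); err == nil {
			return uri, nil
		}
	}
	return "", fmt.Errorf("no terminal NAPTR record for service %s", service)
}

// Records constructed after the slide's zone for 1.3.0.3.5.5.5.3.0.3.1.e164.arpa; the
// tel: rule is changed to emit the number itself, which is what a tel: URI carries.
var slideRecords = []NAPTR{
	{100, 10, "u", "sip+E2U", "!^.*$!sip:joe@vzb.com!", ""},
	{102, 15, "u", "E2U+mailto", "!^.*$!mailto:joe@vzb.com!", ""},
	{100, 20, "u", "E2U+tel", "!^\\+1(.*)$!tel:+1\\1!", ""},
}

func main() {
	name, _ := ENUMDomain("+1 303 555 3031")
	uri, _ := ResolveENUM("+13035553031", slideRecords, "E2U+sip")
	fmt.Println(name, uri)
}
```

In a real deployment the records come from a DNS lookup of the name ENUMDomain returns; since the answer decides where a call is routed, that lookup is only as trustworthy as the DNS it uses, which is why private ENUM trees inside a provider's network are common.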

VoIP Services

Self-provided VoIP

• No provider (like Skype, T-Online etc.) is used to provide the voice service
  – The end users install a dedicated VoIP product on their systems
    » The IP address of the called party must be known to the caller before placing a call; an instant messaging and presence service can solve this problem
    » Example: Microsoft NetMeeting
  – The VoIP infrastructure is installed within a company's local network
    » Voice routing can be done manually or using SIP proxies, H.323 gateways, IP PBX …

Example: manual voice routing between two PBX systems with E1 interfaces
(Diagram: each PBX connects over a PRI (voice port 1/0:15, PRI signalling) to a Cisco voice router; the two routers are connected over IP. Cisco uses its proprietary, H.323-derived session protocol for voice signalling between the routers by default.)

PRI Signaling

Self-provided VoIP - Manual Voice Routing

Router A (PRI to PBX A on voice port 1/0:15, IP address 172.16.1.123):

  isdn switch-type primary-net5
  !
  controller E1 1/0
   pri-group timeslots 1-30
  !
  interface Serial1/0:15
   isdn switch-type primary-net5
   isdn incoming-voice voice
  !
  interface Serial0/0
   ip address 172.16.1.123
  !
  dial-peer voice 1 pots
   destination-pattern 555....
   port 1/0:15
  !
  dial-peer voice 3 voip
   destination-pattern 119....
   session target ipv4:172.16.65.182
   (session protocol cisco)

Router B (PRI to PBX B on voice port 1/0:15, IP address 172.16.65.182):

  isdn switch-type primary-net5
  !
  controller E1 1/0
   pri-group timeslots 1-30
  !
  interface Serial1/0:15
   isdn switch-type primary-net5
   isdn incoming-voice voice
  !
  interface Serial0/0
   ip address 172.16.65.182
  !
  dial-peer voice 1 pots
   destination-pattern 119....
   port 1/0:15
  !
  dial-peer voice 3 voip
   destination-pattern 555....
   session target ipv4:172.16.1.123
   (session protocol cisco)

The subnet masks of the serial interfaces are not shown on the slide. A call from PBX A to a 119xxxx number matches router A's VoIP dial peer and is sent over IP to router B, whose POTS dial peer delivers it over the PRI to PBX B; 555xxxx numbers take the reverse path. Cisco uses its proprietary, H.323-derived session protocol for the voice signalling between the routers by default, which is why "session protocol cisco" appears in parentheses: it is the implicit setting of a VoIP dial peer.

Self-Provided VoIP - IP PBX

(Diagram: IP PBX systems at several sites are connected over the IP backbone; gateways at the sites break out to the PSTN.)
• IP voice circuit: RTP or SRTP
• Voice signalling: SIP, H.323, Cisco Skinny, Asterisk IAX2, MGCP, MeGaCo / H.248

• IP PBX systems are installed by a company without using a voice service provider
• Various implementations using different vendors are possible
  – Cisco, Avaya, Siemens, Nortel, Asterisk (open source) …
  – Management and maintenance of these IP PBX systems can be outsourced
• PSTN breakout using separate gateways
  – Controlled via H.323, SIP, MGCP or MeGaCo / H.248
• Problem: interconnection between IP PBX systems from different vendors can be a nightmare
  – Often only a very limited subset of subscriber features is possible (e.g. if H.323 is used for the interconnection)

Centrex-based Solutions

• Only SIP phones at the location; the PBX is located in the provider network
  – Survivability: an additional IP access or a local PSTN breakout
  – Emergency services: a local PSTN breakout, or the provider maintains a mapping database between phone number and location
    » Problem with mobile users (WLAN VoIP phones, VoIP soft clients …)
    » The database must be kept up to date manually

(Diagram: SIP phones, and a traditional PBX with VoIP interface, at the customer sites; SIP signalling and RTP run over the IP backbone to the provider's SIP-based VoIP infrastructure, which connects to the PSTN.)

IP Trunking - Toll Bypass

• Trunk connection between PBX systems located in different sites
  – The kind of connection depends on the vendor (e.g. H.323, SIP or other protocols)
  – Not very scalable
  – Usually a PSTN breakout in every site (for emergency numbers)

(Diagram: traditional PBX systems with VoIP interfaces at each site, trunked to each other over IP, each with its own PSTN connection.)

IP Trunking - PBX Interconnection

• SIP trunk connection between different IP PBX systems and a central soft PBX within the provider network
• The service provider provides external PSTN long-distance and local access, handled through its SIP network
  – Emergency services are an issue: the number of traditional local trunks needed in the branches can be reduced to just the number required for survivability or emergency services

(Diagram: a traditional PBX with E1 interface (behind a gateway) and a traditional PBX with VoIP interface exchange SIP signalling and RTP over the IP backbone with the provider's SIP-based VoIP infrastructure, which connects to the PSTN.)

Emergency Services for VoIP

• Usually not a problem for fixed phones
  – The location details of the phones are entered in a database
    » This information is transferred to the emergency service answering points
    » It must be ensured that the location details for each phone are up to date
• A big issue with mobile phones like PC soft phones or WLAN IP phones

IETF ECRIT (Emergency Context Resolution with Internet Technologies) concept:
– IP phones have to know their actual location
  » GPS
  » Information from a DHCP server
  » Manual configuration
– A globally available geographical mapping database
  » Contains the Internet address of the locally responsible emergency service answering points (police, fire department etc.)

VoIP in the Provider Core - Next Generation Network (NGN)

– Transmission of voice and data over a common IP-based network
– Connection between the different types of networks (PSTN, mobile, DSL etc.)
– Can provide intelligent services like presence or instant messaging

(Diagram: the provider IP backbone connects the PSTN and the mobile networks (GSM & UMTS) through media gateways, private IP networks (MPLS based) through routers, and the IMS (IP Multimedia Subsystem) with its P-CSCF.)

VoIP in the Provider Core - IMS (IP Multimedia Subsystem)

• Defined by the 3rd Generation Partnership Project (3GPP)
  – 3GPP is a collaboration agreement that brings together a number of telecommunications standards bodies (like ETSI)
  – A reference service delivery platform architecture for the provision of IP multimedia services within a mobile all-IP network environment, such as UMTS Release 5
• Provides signalling to control real-time multimedia services
  – Based on SIP signalling
• Uses the packet-switched domain instead of the circuit-switched one
  – Smooth integration of new IP-based services (e.g. Voice over IP)
  – Interworking with devices that have no access to the mobile domain is trivial
  – Packet-switched technology is usually more efficient than circuit-switched
• Represents an overlay architecture
  – Not limited to the mobile domain (WLAN, WiMAX, xDSL access also possible)
• Does not mandate any particular business model

VoIP Security

• Vulnerabilities
• SIP Security
• Securing the Audio Stream

Vulnerabilities

• DDoS attacks
  – Bad phone quality if the Internet connection is congested
    » DDoS protection within the provider network
  – SIP server flooding (INVITE, REGISTER, SUBSCRIBE messages)
    » Block all SIP messages except the ones to and from trusted networks.
• Phreaking (telephone fraud)
  – Fraudulent usage of the VoIP equipment to get toll-free calls or to let someone else pay for the call
    » Different kinds of attacks are possible (e.g. SIP spoofing, errors in the devices and so on)
  – Example: telephone system hackers have established a black market in reselling stolen VoIP minutes. These phreakers steal 200m minutes a month, worth $26m
    » http://www.theregister.co.uk/2007/03/22/voip_fraud/
  – Mitigation: careful design of the network; use firewalls and filters, and secured SIP and RTP connections wherever possible

Vulnerabilities (continued)

• Spam over Internet Telephony (SPIT)
  – E-mail spam is carried over into the telephone world, e.g. advertising material is offered directly over the phone
  – Often automated dialers are used to lure the user into calling back a premium-rate number like 0900 or 0137.
    » The spammers usually have Internet connections with a VoIP flat rate, so beyond the Internet connection no further cost applies to them.
  – Possible mitigations are still under investigation. Normal e-mail filter mechanisms do not work for SPIT
    » Only allow specific inbound numbers (white list)
    » Block specific inbound numbers (black list)
    » Block all calls without a CLI (Calling Line Identification)

SIP Security Mechanisms

• HTTP/SIP Digest authentication
  – Simple challenge/response mechanism using a shared secret (like CHAP)
  – Replay protection (the server chooses the nonce) and one-way authentication: the server authenticates the client, not the other way round
    » User Agent to User Agent or User Agent to Proxy Server
  – Vulnerable to brute-force or dictionary attacks: whoever captures a challenge and its response can test candidate passwords offline. With qop="auth" only the method and Request-URI are covered by the digest; the rest of the message is not integrity-protected.
• Basic authentication scheme (RFC 2543) has been deprecated
  – Client authentication mechanism with user ID and a cleartext password (like PAP)
• IPsec-based security
  – Provides hop-by-hop mutual authentication, encryption and/or message integrity
  – No integration with the SIP applications required

Example: SIP Digest Authentication

Message flow between the User Agent and the Proxy Server / Registrar: F1 REGISTER, F2 401 Unauthorized, F3 REGISTER with credentials, F4 200 OK. The messages follow RFC 3665 section 2.1. Note that RFC 3665 sends them over TLS: a sips: Request-URI as used here requires TLS on every hop, so the TCP/5060 Via shown on the slide is inconsistent with the sips: scheme.

• F1 REGISTER Bob -> SIP Server

  REGISTER sips:ss2.biloxi.example.com SIP/2.0
  Via: SIP/2.0/TCP client.biloxi.example.com:5060;branch=z9hG4bKnashds7
  Max-Forwards: 70
  From: Bob <sip:bob@biloxi.example.com>;tag=a73kszlfl
  To: Bob <sip:bob@biloxi.example.com>
  Call-ID: 1j9FpLxk3uxtm8tn@biloxi.example.com
  CSeq: 1 REGISTER
  Contact: <sip:bob@client.biloxi.example.com>
  Content-Length: 0

• F2 401 Unauthorized SIP Server -> Bob

  SIP/2.0 401 Unauthorized
  Via: SIP/2.0/TCP client.biloxi.example.com:5060;branch=z9hG4bKnashds7;received=192.0.2.201
  From: Bob <sip:bob@biloxi.example.com>;tag=a73kszlfl
  To: Bob <sip:bob@biloxi.example.com>;tag=1410948204
  Call-ID: 1j9FpLxk3uxtm8tn@biloxi.example.com
  CSeq: 1 REGISTER
  WWW-Authenticate: Digest realm="atlanta.example.com", qop="auth", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", stale=FALSE, algorithm=MD5
  Content-Length: 0

• F3 REGISTER Bob -> SIP Server (with credentials)

  REGISTER sips:ss2.biloxi.example.com SIP/2.0
  Via: SIP/2.0/TCP client.biloxi.example.com:5060 …
  Max-Forwards: 70
  From: Bob <sip:bob@biloxi.example.com>;tag=…lH
  To: Bob <sip:bob@biloxi.example.com>
  Call-ID: 1j9FpLxk3uxtm8tn@biloxi.example.com
  CSeq: 2 REGISTER
  Contact: <sip:bob@client.biloxi.example.com>
  Authorization: Digest username="bob", realm="atlanta.example.com", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:ss2.biloxi.example.com", response="dfe56131d1958046689d83306477ecc"
  Content-Length: 0

  (The retried REGISTER keeps the Call-ID and increments CSeq. Although the challenge offered qop="auth", the Authorization header, like the one in RFC 3665, carries no qop, cnonce or nc parameters, i.e. the response is computed in the older RFC 2069 form MD5(HA1:nonce:HA2).)

• F4 200 OK SIP Server -> Bob

  SIP/2.0 200 OK
  Via: SIP/2.0/TCP client.biloxi.example.com:5060;branch=z9h…d92;received=192.0.2.201
  From: Bob <sip:bob@biloxi.example.com>;tag=ja743ks76zlflH
  To: Bob <sip:bob@biloxi.example.com>;tag=37GkEhwl6
  Call-ID: 1j9FpLxk3uxtm8tn@biloxi.example.com
  CSeq: 2 REGISTER
  Contact: <sip:bob@client.biloxi.example.com>;expires=3600
  Content-Length: 0
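To make the exchange concrete, the following Go program is an added example, not code from the slides. It computes the Digest response that F3 has to carry (both the RFC 2069 form and the qop="auth" form), verifies it on the registrar side with single-use nonces, which is where the replay protection comes from, and then shows the weakness noted on the previous slide: with a captured challenge and response, the shared secret can be brute-forced offline with no further contact to the server. The user name "bob" and the realm are taken from the slide; the password and the candidate word list are constructed, and the RFC 2617 worked example is used to confirm the arithmetic.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
	"sync"
)

func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// DigestParams holds the fields of a WWW-Authenticate challenge plus what the client
// adds in its Authorization header (RFC 2617, as profiled for SIP in RFC 3261).
type DigestParams struct {
	Username, Realm, Password string
	Method, URI               string
	Nonce                     string
	Qop, NonceCount, Cnonce   string // empty Qop selects the RFC 2069-style response
}

// DigestResponse computes response = MD5(HA1:nonce[:nc:cnonce:qop]:HA2) with
// HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri). Everything else in the
// SIP message (headers, SDP body) is outside the digest, and the server is never authenticated.
func DigestResponse(p DigestParams) string {
	ha1 := md5hex(p.Username + ":" + p.Realm + ":" + p.Password)
	ha2 := md5hex(p.Method + ":" + p.URI)
	if p.Qop == "" {
		return md5hex(ha1 + ":" + p.Nonce + ":" + ha2)
	}
	return md5hex(strings.Join([]string{ha1, p.Nonce, p.NonceCount, p.Cnonce, p.Qop, ha2}, ":"))
}

// Registrar is the server side: it issues random nonces, verifies responses and
// refuses a nonce that was never issued or has already been consumed (replay protection).
type Registrar struct {
	Realm     string
	Passwords map[string]string // username -> shared secret
	mu        sync.Mutex
	issued    map[string]bool // nonce -> still valid
}

func (r *Registrar) NewNonce() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.issued == nil {
		r.issued = map[string]bool{}
	}
	r.issued[n] = true
	return n
}

// Verify returns the SIP status the registrar would answer with: 200 on success,
// 401 if the nonce is unknown or spent, the user is unknown or the response is wrong.
func (r *Registrar) Verify(p DigestParams, response string) int {
	r.mu.Lock()
	defer r.mu.Unlock()
	if !r.issued[p.Nonce] {
		return 401
	}
	delete(r.issued, p.Nonce) // single use, even on failure
	pw, ok := r.Passwords[p.Username]
	if !ok {
		return 401
	}
	p.Realm, p.Password = r.Realm, pw
	if DigestResponse(p) != response {
		return 401
	}
	return 200
}

// CrackDigest is the attacker's view: given a captured challenge/response pair, try
// candidate passwords offline, two MD5 computations per guess. This is why Digest on its
// own is weak against dictionary attacks and is normally run inside TLS.
func CrackDigest(p DigestParams, response string, candidates []string) (string, bool) {
	for _, c := range candidates {
		p.Password = c
		if DigestResponse(p) == response {
			return c, true
		}
	}
	return "", false
}

func main() {
	reg := &Registrar{Realm: "atlanta.example.com", Passwords: map[string]string{"bob": "constructed-secret"}}
	p := DigestParams{Username: "bob", Realm: reg.Realm, Password: "constructed-secret", Method: "REGISTER",
		URI: "sip:ss2.biloxi.example.com", Nonce: reg.NewNonce(), Qop: "auth", NonceCount: "00000001", Cnonce: "0a4f113b"}
	resp := DigestResponse(p)
	fmt.Println(reg.Verify(p, resp), reg.Verify(p, resp)) // 200, then 401: the nonce is spent
	fmt.Println(CrackDigest(p, resp, []string{"123456", "constructed-secret"}))
}
```

The single-use nonce table is the minimum a registrar needs; production servers also bind the nonce to a time window (answering with stale=TRUE when it expires) so the table cannot grow without bound under a REGISTER flood.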

SIP Security Mechanisms - Overview

• TLS (sips)
  – Hop-by-hop encryption, authentication and message integrity
  (Diagram: SIP phone - TLS (sips) - proxy server - TLS (sips) - SIP phone)
• S/MIME
  – End-to-end encryption, authentication and integrity for the message body
  (Diagram: SIP using S/MIME between the two phones, carried through the proxy server unchanged)
• IPsec
  – Hop-by-hop encryption, authentication and message integrity
  (Diagram: SIP phone - IPsec - proxy server - IPsec - SIP phone, with plain SIP inside the IPsec tunnels)

SIP Security Mechanisms - TLS (sips)

– Hop-by-hop encryption, message integrity and mutual authentication using certificates
  » Between UA and proxy server or between two proxy servers
  » Other authentication mechanisms can also be used: if the client has no certificate, TLS authenticates only the server, and the client is authenticated inside the TLS connection by, for example, HTTP Digest authentication
  » The whole SIP message is encrypted and authenticated
    - SIP-aware firewalls cannot look into the SIP messages to open the necessary UDP ports for RTP and RTCP
    - Message fields (Request-URI, Route and Via) need to be visible to SIP proxies in most architectures to route SIP requests correctly, which is why TLS protection is hop-by-hop: every proxy terminates TLS and sees the signalling in cleartext
– Integration with the SIP applications is required
– TLS proxy within the firewall
  – Future (as of 2007): the firewall will act as a TLS proxy to be able to control TLS-encrypted SIP signalling (for example Cisco ASA or Juniper NetScreen)

SIP Security Mechanisms - S/MIME

– End-to-end encryption, message integrity and mutual authentication using certificates
  » Encrypts MIME bodies within a SIP message between two user agents
    - Bodies are secured end-to-end without affecting the SIP headers
    - Transparent to any intermediate firewalls, NAT devices or SIP proxies
– S/MIME with SIP message tunnelling (RFC 3261 section 23.4)
  – Provides a form of integrity and confidentiality for SIP header fields: a copy of the message, including its headers, is carried as a signed and/or encrypted message/sip body, and the receiver compares it with the outer headers
  – Replaces the PGP mechanism of RFC 2543 for encrypting header fields and bodies

Securing the Audio Stream

• IPsec VPN
  – Mostly used for connections running over the backbone
  – Cisco GET VPN can be used to build an any-to-any IPsec VPN
  – Independent of the SIP user agents' capabilities
  (Diagram: the RTP stream between the SIP phones runs inside an IPsec tunnel; the proxy server only sees the signalling)

• RFC 3711 - Secure Real-time Transport Protocol (SRTP)
  – Secures RTP and RTCP traffic end-to-end
  – Encryption, authentication and message integrity using symmetric keys (AES in counter mode for encryption, HMAC-SHA1 for authentication in the default crypto suites)
  – SIP user agents must support SRTP
  (Diagram: SRTP stream directly between the SIP phones; signalling via the proxy server)

Securing the Audio Stream - SRTP Key Management

– SRTP does not define a key management mechanism but refers to other key management standards
  » RFC 3547: "The Group Domain of Interpretation" (GDOI)
  » RFC 3830: "MIKEY: Multimedia Internet KEYing"
  » RFC 4430: "Kerberized Internet Negotiation of Keys (KINK)"
  » RFC 4567: "Key Management Extensions for SDP and RTSP"
  » RFC 4568: "SDP Security Descriptions for Media Streams"
– These protocols are used to establish the SRTP master key and master salt
  » With SDP Security Descriptions the master key travels in the SDP body of the SIP message in the clear, so the signalling itself must be protected (TLS or S/MIME) for the media key to stay secret
• SRTP derives six different session keys from this single master key in a cryptographically secure way (an AES counter-mode key derivation function with a different label for each key)
  – SRTP and SRTCP encryption keys and salts
  – SRTP and SRTCP authentication keys
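The derivation just described is small enough to implement directly. The following Go program is an added example, not code from the slides: it implements the AES-CM key derivation function of RFC 3711 section 4.3.1 and derives all six session keys from a master key and master salt, using the test vector of RFC 3711 appendix B.3 as input. The key lengths assume the default AES_CM_128_HMAC_SHA1_80 crypto suite (128-bit cipher keys, 112-bit salts, 160-bit HMAC keys).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Key derivation labels from RFC 3711 section 4.3.1.
const (
	LabelSRTPEncr  byte = 0x00
	LabelSRTPAuth  byte = 0x01
	LabelSRTPSalt  byte = 0x02
	LabelSRTCPEncr byte = 0x03
	LabelSRTCPAuth byte = 0x04
	LabelSRTCPSalt byte = 0x05
)

// SessionKeys are the six keys SRTP derives from one master key and master salt.
type SessionKeys struct {
	SRTPEncr, SRTPAuth, SRTPSalt    []byte
	SRTCPEncr, SRTCPAuth, SRTCPSalt []byte
}

// DeriveKey implements the AES-CM key derivation of RFC 3711 section 4.3.1:
//   r      = index DIV key_derivation_rate   (r = 0 if the rate is 0)
//   key_id = label || r                      (8 + 48 bits)
//   x      = key_id XOR master_salt          (right-aligned under the 112-bit salt)
//   key    = first n bytes of the AES-CM keystream(master_key, IV = x * 2^16)
func DeriveKey(masterKey, masterSalt []byte, label byte, index, kdr uint64, n int) ([]byte, error) {
	if len(masterSalt) != 14 {
		return nil, fmt.Errorf("master salt must be 112 bits, got %d bytes", len(masterSalt))
	}
	block, err := aes.NewCipher(masterKey) // 16, 24 or 32 byte master keys
	if err != nil {
		return nil, err
	}
	var r uint64
	if kdr != 0 {
		r = index / kdr
	}
	x := make([]byte, 14)
	copy(x, masterSalt)
	x[7] ^= label
	for i := 0; i < 6; i++ { // 48-bit r, big-endian, XORed into the low 6 bytes
		x[8+i] ^= byte(r >> (8 * uint(5-i)))
	}
	iv := make([]byte, 16) // x * 2^16: x followed by 16 zero bits
	copy(iv, x)
	out := make([]byte, n)
	cipher.NewCTR(block, iv).XORKeyStream(out, out) // keystream over zero bytes
	return out, nil
}

// DeriveSessionKeys derives the full set for AES_CM_128_HMAC_SHA1_80 at index 0
// (with key_derivation_rate 0 the keys never change for the lifetime of the master key).
func DeriveSessionKeys(masterKey, masterSalt []byte, kdr uint64) (*SessionKeys, error) {
	var sk SessionKeys
	spec := []struct {
		dst   *[]byte
		label byte
		n     int
	}{
		{&sk.SRTPEncr, LabelSRTPEncr, 16}, {&sk.SRTPAuth, LabelSRTPAuth, 20}, {&sk.SRTPSalt, LabelSRTPSalt, 14},
		{&sk.SRTCPEncr, LabelSRTCPEncr, 16}, {&sk.SRTCPAuth, LabelSRTCPAuth, 20}, {&sk.SRTCPSalt, LabelSRTCPSalt, 14},
	}
	for _, s := range spec {
		k, err := DeriveKey(masterKey, masterSalt, s.label, 0, kdr, s.n)
		if err != nil {
			return nil, err
		}
		*s.dst = k
	}
	return &sk, nil
}

// Test vector from RFC 3711 appendix B.3 (key_derivation_rate 0, index 0).
var (
	rfcMasterKey, _  = hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	rfcMasterSalt, _ = hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
)

func main() {
	sk, err := DeriveSessionKeys(rfcMasterKey, rfcMasterSalt, 0)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SRTP cipher key  %X\nSRTP cipher salt %X\nSRTP auth key    %X\n", sk.SRTPEncr, sk.SRTPSalt, sk.SRTPAuth)
}
```

Because every session key is a different slice of keystream selected by the label, a compromise of one session key does not reveal the others, but all of them fall with the master key, which is why the key management protocols listed above, not SRTP itself, carry the real security burden.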

Securing the Audio Stream - SRTP Packet Format (RFC 3711)

  RTP header (in the clear, authenticated):
    V=2 | P | X | CC | M | Payload Type | Sequence Number
    Timestamp
    Synchronization Source Identifier (SSRC)
    Contributing Source Identifiers (CSRC) - optional
    RTP header extension - optional
  Encrypted part (also authenticated):
    Payload (audio and video)
    RTP padding | RTP pad count
  SRTP trailer:
    SRTP MKI (Master Key Identifier) - optional, neither encrypted nor authenticated
    Authentication tag - covers the RTP header and the encrypted part

Only the payload (with its padding) is encrypted; the RTP header stays readable so that routers, NAT devices and monitoring probes can still handle the stream, while the authentication tag protects the header against modification.

Unified Messaging

Verizon Business Instant Meeting incorporated into Microsoft Office Live Communication Server

(Screenshots only on the original slides: Verizon Business Instant Meeting incorporated into Microsoft Office Live Communication Server; Verizon Business Instant Meeting integration into Microsoft …)

Verizon Business VoIP Solutions

4 different products based on SIP

Verizon Business VoIP Service Portfolio

Strategy
• Build a world-class VoIP infrastructure with the scalability and flexibility to meet business and wholesale customer needs
• Deliver a high-quality VoIP experience
• Enable customers to migrate to VoIP at their own pace and along their own path

IP Trunking
• Use with an existing premises IP PBX
• Eliminates the need for expensive TDM premises gateway equipment
• Ideal for large locations with more than 200 users

IP Integrated Access / IP Flexible T1
• Use with an existing PBX or key system
• Ideal for small- to medium-size locations
• For customers not ready to rip and replace
• Avoids re-training

Hosted IP Centrex
• Full suite of subscriber and administrative features resides in the network
• Uses IP phones
• Enhances user mobility and productivity
• Easily scales with business demands
• Ideal for new locations

Managed IP PBX
• Designed for enterprises with more than 200 users
• For customers who prefer a premises-based solution without the internal support challenges

Verizon Business VoIP Architecture

(Diagram: the Verizon Business private IP or public IP network hosts the SIP infrastructure: SIP feature servers, redirect servers and voice mail servers, plus a network gateway to the Public Switched Telephone Network. Customer premises attach in three ways: a LAN with SIP phones and no PBX; a key system or PBX with PBX phones; and a site mixing PBX phones and SIP phones.)

Verizon VoIP - IP Integrated Access

(Diagram: at the customer site, phones and a PBX connect to an Enterprise Gateway behind a redundant firewall and IP router, with a modem for PSTN support. Inter-site traffic is routed via the Verizon IP network; non-inter-site traffic is routed via the Verizon voice network, which provides the network features and the PSTN connection.)

Verizon VoIP - IP Trunking

(Diagram: SIP phones and traditional phones (via an analogue gateway) connect to an IP PBX, optionally a Managed IP PBX. A CE router, firewall, Ethernet switch and a Verizon VoIP probe sit at the site edge, with a modem for PSTN support. Inter-site traffic is routed via the Verizon IP network; non-inter-site traffic via the Verizon voice network, which provides the network features and the PSTN connection.)

Verizon VoIP - Hosted IP Centrex

(Diagram: as for IP Trunking but without any PBX on the premises: SIP phones and traditional phones (via an analogue gateway) connect through the CE router, firewall and Ethernet switch, with a modem for PSTN support; the network features reside in the Verizon network, which also provides the PSTN connection.)

Verizon VoIP - Security

• Redundant NetScreen firewalls protect the SIP proxy servers in the Verizon VoIP network
• Customer sites must use SIP-aware firewalls.
  – Only SIP messages that originate from Verizon's proxies are allowed to reach the IP phones.
• SIP signalling:
  – IP phones and analogue interfaces use SIP Digest authentication
    » Passwords on the IP phones are set before they are shipped.
  – Enterprise gateways for IP Integrated Access use IPsec AH
    » IPsec tunnel between the gateways and the NetScreen firewalls on the VzB VoIP network
    » Note that AH provides integrity and origin authentication only, not encryption: the SIP signalling inside the AH tunnel stays readable on the access network

(Diagram: the Enterprise Gateway, behind a SIP-aware firewall (Cisco PIX), reaches the NetScreen firewall of the Verizon VoIP network across the access network (Internet or MPLS); SIP signalling with Digest authentication runs inside the IPsec AH tunnel, and the PSTN is attached on the Verizon side.)

Thank You - Any Questions?

About Verizon Business

Verizon Business, a unit of Verizon Communications (NYSE:VZ), is a leading provider of advanced communications and information technology (IT) solutions to large business and government customers worldwide. Combining unsurpassed global network reach with advanced technology and professional service capabilities, Verizon Business delivers innovative and seamless business solutions to customers around the world.

For more information, visit www.verizonbusiness.com

Global Capability. Personal Accountability.
