© 2007 Verizon. All Rights Reserved. PTEXXXXX XX/07
global capability. personal accountability.
VoIP - What is possible?
3B07 - Which different scenarios are possible when deploying VoIP (IP PBX, IP Centrex etc.)
Andreas Aurand, Sales Engineer, April 19th, 2007
Verizon Communications Inc.
Revenue
• 2006 Revenue: $88.1 billion (+26.8% compared to 2005)
• World's second biggest telecommunications provider*
• 50th on Fortune Global 500
Profit
• One of the world's most profitable telecommunications providers*
• 36th on Fortune Global 500
Verizon Business - About Verizon
• Customers include 94% of the Fortune 500
• Over 30,000 employees
• Operations in 75 countries
• Customers in 2,700 cities in 152 countries
• Most expansive IP network worldwide (based upon PoPs)
• Most connected backbone according to TeleGeography
Verizon Business' Portfolio
• Managed Network Services
• WAN Management
• Professional Services
• LAN Management
• Managed Telephony
Agenda
• SIP Signalling
• VoIP Services
• VoIP Security
• Unified Messaging
• Verizon Business VoIP solutions

SIP Signalling
Traditional Voice Services - Circuit Switched
• PBX Signaling: QSIG, ISDN PRI, …
• Signalling between phone and PBX or telephone switch
– Digital: ISDN BRI - Q.931
– Analogue: E&M, Loop Start, Ground Start
• Signaling between PBX and CO
– ISDN PRI - Q.931 (digital)
– Analogue (usually obsolete)
• Signaling (using a separate network)
– SS7 (digital)
• Voice circuit
– Analogue: dedicated circuit
– Digital: fixed TDM slot
VoIP Services - Packet Switched
• PBX Signaling: QSIG, ISDN PRI, E&M
• Signaling between phone and PBX
– Digital: ISDN BRI - Q.931
– Analogue: E&M, Loop Start, Ground Start
• IP voice circuit: RTP or SRTP
• VoIP Signalling
– ITU H.323 protocol
– IETF SIP protocol
– Cisco Skinny protocol
– Asterisk IAX2 (InterAsterisk eXchange)
– IETF MGCP or MeGaCo
VoIP Signaling - SIP and H.323
• IETF SIP protocol (RFC 3261)
– A flexible, scalable, text-based call control protocol (similar to HTTP and SMTP)
– Besides signalling, SIP also supports presence and instant messaging applications.
» Conferencing (e.g. Microsoft Live Meeting)
» Presence and Instant Messaging (e.g. Microsoft Communicator)
– Robust security mechanisms
» Authentication using HTTP Digest, TLS or S/MIME
» Encryption using TLS or S/MIME
» Message Integrity using TLS or S/MIME
• ITU H.323 protocol
– Based on ISDN, uses binary-encoded ASN.1 messages
– Is exclusively a signalling protocol
– Widely deployed in small PSTN replacement networks for handling simple phone calls
– Dominates the IP videoconferencing market
SIP Protocol
• Call control or signalling protocol that establishes and terminates media sessions.
– Individual voice or conference calls
– Videoconferences and point-to-point video-enabled calls
– Web collaboration and chat sessions
– Instant messaging sessions
• Open standard protocol; specifies the basic and supplementary services to create, modify and delete multimedia sessions or calls.
– Client-server based peer-to-peer protocol, not an IP-to-PSTN gateway control protocol such as MGCP, MEGACO or H.248.
• Integrates with other Internet services, such as e-mail, Web, voice mail, instant messaging, multiparty conferencing, and multimedia collaboration.
SIP Protocol
• SIP uses Uniform Resource Locators (URL) that can look like an e-mail address or may contain phone numbers:
– sip:henry@verizonbusiness.com
– sip:+19725551212@gateway.com
– The names are resolved to an IP address by using SIP proxy server and DNS lookups at the time of the call.
• SIP is an application-layer protocol
– Utilizes the Session Description Protocol (SDP) for call setup
– Supported transport protocols
» UDP (Port 5060)
» TCP (Port 5060)
» Stream Control Transmission Protocol (SCTP, Port 5060)
» TLS (Port 5061)
SIP Entities
• User Agent (UA)
– End devices
– Initiate and terminate media sessions
» Client (UAC): initiates a request
» Server (UAS): responds to a request
• SIP Server
– Assist in session setup
» Registrar
» Location Server
» Proxy Server
» Redirect Server
» Presence Server
• Back-to-Back User Agent (B2BUA)
– Intermediary device
– Appears as an endpoint to the two endpoints
[Figure: a User Agent Client sends REGISTER and INVITE requests towards a Registrar, Proxy Server, Redirect Server, User Agent Server, DNS Server and a Gateway (B2BUA). The Location Service holds the SIP URI to IP address mapping; a REGISTER request updates the "URI to IP address binding" in the Location Service database.]
SIP Entities - User Agents
• User agents
– Applications in SIP endpoints (such as a SIP phone) that interface between the user and the SIP network.
– An agent can act as either a client or a server.
» When making a call it acts as a User Agent Client (UAC)
» When receiving a call it acts as a User Agent Server (UAS)
• A Back-to-Back User Agent (B2BUA)
– An application that acts as an intermediary between two parties, but appears as an endpoint to both parties.
» It serves as both a UAS and a UAC simultaneously to process session requests.
» For example, a SIP Analogue Telephone Adapter (ATA) might work as a B2BUA
• SIP devices can communicate directly with each other if they know the other's URL, but in practice SIP servers are often used in the network to provide an infrastructure for routing, registration, and the authentication/authorization services.
SIP Entities - SIP Server #1
• Registrar Server
– Registers users when they come on-line and stores information on the user's logical identity and the associated device or devices they will allow for communications.
– Accepts REGISTER requests and places the information it receives in those requests into the location service for the domain it handles.
• Location Server
– A database that keeps track of users and the URL bindings that are "closer" to them.
» Contains a list of bindings of address-of-record keys to zero or more contact addresses.
– The location service gets its input from the registrar server and provides key information for the proxy and redirect servers.
– Used by a SIP redirect or proxy server to obtain information about a callee's possible location(s).
• Redirect Server
– Maps a SIP request destined for a user to the URL of the device "closest" to the user.
» Accepts a SIP INVITE request from the calling user agent
» Obtains the correct SIP address of the called user agent (from a location service)
» Replies to the calling user agent with the correct SIP address using 3xx responses
SIP Entities - SIP Server #2
• Proxy Server
– Services SIP requests by processing them and passing them along to other SIP servers.
» Routing: ensures that a request is sent to another entity "closer" to the targeted user.
» Enforcing policies; for example, making sure a user is allowed to make a call.
– A proxy server may act as both a server and a client, and can modify a SIP request before passing it along.
» Interprets and rewrites specific parts of a request message before forwarding it.
– A proxy is involved only in the set-up and teardown of communications.
» Once a session is established, communications occur directly between the parties.
• Presence Server
– Accepts, stores, and distributes presence information.
» Presentity clients (producers of information) provide presence information to the server to be stored and distributed.
» Watcher clients (consumers of information) receive presence information from the server.
SIP Messages
• SIP Requests (called "methods") - Client to Server
– Six base ones: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER
• SIP Responses - Server to Client
– SIP Requests generate responses with a numerical response code
» Borrowed from the HTTP protocol
– 1xx Informational
– 2xx Final
– 3xx Redirection
– 4xx Client Error
– 5xx Server Error
– 6xx Global Failure
SIP Message Format
• SIP Header
– Required Headers: To, From, Via, Call-ID, CSeq
– Optional Headers: Subject, Date, Authentication and many others
» Used for invoking various types of services and features.
» In most cases, it will be the type of voice traffic: speech, data or FAX
• SIP Message Body
– Similar to an attachment in an e-mail message
– The SIP body in an INVITE request contains a description of the media session using another protocol:
» Usually SDP (Session Description Protocol – RFC …)
– The SIP body can be encrypted using S/MIME for end-to-end security
SIP Call Flow
• Direct Session Establishment (example from RFC 3665)
• SIP INVITE Request
INVITE sip:b@example.com SIP/2.0
Via: SIP/2.0/UDP 10.185.224.28
Call-ID: 12555-915546774@10.185.224.28
From: sip:a@example.com
To: sip:b@example.com
Content-Type: application/sdp
Content-Length: 276

v=0
o=andreas .. … IN IP4 10.185.224.28
s=test on unix
i=Group Chat
e=a@example.com
c=IN IP4 239.255.232.123/15
t=1038556894 1038557194
a=tool:sdr v2.4a6
a=type:meeting
m=audio 23376 RTP/AVP 0
c=IN IP4 239.255.232.123/15
a=ptime:40
• SIP Response – 180 Ringing
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 10.185.224.28
Call-ID: 12555-915546774@10.185.224.28
From: sip:a@example.com
To: sip:b@example.com
Contact-host: 192.168.224.68
• SIP Response – 200 OK
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.185.224.28
Call-ID: 12555-915546774@10.185.224.28
From: sip:a@example.com
To: sip:b@example.com
Contact-host: 192.168.224.68
[Figure: User Agent A (a@example.com) and User Agent B (b@example.com): INVITE (1), 180 Ringing (2), 200 OK (3), ACK (4), RTP Media Session after off-hook, BYE (5), 200 OK (6).]
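The message format rules from the previous slides (start line, the required To/From/Via/Call-ID/CSeq headers, an SDP body announced by Content-Length, and the 1xx-6xx response classes) can be checked mechanically before a message is trusted by a proxy or a SIP-aware firewall. The parser below is an added example, not code from the slides or from Verizon; the INVITE and 180 Ringing it parses are constructed from the call flow above (the o= line, branch and tag values are made up, and a CSeq header is added because a valid message needs one).

```python
import re
from typing import Dict, List, Optional

# Headers RFC 3261 requires in every request (the slides list the same five).
REQUIRED_HEADERS = ("To", "From", "Via", "Call-ID", "CSeq")
# RFC 3261 compact header names and canonical spellings for the headers we inspect.
COMPACT = {"t": "To", "f": "From", "v": "Via", "i": "Call-ID",
           "c": "Content-Type", "l": "Content-Length", "m": "Contact"}
CANONICAL = {h.lower(): h for h in REQUIRED_HEADERS +
             ("Content-Type", "Content-Length", "Contact", "Max-Forwards")}
RESPONSE_CLASSES = {1: "Informational", 2: "Final", 3: "Redirection",
                    4: "Client Error", 5: "Server Error", 6: "Global Failure"}


class SipParseError(ValueError):
    pass


def canonical_name(name: str) -> str:
    key = name.strip().lower()
    return COMPACT.get(key) or CANONICAL.get(key) or name.strip()


def parse_sip_message(raw: bytes) -> dict:
    """Parse one SIP datagram into start line, headers and body, rejecting malformed input."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                                   # tolerate bare LF line endings
        head, sep, body = raw.partition(b"\n\n")
    if not sep:
        raise SipParseError("no empty line terminating the header section")
    lines: List[str] = []
    for line in head.decode("utf-8").splitlines():
        if line[:1] in (" ", "\t") and lines:     # unfold continuation lines
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    parts = lines[0].split(" ", 2)
    msg: dict = {"headers": {}, "body": body}
    if parts[0] == "SIP/2.0":                     # status line: SIP/2.0 <code> <reason>
        if len(parts) < 2 or not parts[1].isdigit():
            raise SipParseError("malformed status line")
        code = int(parts[1])
        msg.update(kind="response", status=code, reason=parts[2] if len(parts) == 3 else "",
                   response_class=RESPONSE_CLASSES.get(code // 100, "Unknown"))
    else:                                         # request line: <method> <Request-URI> SIP/2.0
        if len(parts) != 3 or parts[2] != "SIP/2.0":
            raise SipParseError("malformed request line")
        if not re.match(r"^(sips?|tel):", parts[1], re.IGNORECASE):
            raise SipParseError("Request-URI must carry a sip:, sips: or tel: scheme")
        msg.update(kind="request", method=parts[0], uri=parts[1])
    headers: Dict[str, List[str]] = msg["headers"]
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise SipParseError(f"malformed header line: {line!r}")
        headers.setdefault(canonical_name(name), []).append(value.strip())
    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        raise SipParseError("missing required headers: " + ", ".join(missing))
    seq, _, cseq_method = headers["CSeq"][0].partition(" ")
    if not seq.isdigit():
        raise SipParseError("CSeq must start with a sequence number")
    if msg["kind"] == "request" and cseq_method.strip() != msg["method"]:
        raise SipParseError("CSeq method does not match the request method")
    if "Content-Length" in headers:               # body length must match (one datagram assumed)
        declared = headers["Content-Length"][0]
        if not declared.isdigit() or int(declared) != len(body):
            raise SipParseError(f"Content-Length {declared} does not match body length {len(body)}")
    return msg


def validate(raw: bytes) -> Optional[str]:
    """Return None for a well-formed message, otherwise the reason it was rejected."""
    try:
        parse_sip_message(raw)
        return None
    except (SipParseError, UnicodeDecodeError) as e:
        return str(e)


# Constructed sample messages modelled on the call flow in the slides.
SDP_BODY = b"\r\n".join([
    b"v=0", b"o=andreas 2890844526 2890844526 IN IP4 10.185.224.28", b"s=test on unix",
    b"c=IN IP4 239.255.232.123/15", b"t=1038556894 1038557194",
    b"m=audio 23376 RTP/AVP 0", b"a=ptime:40"]) + b"\r\n"
SAMPLE_INVITE = (b"INVITE sip:b@example.com SIP/2.0\r\n"
                 b"Via: SIP/2.0/UDP 10.185.224.28;branch=z9hG4bK776asdhds\r\n"
                 b"Max-Forwards: 70\r\n"
                 b"From: sip:a@example.com;tag=1928301774\r\n"
                 b"To: sip:b@example.com\r\n"
                 b"Call-ID: 12555-915546774@10.185.224.28\r\n"
                 b"CSeq: 1 INVITE\r\n"
                 b"Content-Type: application/sdp\r\n"
                 + b"Content-Length: %d\r\n" % len(SDP_BODY) + b"\r\n" + SDP_BODY)
SAMPLE_180 = (b"SIP/2.0 180 Ringing\r\nVia: SIP/2.0/UDP 10.185.224.28\r\n"
              b"Call-ID: 12555-915546774@10.185.224.28\r\nFrom: sip:a@example.com\r\n"
              b"To: sip:b@example.com\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(parse_sip_message(SAMPLE_INVITE)["headers"])
    print(validate(SAMPLE_180))
```

A firewall or proxy that drops anything `validate` rejects removes a whole class of malformed-message problems before any routing decision is made on the Via, Route or Request-URI fields.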
SIP Call Flow
• Session Establishment through SIP Proxies (example from RFC 3665)
– The initial INVITE (1) contains a pre-loaded Route header with the address of the Proxy Server (configured as the default outbound proxy for UA A).
– The Proxy Server inserts a Record-Route header into the INVITE message to ensure that it is present in all subsequent message exchanges.
[Figure: User Agent A, Proxy Server, User Agent B and the Location Service (SIP URI to IP address mapping): INVITE (1) from A to the proxy, INVITE (2) from the proxy to B, 100 Trying (3), 180 Ringing (4), 180 Ringing (5), 200 OK (6), 200 OK (7), ACK (8), then the RTP Media Session.]
SIP Call Flow
• Session via Redirect and Proxy Servers (example from RFC 3665)
– The INVITE message is first sent to the Redirect Server (1).
– The Server returns a 302 Moved Temporarily response (2) containing a Contact header with UA B's current SIP address
– UA A then generates a new INVITE (3) and sends it to UA B via the Proxy Server, and the call proceeds normally
[Figure: User Agent A, Redirect Server, Proxy Server, User Agent B and the Location Service (SIP URI to IP address mapping): INVITE (1) to the Redirect Server, 302 Moved Temporarily (2), ACK (3), INVITE (4) to the Proxy Server, INVITE (5) to UA B, 100 Trying (6), 180 Ringing (7), 180 Ringing (8), 200 OK (9), 200 OK (10), ACK, then the RTP Media Session.]
ENUM - E.164 Number Mapping (RFC 3716)
• Mapping between an E.164 number and other services
• DNS is used to identify the services bound to the E.164 number
– Format: <reverse phone number>.e164.arpa
– Example: "+130355553031" becomes "1.3.0.3.5.5.5.5.3.0.3.1.e164.arpa"
• One NAPTR entry in the DNS database for each available service
– E.g. SIP, H.323, Web, Email, PSTN
» IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:joe@vzb.com!"
» IN NAPTR 102 15 "u" "mailto+E2U" "!^.*$!mailto:joe@vzb.com!"
» IN NAPTR 100 20 "u" "tel+E2U" "!^.*$!tel:joe@vzb.com!"
– SIP translates E.164 numbers into URIs
» Resolved to an IP address using the SIP redirect and/or location service

ENUM Queries and SIP
ENUM - Query Example
$ORIGIN 1.3.0.3.5.5.5.5.3.0.3.1.e164.arpa. (Query)
IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:joe@vzb.com!"
IN NAPTR 102 15 "u" "mailto+E2U" "!^.*$!mailto:joe@vzb.com!"
IN NAPTR 100 20 "u" "tel+E2U" "!^.*$!tel:joe@vzb.com!"
• IN – Internet Class
– Class of record – this is always IN
• NAPTR – Naming Authority Pointer Record
– Type of DNS resource record (RR)
• 1xx – Order
– First arbiter of preference (lower is better)
• 10 – Preference
– Weight for how the user would like to be contacted; used when orders match
• "u" "tel+E2U" – Flag and Service
– The "u" flag indicates that the rewrite result is a URI; the service field names the resolution service (here tel).
• The text after this is the regular expression that rewrites the queried number into the URI (one per line).
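The ENUM lookup the last two slides describe (reverse the E.164 digits under e164.arpa, collect the NAPTR records, pick one by order and preference, apply its regexp) is shown below as an added example; it is not code from the slides. The zone text is constructed from the records on the slide, and the parser, the order/preference selection and the scheme check are this example's own; a real resolver would fetch the records over DNS instead of reading them from a string.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed zone text, laid out like the query example on the slide.
ZONE = """
$ORIGIN 1.3.0.3.5.5.5.5.3.0.3.1.e164.arpa.
IN NAPTR 100 10 "u" "sip+E2U" "!^.*$!sip:joe@vzb.com!"
IN NAPTR 102 15 "u" "mailto+E2U" "!^.*$!mailto:joe@vzb.com!"
IN NAPTR 100 20 "u" "tel+E2U" "!^.*$!tel:joe@vzb.com!"
"""


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str
    replacement: str = "."


# owner (optional)  ttl (optional)  IN NAPTR order pref "flags" "service" "regexp" replacement
NAPTR_RE = re.compile(
    r'^\s*(?:[\w.@-]+\s+)?(?:\d+\s+)?IN\s+NAPTR\s+(\d+)\s+(\d+)\s+'
    r'"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s*(\S*)\s*$')


def e164_to_enum_domain(number: str, suffix: str = "e164.arpa") -> str:
    """'+130355553031' -> '1.3.0.3.5.5.5.5.3.0.3.1.e164.arpa' (strip non-digits, reverse, dot-separate)."""
    digits = re.sub(r"\D", "", number)
    if not digits:
        raise ValueError("no digits in E.164 number")
    return ".".join(reversed(digits)) + "." + suffix


def parse_zone(text: str) -> List[Naptr]:
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("$") or line.startswith(";"):
            continue
        m = NAPTR_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised record: {line}")
        order, pref, flags, service, regexp, repl = m.groups()
        records.append(Naptr(int(order), int(pref), flags, service, regexp, repl or "."))
    return records


def apply_regexp(regexp: str, subject: str) -> Optional[str]:
    """Apply a sed-style NAPTR substitution '<d>pattern<d>replacement<d>flags'; None if it does not match."""
    if not regexp:
        return None
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) != 3:
        raise ValueError(f"malformed regexp field: {regexp}")
    pattern, replacement, flags = parts
    re_flags = re.IGNORECASE if "i" in flags else 0
    if re.search(pattern, subject, re_flags) is None:
        return None
    return re.sub(pattern, replacement, subject, count=1, flags=re_flags)


def select_uri(records: Iterable[Naptr], number: str, supported_services) -> Optional[str]:
    """Lowest order first, then lowest preference, restricted to services the client supports."""
    candidates = sorted(
        (r for r in records if "u" in r.flags.lower() and r.service in supported_services),
        key=lambda r: (r.order, r.preference))
    for r in candidates:
        uri = apply_regexp(r.regexp, number)
        if uri is None:
            continue
        # Defensive check: the URI scheme must agree with the advertised service
        # ("sip+E2U" as on the slide, or the later "E2U+sip" form), so a record
        # cannot advertise SIP and rewrite the number into some other scheme.
        scheme = [p for p in r.service.split("+") if p.upper() != "E2U"][0].lower()
        if not uri.lower().startswith(scheme + ":"):
            continue
        return uri
    return None


if __name__ == "__main__":
    print(e164_to_enum_domain("+130355553031"))
    print(select_uri(parse_zone(ZONE), "+130355553031", {"sip+E2U", "tel+E2U"}))
```

With the slide's records, a client that supports SIP and tel gets the SIP URI (order 100, preference 10 beats preference 20); one that supports only tel gets the tel URI; the mailto record (order 102) is used only when nothing with order 100 fits.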
VoIP Services
Self-provided VoIP
• No provider (like Skype, T-Online etc.) is used to provide the voice service
– The end-users install a dedicated VoIP product on their systems
» The IP address of the called party must be known to the caller before placing a call; an Instant Message and Presence service can solve this problem
» Example: Microsoft NetMeeting
– The VoIP infrastructure is installed within a company's local network
» Voice routing can be done manually or using SIP Proxies, H.323 Gateways, IP PBX …
[Figure: Example of manual voice routing between two PBX systems with E1 interfaces. Each PBX is attached with PRI signaling to a router voice port 1/0:15; Cisco uses a proprietary H.323 protocol for voice signaling between the routers by default.]
Self-provided VoIP - Manual Voice Routing
Router at site A (voice port 1/0:15, PRI signaling towards the local PBX):
isdn switch-type primary-net5
!
controller E1 1/0
 pri-group timeslots 1-30
!
interface Serial1/0:15
 isdn switch-type primary-net5
 isdn incoming-voice voice
!
interface Serial0/0
 ip address 172.16.1.123
!
dial-peer voice 1 pots
 destination-pattern 555....
 port 1/0:15
!
dial-peer voice 3 voip
 destination-pattern 119....
 session target ipv4:172.16.65.182
 ! session protocol cisco is the default (proprietary H.323 signaling between the routers)

Router at site B (voice port 1/0:15, PRI signaling towards the local PBX):
isdn switch-type primary-net5
!
controller E1 1/0
 pri-group timeslots 1-30
!
interface Serial1/0:15
 isdn switch-type primary-net5
 isdn incoming-voice voice
!
interface Serial0/0
 ip address 172.16.65.182
!
dial-peer voice 1 pots
 destination-pattern 119....
 port 1/0:15
!
dial-peer voice 3 voip
 destination-pattern 555....
 session target ipv4:172.16.1.123
 ! session protocol cisco is the default (proprietary H.323 signaling between the routers)

Cisco uses a proprietary H.323 protocol for voice signaling between the routers by default.
Self-Provided VoIP - IP PBX
[Figure: IP PBX systems connected over an IP backbone, with voice gateways to the PSTN.]
• IP voice circuit: RTP or SRTP
• Voice Signalling: SIP, H.323, Cisco Skinny, Asterisk IAX2, MGCP, MeGaCo / H.248
Self-Provided VoIP - IP PBX
• IP PBX systems are installed by a company without using a voice service provider
• Various implementations using different vendors are possible
– Cisco, Avaya, Siemens, Nortel, Asterisk (Open Source) …
– Outsourcing of the management and maintenance of these IP PBX systems
• PSTN breakout using separate gateways
– Controlled via H.323, SIP, MGCP or MeGaCo / H.248
• Problem: Interconnection between IP PBX systems from different vendors can be a nightmare
– Often only a very limited subset of subscriber features is possible (e.g. if H.323 is used for the interconnection)
Centrex-based Solutions
• Only SIP phones at the location; the PBX is located in the provider network
– Survivability: Additional IP access or a local PSTN breakout
– Emergency Services: Local PSTN breakout, or the provider maintains a mapping database between phone number and location
» Problem with mobile users (WLAN VoIP phones, VoIP soft clients …)
» Database must be manually kept up-to-date
[Figure: SIP phones and a traditional PBX with VoIP interface send SIP signalling and RTP over the IP backbone to the provider's SIP-based VoIP infrastructure, which has gateways to the PSTN.]
IP Trunking - Toll Bypass
• Trunk connection between PBX systems located in different sites
– Kind of connection depends on the vendor (e.g. H.323, SIP or other protocols)
– Not very scalable
– Usually a PSTN breakout in every site (for emergency numbers)
[Figure: Two traditional PBXs with VoIP interface trunked to each other over IP, each with its own PSTN connection.]
IP Trunking - PBX Interconnection
• SIP trunk connection between different IP PBX systems and a central Soft PBX within the provider network
• The Service Provider provides external PSTN long-distance and local access, handled through their SIP network
– Emergency services are an issue: the number of traditional local trunks needed in the branches can be reduced to just the number required for survivability or emergency services
[Figure: A traditional PBX with E1 interface and a traditional PBX with VoIP interface send SIP signalling and RTP over the IP backbone to the SIP-based VoIP infrastructure of the provider, which has gateways to the PSTN.]
Emergency Services for VoIP
• Usually not a problem for fixed phones.
– The location details of the phones are entered in a database
» This information is transferred to the emergency service answering points
» It must be ensured that the location details for each phone are up-to-date
• A big issue with mobile phones like PC soft phones or WLAN IP phones
• IETF ECRIT (Emergency Context Resolution with Internet Technologies) concept:
– IP phones have to know their actual location
» GPS
» Information from a DHCP server
» Manual
– Globally available geographical mapping database
» Contains the Internet address of the locally responsible Emergency Service Answering Points (police, fire department etc.)
VoIP in the Provider Core
• Next Generation Network (NGN)
– Transmission of voice and data over a common IP-based network
– Connection between the different types of networks (PSTN, Mobile, DSL etc.)
– Can provide intelligent services like presence or instant messaging
[Figure: Provider IP backbone with IMS (IP Multimedia Subsystem) and P-CSCF, media gateways to the PSTN and to mobile (GSM & UMTS) networks, and routers to private IP networks (MPLS based).]
VoIP in the Provider Core - IMS (IP Multimedia Subsystem)
• Defined by the 3rd Generation Partnership Project (3GPP)
– 3GPP is a collaboration agreement that brings together a number of telecommunications standards bodies (like ETSI)
– A reference service delivery platform architecture for the provision of IP Multimedia services within a mobile all-IP network environment, such as UMTS Release 5.
• Provides signalling to control real-time multimedia services
– Based on SIP signalling
• Uses the packet-switched domain instead of the circuit-switched one
– Smooth integration of new IP-based services (e.g. Voice over IP).
– Interworking with devices with no access to the mobile domain is trivial
– Packet-switched technology is usually more efficient than circuit-switched
• Represents an overlay architecture
– Not limited to the mobile domain only (WLAN, WiMAX, xDSL access also possible)
• Does not mandate any particular business model
VoIP Security
• Vulnerabilities
• SIP Security
• Securing the Audio Stream
Vulnerabilities
• DDoS attacks
– Bad phone quality if the Internet connection is congested
» DDoS protection within the provider network
– SIP server flooding (INVITE, REGISTER, SUBSCRIBE messages)
» Block all SIP messages except the ones to and from trusted networks.
• Phreaking (Telephone Fraud)
– Fraudulent usage of the VoIP equipment to get toll-free calls or let someone else pay for the call
» Different kinds of attacks are possible (e.g. SIP spoofing, errors in the devices and so on)
– Example: Telephone system hackers have established a black market in reselling stolen VoIP minutes. These telephone phreakers steal 200m minutes a month, worth $26m
» http://www.theregister.co.uk/2007/03/22/voip_fraud/
– Careful design of the network; use firewalls and filters, and secured SIP and RTP connections wherever possible
Vulnerabilities
• Spam over Internet Telephony (SPIT)
– E-mail spam is transferred into the telephone world, e.g. advertising material is offered directly over the phone
– Often automated dialers are used to force the user to call back a toll number like 0900 or 0137.
» The providers usually have Internet connections with a VoIP flat rate.
» No further costs apply, only for the Internet connection.
– Possible mitigations are still under investigation. Normal e-mail filter mechanisms do not work for SPIT
» Only allow specific inbound numbers (white list)
» Block specific inbound numbers (black list)
» Block all calls without a CLI (Calling Line Identification)
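The mitigations listed on the two vulnerability slides (accept SIP only from trusted networks, notice a flood of requests, and for inbound calls apply a white list, a black list and a no-CLI rule) can be combined into one admission decision in front of a SIP server. The policy below is an added example and not code from the slides or from Verizon; the trusted networks, the number lists and the thresholds are constructed placeholders, and the 433 Anonymity Disallowed response it names comes from RFC 5079, not from the slides.

```python
import ipaddress
import re
from collections import deque

# Constructed policy data: the trusted networks stand for the provider's SIP
# proxies, the two sets for the white list and black list on the slide.
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
WHITE_LIST = {"+4930111111", "+4930222222"}
BLACK_LIST = {"+4990099999"}
ANONYMOUS_USERS = {"anonymous", "unavailable", "restricted", "unknown"}

URI_USER_RE = re.compile(r"(?:sips?|tel):([^@>;?]+)", re.IGNORECASE)


def calling_line_id(from_header):
    """Return the caller's number from a From header, or None when there is no usable CLI."""
    m = URI_USER_RE.search(from_header or "")
    if not m:
        return None
    user = m.group(1).strip()
    # Names such as "anonymous" and non-numeric users carry no calling line identification.
    if user.lower() in ANONYMOUS_USERS or not re.fullmatch(r"\+?\d+", user):
        return None
    return user


class FloodGuard:
    """Sliding-window request counter per source address (a simple SIP flooding tripwire)."""

    def __init__(self, limit, window_s):
        self.limit = limit
        self.window = window_s
        self._hits = {}

    def allow(self, src_ip, now):
        q = self._hits.setdefault(src_ip, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        return len(q) <= self.limit


def decide(src_ip, method, from_header, now, guard, mode="whitelist"):
    """Admission decision: ('drop' | 'reject' | 'accept', reason).

    'drop' means silently discard (no SIP response is generated for untrusted or
    flooding sources), 'reject' means answer with a SIP error response.
    """
    ip = ipaddress.ip_address(src_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return "drop", "source not in a trusted network"
    if not guard.allow(src_ip, now):
        return "drop", "rate limit exceeded (possible SIP flood)"
    if method != "INVITE":
        return "accept", "non-call request from trusted network"
    cli = calling_line_id(from_header)
    if cli is None:
        return "reject", "433 Anonymity Disallowed: no CLI"
    if cli in BLACK_LIST:
        return "reject", "403 Forbidden: caller on black list"
    if mode == "whitelist" and cli not in WHITE_LIST:
        return "reject", "403 Forbidden: caller not on white list"
    return "accept", f"call from {cli}"


if __name__ == "__main__":
    guard = FloodGuard(limit=3, window_s=1.0)
    print(decide("192.0.2.10", "INVITE", '"Anonymous" <sip:anonymous@anonymous.invalid>', 0.0, guard))
```

The order of the checks matters: source-network and rate checks come first because they need no parsing and discard the bulk of a flood cheaply, while the per-caller rules only run for INVITEs that already passed them.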
SIP Security Mechanisms
• HTTP/SIP digest authentication
– Simple challenge/response mechanism using a shared secret (like CHAP)
– Replay protection and one-way authentication
» User Agent to User Agent or User Agent to Proxy Server
– Vulnerable to brute force or dictionary attacks
• The basic authentication scheme (RFC 2543) has been deprecated
– Client authentication mechanism with user ID and a password (like PAP)
• IPSec-based security
– Provides hop-by-hop mutual authentication, encryption, and/or message integrity
– No integration with the SIP applications required
Example: SIP Digest Authentication
• F1 REGISTER Bob -> SIP Server
REGISTER sips:ss2.biloxi.example.com SIP/2.0
Via: SIP/2.0/TCP client.biloxi.example.com:5060;branch=z9hG4bKnashds7
Max-Forwards: 70
From: Bob <sip:bob@biloxi.example.com>;tag=a73kszlfl
To: Bob <sip:bob@biloxi.example.com>
Call-ID: 1j9FpLxk3uxtm8tn@biloxi.example.com
CSeq: 1 REGISTER
Contact: <sip:bob@client.biloxi.example.com>
Content-Length: 0
• F2 401 Unauthorized SIP Server -> Bob
SIP/2.0 401 Unauthorized
Via: SIP/2.0/TCP client.biloxi.example.com:5060;branch=z9hG4bKnashds7;received=192.0.2.201
From: Bob <sip:bob@biloxi.example.com>;tag=a73kszlfl
To: Bob <sip:bob@biloxi.example.com>;tag=1410948204
Call-ID: 1j9FpLxk3uxtm8tn@biloxi.example.com
CSeq: 1 REGISTER
WWW-Authenticate: Digest realm="atlanta.example.com", qop="auth", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", stale=FALSE, algorithm=MD5
Content-Length: 0
• F3 REGISTER Bob -> SIP Server
REGISTER sips:ss2.biloxi.example.com SIP/2.0
Via: SIP/2.0/TCP client.biloxi.example.com:5060 …
Max-Forwards: 70
From: Bob <sip:bob@biloxi.example.com>;tag=…lH
To: Bob <sip:bob@biloxi.example.com>
Call-ID: 1j9FpLxk3uxtm8tn@biloxi.example.com
CSeq: 2 REGISTER
Contact: <sip:bob@client.biloxi.example.com>
Authorization: Digest username="bob", realm="atlanta.example.com", nonce="ea9c8e88df84f1cec4341ae6cbe5a359", opaque="", uri="sip:ss2.biloxi.example.com", response="dfe56131d1958046689d83306477ecc"
Content-Length: 0
• F4 200 OK SIP Server -> Bob
SIP/2.0 200 OK
Via: SIP/2.0/TCP client.biloxi.example.com:5060;branch=z9h…d92;received=192.0.2.201
From: Bob <sip:bob@biloxi.example.com>;tag=ja743ks76zlflH
To: Bob <sip:bob@biloxi.example.com>;tag=37GkEhwl6
Call-ID: 1j9FpLxk3uxtm8tn@biloxi.example.com
CSeq: 2 REGISTER
Contact: <sip:bob@client.biloxi.example.com>;expires=3600
Content-Length: 0
[Figure: User Agent and Proxy Server exchange F1: REGISTER, F2: 401 Unauthorized, F3: REGISTER, F4: 200 OK.]
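Both sides of the F1-F4 exchange above, the digest arithmetic behind the response= value and the replay protection the mechanism slide credits to it, are worked through below. This is an added example, not code from the slides, from RFC 3665 or from Verizon: the registrar, the nonce bookkeeping and the password "constructed-password" are this example's own (the slides never show Bob's password, so the F3 response value cannot be reproduced here); the digest formula itself is the RFC 2617 MD5 computation that RFC 3261 adopts, and the test uses RFC 2617's own published vector to confirm it.

```python
import hashlib
import hmac
import re
import secrets
import time

PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))')


def parse_auth_params(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2' (WWW-Authenticate or Authorization value) into a dict."""
    body = header.split(" ", 1)[1] if header.lower().startswith("digest ") else header
    out = {}
    for m in PARAM_RE.finditer(body):
        out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """RFC 2617 response = MD5(HA1:nonce[:nc:cnonce:qop]:HA2), HA1 = MD5(user:realm:pw), HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")        # the qop-less form used in F3 on the slide


def build_authorization(username, password, method, uri, challenge, nc=1, cnonce=None):
    """Client side (F3): answer a WWW-Authenticate challenge with an Authorization header value."""
    c = parse_auth_params(challenge)
    qop = "auth" if "auth" in [q.strip() for q in c.get("qop", "").split(",")] else None
    nc_str = f"{nc:08x}" if qop else None
    cnonce = cnonce or (secrets.token_hex(8) if qop else None)
    resp = digest_response(username, c["realm"], password, method, uri, c["nonce"], qop, nc_str, cnonce)
    parts = [f'username="{username}"', f'realm="{c["realm"]}"', f'nonce="{c["nonce"]}"',
             f'uri="{uri}"', f'response="{resp}"', f'opaque="{c.get("opaque", "")}"', "algorithm=MD5"]
    if qop:
        parts += ["qop=auth", f"nc={nc_str}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


class DigestRegistrar:
    """Server side (F2/F4): issues nonces, verifies responses, refuses replays and stale nonces."""

    def __init__(self, realm, credentials, nonce_lifetime=60.0):
        self.realm = realm
        self._credentials = dict(credentials)   # username -> password (constructed; store H(A1) in practice)
        self._lifetime = nonce_lifetime
        self._issued = {}                       # nonce -> time it was issued
        self._last_nc = {}                      # nonce -> highest nonce-count accepted

    def challenge(self, now=None):
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self._issued[nonce] = now
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}", opaque="", algorithm=MD5'

    def verify(self, method, authorization, now=None):
        now = time.time() if now is None else now
        p = parse_auth_params(authorization)
        nonce = p.get("nonce", "")
        issued = self._issued.get(nonce)
        if issued is None:
            return "unknown-nonce"
        if now - issued > self._lifetime:
            return "stale"                      # a real server re-challenges with stale=TRUE
        if p.get("realm") != self.realm:
            return "wrong-realm"
        password = self._credentials.get(p.get("username", ""))
        if password is None:
            return "bad-credentials"            # same answer as a wrong password: no user enumeration
        expected = digest_response(p["username"], self.realm, password, method, p.get("uri", ""),
                                   nonce, p.get("qop"), p.get("nc"), p.get("cnonce"))
        if not hmac.compare_digest(expected, p.get("response", "")):
            return "bad-credentials"
        # Replay protection: with qop=auth the nonce-count must increase per nonce;
        # without qop (as in F3 on the slide) the nonce is treated as single-use.
        nc_val = int(p["nc"], 16) if p.get("qop") == "auth" and p.get("nc") else 1
        if nc_val <= self._last_nc.get(nonce, 0):
            return "replay"
        self._last_nc[nonce] = nc_val
        return "ok"


if __name__ == "__main__":
    reg = DigestRegistrar("atlanta.example.com", {"bob": "constructed-password"})
    ch = reg.challenge()
    auth = build_authorization("bob", "constructed-password", "REGISTER", "sip:ss2.biloxi.example.com", ch)
    print(reg.verify("REGISTER", auth), reg.verify("REGISTER", auth))
```

The response is only an MD5 over the password and the challenge values, which is why the mechanism slide calls it vulnerable to brute force and dictionary attacks: anyone who sees one F2/F3 pair can test password guesses offline, so the strength of the shared secret and TLS for the REGISTER hop are what protect it.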
SIP Security Mechanisms
• TLS (sips)
– Hop-by-hop encryption, authentication and message integrity
• S/MIME
– End-to-end encryption, authentication and integrity for the message body
[Figure: SIP phones and proxy servers; TLS (sips) protects each hop to and between the proxies, while S/MIME protects the SIP message body end-to-end between the phones.]

SIP Security Mechanisms
• IPSec:
– Hop-by-hop encryption, authentication and message integrity
[Figure: SIP phones and proxy server with the SIP signalling carried inside IPSec on each hop.]
SIP Security Mechanisms
• TLS (sips)
– Hop-by-hop encryption, message integrity and mutual authentication using certificates
» Between UA and Proxy Server or between two Proxy Servers
» Other authentication mechanisms can also be used, allowing mutual authentication if a certificate is missing (for example HTTP Digest authentication)
» The whole SIP message is encrypted and authenticated
SIP-enabled firewalls cannot look into the SIP messages to open the necessary UDP ports for RTP and RTCP
Message fields (Request-URI, Route, and Via) need to be visible to SIP proxies in most architectures to route SIP requests correctly
– Integration with SIP applications required
• TLS Proxy with the Firewall
– Future: the firewall will act as a TLS proxy to be able to control TLS-encrypted SIP signaling (for example Cisco ASA or Juniper NetScreen)
SIP Security Mechanisms
• S/MIME
– End-to-end encryption, message integrity and mutual authentication using certificates
» Encrypts MIME bodies within a SIP message between two User Agents
Bodies are secured end-to-end without affecting the SIP header
Transparent to any intermediate firewalls, NAT devices or SIP proxies
• S/MIME with SIP Message Tunneling
– Provides a form of integrity and confidentiality for SIP header fields
• PGP mechanism for encrypting the header fields and bodies
Securing the Audio Stream
• IPSec VPN
– Mostly used for connections running over the backbone
– Cisco GET VPN can be used to build an any-to-any IPSec VPN
– Independent of the SIP User Agents' capabilities
[Figure: RTP stream between SIP phones carried inside an IPSec tunnel; the proxy server handles the signalling.]

Securing the Audio Stream
• RFC 3711 - Secure Real Time Transport Protocol (SRTP)
– Secures end-to-end RTP and RTCP traffic
– Encryption, authentication and message integrity using symmetric AES keys
– SIP User Agents must support SRTP
[Figure: SRTP stream end-to-end between the SIP phones; the proxy server handles the signalling.]
Securing the Audio Stream
• SRTP Key Management
– SRTP does not define a key management mechanism but refers to other key management standards
» RFC 3547: "The Group Domain of Interpretation"
» RFC 3830: "MIKEY: Multimedia Internet KEYing"
» RFC 4430: "Kerberized Internet Negotiation of Keys (KINK)"
» RFC 4567: "Key Management Extensions for SDP and RTSP"
» RFC 4568: "SDP Security Descriptions for Media Streams"
– These protocols are used to establish an SRTP master key
• SRTP derives six different keys from this single master key in a cryptographically secure way
– SRTP and SRTCP encryption keys and salts
– SRTP and SRTCP authentication keys
Securing the Audio Stream
• SRTP packet format
[Figure: SRTP packet layout, bit offsets 0, 4, 8, 12, 16, 20, 24, 28, 31:
V=2 | P | X | CC | M | Payload Type | Sequence Number
Timestamp
Synchronization Source Identifier (SSRC)
Contributing Source Identifiers (CSRC) – optional
RTP Header Extensions (optional)
Payload (Audio and Video)
RTP Padding | RTP Pad Count
SRTP MKI (Master Key Identifier) – optional
Authentication Tag
The encrypted part covers the payload and the RTP padding; the authenticated part of the RTP message covers the RTP header together with the encrypted part.]
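The packet layout above determines what a receiver must do before it trusts a media packet: parse the RTP header (including CSRC list and header extension) to find where the encrypted part starts, peel the MKI and authentication tag off the end, and recompute the tag over the authenticated part. The code below is an added example, not code from the slides or from Verizon. It implements the RFC 3711 default integrity check (HMAC-SHA1 over the authenticated portion followed by the 32-bit rollover counter, truncated to 80 bits) with a constructed 160-bit session authentication key; the payload bytes are constructed and stand for already-encrypted audio, since the AES-CM encryption and the derivation of the six session keys from the master key are not implemented here.

```python
import hashlib
import hmac
import struct

AUTH_TAG_LEN = 10   # RFC 3711 default: 80-bit HMAC-SHA1 authentication tag
RTP_FIXED_HEADER = 12


def parse_rtp_header(pkt: bytes):
    """Return (header_length, fields) for the RTP header at the start of pkt."""
    if len(pkt) < RTP_FIXED_HEADER:
        raise ValueError("packet shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:RTP_FIXED_HEADER])
    version, padding, extension, cc = b0 >> 6, (b0 >> 5) & 1, (b0 >> 4) & 1, b0 & 0x0F
    marker, payload_type = b1 >> 7, b1 & 0x7F
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    hdr_len = RTP_FIXED_HEADER + 4 * cc                      # CSRC list, 32 bits each
    if extension:                                             # 16-bit profile id + 16-bit length in words
        if len(pkt) < hdr_len + 4:
            raise ValueError("truncated RTP header extension")
        ext_words = struct.unpack("!H", pkt[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    if len(pkt) < hdr_len:
        raise ValueError("header length exceeds packet length")
    fields = {"version": version, "padding": padding, "extension": extension, "cc": cc,
              "marker": marker, "pt": payload_type, "seq": seq, "ts": ts, "ssrc": ssrc}
    return hdr_len, fields


def split_srtp(pkt: bytes, mki_len: int = 0, tag_len: int = AUTH_TAG_LEN):
    """Split an SRTP packet into (fields, authenticated_part, encrypted_part, mki, tag)."""
    hdr_len, fields = parse_rtp_header(pkt)
    if len(pkt) < hdr_len + mki_len + tag_len:
        raise ValueError("packet too short for MKI and authentication tag")
    tag_start = len(pkt) - tag_len
    mki_start = tag_start - mki_len
    return (fields, pkt[:mki_start], pkt[hdr_len:mki_start], pkt[mki_start:tag_start], pkt[tag_start:])


def srtp_auth_tag(auth_key: bytes, authenticated: bytes, roc: int, tag_len: int = AUTH_TAG_LEN) -> bytes:
    """HMAC-SHA1(auth_key, authenticated_portion || ROC) truncated to tag_len bytes (RFC 3711 4.2)."""
    return hmac.new(auth_key, authenticated + struct.pack("!I", roc), hashlib.sha1).digest()[:tag_len]


def verify_srtp(pkt: bytes, auth_key: bytes, roc: int = 0, mki_len: int = 0, tag_len: int = AUTH_TAG_LEN) -> bool:
    """True only if the tag matches; the receiver must not decrypt or play a packet that fails this."""
    _, authenticated, _, _, tag = split_srtp(pkt, mki_len, tag_len)
    return hmac.compare_digest(srtp_auth_tag(auth_key, authenticated, roc, tag_len), tag)


def build_srtp_packet(auth_key: bytes, seq: int, ts: int, ssrc: int, encrypted_payload: bytes,
                      pt: int = 0, marker: int = 0, roc: int = 0, mki: bytes = b"") -> bytes:
    """Sender side: fixed RTP header (V=2, no padding/extension/CSRC) + encrypted payload + MKI + tag."""
    header = struct.pack("!BBHII", 0x80, (marker << 7) | (pt & 0x7F), seq, ts, ssrc)
    authenticated = header + encrypted_payload          # MKI is not part of the authenticated portion
    return authenticated + mki + srtp_auth_tag(auth_key, authenticated, roc)


# Constructed session authentication key and payload (stands for already-encrypted G.711 audio).
DEMO_AUTH_KEY = bytes(range(20))
DEMO_PAYLOAD = b"\x11" * 160

if __name__ == "__main__":
    pkt = build_srtp_packet(DEMO_AUTH_KEY, seq=1, ts=160, ssrc=0x12345678, encrypted_payload=DEMO_PAYLOAD, mki=b"\x00\x01")
    print(len(pkt), verify_srtp(pkt, DEMO_AUTH_KEY, mki_len=2))
```

Two details are worth noting for anyone writing a receiver: the MKI length is not carried in the packet, so it must come from the key management exchange, and the rollover counter is authenticated but not transmitted, so a receiver that has lost track of the ROC will reject valid packets.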
Unified Messaging

Verizon Business - Instant Meeting incorporated into Microsoft Office Live Communication Server

Verizon Business - Instant Meeting integration into Microsoft
Verizon Business VoIP Solutions
4 Different Products based on SIP
Verizon Business VoIP Service Portfolio
Strategy
• Build world-class VoIP infrastructure with scalability and flexibility to meet business and wholesale customer needs
• Deliver high-quality VoIP experience
• Enable customers to migrate to VoIP at own pace, path leveraging
IP Trunking
• Use with an existing premises IP PBX
• Eliminates the need for expensive TDM premises gateway equipment
• Ideal for large locations with more than 200 users
IP Integrated Access / IP Flexible T1
• Use with existing PBX, Key System
• Ideal for small- to medium-size locations
• Not ready to rip/replace
• Avoid re-training
Hosted IP Centrex
• Full suite of subscriber and administrative features reside in the network
• Uses IP phones
• Enhances user mobility and productivity
• Easily scales with business demands
• Ideal for new locations
Managed IP PBX
• Designed for enterprises with >200 users
• Prefers premises-based solution without the internal support challenges
Verizon Business VoIP Architecture
[Figure: Customer premises with no PBX (LAN, SIP phones) and customer premises with a Key System or PBX (PBX phones, SIP phones) connect over a private IP or public IP network to the Verizon Business SIP infrastructure (SIP feature servers, redirect servers, voice mail servers), which reaches the Public Switched Telephone Network through a network gateway.]
Verizon VoIP - IP Integrated Access
[Figure: LAN client, phones and PBX behind an enterprise gateway, redundant firewall, IP router and modem; inter-site traffic is routed via the Verizon IP network, non-inter-site traffic via the Verizon voice network to the PSTN; network features are provided from the Verizon network.]
Verizon VoIP - IP Trunking
[Figure: CE router, firewall, Ethernet switch, Verizon VoIP probe, support modem, analogue gateway, SIP phones and traditional phones, IP PBX (Managed IP PBX optional); inter-site traffic is routed via the Verizon IP network, non-inter-site traffic via the Verizon voice network to the PSTN; network features are provided from the Verizon network.]
Verizon VoIP - Hosted IP Centrex
[Figure: CE router, firewall, Ethernet switch, support modem, analogue gateway, SIP phones and traditional phones; inter-site traffic is routed via the Verizon IP network, non-inter-site traffic via the Verizon voice network to the PSTN; network features are provided from the Verizon network.]
Verizon VoIP - Security
• Redundant NetScreen firewalls protect the SIP proxy servers in the Verizon VoIP network
• Customer sites must use SIP-aware firewalls.
– Only SIP messages that originate from Verizon's proxies are allowed to reach the IP phones.
• SIP Signalling:
– IP phones and analogue interfaces use SIP Digest Authentication
» Passwords on the IP phones are set before they are shipped.
– Enterprise gateways for IP Integrated Access use IPSec AH
» IPSec tunnel between the gateways and the NetScreen firewalls on the VzB VoIP network
Verizon VoIP - Security
[Figure: An enterprise gateway behind a SIP-aware firewall (Cisco PIX) connects over the access network (Internet or MPLS) to a NetScreen firewall in front of the Verizon VoIP network and the PSTN; SIP signaling uses Digest Authentication and runs inside an IPSec AH tunnel between the enterprise gateway and the NetScreen firewall.]
Thank You
Any Questions?
About Verizon Business
Verizon Business, a unit of Verizon Communications (NYSE:VZ) is a leading provider of advanced communications and information technology (IT) solutions to large business and government customers worldwide. Combining unsurpassed global network reach with advanced technology and professional service capabilities, Verizon Business delivers innovative and seamless business solutions to customers around the world.
For more information, visit www.verizonbusiness.com