Page 1

SIP Handover Extension - security issues and possible solutions

Elin Sundby Boysen, Lars Strand

Norwegian Defence Research Establishment (FFI)

Norwegian Computing Center (NR)

University Graduate Center (UNIK)

November 24, 2009

Page 2

This presentation will introduce the SIP Handover Extension and discuss some security issues:

Introduction to SIP

Session handover using the SIP Handover Extension

Security issues

[Figure: basic SIP call flow ladder (INVITE, 100 Trying, 180 Ringing, 200 OK, ACK, RTP/RTCP, BYE, 200 OK), shown twice, and the handover topology with AP1, MN, CN and AP2]

Page 3

People are connected through voice and data, everywhere, all the time

Page 4

INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
Max-Forwards: 70
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710@pc33.atlanta.com
CSeq: 314159 INVITE
Contact: <sip:alice@pc33.atlanta.com>
Content-Type: application/sdp
Content-Length: 142

SIP is an application-layer protocol used to set up, modify and terminate sessions

[Figure: basic SIP call flow ladder: INVITE, 100 Trying, 180 Ringing, 200 OK, ACK, RTP/RTCP media, BYE, 200 OK]

Page 5

The handover time is too long, resulting in poor user experience


Page 7

The suggested SIP extension, the Handover Extension, will eliminate packet loss during handover

[Figure: MN attached via AP1 in one access network moves to AP2 in another access network; CN sits in the home network. Message labels: INVITE / 200 OK / ACK (two legs), INVITE (Handover) / 200 OK / ACK, BYE / 200 OK]

Page 8

The SIP Handover Extension with various degrees of help from an intermediary node in the MN’s home network

[Figure: five topology diagrams, each with AP1, MN, CN and AP2, showing increasing involvement of the intermediary node]


Page 11

INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bK776asdhds
Max-Forwards: 70
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710@pc33.atlanta.com
[header name lost in extraction]: [Call-ID lost in extraction]; To-tag=5f7b910a; From-tag=as14ff55c1
CSeq: 314159 INVITE
Contact: <sip:alice@pc33.atlanta.com>
Content-Type: application/sdp
Content-Length: 142

The main security issue introduced by the Handover Extension is forged Handover INVITE messages
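As an added example (not code from the presentation), the following Python parses SIP requests laid out like the INVITE on page 4 and lets the correspondent node (CN) check a Handover INVITE against the dialog it claims to belong to, so that a message whose Call-ID or tags match no confirmed dialog is refused. The header name "Handover", carrying "call-id; To-tag=...; From-tag=..." as on this slide, is an assumption, and all messages are constructed samples.

```python
"""Added example, not code from the presentation: parse SIP requests and let
the CN check a Handover INVITE against its confirmed dialogs.  The "Handover"
header name is assumed; the messages below are constructed samples."""
import re
from dataclasses import dataclass, field


@dataclass
class SipRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)


def parse_request(raw: str) -> SipRequest:
    """Split a SIP request into request line and header fields.
    Header names are case-insensitive in SIP, so they are stored lower-cased;
    the body (SDP) plays no part in dialog matching and is ignored."""
    lines = raw.strip("\r\n").splitlines()
    method, uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP/2.0 request line: " + lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header section
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: " + line)
        headers[name.strip().lower()] = value.strip()
    return SipRequest(method, uri, headers)


def tag_of(header_value: str) -> str:
    """Return the ;tag= parameter of a From/To header value ('' if absent)."""
    m = re.search(r";tag=([^;\s]+)", header_value)
    return m.group(1) if m else ""


def parse_handover(value: str) -> tuple:
    """Turn 'call-id; To-tag=x; From-tag=y' (slide layout) into a dialog key."""
    call_id, *params = [p.strip() for p in value.split(";")]
    tags = {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in params)}
    return (call_id, tags["from-tag"], tags["to-tag"])


class CorrespondentNode:
    """CN-side dialog state: confirmed dialogs and the Contact media is sent to."""

    def __init__(self):
        self.dialogs = {}  # (call-id, peer From-tag, our To-tag) -> peer Contact

    def confirm_dialog(self, invite: SipRequest, local_tag: str) -> tuple:
        """Record the dialog once INVITE / 200 OK (carrying local_tag) / ACK is done."""
        key = (invite.headers["call-id"], tag_of(invite.headers["from"]), local_tag)
        self.dialogs[key] = invite.headers["contact"]
        return key

    def handle_handover_invite(self, req: SipRequest) -> str:
        """Move the session only if the request names a dialog we really have."""
        if req.method != "INVITE" or "handover" not in req.headers:
            return "400 Bad Request"
        try:
            key = parse_handover(req.headers["handover"])
        except (KeyError, ValueError):
            return "400 Bad Request"
        if key not in self.dialogs:
            return "481 Call/Transaction Does Not Exist"
        self.dialogs[key] = req.headers["contact"]  # media now goes via the new AP
        return "200 OK"


# Constructed samples: the original INVITE and a Handover INVITE sent from the
# MN's new address (10.0.2.33, made up) after it moved to AP2.
ORIGINAL_INVITE = """INVITE sip:bob@biloxi.com SIP/2.0
To: Bob <sip:bob@biloxi.com>
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710@pc33.atlanta.com
CSeq: 314159 INVITE
Contact: <sip:alice@pc33.atlanta.com>
"""

HANDOVER_INVITE = """INVITE sip:bob@biloxi.com SIP/2.0
To: Bob <sip:bob@biloxi.com>;tag=5f7b910a
From: Alice <sip:alice@atlanta.com>;tag=1928301774
Call-ID: a84b4c76e66710@pc33.atlanta.com
Handover: a84b4c76e66710@pc33.atlanta.com; To-tag=5f7b910a; From-tag=1928301774
CSeq: 314160 INVITE
Contact: <sip:alice@10.0.2.33>
"""


def run_handover(handover_msg: str = HANDOVER_INVITE) -> tuple:
    """Confirm the original dialog, apply a Handover INVITE; return (status, contact)."""
    cn = CorrespondentNode()
    key = cn.confirm_dialog(parse_request(ORIGINAL_INVITE), local_tag="5f7b910a")
    status = cn.handle_handover_invite(parse_request(handover_msg))
    return status, cn.dialogs[key]
```

Matching Call-ID and tags is a necessary check, but it is not sufficient: those values travel in cleartext signalling and are visible to anyone on the path, which is why the slides go on to ask for authentication and integrity protection of the handover INVITE rather than relying on dialog identifiers alone.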

Page 12

The main security issue introduced by the Handover Extension is forged Handover INVITE messages

[Figure: access network with AP1 and home network with MN and CN]


Page 14

SIP already supports different types of security mechanisms:

SIPS, TLS and IPsec: hop-by-hop security between proxies

Authentication using Digest Access Authentication (DAA): requires re-sending messages

Authentication and integrity using S/MIME: hides vital headers, shows the headers needed by proxies
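The Digest Access Authentication round trip behind the second bullet, as an added Python example that is not part of the presentation: the first INVITE is refused with a 401 challenge and has to be re-sent with an Authorization header, which is the extra message exchange the slide refers to. The algorithm is the RFC 2617 one that RFC 3261 adopts; realm, user name, password and Request-URI are constructed sample values.

```python
"""Added example, not from the presentation: the DAA challenge/re-send
exchange SIP inherits from RFC 2617.  Credentials and realm are sample values."""
import hashlib
import secrets


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 'response' value with qop=auth, as a SIP user agent computes it."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Server/proxy side: hands out nonces and checks Authorization parameters."""

    def __init__(self, realm: str, users: dict):
        self.realm = realm
        self.users = users        # username -> password (a real store keeps HA1, not passwords)
        self.live_nonces = set()  # nonces we issued and have not yet accepted

    def challenge(self) -> dict:
        """Parameters of the WWW-Authenticate header sent in the 401 reply."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, auth: dict) -> bool:
        """True only for a correct response to a nonce we issued, accepted once."""
        if auth.get("nonce") not in self.live_nonces:
            return False  # unknown or already consumed nonce: replayed or never challenged
        password = self.users.get(auth.get("username"))
        if password is None:
            return False
        expected = digest_response(auth["username"], self.realm, password, method,
                                   auth["uri"], auth["nonce"], auth["nc"], auth["cnonce"])
        if not secrets.compare_digest(expected, auth["response"]):
            return False
        self.live_nonces.discard(auth["nonce"])  # single use in this example
        return True


def client_authorization(challenge: dict, username, password, method, uri) -> dict:
    """Build the Authorization parameters for the re-sent request."""
    cnonce, nc = secrets.token_hex(8), "00000001"
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(username, challenge["realm"], password,
                                        method, uri, challenge["nonce"], nc, cnonce)}


def invite_with_daa(server: DigestServer, username, password, uri="sip:bob@biloxi.com"):
    """Run the exchange; return the outcome of each request and the Authorization used."""
    steps = ["INVITE -> 401 Unauthorized"]  # first attempt carries no credentials
    auth = client_authorization(server.challenge(), username, password, "INVITE", uri)
    accepted = server.verify("INVITE", auth)
    steps.append("INVITE (with Authorization) -> " + ("200 OK" if accepted else "403 Forbidden"))
    return steps, auth
```

With qop=auth the digest binds only the credentials, the nonce, the method and the Request-URI; header fields such as To, From and Call-ID are not covered, which is why the closing slide credits only S/MIME with providing integrity as well as authentication.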

Page 15

In summary, we propose the SIP Handover Extension to support seamless handover in heterogeneous networks

We have looked at security issues particular to the extension

Among the current security solutions supported by SIP, S/MIME is currently the only method that provides integrity and authentication

Questions?

[Figure: handover topology with AP1, MN, CN and AP2]