SIP DNS SIP Authentication SIP Peering SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen...

SIP DNSSIP Authentication

SIP Peering

SIP WorkshopAPAN Tokyo Japan 22 January 2005

By Stephen Kinghammailto:[email protected]

sip:[email protected]

2

This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Copyright [email protected] 2006

©Stephen [email protected]

3

Outline and Objectives

• Demonstrations

• DNS• Authentication• Routing• ENUM• Security• QoS


4

SIP is PBX/Centrex readycall waiting/multiple calls RFC 3261

hold RFC 3264

transfer RFC 3515/Replaces

conference RFC 3261/callee caps

message waiting message summary package

call forward RFC 3261

call park RFC 3515/Replaces

call pickup Replaces

do not disturb RFC 3261

call blast RFC 3261

from Rohan Mahy’s VON Fall 2003 talkCourteous of Quincy.Wu

simultaneous ringing (forking) RFC 3261

basic shared lines dialog/reg. package

barge-in Join

“Take” Replaces

Shared-line “privacy” dialog package

divert to admin RFC 3261

intercom URI convention

auto attendant RFC 3261/2833

attendant console dialog package

night service RFC 3261

centr

ex-s

tyle

featu

res

boss/admin features

attendant features

5

SIP UA SIP UA

SIP Location Server

Call Control

Call Control andAudio and Video

SIP Proxy Server

DNS

Audio and VideoRTP UDP

Flinders University

SIP “PROXY” Server call flow

SIP UA SIP UA

SIP Location Server

Call Control


SIP Proxy Server

DNS

Flinders University

SIP UA SIP UA

SIP Location Server

Call Control


SIP Proxy Server

DNS

Flinders University

SIP UA SIP UA

SIP Location Server

Call Control


SIP Proxy Server

DNS

Flinders University

©Stephen [email protected]©Stephen [email protected]

6

SIP “REDIRECT” Server call flow

SIP UA SIP UA

SIP Location Server

Call Control


SIP Redirect Server

DNS

3. [email protected]

Flinders University



7

• DNS is integral to SIP routing.• DNS is used to find a priority list of SIP servers for a

domain using in SIP specific SRV records into the DNS.– Just like MX records in DNS for mail.

• So it turns out it is easy to have backup servers in SIP.

• Good description found on the MIT Internet2 sip.edu project cookbook: http://mit.edu/sip/sip.edu/dns.shtml

SIP and DNS


http://mit.edu/sip/sip.edu/dns.shtml

http://mit.edu/sip/sip.edu/dns.shtml

8

• Specific SRV records added to your DNS for SIP,eg

IN A 192.94.63.28

;If we place the SRV record above the next line it fails to load

$ORIGIN aarnet.edu.au.

_sip._udp SRV 0 1 5060 ser.yarralumla.aarnet.edu.au._sip._udp SRV 1 1 5060 ser.nsw.aarnet.edu.au.

ser.yarrulumla.aarnet..edu.au. IN A 192.94.63.28ser.nsw.aarnet..edu.au. IN A 138.44.16.90

SIP and DNS


9

• On a unix host use the dig command:dig -t SRV _sip._udp.aarnet.edu.au

• You should get a response that has this in it:

;; QUESTION SECTION:;_sip._udp.aarnet.edu.au. IN SRV

;; ANSWER SECTION:_sip._udp.aarnet.edu.au. 333 IN SRV 1 1 5060 ser.yarralumla.aarnet.edu.au.

SIP and DNS TEST


10

Outline and Objectives

• SIP Authentication– Who are you?

• SIP Authorisation– What are you allowed to do?

• SIP Presence and Instant Messaging(the SIMPLE protocol)– I am available!– Buddy lists.


11

• Both ends must know the same secret password (key).• The password is used to encrypt certain information such as the

user’s password.• Originated from HTTP (WWW) and often called HTTP digest, Digest

Authentication is described by RFC 2671.• RFC 3261 (SIP) describes how Digest Authentication is applied to

SIP.

Authentication in SIP


12

SIP REGISTER with Digest Authentication

REGISTER [email protected] (with out credentials)

UA Proxy Server

407 Proxy Authentication Required

REGISTER [email protected] (password encrypted with key)

200 OK

ask user for a password


mailto:[email protected]


13

SIP INVITE with Digest Authentication

INVITE [email protected] (with out credentials)

UA Proxy Server

407 Proxy Authentication Required

ACK

100 TRYING

UA

INVITE [email protected] (with encrypted password)

INVITE [email protected] (password removed)

ask user for a password


14

Protect Gateways from un-authorised use• Use a Proxy Server in front of your Gateways, turn on Record Route so ALL SIP

control is via Proxy.• Configure gateways so that they only respond to SIP from your SIP Proxy.

– Filter TCP and UDP traffic to port 5060 on the Gateway.– Also do the same for H.323, TCP traffic to port 1720 on the gateway.

PSTNGatewaySIP Proxy(record Route)

Process Authentication and Authorisation as required

SIP UA


15

Secure SIP• SIPS, a close cousin of SIP, is a good and low cost means of

encryption soon to be widely deployed. It specifies TLS (transport layer security) over TCP and is not subject to bid down attacks and is the same technology used for SSL. This means a SIPS call will fail rather than complete insecurely.

• Open SER now supports TLS.• Microsoft Messenger supports TLS


16

Two interesting drafts (related to SPAM and SPIT)• http://www.ietf.org/internet-drafts/draft-ietf-sip-identity-03.txt

Abstract The existing security mechanisms in the Session Initiation Protocol are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document recommends practices and conventions for identifying end users in SIP messages, and proposes a way to distribute cryptographically-secure authenticated identities.

• http://www.ietf.org/internet-drafts/draft-peterson-message-identity-00.txtThis document provides an overview of the concept of identity in Internet messaging systems as a means of preventing impersonation. It describes the architectural roles necessary to provide identity, and details some approaches to the generation of identity assertions and the transmission of such assertions within messages. The trade-offs of various design decisions are explained. ©Stephen [email protected]

http://www.ietf.org/internet-drafts/draft-ietf-sip-identity-03.txt

http://www.ietf.org/internet-drafts/draft-peterson-message-identity-00.txt

17 SIP UA

SIP Proxy Server

PABX

PSTNCarrier

Voice GATEWAY

Voice Mail

PSTNCarrier

Voice GATEWAY

Someone calls 02 6222 3575

SIP FORKING (native to SIP)Never need to forward phones to other phones again!!!!

This is a big mindset change for the user.


18

SIP Forking: IntroductionSIP natively does forking: Make several phones and UAsring all at the same time.

The SIP Server recieves an INVITE, and generates manyINVITEs to all the phones the user has defined.

In “SER” that is done by creating static entries in the “location” database with this command:

serctl ul add Stephen.Kingham sip:[email protected]

You may want to add entries to the aliase table to point telphone numbers to a user.

serctl alias add +61262223575 sip:[email protected]


19

Presence and Instant Messaging• SIP is not just Voice and Video,

It also has Presence and Instant Messaging.


20

Case Study from Edith Cowan University• SIP Enabled their core.• SIP integrated Voice, PABX, Room based Video, Desktop Video,

mobile SIP phones on campus, Instant Messaging and Presence.• Unexpected demand was the Presence and Instant

Messaging.

Source: APAN 2005 and Questnet 2005, Steve Johnson Manager IT Infrustructure EDU May 2005

21

Case Study from Edith Cowan University

Source: APAN 2005 and Questnet 2005, Steve Johnson Manager IT Infrastructure Edith Cowan Uni May 2005

NAT Device

NAT Device

ERICSSON PABX

Jasomi Device

DMZ

2X E1

External Virtual Firewall

Internal Virtual Firewall

SIP Phone Users

Soft Phone Users

Soft Phone Users

Service Provider NAT

Soft Phone Users

SIP Phone Users2 xE1

Digital & AnalogLegacy phone Users

ECU 802.11 Wireless Network

Windows Messenger

Users

Internet

ADSLHome User

H323 (or SIP) Video Endpoints

PSTN

Microsoft Live

Communications Server

Front End Server

Home Server Home Server

ASTERISK SERVER

SIP Proxy

SIP Proxy

`

Mirial H323 (or SIP) Video Endpoints

139.230.225.30

Radvision INVISION 108

MCU

Radvision H320 to H323Gateway

SIP Proxy

SIP Proxy

139.230.225.31

139.230.225.32

139.230.225.33 139.230.225.34

H323 Gatekeeper

RadvisioniVIEW

Network Manager

RadvisionECS / VCS

Server

ExternalLegacy phone

Users

ExternalH320 ISDN

Video Endpoint

Radjo1 Radjo2

22

The “SIMPLE” protocol for presence• SUBSCRIBE• NOTIFY

• SER Presence module, ref to Internet2 PIC Working Group.


23

SIP HistoryH.323 SIP

ITU-T protocol IETF protocol

May 1995 Became “proposed standard” in March 1999.

Study Group 16 Working Groups: SIP, SIPPING, and SIMPLE

Now V.5 Now RFC 3261

from Quincy Wu’s talk, http://www.apan.net Cairns 2004


http://www.apan.net/

24

H323-SIP Comparison of ComponentsH.323 SIP

End Station Terminal SIP UA

Network Server Gatekeeper Registrar, Redirect Server, Proxy Server

MCU Conference Server

PSTN Gateway PSTN Gateway



25

H323-SIP Comparison of ProtocolsH.323 SIP

Signaling RAS/Q.931 SIP

Capacity Negotiation H.245 SDP

Codecs Any Any

Real-time Communication

RTP/RTCP RTP/RTCP



26

H323-SIP Comparison of Protocols (cont.)H.323 SIP

Message Encoding Binary ASCII

Transport UDP and TCPMostly TCP

UDP and TCPMost UDP

Data Conference T.120

Instant Message RFC 3428

Inter-Domain Routing Annex G DNS



Other Security stuff

SIP WorkshopAARNet

By Stephen [email protected]

28

IP Phones: VLAN, POE, QoS• Put IP phones into a separate VLAN

• IP Phones need power. Either from a power pack, or from the Ethernet switch using POE (Power Over Ethernet).

• Put “power fail” phones in strategic locations, these phones are analogue phones connected to a ATA (Analogue Telephone Adaptor) which is powered with a PABX grade UPS.

• QoS: The LAN must police the use of QoS at the “edge” (as close as possible to the users). Only VLANs with IP Phone (VoIP) can have DSCP = 46 (ToS=5). All other traffic should be marked with DSCP=0.


29

Quality of Service

• Only relevant for IP Telephone and VoIP to replace existing Telephone Service such as PABX or some home situations.

• At the outgoing edge:– Classify the traffic (Voice, Data, Video, ..)– Mark the traffic (DSCP)– Shape (how much everyone should have)

• At the incoming edge– Policy incoming traffic from the outside (make sure it is within contract)

• Configure WAN routers to prioritise.


30

PBX withVoIP

Gateway

CORE NETWORKwith QoS queuing only

Policing of QoS

H.323Terminal

IngressRouter

IngressRouter

IngressRouter

IP Telephone

Policing of QoS

Policing of QoS

Policing of QoS

QoS Queueing

QoS Queueing

QoS Queueing

VoIPGateway

PublicTelephone

Carrier

WAN QoS: AARNet3 hands policy control back to University

31

VoIP Monitor used in AARNet– Distributed monitoring WITH– Feeds QoS availability into VoIP routing. If a user wants QoS and the monitoring

indicates that QoS is not working then the calls gets “congestion” message.

– See http://noc.aarnet.edu.au points to http://lattice.act.aarnet.net.au/VoIPMonitor/

TEST

TEST

TEST

TEST POP

POP

POP

Member

Member

Member

Member

http://noc.aarnet.edu.au/

http://lattice.act.aarnet.net.au/VoIPMonitor/

32

SIP & H.323 MCU

QoS Monitor,

AARNet SIP & H.323 network

QoS Monitor,QoS admission control

SIP UA (IP Telephone)

PABX

SIP ServerTranslate telephone numbers to IP

addresses Otheradvanced IP

network

ISDNCarrier

SIP & H323 VIDEO

GATEWAY

SIP b2bua

SIP & H323 Voice

GATEWAY

AARNetInternet with

QoS bandwidth SIP & H323 Voice

GATEWAY

PABX


33

Other relevant talks at APAN Tokyo 2006• Monday 23 Jan

– SIP User Agents Configuration and Fault FindingSpeaker: Quincy Wu

– SER Configuration and SIP Peering including ENUMSpeaker: Stephen Kingham

– From Taiwan SIP Mobility in IPV4/IPV6 NetworkSpeaker:

– Using Radius and LDAP with SER SIP Proxy for user Authentication Speaker: Nimal Ratnayake

• 9:30 Wednesday 25 Jan– Global SIP Dialling Plans (Ben Teitelbaum and Dennis Barron)

• 16:00 Wednesday 25 Jan– APAN SIP-H.323 Working Group BoF


SIP Routing and VoIP Peering

SIP WorkshopAPAN Tokyo Japan 22 January 2005

By Stephen Kinghammailto:[email protected]


35

Routing Telephone numbers!• WWW and email work by using the Domain Name Service

(DNS).– DNS turns human addresses into Internet addresses,– DNS on it’s own is very uninteresting or useful!

• The ENUM standard teaches DNS about Telephone numbers!– VoIP users can discover that they can make VoIP calls to a

number without routing it first to the PSTN!– Traditional Carriers around the world do not like ENUM.

Join the ACMA’s ENUM Trial, ref: enum.edu.au


36

• Uses a common dial-plan called the Global Dialling Scheme (GDS), based on E.164 with 00 in front. AARNet runs one of the four International Root Gatekeepers. Although in Australia we use the International dialplan. http://www.aarnet.edu.au/engineering/projects/voip/gds/

• 27 Country Gatekeepers.• More than 156 advance voice and video networks.• A community of Higher Education, some industry, K-12 and

Research Organisations.• Enabler for international and national collaboration.

• Plans to migrate to DNS (ENUM) Routing.

International H.323 routing Telephone numbers

http://www.aarnet.edu.au/engineering/projects/voip/gds/



37

H.323 routing (all static configuration)

H.323 GatekeeperAustralian Root

H.323 GatekeeperInternational Roots World Gatekeeper.

Multiple resilient gatekeepers distributed across the world

27 National Gatekeepers

Single or resilient cluster

H.323 GatekeeperUK Root

H.323 GatekeeperNth America Root

156+ Organisation Gatekeepers

Single or resilient cluster

Endpoints register to the organisation’s gatekeepers

H.323 GatekeeperACU

H.323 GatekeeperUSQ

38

SIPProxy

DNSSIP-PBXGateway

PBX

INVITE (sip:[email protected])

INVITE(sip:[email protected])

DNS SRV query sip.udp.bigu.edu

telephoneNumberwhere mail=”bob”,What is returned is 12345

PRI / CASbigu.edu

CampusDirectory

SIP User Agent

Bob's Phone

SIP.edu Architecture (Phase 1)

Dennis Baron, June 5, 2005np128

Links the sip address to a plain old telephoneCheap and easy to do

Hear from Dennis at APAN Tokyo 2006On Wednesday morning.

39

SIP.edu Reachable Users

Dennis Baron, June 5, 2005

40

SIP Addressing in the future will be the preferred address, in addition to Telephone numbers

“+61-2-6222 3575, come here. I need you!”

A. G. Bell did not say:

I will prefer to call people using sip:[email protected] the next year you will see this on the bottom of email footers and on business cards of Australian Universities.

© Ben Teitelbaum @ Internet2

Source Ben [email protected]

Hear from Ben at APAN Tokyo 2006On Wednesday morning.

41

SIP and E.164 routing• Remember H.323 is static routing for everything.• SIP can use the existing DNS to find people:

sip:[email protected], or variations of E.164 plus domain: sip:[email protected]

• Dial a number on a UA, eg 3575 = 3575@local domain.• SIP we still need to have static routing

just like H.323…….BUT WAIT…..• TRIP (rfc 3219) does for telephone numbers that BGP does for the

entire Internet. Dynamic routing.• and ENUM (rfc 2916) uses the DNS to find the full SIP address using

a telephone number. ACA might have ENUM Tier 1 into Australia soon http://www.aca.gov.au/telcomm/telephone_numbering/enum_nsg2/.

42

Peering SIP Networks• Easy to peer using sip addresses with domain name.

Everyone can call [email protected], or even [email protected]

• But routing E.164 (telephone) numbers is much harder.– ENUM– ISN/ITAD– TRIP



43

SIP peering using sip: address

SIP UA SIP UA

SIP Location Server

Call Control


SIP Redirect Server

DNS

3. [email protected]

Flinders University



44

ENUM (SIP and H.323 Routing)

02 6222 3575

VoIP network

DNS

ENU

Mlo

okup

02 6222 3575

VoIP network

Telephone network

02 6222 3575 02 6

222

3575

VoIP network

02 6222 3575

02 6222 3575

VoIP network

Telephone network

02 6222 3575 02 6

222

3575

VoIP network

02 6222 3575

VoIP network

VoIP network

02 6222 3575

DNS

ENU

M L

ooku

p

+612

6222

3575

02 6222 3575


45

• TRIP (rfc 3219 not passed) does for telephone numbers that BGP does for the entire Internet. Dynamic routing by advertisement!

• More research and experimentation needed here. – for example perhaps a simpler form of TRIP (STRIP?) by encapsulating in MIME and sending it using SIP? [Source: Discussions between Randy Bush, Andrew Rutherford and Stephen Kingham 3 Feb 2004].

• But look at ITAD and ISN from Internet2 Working Group. Hear from Ben and Dennis on Wednesday morning at APAN Tokyo 2006.

SIP and TRIP (Telephone Routing over IP)


46

VoIP routing using ENUMDNS-Server

“ENUM”

SIP-Server

SIP-Server

Gateway

Gateway

Adapted from: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM 8 Feb 2002 Geneva

Forked SIP call


47

ENUM in a nutshell• take phone number +46 86859131

• turn into domain name1.3.1.9.5.8.6.8.6.4.e164.arpa.

• return list of URI’s (NAPTR records) sip:[email protected]

• ask the DNS


Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM 8 Feb 2002 Geneva


48

2. Today, many addresses


tel:+61 2 6222 3535


tel:+61 2 6222 3575


49

2. With ENUM, only one

Hand out enum enabled number +61 2 6222 3575



tel:+61 2 6222 3535


tel:+61 2 6222 3575

ENUM returns all of these for the caller to choose from:

50

• TRIP (rfc 3219 not passed) does for telephone numbers that BGP does for the entire Internet. Dynamic routing by advertisement!

• More research and experimentation needed here. – perhaps a simpler form of TRIP (STRIP?) encapsulated in MIME? [Source: Discussions between Randy Bush, Andrew Rutherford and Stephen Kingham 3 Feb 2004].

• But look at ITAD and ISN from Internet2 Working Group. Hear from Ben and Dennis on Wednesday morning at APAN Tokyo 2006.

SIP and TRIP (Telephone Routing over IP)


SIP DNS SIP Authentication SIP Peering SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen...

Documents

Transcript of SIP DNS SIP Authentication SIP Peering SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen...