SIP DNS SIP Authentication SIP Peering

Presentation transcript:

SIP DNS SIP Authentication SIP Peering SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen Kingham mailto:Stephen.Kingham@aarnet.edu.au sip:Stephen.Kingham@aarnet.edu.au

Copyright Stephen.Kingham@aarnet.edu.au 2006 This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. ©Stephen Kingham@aarnet.edu.au

Outline and Objectives
Demonstrations
DNS
Authentication
Routing
ENUM
Security
QoS

SIP is PBX/Centrex ready
Basic features: call waiting/multiple calls (RFC 3261); hold (RFC 3264); transfer (RFC 3515/Replaces); conference (RFC 3261/callee caps); message waiting (message summary package); call forward, call park, call pickup (Replaces); do not disturb; call blast/simultaneous ringing (forking) (RFC 3261).
Boss/admin features: shared lines (dialog/reg. package); barge-in (Join); "Take" (Replaces); shared-line "privacy" (dialog package); divert to admin; intercom (URI convention).
Attendant features: auto attendant (RFC 3261/2833); attendant console; night service.
Centrex-style features.
Generally, these are the advanced functions in traditional PSTN networks which can only be supported by IN (intelligent network). However, with SIP, most of them become standard functions which are supported in RFC 3261 by almost every SIP VoIP system.
From Rohan Mahy's VON Fall 2003 talk. Courtesy of Quincy Wu.

SIP "PROXY" Server call flow

SIP "REDIRECT" Server call flow

SIP and DNS
DNS is integral to SIP routing. DNS is used to find a prioritised list of SIP servers for a domain via SIP-specific SRV records, just like MX records in DNS for mail. So it turns out it is easy to have backup servers in SIP. A good description is found in the MIT Internet2 sip.edu project cookbook: http://mit.edu/sip/sip.edu/dns.shtml

SIP and DNS
Specific SRV records added to your DNS for SIP, eg:
IN A 192.94.63.28
;If we place the SRV record above the next line it fails to load
$ORIGIN aarnet.edu.au.
_sip._udp SRV 0 1 5060 ser.yarralumla.aarnet.edu.au.
_sip._udp SRV 1 1 5060 ser.nsw.aarnet.edu.au.
ser.yarralumla.aarnet.edu.au. IN A 192.94.63.28
ser.nsw.aarnet.edu.au. IN A 138.44.16.90
(The SRV fields are priority, weight, port and target: the priority 0 server is tried first and the priority 1 server is the backup.)

SIP and DNS TEST
On a unix host use the dig command:
dig -t SRV _sip._udp.aarnet.edu.au
You should get a response that has this in it:
;; QUESTION SECTION:
;_sip._udp.aarnet.edu.au. IN SRV
;; ANSWER SECTION:
_sip._udp.aarnet.edu.au. 333 IN SRV 1 1 5060 ser.yarralumla.aarnet.edu.au.
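To show what a SIP client actually does with the SRV answer above, here is an added example (not from the slides) that implements the RFC 2782 selection rule over a constructed copy of the two aarnet.edu.au records: lowest priority first, weighted-random choice within a priority, and fail-over to the backup when the primary does not answer. The `reachable` callback is an assumption standing in for a real transport probe.

```python
"""SRV-based SIP server selection, as an added example (not from the slides).

Applies the RFC 2782 rule a SIP UA or proxy uses on the _sip._udp records
shown above: lowest priority first, weighted-random choice among records
that share a priority.  Records are constructed inline; no DNS is queried.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed copy of the slide's zone data (not fetched from DNS).
AARNET_SIP_SRV = [
    Srv(0, 1, 5060, "ser.yarralumla.aarnet.edu.au."),
    Srv(1, 1, 5060, "ser.nsw.aarnet.edu.au."),
]


def order_srv(records, rng=None):
    """Return the records in the order a client should try them.

    Lower priority values come first.  Within one priority a record is
    drawn with probability proportional to its weight (RFC 2782), so
    weight load-balances and priority fails over.
    """
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)   # 0..total inclusive, as in the RFC
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def select_server(records, reachable, rng=None):
    """Try targets in SRV order; return (target, port) of the first that answers.

    `reachable` is a hypothetical stand-in for a real transport probe so
    fail-over to the priority-1 backup can be exercised offline.
    """
    for r in order_srv(records, rng):
        if reachable(r.target):
            return r.target, r.port
    return None


def first_choice_counts(records, trials=200, seed=1):
    """How often each target is tried first over `trials` seeded runs."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = order_srv(records, rng)[0].target
        counts[first] = counts.get(first, 0) + 1
    return counts
```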

Outline and Objectives
SIP Authentication: Who are you?
SIP Authorisation: What are you allowed to do?
SIP Presence and Instant Messaging (the SIMPLE protocol): I am available! Buddy lists.

Authentication in SIP
Both ends must know the same secret password (key). The password is used as the key to protect certain information in the request, so proof of the user's password can be given without sending the password itself. Originated from HTTP (WWW) and often called HTTP digest, Digest Authentication is described by RFC 2617. RFC 3261 (SIP) describes how Digest Authentication is applied to SIP.

SIP REGISTER with Digest Authentication (UA and Proxy Server)
UA -> Proxy: REGISTER bruce@uni.edu.au (without credentials)
Proxy -> UA: 407 Proxy Authentication Required
UA asks the user for a password
UA -> Proxy: REGISTER bruce@uni.edu.au (password encrypted with key)
Proxy -> UA: 200 OK

SIP INVITE with Digest Authentication (calling UA, Proxy Server, called UA)
UA -> Proxy: INVITE fred@uni.edu.au (without credentials)
Proxy -> UA: 407 Proxy Authentication Required
UA -> Proxy: ACK
UA asks the user for a password
UA -> Proxy: INVITE fred@uni.edu.au (with encrypted password)
Proxy -> UA: 100 TRYING
Proxy -> called UA: INVITE fred@uni.edu.au (password removed)
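The two exchanges above can be worked through in code. This added example (not from the slides or from SER) computes the Digest credentials a UA puts in the retried REGISTER or INVITE and verifies them on the proxy by recomputation: the password never leaves the UA, the digest is bound to the method and request URI, and a nonce is accepted once. The realm, user, password and nonces are constructed for illustration.

```python
"""SIP Digest challenge/response, as an added example (not from the slides).

Models the REGISTER/INVITE exchanges above: a 407 carrying realm and nonce,
a UA answer computed from the shared password, and server-side verification
by recomputation.  Users, realm, password and nonces are constructed here.
"""
import hashlib
import secrets

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    cnonce=None, nc="00000001", qop="auth"):
    """RFC 2617 Digest as applied to SIP by RFC 3261.

    HA1 = MD5(username:realm:password), HA2 = MD5(method:uri),
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with qop=auth,
    or MD5(HA1:nonce:HA2) without qop.  Only the digest is sent.
    """
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

class ProxyAuth:
    """Server side: issue the 407 challenge, then verify the credentials."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users      # username -> password (constructed table)
        self.nonces = set()     # outstanding nonces; each accepted once

    def challenge(self):
        """Parameters carried in Proxy-Authenticate on the 407."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method, uri, auth):
        """Recompute the digest from the stored password and compare.

        Unknown users, unknown or replayed nonces, and a digest made for a
        different method, URI or password all fail.
        """
        nonce = auth.get("nonce")
        password = self.users.get(auth.get("username"))
        if nonce not in self.nonces or password is None:
            return False
        expected = digest_response(
            auth["username"], self.realm, password, method, uri, nonce,
            auth.get("cnonce"), auth.get("nc", "00000001"), auth.get("qop"))
        if not secrets.compare_digest(expected, auth.get("response", "")):
            return False
        self.nonces.discard(nonce)   # consumed: a replay of this request fails
        return True

def ua_credentials(chal, username, password, method, uri):
    """UA side: Proxy-Authorization parameters for the retried request."""
    cnonce = secrets.token_hex(8)
    auth = {"username": username, "realm": chal["realm"], "uri": uri,
            "nonce": chal["nonce"], "qop": chal["qop"], "nc": "00000001",
            "cnonce": cnonce}
    auth["response"] = digest_response(
        username, chal["realm"], password, method, uri, chal["nonce"],
        cnonce, auth["nc"], auth["qop"])
    return auth
```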

Protect Gateways from unauthorised use
Use a Proxy Server in front of your Gateways, and turn on Record Route so ALL SIP control is via the Proxy. Configure gateways so that they only respond to SIP from your SIP Proxy. Filter TCP and UDP traffic to port 5060 on the Gateway. Also do the same for H.323: TCP traffic to port 1720 on the gateway.

Secure SIP
SIPS, a close cousin of SIP, is a good and low-cost means of encryption, soon to be widely deployed. It specifies TLS (transport layer security) over TCP, is not subject to bid-down attacks, and is the same technology used for SSL. This means a SIPS call will fail rather than complete insecurely. OpenSER now supports TLS. Microsoft Messenger supports TLS.

Two interesting drafts (related to SPAM and SPIT)
http://www.ietf.org/internet-drafts/draft-ietf-sip-identity-03.txt
Abstract: The existing security mechanisms in the Session Initiation Protocol are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document recommends practices and conventions for identifying end users in SIP messages, and proposes a way to distribute cryptographically-secure authenticated identities.
http://www.ietf.org/internet-drafts/draft-peterson-message-identity-00.txt
Abstract: This document provides an overview of the concept of identity in Internet messaging systems as a means of preventing impersonation. It describes the architectural roles necessary to provide identity, and details some approaches to the generation of identity assertions and the transmission of such assertions within messages. The trade-offs of various design decisions are explained.

SIP FORKING (native to SIP)
Never need to forward phones to other phones again! This is a big mindset change for the user.

SIP Forking: Introduction
SIP natively does forking: make several phones and UAs ring all at the same time. The SIP Server receives an INVITE, and generates many INVITEs to all the phones the user has defined. In "SER" that is done by creating static entries in the "location" database with this command:
serctl ul add Stephen.Kingham sip:61419417471@gw1.aarnet.edu.au
You may want to add entries to the alias table to point telephone numbers to a user:
serctl alias add +61262223575 sip:Stephen.Kingham@aarnet.edu.au

Presence and Instant Messaging
SIP is not just Voice and Video. It also has Presence and Instant Messaging.

Case Study from Edith Cowan University
SIP enabled their core. SIP integrated Voice, PABX, room-based Video, desktop Video, mobile SIP phones on campus, Instant Messaging and Presence. The unexpected demand was for Presence and Instant Messaging. Source: APAN 2005 and Questnet 2005, Steve Johnson, Manager IT Infrastructure, ECU, May 2005

Case Study from Edith Cowan University Source: APAN 2005 and Questnet 2005, Steve Johnson Manager IT Infrastructure Edith Cowan Uni May 2005

The "SIMPLE" protocol for presence
SUBSCRIBE / NOTIFY
SER Presence module; refer to the Internet2 PIC Working Group.

SIP History
H.323: ITU-T protocol; May 1995; Study Group 16; now V.5.
SIP: IETF protocol; became "proposed standard" in March 1999; Working Groups: SIP, SIPPING, and SIMPLE; now RFC 3261.
From Quincy Wu's talk, http://www.apan.net Cairns 2004

H323-SIP Comparison of Components
End Station: Terminal (H.323) / SIP UA (SIP)
Network Server: Gatekeeper (H.323) / Registrar, Redirect Server, Proxy Server (SIP)
MCU: Conference Server
PSTN Gateway: both
From Quincy Wu's talk, http://www.apan.net Cairns 2004

H323-SIP Comparison of Protocols
Signaling: RAS/Q.931 (H.323) / SIP
Capacity Negotiation: H.245 (H.323) / SDP (SIP)
Codecs: any
Real-time Communication: RTP/RTCP (both)
From Quincy Wu's talk, http://www.apan.net Cairns 2004

H323-SIP Comparison of Protocols (cont.)
Message Encoding: Binary (H.323) / ASCII (SIP)
Transport: UDP and TCP for both; H.323 mostly TCP, SIP mostly UDP
Data Conference: T.120 (H.323)
Instant Message: RFC 3428 (SIP)
Inter-Domain Routing: Annex G (H.323) / DNS (SIP)
From Quincy Wu's talk, http://www.apan.net Cairns 2004

Other Security stuff
SIP Workshop AARNet, by Stephen Kingham, Stephen.Kingham@aarnet.edu.au

IP Phones: VLAN, POE, QoS
Put IP phones into a separate VLAN.
IP Phones need power: either from a power pack, or from the Ethernet switch using POE (Power Over Ethernet).
Put "power fail" phones in strategic locations. These are analogue phones connected to an ATA (Analogue Telephone Adaptor) which is powered by a PABX-grade UPS.
QoS: The LAN must police the use of QoS at the "edge" (as close as possible to the users). Only VLANs with IP Phones (VoIP) can have DSCP = 46 (ToS = 5). All other traffic should be marked with DSCP = 0.

Quality of Service
Only relevant for IP Telephony and VoIP that replaces an existing Telephone Service such as a PABX, or in some home situations.
At the outgoing edge: classify the traffic (Voice, Data, Video, ...); mark the traffic (DSCP); shape (how much everyone should have).
At the incoming edge: police incoming traffic from the outside (make sure it is within contract).
Configure WAN routers to prioritise.
A common thread for all successful VoIP and IP Telephony is the Voice expertise. The same can be said for the Video.

WAN QoS: AARNet3 hands policy control back to University

VoIP Monitor used in AARNet
Distributed monitoring that feeds QoS availability into VoIP routing. If a user wants QoS and the monitoring indicates that QoS is not working, then the call gets a "congestion" message. See http://noc.aarnet.edu.au which points to http://lattice.act.aarnet.net.au/VoIPMonitor/

AARNet SIP & H.323 network

Other relevant talks at APAN Tokyo 2006
Monday 23 Jan:
SIP User Agents Configuration and Fault Finding. Speaker: Quincy Wu
SER Configuration and SIP Peering including ENUM. Speaker: Stephen Kingham
From Taiwan: SIP Mobility in IPV4/IPV6 Network. Speaker:
Using Radius and LDAP with SER SIP Proxy for user Authentication. Speaker: Nimal Ratnayake
9:30 Wednesday 25 Jan: Global SIP Dialling Plans (Ben Teitelbaum and Dennis Baron)
16:00 Wednesday 25 Jan: APAN SIP-H.323 Working Group BoF

SIP Routing and VoIP Peering SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen Kingham mailto:Stephen.Kingham@aarnet.edu.au sip:Stephen.Kingham@aarnet.edu.au

Routing Telephone numbers!
WWW and email work by using the Domain Name Service (DNS). DNS turns human addresses into Internet addresses; DNS on its own is very uninteresting (or useful)! The ENUM standard teaches DNS about Telephone numbers! VoIP users can discover that they can make VoIP calls to a number without routing it first to the PSTN! Traditional Carriers around the world do not like ENUM. Join the ACMA's ENUM Trial, ref: enum.edu.au

International H.323 routing of Telephone numbers
Uses a common dial-plan called the Global Dialling Scheme (GDS), based on E.164 with 00 in front. AARNet runs one of the four International Root Gatekeepers, although in Australia we use the International dialplan. http://www.aarnet.edu.au/engineering/projects/voip/gds/
4 duplicated International Directory Gatekeepers.
27 Country Gatekeepers.
More than 156 advanced voice and video networks.
A community of Higher Education, some industry, K-12 and Research Organisations.
Enabler for international and national collaboration.
Plans to migrate to DNS (ENUM) Routing.

H.323 routing (all static configuration)

SIP.edu Architecture (Phase 1)
Links the sip address to a plain old telephone. Cheap and easy to do. Hear from Dennis at APAN Tokyo 2006 on Wednesday morning.
Call flow in the diagram: SIP User Agent sends INVITE (sip:bob@bigu.edu); DNS SRV query for _sip._udp.bigu.edu finds the bigu.edu SIP Proxy; the Proxy asks the Campus Directory for telephoneNumber where mail="bob", and what is returned is 12345; the Proxy sends INVITE (sip:12345@gw.bigu.edu) to the SIP-PBX Gateway, which connects via PRI / CAS to the PBX and Bob's Phone.
Dennis Baron, June 5, 2005, np128

SIP.edu Reachable Users Dennis Baron, June 5, 2005

SIP Addressing
In the future the sip: address will be the preferred address, in addition to Telephone numbers. Hear from Ben at APAN Tokyo 2006 on Wednesday morning.
A. G. Bell did not say: "+61-2-6222 3575, come here. I need you!" (© Ben Teitelbaum @ Internet2)
I will prefer to call people using sip:Stephen.Kingham@aarnet.edu.au. Within the next year you will see this on the bottom of email footers and on business cards of Australian Universities.
Source: Ben Teitelbaum@internet2.edu

SIP and E.164 routing
Remember H.323 is static routing for everything. SIP can use the existing DNS to find people: sip:stephen.kingham@aarnet.edu.au, or variations of E.164 plus domain: sip:3575@aarnet.edu.au. Dial a number on a UA, eg 3575 = 3575@local domain.
In SIP we still need to have static routing, just like H.323... BUT WAIT:
TRIP (rfc 3219) does for telephone numbers what BGP does for the entire Internet: dynamic routing.
ENUM (rfc 2916) uses the DNS to find the full SIP address using a telephone number. ACA might have ENUM Tier 1 into Australia soon: http://www.aca.gov.au/telcomm/telephone_numbering/enum_nsg2/.

Peering SIP Networks
Easy to peer using sip addresses with a domain name. Everyone can call Bruce@aarnet.edu.au, or even 3590@aarnet.edu.au. But routing E.164 (telephone) numbers is much harder:
ENUM
ISN/ITAD
TRIP

SIP peering using sip: address

ENUM (SIP and H.323 Routing)

SIP and TRIP (Telephone Routing over IP)
TRIP (rfc 3219, not passed) does for telephone numbers what BGP does for the entire Internet: dynamic routing by advertisement! More research and experimentation is needed here, for example perhaps a simpler form of TRIP (STRIP?) by encapsulating in MIME and sending it using SIP? [Source: Discussions between Randy Bush, Andrew Rutherford and Stephen Kingham, 3 Feb 2004]. But look at ITAD and ISN from the Internet2 Working Group. Hear from Ben and Dennis on Wednesday morning at APAN Tokyo 2006.

VoIP routing using ENUM
(Diagram: DNS-Server, SIP-Server "ENUM", SIP-Server, forked SIP call, Gateway, Gateway.)
Adapted from: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM, 8 Feb 2002, Geneva

ENUM in a nutshell
Take phone number +46 86859131.
Turn it into the domain name 1.3.1.9.5.8.6.8.6.4.e164.arpa.
Ask the DNS.
It returns a list of URIs (NAPTR records): mailto:paf@cisco.com, sip:paf@cisco.com
Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM, 8 Feb 2002, Geneva

Today, many addresses:
tel:+61 2 6222 3535
mailto:Stephen.Kingham@aarnet.edu.au
tel:+61 2 6222 3575
sip:Stephen.Kingham@aarnet.edu.au
Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM, 8 Feb 2002, Geneva

With ENUM, only one. ENUM returns all of these for the caller to choose from:
tel:+61 2 6222 3535
mailto:Stephen.Kingham@aarnet.edu.au
tel:+61 2 6222 3575
sip:Stephen.Kingham@aarnet.edu.au
Hand out the ENUM-enabled number +61 2 6222 3575.
Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM, 8 Feb 2002, Geneva
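The "ENUM in a nutshell" recipe above, worked through in code as an added example (not from the slides or from any ENUM implementation): the E.164 number is reversed into its e164.arpa name, and the NAPTR records for that name are sorted by order and preference and their regexp fields applied to the number to yield the URIs the caller can choose from. The NAPTR records are constructed inline to match the slide's result; nothing is queried from the DNS.

```python
"""ENUM lookup and NAPTR processing, as an added example (not from the slides).

Turns an E.164 number into its e164.arpa name (RFC 2916), then applies
constructed NAPTR records (order, preference, flags, service, regexp) to
obtain the URIs.  No DNS query is made; the records are built inline.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Naptr:
    order: int
    preference: int
    flags: str
    service: str
    regexp: str


def e164_to_enum(number: str, suffix: str = "e164.arpa.") -> str:
    """+46 86859131 -> 1.3.1.9.5.8.6.8.6.4.e164.arpa."""
    digits = re.sub(r"\D", "", number)
    if not number.strip().startswith("+") or not digits:
        raise ValueError("expected a full international E.164 number")
    return ".".join(reversed(digits)) + "." + suffix


def apply_regexp(regexp: str, subject: str) -> str:
    """Apply a NAPTR regexp field: delim ERE delim replacement delim [flags].

    The first character is the delimiter; \\1..\\9 in the replacement refer
    to groups of the ERE.  The "!^.*$!sip:...!" idiom on the slide matches
    the whole number and substitutes a fixed URI.
    """
    delim = regexp[0]
    parts = regexp[1:].split(delim)
    if len(parts) < 3:
        raise ValueError("malformed NAPTR regexp: " + regexp)
    ere, repl, flags = parts[0], parts[1], parts[2]
    pattern = re.compile(ere, re.IGNORECASE if "i" in flags else 0)
    m = pattern.search(subject)
    if not m:
        raise ValueError("NAPTR regexp did not match the number")
    return re.sub(r"\\([1-9])", lambda g: m.group(int(g.group(1))) or "", repl)


def enum_uris(number: str, records) -> list:
    """Return (service, uri) pairs in order/preference; terminal rules only."""
    e164 = "+" + re.sub(r"\D", "", number)
    chosen = []
    for r in sorted(records, key=lambda r: (r.order, r.preference)):
        if "u" not in r.flags.lower():        # "u" flag = terminal URI rule
            continue
        chosen.append((r.service, apply_regexp(r.regexp, e164)))
    return chosen


# Constructed records for 1.3.1.9.5.8.6.8.6.4.e164.arpa. (illustrative only).
PAF_NAPTR = [
    Naptr(100, 10, "u", "E2U+sip", "!^.*$!sip:paf@cisco.com!"),
    Naptr(102, 10, "u", "E2U+mailto", "!^.*$!mailto:paf@cisco.com!"),
]
```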
