1
SIP AAI a possibility for TF-EMC2 and TF-ECS cooperation
Jan Růžička CESNET Florence
2
SIP Signaling: not only for VoIP & VC
creates, modifies and terminates sessions
RFC 3261
textual (HTTP style)
easy to extend
No more simple SIP URI
3
Architecture
User Agent
Server: registrar, redirect, proxy, B2BUA
Proxy: stateless, stateful; B2BUA
Gateway (UA)
MCU (UA)
Outbound proxy
SIP enabled firewall with NAT functionality – not transparent
SBC (B2BUA)
4
Request
INVITE sip:mamut@iptel.org SIP/2.0
Max-Forwards: 10
Record-Route: <sip: ;ftag=5DAA94E7;lr=on>
Via: SIP/2.0/UDP ;branch=z9hG4bK0a5d.90580ee2.0
Via: SIP/2.0/UDP :5062;branch=z9hG4bK2E1FD348
CSeq: 262 INVITE
To:
Proxy-Authorization: Digest username="bbb", realm="ces.net", nonce="43788e d66364fced4dc e81", cnonce="abcdefghi", nc=00001, response="aaaaa"
Content-Type: application/sdp
From: "Franta Vomacka"
Call-ID:
Subject:
Content-Length: 234
User-Agent: kphone/4.2
Contact: "Franta Vomacka"
Remote-Party-ID: "Franta Vomacka" screen=yes

v=0
o=username 0 0 IN IP
s=The Funky Flow
c=IN IP
t=0 0
m=audio RTP/AVP 0 97
a=rtpmap:0 PCMU/8000
a=rtpmap:97 iLBC/8000
5
Locating SIP servers
domain part of the URI
ENUM: telephone number to URI transformation
e164.arpa IN NAPTR 1 1 "u" "E2U+sip" .
"service" NAPTR records
IN NAPTR "s" "SIPS+D2T" "" _sips._tcp.dom.cz.
IN NAPTR "s" "SIP+D2T" "" _sip._tcp.dom.cz.
IN NAPTR "s" "SIP+D2U" "" _sip._udp.dom.cz.
SRV records (_sip._udp, _sip._tcp, _sips._tcp)
_sip._tcp.cesnet.cz IN SRV ser1.dom.cz
_sip._tcp.cesnet.cz IN SRV ser2.dom.cz
A, AAAA records
DNSSEC?
6
Record routing: the way to stay in the signaling path
Outbound proxy is not enough (if it is not first in the path, requests from the other side bypass it)
Add Record-Route in the request; the response delivers the RR set
Subsequent requests of the call are routed according to the record-route set (Route header)
7
SIP „trapezoid“
Domain alfa: sip01.alfa; Domain beta: sip01.beta
Local policy, ENUM, SRV
Outbound proxy and RR
User A, User B
8
Authentication: HTTP Digest
User-to-user (401 Unauthorized, WWW-Authenticate, Authorization)
User-to-proxy (407 Proxy Authentication Required, Proxy-Authenticate, Proxy-Authorization)
Local HTTP digest
Obtain connectivity and establish a VPN to the home network (firewall issues)
TLS: a minimum of clients use client certificates; TLS + HTTP Digest
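As an added example (not from the presentation), the Digest computation behind the slide's Proxy-Authorization header in Python, together with the proxy-side check that recomputes the response and rejects a reused nonce count; the password, nonces and the credential store are constructed for the example.

```python
import hashlib
import secrets

# Constructed values loosely modelled on the slide's Proxy-Authorization
# example (username "bbb", realm "ces.net"); password and nonces are made up.
REALM = "ces.net"
PASSWORDS = {"bbb": "correct-horse"}  # proxy-side credential store (constructed)

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, method, uri, nonce,
                    cnonce=None, nc=None, qop=None):
    """RFC 2617 Digest response as SIP uses it (RFC 3261 section 22)."""
    ha1 = _md5(f"{user}:{realm}:{password}")      # HA1 = MD5(user:realm:password)
    ha2 = _md5(f"{method}:{uri}")                 # HA2 = MD5(method:request-URI)
    if qop == "auth":                             # cnonce and nc bind the reply
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")           # legacy form: replayable while the nonce lives

def build_creds(user, password, method, uri, nonce, nc, cnonce):
    """What the UA puts into Proxy-Authorization after a 407."""
    resp = digest_response(user, password, REALM, method, uri, nonce, cnonce, nc, "auth")
    return {"username": user, "realm": REALM, "method": method, "uri": uri,
            "nonce": nonce, "nc": nc, "cnonce": cnonce, "response": resp}

class ProxyVerifier:
    """Proxy side: issue nonces, recompute the response, reject replays."""
    def __init__(self):
        self.issued = {}  # nonce -> highest nc accepted so far

    def challenge(self):
        nonce = secrets.token_hex(16)   # sent in the 407 Proxy-Authenticate
        self.issued[nonce] = 0
        return nonce

    def verify(self, c):
        if c["nonce"] not in self.issued:
            return False, "unknown or expired nonce"
        nc = int(c["nc"], 16)
        if nc <= self.issued[c["nonce"]]:
            return False, "nonce count did not increase (replay)"
        expected = digest_response(c["username"], PASSWORDS.get(c["username"], ""),
                                   c["realm"], c["method"], c["uri"], c["nonce"],
                                   c["cnonce"], c["nc"], "auth")
        if not secrets.compare_digest(expected, c["response"]):
            return False, "response mismatch"
        self.issued[c["nonce"]] = nc
        return True, "ok"
```

The password never crosses the wire, but HA1 is an unsalted MD5 of user, realm and password, which is why the deck calls Digest weak and pairs it with TLS.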
9
Authentication II
Interdomain: opening of closed islands and interconnecting them, anti-SPIT
HTTP digest: weak and uncomfortable
TLS
Hop-by-hop identity assertions
Signed headers: SIP Identity, RFC 4474
SAML
10
Domain identity
INVITE SIP/2.0
Via: SIP/2.0/TLS pc33.atlanta.example.com;branch=z9hG4bKnashds8
To: Bob
From: Alice
Call-ID: a84b4c76e66710
CSeq: INVITE
Max-Forwards: 70
Date: Thu, 21 Feb :02:03 GMT
Contact:
Content-Type: application/sdp
Content-Length: 147

v=0
o=UserA IN IP4 pc33.atlanta.example.com
s=Session SDP
c=IN IP4 pc33.atlanta.example.com
t=0 0
m=audio RTP/AVP 0
a=rtpmap:0 PCMU/8000
11
Domain identity II
Interesting headers
Identity signature string:
INVITE|Thu, 21 Feb :02:03 o=UserA IN IP4 pc33.atlanta.example.com s=Session SDP c=IN IP4 pc33.atlanta.example.com t=0 0 m=audio RTP/AVP 0 a=rtpmap:0 PCMU/8000
Identity signature:
Identity: "kjOP4YVZXmF0X3/4RUfAG6ffwbVQepNGRBz58b3dJq3prEV4h5Gn S4F6udDRCI4/rSK9cl+TFv45nu0Qu2d/0WPPOvvc3JWwuUmHrCwG wC+tW7fOWnC07QKgQn40uwg57WaXixQev5N0JfoLXnO3UDoum 89JRhXPAIp2vffJbD4="
Identity-Info: <
12
SIP „trapezoid“ II
Transport depends on client capabilities: UDP, TCP, TLS
Domain alfa: sip01.alfa; Domain beta: sip01.beta
TLS (?) + HTTP Digest
TLS ?, domain identity
domain identity
Local policy, ENUM, SRV
Outbound proxy and RR
User A, User B
13
Service – Server relationship
Additional information in the certificate
Authoritative server for a service within the domain
Outbound and inbound servers could be different
14
Discussion Thank you