
© 2006 Solegy LLC Internal Use Only Getting Connected with SIP Encryption _______________________________ By Eric Hernaez Solegy LLC May 16, 2007.



Presentation transcript:

1 Getting Connected with SIP Encryption. Eric Hernaez, Solegy LLC, May 16, 2007

2 This Session Will Cover:
- Why VoIP calls are being blocked
- How VoIP calls are being blocked
- Technical approaches to avoid SIP blocking
- What you can do to leverage development efforts

3 This Session Is Not About:
- Authentication (identity verification)
- Privacy/confidentiality
- Intrusion protection
- Denial of service attacks
- SPIT (spam over Internet telephony)

4 What Is VoIP Blocking?
- Denial of service
- Degradation of service
- Encouraging an aura of inconsistency
- Projecting an image of poor quality

5 Why Are VoIP Calls Being Blocked?
- Net neutrality
- Avoiding competition
- Differentiating the carrier's own services
- Protecting legacy services
- Security
- Controlling communications
- Protection from the unknown

6 From the Cingular Data Subscriber Agreement:

"Data Service sessions may only be conducted for the following purposes: (i) Internet browsing; (ii) e-mail; and (iii) corporate intranet access (including access to corporate e-mail, customer relationship management, sales force automation, and field service automation applications). The Services cannot be used with server devices or host computer applications. Prohibited uses include, but are not limited to, telemetry applications, automated data feeds, continuous jpeg file transfers, Web camera posts or broadcasts, other machine-to-machine applications, and voice over IP."

7 How Are VoIP Calls Being Blocked?
- IP address blocking
- DNS blocking
- Port blocking
  - Default SIP port 5060
  - RTP buffers
- Packet inspection (commercial solutions available)
  - SIP-aware ALG
  - SIP message transfiguration
  - Registration hijacking
  - Exploiting the Via header

8 Reminder: Basic Topology
[Figure: Alice, Atlanta proxy, Biloxi proxy, Bob. INVITE and OK travel through the proxies; RTP flows between the endpoints.]
- SIP and RTP follow different paths
  - SIP: signaling path
  - RTP: media path
- The media path is often faster (fewer hops)

9 SIP Is Easy To Detect
- SIP/SDP headers are ASCII text

10 Using Encryption to Avoid SIP Blocking
Considerations:
- Divergent objectives
- Security by obscurity?
- Ease of implementation
- Ease of use
Who's in the ecosystem?
- ATA/device vendors
- Proxy vendors
- Service providers

11 Common Approaches to Encryption:
Transport layer:
- IPsec
- TLS or DTLS for SIP/SDP
- SRTP for media
- ZRTP (Zfone) for media
Application layer:
- S/MIME (treat SIP like email)

12 IPsec
Pro:
- Easy to implement
- Supported by many ATA/router combos
- Widely known and understood
- Protects all communication (not just SIP)
Con:
- Point-to-point solution; does not support mobility
- Usually requires new CPE
- Requires a tunnel to the proxy
- Always requires a media proxy

13 TLS/DTLS
Pro:
- Standard: TLS is RFC 2246 (TLS 1.0; the sips: scheme and SIP over TLS are defined in RFC 3261), DTLS for SIP is draft-jennings-sip-dtls-03
- TLS runs over TCP, so on a web port it looks like web traffic (on the default SIP-TLS port 5061 it is still identifiable by port)
- Addresses privacy and authentication issues
- Gaining support from solution providers
- Easy to use
Con:
- Does not protect media; RTP encryption is optional and separate
- Requires PKI and server certificates
- Difficult to implement

14 SRTP
Pro:
- Standard: RFC 3711
- Gaining adoption among solution providers
- Does not require a media proxy
Con:
- Requires a key-management layer: PKI, MIKEY or DTLS (or SDP Security Descriptions, which carry the keys inside the SDP and therefore protect the media only if the SIP leg is itself encrypted)
- Networks can block access to the PKI
- Requires a handshake; can increase call setup time
- Does not address SIP/SDP encryption

15 ZRTP
Pro:
- SRTP without PKI (keys are agreed in the media path with a Diffie-Hellman exchange)
- Easy-to-use SDK
- Zimmermann pedigree
- Addresses privacy and authentication issues
- Does not require a media proxy
Con:
- Does not address SIP/SDP encryption
- Not widely supported

16 Design Choices
- Handshake in the signaling channel
  - MIKEY, Security Descriptions
  - Already written up and implemented
  - Problems with forking and media-before-SDP-answer
- Handshake in the media channel
  - ZRTP, EKT, RTP/DTLS
  - Internet Drafts only
  - Work well with forking and media-before-SDP-answer
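As an added example, not taken from the Solegy deck, the following Python shows the "handshake in the signaling channel" choice concretely: it builds and parses SDP Security Descriptions (RFC 4568, the a=crypto attribute) for AES_CM_128_HMAC_SHA1_80, performs the offer/answer match from the offerer's side, and shows what an on-path box learns when the SIP message carrying that SDP is not itself encrypted. The SDP bodies, addresses, call identifiers and key bytes are all constructed for the example.

```python
import base64
import os
import re

# a=crypto:<tag> <crypto-suite> inline:<base64(master key || master salt)>[|lifetime|MKI:len]
CRYPTO_LINE = re.compile(
    r"^a=crypto:(?P<tag>\d+) (?P<suite>[A-Za-z0-9_]+) "
    r"inline:(?P<key>[A-Za-z0-9+/]+=*)(?P<rest>\S*)$"
)
# Both AES_CM_128 suites carry a 128-bit master key plus a 112-bit master salt (30 bytes).
SUITE_KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
MASTER_KEY_LEN = 16


def make_crypto_line(tag, suite="AES_CM_128_HMAC_SHA1_80", key_salt=None):
    """The a=crypto attribute a party puts in its OWN SDP: the key it will send with."""
    expected = SUITE_KEY_SALT_LEN[suite]
    if key_salt is None:
        key_salt = os.urandom(expected)  # a real endpoint draws fresh material per call
    if len(key_salt) != expected:
        raise ValueError(f"{suite} needs {expected} bytes of key||salt")
    return f"a=crypto:{tag} {suite} inline:{base64.b64encode(key_salt).decode()}"


def parse_crypto_line(line):
    m = CRYPTO_LINE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto attribute")
    suite = m.group("suite")
    if suite not in SUITE_KEY_SALT_LEN:
        raise ValueError(f"unsupported crypto-suite {suite}")
    key_salt = base64.b64decode(m.group("key"))
    if len(key_salt) != SUITE_KEY_SALT_LEN[suite]:
        raise ValueError("key||salt length does not match the suite")
    return {"tag": int(m.group("tag")), "suite": suite,
            "master_key": key_salt[:MASTER_KEY_LEN], "master_salt": key_salt[MASTER_KEY_LEN:]}


def crypto_attributes(text):
    return [parse_crypto_line(l) for l in text.split("\r\n") if l.startswith("a=crypto:")]


def negotiate(offer_sdp, answer_sdp):
    """Offerer's view: the answer must echo exactly one tag/suite from the offer.
    Every forked branch sees the same offered key, and SRTP that arrives before the
    answer cannot be decrypted because recv_key is unknown until then: this is the
    forking / media-before-SDP-answer problem of signaling-channel keying."""
    offered, answered = crypto_attributes(offer_sdp), crypto_attributes(answer_sdp)
    if len(answered) != 1:
        raise ValueError("answer must select exactly one crypto attribute")
    chosen = answered[0]
    ours = [o for o in offered if o["tag"] == chosen["tag"] and o["suite"] == chosen["suite"]]
    if not ours:
        raise ValueError("answer does not match any offered crypto attribute")
    return {"suite": chosen["suite"],
            "send_key": ours[0]["master_key"], "send_salt": ours[0]["master_salt"],
            "recv_key": chosen["master_key"], "recv_salt": chosen["master_salt"]}


def keys_visible_on_the_wire(sip_message):
    """What a middlebox extracts if the SIP/SDP carrying SDES is not protected by TLS."""
    return [a["master_key"] for a in crypto_attributes(sip_message)]


def sdp(user, ip, port, crypto_line):  # constructed SDP body; RTP/SAVP selects SRTP
    return ("v=0\r\n" f"o={user} 2890844526 2890844526 IN IP4 {ip}\r\n" "s=-\r\n"
            f"c=IN IP4 {ip}\r\n" "t=0 0\r\n" f"m=audio {port} RTP/SAVP 0\r\n"
            "a=rtpmap:0 PCMU/8000\r\n" f"{crypto_line}\r\n")


ALICE_KEY_SALT = bytes(range(1, 31))      # fixed so the example is deterministic
BOB_KEY_SALT = bytes(range(101, 131))
OFFER = sdp("alice", "192.0.2.10", 49170, make_crypto_line(1, key_salt=ALICE_KEY_SALT))
ANSWER = sdp("bob", "198.51.100.20", 51004, make_crypto_line(1, key_salt=BOB_KEY_SALT))
CLEARTEXT_INVITE = ("INVITE sip:bob@biloxi.example.invalid SIP/2.0\r\n"
                    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
                    "Content-Type: application/sdp\r\n"
                    f"Content-Length: {len(OFFER)}\r\n\r\n" + OFFER)

if __name__ == "__main__":
    keys = negotiate(OFFER, ANSWER)
    print("offerer sends with", keys["send_key"].hex(), "receives with", keys["recv_key"].hex())
    print("leaked by cleartext SIP:", [k.hex() for k in keys_visible_on_the_wire(CLEARTEXT_INVITE)])
```

The last line is the point of the slide's "does not address SIP/SDP encryption" entry for SRTP: with Security Descriptions the master key travels inside the SDP, so the media is only as private as the signaling leg that carries it.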

17 Uncommon Approaches to Encryption: Security by Obscurity
- Why Skype thrived
- Changing the VoIP signature
- Simple ciphers
  - Applied to SIP/SDP only
  - Applied to media

18 Simple Ciphers
Pro:
- Easy to implement
- Easy to use
- Can apply to signaling and media
Con:
- Requires support throughout the ecosystem
- Not difficult to detect
- Does not address privacy or authentication
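The following Python is an added example, not code from the deck, that puts numbers behind slides 9, 17 and 18: a constructed INVITE, a signature check of the kind a SIP-aware inspection box applies to a UDP payload, a repeating-key XOR "simple cipher" that changes the signature, and a known-plaintext recovery of that key from the predictable SIP start line. The message, addresses, Call-ID and the five-byte key are made up for the example; the detector and the recovery are generic, not a specific vendor's logic.

```python
import re
from itertools import cycle

# Constructed RFC 3261-style INVITE; every name and address is made up.
INVITE = (
    b"INVITE sip:bob@biloxi.example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    b"Max-Forwards: 70\r\n"
    b"From: Alice <sip:alice@atlanta.example.invalid>;tag=1928301774\r\n"
    b"To: Bob <sip:bob@biloxi.example.invalid>\r\n"
    b"Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    b"CSeq: 314159 INVITE\r\n"
    b"Content-Length: 0\r\n\r\n"
)

SIP_METHODS = b"INVITE|REGISTER|ACK|BYE|CANCEL|OPTIONS"
START_LINE = re.compile(rb"^(?:(?:" + SIP_METHODS + rb") sips?:|SIP/2\.0 \d{3} )")
VIA_HEADER = re.compile(rb"\r\n(?:Via|v):\s*SIP/2\.0/(?:UDP|TCP|TLS|SCTP)\b", re.I)


def looks_like_sip(payload):
    """Signature match: SIP request line or status line, plus a Via header.
    This is why ASCII SIP/SDP is easy to detect regardless of port."""
    return bool(START_LINE.match(payload)) and bool(VIA_HEADER.search(payload))


def xor_cipher(data, key):
    """Repeating-key XOR, the kind of 'simple cipher' that changes the VoIP signature."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# SIP messages begin with one of a handful of predictable strings (known plaintext).
KNOWN_PREFIXES = (b"INVITE sip:", b"REGISTER sip:", b"OPTIONS sip:", b"ACK sip:",
                  b"BYE sip:", b"SIP/2.0 200 OK", b"SIP/2.0 100 Trying")


def recover_simple_cipher(ciphertext, max_key_len=16):
    """Known-plaintext recovery of a repeating XOR key from the start line.
    Assumes the key is no longer than the matching known prefix; longer keys need
    more known plaintext (e.g. the Via header), which the deck's point does not change:
    the ciphertext gives no confidentiality, it only hides the signature from a
    naive matcher.  Returns (key, plaintext) or None."""
    for prefix in KNOWN_PREFIXES:
        for key_len in range(1, min(max_key_len, len(prefix)) + 1):
            candidate = bytes(c ^ p for c, p in zip(ciphertext[:key_len], prefix))
            plain = xor_cipher(ciphertext, candidate)
            if plain.startswith(prefix) and looks_like_sip(plain):
                return candidate, plain
    return None


if __name__ == "__main__":
    key = b"\x5a\xa3\x17\x0c\xee"          # constructed key
    hidden = xor_cipher(INVITE, key)
    print("signature matches cleartext:", looks_like_sip(INVITE))
    print("signature matches 'ciphered':", looks_like_sip(hidden))
    recovered, plain = recover_simple_cipher(hidden)
    print("recovered key:", recovered.hex(), "plaintext intact:", plain == INVITE)
```

Even without recovering the key, the obfuscated packets still go to the same proxy address, on a fixed port, at a SIP-like cadence, which is what "not difficult to detect" means in practice; the deck's advice to control DNS and the proxy and to avoid standard ports is about those remaining signals.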

19 Lessons from the Field:
- Control all you can: DNS, proxy
- Always use non-standard ports
- DNS SRV for IP address flexibility
- Simple ciphers work best if you can get support from the ecosystem
- Engineer flexibility into the solution
- Plan to proxy media
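An added example, not from the deck, of how "DNS SRV for IP address flexibility" and "always use non-standard ports" fit together: the zone data below is constructed, and the client-side selection implements the RFC 2782 priority/weight ordering so that an unmodified client finds whichever host and port the operator currently advertises. A real SIP client follows RFC 3263 (NAPTR first, then SRV, with _sips._tcp for TLS); this example assumes the SRV step only and takes the random source as a parameter so the ordering can be checked.

```python
import random

# Constructed zone data: the service sits on non-standard ports and can move between
# hosts by changing these records, with no change to any client configuration.
ZONE = """
_sip._udp.example.invalid.  300 IN SRV 10 60 15060 sipa.example.invalid.
_sip._udp.example.invalid.  300 IN SRV 10 40 15061 sipb.example.invalid.
_sip._udp.example.invalid.  300 IN SRV 20  0  5060 fallback.example.invalid.
"""


def parse_srv_zone(text):
    """Parse zone-file style SRV lines: name ttl IN SRV priority weight port target."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2] != "IN" or fields[3] != "SRV":
            continue
        records.append({"name": fields[0].rstrip("."), "priority": int(fields[4]),
                        "weight": int(fields[5]), "port": int(fields[6]),
                        "target": fields[7].rstrip(".")})
    return records


def order_srv(records, rng=random.randint):
    """RFC 2782 target selection: lowest priority first; within one priority,
    weighted random order.  rng(lo, hi) must return an integer in [lo, hi]."""
    ordered = []
    for prio in sorted({r["priority"] for r in records}):
        pool = [r for r in records if r["priority"] == prio]
        # Zero-weight records go to the front so they are picked only when the
        # random draw is 0 (the RFC's "very small chance of being selected").
        pool.sort(key=lambda r: r["weight"] != 0)
        while pool:
            total = sum(r["weight"] for r in pool)
            pick = rng(0, total)
            running = 0
            for i, r in enumerate(pool):
                running += r["weight"]
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


def contact_list(zone_text, rng=random.randint):
    """(target, port) pairs in the order a client should try them."""
    return [(r["target"], r["port"]) for r in order_srv(parse_srv_zone(zone_text), rng)]


if __name__ == "__main__":
    for host, port in contact_list(ZONE):
        print(f"try {host}:{port}")
```

Note that the fallback record on 5060 is the only one a port-based block would catch; the weighted records steer nearly all clients to 15060/15061, and retargeting them is a DNS change rather than a client update.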

20 Questions?
