1
SIP DNS SIP Authentication SIP Peering
SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen Kingham
2
Copyright Stephen.Kingham@aarnet.edu.au 2006
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author. ©Stephen
3
Outline and Objectives
Demonstrations, DNS, Authentication, Routing, ENUM, Security, QoS
4
SIP is PBX/Centrex ready
Feature groups on the slide: boss/admin features, attendant features, centrex-style features.
Feature (SIP mechanism that provides it): call waiting/multiple calls (RFC 3261); hold (RFC 3264); transfer (RFC 3515/Replaces); conference (RFC 3261/callee caps); message waiting (message summary package); call forward; call park; call pickup (Replaces); do not disturb; call blast/simultaneous ringing (forking) (RFC 3261); basic shared lines (dialog/reg. package); barge-in (Join); "Take" (Replaces); shared-line "privacy" (dialog package); divert to admin; intercom (URI convention); auto attendant (RFC 3261/2833); attendant console; night service.
Generally, these are the advanced functions in traditional PSTN networks which can only be supported by IN (intelligent network). With SIP, however, most of them become standard functions, supported per RFC 3261 by almost every SIP VoIP system.
From Rohan Mahy's VON Fall 2003 talk. Courtesy of Quincy.Wu
5
SIP “PROXY” Server call flow
6
SIP “REDIRECT” Server call flow
7
SIP and DNS DNS is integral to SIP routing.
DNS is used to find a priority list of SIP servers for a domain, using SIP-specific SRV records added to the DNS, just like MX records are used for mail. So it turns out it is easy to have backup servers in SIP. A good description is in the MIT Internet2 sip.edu project cookbook.
8
SIP and DNS: specific SRV records are added to your DNS for SIP, e.g.

IN A ; if we place the SRV record above the next line it fails to load
$ORIGIN aarnet.edu.au.
_sip._udp SRV ser.yarralumla.aarnet.edu.au.
_sip._udp SRV ser.nsw.aarnet.edu.au.
ser.yarralumla.aarnet.edu.au. IN A
ser.nsw.aarnet.edu.au. IN A
9
SIP and DNS test: on a Unix host use the dig command:

dig -t SRV _sip._udp.aarnet.edu.au

You should get a response that has this in it:

;; QUESTION SECTION:
;_sip._udp.aarnet.edu.au. IN SRV
;; ANSWER SECTION:
_sip._udp.aarnet.edu.au. 333 IN SRV ser.yarralumla.aarnet.edu.au.
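What a SIP client does with an SRV answer like the one above, as an added example that is not from the slides: it tries the lowest priority first and, among equal priorities, picks by weight (RFC 2782), so the higher-priority-number record is only a backup. The answer section, hostnames, priority, weight and port values below are constructed sample data, not the aarnet.edu.au zone.

```python
# Added example (not from the slides): RFC 2782 SRV selection for _sip._udp.
# All records below are constructed; hostnames/priorities/weights are assumptions.
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed dig-style answer section: two equal-priority primaries and a backup.
SAMPLE_ANSWER = """
;; ANSWER SECTION:
_sip._udp.example.edu. 333 IN SRV 10 60 5060 sip1.example.edu.
_sip._udp.example.edu. 333 IN SRV 10 40 5060 sip2.example.edu.
_sip._udp.example.edu. 333 IN SRV 20 0 5060 backup.example.edu.
"""


def parse_srv_answer(text):
    """Parse 'owner ttl class SRV priority weight port target' lines; skip comments."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0].startswith(";") or fields[3] != "SRV":
            continue
        records.append(SRV(int(fields[4]), int(fields[5]), int(fields[6]),
                           fields[7].rstrip(".")))
    return records


def order_targets(records, rng):
    """RFC 2782 selection: ascending priority, weighted random within a priority."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 entries go first so they are picked only when the draw is 0
        group = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)          # inclusive; total may be 0
            running = 0
            chosen = group[0]
            for r in group:
                running += r.weight
                if running >= pick:
                    chosen = r
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def failover_order(answer_text=SAMPLE_ANSWER, seed=0):
    """host:port list in the order a client should contact them; seed makes it repeatable."""
    recs = parse_srv_answer(answer_text)
    return [f"{r.target}:{r.port}" for r in order_targets(recs, random.Random(seed))]


if __name__ == "__main__":
    for seed in range(3):
        print(seed, failover_order(seed=seed))
```

Whatever the seed, backup.example.edu always comes last: that is the "easy backup servers" property the slide describes, and it is why a misconfigured priority (or a missing SRV record) quietly changes which server handles a domain's calls.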
10
Outline and Objectives
SIP Authentication: who are you? SIP Authorisation: what are you allowed to do? SIP Presence and Instant Messaging (the SIMPLE protocol): I am available! Buddy lists.
11
Authentication in SIP: both ends must know the same secret password (key). The password is used to encrypt certain information such as the user's password. It originated from HTTP (WWW) and is often called HTTP digest; Digest Authentication is described by RFC 2671. RFC 3261 (SIP) describes how Digest Authentication is applied to SIP.
12
SIP REGISTER with Digest Authentication
UA -> Proxy Server: REGISTER (without credentials)
Proxy Server -> UA: 407 Proxy Authentication Required
UA asks the user for a password
UA -> Proxy Server: REGISTER (password encrypted with key)
Proxy Server -> UA: 200 OK
13
SIP INVITE with Digest Authentication
UA -> Proxy Server: INVITE (without credentials)
Proxy Server -> UA: 407 Proxy Authentication Required
UA -> Proxy Server: ACK
UA asks the user for a password
UA -> Proxy Server: INVITE (with encrypted password)
Proxy Server -> UA: 100 TRYING
Proxy Server -> called UA: INVITE (password removed)
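The challenge/response of the two call flows above, computed end to end as an added example (not the slides' code, not SER): RFC 2617 Digest as RFC 3261 applies it, MD5 with no qop. The UA sends MD5(HA1:nonce:HA2), so the clear-text password never crosses the wire, and the proxy stores only HA1 per user. The realm example.edu, user alice, password, URI and nonces are constructed, and the proxy is an in-memory stand-in that also shows why the nonce must be single-use.

```python
# Added example (not the slides' code): SIP Digest challenge/response end to end.
# Realm, user, password, URI and nonces are constructed; ProxyAuth is a stand-in.
import hashlib
import secrets

REALM = "example.edu"                 # constructed
USER, PASSWORD = "alice", "s3cret"    # constructed


def md5hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """response = MD5(HA1:nonce:HA2); the clear-text password never leaves the UA."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce):
    """Proxy-Authorization header value the UA sends on its second attempt."""
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def parse_authorization(value):
    """Split 'Digest k="v", k="v"' into a dict (values here contain no commas)."""
    if not value.startswith("Digest "):
        return {}
    params = {}
    for part in value[len("Digest "):].split(","):
        key, _, val = part.strip().partition("=")
        params[key] = val.strip('"')
    return params


class ProxyAuth:
    """Server side: stores HA1 per user (never the password) and one-shot nonces."""

    def __init__(self, realm, ha1_by_user):
        self.realm = realm
        self.ha1_by_user = ha1_by_user
        self.live_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(8)       # fresh, unpredictable nonce per 407
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, method, header_value):
        p = parse_authorization(header_value)
        nonce = p.get("nonce")
        if p.get("realm") != self.realm or nonce not in self.live_nonces:
            return False                   # unknown or already-used nonce: replay refused
        self.live_nonces.discard(nonce)    # spend the nonce whatever the outcome
        ha1 = self.ha1_by_user.get(p.get("username"))
        if ha1 is None:
            return False
        ha2 = md5hex(f"{method}:{p.get('uri', '')}")
        expected = md5hex(f"{ha1}:{nonce}:{ha2}")
        return secrets.compare_digest(expected, p.get("response", ""))


def register_flow(password_typed_by_user):
    """Replay the REGISTER flow: statuses for the bare request, the credentialed one, and a replay."""
    proxy = ProxyAuth(REALM, {USER: md5hex(f"{USER}:{REALM}:{PASSWORD}")})
    uri = f"sip:{REALM}"

    def handle(header_value):
        return 200 if header_value and proxy.verify("REGISTER", header_value) else 407

    statuses = [handle(None)]                     # 407 Proxy Authentication Required
    nonce = proxy.challenge()                     # carried in the 407's challenge
    header = build_authorization(USER, REALM, password_typed_by_user, "REGISTER", uri, nonce)
    statuses.append(handle(header))               # 200 OK only if the password matched
    statuses.append(handle(header))               # same header again: nonce already spent
    return statuses


if __name__ == "__main__":
    print(register_flow(PASSWORD), register_flow("wrong"))
```

register_flow(PASSWORD) gives [407, 200, 407] and a wrong password gives [407, 407, 407]. Two points for operators follow from the arithmetic: the proxy's user table holds HA1 rather than passwords, so a leaked table still lets an attacker forge responses for that realm, and a captured request can be replayed unless each nonce is accepted once and aged out.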
14
Protect Gateways from un-authorised use
Use a Proxy Server in front of your Gateways and turn on Record-Route so that ALL SIP control goes via the Proxy. Configure gateways so that they only respond to SIP from your SIP Proxy. Filter TCP and UDP traffic to port 5060 on the Gateway. Do the same for H.323: TCP traffic to port 1720 on the gateway.
15
Secure SIP: SIPS, a close cousin of SIP, is a good and low-cost means of encryption soon to be widely deployed. It specifies TLS (transport layer security) over TCP, is not subject to bid-down attacks, and is the same technology used for SSL. This means a SIPS call will fail rather than complete insecurely. OpenSER now supports TLS. Microsoft Messenger supports TLS.
16
Two interesting drafts (related to SPAM and SPIT)
First abstract: The existing security mechanisms in the Session Initiation Protocol are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document recommends practices and conventions for identifying end users in SIP messages, and proposes a way to distribute cryptographically-secure authenticated identities.
Second abstract: This document provides an overview of the concept of identity in Internet messaging systems as a means of preventing impersonation. It describes the architectural roles necessary to provide identity, and details some approaches to the generation of identity assertions and the transmission of such assertions within messages. The trade-offs of various design decisions are explained.
17
SIP FORKING (native to SIP)
Never need to forward phones to other phones again!!!! This is a big mindset change for the user.
18
SIP Forking: Introduction
SIP natively does forking: make several phones and UAs ring all at the same time. The SIP Server receives an INVITE and generates many INVITEs to all the phones the user has defined. In "SER" that is done by creating static entries in the "location" database with this command: serctl ul add Stephen.Kingham
You may want to add entries to the alias table to point telephone numbers to a user: serctl alias add
19
Presence and Instant Messaging
SIP is not just Voice and Video; it also has Presence and Instant Messaging.
20
Case Study from Edith Cowan University
SIP-enabled their core. SIP integrated Voice, PABX, room-based Video, Desktop Video, mobile SIP phones on campus, Instant Messaging and Presence. The unexpected demand was for Presence and Instant Messaging. Source: APAN 2005 and Questnet 2005, Steve Johnson, Manager IT Infrastructure, ECU, May 2005
21
Case Study from Edith Cowan University
Source: APAN 2005 and Questnet 2005, Steve Johnson, Manager IT Infrastructure, Edith Cowan Uni, May 2005
22
The “SIMPLE” protocol for presence
SUBSCRIBE / NOTIFY. SER Presence module; ref. the Internet2 PIC Working Group.
23
SIP History (H.323 vs SIP)
H.323: ITU-T protocol; May 1995; Study Group 16; now V.5.
SIP: IETF protocol; became "proposed standard" in March 1999; Working Groups: SIP, SIPPING, and SIMPLE; now RFC 3261.
From Quincy Wu's talk, Cairns 2004
24
H323-SIP Comparison of Components
Component: H.323 vs SIP. End Station: Terminal vs SIP UA. Network Server: Gatekeeper vs Registrar, Redirect Server, Proxy Server. MCU vs Conference Server. PSTN Gateway. From Quincy Wu's talk, Cairns 2004
25
H323-SIP Comparison of Protocols
Signaling: RAS/Q.931 (H.323). Capacity Negotiation: H.245 vs SDP. Codecs: any. Real-time Communication: RTP/RTCP. From Quincy Wu's talk, Cairns 2004
26
H323-SIP Comparison of Protocols (cont.)
Message Encoding: Binary vs ASCII. Transport: UDP and TCP, mostly TCP (H.323) vs mostly UDP (SIP). Data Conference: T.120 (H.323). Instant Message: RFC 3428 (SIP). Inter-Domain Routing: Annex G vs DNS. From Quincy Wu's talk, Cairns 2004
27
Other Security stuff
SIP Workshop AARNet, by Stephen Kingham, Stephen.Kingham@aarnet.edu.au
28
IP Phones: VLAN, PoE, QoS
Put IP phones into a separate VLAN.
IP Phones need power, either from a power pack or from the Ethernet switch using PoE (Power over Ethernet). Put "power fail" phones in strategic locations: these are analogue phones connected to an ATA (Analogue Telephone Adaptor) which is powered by a PABX-grade UPS.
QoS: the LAN must police the use of QoS at the "edge" (as close as possible to the users). Only VLANs with IP Phones (VoIP) can have DSCP = 46 (ToS = 5). All other traffic should be marked with DSCP = 0.
29
Quality of Service is only relevant for IP Telephony and VoIP that replace an existing Telephone Service such as a PABX, or in some home situations. At the outgoing edge: classify the traffic (Voice, Data, Video, ...), mark the traffic (DSCP), shape (how much everyone should have). At the incoming edge: police incoming traffic from the outside (make sure it is within contract). Configure WAN routers to prioritise. A common thread for all successful VoIP and IP Telephony is the Voice expertise. The same can be said for Video.
30
WAN QoS: AARNet3 hands policy control back to University
31
VoIP Monitor used in AARNet
Distributed monitoring WITH feeds of QoS availability into VoIP routing. If a user wants QoS and the monitoring indicates that QoS is not working, then the call gets a "congestion" message. See points to
32
AARNet SIP & H.323 network
33
Other relevant talks at APAN Tokyo 2006
Monday 23 Jan:
SIP User Agents Configuration and Fault Finding. Speaker: Quincy Wu
SER Configuration and SIP Peering including ENUM. Speaker: Stephen Kingham
From Taiwan: SIP Mobility in IPV4/IPV6 Network. Speaker:
Using Radius and LDAP with SER SIP Proxy for user Authentication. Speaker: Nimal Ratnayake
9:30 Wednesday 25 Jan: Global SIP Dialling Plans (Ben Teitelbaum and Dennis Barron)
16:00 Wednesday 25 Jan: APAN SIP-H.323 Working Group BoF
34
SIP Routing and VoIP Peering
SIP Workshop APAN Tokyo Japan 22 January 2005 By Stephen Kingham
35
Routing Telephone numbers!
WWW and work by using the Domain Name Service (DNS). DNS turns human addresses into Internet addresses; DNS on its own is very uninteresting or useful! The ENUM standard teaches DNS about Telephone numbers! VoIP users can discover that they can make VoIP calls to a number without routing it first to the PSTN! Traditional Carriers around the world do not like ENUM. Join the ACMA's ENUM Trial, ref: enum.edu.au
36
International H.323 routing Telephone numbers
Uses a common dial-plan called the Global Dialling Scheme (GDS), based on E.164 with 00 in front. AARNet runs one of the four International Root Gatekeepers, although in Australia we use the International dialplan. 27 Country Gatekeepers. More than 156 advanced voice and video networks. A community of Higher Education, some industry, K-12 and Research Organisations. An enabler for international and national collaboration. Plans to migrate to DNS (ENUM) routing. Diagram: 4 duplicated International Directory Gatekeepers, 27 Country Gatekeepers, 156 advanced voice and video networks.
37
H.323 routing (all static configuration)
38
SIP.edu Architecture (Phase 1)
Links the sip address to a plain old telephone. Cheap and easy to do. Hear from Dennis at APAN Tokyo 2006 on Wednesday morning.
Diagram: the SIP User Agent sends an INVITE; DNS SRV query for sip.udp.bigu.edu to the bigu.edu DNS; SIP Proxy; SIP-PBX Gateway (PRI / CAS); INVITE to the PBX; Bob's Phone. The proxy asks the Campus Directory for telephoneNumber where mail="bob"; what is returned is 12345.
Dennis Baron, June 5, 2005
39
SIP.edu Reachable Users
Dennis Baron, June 5, 2005
40
SIP Addressing in the future will be the preferred address, in addition to Telephone numbers
Hear from Ben at APAN Tokyo 2006 on Wednesday morning. A. G. Bell did not say: " , come here. I need you!" (© Ben, Internet2). I will prefer to call people using . Within the next year you will see this on the bottom of footers and on business cards of Australian Universities. Source: Ben
41
SIP and E.164 routing Remember H.323 is static routing for everything.
SIP can use the existing DNS to find people: or variations of E.164 plus domain: dial a number on a UA, e.g. 3575 = domain. With SIP we still need to have static routing just like H.323... BUT WAIT... TRIP (RFC 3219) does for telephone numbers what BGP does for the entire Internet: dynamic routing. And ENUM (RFC 2916) uses the DNS to find the full SIP address from a telephone number. The ACA might have ENUM Tier 1 into Australia soon.
42
Peering SIP Networks: easy to peer using sip addresses with a domain name. Everyone can call or even . But routing E.164 (telephone) numbers is much harder: ENUM, ISN/ITAD, TRIP.
43
SIP peering using sip: address
44
ENUM (SIP and H.323 Routing)
45
SIP and TRIP (Telephone Routing over IP)
TRIP (RFC 3219, not passed) does for telephone numbers what BGP does for the entire Internet: dynamic routing by advertisement! More research and experimentation is needed here; for example, perhaps a simpler form of TRIP (STRIP?) by encapsulating in MIME and sending it using SIP? [Source: discussions between Randy Bush, Andrew Rutherford and Stephen Kingham, 3 Feb 2004]. But look at ITAD and ISN from the Internet2 Working Group. Hear from Ben and Dennis on Wednesday morning at APAN Tokyo 2006.
46
VoIP routing using ENUM
Diagram: DNS-Server, SIP-Server ("ENUM"), SIP-Server, forked SIP call, Gateway, Gateway. Adapted from: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM, 8 Feb 2002, Geneva
47
ENUM in a nutshell: take the phone number +46 86859131, turn it into a domain name under e164.arpa., ask the DNS, and get back a list of URIs (NAPTR records).
Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM, 8 Feb 2002, Geneva
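The three ENUM steps above carried out offline, as an added example that is not part of the slides: the number-to-domain conversion follows RFC 2916 as cited on the slide (reverse the digits, dot-separate, append e164.arpa.), and the NAPTR rules are then applied in order/preference order to produce the caller's list of URIs. The zone contents, the user "bob" and the example.edu URIs are constructed assumptions, not real e164.arpa data; the function also refuses numbers that are not full international (+) numbers, which is the usual cause of empty ENUM results.

```python
# Added example (not from the slides): ENUM number -> domain -> NAPTR -> URIs,
# against a constructed in-memory zone. All records/URIs below are assumptions.
import re


def canonical_e164(number):
    """'tel:+61 2 6222 3535' -> '+61262223535'; rejects anything without a leading +."""
    number = number.strip()
    if number.lower().startswith("tel:"):
        number = number[4:].strip()
    if not number.startswith("+"):
        raise ValueError("ENUM needs a full international (E.164) number")
    digits = "".join(ch for ch in number[1:] if ch.isdigit())
    if not digits:
        raise ValueError("no digits in number")
    return "+" + digits


def enum_domain(number, root="e164.arpa."):
    """Reverse the digits, dot-separate them, append the ENUM root."""
    digits = canonical_e164(number)[1:]
    return ".".join(reversed(digits)) + "." + root


# Constructed zone: (order, preference, flags, service, regexp, replacement)
ZONE = {
    "1.3.1.9.5.8.6.8.6.4.e164.arpa.": [
        (100, 20, "u", "E2U+h323", r"!^.*$!h323:bob@gk.example.edu!", "."),
        (100, 10, "u", "E2U+sip", r"!^.*$!sip:bob@example.edu!", "."),
        (200, 10, "u", "E2U+email:mailto", r"!^\+46(.*)$!mailto:\1@example.edu!", "."),
    ],
}


def apply_naptr_regexp(regexp, number):
    """NAPTR 'delim ERE delim repl delim [flags]' applied to the E.164 string; None if no match."""
    delim = regexp[0]
    _, pattern, repl, flags = regexp.split(delim, 3)
    re_flags = re.IGNORECASE if "i" in flags else 0
    if re.search(pattern, number, re_flags) is None:
        return None
    return re.sub(pattern, repl, number, count=1, flags=re_flags)


def resolve_enum(number, zone=ZONE):
    """Return (service, uri) pairs in order/preference order, as the caller would see them."""
    e164 = canonical_e164(number)
    records = zone.get(enum_domain(number), [])
    result = []
    for _order, _pref, flags, service, regexp, _repl in sorted(records, key=lambda r: (r[0], r[1])):
        if "u" not in flags:
            continue                      # only terminal URI rules are followed here
        uri = apply_naptr_regexp(regexp, e164)
        if uri is not None:
            result.append((service, uri))
    return result


if __name__ == "__main__":
    print(enum_domain("+46 86859131"))
    for service, uri in resolve_enum("+46 86859131"):
        print(service, uri)
```

For +46 86859131 the domain is 1.3.1.9.5.8.6.8.6.4.e164.arpa. and the constructed zone yields the sip:, h323: and mailto: URIs in that order, which is the "caller chooses" list of the next slides. Note that whoever controls the NAPTR records for a number controls where calls to it go, so the DNS for an ENUM tier needs the same change control as a dial plan.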
48
2. Today, many addresses: tel:+61 2 6222 3535, tel:
Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM, 8 Feb 2002, Geneva
49
2. With ENUM, only one. ENUM returns all of these for the caller to choose from: tel: tel: Hand out an ENUM-enabled number.
Source: Patrik Fältström, Area Director Applications Area IETF, from ITU Tutorial Workshop on ENUM, 8 Feb 2002, Geneva
50
SIP and TRIP (Telephone Routing over IP)
TRIP (RFC 3219, not passed) does for telephone numbers what BGP does for the entire Internet: dynamic routing by advertisement! More research and experimentation is needed here; perhaps a simpler form of TRIP (STRIP?) encapsulated in MIME? [Source: discussions between Randy Bush, Andrew Rutherford and Stephen Kingham, 3 Feb 2004]. But look at ITAD and ISN from the Internet2 Working Group. Hear from Ben and Dennis on Wednesday morning at APAN Tokyo 2006.