
1 Media Session Authorization
Dan Wing, dwing@cisco.com
draft-wing-session-auth-00.txt

2 IPR Declaration
Cisco will be declaring IPR on draft-wing-session-auth-00.txt

3 Session Authorization Overview
Authorize UDP media sessions
–Uses the usernames/passwords of ICE
–Authority comes from the call controller
Natural packet routing
–No NAT, no SBC
–Allows multihomed networks
No topology awareness
No topology constraints

4 ICE Overview
Interactive Connectivity Establishment
–Useful for traversing NATs
Per-flow usernames (and passwords) are exchanged in ICE signaling
To verify connectivity, ICE endpoints send the username in the media path
–STUN Request / Response (RFC 3489)

5 Media Session Authorization
Per-call username is seen by the SIP proxy
SIP proxy gives the policy server the call info
Firewall identifies the STUN Request
Firewall asks the policy server to authorize the flow
Firewall opens a pinhole
Result: secure authorization of a legitimate flow

6 ICE with Policy Authorization, Slide 1
[Diagram: Alice, FW-A, FW-B, Bob, Alice's and Bob's Call Controllers, Alice's and Bob's Policy Servers, with numbered steps 1–12. Messages shown: INVITE (From: Alice, To: Bob, IP=X, UDP=x, Token=A1); STUN Request; "X, x" passed to the policy server; one arrow labelled "informational".]

7 ICE with Policy Authorization, Slide 2
[Diagram: same parties, steps 13–16. Messages shown: SIP 183 or 200 (From: Bob, To: Alice, IP=Z, UDP=z, Token=B1); STUN Response.]
No external authorization check is necessary because the same STUN transaction-id and (flipped) 5-tuple are in the STUN Request and Response

8 Asymmetric Routing: Problem
Firewall can't learn about the bi-directional flow, because it only sees one direction
–Thus, can't use transaction-id and 5-tuple to authorize the STUN Response message
[Diagram: Firewall-Atlanta, Firewall-Dallas, Gateway]

9 Asymmetric Routing: Approach A
Firewall asks the policy server about STUN Responses, too
–Continue using the same protocol
–Approach A causes additional STUN Request/Response delay

10 Approach A (slide 1)
[Diagram: Alice, FW-A, FW-B-1, FW-B-2, Bob, the two Call Controllers and the two Policy Servers, steps 1–12. Messages shown: INVITE (From: Alice, To: Bob, IP=X, UDP=x, Token=A1); STUN Request; "X, x" passed to the policy server; one arrow labelled "informational".]

11 Approach A (slide 2)
[Diagram: same parties, steps 13–19. Messages shown: 183 or 200 (From: Bob, To: Alice, IP=Z, UDP=z, Token=B1); "Z, z" passed to the policy server; STUN Response via FW-B-2; one arrow labelled "informational".]

12 Asymmetric Routing: Approach B
Tell other firewalls about every valid STUN transaction-id
–Example: secure multicast protocol (GDOI?)
–Optimization 1: tell only the firewalls that might need to know (but how do you know which?)
–Optimization 2: firewalls only need to remember an authorized STUN transaction-id for a short time (5–10 seconds)
–Approach B adds more state to firewalls

13 Approach B
[Diagram: Alice, FW-A, FW-B-1, FW-B-2, FW-B-3, FW-B-4, Bob, the two Call Controllers and the two Policy Servers, steps 1–12 plus step 6a. Messages shown: INVITE (From: Alice, To: Bob, IP=X, UDP=x, Token=A1); STUN Request; "X, x" passed to the policy server; one arrow labelled "informational".]

14 Approach B: Tell Firewall (slide 2)
[Diagram: same parties, steps 13–19. Messages shown: 183 or 200 (From: Bob, To: Alice, IP=Z, UDP=z, Token=B1); STUN Response; one arrow labelled "informational".]
FW-B-2 needs no external authorization check because the same STUN transaction-id and (flipped) 5-tuple are in the STUN Request and Response
FW-B-3 and FW-B-4 time out the STUN transaction-id aggressively (5–10 seconds)
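The following is an added worked example, not code from the draft or from the presenter: a toy model of the firewall / policy-server exchange described on slides 5–7 (Request authorized by the policy server, Response accepted on matching transaction-id and flipped 5-tuple, no second query), extended with Approach B from slides 12–14 (the policy server pushes the authorized transaction-id to the other firewalls, which keep it only briefly). The STUN header and USERNAME layout follow RFC 3489; the class names, the exact rule the policy server applies (USERNAME equals a signaled token and the packet comes from the signaled address), NUL padding of USERNAME, the 10-second lifetime and all addresses and tokens are assumptions made for illustration.

```python
"""Added example, not code from the draft: toy model of the firewall / policy-server exchange
on slides 5-7 plus Approach B (slides 12-14).  STUN layout per RFC 3489 (Binding Request 0x0001,
Binding Response 0x0101, USERNAME 0x0006); class names, the rule the policy server applies,
NUL padding of USERNAME and the 10 s transaction-id lifetime are assumptions."""
import struct

BINDING_REQUEST, BINDING_RESPONSE, ATTR_USERNAME = 0x0001, 0x0101, 0x0006   # RFC 3489 codes
TXID_LIFETIME = 10.0   # seconds a pushed transaction-id is kept (slide 12: 5-10 s)

def build_stun(msg_type, txid, username=None):
    """STUN header (type, length, 128-bit transaction-id) plus optional USERNAME attribute;
    RFC 3489 needs a USERNAME length that is a multiple of 4, NUL padding is assumed."""
    body = b""
    if username is not None:
        value = username.encode()
        value += b"\x00" * (-len(value) % 4)
        body = struct.pack("!HH", ATTR_USERNAME, len(value)) + value
    return struct.pack("!HH", msg_type, len(body)) + txid + body

def parse_stun(pkt):
    """Return (msg_type, txid, username or None); ValueError if not a STUN Binding message."""
    if len(pkt) < 20:
        raise ValueError("short header")
    msg_type, length = struct.unpack("!HH", pkt[:4])
    if msg_type not in (BINDING_REQUEST, BINDING_RESPONSE) or len(pkt) != 20 + length:
        raise ValueError("not a STUN Binding message")
    txid, username, off = pkt[4:20], None, 20
    while off + 4 <= len(pkt):
        atype, alen = struct.unpack("!HH", pkt[off:off + 4])
        value = pkt[off + 4:off + 4 + alen]
        if len(value) != alen or alen % 4:
            raise ValueError("bad attribute length")
        if atype == ATTR_USERNAME:
            username = value.rstrip(b"\x00").decode()
        off += 4 + alen
    if off != len(pkt):
        raise ValueError("trailing bytes")
    return msg_type, txid, username

class PolicyServer:
    """Gets call info from the SIP proxy (slide 5) and answers firewall queries."""
    def __init__(self):
        self.calls, self.firewalls, self.queries = {}, [], 0   # token -> (ip, port); peers; count
    def learn_call(self, token, ip, port):
        self.calls[token] = (ip, port)
    def authorize(self, username, src):
        """Assumed rule: USERNAME is a signaled token and src is the address signaled with it."""
        self.queries += 1
        return self.calls.get(username) == src
    def push_txid(self, origin, txid, flow, now):
        """Approach B: tell every other firewall which Response to expect, briefly."""
        for fw in self.firewalls:
            if fw is not origin:
                fw.expected[txid] = (flow, now + TXID_LIFETIME)

class Firewall:
    def __init__(self, policy, approach_b=False):
        self.policy, self.approach_b = policy, approach_b
        self.pinholes = set()   # (src, dst) pairs allowed to carry media
        self.expected = {}      # txid -> ((src, dst) of the Response, expiry or None)
        policy.firewalls.append(self)
    def handle(self, pkt, src, dst, now=0.0):
        """True if the packet is forwarded, False if dropped."""
        try:
            msg_type, txid, username = parse_stun(pkt)
        except ValueError:                      # ordinary media: needs an open pinhole
            return (src, dst) in self.pinholes
        if msg_type == BINDING_REQUEST:         # slide 5: ask the policy server
            if username is None or not self.policy.authorize(username, src):
                return False
            self.pinholes.add((src, dst))
            self.expected[txid] = ((dst, src), None)   # Response: same txid, flipped 5-tuple
            if self.approach_b:
                self.policy.push_txid(self, txid, (dst, src), now)
            return True
        flow, expiry = self.expected.get(txid, (None, None))
        if flow != (src, dst) or (expiry is not None and now > expiry):
            return False                        # unknown or stale txid, or wrong 5-tuple
        self.pinholes.add((src, dst))           # slide 7: no policy query for the Response
        return True

def run_scenario(approach_b=True):
    """Slides 13-14: Alice's Request crosses FW-B-2, Bob's Response comes back via FW-B-3."""
    alice, bob = ("192.0.2.10", 49170), ("198.51.100.20", 49172)   # constructed X,x and Z,z
    policy = PolicyServer()
    fw_b2, fw_b3, fw_b4 = (Firewall(policy, approach_b) for _ in range(3))
    policy.learn_call("A1", *alice)             # SIP proxy saw INVITE ... IP=X, UDP=x, Token=A1
    txid = bytes(range(16))                     # constructed transaction-id
    request = build_stun(BINDING_REQUEST, txid, "A1")
    response = build_stun(BINDING_RESPONSE, txid)
    rtp = bytes([0x80, 0x00]) + b"\x00" * 10    # constructed non-STUN media packet
    r = {"forged_token": fw_b2.handle(build_stun(BINDING_REQUEST, txid, "A9"), alice, bob),
         "wrong_source": fw_b2.handle(request, ("203.0.113.5", 40000), bob),
         "request": fw_b2.handle(request, alice, bob, now=0.0)}
    r["response_same_fw"] = fw_b2.handle(response, bob, alice, now=1.0)
    r["response_other_fw"] = fw_b3.handle(response, bob, alice, now=1.0)
    r["rtp_other_fw"] = fw_b3.handle(rtp, bob, alice, now=2.0)
    r["wrong_txid_other_fw"] = fw_b3.handle(build_stun(BINDING_RESPONSE, bytes(16)), bob, alice, 1.0)
    r["stale_other_fw"] = fw_b4.handle(response, bob, alice, now=30.0)   # past TXID_LIFETIME
    r["policy_queries"] = policy.queries        # Responses never trigger a policy query
    return r
```

`run_scenario(True)` models Approach B: FW-B-2 forwards the Request after one policy query, and FW-B-3, which never saw the Request, still forwards the Response and the media that follows because the transaction-id was pushed to it; a Response with an unknown transaction-id, or one arriving at FW-B-4 after the 10-second lifetime, is dropped. `run_scenario(False)` shows the asymmetric-routing problem from slide 8: FW-B-3 drops both the Response and the media. In both runs the policy server is queried exactly three times, all for Requests, which is the point of slide 7.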

15 Features
No topology awareness
Supports multi-homed networks
–Including asymmetric routing

16 Drawbacks
Endpoints must cooperate in the scheme
ICE-capable endpoints cooperate as a side-effect of their normal ICE operation
–Note well: only a portion of ICE is needed: only the exchange of tokens in signaling and the STUN Request/Response in the media path

17 Going Forward
Standardize interfaces
–SIP proxy to Policy Server
–Policy Server to Firewall
Decide on Approach A or B for multihomed asymmetric routing

