SIP security in IP telephony
Download as PPTX, PDF8 likes4,229 views
Session Initiation Protocol (SIP) is an application layer protocol for setting up and managing multimedia communication sessions over IP networks. It allows users to initiate, modify and terminate multimedia sessions that include voice, video and messaging applications. SIP supports mobility through proxy servers that can forward calls to a user's current location. Common security threats to SIP include registration hijacking, message modification and denial of service attacks. Recommended security mechanisms include TLS for hop-by-hop security, S/MIME for end-to-end encryption, and digest authentication.
SIP security in IP telephony
- 2. INTRODUCTION • Session Initiation Protocol (SIP) is a Requests For Comments (RFC) of the Internet Engineering Task Force (IETF) • First standardized in March 1999 in RFC 2543 (Obsolete) • A second version in 2002 in RFC 3261
- 3. INTRODUCTION • Today, the session initiation protocol (SIP) is the predominant protocol for IP Telephony Signalling. This paper addresses IP Telephony security issues - both current and future – focusing on SIP. • We summarize current activities regarding SIP security, including recent developments in the research community and standardization efforts within the IETF.
- 4. SIP OVERVIEW (1) • ASCII based, signaling protocol • Analogous to HTTP messages, SIP is a text base protocol. • Works independent of the underlying network transmission protocol and indifferent to media
- 5. SIP OVERVIEW (1) It provides mechanisms to: • Establish a session • Maintain a session • Modify and Terminate a session • Session Initiation Protocol (SIP) is an application layer protocol, which is used to establish, maintain and terminate multimedia session. • These sessions may include voice, video, instant messaging.
- 6. SIP Components System using SIP can be viewed in two Dimensions: • Client/Server • Individual Network Elements
- 7. SIP Components Client : : A client is any network element that sends SIP requests and receives SIP responses. Server: A server is a network element that receives requests in order to service them and sends back responses to those requests. • Example of Servers: Proxies, user agent servers, redirect servers, and registrars.
- 8. SIP Components (2) Two general categories of SIP are User Agent (UA): Resides in every SIP end station SIP Servers
- 9. SIP Components (2) User Agent (UA) Has two roles: SIP User Agent Client(UAC): Issues SIP requests. SIP User Agent Server (UAS): Receives SIP requests, and Generates a response that accepts, rejects, or redirects the request.
- 10. SIP Components (2) SIP Servers • Proxy Server: The proxy server is an intermediary entity that acts as both a server and a client for the purpose of making requests on behalf of other clients. A proxy server primarily plays the role of routing, meaning that its job is to ensure that a request is sent to another entity closer to the targeted user. • Redirect Server: Used during session initiation, Determine the address of the called device, Returns this information to the calling device. • Registrar Server: A registrar is a server that accepts REGISTER requests and places the information it receives (the SIP address and associated IP address of the registering device) in those requests into the location service for the domain it handles.
- 11. SIP Functions Scalability Functionality such as proxying, redirection, location, or registration can reside in different physical servers. Distributed functionality allows new processes to be added without affecting other components. Interoperability An open standard Can implement to communicate with other SIP based products
- 12. SIP Functions (2) Mobility • Supports user mobility by proxying and redirecting requests to a user’s current location. • The user can be using a PC at work, PC at home, wireless phone, IP phone, or regular phone. • Users must register their current location. • Proxy servers will forward calls to the user’s current location. • Example mobility applications include presence and call forking.
- 13. RELATED PROTOCOL SIP IPv4 / IPv6 TCP UDP SDP MGCP RTSP RTCP RTP RSVP Signaling Gateway control QoS
- 14. SIP CAPABILITIES • Determine location of target points – Support address resolution, name mapping, call redirection • Determine media capabilities – SIP uses Session Description Protocol (SDP) for this • Determine availability – returns a message why the remote party cannot be contacted • Establish a session between end points – also support mid call changes, changes of media characteristics or codec • Handles termination of calls – transfer of calls • Permits interaction between devices via signalling messages
- 15. SIP CAPABILITIES • INVITE: Invite a user to join a call • ACK: Confirm that a client has received a final response to an invite • BYE: Terminates the call between two of the users on a call • OPTIONS: Request information on the capabilities of a Server • CANCEL: Ends a pending Request , but doesn’t end the call • REGISTER: Provide the map of address resolution that lets the server know the location of the users.
- 16. Status Codes 1xxInformational • 100 Trying • 180 Ringing (ringing tone played locally) • 181 Call is Being Forwarded • 182 Queued • 183 Session progress 2xxSuccess • 200 ok 3xx Redirection • 300 Multiple Choices • 301 Moved Permanently • 302 Moved Temporarily • 380 Alternative server 4xxClient error • 400 Bad Request • 401 Unauthorized • 403 Forbidden • 404 Not Found • 405 Bad Method • 415 Unsupported Content • 420 Bad Extensions • 482 Detected • 486 Busy Here 5xxServer failure • 500 Server Internal Error • 501 Not Implemented • 503 Unavailable • 504 Timeout 6xxGlobal Failure • 600 Busy Everywhere • 603 Decline • 604 Doesn’t Exist • 606 Not Acceptable
- 17. SIP Basic Call Setup
- 18. SIP Headers • Session Initiation Protocol (RFC3261) for call signaling • Header format is similar to HTTPS • UDP Port 5060 used (recommended) • TCP is also allowed (required for SIPS) • Responsible for connection setup and release: INVITE, OK, ACK, BYE, CANCEL • Registration service for mobile user agents: REGISTER • Uses DNS for routing (RFC3263;)
- 19. SIP Headers • Session Description Protocol (RFC 2327) for parameter exchange • Body of SIP-Messages • Looks (a little bit) like sendmail mail queue format • Contact address (ip address, port #) c=IN IP4 172.16.1.127 • Codec m=audio 7078 RTP/AVP 8 0 2 102 100 97 101 • (Master)Key for SRTP k=clear:geheim
- 20. SIP Headers (2) INVITE sip:09611000038@202.4.97.11 SIP/2.0 Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1--- d8754z-;rport Max-Forwards: 70 Contact: <sip:09611301525@172.16.1.127:6256> To: <sip:09611000038@202.4.97.11> From: "09611301525"<sip:09611301525@202.4.97.11>;tag=015ccc4a Call-ID: NGY1OGQ4NDI0OGMzMTI4MTNhY2M1ZTRkYzVlMDliMDU. CSeq: 1 INVITE Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO Content-Type: application/sdp Supported: replaces User-Agent: PortGo v6.8, Build 07112011 Content-Length: 474
- 21. Breakdown of Header INVITE : message type Address of called party SIP version used by caller Semicolon indicates start of URI parameters Eg:- user=phone indicates call is for a phone number and not a SIP IP address INVITE sip:09611000038@202.4.97.11 SIP/2.0 Via: History of message’s path through network(s) Helps to prevent looping and ensures replies route back to originator Indicates the used transport protocol, ip address and port of sender Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1--- d8754z-;rport
- 22. SDP Headers • Describes components of communication channel under negotiation • Includes information about : – Codecs – Ports – Streaming protocols • Usually sent with INVITE and 200 OK in SIP based devices • Describes how data stream is going to be support via Real Time Transport Protocol (RTP, RFC 1889)
- 23. SIP & SDP Header Analysis For INVITE sip:09611000038@202.4.97.11 SIP/2.0 details message looks like this: 202.4.100.35:6256 202.4.97.11:5060 INVITE sip:09611000038@202.4.97.11 SIP/2.0 Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1---d8754z-;rport Max-Forwards: 70 Contact: <sip:09611301525@172.16.1.127:6256> To: <sip:09611000038@202.4.97.11> From: "09611301525"<sip:09611301525@202.4.97.11>;tag=015ccc4a Call-ID: NGY1OGQ4NDI0OGMzMTI4MTNhY2M1ZTRkYzVlMDliMDU. CSeq: 1 INVITE Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO Content-Type: application/sdp Supported: replaces User-Agent: PortGo v6.8, Build 07112011 Content-Length: 474 v=0 o=- 59935706 59935706 IN IP4 172.16.1.127 s=http://www.portsip.com c=IN IP4 172.16.1.127 t=0 0 m=audio 21006 RTP/AVP 8 0 3 121 100 9 97 101 a=rtpmap:8 PCMA/8000 a=rtpmap:0 PCMU/8000 a=rtpmap:3 GSM/8000 a=rtpmap:121 G7221/16000 a=rtpmap:100 SPEEX/16000 a=rtpmap:9 G722/8000 a=rtpmap:97 iLBC/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-15 a=ptime:20 a=sendrecv m=video 40180 RTP/AVP 34 a=rtpmap:34 H263/90000 a=fmtp:34 CIF=1 QCIF=1 a=sendrecv
- 24. Security Attacks Signaling Layer Attacks • SIP Registration Hijacking: Attacker impersonates a valid UA to a registrar himself as a valid user agent. so attacker can receive calls for a valid user. • Impersonating a Server: When an attacker impersonates a remote server and user agent request are served by the attacker machine.
- 25. Security Attacks Signaling Layer Attacks • SIP Message Modification: If an attacker launches a man in the middle attack and modify a message. Then attacker could lead the caller to connect to malicious system. • SIP Cancel / SIP BYE attack • SIP DOS attack: In SIP attacker creates a bogus request that contained a fake IP address and Via field in the SIP header contains the identity of the target host.
- 26. Security Solutions Two types of security solutions End-to End security: • In SIP end points can ensure end-to-end security to those messages which proxy does not read, like SDP messages could be protected using S/MIME. • Media is transferred directly, so end-to-end security is achieved by SRTP. Hop-by-hop security • TLS, IPSec.
- 27. SIP Security Mechanisms The SIP standard, as specified in RFC 3261 , includes several security mechanisms: • S/MIME: Because SIP is using MIME for message bodies, S/MIME can be used to send authenticated and encrypted messages between user agents. • Digest Authentication: SIP entities sharing a secret (e.g. a password) can authenticate each other with a challenge-response mechanism. • TLS & IPSec: Hop-by-hop security for SIP signaling can be achieved either on the transport layer (TLS) or on the network layer (IP sec).
- 28. SIP-Secure over TLS • SIPS is like HTTPS: Is set on top of TCP only • Signaling over sips URI: sips:user@example.de;transport=tc p, Demands for TLS along the (signaling)path. • Server authentication via Certificate • Client authentication (mostly) via username/digest. • Client authentication via Certificate possible • Only Hop by Hop Security • S/MIME − secure SDP • Data format based on S/MIME mail. • Encryption of the SDP portion of the SIP message • End-to-End or Hop by Hop allowed: Tunneled (and S/MIME encrypted) SDP also allowed • Supports UDP or TCP: TCP is recommended because of UDP fragmentation. S/MIME − secure SDP
- 29. CONCLUSION The SIP is such a protocol, which does not have any built-in security. This makes it more vulnerable to common VoIP attacks. In this implementation of the SIP security threats and countermeasures, the SIP secure model is designed to provide security mechanisms by following the best practices for securing a SIP based VOIP system.
- 30. CONCLUSION The intention of this paper has been to present an overview of important challenges and current activities on SIP security. SIP is used to initiate IP Telephony communications. Thus, SIP security will remain an active and interesting research area in the near future.
- 31. THANK YOU Muhammad Yeasir Arafat Systems Engineer Email: yeasir@dhakacom.com yeasir08@yahoo.com Dhakacom Limited Dhaka, Bangladesh