SECURITY FEATURES OF SIP

ANALYSIS OF SIP
Team Members:
Jayanthi Jayaraman
Jyoti Bhayana
Malavika Gowda
Subha Keshavaraj
Vinaya Damle
WHAT IS SIP?
- Session Initiation Protocol
- Application layer signaling protocol
- Session management of applications such as VoIP, video conferencing, and interactive gaming over IP networks
- Independent of the transport layer protocol (can work with TCP, UDP, SCTP, etc.)
- Peer-to-peer protocol
WHAT IS IT USED FOR?
- Establishment of user location
- Feature negotiation – participants agree on the lowest level of common services
- Call management – adding, dropping, transferring participants
- Changing features of a session while it is in progress
- Determining the availability of the target endpoint
- Handling the transfer and termination of calls
FEATURES
- Reuses existing protocols – e.g., modeled after HTTP, uses URLs for addressing and SDP (Session Description Protocol) to convey session information, and RTP for carrying video content
- Maximizes interoperability – enables service providers to integrate basic IP telephony services with Web, e-mail, and chat services
- Offers services such as user mobility, time-of-day routing, and call forwarding based on geographical location
- Provides user authentication, redirect, and registration services
SIP Components
- User Agent Client (UAC) – initiates a SIP request
- User Agent Server (UAS) – responds to the request
- Proxy Server – provides services like authentication, authorization, routing, etc.
- Redirect Server – informs the client about the next server hop
- Registrar Server – registers user location information

HOW SIP WORKS
- Text-based protocol
- Follows a request/response transaction model like HTTP
- Each user is associated with a unique address in the form sip:user@domain
- All SIP messages follow a general format that contains a start line, header field(s), and an optional body
- Each line terminates with CRLF
SIP REQUESTS
- INVITE: Used to invite a user to take part in a conference.
- ACK: Sent by the caller to the callee to confirm that the final response to the INVITE request has been received.
- BYE: Used to terminate a call. It can be sent either by the caller or the callee.
- CANCEL: Used to cancel pending requests, if any. It does not terminate an accepted call.
- OPTIONS: Used to query the server about its capabilities.
- REGISTER: Registers with a SIP server using the address specified in the header.
SIP RESPONSES
- SIP 1xx – informational responses, such as "the request is being processed".
- SIP 2xx – successful responses.
- SIP 3xx – redirection responses, indicating that further action is required to complete the request.
- SIP 4xx – failure responses on the client side.
- SIP 5xx – failure responses from the server side.
- SIP 6xx – global failure responses, such as "the request cannot be processed by any server".
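As an added illustration of the message format and the request/response classes described above (example code, not from the original slides), this Python parser splits a CRLF-delimited SIP message into start line, headers and body, classifies a response by the hundreds digit of its status code, and checks the declared Content-Length against the body it actually received. The two sample messages are constructed.

```python
# Constructed sample messages (not from the slides): a REGISTER request
# and a 200 OK answering an INVITE, the latter carrying a short SDP body.
SAMPLE_REGISTER = (
    "REGISTER sip:registrar.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Alice <sip:alice@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK74bf9\r\n"
    "Call-ID: 3848276298220188511@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "v=0\r\n"
)

# Response classes by hundreds digit, as listed on the SIP RESPONSES slide.
RESPONSE_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                    4: "client failure", 5: "server failure", 6: "global failure"}

def parse_sip_message(raw):
    """Split a SIP message into start line, headers and body (all CRLF-delimited)."""
    head, _, body = raw.partition("\r\n\r\n")        # blank line ends the header block
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()  # last value wins for repeated names
    msg = {"headers": headers, "body": body}
    if start.startswith("SIP/2.0 "):                  # Status-Line: version code reason
        _, code, reason = start.split(" ", 2)
        msg.update(kind="response", status=int(code), reason=reason,
                   status_class=RESPONSE_CLASSES.get(int(code) // 100, "unknown"))
    else:                                             # Request-Line: method uri version
        method, uri, _version = start.split(" ", 2)
        msg.update(kind="request", method=method, uri=uri)
    # A Content-Length that disagrees with the body means truncation or trailing junk.
    declared = int(headers.get("content-length", len(body)))
    msg["length_ok"] = declared == len(body)
    return msg
```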
SIP REGISTRATION PROCESS
SIP CALL SETUP PROCESS
SECURITY FEATURES OF SIP
Two kinds of threats to a SIP-based network:
- External: launched by a non-participant in the message flow
- Internal: launched by a SIP call participant
Network Security Issues and Their Solutions

Issue: Denial-of-service (DoS) attacks – prevention of access to a network service by bombarding SIP proxy servers or voice-gateway devices on the Internet with inauthentic packets.
Solution: Configure devices to prevent such attacks.

Issue: Eavesdropping – unauthorized interception of voice packets or the Real-Time Transport Protocol (RTP) media stream, and decoding of signaling messages.
Solution: Encrypt transmitted data using encryption mechanisms like Secure RTP.

Issue: Packet spoofing – impersonation of a legitimate user transmitting data.
Solution: Send address authentication (for example, endpoint IP addresses) between call participants.

Issue: Replay – the retransmission of a genuine message so that the device receiving the message reprocesses it.
Solution: Encrypt and sequence messages; in SIP this is offered at the application-protocol level by using the CSeq and Call-ID headers.

Issue: Message integrity – ensuring that the message received is the same as the message that was sent.
Solution: Authenticate messages by using HTTP Digest, an option supported on Cisco SIP-enabled phones and the Cisco SIP Proxy Server.
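To show what the HTTP Digest and CSeq/Call-ID points in the table above (and the Digest authentication mechanism listed next) look like on the registrar or proxy side, here is an added Python example that is not part of the original slides: it recomputes the Digest response value with MD5, as SIP borrows the scheme from HTTP, and rejects a request whose CSeq does not exceed the last one accepted for its Call-ID. The realm, user, password and nonce values are constructed.

```python
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """Digest 'response' value as SIP reuses it from HTTP Digest (RFC 2617)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop:  # qop=auth form also binds the nonce count and client nonce
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

class SipAuthChecker:
    """Registrar/proxy-side check: Digest credentials plus a CSeq replay guard."""
    def __init__(self, realm, passwords, valid_nonces):
        self.realm = realm
        self.passwords = passwords        # username -> password (store HA1 in practice)
        self.valid_nonces = valid_nonces  # nonces this server issued and still accepts
        self.highest_cseq = {}            # Call-ID -> highest CSeq accepted so far

    def check(self, method, call_id, cseq, auth):
        """auth: Digest parameters parsed from the (Proxy-)Authorization header."""
        if auth.get("realm") != self.realm or auth.get("nonce") not in self.valid_nonces:
            return False, "unknown realm or stale nonce"
        password = self.passwords.get(auth.get("username"))
        if password is None:
            return False, "unknown user"
        expected = digest_response(auth["username"], self.realm, password, method,
                                   auth["uri"], auth["nonce"], auth.get("qop"),
                                   auth.get("nc"), auth.get("cnonce"))
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return False, "bad credentials"
        # Replay guard: a retransmitted request inside one Call-ID reuses an old CSeq.
        if cseq <= self.highest_cseq.get(call_id, 0):
            return False, "replayed or out-of-order CSeq"
        self.highest_cseq[call_id] = cseq
        return True, "authenticated"
```

Without the qop=auth form the response does not cover a nonce count, so nonces the server hands out should expire quickly; the CSeq guard alone only catches exact retransmissions within one Call-ID.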
SIP Security Mechanisms
1. Authentication:
SIP supports 3 types of authentication:
- User-to-user authentication
- Proxy-to-user authentication
- Digest authentication
2. Secure MIME type authentication – base support for:
- TLS_RSA_WITH_AES_128_CBC_SHA
- SHA1 digital signature algorithm
- Triple DES encryption algorithm
Continued…
3. Support for SRTP:
- SIP is used for audio and video streaming; security is enhanced by supporting SRTP rather than RTP
- Usage of SRTP is negotiated during INVITE messages for secure streaming
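Because the slides state that SRTP use is negotiated in the INVITE, this added Python example (not from the original) inspects the SDP body of an offer and reports, per media stream, whether the transport profile is an SRTP one and whether SDES key material (an a=crypto line, RFC 4568) is attached, so a proxy or B2BUA can refuse offers that would fall back to plain RTP. The SDP offer and its key string are constructed placeholders.

```python
# Constructed SDP offer (not from the slides), as carried in the body of an INVITE:
# the audio stream offers SRTP with a key, the video stream offers plain RTP.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_BASE64_KEY\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
)

# Transport profiles that mean SRTP (with and without RTCP feedback / DTLS keying).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sdp_media(sdp):
    """One record per m= line: media type, profile, SRTP flag, and whether keying is present."""
    records = []
    current = None
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            media, _port, proto, *_fmts = line[2:].split()
            current = {"media": media, "proto": proto,
                       "srtp": proto in SECURE_PROFILES, "keyed": False}
            records.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["keyed"] = True   # SDES key parameters belong to the preceding m= line
        # a=fingerprint (DTLS-SRTP keying) is not handled in this example.
    return records

def offer_is_fully_secured(sdp):
    """Policy a proxy/B2BUA could enforce: every stream must be SRTP and carry keying."""
    return all(r["srtp"] and r["keyed"] for r in audit_sdp_media(sdp))
```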
Continued….
4. Tunneling SIP:
- Encapsulate SIP messages in MIME headers so as to benefit from S/MIME security to maintain message integrity and confidentiality.
- Confidentiality – the encrypted MIME message is the inner message body; the outer message has the MIME headers for the S/MIME body.
REFERENCES
- http://www.faqs.org/rfcs/rfc3261.html
- http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_6-1/sip.html
- http://www.ietf.org/rfc/rfc3261.txt
THANK YOU