Protection: Securing Your Converged Network


SIP Explained
Gary Audin
Delphi, Inc.
[email protected]
Sponsored by
www.telecomreseller.com
Speaker Background
• Communications and security consultant for 34 years
• Speaker at Enterprise Connect, ITExpo and 100s of user conferences
• Article and blog sites:
o www.nojitter.com
o www.webtorials.com
o www.telecomreseller.com
o www.acuta.org
o www.searchunifiedcommunications.com
Session Initiation Protocol
• A protocol is an information exchange procedure, a set of rules.
• SIP is a protocol to establish, manage, and terminate a connection (session) that is media independent.
• SIP is not specifically designed for digital voice.
• SIP operates over an IP network.
SIP Does This
• It locates the user and determines which end system will be used in the proposed session.
• It then learns the user's availability (is the user busy; can he/she be disturbed?).
• It determines the capabilities available at the user end system for the session, such as what media is supported.
• It establishes the session.
• It manages the session, handling call termination, call transfer, changes to session parameters, and so forth.
• It is a peer-to-peer protocol running over UDP and TCP.
SIP Features
• User location can determine the end system to be used for communication
• User availability determines the willingness of the called endpoint to engage in communications
• User capabilities can determine the media and media parameters to be used
• Session setup: endpoint ringing, establishment of session parameters at both called and calling endpoints
• Session management, including session transfer and termination, changing session parameters, and invoking services
H.323 vs. SIP
FACTOR                  H.323                               SIP
Design                  Complex (736-page spec)             Simple (128-page spec)
Number of Elements      100's                               37
Messages                Based on ASN.1                      Text-based, like HTTP and RTSP
Call Setup              Multiple Requests                   Single Request
Extensibility           Non Standard                        Use Session Description Protocol
Large-Number Domains    Designed for LAN                    Designed for IP Networks
Server Processing       "Hold" state for all calls          Pass Through
Conferencing            Limited                             Open to all sizes
Feedback                H.245 does not work in Multicast    RTCP
Firewall Support        Difficult                           Easier
Interoperability        Not Common                          Becoming Common
What’s in a SIP Session
• “Session” = exchange of data between an association of participants
• Users can move among endpoints
• Users may have multiple names and addresses
• Users may communicate in different media
• SIP enables internet endpoints:
o To discover each other
o To characterize the session
• The location infrastructure supports name mapping and redirection services
• Endpoints can add/remove participants from a session
• Endpoints can add/remove media from a session
Not Part of SIP
• SIP is not a vertically integrated communications system. It is ONLY a component.
• SIP is independent of the services offered.
o SIP provides mechanisms that can be used to implement different services.
o SIP can locate a user and deliver content to the user’s current location.
• SIP does not offer conference control services nor prescribe how a conference is to be managed.
SIP Does Not
• SIP does not define the media carried (voice, video, IM, data, games, graphics, photos…)
• SIPPING 19, not SIP itself, defines a minimum set of telephony features
• SIP trunks are not able to provide interoperability between different vendors’ IP PBXs
SIP Components
• SIP is built upon a client/server architecture
• User Agents (SIP Phones, SIP PCs, other endpoints)
• Servers (used to locate SIP users or to forward messages)
• SIP Gateways:
o To PSTN for telephony interworking
o To H.323 for IP Telephony interworking
• Client - originates message
• Server - responds to or forwards message
Multimedia Protocol Stack
(Figure: protocol layers, top to bottom)
Application Layer: Signaling (SIP, SDP, H.323); Media (Media Coding, RTP); Utility (DNS, DHCP)
Transport Layer: TCP, UDP
Internet Layer: IP
Physical/Link Layer: AALx, PPP, ATM, V.90, Ethernet, MPLS
SIP Applications
• SIP trunks
• SIP IP phones
• IP PBX-to-IP PBX trunks
• Computer Telephony Integration (CTI) connection; CSTA over SIP
• Alarm systems
• Pagers
• Doorphone
• Audio Alerter
• Callbox
• Multimedia Intercom
• Process control devices
User Agent and Proxy Server Client/Server Interaction
(Figure: User Agent [Client + Server] <-> Proxy Server [Server + Server] <-> User Agent [Client + Server]; each User Agent contains both a client and a server, and the Proxy Server presents a server function toward each of them.)
SIP Signaling Paths
(Figure: a Server (DNS/DHCP/TFTP), an IP Phone and a Softphone on the IP LAN/WAN; an Access/Media Gateway connecting an analog Phone, FAX and Modem; a Trunk Gateway connecting to the PSTN over T1/E1 and PRI.)
SIP in WebRTC
(Figure: Browser A running HTML5 and Browser M running HTML5 each exchange SIP signaling with a Web Server/Application; audio, video and data flow peer-to-peer between the two browsers.)
SIP User Agent, Server, and Location Service Interaction
(Figure: User Agent <-SIP-> Proxy Server <-SIP-> User Agent; the Proxy Server also exchanges SIP with a Redirect or Registration Server backed by a Location Service or Database; RTP media flows directly between the two User Agents.)
SIP Registration Example
Russell -> Registrar Server: REGISTER
Registrar Server -> Russell: 200 OK
SIP Call Example, Proxy Server
Russell -> Proxy Server: INVITE
Proxy Server -> Audin: INVITE
Audin -> Proxy Server: 180 Ringing
Proxy Server -> Russell: 180 Ringing
Audin -> Proxy Server: 200 OK
Proxy Server -> Russell: 200 OK
Russell -> Audin: ACK
Russell <-> Audin: Media Session
BYE (sent by the party ending the call)
200 OK
SIP Trunk Benefits
• Flexible provisioning
• Provider competition and enterprise leverage
• Eliminate VoIP gateways
• Reduced conferencing costs
• Low cost or free international calling
• On-Net free calling
SIP Trunk Connections
(Figure elements: Legacy PBX, VoIP Gateway, SBC, SIP Service Provider, T1/E1/PRI connections, SBC, IP PBX, PSTN; both PBX types reach the SIP Service Provider through an SBC, the Legacy PBX by way of a VoIP Gateway.)
SIP Trunk Providers
• Can connect using vendor specific versions of SIP trunk software
• Standard SIP trunk connection is via SIPconnect (not a standard but an agreed upon recommendation from the SIP Forum http://www.sipforum.org/sipconnect)
• SIPconnect version 1.1 is the latest one
• May limit the media carried:
o Voice only
o Video maybe
o Secure connections maybe
o Fax maybe
o 911 and E911 information maybe
Session Border Controllers
• A firewall rule set that also maps layer 5 to layer 7 addresses
• Intrusion detection and prevention
• Denial-of-service (DoS) attack prevention
• VPN separation for shared resources
• SIP over Transport Layer Security (TLS) handshaking for authentication and encryption of SIP signaling
• Secure Real-time Transport Protocol (SRTP) support
• Support for IPsec tunnels
• Transcoding, or conversion between different VoIP codec technologies
SIP Voice Bandwidth
Many providers recommend 20% extra for other overhead and control traffic
24
SIP Licenses for Trunking
• Needed for IP PBX and SBC
• Not required for provider trunks
• One license (session) can be one voice call or one video call
• Once purchased they are perpetual
• Cannot be reduced once purchased
• Some high end SBCs come with unlimited licenses
• Upper limit is usually hardware based
• Call establishment rate, calls/second, usually not specified in license agreements
Where Are the Problems?
“The SIP Survey 2012” by The SIP School, 2013 Survey Due In June
26
SIP Trunk Issues
• Firewall problems:
o Can block SIP packets
o Cannot translate IP packet addresses
• TCP may be used instead of UDP
• One way audio
• Dropped connections
• Call transfer failure
• Registration failure
State of SIP
• Relatively easy to implement
• Has gained considerable vendor and provider acceptance
• Allows flexible service creation
• Extensible and scalable
• Wide range of supporting products and services
• Does not make PSTN interworking easy
• Will not solve all IP Telephony issues such as QoS
Resources
• Online education and certification: www.thesipschool.com
• IAUG Converge2013 sessions
o “Sizing SIP Trunks” Tuesday, June 4, 3:30 PM
o “SIP Trunk Implementation Problems and Resolutions” Wednesday, June 5, 2 PM
• “Ten SIP Trunk Equipment License Issues That Can Ruin Your Day (or Month)” http://www.webtorials.com/content/2013/03/ten-sip-trunkequipment-license-issues-that-can-ruin-your-day-or-month.html
• “Avoiding SIP Trunking Equipment Problems” http://www.webtorials.com/content/2013/02/avoiding-sip-trunkingequipment-problems.html
• “How to avoid SIP Trunk Implementation Problems” http://www.webtorials.com/content/2013/01/how-to-avoid-sip-trunkimplementation-problems-1.html
• “Easy SIP Trunking; Not Yet” http://www.telecomreseller.com/2011/09/19/easy-sip-trunking-not-yet/
FINI
Gary Audin
[email protected]
VN 703 908 0965
www.telecomreseller.com
30