Developing secure multi lateral peer to peer sip applications
Download
1 / 31

Developing Secure, Multi-lateral Peer to Peer SIP Applications - PowerPoint PPT Presentation


  • 106 Views
  • Uploaded on

Developing Secure, Multi-lateral Peer to Peer SIP Applications. [email protected] V. V. Market Problem. Terminating Domain ?. Routing. Access Control. Accounting. Originating Domain. PSTN. Settlement. €£¥$ call. Ethernet Switch. Router. PSTN. Internet or IP Network.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Developing Secure, Multi-lateral Peer to Peer SIP Applications' - ira


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Developing secure multi lateral peer to peer sip applications

Developing Secure, Multi-lateralPeer to Peer SIP Applications

[email protected]


Market problem

V

V

Market Problem

Terminating

Domain

?

Routing

Access Control

Accounting

Originating

Domain

PSTN

Settlement

€£¥$ call

Ethernet

Switch

Router

PSTN

Internet or

IP Network

PSTN

PSTN

Service Provider POP


Current status of peering
Current Status of Peering

  • Ad hoc bilateral peering arrangements

  • ENUM provides a solution for peer to peer route discovery But how to handle?

    • Inter-domain Access control

    • Accounting

    • Settlement disputes

    • Backwards compatibility with Operations and Billing Support Systems for H.323 networks

    • Evolution to new services


Benefits of secure multi lateral peering
Benefits of secure multi-lateral peering

  • Efficient peer to peer communications eliminates signaling bottlenecks

  • Access control is greatly simplified

    • IP access lists are eliminated

    • Asymmetric key management is simpler and more secure than shared secrets

  • Eliminates costly overhead of managing many bilateral interconnect agreements


Solution open settlement protocol
Solution: Open Settlement Protocol

  • Open Settlement Protocol (OSP):

    • Global standard for inter-domain transaction authorization and usage reporting.

    • Developed by ETSI in 1998, now in version 4.1.1

    • Based on existing standards

    • Uses Asymmetric Public Key Infrastructure (PKI) services for non-repudiation of transactions

    • Broad support: Asterisk, SER, Cisco, Alcatel, Radvision, UTStarcom, Mediaring, ISDN Communications, Veraz, Vovida, Teles

    • Protocol Independent

      • Works with SIP, H.323, SMS, MMS, IAX …


Overview i how osp works

OSP Server

Authentication

Authorization

Token

IP Network

Domain A

Domain B

SIP INVITE with Token

RTP

Overview I - How OSP Works

  • Route discovery

  • Inter-domain access control


Overview ii how osp works

OSP Server

Accounting:

Encrypted CDR

Accounting:

Encrypted CDR

IP Network

Domain A

Domain B

Overview II - How OSP Works

  • CDR collection


The basics of public key cryptosystems
The Basics of Public-key Cryptosystems

Security services between parties rely on exchange of public keys and security of private keys.

Critical Points:

  • Public / Private keys used for encryption / decryption and digital signatures

  • Public keys are public – easy to distribute

  • A digital certificate signed by a trusted 3rd party ensures the public-key is legitimate

  • Digital signatures provide data integrity, authentication and non-repudiation

  • Certificates may be chained from a root authority


Establishing pki security services

Sign with

CA private

key

Certificate

VoIP Device

Information

VoIP Device

Public Key

Certified by

Cert. Authority

CA Signature

Establishing PKI Security Services

SIP Device

Certificate Authority (CA)

for Peer to Peer

Authorization

(OSP Server)

Client Device requests public-key and

certificate from CA

CA sends its public key

and its certificate

Client Device sends certificate

request to CA

CA returns signed certificate


Source peer authentication

Authorization

Request

Source Peer Authentication

OSP Server

  • Routing request to OSP Server is digitally signed with VoIP device’s private key.

  • OSP server verifies client signature with client’s public key to authenticate routing request.

IP Network

Carrier A


Inter domain access control

SIP INVITE with Token

Inter-Domain Access Control

OSP Server

Authorization

Response with

Token

  • OSP Server digitally signs authorization token

  • Authorization token included in SIP Invite

  • Domain B has no trusted relationship with Domain A, but verifies digital signature with CA public key

  • Carrier can retain digital signature for non-repudiation

IP Network

Domain A

Domain B


Authorization token
Authorization Token

  • Destination

    • IP address, domain name, sip uri, tel uri, E164, trunk group

  • Destination Protocol

    • SIP, Q931, H323-LRQ, IAX, other

  • Transaction ID

  • Service Type, Bandwidth, Number of Channels

  • Call ID, Session ID, MultiSession ID

  • Valid after – Valid Until

  • Authorized amount

    • Seconds, packets, bytes, pages, call, session, price, currency

  • Authority URL


Secure accounting

OSP Server

Usage Indication:

Encrypted CDR

Usage Indication:

Encrypted CDR

IP Network

Domain A

Domain B

Secure Accounting

  • Domains A and B encrypt CDRs with CA public key

  • OSP Server decrypts CDR with CA private key

  • For auditing, OSP Server can request in real time that a domain digitally sign a batch of CDRs


Capabilities pricing messages
Capabilities & Pricing Messages

  • OSP enables clients to update OSP server database in real time.

  • Capabilities Exchange messages can be used

    • To indicate service features available

    • To indicate bandwidth or channel available

    • To indicate presence

  • Pricing Indication is used to provide rate changes

    • for services (voice, fax, message, video …)

    • based on seconds, pages, bytes, packets and currency


Examples of osp peering
Examples of OSP Peering

  • Enterprise VoIP VPN

  • Wholesale Inter-Carrier VoIP Services

  • Tiered Peering

  • Dundi Settlement Clearinghouse


Enterprise voip network
Enterprise VoIP Network

1. Centralized routing

2. Secure inter-office access control

1. Centralized routing

2. Secure inter-office access control

3. Centralized accounting

4. Autonomous local operation

5. Minimum bandwidth

1. Centralized routing

2. Secure inter-office access control

3. Centralized accounting

4. Autonomous local operation

1. Centralized routing

2. Secure inter-office access control

3. Centralized accounting

1. Centralized routing

  • Requirements:

2. Secure inter-office access control

4. Autonomous local operation

3. Centralized accounting

5. Minimum bandwidth

1. Centralized routing

Branch

Office

Internet

Headquarters

Manufacturing

Sales

Office

Call

Center


Enterprise voip vpn

OSP

Server

Internet

VoIP VPN

Enterprise VoIP VPN

1. Centralized routing

2. Secure inter-office access control

3. Centralized accounting

4. Autonomous local operation

5. Minimum bandwidth

1. Centralized routing

2. Secure inter-office access control

1. Centralized routing

2. Secure inter-office access control

3. Centralized accounting

4. Autonomous local operation

1. Centralized routing

2. Secure inter-office access control

3. Centralized accounting

1. Centralized routing

  • OSP peering architecture provides secure VoIP VPN

Branch

Office

Internet

Headquarters

Manufacturing

Sales

Office

Call

Center


Wholesale inter carrier services
Wholesale Inter-Carrier Services

  • Challenge: How to manage interconnect access and billing among thousands of ITSP peers

Internet


Wholesale inter carrier services1
Wholesale Inter-Carrier Services

  • Conventional solution is to route all calls via a softswitch or session border controller.

Internet


Wholesale inter carrier services2

OSP

Server

OSP

Server

OSP

Server

Wholesale Inter-Carrier Services

  • Direct peering with OSP is more scalable, more reliable, better QoS, less bandwidth, lower cost.

Route

Lookup

Internet


Wholesale inter carrier services3

OSP

Server

OSP

Server

OSP

Server

Dest.

CDR

Source

CDR

Wholesale Inter-Carrier Services

  • Call Detail Collection from both the source and destination eliminates settlement disputes

Internet


Tiered peering

OSP

Server

OSP

Server

OSP

Server

OSP

Server

OSP

Server

OSP

Server

4. Auth.

Response

2. Auth.

Request

3. Auth.

Response

SIP INVITE with token

for Purple network

1. Auth.

Request

Tiered Peering

  • OSP enables secure peering among multiple peering networks.

Internet

Purple

Peering

Network

Yellow

Peering

Network


Tiered peering cdr reporting

OSP

Server

OSP

Server

OSP

Server

OSP

Server

OSP

Server

OSP

Server

Dest.

CDR

Source

CDR

Dest.

CDR

Source

CDR

Tiered Peering CDR Reporting

  • Top tier peering networks receive Call Detail Records from both source and destination peers.

Internet

Purple

Peering

Network

Yellow

Peering

Network


Dundi
DUNDi

  • Distributed Universal Number Discovery

  • Based on General Peering Agreement

  • No Settlement


Dundi clearinghouse

Token

Request

OSP

Server

DUNDi Clearinghouse

  • DUNDi nodes enroll with CA

  • Route and rate discovery with DUNDi

  • Source submits route & rate to clearinghouse for digitally signed token

  • DUNDi nodes enroll with CA

  • DUNDi nodes enroll with CA

  • Route and rate discovery with DUNDi

rate / minute?

2¢ / minute!


Dundi clearinghouse1

CDR

CDR

OSP

Server

DUNDi Clearinghouse

  • SIP INVITE includes signed token

  • Destination validates rate in token

  • CDRs sent to clearinghouse

SIP INVITE with token


Dundi clearinghouse2

OSP

Server

DUNDi Clearinghouse

CDR

CDR

  • Clearinghouse performs settlement billing

$


Details of osp

Open Settlement Protocol

XML Presentation

HTTP V1.0

SSL / TLS

TCP port 80

TCP port 443

IP

Details of OSP

  • An OSP server is a web server

  • Message Formats

    • Multipurpose Internet Mail Extensions (MIME)

    • eXtensible Markup Language (XML)

    • Secure MIME

  • Communication Protocols


  • Osp message example
    OSP Message Example

    HTTP/1.1 200 OK

    Server: IP address of OSP server

    Date: Thu, 12 May 2005 18:32:59 GMT

    Connection: Keep-Alive

    Keep-Alive: timeout=3600, max=5000

    Content-Length: 1996

    Content-Type: text/plain

    <?xml version='1.0'?>

    <Message messageId='11703738491' random='21655'>

    <AuthorizationResponse componentId='11703738490'>

    <Timestamp>2005-05-12T18:32:59Z</Timestamp>

    <TransactionId>4785098287068543017</TransactionId>

    <Destination>

    <CallId encoding='base64'>MTExNTkxOTE3Ny45</CallId>

    <DestinationInfo type='e164'>Called Number</DestinationInfo>

    <DestinationSignalAddress>[IP Address:Port]</DestinationSignalAddress>

    HTTP Header

    OSP Message


    Osp message example cont
    OSP Message Example (cont.)

    Unique Transaction ID per call

    <AuthorizationResponse componentId='11703738490'>

    <Timestamp>2005-05-12T18:32:59Z</Timestamp>

    <TransactionId>4785098287068543017</TransactionId>

    <Destination>

    <CallId encoding='base64'>MTExNTkxOTE3Ny45</CallId>

    <DestinationInfo type='e164'>Called Number</DestinationInfo>

    <DestinationSignalAddress>[IP Address: Port]</DestinationSignalAddress>

    <UsageDetail>

    <Amount>14400</Amount>

    <Unit>s</Unit>

    </UsageDetail>

    <ValidAfter>2005-05-12T18:27:59Z</ValidAfter>

    <ValidUntil>2005-05-12T18:37:59Z</ValidUntil>

    <DestinationProtocol>sip</DestinationProtocol>

    <SourceInfo type='e164'>Calling Number</SourceInfo>

    <Token encoding='base64'>

    Vj0xCnI9MjE2NTUKYz0KQz03Nzc3Nzc3Nzc3Cmk9TVRFeE5Ua3hPVEUzTnk0NQphPT

    IwMDUtMDUtMTJUMTg6Mjc6NTlaCnU9MjAwNS0wNS0xMlQxODozNzo1OVoKST00Nz

    Call ID from source device

    Called Number may be translated

    Call authorized for 14440 seconds

    IP Address of Called Number

    Call authorized to start in 10 minute window

    Protocol may be SIP, H323, IAX, …

    Digital signature of token ensures non-repudiation


    Open source tools
    Open Source Tools

    • www.SIPfoundry.org

      • OSP Toolkit (client)

      • OpenOSP Server (based on Apache)

      • RAMS OSP Server

    • www.Asterisk.org

      • Asterisk includes OSP client

    • OSP Module for SIP Express Router

      • http://osp-module.berlios.de

    • www.voxgratia.org

      • OSP enabled H323 proxy (future support for SIP)

    • www.TransNexus.com

      • OSPrey – free OSP server


    ad