
An introduction to SIP
Simon Millard
Professional Services Manager
Aculab
January 23-26, 2007• Ft. Lauderdale, Florida
An introduction to SIP
• Agenda
– SIP concepts
– Media
– SIP signalling
– NAT traversal
– Security
SIP concepts
• SIP is the Session Initiation Protocol
– Its job is to set up a session (maybe a phone call) between two or more users
SIP concepts
• SIP’s view of the network is the same as the Internet’s
– Intelligence at the edge
– Re-use of proven devices and concepts
• There is the ability to negotiate supported features
– Can set up any type of media
• SIP separates media from signalling
Media
For IP telephony we are concerned with RTP
[Protocol stack diagram: RTP (carrying the CODECs) and RTCP, over UDP, over IP, over Ethernet, optical, radio, …]
Media
• More data is sent than in a TDM call
[Packet layout diagram: ETH | IP | UDP | RTP | AUDIO | CHK]
• Silence elimination
– CNG
– VAD
Media compression
• The rain in Spain falls mainly on the plain
– Lossless
• $ r# in Sp# falls m#ly on $ pl#
– $ = the, # = ain
– Lossy
• Th rn n Spn flls mnly n th pln
SIP signalling
• Coded in ASCII
• Verbs (methods) and responses
– INVITE: initiate a session
– ACK: confirm session established
– BYE: terminate a session
– CANCEL: cancel a pending INVITE
– REGISTER: bind an address to a location
– ++
SIP signalling
• Responses – as per HTTP
• 1xx information
– 100 trying, 180 ringing
• 2xx success
– 200 OK
• 3xx redirection
– 300 multiple choices
• 4xx client error
– 404 not found
• 5xx server failure
• 6xx global failure
SIP signalling
• Media for the session is described by the SDP (session description protocol)
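The ASCII request/response format, the HTTP-style response classes and the SDP body from the slides above, as an added Python example (not from the slides or from Aculab): a minimal SIP message parser that classifies the start line, collects headers, refuses a body whose length disagrees with Content-Length, and pulls the media lines out of an SDP body. The sample INVITE, its addresses and Call-ID are constructed.

```python
# Added example: a minimal parser for the ASCII SIP messages described on these slides.
RESPONSE_CLASSES = {1: "information", 2: "success", 3: "redirection",
                    4: "client error", 5: "server failure", 6: "global failure"}

def parse_sip(raw: str) -> dict:
    """Split a SIP message into start line, headers and body; reject inconsistent lengths."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    msg = {"headers": {}, "body": body}
    parts = lines[0].split(" ", 2)
    if parts[0] == "SIP/2.0":                           # response: SIP/2.0 <code> <reason>
        code = int(parts[1])
        msg.update(kind="response", status=code, reason=parts[2],
                   status_class=RESPONSE_CLASSES.get(code // 100, "unknown"))
    elif len(parts) == 3 and parts[2] == "SIP/2.0":     # request: <METHOD> <URI> SIP/2.0
        msg.update(kind="request", method=parts[0], uri=parts[1])
    else:
        raise ValueError(f"malformed start line: {lines[0]!r}")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        msg["headers"][name.strip().lower()] = value.strip()
    # Content-Length counts octets; a mismatch means a truncated or smuggled body, so refuse it.
    declared = int(msg["headers"].get("content-length", len(body.encode())))
    if declared != len(body.encode()):
        raise ValueError("Content-Length does not match body")
    if msg["headers"].get("content-type") == "application/sdp":
        msg["media"] = [l[2:] for l in body.split("\r\n") if l.startswith("m=")]
    return msg

# Constructed sample INVITE with an SDP body offering G.711 audio (not from the slides).
SDP_BODY = ("v=0\r\n"
            "o=alice 2890844526 2890844526 IN IP4 192.168.0.102\r\n"
            "s=call\r\n"
            "c=IN IP4 192.168.0.102\r\n"
            "t=0 0\r\n"
            "m=audio 49170 RTP/AVP 0 8\r\n")
SAMPLE_INVITE = ("INVITE sip:bob@b.com SIP/2.0\r\n"
                 "Via: SIP/2.0/UDP 192.168.0.102:5060;branch=z9hG4bK776\r\n"
                 "From: <sip:alice@a.com>;tag=1928301774\r\n"
                 "To: <sip:bob@b.com>\r\n"
                 "Call-ID: a84b4c76e66710\r\n"
                 "CSeq: 1 INVITE\r\n"
                 "Content-Type: application/sdp\r\n"
                 f"Content-Length: {len(SDP_BODY)}\r\n"
                 "\r\n" + SDP_BODY)
SAMPLE_407 = "SIP/2.0 407 Proxy Authentication Required\r\nContent-Length: 0\r\n\r\n"
```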
Signalling – UAs
• SIP based on UAs (User Agents)
– UAC initiates requests
– UAS responds to requests
[Diagram: UAC sends a request for sip:[email protected] to the UAS, which returns the response]
Signalling – Proxies
• Route signalling
– Do not initiate requests or responses
– Pass through unknown messages unchanged
– Stateless or stateful
[Diagram: request for sip:simon@work routed via the Aculab Proxy]
Signalling – Registrars
• Allow a SIP device to dynamically register a location
– This allows them to be contactable when mobile
[Diagram: REGISTER for sip:[email protected] sent from 192.168.0.102 to the Aculab Registrar, which stores it in the location database]
Signalling – Redirect Servers
• Respond to a request by redirecting it to another device
[Diagram: a request for sip:[email protected] reaches the Aculab Redirect Server, which answers "moved to sip:[email protected]" (registered from xx.xx.xx.xx); the request is then re-sent to sip:[email protected] at 192.168.0.102]
Signalling – B2BUA
• A back-to-back User Agent is somewhat similar to a Proxy, but terminates and initiates SIP signalling
[Diagram: UA <-> B2BUA <-> UA]
Putting it all together
[Call flow diagram: proxy.a.com asks the DNS server for the SIP SRV record of b.com and gets proxy.b.com; the INVITE goes from the caller to proxy.a.com, on to proxy.b.com, which asks the location server "simon?" and gets [email protected]:5060, and on to the callee; RTP then flows directly between the endpoints; BYE ends the session]
NAT traversal
• Network Address Translation
– IP-Masquerading
• Source and/or destination addresses re-written
• Most widely used to allow multiple hosts on a private network to access the Internet from a single public IP address
• Solved the IP address shortage of IPv4
NAT traversal
• NAT binding is created by the NAT to map a private to a public address
• Binding lifetime
– Period of time for which the binding remains open
– Binding will be closed if there is no traffic for a period of time
NAT traversal
• Full cone
[Diagram: Client behind the NAT, Server A and Server B on the public side]
• Internal IP address and port mapped one-to-one to external IP address and port
• External host can reach internal by sending to IP:port
NAT traversal
• Restricted cone
[Diagram: Client behind the NAT, Server A and Server B on the public side]
• Internal IP:port mapped one-to-one to external IP:port
• External host can reach internal client only if traffic has already been sent to it
NAT traversal
• Port restricted
[Diagram: Client behind the NAT, Server A and Server B on the public side]
• External host can reach internal port only if traffic has already been sent to it from that port
NAT traversal
• Symmetric
[Diagram: Client behind the NAT, Server A and Server B on the public side]
• Requests from an internal IP:port are mapped to a unique external IP:port
• Only a host which receives a packet can send packets back
NAT traversal
• STUN
[Diagram: Client behind the NAT, STUN server on the public side]
• STUN is a client/server protocol
• Client sends request to STUN server which responds with the IP address of the NAT and the port which was opened for the request
NAT traversal
• STUN works with full cone, restricted cone and port restricted NATs
• Will not work with symmetric NAT
– IP address of the STUN server is different to that of the destination endpoint
• Peers communicate discovered IP:port information
– In a full cone, any endpoint can initiate the session
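The four NAT types and the STUN limitation on the slides above, as an added Python example (not from the slides or from Aculab): a small model of each NAT's binding and filtering rule, with constructed RFC 5737 documentation addresses, showing why a STUN-discovered mapping is reachable behind the cone types once the client has sent to its peer, why only a full cone lets the peer send first, and why the mapping is useless behind a symmetric NAT.

```python
from dataclasses import dataclass, field

# Constructed addresses from the RFC 5737 documentation ranges (not from the slides).
CLIENT = ("192.168.0.102", 5060)        # behind the NAT
STUN_SERVER = ("198.51.100.1", 3478)
PEER = ("198.51.100.2", 5060)           # the other SIP endpoint, on the public side

@dataclass
class NAT:
    """Models the four NAT types from the slides by their binding and filtering rules."""
    kind: str                                      # full | restricted | port_restricted | symmetric
    public_ip: str = "203.0.113.5"
    next_port: int = 40000
    bindings: dict = field(default_factory=dict)   # binding key -> external port
    sent_to: set = field(default_factory=set)      # (ext_port, dst_ip, dst_port) seen outbound

    def outbound(self, src, dst):
        """Internal src sends to dst; returns the external (ip, port) the packet leaves with."""
        # Symmetric NAT allocates a new binding per destination; the cone types reuse one per src.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.bindings:
            self.bindings[key], self.next_port = self.next_port, self.next_port + 1
        ext_port = self.bindings[key]
        self.sent_to.add((ext_port, dst[0], dst[1]))
        return self.public_ip, ext_port

    def inbound(self, src, ext_port):
        """External src sends to public_ip:ext_port; True if the NAT forwards it inside."""
        if ext_port not in self.bindings.values():
            return False                                   # no binding was ever opened for this port
        if self.kind == "full":
            return True                                    # anyone may use the mapping
        if self.kind == "restricted":
            return any(p == ext_port and ip == src[0] for p, ip, _ in self.sent_to)
        return (ext_port, src[0], src[1]) in self.sent_to  # port restricted / symmetric: exact match

def peer_initiates(kind):
    """STUN discovery only, then the peer sends first (the 'any endpoint can initiate' case)."""
    nat = NAT(kind)
    mapping = nat.outbound(CLIENT, STUN_SERVER)   # what the STUN response reports back
    return nat.inbound(PEER, mapping[1])

def client_sends_first(kind):
    """STUN discovery, client sends to the peer, then the peer replies to the discovered mapping."""
    nat = NAT(kind)
    mapping = nat.outbound(CLIENT, STUN_SERVER)
    nat.outbound(CLIENT, PEER)                    # symmetric NAT opens a different port here
    return nat.inbound(PEER, mapping[1])
```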
Security
• SIP signalling
– Digest authentication, based on knowledge of a shared secret
[Message ladder between Caller, Proxy and Callee]
Caller -> Proxy: INVITE w/o credentials
Proxy -> Caller: 407 proxy authentication required
Caller -> Proxy: INVITE w/ credentials
Proxy -> Caller: 100 trying
Proxy -> Callee: INVITE w/ credentials
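The digest exchange on this slide, as an added Python example (not from the slides or from Aculab): the proxy answers the first INVITE with a 407 carrying a fresh nonce, the caller computes the RFC 2617 digest from the shared secret, and the proxy recomputes it from its own copy of the secret, compares in constant time and spends the nonce so a captured Proxy-Authorization header cannot be replayed. The realm, user, password and URI are constructed.

```python
import hashlib, re, secrets

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 digest as SIP uses it: MD5(HA1 : nonce : nc : cnonce : qop : HA2)."""
    ha1 = md5hex(f"{user}:{realm}:{password}")      # the shared secret only ever appears here
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_digest(header):
    """Pull name=value pairs (quoted or bare) out of a Digest header."""
    return dict(re.findall(r'(\w+)="?([^",]+)"?', header))

class Proxy:
    """Constructed proxy: holds the shared secrets, issues nonces, verifies INVITEs."""
    def __init__(self, realm, users):
        self.realm, self.users, self.nonces = realm, users, set()

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}", qop="auth"'

    def handle_invite(self, headers):
        """Status the proxy returns: 407 until valid credentials arrive, then 100 Trying."""
        p = parse_digest(headers.get("Proxy-Authorization", ""))
        user, nonce = p.get("username"), p.get("nonce")
        if user not in self.users or nonce not in self.nonces:
            return 407                     # unknown user, or a nonce we never issued / already spent
        expected = digest_response(user, self.users[user], self.realm, "INVITE",
                                   p.get("uri", ""), nonce, p.get("nc", ""), p.get("cnonce", ""))
        if not secrets.compare_digest(expected, p.get("response", "")):
            return 407
        self.nonces.discard(nonce)         # single-use nonce: a captured header cannot be replayed
        return 100

def caller_flow(proxy, user, password, uri="sip:bob@b.com"):
    """The slide's exchange: INVITE w/o credentials, 407, INVITE w/ credentials."""
    first = proxy.handle_invite({})
    c = parse_digest(proxy.challenge())  # Proxy-Authenticate header carried in the 407
    nc, cnonce = "00000001", secrets.token_hex(8)
    resp = digest_response(user, password, c["realm"], "INVITE", uri, c["nonce"], nc, cnonce)
    auth = (f'Digest username="{user}", realm="{c["realm"]}", nonce="{c["nonce"]}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')
    return first, proxy.handle_invite({"Proxy-Authorization": auth}), auth
```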
Security
• SIP signalling
– TLS – Transport Layer Security
– Based on public key cryptography
• Client requests TLS session
• Server responds with public certificate
• Client verifies certificate
• Mutual exchange of session keys
• Send/receive application data using keys
– Can be used hop-by-hop
– SIPS requires TLS used end-to-end
Security
• Media
– Uses SRTP (secure RTP)
– AES encryption typically using 128 bit keys
– Assumes secure key exchange prior to the session running
• Most commonly used are MIKEY and SDES (SDES is carried within SDP, so the SIP session itself needs to be secured)
Summary
• Session Initiation Protocol leverages Internet technologies
• Signalling and media paths
• Other devices
• NAT traversal issues
• Security
Thank you
[email protected]
Visit Aculab on booth 1217