Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

Transcription

1 Spirent Abacus SIP over TLS Test 编 号 版 本 修 改 时 间 说 明 1

2 1. TLS Interview (Transport Layer Security Protocol) (1) TLS Feature Introduction: 1. TLS is a successor of Secure Sockets Layer (SSL), a cryptographic protocol which provides transport-layer security over connection-oriented protocols (e.g., TCP) 2. TLS provides endpoint authentication and communications privacy over the Internet using cryptography, to Provide Security for SIP Signaling. 3. TLS is most suited to architectures in which hop-by-hop security is required between hosts with no pre-existing trust association 4. In typical use, only the server is authenticated (i.e. its identity is ensured), while the client remains unauthenticated; mutual authentication requires public key infrastructure (PKI) deployment to clients. 5. The protocol allows client/server applications to communicate in a way designed to prevent eavesdropping, tampering, and message forgery. 6. Based on RFC 2246: The TLS Protocol Version 1.0, specify the requirements and procedures to set up a secure channel before the actual transport is conducted (2) TLS involves a number of basic phases: 1. Peer negotiation for algorithm support 2. Public key encryption-based key exchange and certificate-based authentication 3. Symmetric cipher-based traffic encryption (3) 3 Main Algorithms Defined in TLS Security (Together they form the Cipher Suites in TLS) 1. Key Exchange 2. Encryption Algorithm (Cipher): For Encryption of the Message 3. Hash: For Message Integrity (4) Many Cipher Suites Described in the RFC Mandatory Cipher Suite (Implemented in Abacus), for example: TLS_DHE_DSS-WITH_3DES-EDE-CBC-SHA (5) Consists of two Layers: 1. TLS Handshake Layer: Allows Server and Client to authenticate each other and negotiate on the encryption algorithm and communication of Cipher Suite 2. TLS Record Layer: Encapsulation of Data from Higher Level Layers (6) Define two Entities: 1. Client: The entity which initiates Security Requests In a SIP Environment, SIP Phone can be a TLS client, which initiates the request for secure channel for SIP signaling. A SIP Proxy can also be a TLS client, if it requests the terminating end to initiate a secure SIP signaling using TLS 2. Server: The entity which responds to the Client. A SIP Proxy can be a TLS Server if it receives a Secure SIP signaling request from a SIP Phone (or from another SIP Proxy) A SIP Phone can be a TLS Server if it receives a Secure SIP signaling request from another SIP Phone or SIP Proxy. (7) SIP Related TLS Information: The Header Designation SIPS is used to signify the requirement of Secure SIP and Default Port Number is TCP

3 (8) TLS Handshaking (For initiation of a secure communication channels between a client and a server). 2. Implementation in Abacus (1) Support SIP only and SWF-3133 TLS option is needed. (2) Two configurations for TLS feature in Abacus GUI: Step1. Mainly in SUT, Need to choose the TLS to allow the rest of the configuration works. 3

4 Note: 1. Validate Any Certificate: When this box is checked, the incoming host certificate will always be approved. 2. TRM emulates TLS Server: When this box is checked, all terminate phones will act as TLS servers, even if a proxy is used. (If this box is not checked, terminate phones will act as TLS clients when a proxy is used.) 3. Certificate Chain Depth: This field defines the depth that an engine will consider legal in a certificate chain to which it is presented. Default is 5. To change this number, type in the box, or use the up/down arrows to move to the desired number. 4. Supported Version: This pull-down list selects the version of the security protocol the SUT supports (TLS 1.0, SSL 2.0, or SSL 3.0). Default is TLS 1.0. Step2. Open Call sequence/ Partition and Timing/ Phones& endpoints Panel, choose corresponding CA Certificate. Note: 1. If TLS transport is chosen and proxy server is used, calling parties (originating) and Called (terminating) parties will behave as TLS clients. 2. If not using proxy, and transport method is TLS, Calling parties will behave as TLS clients, Called parties will behave as TLS servers and Abacus uses it s own hardcoded certificate in this scenario. 4

5 3. DEMO on Abacus. (1) In this demo one SIP endpoint will act as TLS client (originating endpoint) and TLS server (terminating endpoint). (2) Demo Configure Steps: Step1: Make configurations in Configure/protocol selection Window: 5

6 Step2: Make configurations in Configure/Channels/Path Confirm Panel: Step3: Make Configurations in Call Sequence / Partition & Timing. 6

7 Set call load and pick your script for originator and terminator. Configure the endpoint for originator and terminator and choose the CA Certificate Here. 7

8 Step4: Choose TLS / UDP and TRM emulates TLS Server in this Demo. Note: you don t have to enable Proxy or Registrar if you are not testing Proxy Servers. If you are testing Proxy servers, then Proxy can be TLS server. In this Demo, we don t need to enable Proxy. Step5: Run this Demo Test. 8

9 (3) Test Result: 1. Error message in Abacus if TLS fails to set up. 2. Variance, Statistics and Channel Status result, as follow: 9

10 3. Signal Trace Monitor result: 10