OSSIR, November 2010 emil.ivov@sip-communicator.org 1/45

Similar documents
NAT and Firewall Traversal. VoIP and MultiMedia /77

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

Voice over IP (SIP) Milan Milinković

VoIP and NAT/Firewalls: Issues, Traversal Techniques, and a Real-World Solution

Adaptation of TURN protocol to SIP protocol

VoIP LAB. 陳 懷 恩 博 士 助 理 教 授 兼 所 長 國 立 宜 蘭 大 學 資 訊 工 程 研 究 所 TEL: # 255

NAT Traversal in SIP. Baruch Sterman, Ph.D. Chief Scientist David Schwartz Director, Telephony Research

NTP VoIP Platform: A SIP VoIP Platform and Its Services

SIP: Session Initiation Protocol. Copyright by Elliot Eichen. All rights reserved.

SIP OVER NAT. Pavel Segeč. University of Žilina, Faculty of Management Science and Informatics, Slovak Republic

SIP Basics. CSG VoIP Workshop. Dennis Baron January 5, Dennis Baron, January 5, 2005 Page 1. np119

Voice over IP & Other Multimedia Protocols. SIP: Session Initiation Protocol. IETF service vision. Advanced Networking

IP Office Technical Tip

An outline of the security threats that face SIP based VoIP and other real-time applications

TECHNICAL SUPPORT NOTE. 3-Way Call Conferencing with Broadsoft - TA900 Series

Multimedia Communication in the Internet. SIP: Advanced Topics. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS

SIP ALG - Session Initiated Protocol Applications- Level Gateway

Media Gateway Controller RTP

Configuring SIP Support for SRTP

Part II. Prof. Ai-Chun Pang Graduate Institute of Networking and Multimedia, Dept. of Comp. Sci. and Info. Engr., National Taiwan University

Three-Way Calling using the Conferencing-URI

The SIP School- 'Mitel Style'

Denial of Services on SIP VoIP infrastructures

Mobicents 2.0 The Open Source Communication Platform. DERUELLE Jean JBoss, by Red Hat 138

VoIP Security. Seminar: Cryptography and Security Michael Muncan

SIP: NAT and FIREWALL TRAVERSAL Amit Bir Singh Department of Electrical Engineering George Washington University

Application Note. Onsight Connect Network Requirements V6.1

NTP VoIP Platform: A SIP VoIP Platform and Its Services 1

ARCHITECTURES TO SUPPORT PSTN SIP VOIP INTERCONNECTION

Voice over IP Communications

SIP Security. ENUM-Tag am 28. September in Frankfurt. Prof. Dr. Andreas Steffen. Agenda.

Application Note. Onsight Connect Network Requirements v6.3

NAT Traversal for VoIP

QuickSpecs. Models. Features and benefits Configuration. HP VCX x3250m2 IP Telecommuting Module. HP VCX x3250m2 IP Telecommuting Module Overview

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

Transparent weaknesses in VoIP

NAT Traversal for VoIP. Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University

Cisco Expressway Series

Network Convergence and the NAT/Firewall Problems

Internet Voice, Video and Telepresence Harvard University, CSCI E-139. Lecture #5

How To Use Sip On A Pc Or Mac Or Ipod (For A Premium) For Free On A Sim Sims Or Ipo (For Free) For A Long Distance Connection (For Psp) For Your Ipo Or Ipos

Overview of VoIP Systems

TECHNICAL CHALLENGES OF VoIP BYPASS

Technical Bulletin 25751

Internet Working 15th lecture (last but one) Chair of Communication Systems Department of Applied Sciences University of Freiburg 2005

ENUM: Migrating to VoIP. P2P Voice Applications

Session Initiation Protocol (SIP)

Cisco EXAM Implementing Cisco IP Telephony and Video, Part 2 (CIPTV2) Buy Full Product.

VoIP. What s Voice over IP?

SIP and ENUM. Overview DENIC. Introduction to SIP. Addresses and Address Resolution in SIP ENUM & SIP

SIP Session Initiation Protocol Nicolas Montavont

IP-Telephony SIP & MEGACO

Anat Bremler-Barr Ronit Halachmi-Bekel Jussi Kangasharju Interdisciplinary center Herzliya Darmstadt University of Technology

SIP Security Controllers. Product Overview

Kommunikationsdienste im Internet Möglichkeiten und Risiken

AGILE SIP TRUNK IP-PBX Connection Manual (Asterisk)

VoIP some threats, security attacks and security mechanisms. Lars Strand RiskNet Open Workshop Oslo, 24. June 2009

Application Notes for IDT Net2Phone SIP Trunking Service with Avaya IP Office Issue 1.0

Firewall Support for SIP

Session Initiation Protocol (SIP) Vulnerabilities. Mark D. Collier Chief Technology Officer SecureLogix Corporation

EE4607 Session Initiation Protocol

Mobile P2PSIP. Peer-to-Peer SIP Communication in Mobile Communities

Based on the VoIP Example 1(Basic Configuration and Registration), we will introduce how to dial the VoIP call through an encrypted VPN tunnel.

Dial91 iphone User Guide

A Comparative Study of Signalling Protocols Used In VoIP

Multimedia & Protocols in the Internet - Introduction to SIP

How To Implement A Cisco Vip From Scratch

NAT and Firewall Traversal with STUN / TURN / ICE

Internet Engineering Task Force (IETF) Request for Comments: 7088 Category: Informational February 2014 ISSN:

Session Initiation Protocol (SIP) 陳 懷 恩 博 士 助 理 教 授 兼 計 算 機 中 心 資 訊 網 路 組 組 長 國 立 宜 蘭 大 學 資 工 系 TEL: # 340

Formación en Tecnologías Avanzadas

SIP Trunk 2 IP-PBX User Guide Asterisk. Ver /08/01 Ver /09/17 Ver /10/07 Ver /10/15 Ver1.0.

Session Initiation Protocol and Services

Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling

Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, Eschborn, Germany

A P2P SIP Architecture - Two Layer Approach - draft-sipping-shim-p2p-arch-00.txt

ABC SBC: Mobile Subscriber Support. FRAFOS GmbH

Security Issues of SIP

Solving the Firewall/NAT Traversal Issue of SIP:

Adding Multi-Homing and Dual-Stack Support to the Session Initiation Protocol

What I am going to talk about. NAT IPSec and NAT Proxy, Reverse proxy P2P Firewall

NAT and Firewall Traversal with STUN / TURN / ICE

Manual. ABTO Software

FOSDEM 2007 Brussels, Belgium. Daniel Pocock B.CompSc(Melbourne)

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

internet technologies and standards

Request for Comments: August 2006

Avaya IP Office SIP Configuration Guide

SIP A Technology Deep Dive

Cisco CallManager configuration for BLU-103

Transcription:

OSSIR, November 2010 emil.ivov@sip-communicator.org 1/45

Real-time Communication Applications OSSIR, November 2010 emil.ivov@sip-communicator.org 2/45

Protocols sip & xmpp OSSIR, November 2010 emil.ivov@sip-communicator.org 3/45

The basics of IP telephony Registration network core (registrars, proxies, ) Address: B Port: Pb Authentication uses http-style digest MD5 challenges Content can protected with TLS but SIP often uses plain UDP XMPP almost always OK Address: A Port: Pa OSSIR, November 2010 emil.ivov@sip-communicator.org 4/45

Inter-Server Communication SIP: SMTP-like (no real limitation) inter-server communication XMPP: Requires TLS and use of certificates end-to-end encryption for IM uses OTR (Off The Record messaging) Address: B Port: Pb Address: A Port: Pa OSSIR, November 2010 emil.ivov@sip-communicator.org 5/45

The basics of IP telephony A sample call network core (registrars, proxies, ) Address: B Port: Pb Address: A Port: Pa OSSIR, November 2010 emil.ivov@sip-communicator.org 6/45

The basics of IP telephony A sample call network core (registrars, proxies, ) Address: B Port: Pb Address: A Port: Pa OSSIR, November 2010 emil.ivov@sip-communicator.org 7/45

The basics of IP telephony. network core (registrars, proxies, ) MEDIA over (S)RTP Address: B Port: Pb Address: A Port: Pa OSSIR, November 2010 emil.ivov@sip-communicator.org 8/45

Encrypting RTP SRTP provides tools for encrypting RTP flows Key management was commonly based on PKIs until ZRTP arrived with an alternative OSSIR, November 2010 emil.ivov@sip-communicator.org 9/45

Reality check! Are we forgetting something? OSSIR, November 2010 emil.ivov@sip-communicator.org 10/45

Standard use OSSIR, November 2010 emil.ivov@sip-communicator.org 11/45

Less standard usage: End to end services? OSSIR, November 2010 emil.ivov@sip-communicator.org 12/45

Session initialization with SIP and XMPP INVITE sip:barbara@b.com SIP/2.0 Via: SIP/2.0/UDP 10.43.122.3;branch=1 From: sip:alice@a.com;tag=4ad340f To: sip:barbara@b.com Contact: <sip:alice@10.43.122.3> Call-ID: 1874630@10.43.122.3 Cseq: 12442 INVITE v=0 o=user 14341433 14341433 IP4 10.43.122.3 s=. t=0 0 c=in IP4 10.43.122.3 m=audio 13222 RTP/AVP 0 a=rtpmap:0 PCMU/8000 <iq from='juliet@capulet.lit/balcony' id='hs81w639' to='romeo@montague.lit/orchard' type='set'> <jingle xmlns='urn:xmpp:jingle:1' action='session-accept' initiator='romeo@montague.lit/orchard' responder='juliet@capulet.lit/balcony' sid='a73sjjvkla37jfea'> <content creator='initiator' name='voice'> <description xmlns='urn:xmpp:jingle:apps:rtp:1' media='audio'> <payload-type id='18' name='g729'/> </description> <transport xmlns='urn:xmpp:jingle:transports:raw-udp:1'> <candidate component='1' generation='0' id='z7sdjb01hf' ip='208.68.163.214' port='9876'/> <candidate component='2' generation='0' id='hg92lsn10b' ip='208.68.163.214' port='9877'/> </transport> </content> </jingle> </iq> OSSIR, November 2010 emil.ivov@sip-communicator.org 13/45

And then s were born Call: To: B Media: Ap Call: To: B Media: Ap ERROR Private Address: Ap /Firewall Address: F Address: B OSSIR, November 2010 emil.ivov@sip-communicator.org 14/45

Internal host:port How do s work port 192.168.0.12 : 2368 8632 MSG: Dst: 130.79.200.22 : 80 Src: 192.168.0.12 : 2368 MSG: Dst: 130.79.200.22 : 80 Src: 212.50.2.18 : 8632 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 15/45

Internal host:port How do s work port 192.168.0.12 : 2368 8632 MSG: Dst: 192.168.0.12 : 2368 Src: 130.79.200.22 : 80 MSG: Dst: 212.50.4.18 : 8632 Src: 130.79.200.22 : 80 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 16/45

Internal host:port How do s work port 192.168.0.12 : 2368 8632 Endpoint-Independent Mapping Endpoint-Independent Filtering Address: 60.55.68.53 MSG: Dst: 192.168.0.12 : 2368 Src: 60.55.68.53 : 9595 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 17/45

Basic Firewall and Traversal STUN What are my address and port? Address: F Port: Pf STUN Server Address: Ap Port: Pa Address: F Address: B Call: To: B Media: F:Pf STUN Server Address: Ap Port: Pa Answer: To: A Media: B Address: B OSSIR, November 2010 emil.ivov@sip-communicator.org 18/45

How do s work Address (and port) dependent filtering Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) MSG: Dst: 130.79.200.22 : 80 Src: 192.168.0.12 : 2368 MSG: Dst: 130.79.200.22 : 80 Src: 212.50.2.18 : 8632 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 19/45

How do s work Address (and port) dependent filtering Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) MSG: Dst: 192.168.0.12 : 2368 Src: 130.79.200.22 : 80 MSG: Dst: 212.50.4.18 : 8632 Src: 130.79.200.22 : 80 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 20/45

How do s work Address (and port) dependent filtering Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) Endpoint-Independent Mapping Endpoint-Dependent Filtering Address: 60.55.68.53 STOP 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 21/45

How do s work Address (and port) dependent filtering Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) 60.55.68.53 (: 80) Address: 60.55.68.53 MSG: Dst: 60.55.68.53 : 80 Src: 192.168.0.12 : 2368 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 22/45

How do s work Address (and port) dependent filtering Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) Endpoint-Independent Mapping Endpoint-Dependent Filtering 60.55.68.53 (: 80) Address: 60.55.68.53 MSG: Dst: 192.168.0.12 : 2368 Src: 60.55.68.53 : 80 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 23/45

How do s work Endpoint dependent mapping Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) MSG: Dst: 130.79.200.22 : 80 Src: 192.168.0.12 : 2368 MSG: Dst: 130.79.200.22 : 80 Src: 212.50.2.18 : 8632 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 24/45

How do s work Endpoint dependent mapping Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) MSG: Dst: 192.168.0.12 : 2368 Src: 130.79.200.22 : 80 MSG: Dst: 212.50.4.18 : 8632 Src: 130.79.200.22 : 80 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 25/45

How do s work Endpoint dependent mapping Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) 192.168.0.12 : 2368 9391 60.55.68.53 (: 80) Address: 60.55.68.53 MSG: Dst: 60.55.68.53 : 80 Src: 192.168.0.12 : 2368 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 26/45

Internal host:port How do s work Endpoint dependent mapping port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) 192.168.0.12 : 2368 9391 60.55.68.53 (: 80) Endpoint-Dependent Mapping Endpoint-Dependent Filtering MSG: Dst: 192.168.0.12 : 2368 Src: 60.55.68.53 : 80 Address: 60.55.68.53 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 OSSIR, November 2010 emil.ivov@sip-communicator.org 27/45

Universal Plug and Play (UPnP) Designed for zero-configuration networking and to allow devices to: dynamically join a network and obtain an IP address announce its name advertise capabilities discover other devices and their capabilities Makes it easy to: www.upnp.org Learn the external (public) address of an internet gateway Enumerate existing port mappings Add and remove port mappings Assign lease times to mappings Standardized as a 73-part International Standard, ISO/IEC 29341, in December, 2008. OSSIR, November 2010 emil.ivov@sip-communicator.org 28/45

Relaying Media Symmetric /Firewall F1:P1 TURN Server Address: T Port: Pt Address: Ap Port: Pa Call: To: B Media: T:Pt Symmetric /Firewall F1:p2 Address: B OSSIR, November 2010 emil.ivov@sip-communicator.org 29/45

Relaying Media Symmetric /Firewall F1:P1 TURN Server Address: T Port: Pt Address: B Address: Ap Port: Pa Symmetric /Firewall F1:p2 OSSIR, November 2010 emil.ivov@sip-communicator.org 30/45

Relaying Media The SIP Way Latching /Firewall SIP Server Address: T Port: Pt Address: Ap Port: Pa Address: B OSSIR, November 2010 emil.ivov@sip-communicator.org 31/45

Relaying Media The SIP Way Latching /Firewall SIP Server Address: T Port: Pt Address: Ap Port: Pa Address: B OSSIR, November 2010 emil.ivov@sip-communicator.org 32/45

Relaying Media SIP clients behind a symmetric /firewall non-scalable expensive complex symmetric firewall Relay Server SIP clients behind a symmetric / firewall symmetric /firewall OSSIR, November 2010 emil.ivov@sip-communicator.org 33/45

Using P2P networks for Traversal p2p Custom P2P network p2p p2p symmetric firewall p2p p2p custom p2p relay clients p2p Skype among the first to implement the technique p2p P2PSIP set off to imitate Skype. No conclusive results after four years p2p symmetric firewall Jingle Nodes an interesting alternative that is worth keeping an eye on custom p2p clients OSSIR, November 2010 emil.ivov@sip-communicator.org 34/45

Could we please have IPv6 now? ok, it s probably high time we moved to IPv6 OSSIR, November 2010 emil.ivov@sip-communicator.org 35/45

Could we please have IPv6 now? this should simplify VoIP shouldn t it? OSSIR, November 2010 emil.ivov@sip-communicator.org 36/45

VoIP and IPv6 demo version network core (registrars, proxies, ) 2001:660::1 2001:660::2 OSSIR, November 2010 emil.ivov@sip-communicator.org 37/45

VoIP and IPv6 demo version network core (registrars, proxies, ) 2001:660::1 2001:660::2 OSSIR, November 2010 emil.ivov@sip-communicator.org 38/45

VoIP and IPv6 demo version network core (registrars, proxies, ) MEDIA 2001:660::1 2001:660::2 OSSIR, November 2010 emil.ivov@sip-communicator.org 39/45

Reality check! Reality check! OSSIR, November 2010 emil.ivov@sip-communicator.org 40/45

Reality check! VPN Priv: 172.16.0.0 Pub: 64.233.187.99 Stun Relay Server 212.50.4.12 2001:660::2 192.168.0.6 130.79.12.64 SIP network 216.109.112.135 s list of addresses: 2001:660::2 192.168.0.6 172.16.0.9 130.79.12.64 64.233.187.99 OSSIR, 212.50.4.12 November 2010 emil.ivov@sip-communicator.org 41/45

How to avoid relaying? Interactive Connectivity Establishment (ICE) An IETF RFC brought to you by Cisco s Jonathan Rosenberg OSSIR, November 2010 emil.ivov@sip-communicator.org 42/45

Address management with ICE VPN Priv: 172.16.0.0 Pub: 64.233.187.99 Stun Relay Server 212.50.4.12 192.168.0.6 130.79.12.64 SIP network 216.109.112.135 Please try me on any of s list of addresses: the following: 2001:660::2 2001:660::2 192.168.0.6 192.168.0.6 172.16.0.9 172.16.0.9 130.79.12.64 130.79.12.64 64.233.187.99 64.233.187.99 OSSIR, 212.50.4.12 November 2010 emil.ivov@sip-communicator.org 212.50.4.12 43/45

Address management with ICE ERROR ERROR VPN Priv: 172.16.0.0 Pub: 64.233.187.99 Stun Relay Server 212.50.4.12 172.16.0.9 192.168.0.6 130.79.12.64 SIP network 216.109.112.135 ERROR s list of addresses: 2001:660::2 192.168.0.6 ERROR 172.16.0.9 ERROR 130.79.12.64 64.233.187.99 2001:660::2 192.168.0.6 OSSIR, 212.50.4.12 November 2010 emil.ivov@sip-communicator.org 44/45

and Firewall Traversal OSSIR, November 2010 emil.ivov@sip-communicator.org 45/45

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information