SIP, Session Initiation Protocol used in VoIP Page 1 of 9
Secure Computer Systems IDT658, HT2005 Karin Tybring Petra Wahlund Zhu Yunyun Table of Contents SIP, Session Initiation Protocol...1 used in VoIP...1 Karin Tybring...2 Table of Contents...2 1Introduction...4 2What is the Session Initiation Protocol and how is it used?...4 3Features in SIP...6 4Security in SIP...8 5Conclusion and future possibilities of SIP...8 6References...10 Page 2 of 9
1 Introduction Voice over IP (VOIP) is a very popular topic today and most people with interest in new technology have or are using Voice over IP to communicate with other people. The Session Initiation Protocol is a part of VOIP that is responsible for the initiation set up for the connection. The purpose of this PM is to investigate how the Session Initiation Protocol works in the call set up phase and which features that this protocol supports. We have also described some security issues with the protocol. Session Initiation Protocol could also be used in video connections, but this feature is outside the scope of this PM. 2 What is the Session Initiation Protocol and how is it used? The Session Initiation Protocol is a signalling protocol, responsible for setting up, controlling and tearing down session s connections over Internet. The Session Initiation Protocol is defined in RFC 3261 and is since the year 2000 a permanent protocol in IP multimedia subsystems architecture 1. The idea behind this protocol was to make it look similar as when you using a regular phone, i.e. enter the number you would like to call, hear the phone ringing or a busy signal. The main difference according to a regular phone s protocol is that when using the Internet as device for transporting the call, no actually circuit in the network is established. 1 http://en.wikipedia.org/wiki/session_initiation_protocol Page 3 of 9
2 SIP uses four entities in a connection, a User Agent, SIP Proxy Server, Location Server and registry. A SIP Proxy Server is a middle element between a client and a server which functions as routers that forward SIP messages. The register keeps track of the users that are currently registered within the domain. The Session Initiation Protocol is a request response protocol, which means that all messages that are sent needs to be acknowledged, it can therefore run over UDP (User Datagram Protocol) or TCP (Transmission Control protocol). However, since UDP is a non reliable protocol, the fragmentation of packages could be a problem. Due to this, it is preferable that the entire SIP message fits into one single UDP fragment. If a message is fragmented into multiple datagram s, there is a bigger risk of loosing the entire message 3. Messages sent and received by the Session Initiation Protocol are in plain text (ACSII readable) and using port number 5060. This is not the same port as the sending and receiving media connection, which is stated in the invite message for the session (see below). For a user to call another user over VoIP, the application uses the SIP software, to set up the connection. This software is called the User Agent (UA in the picture) and could be any software that supports SIP. First an INVITE message will be sent to the location server. This server will look for mappings for the requested URI through user registration for the new destination. User agents can register periodically dependent on which device they are using. The location server then sends the address back to the user agent, whom acknowledges this with an ACK. Now the user agent has the address to the second user agent, whom he likes to call. By sending an INIVITE message to the user agent he invites him to start a conversation. The INVITE message contains information on which port number the user agent wants the connection to run on and also what codec should be used for the media content used for the session. This information (port number and codec) for the session actually belongs to another protocol, namely the description session protocol (DSP), which Session Initiation Protocol is a carrier for. 2 Picture from Security considerations for Voice over IP Systems, D. Richard Kuhn, Thomas J. Walsh, Steffan Fries, NIST special publication 800 58. January 2005, p. 39 45. 3 Session Initiation Protocol, KK Tan and HL Goh. P.1310 1314 Vol. 2, ICIT, IEEE dec. 2002. Page 4 of 9
4 The user agent response this message with an OK message, which contains information on port number and codec s for the second user agent that should be used during the session. It is not needed that the two user agents are using the same audio encoding mechanisms. They can be different, as long as you have the codec to encode the audio it will work 5. Finally the first user agent send an ACK back to confirm that he got the information needed. All the messages up to now have been sent on the port number 5060, but now the media session will open on the port numbers that have been agreed on during the set up face. Also the path the SIP message is routed on Internet could be complete different from the path for the media exchange. The VoIP session that now takes part after the initiation session is handled by another protocol called the Real Time Transporting Protocol (RTP). The two users behind the user agents can now communicate with each other. To end the conversation, the user that wants to finish sends a BYE message to the location server, which forwards the message to the other user. This user sends an OK back to the location server, which forwards this message to the first user and hence the connection is tore down. 3 Features in SIP There are no real standards for the protocols used in IP telephony, however two protocols have emerged that are most commonly used, SIP and H.323. One difference between SIP and the H.323 protocol is that SIP is a single component protocol. H.323 is a complete more 4 Picture from: Design and Implementation of a SIP based VoIP architecture, S. Zeadally and F. Siddiquini IEEE AINA 2004 5 Computing Networking, a top down approach featuring the Internet. James F. Kurose and Keith W. Ross. Addison Wesley 2003 Page 5 of 9
complex suite of protocols that supports multimedia conferencing. However, SIP was developed with consideration to DNS, Internet email and the web. Hence there are many features and applications that could be used together with DNS to achieve the features that are already a part of the H.323 protocol. SIP also uses existing features in other protocol to enhance security. An important feature of SIP is that it supports mobility and dynamically issued IP addresses. In order to have a functioning application, the user must be able to move between different networks. By using a location server that registers the current IP address of the user, the user may roam between different networks. When the user sign in to the service, the list at the location server is updated with the current IP address and once the user has disconnected from the service, the IP address is purged from the list. SIP also supports fork process which means that the SIP server could send one incoming requests to two or more different destinations. This could be used to develop call forwarding to voice mail or functionality where you have two different numbers connected to the user name (e.g. both at home and in the office). The message body in a SIP message is using the MIME mechanisms; hence a message may carry binary or text objects. By using this, a SIP message may contain information from a webpage, an email address or even an IRC chat channel. Page 6 of 9
4 Security in SIP Authentication in SIP is the most important security issue, since no trusted third party (Telephony Company) makes sure that the information in the setup connection is reliable. Authentication in SIP should not only be used to identify the sender of the message but also to ensure that some critical information was not altered in transit. For authentication, the SIP protocol uses a digest authentication, which is based on the HTTP digest authentication. The response contains a checksum encrypted by MD5, containing the user name, password, a given nonce value, the HTTP method and the requested URL. This prevents the password from being sent in clear text. However, the security is not that strong in HTTP basic authentication and this is not a fully satisfied solution 6. For integrity and confidentiality SIP uses data encryption. There are two different ways of encryption that are supported, end to end (i.e. between two users) and hop to hop (i.e. between two successive SIP entities). End to end confidentiality requires that all information that is not to be read by passing routing servers is encrypted and this is performed by S/MIME. Hop to hop is useful to protect the information that the intermediate SIP entity needs. This encryption is performed by external mechanisms, such as IPsec or TLS (Transport Layer Security). When it comes to voice applications, it is very important that each package arrives. Since SIP can be used over UDP, which is a non reliable transportation protocol, this has to be considered in SIP. This is handled in a way that both the client and the server transmit the requests until a response arrives. For the INVITE request, there could be a quite long delay before the callee picks up the phone; hence this is handled in a separate way to avoid unnecessary overhead. While UDP has lack of reliability it is still preferred in SIP since the handshaking process that takes place in TCP creates a lot of overhead. 5 Conclusion and future possibilities of SIP As a person sitting behind the computer you will never actually see the Session Initiation Protocol, but if you are curious have a look in your VOIP application and we guarantee you that it is in there. Today there exist both commercial and open source implementation of Session Initiation Protocol, hardware and software based. 6 Security considerations for voice over IP systems, D. Richard Kuhn, Thomas J. Walsh, Steffan Fries, National Institute of Standards and Technologies. NIST special publication 800 58. January 2005, p. 39 45. http://csrc.nist.gov/publications/nistpubs/800 58/SP800 58 final.pdf Page 7 of 9
Voice over IP is becoming more and more popular and new features and application are being added all the time. The protocol is still under development and new features are being added. The focus from the beginning was to provide a new dynamic protocol that was powerful but still simple. Now it is important to enhance the protocol with adequate security as well. The simplicity of the handshaking process in SIP makes it good to use for development of new IP telephony applications. There are already several applications available for VoIP calls, instant messaging, telephone conferences and multimedia sessions running with SIP and new services are being added. More applications will attract even more users. In order to keep these users and to continue to attract new ones, it is important that the developers of new applications consider the security aspects as well. SIP could also be used to develop the smart home concept where you can connect home appliances to a computer. By using a SIP/PSTN server and a Bluetooth controller, the voice could be digitalized and speech recognition could be used to turn on the oven just so that is warm when you enter the house 7. It is not only the applications that attract new users, it is also cheaper to make phone calls over the Internet than using the stationary phone. Many companies invest in IP telephone solutions that are connected to the PSTN. This solution is not only a very flexible solution, but it also makes it possible to cut costs. Not only companies takes advantage of this opportunity to save money, private persons are now using Skype and other applications where you can call friends over the Internet for free. With new user friendly applications and a bigger variety of phones, both traditional phones and soft phones, the IP telephony will convince more people to call over the Internet. 7 Session Initiation Protocol, KK Tan and HL Goh. P.1310 1314 Vol. 2, ICIT, IEEE dec. 2002. Page 8 of 9
6 References 1. Computer networking, a top down approach featuring the Internet, James F. Kurose and Keith W. Ross, p.558 565 Addison Wesley 2003. 2. Security considerations for voice over IP systems, D. Richard Kuhn, Thomas J. Walsh, Steffan Fries, National Institute of Standards and Technologies. NIST special publication 800 58. January 2005, p. 39 45. http://csrc.nist.gov/publications/nistpubs/800 58/SP800 58 final.pdf 3. Session Initiation Protocol, definition, wikipedia, Oct 14 2005, http://en.wikipedia.org/wiki/session_initiation_protocol 4. Session Initiation Protocol, KK Tan and HL Goh. P.1310 1314 Volume 2, IEEE International conference on Information Technology, 11:th 14:th of December 2002 5. The Session Initiation Protocol: Internet Centric Signalling H. Schulzrinne and J. Rosenberg, p.134 141, IEEE Communications Magazine, October 2000. 6. Design and Implementation of a SIP based VoIP architecture, S. Zeadally and F. Siddiquini IEEE AINA 2004 7. SIP and IPLink in the next generation Network, Paper from Intel http://www.dialogic.com/company/whitepap/7299web.htm Page 9 of 9