Simon Millard Professional Services Manager Aculab – booth 402
The State of SIP
September 10-12, 2007 • Los Angeles Convention Center • Los Angeles, California
www.ITEXPO.com
The state of SIP
• Agenda
– SIP concepts
– Media
– SIP signalling
– NAT traversal
– Security
SIP concepts
• SIP is the Session Initiation Protocol
– Its job is to set up a session (maybe a phone call) between two or more users
SIP concepts
• SIP’s view of the network is the same as the Internet’s
– Intelligence at the edge
– Re-use of proven devices and concepts
• There is the ability to negotiate supported features
– Can set up any type of media
• SIP separates media from signalling
Media
For IP telephony we are concerned with RTP
Figure: protocol stack, bottom to top: Ethernet, optical, radio, … / IP / UDP / RTP and RTCP / CODECs
Media
• More data is sent than in a TDM call
Figure: packet layout: ETH | IP | UDP | RTP | AUDIO | CHK
• Silence elimination
– CNG
– VAD
Media compression
• The rain in Spain falls mainly on the plain
– Lossless
• $ r# in Sp# falls m#ly on $ pl# ($ = the, # = ain)
– Lossy
• Th rn n Spn flls mnly n th pln
SIP signalling
• Coded in ASCII
• Verbs (methods) and responses
– INVITE: initiate a session
– ACK: confirm session established
– BYE: terminate a session
– CANCEL: cancel a pending INVITE
– REGISTER: bind an address to a location
– and others
SIP signalling
• Responses – as per HTTP
• 1xx information
– 100 trying, 180 ringing
• 2xx success
– 200 OK
• 3xx redirection
– 300 multiple choices
• 4xx client error
– 404 not found
• 5xx server failure
• 6xx global failure
SIP signalling
• Media for the session is described by the SDP (session description protocol)
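To make the three slides above concrete (ASCII start line, HTTP-style headers and response codes, SDP body describing the media), here is an added example of a minimal SIP/SDP parser. It is not code from the presentation or from Aculab; the INVITE and SDP it parses are constructed, with documentation addresses, and the Content-Length is computed from the body so the framing check passes.

```python
"""Parse a SIP request or response and the SDP body it carries.

Added example, not code from the presentation: a minimal parser in the
spirit of the slides (ASCII start line, HTTP-style headers, SDP body).
The INVITE below is constructed; addresses and tags are illustrative.
"""

# Constructed SDP body: one audio stream offered on 192.0.2.10:49170.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
)

# Constructed INVITE; Content-Length is computed so the framing is correct.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "Max-Forwards: 70\r\n"
    "From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.0.2.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: %d\r\n"
    "\r\n" % len(SAMPLE_SDP.encode())
) + SAMPLE_SDP


def parse_sip_message(raw):
    """Split a SIP message into start line, headers and body.

    Header names are case-insensitive, so they are keyed in lower case;
    repeated headers (several Via on a proxied request) are kept in order.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no blank line between headers and body")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError("malformed header line: %r" % line)
        headers.setdefault(name.strip().lower(), []).append(value.strip())

    msg = {"headers": headers, "body": body}
    start = lines[0]
    if start.startswith("SIP/2.0 "):
        # Status line: SIP/2.0 <code> <reason phrase>
        _, code, reason = start.split(" ", 2)
        msg.update(kind="response", status=int(code), reason=reason)
    else:
        # Request line: <method> <Request-URI> SIP/2.0
        method, uri, version = start.split(" ")
        if version != "SIP/2.0":
            raise ValueError("unsupported version %r" % version)
        msg.update(kind="request", method=method, uri=uri)

    # A Content-Length that disagrees with the body is a framing error;
    # reject it rather than guess, so no two hops disagree on where a
    # message ends.
    declared = headers.get("content-length")
    if declared is not None and int(declared[0]) != len(body.encode()):
        raise ValueError("Content-Length does not match body length")
    return msg


def parse_sdp(body):
    """Pull the connection address and media descriptions out of an SDP body."""
    sdp = {"connection": None, "media": []}
    for line in body.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c":
            # c=<nettype> <addrtype> <connection-address>; a media-level
            # c= line overrides the session-level one for that stream.
            address = value.split()[2]
            if sdp["media"]:
                sdp["media"][-1]["connection"] = address
            else:
                sdp["connection"] = address
        elif key == "m":
            # m=<media> <port> <proto> <fmt> ...
            media, port, proto, *fmts = value.split()
            sdp["media"].append({"type": media, "port": int(port), "proto": proto,
                                 "formats": fmts, "rtpmap": {}, "connection": None})
        elif key == "a" and value.startswith("rtpmap:") and sdp["media"]:
            payload_type, encoding = value[len("rtpmap:"):].split(" ", 1)
            sdp["media"][-1]["rtpmap"][payload_type] = encoding
    return sdp


def rtp_targets(raw):
    """For an INVITE carrying SDP, return (address, port, codec names) per
    media stream: the media path, which is separate from the signalling path."""
    msg = parse_sip_message(raw)
    if msg["headers"].get("content-type", [""])[0].lower() != "application/sdp":
        return []
    sdp = parse_sdp(msg["body"])
    targets = []
    for m in sdp["media"]:
        address = m["connection"] or sdp["connection"]
        codecs = [m["rtpmap"].get(fmt, "static PT %s" % fmt) for fmt in m["formats"]]
        targets.append((address, m["port"], codecs))
    return targets
```

Running `rtp_targets(SAMPLE_INVITE)` yields the address and port the callee would send RTP to, which is exactly the information a firewall or NAT has to learn from the signalling to let the media through.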
Signalling – UAs
• SIP based on UAs (User Agents)
– UAC initiates requests
– UAS responds to requests
Figure: UAC sends a request to the UAS; the UAS returns a response
Signalling – Proxies
• Route signalling
– Do not initiate requests or responses
– Pass through unknown messages unchanged
– Stateless or stateful
Figure: Aculab Proxy routing between sip:simon@work and sip:simon@home
Signalling – Registrars
• Allow a SIP device to dynamically register a location
– This allows them to be contactable when mobile
Figure: the device at 192.168.0.102 sends REGISTER sip:[email protected] to the Aculab Registrar, which stores the binding in its location database
Signalling – Redirect Servers
• Respond to a request by redirecting it to another device
Figure: redirect flow
– Request for sip:[email protected] sent to the Aculab Redirect Server (192.168.0.102)
– Server answers "moved to sip:[email protected]" (its database holds sip:[email protected] from xx.xx.xx.xx)
– Request for sip:[email protected] re-sent to the new location
Signalling – B2BUA
• A back-to-back User Agent is somewhat similar to a Proxy, but terminates and initiates SIP signalling
Figure: UA – B2BUA – UA
Putting it all together
Figure: call flow
– proxy.a.com receives the INVITE
– DNS server: SIP SRV lookup for b.com returns proxy.b.com
– proxy.b.com receives the INVITE
– Location server resolves the callee to [email protected]:5060
– INVITE delivered to the callee
– RTP flows between the endpoints
– BYE ends the session
NAT traversal
• Network Address Translation
– IP-Masquerading
• Source and/or destination addresses re-written
• Most widely used to allow multiple hosts on a private network to access the Internet from a single public IP address
• Solved the IP address shortage of IPv4
NAT traversal
• NAT binding is created by the NAT to map a private to a public address
• Binding lifetime
– Period of time for which the binding remains open
– Binding will be closed if there is no traffic for a period of time
NAT traversal
• Full cone
Figure: client behind a NAT, with Server A and Server B outside
• Internal IP address and port mapped one-to-one to external IP address and port
• External host can reach internal by sending to IP:port
NAT traversal
• Restricted cone
Figure: client behind a NAT, with Server A and Server B outside
• Internal IP:port mapped one-to-one to external IP:port
• External host can reach internal client only if traffic has already been sent to it
NAT traversal
• Port restricted
Figure: client behind a NAT, with Server A and Server B outside
• External host can reach internal port only if traffic has already been sent to it from that port
NAT traversal
• Symmetric
Figure: client behind a NAT, with Server A and Server B outside
• Requests from an internal IP:port are mapped to a unique external IP:port
• Only a host which receives a packet can send packets back
NAT traversal
• STUN
Figure: client behind a NAT, with the STUN server outside
• STUN is a client/server protocol
• Client sends request to STUN server which responds with the IP address of the NAT and the port which was opened for the request
NAT traversal
• STUN works with full cone, restricted cone and port restricted NATs
• Will not work with symmetric NAT
– IP address of the STUN server is different to that of the destination endpoint
• Peers communicate discovered IP:port information
– In a full cone, any endpoint can initiate the session
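The four NAT slides and the two STUN slides above describe behaviour that is easiest to see by running it. The following is an added example, not code from the presentation or from Aculab: a toy NAT that allocates external ports and filters inbound packets the way a full cone, restricted cone, port restricted or symmetric NAT would, plus a check of whether the reflexive address a STUN server reports is usable by a different peer. It goes slightly beyond the slides by covering all four types in one model; binding lifetime is not modelled, and every address is a constructed documentation value.

```python
"""Toy model of the four NAT behaviours on the slides and of what STUN can learn.

Added example, not from the presentation. ToyNat allocates external ports
and filters inbound packets like a full cone, restricted cone, port
restricted or symmetric NAT; stun_discovery_usable() then checks whether
the reflexive address a STUN server reports is reachable by another peer.
Binding lifetime/timeouts are not modelled. Addresses are constructed.
"""
import itertools
from dataclasses import dataclass, field

FULL_CONE = "full cone"
RESTRICTED_CONE = "restricted cone"
PORT_RESTRICTED = "port restricted"
SYMMETRIC = "symmetric"


@dataclass
class ToyNat:
    kind: str
    public_ip: str = "203.0.113.1"
    # external ports are handed out sequentially from 40000
    ports: itertools.count = field(default_factory=lambda: itertools.count(40000))
    bindings: dict = field(default_factory=dict)   # binding key -> (public_ip, ext_port)
    permitted: set = field(default_factory=set)    # (ext_port, ip) and (ext_port, ip, port) seen

    def outbound(self, internal, remote):
        """internal=(ip, port) sends to remote=(ip, port); returns the external (ip, port)."""
        # Cone NATs map an internal IP:port to one external IP:port for every
        # destination; a symmetric NAT allocates a new mapping per destination.
        key = (internal, remote) if self.kind == SYMMETRIC else internal
        if key not in self.bindings:
            self.bindings[key] = (self.public_ip, next(self.ports))
        ext_ip, ext_port = self.bindings[key]
        # Record who the client talked to, for the restricted variants.
        self.permitted.add((ext_port, remote[0]))
        self.permitted.add((ext_port, remote[0], remote[1]))
        return ext_ip, ext_port

    def inbound(self, ext_port, sender):
        """Would a packet from sender=(ip, port) to public_ip:ext_port be delivered?"""
        if ext_port not in {port for _, port in self.bindings.values()}:
            return False                                    # no binding: dropped
        if self.kind == FULL_CONE:
            return True                                     # any external host may send
        if self.kind == RESTRICTED_CONE:
            return (ext_port, sender[0]) in self.permitted  # client must have sent to that IP
        # port restricted and symmetric: client must have sent to that exact IP:port
        return (ext_port, sender[0], sender[1]) in self.permitted


def stun_discovery_usable(nat, client=("192.168.0.102", 5060),
                          stun_server=("198.51.100.7", 3478),
                          peer=("198.51.100.99", 5060)):
    """The STUN exchange from the slides: the client asks the STUN server for
    the NAT address/port opened for the request, signals that IP:port to the
    peer, and also sends towards the peer. True if the peer's packet gets in."""
    _, reflexive_port = nat.outbound(client, stun_server)   # what the STUN server reports
    nat.outbound(client, peer)                              # client's own first packet to the peer
    return nat.inbound(reflexive_port, peer)


if __name__ == "__main__":
    for kind in (FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED, SYMMETRIC):
        print("%-16s STUN-discovered address usable by peer: %s"
              % (kind, stun_discovery_usable(ToyNat(kind))))
```

The symmetric case fails for the reason the slide gives: the port opened towards the STUN server is not the port opened towards the peer, so the address the client advertised is the wrong one.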
Security
• SIP signalling
– Digest authentication, based on knowledge of a shared secret
Figure: message flow between Caller, Proxy and Callee
– Caller → Proxy: INVITE w/o credentials
– Proxy → Caller: 407 proxy authentication required
– Caller → Proxy: INVITE w/ credentials
– Proxy → Caller: 100 trying
– Proxy → Callee: INVITE w/ credentials
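The 407 exchange above is worth seeing end to end. This is an added example, not code from the presentation or from Aculab: the client-side Digest response computation (RFC 2617 with qop=auth, the form RFC 3261 adopts for SIP) and a proxy-side verifier that issues nonces, stores only HA1 rather than passwords, binds the credentials to the Request-URI and rejects replays by requiring the nonce count to increase. The realm, user names and passwords are constructed.

```python
"""Digest authentication on a SIP proxy, as in the 407 exchange on the slide.

Added example, not code from the presentation: client-side response
computation (RFC 2617 'auth' qop as used by RFC 3261) and a proxy-side
ProxyAuthenticator that issues nonces, verifies credentials and rejects
replays. Realm, users and passwords are constructed.
"""
import hashlib
import hmac
import os


def _md5_hex(text):
    """MD5 is what Digest specifies for its H() function; it is used here for
    the protocol's key derivation, not as a general-purpose password hash."""
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth"):
    """Client side: response = H(HA1 : nonce : nc : cnonce : qop : HA2)."""
    ha1 = _md5_hex("%s:%s:%s" % (username, realm, password))
    ha2 = _md5_hex("%s:%s" % (method, uri))
    return _md5_hex("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


class ProxyAuthenticator:
    """Proxy side. Stores only HA1 per user, so the shared secret itself
    never sits on the proxy in the clear."""

    def __init__(self, realm, users):
        self.realm = realm
        self.ha1 = {u: _md5_hex("%s:%s:%s" % (u, realm, p)) for u, p in users.items()}
        self.nonces = {}          # nonce -> highest nonce-count accepted so far

    def challenge(self):
        """Parameters for the Proxy-Authenticate header of a 407."""
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth", "algorithm": "MD5"}

    def verify(self, method, request_uri, creds):
        """creds: Proxy-Authorization parameters of the re-sent INVITE.
        True only for a nonce this proxy issued, a known user, a uri matching
        the Request-URI, a strictly increasing nc and a matching response."""
        nonce = creds.get("nonce")
        if nonce not in self.nonces or creds.get("realm") != self.realm:
            return False
        if creds.get("uri") != request_uri or creds.get("qop") != "auth":
            return False
        ha1 = self.ha1.get(creds.get("username"))
        if ha1 is None:
            return False
        try:
            nc = int(creds.get("nc", ""), 16)
        except ValueError:
            return False
        if nc <= self.nonces[nonce]:
            return False                                  # replayed or stale nonce count
        ha2 = _md5_hex("%s:%s" % (method, request_uri))
        expected = _md5_hex("%s:%s:%s:%s:%s:%s" % (
            ha1, nonce, creds.get("nc"), creds.get("cnonce", ""), "auth", ha2))
        # constant-time comparison of the two hex digests
        if not hmac.compare_digest(expected, creds.get("response", "")):
            return False
        self.nonces[nonce] = nc
        return True


def build_credentials(challenge, username, password, method, request_uri, nc="00000001"):
    """Client side: turn a 407 challenge into Proxy-Authorization parameters."""
    cnonce = os.urandom(8).hex()
    return {
        "username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": request_uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
        "response": digest_response(username, challenge["realm"], password, method,
                                    request_uri, challenge["nonce"], cnonce, nc),
    }


def authenticate_invite(proxy, username, password, request_uri="sip:bob@example.net"):
    """The slide's exchange: INVITE without credentials -> 407 -> INVITE with credentials."""
    challenge = proxy.challenge()                       # carried in the 407
    creds = build_credentials(challenge, username, password, "INVITE", request_uri)
    return proxy.verify("INVITE", request_uri, creds)
```

Note what Digest does and does not give you: the password never crosses the wire, and the response is bound to the method, URI and nonce, but the rest of the INVITE is unprotected, which is why the next slide pairs it with TLS.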
Security
• SIP signalling
– TLS – Transport Layer Security
– Based on public key cryptography
• Client requests TLS session
• Server responds with public certificate
• Client verifies certificate
• Mutual exchange of session keys
• Send/receive application data using keys
– Can be used hop-by-hop
– SIPS requires TLS used end-to-end
Security
• Media
– Uses SRTP (secure RTP)
– AES encryption typically using 128 bit keys
– Assumes secure key exchange prior to the session running
• Most commonly used are MIKEY and SDES (SDES carries the key within SDP, so the SIP session itself needs to be secured)
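The SDES point is concrete: the SRTP master key and salt are sent base64-encoded in an `a=crypto` line of the SDP offer, so whoever can read the signalling can read the key. The following added example, not code from the presentation or from Aculab, builds and validates such a line for the AES-CM-128 suites (key and salt sizes as the example assumes them, 16 + 14 bytes) and lets an answerer pick an acceptable offer; the sample lines are constructed.

```python
"""SDES key lines in SDP: build, parse and sanity-check an a=crypto attribute.

Added example, not from the presentation. With SDES (RFC 4568) the SRTP
master key and salt travel base64-encoded inside the SDP offer/answer,
which is why the slide says the SIP session must be secured. The suite
table holds the key/salt sizes this example assumes; samples are constructed.
"""
import base64
import os

# (master key bytes, master salt bytes) per crypto-suite name
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}


def make_crypto_line(tag, suite):
    """Offer side: fresh random master key + salt, encoded as an a=crypto line.
    Returns (line, raw key material) so the offerer can keep the material."""
    key_len, salt_len = SUITES[suite]
    material = os.urandom(key_len + salt_len)
    line = "a=crypto:%d %s inline:%s" % (tag, suite, base64.b64encode(material).decode())
    return line, material


def parse_crypto_line(line):
    """Answer side: validate the line and split out master key and salt.
    Raises ValueError on anything a careful endpoint should refuse."""
    if not line.startswith("a=crypto:"):
        raise ValueError("not an a=crypto attribute")
    parts = line[len("a=crypto:"):].split()
    if len(parts) < 3:
        raise ValueError("need tag, crypto-suite and key-params")
    tag, suite, key_params = parts[0], parts[1], parts[2]
    if not tag.isdigit():
        raise ValueError("tag must be numeric")
    if suite not in SUITES:
        raise ValueError("unsupported crypto-suite %r" % suite)
    if not key_params.startswith("inline:"):
        raise ValueError("only inline key-params supported")
    # key-info may be followed by "|lifetime|mki:len"; the key itself comes first
    key_info = key_params[len("inline:"):].split("|", 1)[0]
    try:
        material = base64.b64decode(key_info, validate=True)   # binascii.Error is a ValueError
    except ValueError as exc:
        raise ValueError("key-info is not valid base64") from exc
    key_len, salt_len = SUITES[suite]
    if len(material) != key_len + salt_len:
        raise ValueError("expected %d bytes of key material, got %d"
                         % (key_len + salt_len, len(material)))
    return {"tag": int(tag), "suite": suite,
            "master_key": material[:key_len], "master_salt": material[key_len:]}


def select_offer(crypto_lines, supported=None):
    """Pick the first offered a=crypto line this side supports (the answerer
    selects one tag); returns the parsed line or None if nothing is acceptable."""
    supported = supported or SUITES
    for line in crypto_lines:
        try:
            parsed = parse_crypto_line(line)
        except ValueError:
            continue
        if parsed["suite"] in supported:
            return parsed
    return None
```

The validation matters on the receiving side: a truncated or malformed key line should be refused rather than padded or guessed, and an endpoint that accepts SDES over unprotected SIP transport has no confidentiality for the media regardless of how strong the AES key is.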
Summary
• Session Initiation Protocol leverages Internet technologies
• Signalling and media paths
• Other devices
• NAT traversal issues
• Security
Thank you
[email protected]
Aculab on booth 402