SIP Protocol overview

SIP Workshop, APAN Taipei, Taiwan, 23rd Aug 2005

By Stephen Kingham

mailto:Stephen.Kingham@aarnet.edu.au

sip:Stephen.Kingham@aarnet.edu.au

©Stephen Kingham




This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Copyright Stephen Kingham 2004


Outline and Objectives

• SIP Authentication
  – Who are you?

• SIP Authorisation
  – What are you allowed to do?

• SIP Presence and Instant Messaging (the SIMPLE protocol)
  – I am available!
  – Buddy lists.


Authentication in SIP

• Both ends must know the same secret password (key).

• The password is used to encrypt certain information such as the user’s password.

• Originated from HTTP (WWW) and often called HTTP digest, Digest Authentication is described by RFC 2617.

• RFC 3261 (SIP) describes how Digest Authentication is applied to SIP.


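SIP REGISTER with Digest Authentication

Message flow between the UA and the Proxy Server:

UA → Proxy Server: REGISTER [email protected] (without credentials)

Proxy Server → UA: 407 Proxy Authentication Required

(UA: ask user for a password)

UA → Proxy Server: REGISTER [email protected] (password encrypted with key)

Proxy Server → UA: 200 OK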


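SIP INVITE with Digest Authentication

Message flow between the calling UA, the Proxy Server and the called UA:

UA → Proxy Server: INVITE [email protected] (without credentials)

Proxy Server → UA: 407 Proxy Authentication Required

UA → Proxy Server: ACK

(UA: ask user for a password)

UA → Proxy Server: INVITE [email protected] (with encrypted password)

Proxy Server → UA: 100 TRYING

Proxy Server → called UA: INVITE [email protected] (password removed)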


Secure SIP

• SIPS, a close cousin of SIP, is a good, low-cost means of encryption, soon to be widely deployed. It specifies TLS (Transport Layer Security) over TCP and is not subject to bid-down attacks: a SIPS call will fail rather than complete insecurely.


Protect Gateways from un-authorised use

• Use a Proxy Server in front of your Gateways, and turn on Record Route so ALL SIP control is via the Proxy.

• Configure gateways so that they only respond to SIP from your SIP Proxy.
  – Filter TCP and UDP traffic to port 5060 on the Gateway.
  – Also do the same for H.323, TCP traffic to port 1720 on the gateway.

Diagram:

SIP UA → SIP Proxy (Record Route): INVITE; the proxy processes Authentication and Authorisation as required.

SIP Proxy → Gateway → PSTN: INVITE (Authenticated), allowed.

SIP UA → Gateway: INVITE sent directly, blocked by access list.


The “SIMPLE” protocol for presence

• SUBSCRIBE

• NOTIFY