©stephen kingham sip protocol overview sip workshop apan taipei taiwan 23rd aug 2005 by stephen...
TRANSCRIPT
©Stephen Kingham
SIP Protocol overview
SIP Workshop
APAN Taipei Taiwan 23rd Aug 2005
By Stephen Kingham
mailto:[email protected]
©Stephen Kingham
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Copyright Stephen Kingham 2004
©Stephen Kingham
Outline and Objectives
• SIP Authentication–Who are you?
• SIP Authorisation–What are you allowed to do?
• SIP Presence and Instant Messaging(the SIMPLE protocol)
–I am available!–Buddy lists.
©Stephen Kingham
• Both ends must know the same secret password (key).• The password is used to encrypt certain information such
as the user’s password.• Originated from HTTP (WWW) and often called HTTP
digest, Digest Authentication is described by RFC 2671.• RFC 3261 (SIP) describes how Digest Authentication is
applied to SIP.
Authentication in SIP
©Stephen Kingham
SIP REGISTER with Digest Authentication
REGISTER [email protected] (with out credentials)
UA Proxy Server
407 Proxy Authentication Required
REGISTER [email protected] (password encrypted with key)
200 OK
ask user for a password
©Stephen Kingham
SIP INVITE with Digest Authentication
INVITE [email protected] (with out credentials)
UA Proxy Server
407 Proxy Authentication Required
ACK
100 TRYING
UA
INVITE [email protected] (with encrypted password)
INVITE [email protected] (password removed)
ask user for a password
©Stephen Kingham
Secure SIP
• SIPS, a close cousin of SIP, is a good and low cost means of encryption soon to be widely deployed. It specifies TLS (transport layer security) over TCP and is not subject to bid down attacks. This means a SIPS call will fail rather than complete insecurely.
©Stephen Kingham
Protect Gateways from un-authorised use
• Use a Proxy Server in front of your Gateways, turn on Record Route so ALL SIP control is via Proxy.
• Configure gateways so that they only respond to SIP from your SIP Proxy.– Filter TCP and UDP traffic to port 5060 on the Gateway.– Also do the same for H.323, TCP traffic to port 1720 on the gateway.
PSTNAllowed
INVITE
(Authenticated)
GatewaySIP Proxy(record Route)
Process Authentication and Authorisation as required
SIP UA
INVITE
blocked by
accesslist
©Stephen Kingham
The “SIMPLE” protocol for presence
• SUBSCRIBE• NOTIFY