Beruflich Dokumente
Kultur Dokumente
topics
• FWs (Firewalls)
– security device
– numbers of FWs is growing (including personal FWs)
– FWs rules get more restrictive
© NEC Corporation 2005 3
NATs: Basic Operation
PC NAT Server
1 2
Port mapping:
Private Public
M
A,b P
X,y
Full Cone
NAT S
• No restrictions on IP traffic arriving at (A,b)
Private Public
M
X
P,q
A,b P,r
X,y X
Restricted
Cone S
NAT
Private Public
M,n
P,q
A,b X P,r
X,y X
Restricted
Cone S
NAT
Private Public
M,n
C,d
P,q
A,b X P,r
X,y X
Symmetric
NAT S
NAT/FW
SIP Proxy
NAT/FW
SIP Signaling
Public Private
Private
© NEC Corporation 2005 10
Media Traversal Issues
RTP/RTCP
Media
Public Private
Private
© NEC Corporation 2005 11
Media Traversal Issues
SIP SIP
Signaling Signaling
Application Application
• STUN
• TURN
• ICE
• B2BUA
[A,b] STUN
Server
X,y A,b S,t
STUN
Client NAT
RTP 4 4 RTP
SIP UA-1 SIP UA-2
(with TURN Client) NAT NAT
SIP 2 3 SIP
1. UA-1 discovers by STUN what kind of firewall or NAT it is behind and what public IP address (and port
mapping rules) its NAT uses
2. As a backup plan it requests a public IP/Port pair from the TURN server
3. UA-1 send an INVITE containing any gained information on how it could be contacted as ordered alternatives
4. UA-2 uses these alternatives for “trial and error” until it has a successful connection (not shown here)
SIP Proxy
SIP Client-A SIP Client-B
SIP
SIP
RTP RTP
B2BUA
© NEC Corporation 2005 19
Solutions to NAT Traversal: B2BUA
2
SIP 1 SIP 3
RTP 4 RTP 4
RTP 4 4 RTP
SIP UA-1 SIP UA-2
(with TURN Client)
SIP 2 3 SIP
SIP 1 SIP 3
RTP 4 RTP 4
SIP Proxy
(Default Outbound
WIFi SIP
Proxy and B2BUA)
Client-B
Private DMZ
PSTN-IP Public
Gateway
4 bit
4 bit
Used by a receiver to Version
Header 8-bit type of service 16-bit total length ( in bytes )
Length
detect packet loss (also
3 bit
can be used to restore 16-bit identification
Flags
13-bit Fragment Offset
packet sequence).
8-bit time to live
8-bit protocol 16-bit header checksum 20 bytes
( TTL )
V P X CC M PT Sequence Number
Timestamp
Identifies the
source of an RTP SSRC
stream
CSRC
• RTP play-out
• Call Eavesdropping
– Capturing RTP flows
• Since RTP identifies the codec being used (statically) or either using a
“dynamic” identified codec it is easy to reconstruct the voice sampling
(even in real time)
• Result: listen/record conversations
• Result: listen DTMF tones to steal passwords and PINs
• Signaling
– End-to-end
• S/MIME (Secure/Multipurpose Internet Mail Extensions), IETF RFC 2633
– provides a way to send and receive secure MIME data. Based on the MIME standard,
S/MIME provides the following cryptographic security services for electronic messaging
applications: authentication, message integrity and non-repudiation of origin (using digital
signatures) and privacy and data security (using encryption)
– Hop-by-hop
• Lower-Layer solutions (e.g. IPsec)
– IPSec is actually a suite of protocols being developed by the IETF in the IPsec charter
for authentication and encryption
• SIPS (requires Transport Layer Security, TLS, on whole signaling path)
– TLS version 1.0, detailed in IETF RFC 2246 but going to be updated to version 1.1, is a
client/server protocol that allows peers to communicate in a way that is designed to
prevent eavesdropping, tampering, or message forgery
• Media
– Lower-Layer security (e.g. IPsec)
– SRTP (Secure Real Time Protocol), IETF RFC 3711
• provides confidentiality, message authentication, and replay protection to the RTP
traffic and to the control traffic for RTP
• key exchange done using MIKEY (Multimedia Internet KEYing), IETF RFC 3830
– a key management scheme that can be used for real-time applications (both for peer-to-
peer communication and group communication) supporting SRTP
SIP Client-B
I TE
E
INV
/ BY
EL
NC
CA
SIP Client-A
Attacker
• The attacker messages cancel a pending request with the same Call-ID,
TO, From, and Cseq fields
SIP Client-B
I TE
INV
CANCEL / BYE
SIP Client-A
Attacker
• The attacker messages cancel a pending request with the same Call-ID,
TO, From, and Cseq fields
• Call Hijacking
– After INVITE message, a 301 “Moved Permanently” message
would hijack the call towards whoever the attacker decides (himself
of another client)
SIP Client-B
E
IN VIT
301 Mo
ved Pe
rmanen
tly
INVIT
E
SIP Client-A
Attacker
• Identity Theft
– Registering address instead of other (if requires authentication
might use another type of attack)
SIP Registrar
SIP Client-A
Attacker
– Hop-by-hop Reques
t with C
• TLS, IPsec redentia
ls
• SIPS
• Streams
– SRTP
• Same thread as with email (hundreds of calls just with publicity messages,
the phone is ringing all day, etc.)
• Most E-mail filters rely on content analysis. But in voice calls, it is too late to analyze
media for spamming
– Voice Spam Detection – difficult
– Headers for voice spam detection : “from” , “contact”. Are these enough ?
– Detection in real time before the media arrives
SIP Proxy
SIP
FW Signaling FW
RTP/RTCP Media
SIP Client-A
SBC SIP Client-B