UCCS CS 6910 - Evaluation of Existing Voice over Internet Protocol Security Mechanisms


Slide titles:

1. PowerPoint Presentation
2. Overview
3. Basic VoIP Architecture
4. VoIP Calling Procedure
5. H.323 Protocol Stack
6. SIP Protocol Stack
7. SIP vs H.323
8. Basic SIP Operation
9. Slide 9
10. Example SIP INVITE message
11. Basic SIP Operation, cont’d
12. VoIP Service Issues
13. Disclaimers & Problems
14. Disclaimer #4
15. SIP Issues with Network Address Translation (NAT) traversal
16. Solutions for SIP NAT traversal
17. SIP vulnerabilities
18. Considerations for securing SIP
19. Securing SIP
20. Securing SIP, cont’d
21. AIB Minimum Content
22. AIB Example
23. AIB Example, cont’d
24. Slide 24
25. Recommended Implementation to Secure SIP
26. Securing the Media Stream
27. The Secure Real-Time Transport Protocol (SRTP)
28. Key Management for SRTP – MIKEY
29. Recommended Implementation to Secure VoIP Media Stream
30. Conclusion
31. Future Research/Tests
32. References

Slide footer: 5/3/05, Hakan Evecek and Brett Wilson - UCCS, CS691 Spring '05

Slide 1
Evaluation of Existing Voice over Internet Protocol Security Mechanisms & A Recommended Implementation for a SIP-based VoIP Phone
Brett Wilson
Hakan Evecek

Slide 2: Overview
- Basic Voice Over IP (VoIP) Architecture
- Basic VoIP Calling Procedure
- VoIP Service Issues
- Call Setup and Management Security
  - Session Initiation Protocol (SIP) Overview
  - SIP Security Mechanisms
  - Recommended minimum implementation to protect SIP call setup/management
- Media Stream Security
  - Secure Real Time Protocol (SRTP), Multimedia Internet Keying (MIKEY)
  - Recommended minimum implementation to protect media stream

Slide 3: Basic VoIP Architecture
- End Users
  - VoIP handsets, conferencing units, mobile units, PC softphones
- Network Components
- Network Protocols
- Public Switched Telephone Network (PSTN) gateways provide access to non-VoIP phones
- Call managers, routers, Network Address Translations (NATs), firewalls, gateways
- SIP Proxies/H.323 Gatekeepers

Slide 4: VoIP Calling Procedure
- Call setup/maintenance
  - H.323 or SIP used as the signaling protocol
  - Both are commonly used to establish contact and negotiate the media stream connection and details
  - SIP is newer and has several advantages over H.323
- Media connection
  - After the calling session has been created, a media connection is created for exchanging media packets
  - A separate connection/protocol
  - RTP is common

Slide 5: H.323 Protocol Stack
[Diagram labels: Link & Physical Layer; IP; UDP; TCP; RTP; Voice Codec (G.711, 723, 729, etc.); RTCP; H.225 RAS; H.225 Call Signaling; H.245; Audio Application; Terminal Control & Management]

Slide 6: SIP Protocol Stack
[Diagram labels: Link & Physical Layer; IP; UDP; TCP; RTP; Voice Codec (G.711, 723, 729, etc.); RTCP; SIP; SDP; Audio Application; Terminal Control & Management]

Slide 7: SIP vs H.323
- Distinct advantages to both protocols
- SIP
  - Many recent comparisons regard SIP as the future for VoIP
  - However, H.323 use will continue due to existing implementations and its advantages
  - Currently receiving most attention from researchers and the VoIP implementers
- Our research focused on SIP

Slide 8: Basic SIP Operation
- Bob wants to place a call to Alice
- Bob sends INVITE msg to Alice through his SIP proxy server
  - May require authentication to the proxy
- Bob’s proxy server relays request to Alice’s proxy server
  - Bob’s proxy finds Alice’s proxy using DNS
- Alice’s proxy server relays request to Alice’s location
  - Alice’s location is known only if she “registers” her location with her proxy
    - Typically done by the user agent on a periodic basis
- Alice replies with OK msg to Bob back through the proxies
- Bob sends Alice an ACK directly to her location

Slide 9: Basic SIP Operation
[No text content for this slide in the preview]
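
The call flow on the "Basic SIP Operation" slide, traced as an added example that is not part of the original deck: a toy model showing the INVITE path, the reverse response path, the direct ACK, and what happens when Alice's registration has expired. Host names, addresses, the DNS table and the function names are constructed for illustration.

```python
# Toy model of the call flow on the "Basic SIP Operation" slide.
# Added example: host names, addresses and the DNS table are constructed.

DNS = {"example.com": "proxy.example.com", "example.org": "proxy.example.org"}

class Proxy:
    def __init__(self, host):
        self.host = host
        self.bindings = {}  # address-of-record -> (contact, expiry time)

    def register(self, aor, contact, now, expires=3600):
        # REGISTER: the user agent refreshes this binding periodically.
        self.bindings[aor] = (contact, now + expires)

    def locate(self, aor, now):
        # Registered contact, or None if never registered or expired.
        contact, expiry = self.bindings.get(aor, (None, 0))
        return contact if contact is not None and now < expiry else None

def place_call(caller, caller_contact, callee, proxies, now):
    """Return (final status, list of (message, sender, receiver) hops)."""
    out_proxy = proxies[DNS[caller.split("@")[1]]]
    in_proxy = proxies[DNS[callee.split("@")[1]]]  # found through DNS
    path = [caller_contact, out_proxy.host]
    if in_proxy is not out_proxy:
        path.append(in_proxy.host)
    target = in_proxy.locate(callee, now)
    if target is None:
        # The callee's proxy has no valid binding, so it answers itself.
        status = "480 Temporarily Unavailable"
    else:
        path.append(target)
        status = "200 OK"
    trace = [("INVITE", a, b) for a, b in zip(path, path[1:])]
    back = path[::-1]  # responses retrace the request path in reverse
    trace += [(status, a, b) for a, b in zip(back, back[1:])]
    if target is not None:
        # The OK carried the callee's contact, so the ACK skips the proxies.
        trace.append(("ACK", caller_contact, target))
    return status, trace

def demo():
    proxies = {h: Proxy(h) for h in DNS.values()}
    proxies["proxy.example.org"].register("alice@example.org", "192.0.2.20", now=0)
    ok = place_call("bob@example.com", "192.0.2.10", "alice@example.org", proxies, now=100)
    stale = place_call("bob@example.com", "192.0.2.10", "alice@example.org", proxies, now=4000)
    return ok, stale

if __name__ == "__main__":
    for status, trace in demo():
        print(status, *trace, sep="\n  ")
```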

