INTRODUCTION

• Session Initiation Protocol (SIP) is a Requests For Comments

(RFC) of the Internet Engineering Task Force (IETF)

• First standardized in March 1999 in RFC 2543 (Obsolete)

• A second version in 2002 in RFC 3261

INTRODUCTION

• Today, the session initiation protocol (SIP) is the predominant

protocol for IP Telephony Signalling. This paper addresses IP

Telephony security issues - both current and future – focusing

on SIP.

• We summarize current activities regarding SIP security,

including recent developments in the research community

and standardization efforts within the IETF.

SIP OVERVIEW (1)

• ASCII based, signaling protocol

• Analogous to HTTP messages, SIP is a text base protocol.

• Works independent of the underlying network transmission

protocol and indifferent to media

SIP OVERVIEW (1)

It provides mechanisms to:

• Establish a session

• Maintain a session

• Modify and Terminate a session

• Session Initiation Protocol (SIP) is an application layer protocol, which is

used to establish, maintain and terminate multimedia session.

• These sessions may include voice, video, instant messaging.

SIP Components

System using SIP can be viewed in two Dimensions:

• Client/Server

• Individual Network Elements

SIP Components

Client : : A client is any network element that sends SIP

requests and receives SIP responses.

Server: A server is a network element that receives requests

in order to service them and sends back responses to those

requests.

• Example of Servers: Proxies, user agent servers, redirect

servers, and registrars.

SIP Components (2)

Two general categories of SIP are

User Agent (UA): Resides in every SIP end station

SIP Servers

SIP Components (2)

User Agent (UA)

Has two roles:

SIP User Agent Client(UAC): Issues SIP requests.

SIP User Agent Server (UAS): Receives SIP requests, and

Generates a response that accepts, rejects, or redirects the

request.

SIP Components (2)

SIP Servers

• Proxy Server: The proxy server is an intermediary entity that acts as both a server and a

client for the purpose of making requests on behalf of other clients. A proxy server primarily

plays the role of routing, meaning that its job is to ensure that a request is sent to another

entity closer to the targeted user.

• Redirect Server: Used during session initiation, Determine the address of the called device,

Returns this information to the calling device.

• Registrar Server: A registrar is a server that accepts REGISTER requests and places the

information it receives (the SIP address and associated IP address of the registering device) in

those requests into the location service for the domain it handles.

SIP Functions

Scalability

Functionality such as proxying, redirection, location, or registration can

reside in different physical servers.

Distributed functionality allows new processes to be added without

affecting other components.

Interoperability

An open standard

Can implement to communicate with other SIP based products

SIP Functions (2)

Mobility

• Supports user mobility by proxying and redirecting requests to a

user’s current location.

• The user can be using a PC at work, PC at home, wireless phone, IP

phone, or regular phone.

• Users must register their current location.

• Proxy servers will forward calls to the user’s current location.

• Example mobility applications include presence and call forking.

RELATED PROTOCOL

SIP

IPv4 / IPv6

TCP UDP

SDP

MGCP RTSP RTCP RTP RSVP

Signaling Gateway control QoS

SIP CAPABILITIES

• Determine location of target points – Support address resolution, name mapping, call redirection

• Determine media capabilities – SIP uses Session Description Protocol (SDP) for this

• Determine availability – returns a message why the remote party cannot be contacted

• Establish a session between end points – also support mid call changes, changes of media characteristics or codec

• Handles termination of calls – transfer of calls

• Permits interaction between devices via signalling messages

SIP CAPABILITIES

• INVITE: Invite a user to join a call• ACK: Confirm that a client has received a final response to an invite• BYE: Terminates the call between two of the users on a call• OPTIONS: Request information on the capabilities of a Server• CANCEL: Ends a pending Request , but doesn’t end the call• REGISTER: Provide the map of address resolution that lets the server know the location of the users.

Status Codes1xxInformational• 100 Trying• 180 Ringing (ringing tone

played locally)• 181 Call is Being

Forwarded• 182 Queued• 183 Session progress

2xxSuccess• 200 ok

3xx Redirection• 300 Multiple Choices• 301 Moved Permanently• 302 Moved Temporarily• 380 Alternative server

4xxClient error• 400 Bad Request• 401 Unauthorized• 403 Forbidden • 404 Not Found• 405 Bad Method• 415 Unsupported

Content• 420 Bad Extensions• 482 Detected• 486 Busy Here5xxServer failure• 500 Server Internal

Error• 501 Not

Implemented• 503 Unavailable• 504 Timeout

6xxGlobal Failure• 600 Busy Everywhere• 603 Decline• 604 Doesn’t Exist• 606 Not Acceptable

SIP Basic Call Setup

SIP Headers

• Session Initiation Protocol (RFC3261) for call signaling

• Header format is similar to HTTPS

• UDP Port 5060 used (recommended)

• TCP is also allowed (required for SIPS)

• Responsible for connection setup and release: INVITE, OK, ACK, BYE, CANCEL

• Registration service for mobile user agents: REGISTER

• Uses DNS for routing (RFC3263;)

SIP Headers

• Session Description Protocol (RFC 2327) for parameter exchange

• Body of SIP-Messages

• Looks (a little bit) like sendmail mail queue format

• Contact address (ip address, port #) c=IN IP4 172.16.1.127

• Codec m=audio 7078 RTP/AVP 8 0 2 102 100 97 101

• (Master)Key for SRTP k=clear:geheim

SIP Headers (2)

INVITE sip:09611000038@202.4.97.11 SIP/2.0 Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1---d8754z-;rport Max-Forwards: 70 Contact: <sip:09611301525@172.16.1.127:6256> To: <sip:09611000038@202.4.97.11> From: "09611301525"<sip:09611301525@202.4.97.11>;tag=015ccc4a Call-ID: NGY1OGQ4NDI0OGMzMTI4MTNhY2M1ZTRkYzVlMDliMDU. CSeq: 1 INVITE Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO Content-Type: application/sdp Supported: replaces User-Agent: PortGo v6.8, Build 07112011 Content-Length: 474

Breakdown of Header

INVITE :message typeAddress of called partySIP version used by callerSemicolon indicates start of URI parametersEg:- user=phone indicates call is for a phone number and not a SIP IP addressINVITE sip:09611000038@202.4.97.11 SIP/2.0Via:History of message’s path through network(s)Helps to prevent looping and ensures replies route back to originatorIndicates the used transport protocol, ip address and port of sender Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1---d8754z-;rport

SDP Headers

• Describes components of communication channel under negotiation

• Includes information about :

– Codecs

– Ports

– Streaming protocols

• Usually sent with INVITE and 200 OK in SIP based devices

• Describes how data stream is going to be support via Real Time Transport Protocol (RTP, RFC 1889)

SIP & SDP Header AnalysisFor INVITE sip:09611000038@202.4.97.11 SIP/2.0 details message looks like this:

202.4.100.35:6256 202.4.97.11:5060 INVITE sip:09611000038@202.4.97.11 SIP/2.0

Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1---d8754z-;rport Max-Forwards: 70

Contact: <sip:09611301525@172.16.1.127:6256> To: <sip:09611000038@202.4.97.11> From: "09611301525"<sip:09611301525@202.4.97.11>;tag=015ccc4a Call-ID: NGY1OGQ4NDI0OGMzMTI4MTNhY2M1ZTRkYzVlMDliMDU. CSeq: 1 INVITE Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO Content-Type: application/sdp Supported: replaces User-Agent: PortGo v6.8, Build 07112011 Content-Length: 474 v=0 o=- 59935706 59935706 IN IP4 172.16.1.127 s=http://www.portsip.com c=IN IP4 172.16.1.127 t=0 0 m=audio 21006 RTP/AVP 8 0 3 121 100 9 97 101 a=rtpmap:8 PCMA/8000 a=rtpmap:0 PCMU/8000 a=rtpmap:3 GSM/8000 a=rtpmap:121 G7221/16000 a=rtpmap:100 SPEEX/16000 a=rtpmap:9 G722/8000 a=rtpmap:97 iLBC/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-15 a=ptime:20 a=sendrecv m=video 40180 RTP/AVP 34 a=rtpmap:34 H263/90000 a=fmtp:34 CIF=1 QCIF=1 a=sendrecv

Security Attacks

Signaling Layer Attacks

• SIP Registration Hijacking: Attacker impersonates a valid UA to a registrar himself as a valid user agent. so attacker can receive calls for a valid user.

• Impersonating a Server: When an attacker impersonates a remote server and user agent request are served by the attacker machine.

Security Attacks

Signaling Layer Attacks

• SIP Message Modification: If an attacker launches a man in the middle attack and modify a message. Then attacker could lead the caller to connect to malicious system.

• SIP Cancel / SIP BYE attack

• SIP DOS attack: In SIP attacker creates a bogus request that contained a fake IP address and Via field in the SIP header contains the identity of the target host.

Security Solutions

Two types of security solutions

End-to End security:

• In SIP end points can ensure end-to-end security to those messages which proxy does not read, like SDP messages could be protected using S/MIME.

• Media is transferred directly, so end-to-end security is achieved by SRTP.

Hop-by-hop security

• TLS, IPSec.

SIP Security Mechanisms

The SIP standard, as specified in RFC 3261 , includes several security mechanisms:

• S/MIME: Because SIP is using MIME for message bodies, S/MIME can be used to send authenticated and encrypted messages between user agents.

• Digest Authentication: SIP entities sharing a secret (e.g. a password) can authenticate each other with a challenge-response mechanism.

• TLS & IPSec: Hop-by-hop security for SIP signaling can be achieved either on the transport layer (TLS) or on the network layer (IP sec).

SIP-Secure over TLS• SIPS is like HTTPS: Is set on top of

TCP only• Signaling over sips URI:

sips:user@example.de;transport=tcp, Demands for TLS along the (signaling)path.

• Server authentication via Certificate• Client authentication (mostly) via

username/digest.• Client authentication via Certificate

possible• Only Hop by Hop Security

• S/MIME − secure SDP• Data format based on S/MIME mail.• Encryption of the SDP portion of the

SIP message• End-to-End or Hop by Hop allowed:

Tunneled (and S/MIME encrypted) SDP also allowed

• Supports UDP or TCP: TCP is recommended because of UDP fragmentation.

S/MIME − secure SDP

CONCLUSION

The SIP is such a protocol, which does not have any built-in security. This makes it more vulnerable to common VoIP attacks. In this implementation of the SIP security threats and countermeasures, the SIP secure model is designed to provide security mechanisms by following the best practices for securing a SIP based VOIP system.

CONCLUSION

The intention of this paper has been to present an overview of important challenges and current activities on SIP security.

SIP is used to initiate IP Telephony communications. Thus, SIP security will remain an active and interesting research area in the near future.

THANK YOU

Muhammad Yeasir Arafat

Systems Engineer

Email: yeasir@dhakacom.com

yeasir08@yahoo.com

Dhakacom Limited

Dhaka, Bangladesh