Developing Secure, Multi-lateral Peer to Peer SIP Applications
[email protected]
Market Problem
[Diagram: Service Provider POPs (Ethernet switch, router, PSTN gateways) connected over the Internet or an IP network; a call (€£¥$) leaves the Originating Domain, but how does it reach the Terminating Domain?]
• Routing
• Access Control
• Accounting
• Settlement
Current Status of Peering
• Ad hoc bilateral peering arrangements
• ENUM provides a solution for peer to peer route discovery. But how to handle?
o Inter-domain access control
o Accounting
o Settlement disputes
o Backwards compatibility with Operations and Billing Support Systems for H.323 networks
o Evolution to new services
Benefits of secure multi-lateral peering
• Efficient peer to peer communications eliminates signaling bottlenecks
• Access control is greatly simplified
o IP access lists are eliminated
o Asymmetric key management is simpler and more secure than shared secrets
• Eliminates costly overhead of managing many bilateral interconnect agreements
Solution: Open Settlement Protocol
• Open Settlement Protocol (OSP):
o Global standard for inter-domain transaction authorization and usage reporting.
o Developed by ETSI in 1998, now in version 4.1.1
o Based on existing standards
o Uses Asymmetric Public Key Infrastructure (PKI) services for non-repudiation of transactions
o Broad support: Asterisk, SER, Cisco, Alcatel, Radvision, UTStarcom, Mediaring, ISDN Communications, Veraz, Vovida, Teles
o Protocol Independent
• Works with SIP, H.323, SMS, MMS, IAX …
Overview I - How OSP Works
• Route discovery
• Inter-domain access control
[Diagram: over the IP network, Domain A authenticates to the OSP Server and receives an Authorization Token; Domain A sends a SIP INVITE with Token to Domain B; RTP then flows directly between Domain A and Domain B.]
Overview II - How OSP Works
• CDR collection
[Diagram: over the IP network, Domain A and Domain B each send Accounting: Encrypted CDR to the OSP Server.]
The Basics of Public-key Cryptosystems
Critical Points:
• Public / Private keys used for encryption / decryption and digital signatures
• Public keys are public – easy to distribute
• A digital certificate signed by a trusted 3rd party ensures the public-key is legitimate
• Digital signatures provide data integrity, authentication and non-repudiation
• Certificates may be chained from a root authority
Security services between parties rely on exchange of public keys and security of private keys.
Establishing PKI Security Services
[Diagram: exchange between a SIP Device and the Certificate Authority (CA) for Peer to Peer Authorization (OSP Server)]
1. Client Device requests public-key and certificate from CA
2. CA sends its public key and its certificate
3. Client Device sends certificate request to CA
4. CA returns signed certificate
[Certificate contents: VoIP Device Information, VoIP Device Public Key, Certified by Cert. Authority, CA Signature (signed with CA private key)]
Source Peer Authentication
[Diagram: Carrier A sends an Authorization Request to the OSP Server over the IP network.]
• Routing request to OSP Server is digitally signed with VoIP device’s private key.
• OSP server verifies client signature with client’s public key to authenticate routing request.
Inter-Domain Access Control
[Diagram: the OSP Server returns an Authorization Response with Token to Domain A; Domain A sends a SIP INVITE with Token to Domain B.]
• OSP Server digitally signs authorization token
• Authorization token included in SIP INVITE
• Domain B has no trusted relationship with Domain A, but verifies digital signature with CA public key
• Carrier can retain digital signature for non-repudiation
Authorization Token
• Destination
o IP address, domain name, sip uri, tel uri, E164, trunk group
• Destination Protocol
o SIP, Q931, H323-LRQ, IAX, other
• Transaction ID
• Service Type, Bandwidth, Number of Channels
• Call ID, Session ID, MultiSession ID
• Valid After – Valid Until
• Authorized amount
o Seconds, packets, bytes, pages, call, session, price, currency
• Authority URL
Secure Accounting
[Diagram: over the IP network, Domain A and Domain B each send a Usage Indication: Encrypted CDR to the OSP Server.]
• Domains A and B encrypt CDRs with CA public key
• OSP Server decrypts CDR with CA private key
• For auditing, OSP Server can request in real time that a domain digitally sign a batch of CDRs
Capabilities & Pricing Messages
• OSP enables clients to update OSP server database in real time.
• Capabilities Exchange messages can be used
o To indicate service features available
o To indicate bandwidth or channel available
o To indicate presence
• Pricing Indication is used to provide rate changes
o for services (voice, fax, message, video …)
o based on seconds, pages, bytes, packets and currency
Examples of OSP Peering
• Enterprise VoIP VPN
• Wholesale Inter-Carrier VoIP Services
• Tiered Peering
• DUNDi Settlement Clearinghouse
Enterprise VoIP Network
[Diagram: Call Center, Headquarters, Sales Office, Branch Office and Manufacturing sites connected over the Internet.]
• Requirements:
1. Centralized routing
2. Secure inter-office access control
3. Centralized accounting
4. Autonomous local operation
5. Minimum bandwidth
Enterprise VoIP VPN
• OSP peering architecture provides secure VoIP VPN
[Diagram: the same sites (Call Center, Headquarters, Sales Office, Branch Office, Manufacturing) form a VoIP VPN over the Internet, with an OSP Server.]
1. Centralized routing
2. Secure inter-office access control
3. Centralized accounting
4. Autonomous local operation
5. Minimum bandwidth
Wholesale Inter-Carrier Services
[Diagram: ITSP peers connected over the Internet.]
• Challenge: How to manage interconnect access and billing among thousands of ITSP peers
Wholesale Inter-Carrier Services
[Diagram: ITSP peers connected over the Internet.]
• Conventional solution is to route all calls via a softswitch or session border controller.
Wholesale Inter-Carrier Services
[Diagram: ITSP peers over the Internet with OSP Servers; a Route Lookup to the OSP Server precedes the direct call.]
• Direct peering with OSP is more scalable, more reliable, better QoS, less bandwidth, lower cost.
Wholesale Inter-Carrier Services
[Diagram: ITSP peers over the Internet with OSP Servers; a Source CDR and a Dest. CDR are reported for each call.]
• Call Detail Collection from both the source and destination eliminates settlement disputes
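As an added example (not from the slides or any OSP product), this Python reconciliation pairs the source and destination CDRs a clearinghouse receives for the same call and classifies each transaction. The record layout and the sample records are constructed for illustration; the OSP TransactionId and the token's authorized Amount (in seconds) are the fields shared by both sides.

```python
from dataclasses import dataclass

@dataclass
class UsageRecord:
    """One CDR as received by the OSP server (after decryption). Constructed layout."""
    transaction_id: str   # OSP TransactionId, shared by both ends of the call
    reporter: str         # "source" or "destination" domain
    duration_s: int       # seconds of usage the reporter claims
    authorized_s: int     # Amount (Unit s) from the authorization token

# Constructed usage reports for three calls; only the first id is from the slides.
SAMPLE_CDRS = [
    UsageRecord("4785098287068543017", "source", 610, 14400),
    UsageRecord("4785098287068543017", "destination", 612, 14400),
    UsageRecord("4785098287068543018", "source", 15000, 14400),
    UsageRecord("4785098287068543018", "destination", 15000, 14400),
    UsageRecord("4785098287068543019", "destination", 300, 14400),
]

def reconcile(cdrs, tolerance_s=5):
    """Pair source and destination CDRs by transaction id and classify each call.
    Both sides' records are required: a one-sided claim is flagged, not billed."""
    by_tx = {}
    for c in cdrs:
        by_tx.setdefault(c.transaction_id, {})[c.reporter] = c
    verdicts = {}
    for tx, sides in sorted(by_tx.items()):
        src, dst = sides.get("source"), sides.get("destination")
        if src is None or dst is None:
            verdicts[tx] = "missing " + ("source" if src is None else "destination") + " CDR"
        elif abs(src.duration_s - dst.duration_s) > tolerance_s:
            verdicts[tx] = f"duration mismatch: {src.duration_s}s vs {dst.duration_s}s"
        elif max(src.duration_s, dst.duration_s) > src.authorized_s:
            verdicts[tx] = "usage exceeds authorized amount"
        else:
            # Settle on the shorter claim so neither side profits from the gap.
            verdicts[tx] = f"settled: {min(src.duration_s, dst.duration_s)}s"
    return verdicts
```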
Tiered Peering
[Diagram: a Yellow Peering Network and a Purple Peering Network, each with its own OSP Servers, connected over the Internet. 1. Auth. Request from the source to its network's OSP Server; 2. Auth. Request from that server to the top tier OSP Server; 3. Auth. Response; 4. Auth. Response; then a SIP INVITE with token for the Purple network.]
• OSP enables secure peering among multiple peering networks.
Tiered Peering CDR Reporting
[Diagram: Source CDR and Dest. CDR from the Yellow Peering Network and from the Purple Peering Network flow up to the top tier OSP Servers.]
• Top tier peering networks receive Call Detail Records from both source and destination peers.
DUNDi Clearinghouse
[Diagram: OSP Server acting as clearinghouse; a node asks "rate / minute?" and is answered "2¢ / minute!"; Token Request to the OSP Server.]
• DUNDi nodes enroll with CA
• Route and rate discovery with DUNDi
• Source submits route & rate to clearinghouse for digitally signed token
DUNDi Clearinghouse
[Diagram: SIP INVITE with token from source to destination; both send CDRs to the OSP Server.]
• SIP INVITE includes signed token
• Destination validates rate in token
• CDRs sent to clearinghouse
Details of OSP
• An OSP server is a web server
• Message Formats
o Multipurpose Internet Mail Extensions (MIME)
o eXtensible Markup Language (XML)
o Secure MIME
• Communication Protocols
[Protocol stack, top to bottom: Open Settlement Protocol; XML Presentation; HTTP V1.0; TCP port 80, or SSL / TLS on TCP port 443; IP]
OSP Message Example
HTTP Header:
HTTP/1.1 200 OK
Server: IP address of OSP server
Date: Thu, 12 May 2005 18:32:59 GMT
Connection: Keep-Alive
Keep-Alive: timeout=3600, max=5000
Content-Length: 1996
Content-Type: text/plain

OSP Message:
<?xml version='1.0'?>
<Message messageId='11703738491' random='21655'>
<AuthorizationResponse componentId='11703738490'>
<Timestamp>2005-05-12T18:32:59Z</Timestamp>
<TransactionId>4785098287068543017</TransactionId>
<Destination>
 <CallId encoding='base64'>MTExNTkxOTE3Ny45</CallId>
 <DestinationInfo type='e164'>Called Number</DestinationInfo>
 <DestinationSignalAddress>[IP Address:Port]</DestinationSignalAddress>
 <UsageDetail>
  <Amount>14400</Amount>
  <Unit>s</Unit>
 </UsageDetail>
 <ValidAfter>2005-05-12T18:27:59Z</ValidAfter>
 <ValidUntil>2005-05-12T18:37:59Z</ValidUntil>
 <DestinationProtocol>sip</DestinationProtocol>
 <SourceInfo type='e164'>Calling Number</SourceInfo>
 <Token encoding='base64'>
 Vj0xCnI9MjE2NTUKYz0KQz03Nzc3Nzc3Nzc3Cmk9TVRFeE5Ua3hPVEUzTnk0NQphPT
 IwMDUtMDUtMTJUMTg6Mjc6NTlaCnU9MjAwNS0wNS0xMlQxODozNzo1OVoKST00Nz

Callouts:
• Unique Transaction ID per call
• Call ID from source device
• Called Number may be translated
• IP Address of Called Number
• Call authorized for 14400 seconds
• Call authorized to start in 10 minute window
• Protocol may be SIP, H323, IAX, …
• Digital signature of token ensures non-repudiation
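As an added example (not from the slides or any OSP implementation), the checks a terminating domain would apply to the token in an incoming INVITE, in Python. The base64 token on the slide decodes to line-oriented key=value text; the field meanings (C = called number, i = call ID, a/u = valid after/until, I = transaction ID) are inferred from the matching XML elements, the AuthorizationResponse and the values filling its placeholders are constructed, and verification of the token's S/MIME signature with the CA public key is assumed to have happened before these checks.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed token body: the key=value lines the slide's base64 token decodes
# to. Field letters come from that token; meanings (C=called number, i=call ID,
# a/u=valid after/until, I=transaction ID) are inferred, not from a spec.
TOKEN_TEXT = ("V=1\nr=21655\nc=\nC=7777777777\ni=MTExNTkxOTE3Ny45\n"
              "a=2005-05-12T18:27:59Z\nu=2005-05-12T18:37:59Z\n"
              "I=4785098287068543017\n")

# Constructed AuthorizationResponse modelled on the slide's message.
SAMPLE_RESPONSE = f"""<?xml version='1.0'?>
<Message messageId='11703738491' random='21655'>
<AuthorizationResponse componentId='11703738490'>
<TransactionId>4785098287068543017</TransactionId>
<Destination>
 <CallId encoding='base64'>MTExNTkxOTE3Ny45</CallId>
 <DestinationInfo type='e164'>7777777777</DestinationInfo>
 <UsageDetail><Amount>14400</Amount><Unit>s</Unit></UsageDetail>
 <ValidAfter>2005-05-12T18:27:59Z</ValidAfter>
 <ValidUntil>2005-05-12T18:37:59Z</ValidUntil>
 <DestinationProtocol>sip</DestinationProtocol>
 <Token encoding='base64'>{base64.b64encode(TOKEN_TEXT.encode()).decode()}</Token>
</Destination>
</AuthorizationResponse>
</Message>"""

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def decode_token(b64):
    """Token fields as a dict; b64decode drops the whitespace from line-wrapping."""
    lines = base64.b64decode(b64).decode().splitlines()
    return dict(line.split("=", 1) for line in lines if "=" in line)

def check_token(xml_text, invite_call_id, now):
    """Bindings Domain B checks on a token carried in an INVITE. Verification
    of the S/MIME signature with the CA public key is assumed done already."""
    dest = ET.fromstring(xml_text.encode()).find("AuthorizationResponse/Destination")
    tok = decode_token(dest.findtext("Token"))
    # Token call ID is base64 of the source device's Call-ID; tie it to the INVITE.
    if tok.get("i") != base64.b64encode(invite_call_id.encode()).decode():
        return "call-id mismatch"
    if not parse_time(tok["a"]) <= now <= parse_time(tok["u"]):
        return "outside validity window"
    if tok.get("C") != dest.findtext("DestinationInfo"):
        return "called number mismatch"
    if dest.findtext("DestinationProtocol") != "sip":
        return "wrong destination protocol"
    return "ok"
```

The Call-ID "1115919177.9" is what the slide's CallId element decodes to, so a replayed token carried in an INVITE with any other Call-ID is refused before the validity window is even consulted.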
Open Source Tools
• www.SIPfoundry.org
o OSP Toolkit (client)
o OpenOSP Server (based on Apache)
o RAMS OSP Server
• www.Asterisk.org
o Asterisk includes OSP client
• OSP Module for SIP Express Router
o http://osp-module.berlios.de
• www.voxgratia.org
o OSP enabled H323 proxy (future support for SIP)
• www.TransNexus.com
o OSPrey – free OSP server