Voice over IP
حسين كاري زاده, Dey 1388
ULg VoIP © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Agenda
- 'old world' voice = TDM
- 'new world' voice
- packetization
- Quality of service
- Signalling
- Issues with NAT
- Security

Telephony Equipment
- Basic telephone handset
- Key system: mechanical to electronic; 2-10 telephone handsets is typical
- PABX: advanced features and call routing; 10-100's of telephone handsets
- The Telephone Exchange / C.O.

Analogue Telephony: Signaling
- Supervisory: on-hook/off-hook ("Can I make a phone call?")
- Addressing: DTMF ("...the dialed number...")
- Call progress: ringback tone ("...is the phone ringing or engaged?")

Loop Start Signaling (FXS)
[Diagram: a station handset on a loop (local or station) to a PBX or Central Office. On-hook = open loop. Off-hook = closed loop: the switch's current sense detects the DC current drawn from the 48 V battery over the tip (T) and ring (R) wires. Ringing = AC applied to the bell while the phone is on-hook; the call is answered by going off-hook.]

Basic Call Progress: Idle
[Diagram: both telephones on-hook, open circuit; the switch keeps 48 V on each local loop.]

Basic Call Progress: Dialing
[Diagram: the calling telephone goes off-hook, closed circuit, DC current flows; the switch returns dial tone; the dialed digits are sent as pulses or tones; the called telephone is still on-hook, open circuit.]

Basic Call Progress: Switching
[Diagram: the switch performs address-to-port translation for the dialed number; the called telephone is still on-hook, open circuit.]

Basic Call Progress: Ringing
[Diagram: the switch applies a 90 V AC ring signal to the called telephone's local loop and returns ring-back tone to the caller.]
Basic Call Progress: Talking
[Diagram: both telephones off-hook, closed circuit; voice energy is carried over the DC current on each local loop.]

Voice Signalling
- Trunk signalling: PBX to PBX, over the PSTN or a private network
- Station loop signalling: between the handset and the PBX

Echo in Voice Networks
[Diagram: talker and listener with delay in the network; talker echo returns to the talker, listener echo reaches the listener.]

Echo Is Always Present
- Too much echo is bad, but no echo is also bad!
[Chart: echo loss (dB) against echo path delay (ms). With high loss (around 50 dB) echo is unnoticeable; with low loss (around 10 dB) echo is a problem, and more so as the delay grows from about 20 ms to about 200 ms.]

How Does Echo Happen?
- Echo is due to a reflection
- An impedance mismatch at the 2-wire/4-wire hybrid is the most common reason for echo
[Diagram: the impedance mismatch is at the remote exchange; the echo is experienced at the local exchange, on the talker's Tx/Rx pair.]

Speech and the Telephone Network
[Chart: power/volume against frequency/pitch. The human ear responds up to about 16 kHz; the telephone network passes 300 Hz to 3400 Hz, labelled "3700Hz voice bandwidth", within a 4 kHz band.]

Mean Opinion Score
[Diagram: a source sentence ("Nowadays, a chicken leg is a rare dish") passes through channel simulation, impairment and codec 'X'; listeners rate the result from 1 to 5.]
Rating  Speech Quality  Level of Distortion
5       Excellent       Imperceptible
4       Good            Just perceptible but not annoying
3       Fair            Perceptible and slightly annoying
2       Poor            Annoying but not objectionable
1       Unsatisfactory  Very annoying and objectionable
- MOS of 4.0 = toll quality
Summary
- Analogue voice technology dates back to the late 1800s
- Analogue information exchange is based on voltage, current sense and grounding
- Echo is a fundamental component of analogue voice and must be controlled

Agenda: 'new world' voice

Voice/Data Network Components
[Diagram: on the telephony side, a signaling network (SCP, STPs, signalling links, SSPs) with in-band or out-of-band signalling (SS7, QSIG, proprietary), a bearer facility, PBXs joined by CO trunks, and phones A (X1001) and B (X2001). On the data side, switches, routers, a wide-area router network, and computers A (200.1.1.1) and B (200.1.2.1) on Ethernet; routing and signaling (BGP, OSPF, EIGRP, RIP) run in-band.]

Connection vs. Connectionless
- Connection: signaled based on the destination number; the connection remains up for the duration of the call (X1001 to X2001 through Class 5 and Class 4 switches, PBXs attached by PRI)
- Connectionless: packets are routed by hop, flow or destination (voice between 10.1.1.1 and 10.1.2.1 across routers R1 to R4)

IP Phones
- QoS in phones: standard 802.1p/q
- Integrated Ethernet switching
- Easy access to new world features: IPv6, GigaEthernet, video, IEEE 802.1x

Inline Power: IEEE 802.3af
- Provides DC power over standard Category-5 Ethernet
- IP phones are power hungry and you do not want a 220 V power cable, so power is delivered through the UTP cable
[Diagram: inline power compared with 10/100 Ethernet without inline power.]

Agenda: Packetization
Analogue to Digital Voice
- Pulse Code Modulation, Nyquist theorem: sample rate = 2 x highest frequency
- Analogue audio source with a bandwidth of 300 to 4000 Hz; the sampling stage takes 8,000 samples per second
- 1 sample = 8 bits; 8000 samples/sec = 64,000 bit/s of digital audio stream (...00100101111011001001...)

Speech Compression Techniques
- What does the compression? A Digital Signal Processor (DSP) running a codec

Speech Compression Techniques: Overview
- Waveform coding: PCM
- Differential waveform coding: DPCM, ADPCM
- Source algorithms: generic CELP, CS-ACELP

Subjective Quality (MOS)
[Chart: mean opinion score against bit rate from 2 to 64 kbps. Hybrid coders (LD-CELP and CS-ACELP) score near 4 at low rates; waveform coders (ADPCM) need higher rates for the same score; vocoders (older technology) score lower.]
Score  Quality    Description of Impairment
5      Excellent  Imperceptible
4      Good       Just perceptible, not annoying
3      Fair       Perceptible and slightly annoying
2      Poor       Annoying but not objectionable
1      Bad        Very annoying and objectionable
Source: A.M. Kondoz, "Digital Speech Coding for Low Bit-Rate Communications Systems", 1995

Voice Activity Detection: G.729b
[Chart: voice activity (power level) over time, with speech "spurts" separated by silence; levels marked at -31 dBm and -54 dBm. During silence, once a hang timer expires, no voice traffic is sent and the bandwidth is recovered.]

RTP/RTCP: RFCs 1889/1890
- End-to-end network transport function
- Payload type identification: voice, video, compression type
- Sequence numbering
- Time stamping
- Delivery monitoring: RTCP (Real-Time Control Protocol)
[Header layout, 4 bytes per row: version, CC, M, payload type, sequence number; RTP timestamp; synchronization source (SSRC) ID.]
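An added example (not from the slides) that parses the RTP fixed header shown above, tells STUN from RTP by the top two bits of the first byte as the later STUN slide relies on, and carries through the PCM and per-call bandwidth arithmetic; the 4-byte link-layer overhead is an assumption chosen so that the figures match the 26 and 11 kbps quoted on the next slide.

```python
import struct


def pcm_bitrate(highest_hz, bits_per_sample=8):
    """Nyquist: sample at 2 x the highest frequency, then multiply by sample width."""
    return 2 * highest_hz * bits_per_sample          # 4000 Hz, 8 bits -> 64000 bit/s


def build_rtp(pt, seq, ts, ssrc, payload, marker=False):
    """Build an RTP packet with the 12-byte fixed header (version 2, no CSRCs)."""
    b0 = 2 << 6                                      # V=2, P=0, X=0, CC=0
    b1 = (0x80 if marker else 0) | (pt & 0x7F)       # M bit + 7-bit payload type
    return struct.pack("!BBHII", b0, b1, seq, ts, ssrc) + payload


def parse_rtp(pkt):
    """Return the fixed-header fields of the slide's layout plus the payload."""
    if len(pkt) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    hdr = {
        "version": b0 >> 6, "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10), "cc": b0 & 0x0F,
        "marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
        "sequence": seq, "timestamp": ts, "ssrc": ssrc,
    }
    if hdr["version"] != 2:
        raise ValueError("not RTP version 2")
    csrc_end = 12 + 4 * hdr["cc"]                    # optional CSRC list follows the fixed header
    hdr["csrc"] = list(struct.unpack("!%dI" % hdr["cc"], pkt[12:csrc_end]))
    hdr["payload"] = pkt[csrc_end:]
    return hdr


def classify(pkt):
    """STUN and RTP share one UDP port; the top two bits of byte 0 separate them:
    RTP carries version 2 (binary 10), a STUN message type begins with 00."""
    return {0: "stun", 2: "rtp"}.get(pkt[0] >> 6, "unknown")


def call_bandwidth_kbps(codec_kbps, ptime_ms, l2_bytes=4, crtp_bytes=None):
    """One direction of a call, RTCP excluded. Each packet carries ptime_ms of
    audio plus IP (20) + UDP (8) + RTP (12) = 40 header bytes, or crtp_bytes
    when cRTP compresses the three headers. l2_bytes is link framing (assumed)."""
    payload = codec_kbps * ptime_ms // 8             # bytes of audio per packet
    header = 40 if crtp_bytes is None else crtp_bytes
    packets_per_second = 1000 / ptime_ms
    return (payload + header + l2_bytes) * 8 * packets_per_second / 1000


# Constructed sample: one 20 ms G.729 frame (payload type 18, 20 bytes) in RTP.
SAMPLE_RTP = build_rtp(18, 1, 160, 0xDEADBEEF, bytes(20))
# Constructed RFC 3489 Binding Request header: type 0x0001, length 0, transaction ID.
SAMPLE_STUN = b"\x00\x01\x00\x00" + bytes(16)

if __name__ == "__main__":
    print(parse_rtp(SAMPLE_RTP))
    print(classify(SAMPLE_RTP), classify(SAMPLE_STUN))
    print(call_bandwidth_kbps(8, 20), call_bandwidth_kbps(8, 20, crtp_bytes=4))
```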
Bandwidth Per IP Call
- 20 ms @ 8 kbit/s of compressed voice = a 20-byte payload
- IP header (20) + UDP header (8) + RTP header (12): the header is 40 bytes, giving 26 kbps of bandwidth per call
- Compressing the RTP header to 4-5 bytes gives 11 kbps of bandwidth per call

Summary
- All voice over the telephone network is somewhat compressed
- DSPs allow very high compression rates while producing good quality speech
- Silence suppression can deliver additional bandwidth efficiencies

Agenda: Quality of service

Delay and Voice
[Diagram: sender PBX, network, receiver PBX. From the first bit transmitted to the last bit received, end-to-end delay = processing delay + network transit delay + processing delay.]

Delay Variation: "Jitter"
[Diagram: sender A transmits packets A, B, C with spacings d1 and d2; receiver B receives them with spacings D1 and D2; the difference between D1, D2 and d1, d2 is the jitter.]

Delay and Jitter
- Delay and jitter are generated when a packet is stored and forwarded by routers and switches (frame, cell)
- Delay is also generated by links: 1 microsecond every 200 km
- Jitter is also caused by bursts

Delay in Perspective
[Chart: cumulative transmission path delay from 0 to 800 ms. High quality at the low end, then fax relay and broadcast, then satellite quality, then the "CB zone"; a delay target is marked.]

Integrated Services QoS Model
- Resource Reservation Protocol (RSVP)
[Diagram: the application signals "I need 1 Mbps BW and 200 msec delay"; each hop along the path reserves "1 Mbps BW on this line".]
RSVP Agent for Dumb Phones
- The main office edge router contains an RSVP Agent, which is the RSVP signaling proxy for Cisco CallManager
- CallManager (SIP proxy) signals to the RSVP Agents to establish the inter-location reservation
- Phone to agent: media not reserved; between the RSVP Agents of remote office #1 and remote office #2: reserved path (audio stream)

Differentiated Services
[Diagram: classification at the Catalyst access switches on the campus and the remote campus, enforcement in the Cisco routers across the campus backbone; traffic sources such as the finance manager, order entry, finance, manufacturing and the multimedia training servers.]

Packet Classification Layers
- Layer 3: 3 bits of the IPv4 ToS byte, called IP Precedence, for differentiated services (DiffServ may use 6 DS bits plus 2 for flow control). IPv4 header fields: version, ToS, length, ID, offset, TTL, protocol, FCS, IP-SA, IP-DA, data
- Layer 2: 802.1Q/p 4-byte TAG inserted between SA and PT (frame: preamble, SFD, DA, SA, TAG, PT, data, FCS); 3 bits used for CoS (user priority)

QoS Policy Enforcement
- Admission control: CAR (Committed Access Rate)
- Congestion management: PQ (Priority Queuing), CBWFQ (Class Based WFQ)
- Congestion avoidance: WRED (Weighted Random Early Detection)
- Traffic shaping: GTS (Generic Traffic Shaping)

ML-PPP queueing algorithm
- Fragment large packets (a jumbogram becomes fragments 1 to 4)
- Let small packets use "normal" encapsulation and interleave with the fragmented traffic (voice 1, fragment 1, voice 2, fragment 2, ...)

Agenda: Signalling
Simple signaling: SCCP /1
- The phone is powered, what next?
- 1. The phone looks for a DHCP server
- 2. The phone gets an IP address + the CM address (DHCP & TFTP)
- 3. The phone sends its MAC address to the CM
- 4. The CM sends the configuration, taken from its config table (MAC address -> config)
[Diagram: IP phones on a Catalyst switch, Call Manager on an MCS-7835.]

Simple signaling: SCCP /2
- What happens if IP phone '210' calls '320'?
- 1. The phone sends '3', '2', '0' to the CM
- 2. The CM recognizes the number in its routing table (#210 = 20.10.1.1, #320 = 30.20.1.1, #430 = 40.30.1.1)
- 3. The CM sends the call request to 30.20.1.1 ("210 is calling!")
- 4. Phone '320' answers, and the phones talk directly to each other through IP

SIP: Session Initiation Protocol
- SIP is another VoIP signaling protocol
- Web-like text format messages, similar to HTTP
- Fast call setup
- Runs over UDP or TCP
- SIP proxies are the equivalent of H.323 gatekeepers

SIP Basics
- SIP is a peer-to-peer protocol where end devices (User Agents, UAs) initiate sessions
- SIP defines the signaling mechanism
- SIP works for voice, video and instant messaging
- SIP uses IETF protocols: HTTP 1.1; Session Description Protocol (SDP); media (RTP); name resolution & mobility (DHCP & DNS); application encoding (MIME)
- SIP is ASCII text-based, which eases implementation & debugging

SIP Commands/Responses
Commands     Responses
INVITE       1XX Information
CONNECTED    2XX Success
BYE          3XX Redirection
UNREGISTER   4XX Client Error
REGISTER     5XX Server Error
             6XX Global Failure
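An added example (not from the slides) that parses SIP's HTTP-like text messages, maps response codes to the classes in the table above, and walks the call flow of the next slide (INVITE, 3xx redirect to the Contact address, 100 Trying, 180 Ringing, 200 OK, ACK, then BYE) against a constructed stand-in for the redirect server and the callee; all addresses are made up.

```python
import re

RESPONSE_CLASSES = {1: "Information", 2: "Success", 3: "Redirection",
                    4: "Client Error", 5: "Server Error", 6: "Global Failure"}


def parse_sip(text):
    """Split a SIP request or response into start line, headers (lower-cased
    names mapped to a list of values) and body, as one would an HTTP message."""
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    msg = {"headers": headers, "body": body}
    if lines[0].startswith("SIP/2.0 "):
        code = int(lines[0].split()[1])
        msg.update(kind="response", status=code, klass=RESPONSE_CLASSES[code // 100])
    else:
        method, uri, _ = lines[0].split(" ", 2)
        msg.update(kind="request", method=method, uri=uri)
    return msg


def build(start_line, headers, body=""):
    """Serialise a SIP message; an SDP body gets its Content-Type and Content-Length."""
    text = start_line + "\r\n" + "".join("%s: %s\r\n" % kv for kv in headers)
    if body:
        text += "Content-Type: application/sdp\r\nContent-Length: %d\r\n" % len(body)
    return text + "\r\n" + body


def sdp_media_port(msg):
    """The UDP port the callee wants RTP audio on, from the SDP m= line."""
    m = re.search(r"^m=audio (\d+) ", msg["body"], re.M)
    return int(m.group(1)) if m else None


class ToyNetwork:
    """Constructed stand-in for the redirect server plus the callee UA/GW."""
    def __init__(self):
        self.log = []                       # requests seen, in order

    def send(self, request_text):
        req = parse_sip(request_text)
        self.log.append("%s %s" % (req["method"], req["uri"]))
        echo = [("CSeq", req["headers"]["cseq"][0]), ("Call-ID", req["headers"]["call-id"][0])]
        if req["method"] == "INVITE" and req["uri"] == "sip:bob@example.com":
            return [build("SIP/2.0 302 Moved Temporarily",
                          echo + [("Contact", "<sip:bob@gw.example.com>")])]
        if req["method"] == "INVITE":       # the gateway: provisional, then final with SDP
            sdp = "v=0\r\nc=IN IP4 192.0.2.3\r\nm=audio 49172 RTP/AVP 0\r\n"
            return [build("SIP/2.0 100 Trying", echo), build("SIP/2.0 180 Ringing", echo),
                    build("SIP/2.0 200 OK", echo, sdp)]
        if req["method"] == "BYE":
            return [build("SIP/2.0 200 OK", echo)]
        return []                           # ACK gets no response


def place_call(net, uri, call_id="c1@example.com"):
    """Caller side of the slide's flow: INVITE, follow a 3xx to its Contact,
    collect responses up to the 2xx, ACK it, then hang up with BYE."""
    cseq, statuses = 1, []
    while True:
        hdrs = [("CSeq", "%d INVITE" % cseq), ("Call-ID", call_id)]
        replies = [parse_sip(r) for r in net.send(build("INVITE %s SIP/2.0" % uri, hdrs))]
        statuses += [r["status"] for r in replies]
        final = replies[-1]
        if final["klass"] == "Redirection":
            uri = final["headers"]["contact"][0].strip("<>")
            cseq += 1
            continue
        if final["klass"] != "Success":
            return {"connected": False, "responses": statuses}
        break
    net.send(build("ACK %s SIP/2.0" % uri, [("CSeq", "%d ACK" % cseq), ("Call-ID", call_id)]))
    bye = net.send(build("BYE %s SIP/2.0" % uri, [("CSeq", "%d BYE" % (cseq + 1)), ("Call-ID", call_id)]))
    statuses.append(parse_sip(bye[0])["status"])
    return {"connected": True, "responses": statuses, "uri": uri,
            "media_port": sdp_media_port(final)}
```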
SIP Call Flow
[Diagram: SIP phone, redirect server or SIP proxy, SIP UA / GW. The phone sends INVITE to the redirect server, which answers 3xx Redirect; the phone sends a new INVITE to the address returned in the Contact: of the 3xx response; the UA/GW answers 100 Trying, 180 Ringing, 200 OK; the phone sends ACK. At the end, BYE is answered with 200 OK.]

What Is 9-1-1 (or 1-1-2 or 9-9-9)?
- A simple, easy to remember telephone number that allows automated call routing to the local public safety agency, based on where you are calling from
- In some jurisdictions (North America) there are many different destinations; source routed
- Mostly ubiquitous for residential service
- Varying degrees of deployment globally: Enhanced 9-1-1 in North America; European Commission current efforts to converge on 1-1-2; India currently has a country-wide rollout of 1-0-8

Residential 9-1-1 Call-Flow (US view)
[Diagram: home 555-1234 on a "Plain Old Telephone Service" (POTS) line, Class 5 CO switch, Class 4 CO switch, 911 tandem switch (selective router) in the LEC network, connected by CAMA or SS7 to PSAPs #001, #002 and #003 over CAMA or ISDN.]
- The POTS line dials 9-1-1 (fixed ANI)
- The CO forwards the call to the SR and includes the ANI
- The SR determines the proper PSAP and forwards the call, including the ANI

Legacy Architecture: Smart Network, Dumb Endpoints
[OSI model view: PhoneCompany, Inc. owns the location, layer 7 (Mydialtone), layer 3 (Mynetwork) and layers 1/2 (Mywires); only the end device is the user's.]

Internet Architecture: Dumb Network, Smart Endpoints
[OSI model view: the end device is the common point; layer 7 application from Location/Presence.com, layer 3 network from ISP, Inc., layer 2 access from Last Mile, Inc. The endpoint says: "I think I'll advertise my location".]

Problem: The Global Road Warrior
[Diagram: a user in a hotel in Chicago ("112, what's that?") reaches corporate HQ in Paris ("Chicago, where's that?").]
[Diagram, continued: the path runs over the Internet to corporate HQ in Paris; the Chicago PSAP asks "How do I route this one?"] This issue must be solved!

SIP Routing Based on UAC's Location
- Alice sends, through her outbound proxy, an INVITE with SDP and location
- SIP routing based on location: urn:service:sos is not globally unique
- If the LoST query is done by the UA, the result may be carried as a Route header (though not sure yet)
- The proxy MUST learn the UAC's location, determine where the UAC is, then route the call to the proper Public Safety Answering Point (PSAP)
- The INVITE as shown on the slide (addresses are redacted in the source):

    INVITE sips:urn:service:sos SIP/2.0
    Via: SIP/2.0/TLS pc33.atlanta.com;branch=z9hG4bK74
    Max-Forwards: 70
    From: Alice <sip:[email protected]>;tag=9fxced76sl
    To: <sip:urn:service:sos>
    Call-ID: [email protected]
    CSeq: 31862 INVITE
    Geolocation: <cid:[email protected]>
    Route: <sips:[email protected];lr>
    Contact: <sip:[email protected]>
    Content-Type: multipart/mixed; boundary=0a0
    Content-Length: 311

    --0a0
    Content-Type: application/sdp

    v=0
    o=alice 2890844526 2890844526 IN IP4 atlanta.com
    c=IN IP4 10.1.3.33
    t=0 0
    m=audio 49172 RTP/AVP 0
    a=rtpmap:0 PCMU/8000
    --0a0
    Content-Type: application/pidf+xml (short form*)

    <gml:location>
    <gml:coordinates>28.44N 81.46W</gml:coordinates>
    </gml:location>
    <method>802.11</method>
    <provided-by>www.cisco.com</provided-by>
    --0a0--

* "Short form" means there was not enough room on the slide for the full body

Agenda: Issues with NAT

Network Address Translation: IP at Home
- IPv4 addresses are scarce and close to exhaustion
- Network Address Translation helps
[Diagram: inside hosts 192.168.1.1 and 192.168.1.2 behind a WiFi 'router' and an ADSL or cable modem that holds 1 IPv4 address; all inside hosts are multiplexed over the ISP address.]

Different NAT Behaviors...
- Mainly for stateless UDP sessions like RTP streams
- Symmetric NAT: one entry only for a specific 5-tuple <udp, global address, global port, remote address, remote port>
- Full-Cone NAT: one entry for a 3-tuple <udp, global address, global port>
- Restricted-Cone NAT: one entry for a 4-tuple <udp, global address, global port, remote address>
- Port-Restricted-Cone NAT: one entry for a 4-tuple <udp, global address, global port, remote port>
- Good reading: The Internet Protocol Journal, Volume 7, Number 3, by Geoff Huston

Symmetric NAT
[Diagram only.]

Full Cone NAT
[Diagram only.]

What is STUN/ICE?
- STUN: Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NAT)
- STUN (RFC 3489) is a request/response protocol; the response contains the IP address and UDP port the request arrived from
- Allows a client behind a NAT to find out its public address, the type of NAT it is behind, and the Internet-side port associated by the NAT
- Example application: Google Talk
- ICE: Interactive Connectivity Establishment
- Defines a standardized method for SIP-enabled clients to determine a set of IP addresses where clients can establish contact from behind a firewall
- Leverages STUN to collect IP addresses
- Example: MSN Live Messenger

STUN Overview
- Simple Traversal of UDP through NAT, RFC 3489
- Client-server protocol
- Allows a client behind a NAT to find out: its public address; the Internet-side port associated by the NAT with a particular local port; the type of NAT it is behind
- This information is used for UDP communication between two hosts that are both behind NAT routers
- Free implementation of a STUN client/server: http://sourceforge.net/projects/stun
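An added example (not from the slides) that models the four NAT behaviours listed above for UDP, following the RFC 3489 definitions (so a port-restricted cone filters on the remote address and port together), and replays the binding-discovery situation STUN is built for: the inside host learns its public address from the STUN server, then a peer tries to reach that address. The hosts and addresses are constructed.

```python
from itertools import count


class Nat:
    """UDP NAT with one of the slide's four behaviours (RFC 3489 names)."""

    def __init__(self, kind, public_ip="192.0.2.1", first_port=40000):
        self.kind, self.public_ip = kind, public_ip
        self.next_port = count(first_port)
        self.mappings = {}          # mapping key -> public port
        self.peers = set()          # (public port, remote ip, remote port) sent to

    def outbound(self, src, dst):
        """src=(private ip, port) sends to dst=(remote ip, port); returns the
        public (ip, port). A symmetric NAT keys the mapping on the destination
        too, so each remote endpoint sees a different public port."""
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            self.mappings[key] = next(self.next_port)
        port = self.mappings[key]
        self.peers.add((port, dst[0], dst[1]))
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """remote=(ip, port) sends to our public_port; returns the private
        (ip, port) it is delivered to, or None when the NAT drops it."""
        keys = [k for k, p in self.mappings.items() if p == public_port]
        if not keys:
            return None                         # no mapping: always dropped
        key = keys[0]
        if self.kind == "symmetric":            # 5-tuple: only that one remote
            return key[0] if key[1] == remote else None
        if self.kind == "full_cone":            # 3-tuple: anyone may send
            return key
        if self.kind == "restricted_cone":      # remote ip must have been sent to
            ok = any(p == public_port and ip == remote[0] for p, ip, _ in self.peers)
        elif self.kind == "port_restricted_cone":   # remote ip and port must match
            ok = (public_port, remote[0], remote[1]) in self.peers
        else:
            raise ValueError("unknown NAT kind: %s" % self.kind)
        return key if ok else None


def stun_then_peer(kind):
    """Host 10.0.1.1:5004 does STUN binding discovery, then a peer tries the
    reported public address. Returns which packets got through."""
    nat = Nat(kind)
    host, stun = ("10.0.1.1", 5004), ("192.0.2.2", 3478)
    stun_alt, peer = ("192.0.2.2", 3479), ("192.0.2.3", 6000)
    public = nat.outbound(host, stun)           # the STUN response reports this
    result = {
        "peer_unsolicited": nat.inbound(peer, public[1]) is not None,
        "stun_other_port": nat.inbound(stun_alt, public[1]) is not None,
    }
    public2 = nat.outbound(host, peer)          # host sends to the peer first
    result["same_public_port"] = public2 == public
    result["peer_after_outbound"] = nat.inbound(peer, public2[1]) is not None
    return result


if __name__ == "__main__":
    for kind in ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric"):
        print(kind, stun_then_peer(kind))
```

Only the full cone lets an unsolicited peer in; a symmetric NAT also gives the peer a public port different from the one the STUN server reported, which is why STUN alone cannot traverse it.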
STUN Operation
- The STUN server is located on the public Internet, using 2 addresses and 2 ports
- STUN usages: binding discovery, NAT keepalives
- STUN messages are sent on the very same ports that RTP will use later; the first 2 bits allow differentiating between STUN and RTP
[Diagram: STUN client in private net 1 behind NAT1, private net 2 behind NAT2, STUN server on the public Internet.]

Interactive Connectivity Establishment (ICE) Overview
- Offer-answer model for media streams through NAT
- Uses STUN and its relay extension TURN in a specific methodology which avoids many of the pitfalls of using any one alone
- Each agent can have its own STUN server, or they can be the same
- ICE agents (endpoints) discover their topologies to find a path or paths by which they can communicate
- Agents L and R are capable of engaging in an offer/answer exchange of SDP messages to set up a media session between L and R; the exchange occurs through a SIP server...

Gathering Candidate Addresses
- Each agent has a variety of candidate transport addresses: a directly attached network interface; a translated address on the public side of a NAT (a "server reflexive" address); the address of a media relay the agent is using

Example
[Diagram: binding discovery usage. Agent L at 10.0.1.1 behind a NAT whose public address is 192.0.2.1; STUN server at 192.0.2.2:3478; Agent R at 192.0.2.3.]

Connectivity Checks
- L orders its candidates from highest to lowest priority and sends them to R over the signaling channel in the SDP offer
- When R receives the offer, it runs the same gathering process and responds with its own ordered list of candidates; it then sorts the candidate pairs in priority order and sends checks on each candidate pair in priority order
- Both acknowledge checks received from the other agent
Agenda: Security

Voice and Data Threat Models Merge
- IP Telephony inherits IP data network threat models: reconnaissance, DoS, host vulnerability exploit, surveillance, hijacking, identity theft, misuse, etc.
- QoS requirements of IP Telephony increase exposure to DoS attacks that affect delay, jitter, packet loss and bandwidth
- PC endpoints typically require user authentication; phones typically allow any user (exceptions: access/billing codes, Class of Service)

IPT Servers
- They are essential to IPT
- Protected by: strict security policy enforcement (firewall, ...); host security (IPS, AV, ...); applying security fixes; RBAC management

Design a Secure IP Network: Data and Voice Segmentation
- Physical separation of course gives the best security but has investment constraints
- Use the same physical access, core and distribution layers for the two segments but segment logically
- Segmentation also provides easier QoS configuration, scalability and manageability
- Technologies such as Layer 3 access control, stateful firewall, MPLS-VPN and VLANs make this possible
[Diagram: access, distribution, core and server layers; user systems and the call-process manager, proxy, e-mail and voice-mail servers on separate segments.]

Firewall and NAT Voice ALGs
- ALG = Application Layer Gateway = firewall fixup
- Perform stateful inspection of voice signaling protocols
- ALGs exist for SIP, SCCP, H.323 and MGCP
Different Paths for Signaling and Media Streams
- ALGs perform stateful inspection of voice signaling protocols and exist for SIP, SCCP, H.323 and MGCP
- Issue if the signaling does not follow the media streams: 1) the signaling passes through one firewall, 2) the media stream arrives at another, 3) no state there => blocked

Securing the IP Telephony Itself
- Plain SIP/SCCP protocols: no authentication, no integrity, no confidentiality
- Secure SIP/SCCP protocols: authentication using X.509 certificates; integrity and confidentiality relying on cryptographically secure protocols
- Secure firmware and configuration with RSA signatures

Protecting Signaling
- TLS: Transport Layer Security; supports any application protocol (HTTP, SCCP, SIP, LDAP) over TLS over TCP over IP
- Authentication: bi-directional PKI establishes authentication; bi-directional PKI pairs for mutual authentication; needs a secure method to exchange the shared secret; the shared secret is exchanged using RSA
- Integrity: computes a Hashed Message Authentication Code (HMAC); allows MD5 or SHA1
- Confidentiality: encryption offers confidentiality; conventional cryptography using the shared secret; DES, 3DES, AES; RC2, RC4; IDEA

Authentication and Encryption Basics: Protecting the Signaling
- TLS is the transport for signed (RSA), authenticated (HMAC-SHA1) and encrypted (AES-128) signaling (1)

SRTP: Secure RTP
- RFC 3711 for transport of secure media
- Uses AES-128 for both authentication and encryption
- High throughput, low packet expansion
[Packet layout: V, P, X, CC, M, PT, sequence number; timestamp; synchronization source (SSRC) identifier; contributing source (CSRC) identifiers ...; RTP extension (optional); RTP payload; SRTP MKI (0 bytes for voice); authentication tag (4 bytes for voice). The RTP payload is the encrypted portion; the header and payload together are the authenticated portion.]
Authentication and Encryption Basics: Protecting the Media Streams
- SRTP is the transport for authenticated and encrypted (AES-128) media (2)
[Diagram: CAPF and CTL client on the phone side.]

Firewalls Blinded by Encrypted Signaling
- If the signaling is encrypted, how can the firewall inspect the traffic? 1) the signaling passes, 2) "What is this?", 3) the media stream arrives, 4) unknown traffic => dropped!

SPIT: Spam over IP Telephony
- Potential issue of getting spammed by IP telephony
- Easy for spammers: scan the Internet; send 1000's of SIP INVITEs/sec (using UDP); play a message over RTP when someone picks up
- Hopefully: not a lot of SIP phones on the Internet; SIP phones will probably accept INVITEs only over TCP and from a known/trusted SIP proxy

Final Words
- IP Telephony is now a proven technology
- SIP is the standard
- IP Telephony can be secured
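An added example (not from the slides) of the admission policy the SPIT slide anticipates: a phone accepts INVITEs only over TCP or TLS and only from a known SIP proxy, with a per-source rate limit against the many-INVITEs-per-second scanning described above, and a tally of rejected sources for the operator to review. The proxy and scanner addresses, thresholds and the replayed event list are constructed.

```python
from collections import defaultdict, deque

SECURE_TRANSPORTS = {"tcp", "tls"}


class InvitePolicy:
    """Decide, per signalling message, whether a SIP phone should accept it."""

    def __init__(self, trusted_proxies, burst=5, window_s=1.0):
        self.trusted = set(trusted_proxies)
        self.burst, self.window = burst, window_s
        self.recent = defaultdict(deque)    # source ip -> times of recent INVITEs
        self.rejected = defaultdict(int)    # source ip -> rejection count

    def decide(self, src_ip, transport, method, now):
        """Return (accept, reason). Only INVITE is policed: it is the message a
        spammer needs in order to make a phone ring."""
        if method != "INVITE":
            return True, "non-INVITE"
        times = self.recent[src_ip]
        times.append(now)
        while times and now - times[0] > self.window:
            times.popleft()                 # forget INVITEs older than the window
        if transport.lower() not in SECURE_TRANSPORTS:
            return self._reject(src_ip, "udp-invite-refused")
        if src_ip not in self.trusted:
            return self._reject(src_ip, "untrusted-source")
        if len(times) > self.burst:
            return self._reject(src_ip, "rate-limited")
        return True, "accepted"

    def _reject(self, src_ip, reason):
        self.rejected[src_ip] += 1
        return False, reason

    def suspected_scanners(self, threshold=10):
        """Sources rejected at least `threshold` times: candidates for blocking upstream."""
        return sorted(ip for ip, n in self.rejected.items() if n >= threshold)


# Constructed replay: an Internet scanner spraying UDP INVITEs, then the enterprise
# proxy placing legitimate calls over TLS. Tuples: (src ip, transport, method, seconds)
SCANNER, PROXY = "203.0.113.7", "198.51.100.10"
EVENTS = [(SCANNER, "udp", "INVITE", i * 0.001) for i in range(50)]
EVENTS += [(PROXY, "tls", "INVITE", 1.0 + i * 0.1) for i in range(3)]
EVENTS += [(PROXY, "tls", "BYE", 2.0)]


def replay(events, trusted_proxies=(PROXY,)):
    """Run the policy over a list of events; returns the policy and a tally by reason."""
    policy = InvitePolicy(trusted_proxies)
    tally = defaultdict(int)
    for src, transport, method, t in events:
        _, reason = policy.decide(src, transport, method, t)
        tally[reason] += 1
    return policy, dict(tally)


if __name__ == "__main__":
    policy, tally = replay(EVENTS)
    print(tally, policy.suspected_scanners())
```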