Protocols used for Voice over Internet Protocol (VoIP)

2. Session Initiation Protocol (SIP)

Session Initiation Protocol (SIP) is a signaling protocol specified by the Internet Engineering Task Force (IETF) and used to set up and tear down two-way communication sessions. SIP operates at the application layer, so it can be used over several different transport protocols: Transmission Control Protocol (TCP) allows more security to be provided, whereas User Datagram Protocol (UDP) allows faster, lower-latency connections. The usual components of a SIP system are the user agent, the proxy server, the registrar server, and the redirect server. The user agent software contains client and server components: the client piece makes outgoing calls and the server piece is responsible for receiving incoming calls. The proxy server forwards traffic, the registrar server authenticates requests, and the redirect server resolves information for the user agent client. The endpoints begin by connecting to a proxy and/or redirect server, which resolves the destination number into an IP address. It then returns that information to the originating endpoint, which is responsible for transmitting the message directly to the destination. A security advantage of SIP is that it uses one port. The main security concerns are confidentiality, message integrity, non-repudiation, authentication and privacy. No new security mechanisms were created for SIP; instead, SIP uses those provided by Hypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP), as well as IP Security (IPsec).

Fig: Self-Provided Customer Architecture

Signal confidentiality is best provided with full encryption; however, since some SIP message fields must be read and/or modified by proxies, care must be taken and other methods possibly used. If the proxy can be trusted, then encryption at the transport and/or network layer may be the best solution. Security at the transport and network layers accomplishes full packet encryption using IPsec. TLS had been used, but has been deprecated. Full encryption requires support for the encryption method at each endpoint where it is implemented. HTTP authentication uses the 401 and 407 response codes and header fields. This provides a stateless, challenge-based mechanism for authentication whereby the challenge and the user credentials are passed in the headers. When a proxy or user agent receives a request, it may issue a challenge to confirm the identity of the sender. Once identity has been confirmed, the receiver should also verify that the requester is authorized. Details of this "digest" method may be found in RFC 3261. Secure/Multipurpose Internet Mail Extensions (S/MIME) is an enhancement to MIME that replaces Pretty Good Privacy (PGP). Since MIME bodies are carried by SIP, SIP may use S/MIME to enhance security. S/MIME contains components that can provide integrity and encryption for MIME data and, as RFC 2633 states, S/MIME can be used for "authentication, message integrity and non-repudiation of origin (using digital signatures) and privacy and data security (using encryption)". S/MIME is useful when full encryption of the packet is not feasible because network components need to use data from the header fields.
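The challenge/response exchange described above can be made concrete. The following Python is an added example written for this page, not code from the original article or from any SIP implementation: it parses a SIP message, computes the digest that RFC 3261 borrows from HTTP (RFC 2617, MD5), answers a constructed 401 challenge for a REGISTER, and then plays the registrar side, recomputing the response and comparing it in constant time while refusing a nonce the server did not issue and an Authorization uri that does not match the Request-URI. All addresses, nonces and credentials are constructed sample values, and the registrar's nonce bookkeeping is reduced to a single known nonce for illustration.

```python
import hashlib
import hmac
import re


def parse_sip_message(raw: str) -> dict:
    """Split a SIP message into start line, headers (lower-cased names, list of
    values per name) and body. Folded header lines are not handled here."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: dict = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start_line": lines[0], "headers": headers, "body": body}


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_params(value: str) -> dict:
    """Turn 'Digest realm="x", nonce="y", qop=auth' into a dict of parameters."""
    scheme, _, params = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("only the Digest scheme is handled here")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """RFC 2617 digest as mandated by RFC 3261 (the RFC specifies MD5)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop:
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(challenge: str, username, password, method, uri,
                        nc="00000001", cnonce="0a4f113b") -> str:
    """User agent side: answer a 401 with an Authorization header value."""
    chal = parse_digest_params(
        parse_sip_message(challenge)["headers"]["www-authenticate"][0])
    qop = chal.get("qop")
    resp = digest_response(username, chal["realm"], password, method, uri,
                           chal["nonce"], qop, nc, cnonce)
    parts = [f'username="{username}"', f'realm="{chal["realm"]}"',
             f'nonce="{chal["nonce"]}"', f'uri="{uri}"',
             f'response="{resp}"', "algorithm=MD5"]
    if qop:
        parts += [f"qop={qop}", f"nc={nc}", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


def verify_request(raw_request: str, issued_nonce: str, credentials: dict) -> bool:
    """Registrar side: reject an unknown nonce (replay/stale) or a uri that
    differs from the Request-URI, then recompute and compare the digest."""
    msg = parse_sip_message(raw_request)
    method, request_uri, _ = msg["start_line"].split(" ", 2)
    auth = msg["headers"].get("authorization")
    if not auth:
        return False
    p = parse_digest_params(auth[0])
    if p.get("nonce") != issued_nonce or p.get("uri") != request_uri:
        return False
    password = credentials.get(p.get("username"))
    if password is None:
        return False
    expected = digest_response(p["username"], p["realm"], password, method,
                               p["uri"], p["nonce"], p.get("qop"),
                               p.get("nc"), p.get("cnonce"))
    return hmac.compare_digest(expected, p.get("response", ""))


# Constructed sample exchange: registrar challenges, phone answers.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CHALLENGE = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>;tag=37GkEhwl6\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 REGISTER\r\n"
    f'WWW-Authenticate: Digest realm="example.com", nonce="{NONCE}", qop="auth", algorithm=MD5\r\n'
    "Content-Length: 0\r\n\r\n")
CREDENTIALS = {"alice": "correct horse battery"}  # constructed


def register_request(authorization: str, request_uri="sip:example.com") -> str:
    return (f"REGISTER {request_uri} SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhdt\r\n"
            "From: <sip:alice@example.com>;tag=1928301774\r\n"
            "To: <sip:alice@example.com>\r\n"
            "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
            "CSeq: 2 REGISTER\r\n"
            f"Authorization: {authorization}\r\n"
            "Content-Length: 0\r\n\r\n")


def demo() -> tuple:
    """Returns (valid, wrong password, header replayed under another nonce)."""
    auth = build_authorization(CHALLENGE, "alice", CREDENTIALS["alice"],
                               "REGISTER", "sip:example.com")
    good = verify_request(register_request(auth), NONCE, CREDENTIALS)
    wrong_pw = verify_request(register_request(auth), NONCE, {"alice": "wrong"})
    stale = verify_request(register_request(auth), "a-nonce-never-issued", CREDENTIALS)
    return good, wrong_pw, stale
```

Run `demo()` to see the three outcomes. The constant-time compare and the nonce/uri checks are the parts worth copying; a real registrar would also track nonce counts and expiry, which is exactly the integrity gap the article notes for HTTP digest.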
User identification is done via a certificate belonging to the user, which is compared to the header information. Integrity of the message is verified by matching the information in the outside header with that of the inside header. Normally, S/MIME is used to encrypt the Session Description Protocol (SDP) body, but there may be requirements to encrypt certain header components. SIP can provide header privacy by encapsulating the entire message using the MIME type message/sip. If used for anonymity, the message will need to be decrypted before the certificate can be identified and consequently validated.

SIP Security Concerns

HTTP digest does not provide the best integrity. Without S/MIME, spoofing of the header would not be difficult. S/MIME requires a public key infrastructure. Since certificates are associated with users, moving from one device to another may be difficult. With S/MIME there may be issues with firewalls or other proxy devices that need to view and/or change SIP bodies. There is information in SIP headers that may be considered sensitive, e.g. an unlisted phone number. Consideration may need to be given to providing per-user options that allow protection of this information. SIP and H.323 both use protocols that may use random ports, requiring that the firewall be able to open and close ports as needed. An H.323- or SIP-aware firewall may be required. As with H.323, Network Address Translation presents problems for SIP.

Network Address Translation

Network Address Translation (NAT) allows one network address to be translated, at a gateway between two networks, into another address so that the packet has a valid source address on the network it is on. Most commonly, NAT is used to change private IP addresses into public, Internet-routable IP addresses. Ports may also be translated. NAT traversal is usually only a concern if end-user devices connect directly to an external network or if they connect to the internal network from an external network.

Fig: Network Address Translation Architecture

NAT is a layer of security because it hides the real addresses on the internal network from the public network. NAT can, however, be a problem, because the routing device does not know the actual IP address of the device. The information defining the endpoint is in the header. The routing device must be able to read the header and in some cases (e.g. with proxy firewalls) change it. This is hampered when encryption is used. The best solution is to not use NAT if at all possible. By removing the issue, the problem disappears, though another problem may present itself. When NAT is required, care must be taken to select application and proxy firewalls that handle the implementation or, alternatively, to consider a service offered by the public networks.
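As an added illustration of the NAT problem described in this section (example code written for this page, not from the article or from any SIP stack), the Python below shows what a SIP-aware server can do with the Via header when the real source address differs from what the phone wrote into it: record the observed address and port as the `received` and `rport` parameters defined in RFC 3261 and RFC 3581, route the response there instead of to the unreachable private address, and flag RFC 1918 addresses in Via and Contact as indicators that the sender is behind NAT. The phone address 10.0.0.5, the public NAT address 203.0.113.7 and the port 41000 are constructed sample values.

```python
import ipaddress
import re

# RFC 1918 ranges checked explicitly: ipaddress's is_private also flags the
# documentation range 203.0.113.0/24 used here as the sample "public" address.
_RFC1918 = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host: str) -> bool:
    """True for an IPv4 literal inside an RFC 1918 range; False for hostnames."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in _RFC1918)


def parse_via(via: str) -> dict:
    """Split 'SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK1;rport' into its parts.
    IPv6 literals in brackets are not handled here."""
    sent_protocol, _, rest = via.strip().partition(" ")
    sent_by, *raw_params = rest.split(";")
    host, _, port = sent_by.strip().partition(":")
    params = {}
    for item in raw_params:
        key, _, val = item.partition("=")
        params[key.strip()] = val.strip() if val else None  # bare 'rport' -> None
    return {"sent_protocol": sent_protocol, "host": host,
            "port": int(port) if port else 5060, "params": params}


def format_via(v: dict) -> str:
    out = f'{v["sent_protocol"]} {v["host"]}:{v["port"]}'
    for key, val in v["params"].items():
        out += f";{key}" if val is None else f";{key}={val}"
    return out


def stamp_received(via: str, observed_ip: str, observed_port: int) -> str:
    """Server-side handling per RFC 3261 section 18.2.1 and RFC 3581 section 4:
    note where the request really came from so the response can cross the NAT."""
    v = parse_via(via)
    if v["host"] != observed_ip:
        v["params"]["received"] = observed_ip
    if "rport" in v["params"]:          # client asked for symmetric response routing
        v["params"]["rport"] = str(observed_port)
        v["params"]["received"] = observed_ip
    return format_via(v)


def response_destination(via: str) -> tuple:
    """Where the response goes: received/rport when present, else sent-by."""
    v = parse_via(via)
    ip = v["params"].get("received") or v["host"]
    rport = v["params"].get("rport")
    return ip, int(rport) if rport else v["port"]


_CONTACT_HOST_RE = re.compile(r"sip:(?:[^@>]*@)?([^:;>]+)")


def nat_indicators(via: str, contact: str, observed_ip: str) -> list:
    """Signs, for a registrar or SIP-aware firewall, that the sender is behind NAT."""
    findings = []
    v = parse_via(via)
    if is_rfc1918(v["host"]) and v["host"] != observed_ip:
        findings.append(f"Via sent-by {v['host']} is private but request "
                        f"arrived from {observed_ip}")
    m = _CONTACT_HOST_RE.search(contact)
    if m and is_rfc1918(m.group(1)):
        findings.append(f"Contact host {m.group(1)} is private and not "
                        f"reachable from outside the NAT")
    return findings


# Constructed sample: a phone at 10.0.0.5 registering through a NAT whose
# public side is 203.0.113.7, which picked source port 41000 for this request.
VIA = "SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bKnashds7;rport"
CONTACT = "<sip:alice@10.0.0.5:5060>"
OBSERVED = ("203.0.113.7", 41000)


def demo() -> dict:
    stamped = stamp_received(VIA, *OBSERVED)
    return {"naive_destination": response_destination(VIA),
            "stamped_via": stamped,
            "actual_destination": response_destination(stamped),
            "indicators": nat_indicators(VIA, CONTACT, OBSERVED[0])}
```

`demo()` shows the contrast the section describes: without the stamped parameters the response would be sent to 10.0.0.5:5060, which the public network cannot reach, while the Contact header still advertises a private address that a SIP-aware firewall or session border controller would have to rewrite.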
