SIP Security
SIP Security - RFCs 3261, 3262, 3263, 3264, 3265
If you want to secure both the SIP and RTP traffic, then you should probably be using an IPsec VPN.
SIP’s rich signaling means that the traffic reveals:
- caller and called parties' IP addresses
- contact lists
- traffic patterns
For further details concerning how complex it is to protect such personal information see the dissertation by Alberto Escudero-Pascual, “Privacy in the next generation Internet, Data Protection in the context of European Union Data Protection Policy” [Escudero-Pascual 2002].
For an example of a call anonymizer service using a back-to-back user agent (B2BUA), see figure 8.6 on page 121 of Sinnreich and Johnston.
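The three kinds of exposure listed above can be checked against your own signaling with a short audit script. This is an added example, not part of the original slides: the `invite` helper, the sample users, and the addresses are constructed, and the parser covers only the headers named here.

```python
import re
from collections import Counter

def invite(caller, callee, ip):
    """Build a minimal cleartext INVITE with an SDP body (constructed sample)."""
    sdp = (f"v=0\r\no={caller} 1 1 IN IP4 {ip}\r\ns=-\r\n"
           f"c=IN IP4 {ip}\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
    return (f"INVITE sip:{callee}@example.org SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK-constructed\r\n"
            f"From: <sip:{caller}@example.com>;tag=1\r\n"
            f"To: <sip:{callee}@example.org>\r\n"
            f"Call-ID: constructed-{caller}-{callee}\r\n"
            f"CSeq: 1 INVITE\r\n"
            f"Contact: <sip:{caller}@{ip}>\r\n"
            f"Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}")

# Constructed capture; addresses are from the RFC 5737 documentation ranges.
CAPTURE = [invite("alice", "bob", "192.0.2.10"),
           invite("alice", "bob", "192.0.2.10"),
           invite("alice", "carol", "198.51.100.7")]

COMPACT = {"f": "from", "t": "to", "m": "contact", "v": "via"}  # RFC 3261 short forms
URI = r"sips?:([^@;>\s]+@[^;>\s]+)"          # user@host inside a SIP/SIPS URI

def first(pattern, text):
    """Return the first capture group of pattern in text, or None."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def exposed(msg):
    """Fields a passive observer can read from one unprotected SIP request."""
    head, _, body = msg.partition("\r\n\r\n")
    hdr = {}
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        hdr.setdefault(COMPACT.get(name, name), value.strip())
    return {"caller": first(URI, hdr.get("from", "")),
            "callee": first(URI, hdr.get("to", "")),
            "contact": first(URI, hdr.get("contact", "")),
            "signaling_ip": first(r"SIP/2\.0/\w+ ([^:;\s]+)", hdr.get("via", "")),
            "media_ip": first(r"^c=IN IP[46] (\S+)", body)}  # SDP connection line

def contact_graph(capture):
    """Who calls whom, and how often: the contact list and traffic pattern."""
    return Counter((e["caller"], e["callee"]) for e in map(exposed, capture))
```

Running the same functions over signaling that has passed through an IPsec tunnel or an anonymizing B2BUA shows which of these fields are still visible to an on-path observer.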
Slide Notes
J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J. Peterson, R. Sparks, M. Handley, and E. Schooler, “SIP: Session Initiation Protocol”, IETF, Network Working Group, RFC 3261, June 2002, Updated by RFC 3265, RFC 3853, RFC 4320, RFC 4916, RFC 5393, RFC 5621, RFC 5626, RFC 5630, RFC 5922, http://datatracker.ietf.org/doc/rfc3261/
Alberto Escudero-Pascual, “Privacy in the next generation Internet, Data Protection in the context of European Union Data Protection Policy”, Dr. Tekn. dissertation, KTH Royal Institute of Technology, December 2002. https://urn.kb.se/resolve?urn=urn%3Anbn%3Ase%3Akth%3Adiva-3435
Henry Sinnreich and Alan B. Johnston, Internet Communications Using SIP: Delivering VoIP and Multimedia Services with Session Initiation Protocol, 2nd Edition, Wiley, August 2006, ISBN: 0-471-77657-2.
Transcript
[slide355] Now, if you actually want to provide security for voice over IP, you have to secure both the signaling via the SIP protocol and the media that's being sent by RTP. To secure the signaling and the media, one approach is we can simply stick everything inside an IPsec or other VPN. Right? But if it's other VPNs, we may have to consider what are the properties of the other VPN. So for example, if the VPN is running on top of TLS or some sort of transport layer which has TCP-like properties, do we want our media going across such a tunnel? Probably not. Because we didn't want the delays of a lost segment in the case of TCP causing a retransmission because that will delay all the packets behind it. Right? So-called head-of-line blocking, which will be bad for our media. But IPsec has the advantage, because it's running at the IP layer, that, in fact, we get the properties we want for both the SIP and for the UDP traffic that's carrying our RTP traffic.
But the SIP reveals an awful lot of information. Right? Because we saw in the Session Description Protocol that there are the user's IP addresses. So if we monitor the SIP, we can see what IP address the user is using, and of course we can, in many cases, compute backwards and know where the user is. We can simply assemble contact lists. Right? So most of you are aware that various intelligence services and others mine your social networks. Right? They want to know who knows who. So contact lists are very important.
Another thing is traffic patterns. Why are traffic patterns so sensitive? I'll give you a hint. I had a student who did a thesis project in Switzerland for a large pharmaceutical company. And the research laboratory was in one place, and they had factories in other places. If you were simply to watch the volume of traffic between the research laboratory, the headquarters, and the factories, what could you learn? You would learn when they were releasing a new drug to production. Right? And if you were their competitor, that could be very valuable information. So one of the tasks that the student had was to make it so that even if someone had access to the network, and of course they already had all the communication encrypted, the amount of traffic flowing between all of the places never changed. So you couldn't tell was there something special happening in the company or not. Right? At one time I worked for a while in Washington. If you wanted to know was there something special going on at the White House, all you had to do was look for the pizza delivery vans. Right? If there were lots of pizza delivery vans, there was some crisis in the making. Why? Because the kitchen closed in the evening, and there were lots of people there working. They had to get fed somehow. Right? So traffic reveals a lot.
Now Alberto Escudero-Pascual, in a thesis called "Privacy in the Next Generation Internet, Data Protection in the Context of the European Union Data Protection Policy", actually showed some things which led to the European Union changing its data protection policy because he showed that there were some things in the header, including the IPv6 addresses, that revealed an enormous amount about the user.
Now normally in communications we differentiate, for instance, between a letter and a postcard. Right? Anyone can read the outside of the postcard. But for a letter, to open it, you need to have suitable permission to be able to do that. Well, we have the same problem for voice over IP communications, right? Because we have the outside, which is the signaling, and then we have the content, which is the media. That would seem obvious. But we also have a lot of content that's actually in the SIP messages. So which part of that do you need to protect? And that will depend on the kinds of services that you're trying to support. And we talked about yesterday the use of back-to-back user agents to be able to provide a call anonymization service.
So an anonymizer.