Review Session 3

1

Review Session 3

Mobile IPSIP

H.323

2

Mobile IP Requirements Transparency: Movement of Mobile host:

transparent to the applications and transport-layer protocols

Transparent to the routers, except those directly connected with the mobile host

Interoperability with IPv4 and with other mobile hosts

Handles long duration moves and not rapid motion

Scalable

3

Mobile IP Requirements …2

Secure: All messages used to update another node ( a router in the home network) as to the new location of a mobile host must be authenticated in order to protect against remote redirection attacks.

Wireless devices have lower bandwidth and have to conserve the use of energy. So the number of administrative messages and their size should be kept as small as possible.

4

Procedure: two addresses A mobile host has a permanent IP address

in its home network. A router in its home network is used as its Home Agent (HA). HA must have a network interface on the link, indicated by the mobile host’s IP address.

When it moves to another network, it acquires a temporary address, called the Care-of-Address.

Two different processes with Care-of-address:

5

Registration of Care-of-address

Care-of-address operated through a router in the new network. A router in the foreign network, which does the job, is called the Foreign Agent (FA) for the mobile host.

Co-located Care-of-address: The mobile host handles all forwarding and tunneling itself. It requires additional software to do so. Moreover the mobile host on a foreign network, must be located on a link, specified by the network prefix of the Care-of-address.

6

Registration and gratuitous ARP Registration: The mobile host: registers with HA by

informing it of its Care-of-address, -- through FA or in case of co-located Care-of-address, itself.

After registering the mobile host’s Care-of-address, the HA broadcasts a gratuitous ARP message on the home network, giving its own MAC address as a proxy for the mobile host. Since broadcast messages may not reach reliably every host on the network, the gratuitous ARP message is broadcast a few times.

7

Deregistration

Deregistration: When the mobile host comes back to its home network, it sends a gratuitous ARP message to give its own

MAC address to all the hosts on the local network.

a deregistration message to the HA and it simultaneously retransmits the

gratuitous ARP message a few times.

8

Deregistration ….. 2 After accepting the deregistration request, HA sends

a gratuitous ARP message, associating the MAC address of the mobile host with the mobile host’s IP address to the local network.

a reply to the mobile host, accepting deregistration.

The HA retransmits this gratuitous ARP message a few times.

Both the HA and the mobile host are required to send the gratuitous ARP message at deregistration, since the area of coverage of the wireless mobile host and the HA are likely to be different.

9

Data Transfer: from remote sender to mobile host: Triangle Routing The Remote Sender (RS) sends a message

to the home address of the mobile host. The Home Agent (HA)

intercepts the message, using proxy ARP method.

encapsulates the message using IP-in-IP with

Source address = the HA address Destination address = the FA address

Note: PROTOCOL in the IP Header for IP-in-IP is equal to 4.

10

Data Transfer: Foreign Agent (FA):

retrieves the packet, sent by the remote sender, consults a registry table to get the Care-of-

address and sends the packet to the Care-of-address.

From Mobile Host to the Remote Sender:The packet generally goes DIRECTLY, with

Source address = the home address of the mobile host

Destination address = the address of the remote host

11

Double Cross Routing

When The mobile host goes to the network of the Remote Sender (RS):

Remote Sender’s message follows the standard Triangulation process, though the Foreign Agent is in the RS’s network.

Message from the mobile host to RS: Direct

Causes of Inefficiencies: Triangle Routing Double Crossing

12

Solution to inefficiencies

HA may inform RS about the Care-of-address, while forwarding the packet to the FA.

All future packets from RS to mobile host can go directly.

When the mobile host returns to the home network, HA may again inform the RS.

Skip 13-16

13

IP in IP Encapsulation (RFC 2003) To encapsulate an IP datagram in

IP:

14

IP in IP Encapsulation: The Outer IP Header

Protocol: 4 Source Address = HA address Destination Address = FA address. HA and FA are the end-points of the tunnel during the

Triangle Routing. Header Length: length of the outer IP header only Type of Service (TOS): copied from the inner IP header Total Length: length of the entire encapsulated IP

datagram, including the outer IP header, the inner IP header, and its payload.

Time to Live: appropriate for delivery up to the tunnel exit point.

15

IP in IP Encapsulation : The Outer IP Header ….2 "Don't Fragment" bit :

If the "Don't Fragment" bit is set in the inner IP header, it MUST be set in the outer IP header.

If the "Don't Fragment" bit is not set in the inner IP header, it MAY be set in the outer IP header.

Fragmentation and reassembly: will have to be done at the ends of the tunnel. However since the two end-points are routers, reassembly

may pose a problem. An ICMP message due to a large message from a router

within a tunnel may be difficult to relay to the original sender.

Options: Any options present in the inner IP header are in general NOT copied to the outer IP header.

16

IP in IP Encapsulation : The Inner IP Header not changed by the encapsulator (HA),

except to decrement the TTL remains unchanged during its delivery up to

the tunnel exit point TTL in the inner IP header is not changed

when decapsulating. After decapsulation, when the decapsulator (FA) forwards the datagram to one of its network interfaces, it will decrement TTL as a result of doing normal IP forwarding.

17

Discovery of Agents Before a mobile host leaves the home network, it

must obtain information about its Home Agent (HA).

When a mobile host reaches a foreign network, it must discover information about its Foreign Agent (FA).

HA must be always available to serve its mobile hosts.

FA must continue to advertise so that the mobile hosts registered with it know that

they have not gone out of its range. the FA is alive.

18

Discovery of Agents ……..2 Mobility agents (FAs and HAs): advertise

their presence via Agent Advertisement messages A mobile host may optionally solicit an Agent Advertisement message from any locally attached mobility agents through an Agent Solicitation message.

On receiving the Agent Advertisements, a mobile host determines whether it is on its home network or a foreign network.

19

A mobile host: on the Home/Foreign Network:

When it detects that it is on its home network, it operates without mobility services. If returning to its home network from being registered elsewhere, the mobile node deregisters with its HA, through exchange of a Registration Request and Registration Reply message with it.

When it detects that it has moved to a foreign network, it obtains a Care-of address on the foreign network either

from a FA’s advertisements (a FA Care-of address): The preferred method because it allows many mobile nodes to share the same Care-of address and therefore does not place unnecessary demands on the already limited IPv4 address space. OR

20

A mobile host on a Foregn network: Acquiring a care-of-address ……..2

The address may be dynamically acquired as a temporary address by the mobile node through DHCP, or may be owned by the mobile node as a long-term address for its use only while visiting some foreign network. (a Co-located care-of address).

Advantage: No FA need be deployed. Disadvantages: (i) places additional burden on the

IPv4 address space because it requires a pool of addresses within the foreign network to be made available to visiting mobile nodes.

(ii) difficult to efficiently maintain pools of addresses for each subnet that may permit mobile nodes to visit.

21

Acquiring Care-of-addresses from FA advertisement

If there are more than one Care-of-addresses, advertised by a FA, the mobile host should pick up the first.

If FA rejects the Registration Request, then the mobile host should resend the request with the second Care-of-address.

22

Discovery of Agents …2 ADVERTISEMENT BY AGENTS: through

regular ICMP Router Advertisements, on which the Agent advertisements are piggy-backed.

Mobility Agent Advertisement Extension is added to the ICMP Router Advertisements for this purpose.

23

Mobility Agent Advertisement Extension

Appended to the Router Advertisement

ICMP

Router Advertisement Message

Type = 16

Length Sequence Number

Lifetime Code Reserved

Care-of-addresses of Foreign Agents

24

Mobility Agent Advertisement

Extension : Fields Length: of the extension message only Sequence Number: message number Lifetime: The longest lifetime (measured in

seconds) that this agent is willing to accept in any Registration Request.

No relation with the same named field in the ICMP Router Advertisement part.

Notes: 1.This field has no relation to the "Lifetime" field within the ICMP Router Advertisement portion of the Agent Advertisement.

2. All 1’s i.e. 0xffff infinite time

25


Extension : Fields …. 2

Care-of-Addresses: contains the set of available care-of-addresses; the field used by a foreign agent only; At least one Care-of-address must be included in every Agent advertisement.

Code: Each of the bits is used to convey a different message - as defined in the next slide.

26


Extension : Code Bits

Bit 7: R: registration required; Registration with this foreign agent (or another foreign agent on this link) is required even when using a co-located care-of address. Or co-location of care-of-address may not be allowed.

Bit 6: B: Agent is busy. So FA will not accept registrations from additional mobile hosts.

Bit 5: H: Agent acts as a home agent on the link on which this Agent Advertisement message is sent.

Bit 4: F: Agent acts as a foreign agent. Bit 3: M: Agent uses minimal encapsulation. (slides 26-30) Bit 2: G: Agent uses Generic Routing Encapsulation (GRE). (RFC 1701) Bit 1: r: Unused (0) Bit 0: T: Agent supports reversed tunneling (slide 31)

27


Extension : Code Bits …..2

In an Agent Advertisement message: 'B' bit MUST NOT be set if the 'F' bit is

not also set. (Only an FA can say that it is busy. A HA must be always available.)

at least one of the 'F' bit and the 'H' bit MUST be set.

‘R' bit MUST NOT be set if the 'F' bit is not also set. (R is set by an FA, when it requires registration from even those mobile hosts, which have co-located Care-of-addresses. R is NOT used by HAs)

28


Extension : Minimal Encapsulation (RFC: 2004) IP-in-IP: has unnecessary duplication of

several fields between the outer and the inner IP header;

Minimal Encapsulation: attempts to save some space by reducing the size of the inner header to 12 bytes by eliminating duplication

Outer Header: PROTOCOL = 55 for IP-in-IP with minimum

encapsulation TTL: kept the same as in the original IP header

29

Mobility Agent Advertisement Extension : Minimal Encapsulation ……2

30

Mobility Agent Advertisement Extension : Minimal Encapsulation: Minimal Forwarding Header

31

Mobility Agent Advertisement Extension : Minimal Encapsulation: Fields of the Minimal Forwarding Header Protocol: same as in the original IP header. S = 1 (If S = 0, the source address in the Outer header is equal to the

source address in the original IP header. Then this address is not put in the inner header and the length of the inner header reduces to 8)

Reserved: are all zero. Header Checksum: for the minimal forwarding

header onlyNote: 1. While de-encapsulating, the original header is restoredback ( with some changes). 2. ICMP messages from within thetunnel have to be handled with care, since the movement of themobile host is transparent to the RS.

32

Mobility Agent Advertisement Extension : Need for Reversed Tunneling (RFC 3024) The message from the mobile host to

RS goes directly from the foreign network to the RS.

But it carries the source address of the home network.

Due to security considerations, some networks may not allow it.

Need for reversed tunneling from mobile host – to- HA –to- RS

33

Additional Specifications: ICMP Router Advertisement with Agent Extension

Link layer: If the Router Advertisement is in response to a Router solicitation message, it will be unicast to the MAC address of the solicitation message. (ie the MAC address and the IP home address of the mobile host)

IP fields: TTL = 1 The multicast Agent advertisement is sent to

either All systems on the link ( 224.0.0.1) or The Limited broadcast (255.255.255.255)

34

Prefix-Length extension

This extension may follow the Mobility Agent Advertisement Extension.

35

Prefix-Length extension Fields Type: 19 Length: N, where N is the value (possibly zero) of

the Num Addrs field in the ICMP Router Advertisement portion of the Agent Advertisement. Prefix Length(s): The number of leading bits that define the network number of the corresponding Router Address listed in the ICMP Router Advertisement portion of the message. The prefix length for each Router Address is encoded as a separate byte, in the order that the Router Addresses are listed in the ICMP Router Advertisement portion of the message

36

Router ADVERTISEMENT Type: 9 for Router Advertisement Code:

Code = 0 The agent routes common traffic, not related to mobile hosts – in addition to the traffic of the mobile hosts

Code = 16: The agent does not route common traffic.However every FA must forward to a default router any datagrams received from a registered mobile host.

(For a non-agent ICMP router advertisement, Code ia always equal to zero.)

The scheme calls for Periodic Retransmission (Default period=10 minutes) Soft state in that the Router information retained for the

specified lifetime (Default lifetime = 30 minute so that missing one ad message will not lead to discarding the Router )

37

ROUTER ADVERTISEMENT

An Advertisement by a Router tells about it self and all other Routers on the network about

which it is aware. Every Router address, associated with

an integer precedence value given in 2’s complement. A host chooses the route with the highest precedence value.

38

ROUTER ADVERTISEMENT

Thus if PR VAL = 0 -----> DEFUALT

ROUTER PR VAL = 8000 0000 ->should

never be selected as the default router.

39

ROUTER ADVERTISEMENT FORMAT

0 8 16 31

Type code checksum

Num Addr Addr Size Life time

ROUTER ADDRESS 1

PREFERENCE LEVEL 1

R A 2

P L 2

40

ROUTER ADVERTISEMENT: Fields Num ADDRS: The number of address entries

which follow (often 1) For an Agent Advertisement, Num ADDRS can be zero.

ADDR SIZE: The size of an address in 32 bit units (1 for IPv4)

LIFE TIME: The number of seconds for which the Router is

retained, if it is not refreshed (default = 30 min) (The maximum length of time that the

Advertisement is considered valid in the absence of further Advertisements.)

41

ROUTER ADVERTISEMENT Process LIFETIME: No relation with the same

named field in the Agent Advertisement part.

Routers send these messages periodically. Or immediately on receipt of a Router solicitation message.

If the Router and the network support multicast, send to all systems multicast address 224.0.0.1

Otherwise it is broadcast locally.

42

Router Solicitation Message: to find a foreign agent In a foreign network, if a mobile host does not

receive the ICMP Router Advertisement, it can use the ICMP Router Solicitation message to ask for assistance.

An Agent Solicitation message is identical to an ICMP Router Solicitation, except that its IP TTL MUST be set to 1

Rate of sending solicitation messages: Initial rate for 3 messages: one per second Back-off the rate exponentially ( and randomize the

sending instant) till you reach one message per minute.

43

Router Solicitation

Router Solicitation For the addresses of Routers connected

to the n/w.

0 8 16 31Type code checksum

Identifier 16 bits Sequence No 16 bits

44

Router Solicitation (Contd)

TYPE: 10 CODE: 0

If a host supports multicast, send the Router Solicitation message to 224.0.0.2 (address of all Routers) Or it may be broadcast to the local n/w.

(Every few minutes – default value = 10 minutes - a Router advertisement is received .

Router Solicitation used only when Router address is required immediately)

45

Registration of the mobile host The mobile host operating away from home

then registers its new Care-of address with its HA through exchange of a messages with it, possibly via a FA.

Registration on moving to a foreign network With the foreign agent With the home agent ( done by the

foreign agent on behalf of the host) Renew registration, if it has expired.

Deregistration after returning to home net

46

Process of Registration Registration Request: sent by the mobile

host to FA to inform it about The chosen Care-of address HA’s address Home address

FA: On receiving the Registration Request: relays the Request in an IP packet to HA – thus informing HA about FA’s address.

Both HA and FA must approve the Registration Request

47

Process of Registration … 2 For a co-located Care-of-address, the mobile

host sends the Registration Request directly to HA

Two new Formats: Registration Request and Registration Reply

UDP: used for Registration messages with Well-known port 434 for the Agent An ephemeral port by the mobile host

UDP checksum must be used for the Registration messages.

48

Registration Request format

Type = 1 Flag Lifetime

Home address

Home Agent address

Care-of-address

Identification

Extensions….

49

8-bit FLAG: to convey Requests from the Mobile Host and to give forwarding information Bit 7: S: Simultaneous Binding: Request for home

agent to retain its prior Care-of-address: Useful when a mobile host is within the range of two FAs; the HA can then send two copies, one to each of the

Care-of-addresses; the mobile host may then receive two copies of the message.

Bit 6: B: Request that home agent may tunnel any broadcast messages on the home network

Bit 5: D: Mobile host is using co-located care-of-address to decapsulate messages itself.

Bit 4: M: Request for home agent to use minimal encapsulation

50

8-bit FLAG:

Bit 3: G: Request for Generic Routing Encapsulation (GRE)

Bit 2: r: zero; ignored on reception Bit 1: T: Reverse Tunneling

requested Bit 0: x: zero; ignored on reception

51

Other Fields TYPE: 1 for Request and 3 for Reply Lifetime: the number of seconds, the

registration is to remain valid; a string of all zeros Deregistration; a string of all 1’s infinite lifetime

Care-of-address: temporary address of the mobile host

Identification: A 64 bit number sent in Request and repeated in Reply. Used for matching the Request and Reply.

variable length Extensions: for authentication

52

Errors in ExtensionsFor both the Agent extension to the ICMP Router

Advertisement ( slide 23) and the authentication extensions (slide 65): When an Extension with TYPE field -- numbered in the

range 0 through 127 -- is encountered but not recognized, the message containing that Extension MUST be silently discarded.

When an Extension numbered in the range 128 through 255 is encountered which is not recognized, that particular Extension is ignored, but the rest of the Extensions and message data MUST still be processed. The Length field of the Extension is used to skip the Data field in searching for the next Extension.

53

Extensions:1. Mobile Node Network Access Identifier (NAI)

extension 2. Mobile-Home Authentication extension 3. Mobile- Foreign Authentication extension (RFC

2794)

FORMAT of Mobile Node NAI extension

54

Mobile Node NAI extension Fields

Type (1 byte): 131 Length (1 byte): The length in

bytes of the MN-NAI field MN-NAI: A string in the NAI format

(Examples of the Format are given in the next slide.)

55

Network Access Identifiers (NAI) Examples from RFC 2486

Valid NAIs Invalid NAIs

[email protected] [email protected] [email protected] fred=?#$&*+-/^[email protected] [email protected] [email protected] [email protected] eng%[email protected]

fred@foo fred@foo_9.com @howard.edu [email protected]@smallco.com

eng:[email protected] eng;[email protected] <nancy>@bigu.edu

56

Registration Reply Home Agent: sends the Registration reply

to the Foreign Agent To confirm or To deny the registration.

Foreign Agent, then, relays it to the mobile host.

CODE: FLAG in Registration Request is replaced with CODE in Registration Reply.: shows acceptance or denial of request.

Care-of-address field not needed in Reply

57

Registration Reply Format

Type = 3 Code Lifetime

Home address

Home Agent address

Identification

Extensions…

58

Registration Reply Values of Code Registration Successful

0 registration accepted 1 registration accepted, but

simultaneous mobility bindings unsupported

59

Registration denied by HA: Values of Code

128 reason unspecified 129 administratively prohibited 130 insufficient resources 131 mobile node failed authentication 132 FA failed authentication 133 registration Identification mismatch 134 poorly formed Request 135 too many simultaneous mobility bindings

136 unknown home agent address

60

Registration denied by FA: Values of Code 64 reason unspecified 65 administratively prohibited 66 insufficient resources 67 mobile host failed authentication 68 HA failed authentication 69 requested Lifetime too long 70 poorly formed Request 71 poorly formed Reply 72 requested encapsulation unavailable 73 reserved and unavailable 77 invalid care-of address 78 registration timeout 80 home network unreachable (ICMP error received) 81 HA host unreachable (ICMP error received) 82 HA port unreachable (ICMP error received) 88 HA unreachable (other ICMP error received)

61

LifeTime: smaller of LifeTimeRequest & LifeTimeReply

LifeTimeRequest: LifeTime in the Registration Request

LifeTimeReply: LifeTime received in the Registration Reply

If LifeTimeReply > LifeTimeRequest, the LifeTimeRequest MUST be used.

If LifeTimeReply < LifeTimeRequest, the LifeTimeReply MUST be used.

62

Detecting Movement: Algorithm1: Lifetime in Agent

advertisement: If no further Agent advertisement is received and the lifetime expires, the mobile host may Attempt registration with another Agent,

whose advertisement had been earlier received and whose lifetime has not yet expired.

otherwise, attempt to discover a new FA.

63

Detecting Movement: ……. 2 Algorithm 2: It uses the Prefix-Length

extension. However this method is used only when both the current Care-of-address and the new Agent advertisement received by the mobile host have the prefix-length extension.

If the network part of the address should differ, it means that the mobile host has moved to a new foreign agent and it must re-register with a new Care-of-address.

64

Detecting Movement: ……. 2 Returning Home: when it receives the agent

advertisement from its HA. It should reconfigure its routing table and

deregister with its HA and follow the gratuitous ARP procedures if the home network uses ARP.

A mobile host MUST NOT consider reception of an ICMP Redirect from a FA that is currently providing service to it as reason to register with a new FA.

65

Mobile Home Authentication

66

Mobile Home Authentication Fields Type: 32 Length of MHA in bytes SPI Security Parameter Index (4 bytes): specifying

security context available in the Mobility Security Association; Values 0-255 reserved.

Authenticator (variable length) (default: 128 bit Message Digest over (i) UDP payload (ii) all extensions (iii) TYPE, LENGTH and SPI.

Excludes (i) Authenticator itself (ii) UDP header )Note: (i) Mobile-Foreign Authentication: TYPE = 33(ii) Foreign-Home Authentication: TYPE = 34

67

Mobility Security Association

Mobility Security Association: A collection of security contexts, between a pair of nodes. Each context indicates

an authentication algorithm and mode (default: 128 bit key HMAC-MD5),

a secret (a shared key, or appropriate public/private key pair), and

a style of replay protection in use (nonce/time stamp).

68

SIP

69

Session Initiation Protocol (SIP) Application layer signalling protocol used for

establishing sessions in an IP network. A session:

initiated, modified and terminated

by it. But it does not know about the details of a session.

Used for 2-party, multi-party or multicast sessions; or for a simple 2-way telephone call or a collaborative multi-media conference

70

SIP ……2 SIP, like HTTP (RFC 2068), is a

Text-based protocol Uses messages

It is a Request/Response protocol like HTTP and SMTP

SIP "plays nicely" with protocols that are often viewed as overlapping in function. For the near term, SIP will have to coexist with overlapping protocols such as H.323, MGCP, and MEGACO.

71

TCP/IP

STACK+

72

H.323 (ITU standard to allow telephones, on the public telephone network, to talk to computers, connected to Internet) used for local area networks (LANs), but

was not capable of scaling to larger public networks.

Earlier Standard: Media Gateway Control Protocol (MGCP): Converts PTSN audio signals to IP data

packets. is a closed, voice-only standard.

H.248 also called MEGACO: Media Gateway Control Protocol (Megaco) ---

the name used by IETF

73

MEGACO/ H.248 – the name used by ITU-T Study Group 16 MEGACO: a standard protocol for handling

the signaling and session management needed during a multimedia conference.

defines a means of communication between a media gateway, which converts data from the format required for a circuit-switched network to that required for a packet-switched network, and the media gateway controller.

References: 1.RFC 3015 2. http:// searchnetworking.techtarget.com

/ sDefinition/0,,sid7_ gci817224,00.html as of 12th Oct 2006

74

Stream Control Transmission Protocol (SCTP) SCTP: a reliable transport protocol operating on top of

IP. It offers acknowledged error-free non-duplicated

transfer of datagrams (messages). Detection of

data corruption, loss of data and duplication of data

is achieved by using checksums and sequence numbers. A selective retransmission mechanism is applied to correct loss or corruption of data.

75

Difference between SCTP and TCP difference with to TCP: multihoming and

the concept of several streams within a connection. Whereas in TCP a stream is referred to as a sequence of bytes, an SCTP stream represents a sequence of messages (and these may be very short or long).

References: 1. SCTP for beginners http://tdrwww.exp-math.uni-essen.de/inhalt/forschung/sctp_fb/index.html as of Oct 12/2006

2. http://www.sctp.org/ 3. RFC2960

76

Uses of SIP enables disparate computers, phones,

televisions and software to communicate. Through SIP, Users can locate and contact one

another regardless of media content and numbers of participants. SIP negotiates sessions so that all participants can agree on and modify session features. It can even add, drop or transfer users.

VoIP telephony voice-enriched e-commerce web page click-to-dial Instant Messaging with buddy lists Rich media conferencing

77

Session Initiation ProtocolSIP does not provide Conference Control. For VoIP,

besides SIP, the following standards and protocols are used:

to ensure transport (RTP), to authenticate users (RADIUS, DIAMETER), to provide directories (LDAP) for location, to be able to guarantee voice quality (RSVP,

YESSIR) to describe the payload of message content and

characteristics: Session Description Protocol (SDP) to describe the characteristics of the end devices.

to inter-work with today's telephone network, many ITU standards

78

A Brief HistoryReference: Understanding SIP: An Ubiquity White paper http://www.sipcenter.com/sip.nsf/html/WEBB5YNVK8/$FILE/Ubiquity_SIP_Overview.pdf

mid-1990s: Henning Schulzrinne, Dept of CS at Columbia University: Research in Multiparty Multimedia Session Control (MMUSIC).

Henning Schulzrinne: A co-author of the Real-Time Transport Protocol (RTP) for

transmitting real time data via the Internet, Real Time Streaming Protocol (RTSP) – a

proposed standard for controlling streaming audio-visual content over the Web.

1996: He submitted the first draft of SIP to IETF

79

A Brief History …..2 1999: Henning Schulzrinne removed

extraneous components regarding media content in a new submission and IETF issued the first SIP specification, RFC 2543.

2001: Updated SIP specification RFC 3261 RFC 3262: governs Reliability of Provisional

Responses; RFC 3263: establishes rules to locate SIP Proxy Servers; RFC 3264: provides an offer/answer model; RFC 3265: determines specific event notification.

80

Addresses: Examples of SIP FormatsSIP: addresses in multiple formats: E-mail address: sip:[email protected] IPv4 address: sip:[email protected] Tel Number: sip:john@519-253-3000SIP uses Session Description Protocol

for details like media encoding, port numbers and multicast addresses etc.

81

Finding the IP address of a Callee

If IP address of a Callee is not known: The Callee not at her/his terminal The Callee connects to Internet

through DHCP and does not have a permanent IP address,

SIP uses a DNS-like mechanism to find it.

82

User Agents (UAs) and Registrar Servers (RS):

UA: end-user device, used to initiate and manage a session. UA Client initiates the session request and UA Server responds to it.

RS: a database containing the location of all user agents within a domain. Every user must be registered with at least one RS at any time. RS knows the IP address of the user.

83

Proxy Servers (PS) and Redirect Servers PS: accepts the request from UAs and

query RS to obtain the addressing information. It then sends the information

to the UA, if it is lying in the same domain. Or to another PS, if the UA is in some other

domain.

Redirect Servers: allow PS to send the session information to external domains.

84

Finding the IP address of the Callee: Using Proxy server and RS

ASSUME: The Caller does not know the IP address of the Callee. But e-mail address of the Callee is known.

Caller sends an INVITE message with e-mail address to the Proxy Server (PS).

PS sends a look-up message to RS. RS responds with the IP address of the

Callee. PS inserts the IP address in INVITE and

sends it to Callee.

85

Messages of SIP SIP MESSAGES: The Caller uses INVITE to

initialize a session.) The Callee answers the call The Caller sends an ACK as a confirmation. BYE: used for termination. OPTIONS: This message queries a machine

about its capabilities. CANCEL: cancels an initialization process,

which had been started. REGISTER: makes a connection, when the

Callee is not available.

86

A SIP SessionEstablishing a connection: (directly or through PS) Caller send INVITE: address + options to

Callee. Callee responds with OK: address. Caller sends ACK message to Callee

Data Transfer: between Caller and Callee through ephemeral ports

Termination: Caller or Callee can send a BYE message to terminate the session.

87

SIP session in the same domain

88

SIP session in the same domain ……2

89

SIP session in dissimilar domains

90

SIP session in dissimilar domains ……2

91

SAP Session: Ref: RFC 3261

92

SIP

SIP may use UDP/TCP/SCTP (Stream Control Transmission Protocol)

References: SIP RFC 3261 http://www.sipcenter.com/sip.nsf/html/What+Is+SIP+Introduction

93

H.323: an ITU standard

Gateway

InternetTelephone Network

Gatekeeper

94

H.323: Definitions

Terminals: computers connected to Internet

Gateway: 5 layer-device, which converts from one type of protocol to another

Gatekeeper: plays the role of Registrar Server

95

H.323uses G.71 and G.723.1 for compression.

Audio Control and Signaling

Compression Code

RTCP

H.225For registration with Gatekeeper

Q.931To set up and to terminate connection

H.245For negotiating about compression protocol

RTP

UDP TCP

IP

96

H.323: Operation Terminal (T) sends a broadcast message

to Gatekeeper (G) G responds with an IP address.

T and G use H.225 to negotiate BW. T,G, gateway and telephone use Q.931 to

set up a connection. T,G, gateway and telephone use H.245 to

negotiate the compression method. T, G and telephone exchange audio using

RTP, under management of RTCP. T,G, gateway and telephone use Q.931 to

terminate the communication.

97

Authentication, Authorization & Accounting (AAA) servicesReference:http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci514491,00.html

An AAA server: a server program that handles user requests for access to computer

resources and provides AAA services for an enterprise.

The AAA server: interacts with ‘network access and gateway servers’ and with ‘databases and directories’ containing user

information. The current standard by which devices or

applications communicate with an AAA server: Remote Authentication Dial-In User Service (RADIUS).

98

RADIUSRef:http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci214249,00.html and RFC 2865

a client/server protocol and software that enables remote access servers to communicate with a central server

to authenticate dial-in users and to authorize their access to the requested system or service.

permits setting up a policy that can be applied at a single administered network point.

Makes it easier to track usage for billing and for keeping network statistics.

Created by Livingston (now owned by Lucent). User profiles for RADIUS: in a central database that

all remote servers can share. Uses UDP port 1812

99

“The use of encrypted passwords appears reasonably secure, in the

absence of serious attention of experts in the field.”

---Morris and Thompson, ‘Password Security: A Case History’ (1979)

100

Procedures

1. USER AUTHENTICATION: PASSWORDS Problem: Password Guessing: Made easier

by the following practices: joe accounts. Accounts that use the account name as the

password. Guest or demonstration accounts that require no

password, or use a well-publicized password. System accounts with default passwords. User who tell their passwords to others.

101

Procedures (continued) Intruder’s method: dictionary guessing: uses a

program that encrypts each word in a dictionary (e.g., /usr/dict/words) and compares each encrypted word to the encrypted password in the /etc/passwd file. Besides the words from a dictionary things known about the target (his name, initials, telephone number, etc.) are also run through the guessing program.

Solution: a password : 6 characters, a random mix of

numbers and letters, that can be remembered easily

Protect the /etc/passwd file. Or use the shadow password file for hiding the

encrypted passwords.

102

Procedures (continued)

The Shadow Password File The encrypted password is stored only in the

shadow password file, /etc/shadow, and not in the /etc/passwd file. Every password field in the /etc/passwd file contains an x, which tells the system to look in the shadow file for the real password. The passwd file is maintained as a world-readable file because it contains information that various programs use.

The shadow file can only be read by root. It only contains passwords and the information needed to manage them.

103

Procedures (continued)

Example:The format of a shadow file entry on a Solaris system is:

username:password: lastchg:min:max:warn:inactive:expire:flag

username: login username password: the encrypted password or NP ( NP: no password because this is

not a login account. System accounts, such as daemon or uucp, are not login accounts, so they have NP in the password field.)

or *LK* for locked accounts that have been disabled from any further use.

104

Password Aging

The following four fields are used for PASSWORD AGING:

Lastchg: the date that the password was last changed, written as the number of days from January 1, 1970 to the date of the change

Min: the minimum number of days that must elapse before the password can be changed

Max: the maximum number of days the user can keep the password before it must be changed

Warn: the number of days before the password expires that the user is warned

105

Password Aging (continued) inactive: the number of days the account

can be inactive before it is locked; Inactivity measured in terms of the number of days the account continues with an expired password

Expire: the date on which the account will be closed; for creating accounts with a specified life-time

Flag: unused.

106

Password Authentication Protocol (PAP) Point-to-Point Protocol (PPP): supports two

authentication protocols: PAP and Challenge Handshake

Authentication Protocol (CHAP). PAP requires clear text PW. If the authentication is at the local host, OK. Otherwise a listener on the line may be able

to find the PW. So the idea of one-time PW, which have to

be used only once.

107

One-time Passwords In

Everything (OPIE) Procedure: With OPIE software loaded on your

machine, supply the old password. The user is asked to select a new secret 10 character password.

Then the system comes out with the following:

1. A one-time PW consisting of a group of six short, uppercase character strings

2. An initial sequence number and the seed

108

OPIE Procedure (continued)

The secret PW, the ISN and the seed can be used on your desktop to generate the next one-time PW.

If one has to go out, one can generate a number of one time passwords.

One time passwords can also be generated with a smart card.

109

Challenge Handshake

Authentication Protocol (CHAP) an advanced authentication system that

can repeatedly re-authenticate a remote system: The procedure: (i) The user is sent a randomly generated

string. (ii) The user uses a secret PIN and his pass

word to generate a response-string. The authenticator checks the response-

string and authenticates the user.

110

Procedures (continued) 2. APPLICATION SECURITY:

(i) Remove unnecessary software. Any software that allows a remote site to log in

to your system, can be exploited by an intruder.

(ii) Keep the software up-to-date. 3. ACCESS CONTROL: It adds a check to validate the source of a

service request, and retains all of the normal checks to validate the user.TCP wrapper: a software that

logs requests for Internet services, and provides an access control mechanism

111

References1. PPP Authentication Protocols:

http://www.tcpipguide.com/free/t_PPPAuthenticationProtocolsPasswordAuthenticationPr.htm as of 22 Oct 06

2. “PPP Authentication Using the ppp chap hostname and ppp authentication chap callin Commands”: http://www.cisco.com/en/US/tech/tk713/tk507/technologies_configuration_example09186a0080094333.shtml as of 22 Oct 06

3. “Understanding and Configuring PPP CHAP Authentication”: http://www.cisco.com/warp/public/471/understanding_ppp_chap.html as of 22 Oct 06

Documents

Review Session 3