SIP.edu & VoIP Security. 2nd Workshop on Securing VoIP, June 1-2, Washington, DC. Ben Teitelbaum <[email protected]>, http://people.internet2.edu/~ben/


Page 1: SIP.edu

SIP.edu & VoIP Security

2nd Workshop on Securing VoIP, June 1-2, Washington, DC

Ben Teitelbaum <[email protected]>, http://people.internet2.edu/~ben/

Page 2: SIP.edu

SIP.edu and VoIP Security—2nd Workshop on Securing VoIP—June 1-2—Washington, DC

Outline

• Internet2
• SIP.edu
  • Goal
  • Architecture
  • Status
  • Security Concerns
• Abilene Observatory
  • VoIP Observatory?

Page 3: SIP.edu

Internet2 Who?

Elevator Explanation
• Internet2's mission is to develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow’s Internet

Who we really are
• Membership organization of 200+ US research universities
• Parent 501(c)(3) (UCAID) has a board of university presidents
• Project supported by numerous partnerships (government, industry, international)

Goals
• Enable a new generation of applications
• Re-create leading-edge R&E network capability
• Transfer capability to the global production Internet

Page 4: SIP.edu

Internet2 Universities

206 University Members, March 2005

Page 5: SIP.edu

High Performance Networks

Page 6: SIP.edu

Internet2 Partnerships

• Internet2 universities are recreating the partnerships that fostered the Internet in its infancy
  • Industry
  • Government
  • International
• Additional Participation
  • Over 60 Internet2 Corporate Members
  • Over 40 Affiliate Members
  • New Association Member Category
  • Over 30 International Partners

Page 7: SIP.edu

Sponsored Education Group Participants

Page 8: SIP.edu

Internet2 Focus Areas

Advanced Network Infrastructure
• 10 GB Abilene backbone
• Advanced regional networks
• 100 MB to the desktop
• National fiber-optic facility

Middleware
• Directories
• Authentication
• Authorization

Engineering
• Multicast
• IPv6
• Measurement
• New Arch

Advanced Applications
• Gigabit+ file transfer
• High-end video
• Remote instrumentation
• Distributed computation
• Virtual co-laboratories
• Distance learning
• Integrated Communications

Page 9: SIP.edu

Advanced Applications (high-end, few users)

Page 10: SIP.edu

Advanced Communications (less high-end, many users)

• Many ways VoIP can be better…
  • Multi-media integration
  • Integration with campus IT assets
  • Use of IPv6 and Multicast
  • Fidelity
  • Addressing
  • Mobility
  • Privacy
  • Survivability
  • Emergency services

* Drawings by VoIP user, Louis Teitelbaum (age 6)

Page 11: SIP.edu

Internet2’s Secret Sauce

• Demographics
  • ~3.8 million students (tech-savvy, talk a lot, adapt easily)
  • And, by the way, they graduate (tech-transfer à la email)
• Institutional Commitments
  • Internet2 members have committed to advance IP communications and promote collaborative apps
  • Commitment to advance communication way beyond POTS
• Connectivity
  • Great networking connectivity and campus middleware
  • High-bandwidth, low-loss, low-jitter
  • End-to-end transparency (few NATs)
  • Emerging middleware infrastructure for authentication & authorization
  • IPv6 and multicast too!
• Strong commitment to open standards

Page 12: SIP.edu

SIP.edu Working Group

• Fearless Leader
  • Dennis Baron, MIT (Chair), sip:[email protected]
• Web Site
  • http://www.internet2.edu/sip.edu/

Page 13: SIP.edu

Ends and Means

• Ends
  • Grow SIP connectivity in Internet2
  • Increase value proposition for end-user SIP adoption
  • Promote SIP and converged identity
  • Provide a useful service, while supporting R&D
• Means
  • Cookbook with various “recipes”
  • Corporate sponsorship and promotional pricing
    • Cisco, Avaya, Pulver.com so far
  • Build community

Page 14: SIP.edu

Why Phone NUMBERS?

• Users should not be burdened with device addresses, when it’s people they care about
• Addresses should be mnemonic and empower enterprises to manage the identities of their users
  • sip:[email protected]
• It’s time to put E.164 numbers behind us!
• A.G. Bell did not say: “+1-617-252-1232, come here. I need you!”

Page 15: SIP.edu

SIP.edu Architecture v0.1

Diagram: a SIP User Agent sends INVITE (sip:[email protected]); a DNS SRV query for _sip._udp.bigu.edu locates the bigu.edu SIP Proxy. The proxy looks up telephoneNumber where mail=”bob” in the Campus Directory and forwards INVITE (sip:[email protected]) to the SIP-PBX Gateway, which reaches Bob's Phone through the PBX over PRI / CAS.

Page 16: SIP.edu

SIP.edu Architecture v0.2

Diagram: a SIP User Agent sends INVITE (sip:[email protected]); a DNS SRV query for _sip._udp.bigu.edu locates the bigu.edu SIP Proxy. Bob's SIP Phones have sent REGISTER (Contact: 207.75.164.131) to the SIP Registrar, which stores the binding in the location DB; the proxy consults the location DB and forwards INVITE (sip:[email protected]) to the registered phones for IP Voice, Video, IM, ...

If Bob has registered, ring his SIP UAs; else, call his extension through the PBX.

Page 17: SIP.edu

Campus Deployments

Page 18: SIP.edu

SIP.edu Security Considerations

• VoIP is wonderful, but returns us to the bad old days of in-band signaling
• DoS, SPIT, SPIM, Spideo, all concerns
• Toll fraud - not so much
• SIP.edu community looking seriously at draft-ietf-sip-identity-05 (Peterson & Jennings) to deter spoofing
• Possible leverage of Shibboleth / InCommon PKI

Page 19: SIP.edu

Security Should Not Compromise Security

• CALEA
  • Tapping boxes could introduce fragility
  • Tapping boxes could be hacked
• 911
  • Short-term solutions could delay the deployment of much better long-term solutions
  • IP-enabled PSAPs
  • Better 911: multimedia, testability, low-cost, robustness
  • Columbia/Texas A&M/Internet2/NENA NG911 project
• Priority and preemption systems
  • Open new opportunities for DoS attacks
  • Best-effort is often what you want in a crisis

Page 20: SIP.edu

SIP.edu Goals Revisited

• Provide a useful service…
  • User-to-user connectivity to support mass use of new collaborative applications
  • Eventual evolution of testbed deployments into production services
• …while supporting R&D
  • Experimental deployment of new solutions
  • Access to statistics & measurement data

Page 21: SIP.edu

Abilene Observatory - Summary

• History and Motivation
• What is the Observatory?
  • Collocation Projects
  • Internet2 and NOC Measurements
  • Data Collections
• Examples of Research Results
• Participation in Research Proposals
• Future Directions
• Issues
• http://abilene.internet2.edu/observatory/

Page 22: SIP.edu

History and Motivation

• Original Abilene racks included measurement devices
  • Included a single PC
  • Early OWAMP, surveyor measurements
  • Optical splitters at some locations
• Motivation was primarily operational
• Data collections
  • Collected and maintained by the NOC
  • How is the network performing?
  • Available to other network operators
  • Data also proved valuable for research purposes

Page 23: SIP.edu

History and Motivation

• An important decision was made during the last upgrade process (Juniper T-640 routers and OC-192c)
  • Two racks, one dedicated to the measurement platform
  • Potential for the research community to collocate
• Created two components to the Observatory
  • Collocation - research groups are able to collocate equipment in the Abilene router nodes
  • Measurement - data is collected by the NOC, the Ohio ITEC, and Internet2, and made available to the research community

Page 24: SIP.edu

Abilene router node

Diagram of the rack layout at an Abilene router node. Labels: Power; Out-of-band (M-5); Eth. Switch; T-640; Power (48VDC); Measurement Machines (nms); Space!; Measurement (Observatory) Rack.

Page 25: SIP.edu

Dedicated servers at each node

• Houston Router Node
  • NMS machines
  • PlanetLab machines

Page 26: SIP.edu

Collocation Research Projects

• PlanetLab – Nodes installed in all Abilene Router Nodes
  • PlanetLab is a global overlay network for developing and accessing new network services
  • Goal is to deploy 1000 nodes in a variety of networks
  • Designed to support both short-term experiments and long-running services
  • Larry Peterson, Princeton University, is Research Lead
  • http://www.planet-lab.org
  • Potential new direction using MPLS L2VPNs

Page 27: SIP.edu

Collocation Projects

• The AMP Project – Active Measurement Platform, deployed in all Abilene Router Nodes
  • More than 150 nodes deployed worldwide
  • Measurements include path, round-trip time, packet loss and on-demand throughput tests
  • Project of NLANR/MNA
  • Tony McGregor, NLANR/MNA, Waikato University, is Research Lead
  • http://amp.nlanr.net

Page 28: SIP.edu

Collocation Projects

• The PMA Project – Passive Measurement and Analysis, deployed at the Abilene Indianapolis Router Node
  • Analysis of header traces from over 20 sites, including OC-192 circuits in Abilene
  • Header traces of all packets in and out of the Indianapolis Abilene router – a router clamp
  • Joerg Micheel, NLANR/MNA, San Diego Supercomputer Center, UCSD, is research lead
  • http://pma.nlanr.net
  • http://pma.nlanr.net/Sites/ipls-2004/

Page 29: SIP.edu

Measurement Capabilities

• One-way latency, jitter, loss
  • IPv4 and IPv6
• Regular TCP/UDP throughput tests – ~1 Gbps
  • IPv4 and IPv6; on-demand available (see “pipes”)
• SNMP (NOC)
  • Octets, packets, errors; collected frequently
• “Netflow” (ITEC Ohio)
  • Addresses anonymized by zeroing the low-order 11 bits
• Multicast beacon with historical data
• Routing data
  • Both IGP and BGP - the measurement device participates in both
  • Routing-research techniques from Japanese researchers were implemented

Page 30: SIP.edu

Databases – Data Types

• Data is collected locally and stored in distributed databases
• Databases
  • Usage Data
  • Netflow Data
  • Routing Data
  • Latency Data
  • Throughput Data
  • Router Data
  • Syslog Data

Page 31: SIP.edu

Databases - Interface

• Variety of interfaces to data
  • Simple web-based for usage data
  • Rsync for netflow
  • Simple web-based for routing data
  • SOAP interface for latency data
  • SOAP interface for throughput data
  • SOAP interface for Router data
  • Syslog data still under development

Page 32: SIP.edu

“SIP.edu Observatory”?

• Could the Abilene Observatory be leveraged to support VoIP security research?

• Are additional data (e.g. anonymized proxy logs) needed to support VoIP security research?
