1 secure voip: call establishment and media protection johan bilien, erik eliasson, joachim orrblad,...
TRANSCRIPT
1
Secure VoIP: call establishment and media protection
Johan Bilien, Erik Eliasson, Joachim Orrblad, Jon-Olov Vatn
Telecommunication Systems LaboratoryRoyal Institute of Technology (KTH)Stockholm, Sweden
2
• Protecting the signaling– encryption and integrity protection– hop-by-hop– protection of privacy
• Protecting the media– encryption and integrity protection– end-to-end– at network (IPSec ESP) or application
layer (SRTP)
• Authenticated Key Exchange (AKE)– provides key to protect the media– allows callee policies, such as
filtering of spam
Requirements for secure VoIP
UA UA
P P
3
AKE for Secure VoIP• Which protocol?
– IKE (RFC 2409)• widely deployed and acknowledged
– MIKEY (RFC 3830)• specifically designed for protection of multimedia services
• MIKEY profile defined for SRTP
• How to combine the AKE and the SIP signaling?– “out-of-band”, performed in additional messages, or– integrated, carried in the SIP messages
4
Performance metrics• Ringing delay (RD)
– from sending the INVITE to receiving the ringing notification
– includes caller authentication
• Media clipping (MC)– media transmission is
hindered by ongoing cryptographic processing
• Ghost ringing– the caller cancels the call
after the callee started ringing
INVITE
180 RingingRD
200 OK
RTP
RTPMC
5
IKE and SIP signaling• IKE performed “out of band”• SIP preconditions (RFC 3312) extended for IKE setup
INVITE / IPSec required
UPDATE
IKE
183 Session in progress
200 OK (UPDATE)
200 OK (INVITE)
6
MIKEY and SIP signaling• MIKEY integrated with SIP / SDP
• Without reliable provisional responses
– Processing of the MIKEY response in the 200 OK creates media clipping
INVITE / MIKEY Init
200 OK / MIKEY Response
• With reliable provisional responses– The MIKEY response is sent reliably
in a provisional response– The security association is
complete before the 200 OK is sent, thus avoiding media clipping
200 OK
INVITE / MIKEY Init
183 / MIKEY Response
PRACK
7
Implementation• Signaling protection using TLS
• Media protection– SRTP
• AKE using MIKEY in the SDP offer-answer
– IPSEC – ESP• AKE using MIKEY in a separate MIME payload
• proposed MIKEY profile for ESP
• No reliable provisional response
• Open source (LGPL and GPL)
8
Secure call setup - delays
BobAlice
Alice
Alice
INVITE/MIKEY InitInvite processing• SIP Processing• MIKEY verify, Policy check
Callee Transmit Clipping • Create MIKEY Reply• Session key gen.• (Update IPSec DBs)
Packetization delay
Ringing delay• Create MIKEY Init• SIP processing
Caller Transmit Clipping:• SIP Processing• MIKEY verify, policy check• Session key gen.• (Update IPSec DBs)
Packetization Delay
Bob
180 Ringing
200 OK/MIKEY
Reply
DIAL
OFF HOOK
a2
a3a4
a1 b1
RTP Media
RTP Media
b2
b3
Caller ReceptionClipping
9
Measurements
a1 b1 b2 b3 a2 a3 a4Time (in ms)
TCP 73,6 18,6 835,9 28,2 804,4 30,1 83,3TLS 76,1 16,9 834,8 28,2 803,3 30,2 83,5
SRTP TCP 72,2 19 172,8 28,2 146,2 28,1 -14,5
TLS 74,7 17,5 170,3 28,1 145,5 28,2 -13,4
Ringing delay
Invite processing
Callee transmit clipping
Packeti- zation delay
Caller transmit clipping
Packeti-zation delay
Caller receive clipping
IPSec
10
Conclusions and future work• In all the measured cases, the ringing delay is not
significant for a human person (~ 75 ms)• The key exchange for SRTP results in a short transmit
clipping on both sides (~170 ms)• The use of IPSec results in a major media clipping on both
sides (~ 800 ms). We believe this to be a Linux IPSec implementation issue.
• Adding support for reliable provisional responses, to carry the MIKEY response, would cancel those clippings.
• We recommend the use of SRTP for media protection, TLS for signaling protection, and an authenticated key exchange based on MIKEY.