2. About Quobis
● Working in UC since 2006
● Focus on VoIP since 2008
● Addressing SP and enterprise markets
● HQ in Vigo (Spain)
● Free software
Meet the team
3. About me
● FIC student
● Fran tutored my final year project - "DoS attacks in VoIP"
● Last year: VoIP Engineer
● Now: Security Engineer
Jesús Perez
Security Engineer
@jesusprubio
jesus.perez@quobis.com
4. About me
● FIC student
● Fran tutored my final year project - "DoS attacks in VoIP"
● Last year: VoIP Engineer
● Now: Security Engineer
Quobis is hiring!
Jesús Perez
Security Engineer
@jesusprubio
jesus.perez@quobis.com
5. Index
● Definition
● Real examples
● Signaling
○ VoIP and SIP in 3 slides
● QoffeeSIP
● Final year project proposals
6. Definition
● WebRTC (Web Real-Time Communication) is an API definition
being drafted by the World Wide Web Consortium (W3C) to
enable browser to browser applications for voice calling, video
chat and P2P file sharing without plugins.
http://en.wikipedia.org/wiki/WebRTC
● WebRTC is a free, open
project that enables web
browsers with Real-Time
Communications (RTC)
capabilities via simple
Javascript APIs.
http://www.webrtc.org
7. Definition. Key benefits
● Browser is an omnipresent application
● Users download the client in each access -> no versions issues
● No plugins needed (Flash, Java, Activex, Gtalk plugin, Skype for
Facebook plugin, etc.)
● Use of standards -> security by default
● Multi-platform... and ¡multi-devices!
8. Definition. Main actors
● IETF RTCWeb Working Group
○ WebRTC 1.0 Real-time Communication
Between Browsers
http://www.w3.org/TR/webrtc
● W3C WebRTC
○ draft-ietf-rtcweb-audio-01
○ draft-ietf-rtcweb-data-channel-04
○ draft-ietf-rtcweb-jsep
○ draft-ietf-rtcweb-rtp-usage
○ draft-ietf-rtcweb-use-cases-and-
requirements-10
○ ...
http://datatracker.ietf.org/wg/rtcweb
9. Definition. Main actors
● Standard supporters
● Standard contributors
● Early implementators
● Standard detractors
● Arrived late
● CU-RTC-WEB (Microsoft proposal)
10. Definition. Video codec fight
VP8
H.264
vs
... and VoIP, telepresence and
videoconference vendors
● Since a technical poing of view there aren't enough differences
to complaint
● Most of devices already have hardware acceleration for H-264
(Android ones included)
● But VP8 is free licensed and H.264 not.
11. Definition. Video codec fight
VP8
H.264
vs
... and VoIP, telepresence and
videoconference vendors
● Since a technical poing of view there aren't enough differences
to complaint
● Most of devices already have hardware acceleration for H-264
(Android ones included)
● But VP8 is free licensed and H.264 not.
13. Definition. Another implementations
● Google's WebRTC implementation is a library written in C++
included in V8 Javascript engine
● Then you could download it and compile it wherever you want/can
● Moreover con could always write your own implementation of the
API
● So there are applications that support it without a browser (ie:
Android and iOS apps)
14. Definition. How it works?
DTLS-SRTP Flow
SDP Offer
SDP Answer
ICE
gathering
process ICE
gathering
process
Signalig
Traffic over UDP
● The use of SDP protocol is being discussed now.
19. Definition. Javascript API does the magic
● GetUserMedia: Allows access to local camera, microphone, etc.
● RTCPeerConnection: Allows sending a local stream and to
receive a remote stream
● DataChannel: Allows P2P file sharing between two browsers
32. Signaling
There is NO signaling method defined!
● For our sake says IETF... -> flexibility
33. Signaling
There is NO signaling method defined!
● For our sake says IETF... -> flexibility
34. Signaling. JSON, XMPP, third party API, etc.
● The existence of a media relay server is optional in all cases.
35. Signaling. VoIP in 2 slides
● Voice over Internet Protocol
● Main standard protocols
36. Signaling. VoIP in 2 slides. SIP
● Functions
○ Users location
○ Users availability
○ Client capabilities
○ Session establishement
○ Session management
● Main type of requests
○ REGISTER
○ OPTIONS
○ INVITE
○ ACK
○ BYE
● Responses: 1xx, 2xx, 3xx, 4xx, 5xx, 6xx
INVITE sip: bob@biloxi.com SIP/2.0
Via: SIP/2.0/UDP pc33.atlanta.com;
branch=z9hG4bK776asdhds
MaxForwards: 70
To: Bob <sip: bob@biloxi.com>
From: Alice <sip: alice@atlanta.com>;
tag=1928301774
CallID: a84b4c76e66710@pc33.atlanta.com
CSeq: 314159 INVITE
Contact: <sip: alice@pc33.atlanta.com>
ContentType: application/sdp
ContentLength: 142
37. Signaling. SIP over websockets
● Websockets client only can talks with a websocket server.
● The existence of a relay media server is optional in all cases.
● Most SIP servers (softswitches and proxies) include the SIP
websockets gateway.
38. Signaling. SIP over websockets
● Websockets client only can talks with a websocket server.
● The existence of a relay media server is optional in all cases.
● Most SIP servers (softswitches and proxies) include the SIP
websockets gateway.
39. Signaling. SIP over websockets
TCP connection open
GET /sipserver HTTP/1.1
Host: server.example.com
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Key: x3JJHMbDL1EzLkh9GBhXDw==
Sec-WebSocket-Protocol: sip
Sec-WebSocket-Version: 13
Origin: http://talsetup.quobis.com
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: HSmrc0sMlYUkAGmm5OPpG2HaGWk=
Sec-WebSocket-Protocol: sip
SIP Messages (*)
TCP connection closed
WS Close message
(*) In this case we send SIP messages, but we could send any other protocol.
40. Signaling. SIP over websockets
● The WebSocket Protocol as a Transport for the Session Initiation
Protocol (SIP) - draft-ietf-sipcore-sip-websocket-08
● Servers
○ Kamailio
○ Asterisk
○ OverSIP (Outbound proxy)
○ Privative solutions
● Clients (stacks)
○ QoffeeSIP
○ JsSIP
○ sipML5
○ sip-js
○ Crocodile RCS (Comming soon)
○ Privative solutions
41. QoffeeSIP
● QoffeeSIP is a complete Javascript SIP stack that can be used in
a website to exploit all the multimedia capabilities of WebRTC
technology.
○ Developed in CoffeeScript (simple syntax).
○ Really tiny (< 32 KB).
○ Video/audio calls (WebRTC).
○ SIP over Websockets protocol (and secure).
○ SIP Outbound and GRUU protocols.
○ Design focused in simplicity, having in mind the final user.
○ Some examples of use included.
○ Open source (LGPL).
● Tryit: http://webrtc.quobis.com/
● Use it: QuickStart guide
43. SIPPO
● Enterprise targeted (rich communications) webphone based on
QoffeeSIP.
● Just right now at Las Vegas ...
44. SIPPO
● Enterprise targeted (rich communications) webphone based on
QoffeeSIP.
● Just right now at Las Vegas ...
45. WebRTC+SIP as access method new features>
SIP over WS/REST
DTLS - SRTP
SIP over UDP/TCP/TLS
RTP/SRTP
Signaling & media
interworking
● Direct application for telephony: using the browser as a phone
● We must interwork transport, signaling and media protocols
○ The gap
46. WebRTC+SIP as access method. The gap new fe
● These slides are taken from Victor Pascual conference referenced at the end.