Authenticated Identites in VoIP Call Control

Opportunities and Challenges for Authenticated Identities within VoIP Call Control John Nix VP, Technology Development InCharge Systems, Inc. April 7, 2008

Overview ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

How are Endpoints Authenticated Today? Orig. Device Proxy Server Corresponding Node Proxy Server Corresponding Node INVITE INVITE "200 OK" "200 OK" "200 OK" Media Public Internet NAT/FW NAT/FW Communications Service INVITE "Bob"

How are Endpoints Authenticated Today (cont)? ,[object Object],[object Object],[object Object],[object Object],[object Object]

How are Endpoints Authenticated Today (cont.)?

Benefits / Drawbacks of Current Authentication ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

More Drawbacks of Current Authentication ,[object Object],[object Object],[object Object],[object Object]

Significant Complexity of Firewall Rules for a Peering Federation Enterprise A.1.a Proxy Server 1 Proxy Server 2 Proxy Server 3 Peering Federation Level 1 Service Providers Level 2 Service Providers Level 3 Enterprises / End Users Note: Any time a proxy server or SBC is moved, changed, added, or deleted, then all firewall rules needs to be updated Service Provider A Proxy Server 1 Proxy Server 2 Proxy Server 3 Service Provider B Proxy Server 1 Proxy Server 2 Proxy Server 3 Service Provider C Proxy Server 1 Proxy Server 2 Proxy Server 3 Service Provider A.1 Proxy Server 1 Proxy Server 2 Proxy Server 3 Service Provider A.2 Proxy Server 1 Proxy Server 2 Proxy Server 3 Enterprise A.1.b Proxy Server 1 Proxy Server 2 Proxy Server 3

Alternative to Firewall Rules - Open but Calls require a Prefix ,[object Object],[object Object],[object Object],[object Object]

Proposed Solution for Authentication and Identity - IETF RFC 4474 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Verified Identity Using IETF RFC 4474

Example Public Key - Used to Verify Signature

Signing & Verification Internet End-point or originating operator signs INVITE Peering / Transport Federation Validates signed INVITE and routes accordingly Terminating IP net / gateway validates signed INVITE and delivers call User / Server validates INVITE, blocks SPIT … Example Signing & Remote Validation Validation Service or local application. Uses public-certificate from locally provisioned or remote repository Signing Service or local application. Uses private key SS7 VoIP SIP X

Authenticated Identities Simplify Peering Security enhanced while eliminating firewall rules ! ,[object Object],[object Object],[object Object],[object Object],[object Object],Without Signed Messages Internet X Peer.-Fed. SS7 PSTN SIP X 6 * Provisioning Interfaces Signed Messages Save Internet X Peer.-Fed. SS7 PSTN SIP X ICS Sign Validate

Example Message Flow Through Peering Federation Terminating Service Provider Originating Service Provider Proxy Server Proxy Server Authenticate Identity Management Authenticate Identity Management Peering Fabric Certificate Authority Authentication Proxy Peering Fabric UA / Service Provider Requests Key CA Returns Public Key and Certificate UA Sends Invite to Termination Point Client Decrypts Certificate Sign with CA Private Key User Agent User Agent

A "Holy Grail" of VoIP - Direct Communication, Likely Requiring IPv6 CN Firewall Corresponding Node IP Address Public Internet MN FW First Media Stream Second Media Stream RTCP Stream 1 RTCP Stream 2 Mobile Network [2008:0db8::1455:57cd]:12345 2008:0db8::1455:57cd [2008:0db8::1455:57cd]:12345 [2008:0db8::1455:57cd]:12346 [2008:0db8::1455:57cd]:12346 [2008:0db8::1455:57cd]:12345 [1ab2:034f::ccdd:4e8b]:22334 [1ab2:034f::ccdd:4e8b]:22334 1ab2:034f::ccdd:4e8b [2008:0db8::1455:57cd]:12346 [1ab2:034f::ccdd:4e8b]:22335 [1ab2:034f::ccdd:4e8b]:22335 [2008:0db8::1455:57cd]:12346 [1ab2:034f::ccdd:4e8b]:22335 [1ab2:034f::ccdd:4e8b]:22335 [1ab2:034f::ccdd:4e8b]:22334 [2008:0db8::1455:57cd]:12345 [1ab2:034f::ccdd:4e8b]:22334 Signaling (via DNS/Enum) [2008:0db8::1455:57cd]:5060 [2008:0db8::1455:57cd]:5060 [1ab2:034f::ccdd:4e8b]:5060 [1ab2:034f::ccdd:4e8b]:5060

Summary of Benefits of RFC 4474 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Challenges for RFC 4474 ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Example "Support" Systems Required to Deploy RFC 4474 on a Wide Scale ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],Back Office Functions Supported User Applications Management, Provisioning, Auditing, Information Repository ICS Provisioning Signing Services Validation Services Peering-Fed. Provision Authorize Orig.- / Term.- Svc. Provider Sign, Authorize Enterprises Direct Peering Encryption End - User Sign, SPAM SMS, Encryption Real Time Hosting or User Services

Key Assumption for IETF RFC 4474 ,[object Object]

One of Many "Real-World" Call Flows 3725 IP-IP BICS Go2Call Radius Go2Call Database Asterisk 01 Asterisk 02 Asterisk 03 VoIP Phone NAT ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]

Another "Real World" Issue - Caller ID and "Display Name" on Cisco Gateways ,[object Object],[object Object],[object Object]

Need for a Reference System - Solve "Real World" Issues and Revise RFC ,[object Object],[object Object],[object Object],[object Object]

Authenticated Identites in VoIP Call Control

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (19)

Similar a Authenticated Identites in VoIP Call Control

Similar a Authenticated Identites in VoIP Call Control (20)

Último

Último (20)

Authenticated Identites in VoIP Call Control