Authenticated Identities in VoIP Call Control
1. Opportunities and Challenges for Authenticated Identities within VoIP Call Control. John Nix, VP, Technology Development, InCharge Systems, Inc. April 7, 2008
3. How are Endpoints Authenticated Today?
[Diagram labels: Orig. Device; Proxy Server; Corresponding Node; Communications Service; Public Internet; NAT/FW. Messages shown: INVITE, "200 OK", Media; INVITE "Bob".]
9. Significant Complexity of Firewall Rules for a Peering Federation
[Diagram: a Peering Federation hierarchy with Level 1 Service Providers, Level 2 Service Providers, and Level 3 Enterprises / End Users. Entities shown: Service Providers A, B, C, A.1 and A.2, and Enterprises A.1.a and A.1.b, each with Proxy Server 1, Proxy Server 2 and Proxy Server 3.]
Note: Any time a proxy server or SBC is moved, changed, added, or deleted, all firewall rules need to be updated.
14. Signing & Verification
- End-point or originating operator signs INVITE
- Peering / Transport Federation validates signed INVITE and routes accordingly
- Terminating IP net / gateway validates signed INVITE and delivers call
- User / Server validates INVITE, blocks SPIT …
Example Signing & Remote Validation
- Signing Service or local application. Uses private key
- Validation Service or local application. Uses public certificate from locally provisioned or remote repository
[Diagram labels: Internet; SS7; VoIP; SIP; X]
16. Example Message Flow Through Peering Federation
[Diagram labels: Originating Service Provider; Terminating Service Provider; Proxy Server; Authenticate Identity Management; Peering Fabric; Certificate Authority; Authentication Proxy; User Agent.]
Flow labels, in the order they appear on the slide:
- UA / Service Provider Requests Key
- CA Returns Public Key and Certificate
- UA Sends Invite to Termination Point
- Client Decrypts Certificate
- Sign with CA Private Key
17. A "Holy Grail" of VoIP - Direct Communication, Likely Requiring IPv6
[Diagram labels: CN Firewall; Corresponding Node IP Address; Public Internet; MN FW; Mobile Network; First Media Stream; Second Media Stream; RTCP Stream 1; RTCP Stream 2; Signaling (via DNS/Enum).]
[Endpoints shown: 2008:0db8::1455:57cd using ports 12345, 12346 and 5060; 1ab2:034f::ccdd:4e8b using ports 22334, 22335 and 5060.]