The Session Initiation Protocol (SIP) is an application-layer control (signaling) protocol that can establish, modify, and terminate multimedia sessions (conferences) such as Internet telephony calls using Voice over IP (VoIP). SIP supports user applications that require the creation and management of a session, where a session is considered an exchange of data between an association of participants. The implementation of these applications is complicated by the practices of participants: users may move between endpoints, they may be addressable by multiple names, and they may communicate in several different media, sometimes simultaneously.
Session Initiation Protocol can invite participants to already existing sessions, such as multicast conferences. Numerous protocols have been authored that carry various forms of real-time multimedia session data such as voice, video, or text messages. SIP works in concert with these protocols by enabling Internet endpoints (called user agents) to discover one another and to agree on a characterization of a session they would like to share. Media can be added to (and removed from) an existing session.
Session Initiation Protocol transparently supports name mapping and redirection services for enhanced personal mobility. To locate prospective session participants, and other functions, SIP enables the creation of an infrastructure of network hosts (called proxy servers) to which user agents can send registrations, invitations to sessions, and other requests. It is an agile, general-purpose tool for creating, modifying, and terminating sessions that works independently of underlying transport protocols and without dependency on the type of session that is being established. As such, SIP supports:
- User location: determination of the end system to be used for communication
- User availability: determination of the willingness of the called party to engage in communications
- User capabilities: determination of the media and media parameters to be used
- Session setup: “ringing”, establishment of session parameters at both called and calling party
- Session management: transfer and terminate sessions, modify session parameters, and invoke services
The nature of the services provided make security particularly important. To that end, SIP provides a suite of security services, which include denial-of-service prevention, authentication (both user to user and proxy to user), integrity protection, and encryption and privacy services.
Session Initiation Protocol is not a vertically integrated communications system. SIP is rather a component that can be used with other IETF protocols to build a complete multimedia architecture. Typically, these architectures will include protocols such as the Real-time Transport Protocol (RTP) for transporting real-time data and providing QoS feedback, the Real-Time Streaming Protocol (RTSP) for controlling delivery of streaming media, the Media Gateway Control Protocol (MEGACO) for controlling gateways to the Public Switched Telephone Network (PSTN), and the Session Description Protocol (SDP) for describing multimedia sessions. Therefore, SIP should be used in conjunction with these other protocols to provide complete services to the end users. However, the basic functionality and operation of the protocol does not depend on any of these other protocols.
Session Initiation Protocol does not provide services. Rather, SIP provides primitives that can be used to implement different services. For example, SIP can locate a user and deliver an opaque object to his current location. If this primitive is used to deliver a session description written in SDP, for instance, the endpoints can agree on the parameters of a session. If the same primitive is used to deliver a photo of the caller as well as the session description, a “caller ID” service can be easily implemented. As this example shows, a single primitive is typically used to provide several different services.
Session Initiation Protocol does not offer conference control services such as floor control or voting and does not prescribe how a conference is to be managed. SIP can be used to initiate a session that uses some other conference control protocol. Since messages and the sessions they establish can pass through entirely different networks, SIP cannot, and does not, provide any kind of network resource reservation capabilities.
VOCAL’s implementation of the SIP protocol is optimized for performance on leading DSPs and processors. Our software may be licensed by developers as source code or binary, with custom solutions available to meet developer-specific requirements. VOCAL’s embedded software libraries include a complete range of ETSI / ITU / IEEE compliant algorithms, in addition to many other standard and proprietary algorithms. Our SIP software is written in ANSI C and optimized for execution on leading DSP and processor architectures (TI, ADI, AMD, ARM, MIPS, CEVA, LSI Logic ZSP, etc.). These libraries are modular and can be executed as a single task under a variety of operating systems or standalone with their own microkernel.
- Compliant with RFC 3261 SIP v.2
- Supports both IPv4 and IPv6
- Invitations (INVITE) are used to create sessions and carry session descriptions that allow participants to agree on a set of compatible media types.
- Enables user mobility through a mechanism that allows requests to be proxied or redirected to the user’s current location. Users can register their current location with their home server.
- Supports end-to-end and hop-by-hop authentication, as well as end-to-end encryption using S/MIME.
- Members in a session can communicate using multicast or unicast relations, or a combination of these. In addition, SIP is independent of the lower-layer transport protocol, which allows it to take advantage of new transport protocols.
- Software implementing the SIP protocol can be extended with additional capabilities and is actively being developed.
- WIFI phones VoWLAN
- Wireless GPRS EDGE systems
- Personal Communications
- Wideband IP telephony
- Audio and Video Conferencing
For additional information regarding the Session Initiation Protocol:
- SIP Calling
- SIP Conferencing
- SIP Message Routing
- SIP Presence and Instant Messaging
- SIP Registration
- SIP User Authentication
- Secure SIP
- SIP and Deep Packet Inspection (DPI)
VOCAL’s Session Initiation Protocol supports a variety of agents to perform different services for SIP enabled devices in a network.
A SIP user agent (UA) is an endpoint that supports SIP. SIP is used to establish connections and enable sessions between SIP UAs. A UA acts on behalf of a user, usually a person, but it may also be an automated application such as a gateway. A UA comprises both a client (UAC) and a server (UAS): the UAC issues requests while the UAS issues responses.
At a minimum, a UA supports the Session Description Protocol (SDP), which defines the type and characteristics of the session to be established between UAs. The UA notifies other UAs and servers of the capabilities it supports, including methods, SIP extensions, and message body types. This allows UAs to offer and then select mutually supported algorithms, codecs, ports, and other characteristics to be used when establishing a session.
A presence agent accepts subscriptions from UAs and notifies them of events: it accepts SUBSCRIBE requests and generates NOTIFY messages. An example of a presence agent is a SIP server used to support auto-provisioning of SIP enabled devices. A UA subscribes to update notifications from the server and is notified of provisioning updates when they are released.
A back-to-back user agent (B2BUA) acts as an intermediary. It receives a SIP request and issues a new request that is a reformulated version of the original. Similarly, responses are handled in the same way. It may be used to isolate different UAs and hide information about one UA from the other. A B2BUA can also be used to provide other services but this can introduce additional latencies and potential packet loss. A common application of a B2BUA is an Application Layer Gateway that can be used for example in firewalls to enable SIP and other media packets to pass.
A SIP gateway acts as an interface between two domains, one being SIP and the other another protocol. It translates between the two protocols and, similar to a B2BUA, isolates the interacting agents in the different domains. Unlike a UA, the gateway can support interactions of multiple agents between the separate domains. A gateway can terminate the signaling path and sometimes the media path. In the case of a SIP to PSTN interface, the SIP gateway terminates both the signaling and the media and converts both from one protocol format to the other.
SIP servers accept SIP requests and respond to them. A server is an application that may act on the behalf of a SIP client or user agent (UA) or may provide information or direction to a UA. There are several types of SIP servers including proxy, redirect, and registration.
A proxy server acts on behalf of a UA or even another proxy. The proxy’s purpose is to facilitate a connection between UAs to establish a session for VoIP or other activity. A proxy does not originate SIP requests; it forwards requests and responses received from a UA or another proxy on to the next proxy or UA. A proxy does not interpret the message body: it routes on the request headers and leaves the body untouched. It will consult other services, e.g. DNS or the location service populated by the registrar, to get routing information for the next proxy server or the endpoint UA. In so doing, the proxy modifies the routing headers (it adds its own Via, decrements Max-Forwards, and may rewrite the Request-URI) as the message is propagated from the originating UA through one or more proxy servers and ultimately to the endpoint UA.
A proxy may be either stateless or stateful. A stateless proxy forwards each request and response as it arrives and retains no information about the source, destination, or message contents afterwards. By definition, a stateless proxy cannot retransmit messages, since it has no record of previous transactions. A stateful proxy, on the other hand, tracks each transaction and uses timers to retransmit or take whatever other action the current state indicates. Normally, a stateful proxy responds to an INVITE with 100 Trying back to the sender.
Unlike a proxy server, a redirect server responds to SIP requests (with a 3xx response listing alternative contacts) but does not forward them to another server or UA. Like a proxy, the redirect server can consult DNS or a location service to obtain the user information it returns to the requester.
A registration or registrar server accepts requests from a UA to register an address of record with the server. The server records the address of record along with the device URI (the Contact) so that requests from another UA can be routed to that URI. The registrar should require the UA to authenticate, normally with HTTP Digest authentication carried over TLS so the exchange is not exposed on the network; otherwise an unauthorized or malicious user could rebind another user’s address of record to a contact of their choosing (registration hijacking).
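The registrar check described above, as an added example that is not VOCAL’s code: a REGISTER without credentials is challenged with 401, the UA answers with an HTTP Digest proof (RFC 2617 with qop=auth, as SIP uses it per RFC 3261 section 22), and the Contact binding changes only when the proof verifies, the nonce-count has not been replayed, and the authenticated user actually owns the address of record. The realm, the user database and the credentials are constructed for illustration; in deployment the exchange would run over TLS so the Digest parameters are not visible on the wire.

```python
import hashlib
import re
import secrets

# Added example, not VOCAL's code: HTTP Digest (RFC 2617 / RFC 3261 section 22)
# protecting REGISTER so that only the holder of a password can rebind that
# user's address of record.  REALM, USERS and the client credentials below are
# constructed for illustration.
REALM = "example.com"
REQUEST_URI = "sip:" + REALM                          # Request-URI of a REGISTER is the domain
USERS = {"alice": "correct horse battery staple"}     # constructed credential store


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5("%s:%s:%s" % (user, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%s:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


def parse_digest(header):
    """'Digest k="v", k2=v2' -> dict; values may be quoted or bare."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest header")
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,]+)', header[7:])}


class Registrar:
    def __init__(self):
        self.bindings = {}   # address of record -> Contact URI
        self.nonces = {}     # nonce -> highest nonce-count accepted (replay check)

    def register(self, aor, contact, authorization=None):
        """Handle one REGISTER; return (status, detail).  The binding changes only
        after a valid proof of the password of the user who owns the AoR."""
        if authorization is None:
            nonce = secrets.token_hex(16)
            self.nonces[nonce] = 0
            return 401, 'Digest realm="%s", nonce="%s", qop="auth", algorithm=MD5' % (REALM, nonce)
        p = parse_digest(authorization)
        user = p.get("username")
        if user not in USERS or p.get("realm") != REALM or p.get("nonce") not in self.nonces:
            return 401, "unknown user, wrong realm or stale nonce"
        nc = int(p.get("nc", "0"), 16)
        if nc <= self.nonces[p["nonce"]]:
            return 401, "nonce-count replayed"
        expected = digest_response(user, USERS[user], REALM, "REGISTER", p.get("uri", ""),
                                   p["nonce"], p.get("nc", ""), p.get("cnonce", ""))
        if not secrets.compare_digest(expected, p.get("response", "")):
            return 403, "bad credentials"
        # Authentication is not authorization: alice may not rebind bob's address of record.
        if aor != "sip:%s@%s" % (user, REALM):
            return 403, "authenticated user does not own this address of record"
        self.nonces[p["nonce"]] = nc
        self.bindings[aor] = contact
        return 200, "binding updated"


def client_authorization(challenge, user, password, nc="00000001"):
    """Build the Authorization header a UA sends in its second REGISTER."""
    ch = parse_digest(challenge)
    cnonce = secrets.token_hex(8)
    resp = digest_response(user, password, ch["realm"], "REGISTER", REQUEST_URI,
                           ch["nonce"], nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", qop=auth, nc=%s, '
            'cnonce="%s", response="%s"'
            % (user, ch["realm"], ch["nonce"], REQUEST_URI, nc, cnonce, resp))


def client_register(registrar, user, password, aor, contact):
    """The two-round exchange: REGISTER -> 401 challenge -> REGISTER with proof.  Returns the final status."""
    status, challenge = registrar.register(aor, contact)
    if status != 401:
        return status
    return registrar.register(aor, contact, client_authorization(challenge, user, password))[0]
```

Two checks beyond the password proof matter in practice: a captured Authorization header must not be accepted a second time (the nonce-count check), and a valid proof for alice must not be allowed to move bob’s Contact, which is the registration-hijacking case a Digest-only check misses.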
SIP trunking is an Internet connection, established using SIP, between a business IP-PBX and the Voice over IP (VoIP) services provided by an Internet Telephony Service Provider (ITSP). Phone calls can originate as an IP call or as an internal POTS call that is converted to IP by an analog telephone adapter (ATA) or media gateway and then transmitted over the SIP trunk to the ITSP. Unlike the physical line and switching required with PSTN service, the IP-PBX uses virtual phone lines to access ITSP VoIP services over a broadband Internet connection. Trunk bandwidth must be adequate to handle the day-to-day voice, data, and video usage of the business, or telephony QoS will suffer when the connection to the ITSP is overloaded and packet latency and loss increase.
SIP trunking allows businesses to utilize lower cost VoIP services and calling plans provided by an ITSP. If multiple business locations want to access VoIP services, each location can utilize a separate SIP trunk to the ITSP from its local IP-PBX or the remote locations can direct calls over an internet connection to the local IP-PBX and access the SIP trunk. Many IP-PBX systems support dedicated internet connections between multiple locations. Thus businesses could purchase larger bandwidth from one location to take advantage of bundling discounts with the ITSP and share or allocate the bandwidth amongst the individual offices. This also permits offices to use the internet to connect through another location to access the local PSTN system and use the local call service rates.
- Use lower cost VoIP services for long distance and local calling
- Select from alternate providers for lowest cost voice connections
Auto Provisioning with SIP
TR-069, the CPE WAN Management Protocol (CWMP), describes the provisioning of networked customer premises equipment (CPE). Much of how provisioning is actually accomplished is not specified by CWMP and has been left to vendors to determine. One approach is to use the inherent features of SIP to manage and direct the auto-provisioning of SIP enabled devices using CWMP.
For auto-provisioning, the CPE must be able to locate a suitable server to determine whether a provisioning update is available for any of its installed features. This can be handled using SIP. On startup, client devices can issue SUBSCRIBE to register with a SIP server for a provisioning service. A properly configured server replies with NOTIFY and indicates the URL of a server that supports provisioning for that CPE. The URL of the provisioning server is stored in the device and used to query for updates on subsequent startups. The provisioning server can also send NOTIFY requests to the device indicating that an update is pending. SIP is used to establish the connection between the device user agent and the server to perform the update. Because the NOTIFY tells the device where to fetch its configuration, the subscription exchange must be authenticated and carried over TLS, and the device should only act on a NOTIFY that matches a subscription it actually created; otherwise an attacker who can inject a NOTIFY can point the device at a provisioning server of their choosing.
Using CWMP, the CPE can access the provisioning server, determine whether updates exist, and download the corresponding configuration files. The configuration updates may apply to a device type or range of device types, or they may identify a specific device ID and address. Once the configuration data has been downloaded, the CPE can apply the updates. This may involve interpreting the configuration data for the specific device and its current configuration and copying the parameters to the appropriate configuration profile. In addition, the CPE may need to perform other activities, such as updating firmware.
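The device-side acceptance check for the SUBSCRIBE/NOTIFY exchange above, as an added example that is not VOCAL’s code: the CPE records the dialog once its SUBSCRIBE is accepted, and acts on a provisioning URL only if the NOTIFY carries the same Call-ID, the device’s own tag in To, the server’s tag in From and the same Event; anything else is answered with 481 (Subscription Does Not Exist), and a cleartext URL is acknowledged but not fetched. The event package name "provisioning", the hosts, tags and URLs are all constructed.

```python
import re
from urllib.parse import urlparse

# Added example, not VOCAL's code: the acceptance check a CPE should apply to a
# provisioning NOTIFY before trusting the URL it carries.  The event package
# name "provisioning" and all messages below are constructed for illustration.


def parse(raw):
    """(start line, headers as a lower-cased dict, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    start, *lines = head.split("\n")
    return start, {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines)}, body


def tag_of(value):
    m = re.search(r";tag=([^;\s]+)", value)
    return m.group(1) if m else None


class ProvisioningSubscriber:
    def __init__(self):
        self.dialogs = {}   # (Call-ID, local tag, remote tag) -> Event

    def on_subscribe_accepted(self, subscribe_raw, ok_raw):
        """Record the dialog once the 200 OK to our SUBSCRIBE supplies the remote tag."""
        _, sub, _ = parse(subscribe_raw)
        _, ok, _ = parse(ok_raw)
        if ok["call-id"] != sub["call-id"] or tag_of(ok["from"]) != tag_of(sub["from"]):
            raise ValueError("200 OK does not match our SUBSCRIBE")
        self.dialogs[(sub["call-id"], tag_of(sub["from"]), tag_of(ok["to"]))] = sub["event"]

    def on_notify(self, raw):
        """Return (status to send back, provisioning URL to act on or None)."""
        start, h, body = parse(raw)
        if not start.startswith("NOTIFY "):
            return 400, None
        # In the server's NOTIFY the roles are reversed: To carries our tag, From the server's.
        key = (h.get("call-id"), tag_of(h.get("to", "")), tag_of(h.get("from", "")))
        if key not in self.dialogs:
            return 481, None      # Subscription does not exist: unsolicited or spoofed NOTIFY
        if h.get("event") != self.dialogs[key]:
            return 489, None      # Bad Event
        url = body.strip()
        if urlparse(url).scheme != "https":
            return 200, None      # the dialog is genuine, but a cleartext URL is not acted on
        return 200, url


# Constructed messages: the device's SUBSCRIBE, the server's 200 OK, and a NOTIFY builder
# whose parameters let the test vary the tags, Call-ID and URL.
SUBSCRIBE = (
    "SUBSCRIBE sip:prov@example.com SIP/2.0\r\n"
    "From: <sip:cpe-1234@example.com>;tag=cpe1\r\n"
    "To: <sip:prov@example.com>\r\n"
    "Call-ID: sub-77@cpe-1234\r\n"
    "CSeq: 1 SUBSCRIBE\r\n"
    "Event: provisioning\r\n"
    "Expires: 3600\r\n\r\n"
)
OK = (
    "SIP/2.0 200 OK\r\n"
    "From: <sip:cpe-1234@example.com>;tag=cpe1\r\n"
    "To: <sip:prov@example.com>;tag=srv9\r\n"
    "Call-ID: sub-77@cpe-1234\r\n"
    "CSeq: 1 SUBSCRIBE\r\n"
    "Expires: 3600\r\n\r\n"
)


def notify(from_tag="srv9", to_tag="cpe1", call_id="sub-77@cpe-1234",
           url="https://prov.example.com/cpe-1234/config"):
    return (
        "NOTIFY sip:cpe-1234@10.0.0.20 SIP/2.0\r\n"
        "From: <sip:prov@example.com>;tag=%s\r\n"
        "To: <sip:cpe-1234@example.com>;tag=%s\r\n"
        "Call-ID: %s\r\n"
        "CSeq: 5 NOTIFY\r\n"
        "Event: provisioning\r\n"
        "Subscription-State: active;expires=3500\r\n"
        "Content-Type: text/plain\r\n"
        "Content-Length: %d\r\n\r\n%s" % (from_tag, to_tag, call_id, len(url), url)
    )
```

The dialog match is what distinguishes a NOTIFY from the server the device subscribed to from one injected by anyone who can reach the device’s SIP port; it is only as strong as the transport that carried the SUBSCRIBE and its 200 OK, which is why that exchange belongs on TLS.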
- Support auto-provisioning of SIP enabled devices
- Reduce maintenance and provisioning costs for CPE
SIP Application in IP Multimedia Subsystem (IMS)
SIP is used as the signaling protocol for establishing and controlling a session in the IP Multimedia Subsystem (IMS). SIP in IMS must provide mobile users with secure and efficient multimedia services regardless of location. IMS services are expected to provide a certain level of QoS, and when a session is established for IMS, resource reservation also specifies the desired QoS level. SIP components have the added capability to communicate with and control the physical infrastructure.
For mobile users, access to multiple service providers can occur during a single phone call as they travel. This requires cooperation and tracking for billing and maintaining QoS levels between different providers. Thus, IMS distinguishes service between home and foreign providers. The home service is the primary contractual provider with mutual arrangements for roaming with foreign service providers to supply satisfactory IMS services in accordance with a customer’s terms of service.
SIP provides for authentication between a user and a network using HTTP Digest and TLS. In addition, IMS establishes trust between the user and the network. Plain SIP allows a user to initiate a call session prior to registration, whereas IMS requires the user to register before initiating a session so that subsequent activity is authenticated. Since IMS requires efficient use of resources, it uses signaling compression (SigComp) to significantly reduce the size of SIP messages transmitted over the network. In addition, IMS supports centralized call session control to manage and monitor user account status and other activities such as device state and registration with a network.
Discovery of Secure Devices on a Network
Secure devices may be isolated in classified enclaves or network domains and need to discover other similarly isolated devices to exchange information. SIP is a signaling protocol used for establishing sessions in an IP network and does not know session details. It simply initiates, terminates, and modifies sessions. A SIP user agent (UA) can communicate with proxy, registration, and redirection servers to register and authenticate a device URI, learn the location of other services and devices, as well as be notified of events that pertain to them. A SIP UA communicates through one or more proxy servers to discover the location of another UA to setup a connection between the two endpoints.
These same methods can also enable secure devices to establish a session and connect with each other as needed. The SIP Instant Messaging and Presence Leveraging Extensions (SIMPLE) along with the SIP methods REGISTER, SUBSCRIBE, NOTIFY, INVITE, and MESSAGE are well suited to establishing sessions and exchanging information between UAs for secure devices. REGISTER allows a UA to register its URI for discovery by another UA or proxy; INVITE enables one UA to initiate a session with another UA; SUBSCRIBE and NOTIFY allow a UA to learn about events pertaining to itself; and MESSAGE permits one UA to send an instant message (IM) to another.
Because of security requirements, secure SIP (SIPS over TLS), Secure RTP (SRTP), and S/MIME may be used, as appropriate, to ensure that no sensitive information is inadvertently released or intercepted by a malicious user during the discovery process and while establishing a session. Once the connection is established, only device-encrypted data is exchanged, at the security level required.
Securing SIP Sessions
The Session Initiation Protocol has vulnerabilities that could enable an attacker to intercept and redirect messages for other purposes. SIP is an application layer protocol designed to establish and tear down multimedia sessions between two or more users. As such SIP provides for session location, setup, ongoing management, and termination. It is typically used for VoIP but can also support teleconferencing.
Because proxy servers need to read and modify SIP message headers, ensuring end-to-end security is challenging when transmitting messages over multiple hops. SIP has security provisions including TLS, the secure SIP (SIPS) URI, and HTTP Digest authentication over TLS, and the end clients may negotiate additional security measures to prevent man-in-the-middle attacks. Common attacks on SIP signaling include:
- Redirection where an attacker intercepts a registration request and redirects a user agent and possibly other invitees to an alternate registration server.
- Impersonation where a malicious user falsely represents itself as a server or another user agent.
- Denial of Service where an attacker floods a single IP address with messages to overload the recipient.
- Termination where an attacker intercepts an INVITE request, transmits a forged BYE message to remove a user agent from the session, and assumes the user’s place.
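Detection logic for three of the attacks listed above, as an added example that is not VOCAL’s code: run over a constructed signaling log, it flags a contact rebound to a new source shortly after the last REGISTER (redirection), a BYE from an address that was not a party to the dialog (termination), and a burst of REGISTERs from one source (denial of service). The log format, the window and the flood threshold are assumptions for illustration, not a product feature.

```python
from collections import defaultdict

# Added example, not VOCAL's code: log heuristics for three of the attacks listed
# above, run over a constructed signaling log.  Each line is
#   time  source_ip  method_or_status  Call-ID  From_AoR  Contact_or_dash
# The window and the flood threshold are assumptions for illustration.
LOG = """\
0 10.0.0.5 REGISTER r1 sip:alice@example.com sip:alice@10.0.0.5
1 10.0.0.5 INVITE c1 sip:alice@example.com -
1 10.0.0.9 200 c1 sip:bob@example.com -
2 203.0.113.7 REGISTER r2 sip:alice@example.com sip:alice@203.0.113.7
3 203.0.113.7 BYE c1 sip:alice@example.com -
5 198.51.100.2 REGISTER f1 sip:u1@example.com sip:u1@198.51.100.2
5 198.51.100.2 REGISTER f2 sip:u2@example.com sip:u2@198.51.100.2
6 198.51.100.2 REGISTER f3 sip:u3@example.com sip:u3@198.51.100.2
6 198.51.100.2 REGISTER f4 sip:u4@example.com sip:u4@198.51.100.2
7 198.51.100.2 REGISTER f5 sip:u5@example.com sip:u5@198.51.100.2
9 10.0.0.9 BYE c1 sip:bob@example.com -
"""


def analyze(log, window=10, flood_threshold=5):
    """Return a list of (alert, subject, source_ip, time) tuples in log order."""
    alerts = []
    bindings = {}                  # AoR -> (source IP of last REGISTER, time)
    parties = defaultdict(set)     # Call-ID -> source IPs that sent the INVITE or its 200
    reg_times = defaultdict(list)  # source IP -> REGISTER times inside the window
    flooding = set()               # sources already reported, so one alert per flood
    for line in log.strip().splitlines():
        t, src, method, call_id, aor, _contact = line.split()
        t = int(t)
        if method == "REGISTER":
            # Denial of service: many REGISTERs from one source inside the window.
            reg_times[src] = [x for x in reg_times[src] if t - x < window] + [t]
            if len(reg_times[src]) >= flood_threshold and src not in flooding:
                flooding.add(src)
                alerts.append(("register_flood", src, src, t))
            # Redirection: an AoR rebound from a different source shortly after its last REGISTER.
            prev = bindings.get(aor)
            if prev and prev[0] != src and t - prev[1] < window:
                alerts.append(("contact_rebind", aor, src, t))
            bindings[aor] = (src, t)
        elif method in ("INVITE", "200"):
            parties[call_id].add(src)
        elif method == "BYE":
            # Termination: a BYE from an address that is not a party to the dialog.
            if call_id in parties and src not in parties[call_id]:
                alerts.append(("forged_bye", call_id, src, t))
    return alerts
```

Each heuristic has benign triggers (a phone that genuinely re-registers from a new network, a BYE sent by a B2BUA on a party’s behalf, a PBX that registers many accounts at boot), so these are review signals rather than block rules, and they detect only what Digest authentication and TLS on the signaling path would have prevented in the first place.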
- Protect user sessions from malicious attacks
- Prevent unauthorized access to private communications
Information Assurance and End-to-End Data Security
In recent incidents involving disclosure of classified material, the information was collected by an insider who had the appropriate clearance level to view documents but not necessarily access approval or need-to-know. Once inside a secured enclave, an individual with malicious intent can access, with few exceptions, any and all information desired. When classified information is transmitted between computer systems, end-to-end security is paramount, but security does not end there. For data stored on a hard drive (data at rest), individual files are typically not encrypted; the access controls systems apply to directories and files are coarse-grained relative to need-to-know, and manual procedures are not reliable.
Information assurance relies on network security (OSI layer 3), physical security (layer 1), and the actions of cleared individuals to prevent information theft or accidental disclosure. However data must be secured not only in transit but also while it is stored. Applications that enforce a need-to-know policy to ensure only authorized access to classified information at the application level (layer 7) while stored on a computer or mobile device, add another layer of defense to overall system security.
Existing standards already provide security for data in transit. Voice over IP (VoIP) using secure SIP with the Secure Real-Time Transport Protocol (SRTP) can be used to secure data at the application level, thus protecting not only the infrastructure but the content as well. User Agents that support TLS and SRTP protect signaling and voice data while in transit. The User Agent can also access the encrypted file when stored. Intercepted or lost data is encrypted and cannot be compromised without the key.
- Develop applications for communications and mobile devices
- Satisfy customer security requirements
- Application and enforcement of security policy at the file level