Introduction to SIP
Patrick Ferriter
Vice President of Product Marketing
SIP History
Internet Engineering Task Force (IETF) protocol
Inventors: M. Handley, H. Schulzrinne, E. Schooler, and J. Rosenberg
Became a Proposed Standard as RFC 2543 in March 1999
SIPPING (applications) and SIMPLE (presence and instant messaging) working groups build on SIP
SIP is now specified in RFC 3261 (June 2002), which obsoletes RFC 2543
SIP Properties, 1
Web Integrated
SIP is a close relative of HTTP 1.1:
Similar spec outline
URIs and URLs
Error messages
Similar parser
Adapted for session initiation
Makes real time, interactive communications just another web feature
SIP Properties, 2
State Aware
Periodically refreshed state:
Robust against system crashes
Less state in the center, more state in the periphery
State in client and server
Types of state:
Transaction state
Dialogue state
SIP Properties, 3
Transport Independent
SIP is transport neutral
UDP is most popular today
simple, quick, efficient
TCP can be used for more persistent connections
TLS on top of TCP for hop-by-hop security
SIP Properties, 4
SIP Authentication
Challenge/response based on a shared secret: SIP Digest
Mechanism also used by HTTP (RFC 2617)
Used to authenticate client devices
SIP Properties, 5
Privacy and security
SIP message bodies (and tunnelled copies of headers) can be encrypted end to end with S/MIME
S/MIME (Secure/Multipurpose Internet Mail Extensions)
Defined in RFC 2633
Hop-by-hop protection of the signaling itself comes from TLS, not from S/MIME
SIP Properties, 6
SIP can carry an encryption key for media in SDP (the k= line)
Session Description Protocol (SDP)
Defined in RFC 2327 (since obsoleted by RFC 4566, which deprecates the k= line)
A key carried this way is only as secret as the signaling path that carries it
SDP Properties
Defined in RFC 2327
Is used to describe a media session
Carried as a message body in SIP messages
Is a text-based protocol
Uses RTP/AVP profiles for common media types
E.g. RFC 3551, RTP Profile for Audio and Video Conferences with Minimal Control
SDP Structure
v=0
o=Tesla 289084 289041 IN IP4 lab.high-voltage.org
s=
c=IN IP4 100.101.102.103
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000

v = Version number (ignored by SIP)
o = Origin (only the 3rd field, the session version, is used by SIP, to detect a changed description)
s = Subject (ignored by SIP)
c = Connection Data (IN = Internet, IP4 = IPv4, IP address)
t = Time (ignored by SIP)
m = Media (type, port, RTP/AVP profile, payload types)
a = Attribute (payload type, codec, sampling rate)
Specifies the IP address and port that this device would like to use to RECEIVE media
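Added example, not part of the original deck: a parser for exactly the SDP lines above that pulls out what SIP acts on (the o= session version, the c= receive address, the m= port and payload types, the a=rtpmap codec names) and flags a receive address in one of the RFC 1918 private ranges, which is the symptom the NAT slides later in this deck describe. The sample SDP is the slide's Tesla description, constructed inline; the helper names are this example's own.

```python
import ipaddress

# Constructed sample: the "Tesla" session description from the slide,
# with the empty s= line kept as shown there.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=Tesla 289084 289041 IN IP4 lab.high-voltage.org\r\n"
    "s=\r\n"
    "c=IN IP4 100.101.102.103\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# The RFC 1918 ranges; a receive address from one of these inside SDP is the
# classic sign of a phone behind a NAT that did not rewrite its SDP.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_sdp(text):
    """Parse the fields SIP acts on: o= (session version), c=, m= and a=rtpmap."""
    session = {"version": None, "origin": None, "connection": None, "media": []}
    current = None  # the m= block that following c=/a= lines belong to
    for raw in text.splitlines():
        if not raw:
            continue
        if len(raw) < 2 or raw[1] != "=":
            raise ValueError("malformed SDP line: %r" % raw)
        key, value = raw[0], raw[2:]
        if key == "v":
            session["version"] = int(value)
        elif key == "o":
            user, sess_id, sess_ver, nettype, addrtype, addr = value.split()
            session["origin"] = {"user": user, "id": sess_id,
                                 "version": int(sess_ver), "address": addr}
        elif key == "c":
            nettype, addrtype, addr = value.split()
            if nettype != "IN" or addrtype not in ("IP4", "IP6"):
                raise ValueError("unsupported connection data: %r" % value)
            target = current if current is not None else session
            target["connection"] = ipaddress.ip_address(addr)
        elif key == "m":
            mtype, port, proto, *fmts = value.split()
            current = {"type": mtype, "port": int(port), "proto": proto,
                       "formats": fmts, "rtpmap": {}, "connection": None}
            session["media"].append(current)
        elif key == "a" and value.startswith("rtpmap:") and current is not None:
            pt, codec = value[len("rtpmap:"):].split(None, 1)
            current["rtpmap"][pt] = codec
        # s=, t= and other attributes carry nothing SIP routes on; skipped.
    if session["connection"] is None and any(m["connection"] is None for m in session["media"]):
        raise ValueError("no c= line covers every m= line")
    return session


def receive_endpoints(session):
    """One (address, port, codecs, private_address) tuple per m= line.

    A media-level c= overrides the session-level one. This is where the party
    wants to RECEIVE media, which is why a private address here breaks calls
    across a NAT.
    """
    out = []
    for m in session["media"]:
        addr = m["connection"] or session["connection"]
        codecs = [m["rtpmap"].get(pt, "PT%s" % pt) for pt in m["formats"]]
        out.append((str(addr), m["port"], codecs, is_rfc1918(addr)))
    return out
```

The private-address flag is a useful pre-flight check on an offer leaving a phone: if it fires and the phone is not on the same LAN as its peer, the call will set up but carry no media.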
SIP Addressing
SIP uses SIP URIs (RFC 2543 called them SIP URLs, Uniform Resource Locators)
Can look like an email address or contain a phone number:
sip:John@doe.com
sip:+14085551212@company.com
INVITE/ACK/BYE/CANCEL/UPDATE
Creates, negotiates and tears down a call (dialogue)
MESSAGE
Sends an instant message (pager mode, RFC 3428); it does not itself create a dialogue or session
SUBSCRIBE
Subscribe to a service (like message waiting indication)
NOTIFY
Notify a change in service state (new Voicemail)
The SIP UPDATE method is the proposed replacement for this technique
SIP Responses, 1
SIP requests generate responses with codes borrowed from HTTP
Classes:
1xx Informational (provisional)
2xx Success (2xx through 6xx are all final responses)
3xx Redirection
4xx Client Error
5xx Server Error
6xx Global Failure
SIP Responses, 2
1xx-3xx
100 Trying                   Request received and action is being taken
180 Ringing                  UA received INVITE and is alerting the user
181 Call Is Being Forwarded  Used by a proxy to indicate the call is being forwarded
182 Queued                   Called party unavailable, call queued
183 Session Progress         Used in early media and QoS setup
200 OK                       Request successful
300 Multiple Choices         Address resolved to several choices
301 Moved Permanently        User can no longer be found at the Request-URI address
302 Moved Temporarily        Temporarily cannot find the user at the Request-URI address
305 Use Proxy                Resource MUST be accessed through a proxy
380 Alternative Service      Call not successful; alternatives possible
SIP Responses, 3
4xx
400 Bad Request                      Request not understood due to malformed syntax
401 Unauthorized                     Request requires user authentication
402 Payment Required                 Reserved for future use
403 Forbidden                        UAS understood the request and refuses to fulfill it
404 Not Found                        UAS finds that the user doesn't exist in the domain
405 Method Not Allowed               Method is understood but not allowed
406 Not Acceptable                   Response content not allowed by the Accept header
407 Proxy Authentication Required    Client must first authenticate itself with the proxy
408 Request Timeout                  UAS could not produce a response in time
410 Gone                             UAS resource unavailable; no forwarding address
413 Request Entity Too Large         Request contains a body longer than the UAS accepts
414 Request-URI Too Long             Request-URI longer than the server is willing to interpret
415 Unsupported Media Type           Format of the body not supported by the UAS
416 Unsupported URI Scheme           Scheme of the URI unknown to the server
420 Bad Extension                    UAS does not understand a protocol extension
421 Extension Required               UAS needs a particular extension to process the request
423 Interval Too Brief               Contact header field expiration time too small
480 Temporarily Unavailable          UAS contacted successfully but user unavailable
481 Call/Transaction Does Not Exist  UAS received a request not matching any existing dialogue
482 Loop Detected                    UAS has detected a loop
483 Too Many Hops                    UAS received a request containing Max-Forwards=0
484 Address Incomplete               UAS received a request with an incomplete Request-URI
485 Ambiguous                        The Request-URI was ambiguous
486 Busy Here                        UAS contacted successfully but user busy
487 Request Terminated               Request terminated by a BYE or CANCEL request
488 Not Acceptable Here              Same as 606 but only applies to the addressed entity
491 Request Pending                  UAS received a request while it has a pending request for the same dialogue
493 Undecipherable                   UAS received a request with an encrypted MIME body and does not have the decryption key
SIP Responses, 4
5xx-6xx
500 Server Internal Error      UAS hit an unexpected condition and cannot fulfill the request
501 Not Implemented            UAS does not support the functionality to fulfill the request
502 Bad Gateway                UAS received an invalid response from a downstream server
503 Service Unavailable        UAS can't process due to overload or maintenance
504 Server Time-out            UAS did not receive a response from an external server
505 Version Not Supported      UAS does not support the SIP version in the request
513 Message Too Large          Message length exceeded UAS capabilities
600 Busy Everywhere            End systems contacted, user busy at all of them
603 Decline                    End systems contacted, user explicitly declined
604 Does Not Exist Anywhere    UAS has information that the Request-URI user does not exist
606 Not Acceptable             Some aspects of the Session Description not acceptable
Headers
Extensible flags
From: and To: URLs
From: John Smith <sip:jsmith@zultys.com>
To: Tony Warhurst <sip:twarhurst@beerdrinkers.org>
Contact: URL
Contact: Jane Doe <sip:jdoe@192.168.1.100>
Via: URL
Via: SIP/2.0/UDP 192.168.1.100:5060
Call-ID:
Unique tag for this dialogue
CSeq:
Sequence number plus method; orders the requests sent within the dialogue
SIP Headers, 1
SIP requests and responses contain headers (similar to email headers)
Required headers:
To, From, Via, Call-ID, CSeq, Max-Forwards
Optional headers:
Subject, Date, Authentication (and many others)
SIP Headers, 2
Required (mandatory) header descriptions
To            Specifies the logical recipient of the request. Has optional "display-name" for human UI.
From          Indicates the initiator of the request. Has optional "display-name" for human UI.
Via           Indicates the path taken by the request so far (also the path responses follow back)
Call-ID       Uniquely identifies a particular invitation or all registrations of a particular client
CSeq          Contains a single decimal sequence number and the request method (orders requests)
Max-Forwards  Limits the number of proxies that can forward the request to the next downstream server
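Added example, not from the original deck: a minimal request parser that does what a proxy must do before routing, using the six mandatory headers in the table above. It expands the compact header forms, checks that every mandatory header is present (400 Bad Request otherwise), checks that CSeq agrees with the request line, and applies the Max-Forwards rule (483 Too Many Hops when it reaches zero, otherwise decrement before forwarding). The INVITE is constructed from the deck's own addresses; the branch and tag values are made up for the example.

```python
MANDATORY = ("To", "From", "Via", "Call-ID", "CSeq", "Max-Forwards")
# Compact header names (RFC 3261 7.3.3) that a parser must treat as equivalent.
COMPACT = {"t": "To", "f": "From", "v": "Via", "i": "Call-ID", "m": "Contact",
           "l": "Content-Length", "c": "Content-Type", "k": "Supported", "s": "Subject"}
CANON = {h.lower(): h for h in MANDATORY + tuple(COMPACT.values()) + ("Record-Route", "Route")}

# Constructed INVITE built from the deck's example addresses (branch/tag made up).
SAMPLE_INVITE = (
    "INVITE sip:twarhurst@beerdrinkers.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.100:5060;branch=z9hG4bK74bf9\r\n"
    "Max-Forwards: 70\r\n"
    "To: Tony Warhurst <sip:twarhurst@beerdrinkers.org>\r\n"
    "From: John Smith <sip:jsmith@zultys.com>;tag=9fxced76sl\r\n"
    "Call-ID: 3848276298220188511@192.168.1.100\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:jsmith@192.168.1.100>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a SIP request into (method, request_uri, headers, body).

    Header names are case-insensitive and compact forms are expanded. Every
    header is stored as a list because Via and Record-Route may repeat.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("bad request line: %r" % lines[0])
    method, request_uri, _ = parts
    headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last is not None:   # folded continuation line
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line: %r" % line)
        key = name.strip().lower()
        canon = COMPACT.get(key) or CANON.get(key, name.strip())
        headers.setdefault(canon, []).append(value.strip())
        last = canon
    return method, request_uri, headers, body


def proxy_check(raw):
    """What a proxy decides for an incoming request.

    Returns (status, reason) for a response it must send back, or
    (None, new_max_forwards) when the request may be forwarded.
    """
    method, _, headers, _ = parse_request(raw)
    missing = [h for h in MANDATORY if h not in headers]
    if missing:
        return 400, "Bad Request: missing " + ", ".join(missing)
    seq, _, cseq_method = headers["CSeq"][0].partition(" ")
    if not seq.isdigit() or cseq_method.strip() != method:
        return 400, "Bad Request: CSeq does not match the request line"
    if not headers["Via"][0].startswith("SIP/2.0/"):
        return 400, "Bad Request: malformed Via"
    try:
        hops = int(headers["Max-Forwards"][0])
    except ValueError:
        return 400, "Bad Request: Max-Forwards is not a number"
    if hops <= 0:
        return 483, "Too Many Hops"        # the loop-limit rule behind response 483
    return None, hops - 1                  # forward with the decremented value
```

Validating before routing matters because a proxy that forwards a malformed or hop-exhausted request only spreads the problem downstream; Max-Forwards is the only thing that bounds a routing loop between misconfigured proxies.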
SIP UAS
Component of a UA that receives requests and responds to them
Example: a UAS receives a call request and rings the phone
Zultys provides a B2BUA that also has elements of the SIP Proxy and Registrar
SIP Registrar, 1
SIP server that can receive and process REGISTER requests
A user has an account created which allows them to REGISTER contacts with a particular server
The account specifies a SIP Address of Record (AOR)
SIP Registrar, 2
SIP Registrars store the location of SIP endpoints
Each SIP endpoint REGISTERs with a Registrar using its Address of Record and Contact address
The Address of Record for John Smith is carried in the To: header of the REGISTER (From: normally carries the same URI)
SIP Registrar, 3
SIP Proxies query SIP Registrars for routing information
Incoming calls addressed to sip:jsmith@zultys.com
are now routed by the Proxy to the Contact: header URL sip:jsmith@192.168.1.100
SIP Registrars typically hold the list of devices registered for a particular domain
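Added example, not from the deck and not Zultys code: the binding table behind the three Registrar slides. REGISTER maps an Address of Record to one or more Contact URIs with an expiry; the proxy's lookup returns only the live ones. It also shows the two checks a registrar makes on the way in: the request must be for a domain it serves, and an expiry shorter than the server's minimum is refused with 423 and a Min-Expires value. Digest authentication of the REGISTER (covered later in the deck) is assumed to have already happened. The clock is injectable so the expiry behaviour can be exercised; the names and addresses are the deck's.

```python
import time

MIN_EXPIRES = 60          # shorter than this gets 423 (RFC 3261 10.3, step 7)
DEFAULT_EXPIRES = 3600    # used when neither Contact ;expires nor an Expires header is given


def _domain_of(uri):
    """'sip:user@host:port;params' -> 'host' (lower-cased)."""
    hostport = uri.split("@", 1)[-1].split(";", 1)[0]
    return hostport.split(":", 1)[0].lower()


class Registrar:
    """Location service for one domain: AOR -> {contact URI: absolute expiry time}."""

    def __init__(self, domain, clock=time.time):
        self.domain = domain.lower()
        self.clock = clock          # injectable so expiry can be tested deterministically
        self.bindings = {}

    def register(self, aor, contacts, expires_header=None):
        """Process an (already authenticated) REGISTER.

        aor       -- the To header URI, e.g. "sip:jsmith@zultys.com"
        contacts  -- list of (contact URI, per-contact expires or None); the
                     single entry ("*", None) with Expires: 0 removes everything
        Returns (status, detail): the live bindings on 200, Min-Expires on 423.
        """
        if _domain_of(aor) != self.domain:
            return 404, "Not Found"            # not a domain this registrar serves
        now = self.clock()
        fallback = DEFAULT_EXPIRES if expires_header is None else expires_header
        plan = []
        for uri, exp in contacts:
            ttl = fallback if exp is None else exp
            if uri == "*":
                if ttl != 0 or len(contacts) != 1:
                    return 400, "Bad Request"  # '*' is only legal alone, with Expires: 0
            elif 0 < ttl < MIN_EXPIRES:
                return 423, MIN_EXPIRES        # refuse before touching any binding
            plan.append((uri, ttl))
        table = self.bindings.setdefault(aor, {})
        for uri, ttl in plan:
            if uri == "*":
                table.clear()
            elif ttl == 0:
                table.pop(uri, None)           # explicit de-registration of one contact
            else:
                table[uri] = now + ttl
        return 200, self.lookup(aor)

    def lookup(self, aor):
        """What a proxy asks for: live contacts as [(uri, seconds remaining)]."""
        now = self.clock()
        table = self.bindings.get(aor, {})
        for uri in [u for u, t in table.items() if t <= now]:
            del table[uri]                     # lazily drop bindings that have expired
        return sorted((uri, int(t - now)) for uri, t in table.items())
```

The domain check is the registrar-side defence against a phone registering a foreign AOR; the Min-Expires check keeps clients from forcing the registrar into a refresh storm.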
Proxy Server
SIP Proxy servers route SIP messages
Stateless proxies keep no transaction state: each request is routed and forgotten
Low proxy overhead; nothing is kept per call
Stateful proxies keep a transaction (or dialogue) state machine for every request they forward
Higher proxy overhead: state must be created, maintained and torn down for the duration of the transaction or session, in return for forking, retransmission handling and loop control
Transport is a separate choice: either kind of proxy can talk UDP or TCP to endpoints
Stateless Proxy
Forwards every request downstream
Forwards every response upstream
Keeps no state; does not have any notion of a transaction
Stateful Proxy
Maintains state information for the duration of either the:
Transaction (request): transaction stateful
Dialogue (call): call stateful
Simple Provisioning
(Diagram: presence NOTIFY from the PRESENTITY to the WATCHER; below, the 200 OK a UA returns to a MESSAGE request)
SIP/2.0 200 OK
Via: SIP/2.0/UDP user2pc.domain.com
To: sip:user1@domain.com
From: sip:user2@domain.com;tag=ab8asdasd9
Call-ID: asd88asd77a@1.2.3.4
CSeq: 1 MESSAGE
Content-Length: 0
Ad Hoc Conferencing
SIP enables ad-hoc conferencing of any media
audio
video
white board (T.120)
chat
media or applications yet to be defined (extensible)
Ad Hoc Conferencing
(Diagram: ad hoc audio conference)
Record-Route
Proxies insert Record-Route headers
When they want to stay in the signaling path for later requests in the dialogue (re-INVITE, BYE); responses already retrace the Via path
Used by carriers to keep track of calls
(Diagram: Proxy 1 and Proxy 2 between caller and callee)
INVITE as sent by the caller:
INVITE sip:callee@domain.com SIP/2.0
Contact: sip:caller@u1.example.com
INVITE as forwarded by Proxy 1:
INVITE sip:callee@domain.com SIP/2.0
Contact: sip:caller@u1.example.com
Record-Route: <sip:p1.example.com;lr>
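Added example, not from the deck: what happens to the Record-Route header after the INVITE above crosses Proxy 1 and Proxy 2, and how each side turns it into a route set for later requests (RFC 3261 section 12.1: the callee keeps the order it received, the caller reverses the order found in the 2xx). It then builds a BYE from the caller and walks it back through both proxies, each stripping its own Route entry. Only loose routing (;lr, as on the slide) is handled; the proxy and user names are the deck's, the callee's Contact is made up.

```python
def proxy_record_route(request, proxy_uri):
    """A proxy that wants to stay in the path for later requests pushes its own
    loose-routing URI on top of Record-Route before forwarding (RFC 3261 16.6)."""
    fwd = dict(request)
    fwd["Record-Route"] = ["<%s;lr>" % proxy_uri] + list(request.get("Record-Route", []))
    return fwd


def uas_route_set(request):
    """Callee side: Record-Route values of the INVITE, in the order received (12.1.1)."""
    return list(request.get("Record-Route", []))


def uac_route_set(response):
    """Caller side: Record-Route values of the 2xx, in reverse order (12.1.2)."""
    return list(reversed(response.get("Record-Route", [])))


def in_dialog_request(method, remote_target, route_set):
    """Build a later request (BYE, re-INVITE) inside the dialogue.

    Loose routing only: the Request-URI stays the remote target (the peer's
    Contact) and the route set becomes the Route header. A strict-routing proxy
    (no ;lr) would instead require moving the first route into the Request-URI.
    """
    if any(";lr" not in r for r in route_set):
        raise ValueError("strict-routing proxy in route set; not handled here")
    request = {"Method": method, "Request-URI": remote_target}
    if route_set:
        request["Route"] = list(route_set)
    return request


def proxy_process_route(request, proxy_uri):
    """A loose-routing proxy receiving an in-dialog request (RFC 3261 16.4):
    remove its own URI from the top of Route; the next hop is then the new top
    Route value, or the Request-URI once no Route is left."""
    routes = list(request.get("Route", []))
    if routes and routes[0] == "<%s;lr>" % proxy_uri:
        routes.pop(0)
    fwd = dict(request)
    if routes:
        fwd["Route"] = routes
    else:
        fwd.pop("Route", None)
    return fwd, (routes[0] if routes else request["Request-URI"])


# Constructed trace: the caller's INVITE as it crosses Proxy 1 and then Proxy 2.
CALLER = "sip:caller@u1.example.com"
CALLEE = "sip:callee@u2.example.com"          # made-up Contact for the callee
INVITE_FROM_CALLER = {"Method": "INVITE", "Request-URI": "sip:callee@domain.com",
                      "Contact": [CALLER]}
INVITE_AT_P1 = proxy_record_route(INVITE_FROM_CALLER, "sip:p1.example.com")
INVITE_AT_CALLEE = proxy_record_route(INVITE_AT_P1, "sip:p2.example.com")
# The callee copies Record-Route into its 200 OK and adds its own Contact.
OK_FROM_CALLEE = {"Record-Route": INVITE_AT_CALLEE["Record-Route"], "Contact": [CALLEE]}
```

The reversal is the part that is easy to get wrong: both ends must arrive at the same physical path, so the caller's route set is the mirror image of the callee's.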
Mobility, 1
Covered under the SIP-based 3GPP proposal
SIP with minor extensions to better work with low-bandwidth, high-latency wireless networks
SIP compression specifications (SigComp, RFC 3320)
Additional codecs used like GSM
Mobility, 2
Move your SIP phone anywhere in the network
No additional administrative work: the phone simply REGISTERs its new Contact address
Find Me Follow Me
Allows users to define
Who can reach them
Where they can be reached
When they can be reached
How calls are routed: unconditionally, or based on a caller receiving no answer or a busy signal
Here I Am
Find me & follow me based on predefined rules
Unified Messaging
Not actually a part of SIP, but easy to implement in concert with SIP
Can be as simple as
emailing all incoming faxes and voice mail
Can be as complex as
sending instant messages with speech-to-text encoding
paging the user when someone's presence indicates they're accessible
Digest Authentication
SIP uses standard HTTP Digest Authentication with minor revisions
Simple challenge/response scheme:
REGISTER                                   ->
                                           <- 401 Unauthorized (WWW-Authenticate: realm + nonce)
REGISTER + Authorization: MD5 digest       ->
   of username, realm, password, nonce, method and Request-URI
                                           <- 200 OK
A registrar challenges with 401; a proxy challenges with 407 Proxy Authentication Required
Password is never sent in the clear, just the MD5 digest computed over the password, the server's nonce and the request
A fresh nonce per challenge (and the nonce-count with qop=auth) stops replay of an old Authorization header
What Digest does not do: it does not authenticate the server to the client, it does not protect the rest of the message, and an eavesdropper who captures one exchange can run an offline dictionary attack on the password
A man-in-the-middle on the signaling path can simply relay the challenge and response; source IP addresses give no protection against that, so Digest should run over TLS
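Added example, not from the deck: both halves of the exchange above. The registrar issues a 401 with a random nonce, the client answers with the RFC 2617/7616 digest for qop=auth (H(HA1:nonce:nc:cnonce:qop:HA2)), and the registrar verifies it from a stored HA1 rather than the password, rejects a reused nonce count, and compares in constant time. MD5 is the deck's algorithm; SHA-256 (RFC 8760) is selectable the same way. The realm, user and password are made up for the example.

```python
import hashlib
import hmac
import re
import secrets

ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}   # SHA-256 per RFC 8760


def _h(algorithm, text):
    return ALGORITHMS[algorithm](text.encode()).hexdigest()


def ha1(username, realm, password, algorithm="MD5"):
    """H(username:realm:password). A server can store only this, never the password."""
    return _h(algorithm, "%s:%s:%s" % (username, realm, password))


def digest_response(h1, method, uri, nonce, cnonce, nc, algorithm="MD5"):
    """The 'response' value for qop=auth: H(HA1 : nonce : nc : cnonce : auth : H(method:uri))."""
    h2 = _h(algorithm, "%s:%s" % (method, uri))
    return _h(algorithm, "%s:%s:%s:%s:auth:%s" % (h1, nonce, nc, cnonce, h2))


def parse_digest_params(header):
    """'Digest realm="x", nonce="y", qop="auth", algorithm=MD5' -> dict."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest challenge: %r" % header)
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'([\w-]+)=(?:"([^"]*)"|([^,\s]+))', rest)}


class DigestRegistrar:
    """Server side: challenge with 401, then check the Authorization reply."""

    def __init__(self, realm, ha1_by_user, algorithm="MD5"):
        self.realm, self.algorithm = realm, algorithm
        self.ha1_by_user = ha1_by_user          # username -> stored HA1
        self.nonces = {}                        # nonce -> highest nc accepted

    def challenge(self):
        nonce = secrets.token_hex(16)           # unpredictable, one per challenge
        self.nonces[nonce] = 0
        return 401, {"WWW-Authenticate": 'Digest realm="%s", nonce="%s", qop="auth", algorithm=%s'
                     % (self.realm, nonce, self.algorithm)}

    def verify(self, method, creds):
        """creds: the Authorization parameters. 200 on success, else 401 (re-challenge)."""
        if creds.get("realm") != self.realm or creds.get("nonce") not in self.nonces:
            return 401, "stale or foreign nonce"
        try:
            nc = int(creds.get("nc", ""), 16)
        except ValueError:
            return 401, "bad nc"
        if nc <= self.nonces[creds["nonce"]]:
            return 401, "replayed nonce count"
        stored = self.ha1_by_user.get(creds.get("username"))
        if stored is None:
            return 401, "unknown user"
        expected = digest_response(stored, method, creds.get("uri", ""), creds["nonce"],
                                   creds.get("cnonce", ""), creds["nc"], self.algorithm)
        if not hmac.compare_digest(expected, creds.get("response", "")):
            return 401, "bad credentials"
        self.nonces[creds["nonce"]] = nc        # only advance after a valid response
        return 200, "OK"


def client_authorize(challenge_params, username, password, method, uri, nc=1):
    """UA side: turn the WWW-Authenticate parameters into Authorization parameters."""
    algorithm = challenge_params.get("algorithm", "MD5")
    cnonce, nc_hex = secrets.token_hex(8), "%08x" % nc
    h1 = ha1(username, challenge_params["realm"], password, algorithm)
    return {"username": username, "realm": challenge_params["realm"],
            "nonce": challenge_params["nonce"], "uri": uri, "qop": "auth",
            "cnonce": cnonce, "nc": nc_hex, "algorithm": algorithm,
            "response": digest_response(h1, method, uri, challenge_params["nonce"],
                                        cnonce, nc_hex, algorithm)}
```

Note what the verifier can and cannot check: it proves the client knew HA1 for this nonce, nothing more. Anyone who records the exchange has nonce, cnonce, nc, method and URI in the clear and can test password guesses offline against the response, which is why the registrar should sit behind TLS and why the password quality matters.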
Authorization
Required by many Internet Telephony Service Providers (ITSPs)
Service Provider supplies a username and password
SIP leverages Digest Authentication features to do this
NAT Basics, 1
Network Address Translator (NAT)
Defined in RFC 3022
Standard application: map the private IP address ranges (RFC 1918) to a public address
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
NAT Basics, 2
Problem: NATs modify IP addresses (Layer 3)
SIP/SDP are Layer 7 protocols; a plain NAT does not look inside them, so their contents are not rewritten
SIP Via:, From: and Contact: headers use non-routable private addresses
SDP states that the originator wishes to receive media at a non-routable private address
If the destination on the public Internet tries to send SIP or RTP traffic to those private addresses
Traffic will be dropped by the first router
NAT Basics, 3
Network Address Translator (NAT) - Packets Dropped
(Diagram: SIP INVITE from a phone at 192.168.1.1, through a NAT whose public address is 218.30.1.1, to 176.10.1.3)
Inside the NAT:  IP Source 192.168.1.1, Dest 176.10.1.3 | UDP | SIP | SDP
Outside the NAT: IP Source 218.30.1.1, Dest 176.10.1.3 | UDP | SIP | SDP
Only the IP header is rewritten; the SIP headers and the SDP still carry 192.168.1.1
NAT Traversal, 1
Solutions to NAT traversal
Application level gateway (ALG)
STUN
Universal Plug and Play (UPnP)
NAT Traversal, 2
Solutions to NAT Traversal (commonalities)
Rewrite all SIP/SDP source addresses
SIP Via:, From: and Contact: headers use the public NAT address
SDP addresses use the NAT public address
NAT Traversal, 3
Solutions to NAT Traversal (commonalities)
Use draft-ietf-sip-symmetric-response (now RFC 3581, the Via rport parameter)
Use symmetric SIP/RTP
Use the same UDP port number for incoming and outgoing packets
Hold ports open for the call duration
Send a UDP packet typically every 30 seconds to keep the NAT binding alive
SIP over UDP uses a 30 second re-INVITE, REGISTER or OPTIONS
RTP sends at a much higher frequency by default
NAPT
Network Address Port Translator (NAPT) - Packets Dropped
(Diagram: SIP INVITE from a phone at 192.168.1.1, through a NAPT whose public address is 218.30.1.1, to 176.10.1.3)
Inside the NAPT:  IP Source 192.168.1.1, Dest 176.10.1.3 | UDP | SIP | SDP
Outside the NAPT: IP Source 218.30.1.1, Dest 176.10.1.3 | UDP | SIP | SDP
The NAPT rewrites the IP source address and the UDP source port; SIP and SDP still carry the private address and port
NAT Traversal
Address rewrite + symmetric SIP/RTP
(Diagram: phone at 192.168.1.1 behind a NAT with public address 218.30.1.1 calling 176.10.1.3)
INVITE inside the NAT:  IP Source 192.168.1.1, Dest 176.10.1.3 | UDP | SIP | SDP
INVITE outside the NAT: IP Source 218.30.1.1, Dest 176.10.1.3 | UDP | SIP | SDP, with the SIP headers and SDP already rewritten to 218.30.1.1
180 Ringing, 200 OK: sent to 218.30.1.1 port 5060, the address and port the INVITE came from
ACK: from the phone to 176.10.1.3
RTP stream: phone sends to 176.10.1.3 port 5100; the far end sends back to 218.30.1.1 port 5100, the source of the phone's own RTP as seen through the NAT
NAPT Basics
Network Address Port Translator
Can map multiple private IP addresses and ports to one public IP address and a set of ports
NAPT Basics
Same problem as NATs, only worse
SIP Via:, From: and Contact: headers use non-routable private addresses AND a private UDP port number
SDP states that the originator wishes to receive RTP media at a non-routable private address AND a private port number
If the destination on the public Internet tries to send SIP or RTP traffic to those private addresses and ports
Traffic will be dropped by the first router
Even with the address rewritten, a reply sent to the private port does not match the NAPT mapping and is dropped by the NAPT
NAPT Traversal
NAPT passthru
(Diagram: phone at 192.168.1.1 behind a NAPT with public address 218.30.1.1 calling 176.10.1.3)
INVITE leaving the phone: IP Source 192.168.1.1, Dest 176.10.1.3 | UDP Source 5060, Dest 5060 | SIP | SDP
INVITE after the NAPT:    IP Source 218.30.1.1, Dest 176.10.1.3 | UDP Source 9999, Dest 5060 | SIP | SDP
INVITE sip:foo@218.2.3.4 SIP/2.0
Via: SIP/2.0/UDP 192.168.1.1;rport
180 Ringing, 200 OK: sent to 218.30.1.1 port 9999, the address and port the INVITE actually arrived from
SIP/2.0 180 Ringing
Via: SIP/2.0/UDP 192.168.1.1;received=218.30.1.1;rport=9999
ACK: from the phone
RTP stream: the far end sends to 218.30.1.1 port 5100, the source address and port of the phone's own RTP as seen through the NAPT
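Added example, not from the deck: the server-side rule that makes the rport exchange above work, covering both the symmetric-response item under "Solutions to NAT Traversal, 3" and the NAPT passthru diagram. RFC 3261 section 18.2.1 says a server adds received= when the Via host is not the source address of the packet; RFC 3581 adds that when the top Via carries an empty rport, the server fills it with the source port, always adds received=, and sends the response back to that source address and port rather than to whatever the Via claims. The function takes the top Via and the datagram's source and returns the Via to put in the response and the destination to send it to. The Via values are the deck's; the branch value in the third case is made up.

```python
def parse_via(via):
    """Split 'SIP/2.0/UDP host[:port];p1;p2=v' into (transport, host, port, params).

    IPv6 literals ([::1]:5060) are not handled; bracketed hosts fall through as
    host-only, which is acceptable for this demonstration.
    """
    sent_protocol, _, rest = via.partition(" ")
    sent_by, *raw_params = [p.strip() for p in rest.split(";")]
    if sent_by.count(":") == 1:
        host, _, port = sent_by.partition(":")
    else:
        host, port = sent_by, ""
    params = {}
    for p in raw_params:
        key, sep, value = p.partition("=")
        params[key] = value if sep else None      # a bare 'rport' has no value yet
    transport = sent_protocol.rsplit("/", 1)[-1]
    return transport, host, (int(port) if port else None), params


def format_via(transport, host, port, params):
    out = "SIP/2.0/%s %s" % (transport, host)
    if port is not None:
        out += ":%d" % port
    for key, value in params.items():
        out += ";%s" % key if value is None else ";%s=%s" % (key, value)
    return out


def server_receive(via, src_ip, src_port):
    """Apply RFC 3261 18.2.1 and RFC 3581 to the top Via of a request that
    arrived from (src_ip, src_port).

    Returns (Via value for the response, (ip, port) to send the response to).
    """
    transport, host, port, params = parse_via(via)
    if "rport" in params or host != src_ip:
        params["received"] = src_ip            # record where it really came from
    if "rport" in params:
        params["rport"] = str(src_port)        # client asked for symmetric response routing
        dest = (src_ip, src_port)              # back through the NAPT's own mapping
    else:
        dest = (params.get("received", host), port or 5060)   # RFC 3261 18.2.2 without rport
    return format_via(transport, host, port, params), dest
```

The second case in the test is the pre-rport behaviour and shows why NAPT breaks it: the response goes to the right public address but to port 5060, which the NAPT has no mapping for, so it is dropped.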
Firewall Basics, 1
Firewalls work by blocking services
Packets can typically leave
Only associated packets may return
Stateful packet inspection
TCP makes this easy (duration of connection)
UDP based on reply timeout
Packet filtering
Firewall Basics,2
Stateful Inspection
Pioneered by Check Point Software
Outgoing packets are bound to incoming packets at IP/Layer 3 to establish a virtual session between two endpoints, though Layer 4 and above are used to determine the binding
Bound incoming packets are allowed through, all others are dropped
STUN, 1
STUN (Simple Traversal of UDP through NATs, RFC 3489)
Allows applications to
Discover the presence and types of NATs and firewalls between them and the public Internet
Modify outgoing messages according to findings
STUN works with most NATs but falls apart when there is a
STUN, 2
STUN
Client on the IP phone uses the STUN protocol to communicate with a STUN server at the ISP
Learns its external IP address (and port) and uses that in the SDP
(Diagram: IAD behind a firewall/NAT/VPN box and a switch; STUN server on the Internet side)
UPnP, 2
UPnP
Supported by many firewall and NAT boxes
Phone communicates with the firewall/NAT box to learn its external IP address and open a port mapping
(Diagram: IAD behind a firewall/NAT/VPN box and a switch, Internet beyond)
Encryption
Encryption supported in standard SIP
RFC 3261 specifies S/MIME for protecting message bodies and recommends AES as the cipher
AES is also the default cipher for Secure RTP (SRTP, RFC 3711), which protects the media rather than the signaling
TLS (and the sips: URI scheme) protects the signaling itself hop by hop