Secure, Multi-Lateral Peering with Asterisk

morningbreadloaf | Networks and Communications

30 Oct 2013

Jim.Dalton@TransNexus.com

This presentation includes slide notes which provide additional detail. It also includes animation and is best viewed as a PowerPoint show.

Asterisk and the Asterisk logo are trademarks of Digium, Inc.

OSP Secured is a trademark of TransNexus, Inc.

Market Problem

[Diagram: an originating domain (IP phones and PC phones on an Ethernet switch behind a router) places a paid call ("£¥$ call") across the Internet or an IP network to a terminating domain and on to the PSTN, with a service-provider POP in the path. The open question, marked "?", is who provides routing, access control, accounting and settlement for the call.]

ENUM Peering

[Diagram: ITSPs A, B, C and D on an IP network, each doing a route look-up against an ENUM directory server and then sending the call directly to the peer; "$" marks where money changes hands.]

• Bill and keep: no settlement between the peers

Bilateral Peering with Settlement

[Diagram: ITSPs A through E on an IP network, each fronted by a session border controller (SBC). Interconnect access and billing occur at the border controllers, and "$" marks settlement between each pair of peers.]

• n*(n-1)/2 bilateral agreements are needed for n peers

Multi-lateral Peering

Certificate Authority and Settlement Clearinghouse

[Diagram: ITSPs A, B and C on an IP network. Each ITSP performs route look-up and authorization against a central OSP peering server; interconnect access and billing occur at the VoIP domains themselves, and each domain sends a CDR to the peering server, which handles settlement ("$").]

Benefits of secure, multi-lateral peering

• Efficient peer-to-peer communications eliminate signaling bottlenecks
• Access control is greatly simplified
  o IP access lists are eliminated
  o Asymmetric key management is simpler and more secure than shared secrets
• Eliminates the costly overhead of managing many bilateral interconnect agreements

Solution: OSP Peering

• OSP Protocol:
  o Global standard for inter-domain transaction authorization and usage reporting
  o Developed by ETSI in 1998, now in version 4.1.1
  o Based on existing standards
  o Uses asymmetric Public Key Infrastructure (PKI) services for non-repudiation of transactions
  o Broad support: Asterisk, SER, Cisco, Alcatel, Radvision, UTStarcom, Mediaring, ISDN Communications, Veraz, Vovida, Teles
  o Signaling-protocol independent: works with SIP, H.323, IAX ...


Overview I - How OSP Works

• Route discovery
• Inter-domain access control

[Diagram: the source peer in Domain A authenticates to the OSP server, which returns an authorization token; the source peer sends a SIP INVITE carrying the token to the destination peer in Domain B, and RTP then flows directly between the two peers.]

Overview II - How OSP Works

• CDR collection

[Diagram: after the call, the source peer in Domain A and the destination peer in Domain B each send an accounting message carrying an encrypted CDR to the OSP server.]

The Basics of Public-key Cryptosystems

Critical Points:

• Public / private keys are used for encryption / decryption and for digital signatures
• Public keys are public, and therefore easy to distribute
• A digital certificate signed by a trusted 3rd party ensures the public key is legitimate
• Digital signatures provide data integrity, authentication and non-repudiation
• Certificates may be chained from a root authority

Security services between parties rely on the exchange of public keys and the security of private keys.

Establishing PKI Security Services

The Certificate Authority (CA) for peer-to-peer authorization is the OSP server. Enrollment of a VoIP device (for example, an Asterisk server) proceeds as follows:

1. The client device requests the CA's public key and certificate
2. The CA sends its public key and its certificate
3. The client device sends a certificate request to the CA
4. The CA signs the request with the CA private key and returns the signed certificate

The resulting certificate contains the VoIP device information and the VoIP device public key, certified by the Certificate Authority with the CA signature.

Step 2 is the trust anchor for everything that follows: a device should confirm the CA certificate it receives (for example, by comparing its fingerprint with one obtained out of band) before trusting any certificate or token chained to it.

Source Peer Authentication

[Diagram: Carrier A sends an authorization request across the IP network to the OSP server.]

• The routing request to the OSP server is digitally signed with the VoIP device's private key.
• The OSP server verifies the client signature with the client's public key to authenticate the routing request.

Inter-Domain Access Control

[Diagram: the OSP server returns an authorization response with a token to Domain A; Domain A sends a SIP INVITE with the token to Domain B; RTP then flows between the domains.]

• The OSP server digitally signs the authorization token
• The authorization token is included in the SIP INVITE
• Domain B has no trusted relationship with Domain A, but verifies the digital signature with the CA public key
• The carrier can retain the digital signature for non-repudiation

A valid signature proves only that the clearinghouse issued the token. Domain B should also check that the token's destination is itself, that its call ID matches the INVITE, and that the current time lies within the token's validity window; otherwise a token captured from one call could be replayed against another.

Peering Authorization Token

• Destination
  o IP address, domain name, SIP URI, tel URI, E.164 number, trunk group
• Destination protocol
  o SIP, Q.931, H.323-LRQ, IAX, other
• Transaction ID
• Service type, bandwidth, number of channels
• Call ID, session ID, multi-session ID
• Valid after
• Valid until
• Authorized amount
  o Seconds, packets, bytes, pages, call, session, price, currency
• Authority URL
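The trust flow on the last four slides (device enrollment with the CA, the source peer signing its routing request, the OSP server signing the token, and the destination verifying it with nothing but the CA public key), worked through as an added example. This is not TransNexus, Asterisk or OSP Toolkit code: it uses a textbook RSA (hash then exponentiate, no padding, 512-bit keys) so it runs on the Python standard library alone, and the certificate and token are plain JSON rather than X.509 and S/MIME. The host names, the 192.0.2.10 and 198.51.100.7 addresses and the token field names are constructed for the example; the called number 7777777777 and call ID 1115919177.9 are what the base64 token fragment shown later in this deck decodes to.

```python
"""Toy model of the OSP trust flow: the CA certifies the OSP server, the source
peer signs its routing request, the server signs the token, and the destination
verifies that token holding only the CA public key.  Textbook RSA, demo only."""
import hashlib
import json
import random

_rng = random.SystemRandom()

def _is_probable_prime(n, rounds=20):  # Miller-Rabin
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def generate_keypair(bits=512):  # returns ((n, e), (n, d)); toy size for speed
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def canonical(obj):
    """Deterministic bytes so signer and verifier hash the same thing."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(private_key, data):
    n, d = private_key
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_certificate(ca_private, subject, subject_public):
    """The CA binds a subject name to a public key with its own signature."""
    body = {"subject": subject, "public_key": list(subject_public)}
    return {"body": body, "ca_signature": sign(ca_private, canonical(body))}

def verify_certificate(ca_public, cert):
    return verify(ca_public, canonical(cert["body"]), cert["ca_signature"])

def validate_token_at_destination(ca_public, osp_cert, token, token_sig,
                                  expected_call_id, my_address, now):
    # Domain B trusts only the CA: certificate first, then token signature,
    # then the constraints the token itself carries.
    if not verify_certificate(ca_public, osp_cert):
        return False
    if osp_cert["body"]["subject"] != token["authority"]:
        return False  # token names an authority other than the certified one
    if not verify(tuple(osp_cert["body"]["public_key"]), canonical(token), token_sig):
        return False
    return (token["call_id"] == expected_call_id            # bound to this call
            and token["destination"] == my_address          # bound to this peer
            and token["valid_after"] <= now <= token["valid_until"])

def run_peering_flow(now=1115922779):  # default: the slide's 2005-05-12T18:32:59Z
    # Enrollment: the CA certifies both the OSP server and the source peer.
    ca_pub, ca_priv = generate_keypair()
    osp_pub, osp_priv = generate_keypair()
    src_pub, src_priv = generate_keypair()
    osp_cert = issue_certificate(ca_priv, "osp.clearinghouse.example", osp_pub)
    src_cert = issue_certificate(ca_priv, "domain-a.example", src_pub)
    # Source peer authentication: Domain A signs its routing request (constructed values).
    request = {"called": "7777777777", "call_id": "1115919177.9"}
    req_sig = sign(src_priv, canonical(request))
    request_ok = verify_certificate(ca_pub, src_cert) and verify(
        tuple(src_cert["body"]["public_key"]), canonical(request), req_sig)
    # The server's answer: a token bounding destination, call, amount and window.
    dest = "192.0.2.10:5060"
    token = {"authority": "osp.clearinghouse.example", "call_id": request["call_id"],
             "destination": dest, "amount_seconds": 14400,
             "valid_after": now - 300, "valid_until": now + 300}
    token_sig = sign(osp_priv, canonical(token))
    # Domain B holds only the CA public key plus the server's certificate.
    def check(tok, addr, t):
        return validate_token_at_destination(ca_pub, osp_cert, tok, token_sig,
                                             "1115919177.9", addr, t)
    return {"request_authenticated": request_ok,
            "token_accepted": check(token, dest, now),
            "tampered_token_rejected": not check(dict(token, amount_seconds=999999), dest, now),
            "expired_token_rejected": not check(token, dest, now + 3600),
            "misdirected_token_rejected": not check(token, "198.51.100.7:5060", now)}
```

The three rejection cases are the ones that matter operationally: a peer that raises its own authorized amount, a token presented after its window, and a token minted for one destination replayed against another. Each fails at a different check, and none of them requires Domain B to know anything about Domain A.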

Secure Accounting

[Diagram: Domain A and Domain B each send a usage indication carrying an encrypted CDR to the OSP server.]

• Domains A and B send their CDRs (OSP usage indications) to the OSP server over SSL/TLS, so the records are encrypted in transit
• For auditing, the OSP server can request in real time that a domain digitally sign a batch of CDRs

Capabilities & Pricing Messages

• OSP enables clients to update the OSP server database in real time.
• Capabilities Exchange messages can be used
  o to indicate the service features available
  o to indicate the bandwidth or channels available
  o to indicate presence
• Pricing Indication is used to query for rates or to provide rate changes
  o for services (voice, fax, message, video ...)
  o based on seconds, pages, bytes, packets and currency

Examples of OSP Peering

• Enterprise VoIP VPN
• Wholesale inter-carrier VoIP services
• Tiered peering
• DUNDi settlement clearinghouse

Enterprise VoIP Network

[Diagram: a call center, headquarters, a sales office, a branch office and a manufacturing site, all connected over the Internet.]

Requirements:

1. Centralized routing
2. Secure inter-office access control
3. Centralized accounting
4. Autonomous local operation
5. Minimum bandwidth

Enterprise VoIP VPN

• The OSP peering architecture provides a secure VoIP VPN that meets all five requirements

[Diagram: the same sites connected over the Internet as a VoIP VPN, with an OSP server.]

1. Enrollment
2. Route authorization
3. SIP INVITE with token
4. CDR collection

Wholesale Inter-Carrier Services

[Diagram: many ITSPs interconnected over the Internet.]

• Challenge: how to manage interconnect access and billing among thousands of ITSP peers
• The conventional solution is to route all calls via a softswitch or session border controller.
• Direct peering with OSP is more scalable and more reliable, with better QoS, less bandwidth and lower cost: each ITSP does a route lookup against one of several OSP servers and then signals the destination directly.
• Call detail collection from both the source and the destination eliminates settlement disputes: the source CDR and the destination CDR for each call are both reported to the OSP server.
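What a clearinghouse can do with the two-sided CDRs described on the Secure Accounting slide and the wholesale slide above, as an added example that is not TransNexus code: pair the source and destination records by transaction ID, bill only the duration both sides attest to, cap it at the amount the token authorized, and flag everything else for audit. The CDR fields, the two-second tolerance and the sample records are constructed for the example.

```python
"""Reconcile the source CDR and destination CDR reported for the same OSP
transaction, the way a settlement clearinghouse would.  Field names, the
two-second tolerance and the sample records are all constructed."""
from dataclasses import dataclass

TOLERANCE_SECONDS = 2  # assumed allowance for signalling skew between the peers

@dataclass
class CDR:
    transaction_id: str   # OSP TransactionId shared by both sides of the call
    reporter: str         # "source" or "destination"
    called: str
    duration: int         # seconds connected, as seen by the reporter
    authorized: int       # seconds granted in the token the reporter holds

def reconcile(cdrs):
    """Map transaction id -> {"status": ..., "billable": seconds}."""
    by_tx = {}
    for cdr in cdrs:
        by_tx.setdefault(cdr.transaction_id, {})[cdr.reporter] = cdr
    results = {}
    for tx, pair in by_tx.items():
        src, dst = pair.get("source"), pair.get("destination")
        if src is None or dst is None:
            # A one-sided record cannot be settled; hold it for audit.
            missing = "destination" if dst is None else "source"
            results[tx] = {"status": "missing_" + missing, "billable": 0}
            continue
        agreed = min(src.duration, dst.duration)
        cap = min(src.authorized, dst.authorized)
        if src.called != dst.called:
            status = "dispute_called_number"
        elif abs(src.duration - dst.duration) > TOLERANCE_SECONDS:
            status = "dispute_duration"
        elif agreed > cap:
            status = "over_authorization"
        else:
            status = "settled"
        # Bill only what both sides attest to, never more than was authorized.
        results[tx] = {"status": status, "billable": min(agreed, cap)}
    return results

SAMPLE_CDRS = [  # constructed records
    CDR("1001", "source", "7777777777", 600, 14400),
    CDR("1001", "destination", "7777777777", 601, 14400),
    CDR("1002", "source", "7777777777", 900, 14400),
    CDR("1002", "destination", "7777777777", 840, 14400),
    CDR("1003", "source", "7777777777", 120, 14400),
    CDR("1004", "source", "7777777777", 15000, 14400),
    CDR("1004", "destination", "7777777777", 14999, 14400),
]

if __name__ == "__main__":
    for tx, outcome in reconcile(SAMPLE_CDRS).items():
        print(tx, outcome)
```

Transaction 1002 is the case the slide is about: with only the source's 900 seconds there would be an argument; with both records the clearinghouse settles the 840 seconds nobody contests and escalates the 60-second gap. Transaction 1004 shows why the token's authorized amount belongs in the comparison: both peers agree on the duration, but neither was authorized to run the call that long.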

Tiered Peering

• OSP enables secure peering among multiple peering networks.

[Diagram: a Yellow peering network and a Purple peering network, each with its own OSP servers, connected over the Internet. A source in the Yellow network sends (1) an authorization request to its own OSP server, which forwards (2) an authorization request to the Purple network's OSP server; the Purple server returns (3) an authorization response, which the Yellow server relays (4) to the source. The source then sends a SIP INVITE carrying the token for the Purple network.]

Tiered Peering CDR Reporting

• Top-tier peering networks receive Call Detail Records from both source and destination peers.

[Diagram: the source CDR and the destination CDR flow to the OSP servers of both the Yellow and the Purple peering networks.]

DUNDi

• Distributed Universal Number Discovery
• Based on a General Peering Agreement
• No settlement

DUNDi Clearinghouse

[Diagram: a DUNDi node asks a peer "rate / minute?" and is told "2¢ / minute!"; the source then sends a token request to the OSP server, the SIP INVITE carries the token, and both sides report CDRs to the OSP server, which settles ("$").]

• DUNDi nodes enroll with the CA
• Route and rate discovery with DUNDi
• The source submits the route and rate to the clearinghouse for a digitally signed token
• The SIP INVITE includes the signed token
• The destination validates the rate in the token
• CDRs are sent to the clearinghouse
• The clearinghouse performs settlement billing

Details of OSP

• An OSP server is a web server
• OSP defines standardized messages for authorizing and accounting for IP-based sessions.
• Message formats
  o Multipurpose Internet Mail Extensions (MIME)
  o eXtensible Markup Language (XML)
  o Secure MIME
• Communication protocols (stack, top to bottom):

    Open Settlement Protocol
    XML presentation
    HTTP v1.0
    SSL / TLS (optional)
    TCP port 80 (plain HTTP) or TCP port 443 (HTTP over SSL/TLS)
    IP

Only the SSL/TLS path on port 443 gives the tokens and CDRs confidentiality in transit. Over plain HTTP on port 80 the digital signatures still provide integrity and non-repudiation, but routing data and call records are readable by anyone on the path.

OSP Message Example

HTTP header:

HTTP/1.1 200 OK
Server: IP address of OSP server
Date: Thu, 12 May 2005 18:32:59 GMT
Connection: Keep-Alive
Keep-Alive: timeout=3600, max=5000
Content-Length: 1996
Content-Type: text/plain

OSP message (the token and the closing tags are truncated on the slide):

<?xml version='1.0'?>
<Message messageId='11703738491' random='21655'>
  <AuthorizationResponse componentId='11703738490'>
    <Timestamp>2005-05-12T18:32:59Z</Timestamp>
    <TransactionId>4785098287068543017</TransactionId>
    <Destination>
      <CallId encoding='base64'>MTExNTkxOTE3Ny45</CallId>
      <DestinationInfo type='e164'>Called Number</DestinationInfo>
      <DestinationSignalAddress>[IP Address:Port]</DestinationSignalAddress>
      <UsageDetail>
        <Amount>14400</Amount>
        <Unit>s</Unit>
      </UsageDetail>
      <ValidAfter>2005-05-12T18:27:59Z</ValidAfter>
      <ValidUntil>2005-05-12T18:37:59Z</ValidUntil>
      <DestinationProtocol>sip</DestinationProtocol>
      <SourceInfo type='e164'>Calling Number</SourceInfo>
      <Token encoding='base64'>
        Vj0xCnI9MjE2NTUKYz0KQz03Nzc3Nzc3Nzc3Cmk9TVRFeE5Ua3hPVEUzTnk0NQphPT
        IwMDUtMDUtMTJUMTg6Mjc6NTlaCnU9MjAwNS0wNS0xMlQxODozNzo1OVoKST00Nz
        ...

Slide annotations:

• TransactionId: unique transaction ID per call
• CallId: call ID from the source device
• DestinationInfo: called number, which may be translated
• DestinationSignalAddress: IP address of the called number
• UsageDetail: call authorized for 14400 seconds
• ValidAfter / ValidUntil: call authorized to start within a 10-minute window
• DestinationProtocol: may be SIP, H.323, IAX, ...
• Token: the digital signature of the token ensures non-repudiation
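A parser for the AuthorizationResponse above and the consistency checks a destination peer should run on it, as an added example rather than code from the slides or from any OSP implementation. The sample XML is the slide's message with its two placeholders filled in with constructed values (7777777777 and 192.0.2.10:5060) and a constructed calling number. The token body layout (one key=value per line) and the meaning of its keys (C called number, i call ID, a and u validity window, I transaction ID) are inferred from base64-decoding the slide's own token fragment; the signature that a real token appends after those lines is not modelled here.

```python
"""Parse an OSP AuthorizationResponse and check that the token it carries is
consistent with the XML and still valid.  The XML is the slide's message with
its placeholders filled in; the token's key=value layout and key meanings are
inferred from base64-decoding the slide's own token fragment."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

def parse_timestamp(text):
    return datetime.strptime(text, TS_FORMAT).replace(tzinfo=timezone.utc)

# Constructed token body: V=version, r=random, C=called number, i=call id (base64),
# a=valid after, u=valid until, I=transaction id.  No signature is modelled.
TOKEN_BODY = ("V=1\nr=21655\nc=\nC=7777777777\ni=MTExNTkxOTE3Ny45\n"
              "a=2005-05-12T18:27:59Z\nu=2005-05-12T18:37:59Z\nI=4785098287068543017\n")

SAMPLE_XML = f"""<?xml version='1.0'?>
<Message messageId='11703738491' random='21655'>
 <AuthorizationResponse componentId='11703738490'>
  <Timestamp>2005-05-12T18:32:59Z</Timestamp>
  <TransactionId>4785098287068543017</TransactionId>
  <Destination>
   <CallId encoding='base64'>MTExNTkxOTE3Ny45</CallId>
   <DestinationInfo type='e164'>7777777777</DestinationInfo>
   <DestinationSignalAddress>192.0.2.10:5060</DestinationSignalAddress>
   <UsageDetail><Amount>14400</Amount><Unit>s</Unit></UsageDetail>
   <ValidAfter>2005-05-12T18:27:59Z</ValidAfter>
   <ValidUntil>2005-05-12T18:37:59Z</ValidUntil>
   <DestinationProtocol>sip</DestinationProtocol>
   <SourceInfo type='e164'>2125550100</SourceInfo>
   <Token encoding='base64'>{base64.b64encode(TOKEN_BODY.encode()).decode()}</Token>
  </Destination>
 </AuthorizationResponse>
</Message>"""

def parse_authorization_response(xml_text):
    """Pull the fields a destination peer needs out of the response."""
    resp = ET.fromstring(xml_text).find("AuthorizationResponse")
    dest = resp.find("Destination")
    call_id_b64 = dest.findtext("CallId").strip()
    return {
        "transaction_id": resp.findtext("TransactionId"),
        "call_id_b64": call_id_b64,
        "call_id": base64.b64decode(call_id_b64).decode(),
        "called": dest.findtext("DestinationInfo"),
        "signal_address": dest.findtext("DestinationSignalAddress"),
        "amount": int(dest.findtext("UsageDetail/Amount")),
        "unit": dest.findtext("UsageDetail/Unit"),
        "valid_after": parse_timestamp(dest.findtext("ValidAfter")),
        "valid_until": parse_timestamp(dest.findtext("ValidUntil")),
        "protocol": dest.findtext("DestinationProtocol"),
        # the slide wraps the base64 across lines, so drop all whitespace first
        "token": base64.b64decode("".join(dest.findtext("Token").split())),
    }

def parse_compact_token(token_bytes):
    """One key=value per line; unknown keys are kept so nothing is silently lost."""
    fields = {}
    for line in token_bytes.decode().splitlines():
        key, _, value = line.partition("=")
        fields[key] = value
    return fields

def check_response(resp, now):
    """Return the reasons a destination should refuse the call (empty = accept)."""
    tok = parse_compact_token(resp["token"])
    problems = []
    if tok.get("I") != resp["transaction_id"]:
        problems.append("transaction id differs between XML and token")
    if tok.get("i") != resp["call_id_b64"]:
        problems.append("call id differs between XML and token")
    if tok.get("C") != resp["called"]:
        problems.append("called number differs between XML and token")
    window = (resp["valid_after"].strftime(TS_FORMAT), resp["valid_until"].strftime(TS_FORMAT))
    if (tok.get("a"), tok.get("u")) != window:
        problems.append("validity window differs between XML and token")
    if now < resp["valid_after"]:
        problems.append("token not yet valid")
    if now > resp["valid_until"]:
        problems.append("token expired")
    if resp["unit"] != "s" or resp["amount"] <= 0:
        problems.append("authorized amount is not a positive number of seconds")
    return problems
```

The cross-checks between the XML and the token matter because only the token is signed: a source peer could forward a genuine token inside an INVITE whose unsigned headers describe a different call, so the destination must take the called number, call ID and window from the token and treat the surrounding data as untrusted.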

Open Source Tools

• www.Asterisk.org
  o Asterisk supports OSP peering
• www.SIPfoundry.org
  o OSP Toolkit (client)
  o OpenOSP Server (based on Apache)
  o RAMS OSP Server
• http://osp-module.berlios.de
  o OSP peering module for SIP Express Router
• www.OpenSER.org
  o OpenSER supports OSP peering.
• www.voxgratia.org
  o OpenH323 proxy supports OSP peering (future support for SIP in OPAL)
• www.TransNexus.com
  o Q1 2006: OSPrey, a no-cost OSP server handling 1200 calls per hour