Using Asterisk™ and the OSP Peering Protocol for Secure Multi-Lateral Peering (PowerPoint presentation transcript)

Provided by: trans3
Slides: 34

1
Using Asterisk™ and the OSP Peering Protocol
for Secure Multi-Lateral Peering
Jim.Dalton_at_TransNexus.com
2
Market Problem
[Diagram: an originating domain places a call to a terminating domain across the Internet or an IP network; each side is a service provider POP (Ethernet switch, router) attached to the PSTN. Labels on the diagram: Terminating Domain ?, Routing, Access Control, Accounting, Settlement]
3
Bilateral Peering with Settlement

[Diagram: ITSP A and ITSP E peer directly over an IP network]
4
ENUM Peering: Bill and Keep
[Diagram: ITSP A, ITSP B and ITSP C on an IP network; route look-up against an ENUM directory server; endpoints are an IP phone and a PC phone]
5
Multi-lateral Peering
[Diagram: ITSP B and ITSP C peer via OSP through a Certificate Authority and Settlement Clearinghouse]
6
Benefits of secure multi-lateral peering
  • Efficient peer-to-peer communication eliminates
    signaling bottlenecks
  • Access control is greatly simplified
  • IP access lists are eliminated
  • Asymmetric key management is simpler and more
    secure than shared secrets
  • Eliminates the costly overhead of managing many
    bilateral interconnect agreements

7
Solution: OSP Peering Protocol
  • Open Settlement Protocol (OSP)
  • Global standard for inter-domain transaction
    authorization and usage reporting
  • Developed by ETSI in 1998, now in version 4.1.1
  • Based on existing standards
  • Uses asymmetric Public Key Infrastructure (PKI)
    services for non-repudiation of transactions
  • Broad support: Asterisk, SER, OpenSER, Cisco,
    UTStarcom, Mediaring, Stratus, Veraz
  • Protocol independent
    • Works with SIP, H.323, IAX

8
The Basics of Public-key Cryptosystems
Security services between parties rely on the
exchange of public keys and the security of private
keys.
  • Critical points
    • Public / private keys are used for encryption /
      decryption and for digital signatures
    • Public keys are public: easy to distribute
    • A digital certificate signed by a trusted 3rd
      party ensures the public key is legitimate
    • Digital signatures provide data integrity,
      authentication and non-repudiation
    • Certificates may be chained from a root authority

9
Establishing PKI Security Services
[Diagram: an Asterisk client device enrolling with the Certificate Authority (CA) for peer-to-peer authorization (the OSP server)]
  1. Client device requests public key and certificate
     from the CA
  2. CA sends its public key and its certificate
  3. Client device sends a certificate request to the CA
  4. CA returns the signed certificate
10
Source Peer Authentication
[Diagram: Carrier A sends a routing request to the OSP server across the IP network]
  • Routing request to the OSP server is digitally signed
    with the VoIP device's private key
  • OSP server verifies the client signature with the
    client's public key to authenticate the routing
    request

11
Inter-Domain Access Control
[Diagram: Domain A and Domain B on an IP network; the OSP server returns an authorization response with token to Domain A]
  • OSP server digitally signs the authorization token
  • Authorization token is included in the SIP INVITE
  • Domain B has no trust relationship with Domain A,
    but verifies the digital signature with the CA
    public key
  • Carrier can retain the digital signature for
    non-repudiation

12
Peering Authorization Token
  • Destination
    • IP address, domain name, SIP URI, tel URI, E.164,
      trunk group
  • Destination protocol
    • SIP, Q.931, H323-LRQ, IAX, other
  • Transaction ID
  • Service type, bandwidth, number of channels
  • Call ID, Session ID, MultiSession ID
  • Valid After / Valid Until
  • Authorized amount
    • Seconds, packets, bytes, pages, call, session,
      price, currency
  • Authority URL
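
The authentication and authorization flow of slides 10 through 12, as an added example in Python (not code from the slides, and not TransNexus or Asterisk code). A toy textbook RSA over fixed Mersenne primes stands in for the X.509 PKI of a real OSP deployment, and the token field names, peer names and times are constructed to mirror the slide's token list rather than the OSP wire format; all of these are assumptions of the example. It shows the three checks that make the scheme work: the OSP server verifies the device's signature on the routing request, the server signs the token with the CA key, and Domain B, which has no relationship with Domain A, accepts the token only if the CA signature, validity window, destination and protocol all check out.

```python
import hashlib
import json

# Toy RSA over fixed Mersenne primes keeps the example deterministic and
# dependency-free (assumption of this example). Raw RSA on an unpadded
# SHA-256 digest is NOT a secure signature scheme; it only illustrates
# "sign with private key, verify with public key".
E = 65537
CA_PRIMES = (2**521 - 1, 2**607 - 1)        # OSP server / CA key
DEVICE_PRIMES = (2**127 - 1, 2**1279 - 1)   # Carrier A's VoIP device key
ISSUED_AT = 1115922779  # 2005-05-12T18:32:59Z, the timestamp in the slides' message example


def toy_keypair(primes):
    """Return ((n, e), (n, d)) for a pair of primes."""
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data)


def canonical(obj):
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# Slide 10: the OSP server authenticates the source peer.
def authenticate_routing_request(request, device_public_key):
    body = {k: v for k, v in request.items() if k != "signature"}
    return verify(device_public_key, canonical(body), request["signature"])


# Slide 11: the OSP server (acting as CA) signs the authorization token.
def issue_token(ca_private_key, claims):
    return {"claims": claims, "signature": sign(ca_private_key, canonical(claims))}


# Slides 11-12: Domain B validates the token it received in the SIP INVITE.
def validate_token(token, ca_public_key, my_destination, my_protocol, now):
    """Return (ok, reason). Domain B needs only the CA public key, not any
    prior relationship with Domain A."""
    claims = token["claims"]
    if not verify(ca_public_key, canonical(claims), token["signature"]):
        return False, "bad signature"          # forged or tampered token
    if not claims["valid_after"] <= now <= claims["valid_until"]:
        return False, "outside validity window"
    if claims["destination"] != my_destination:
        return False, "token not issued for this destination"
    if claims["destination_protocol"] != my_protocol:
        return False, "protocol mismatch"
    return True, "authorized for %d seconds" % claims["authorized"]["seconds"]


def demo(now=ISSUED_AT, **claim_overrides):
    """Run the whole flow; keyword overrides change token claims before signing."""
    ca_pub, ca_priv = toy_keypair(CA_PRIMES)
    dev_pub, dev_priv = toy_keypair(DEVICE_PRIMES)

    # 1. Carrier A signs its routing request with the device private key.
    request = {"source": "sip:carrier-a.example", "called": "+15551234567"}
    request["signature"] = sign(dev_priv, canonical(request))
    if not authenticate_routing_request(request, dev_pub):
        return False, "routing request rejected"

    # 2. The OSP server answers with a CA-signed token (constructed values;
    #    field names mirror slide 12, not the OSP wire format).
    claims = {
        "transaction_id": "txn-0001",
        "destination": "sip:domain-b.example",
        "destination_protocol": "sip",
        "valid_after": ISSUED_AT - 300,   # 10-minute window as in the slides
        "valid_until": ISSUED_AT + 300,
        "authorized": {"seconds": 14400},
        "authority_url": "https://osp.example/",
    }
    claims.update(claim_overrides)
    token = issue_token(ca_priv, claims)

    # 3. Domain B validates the token carried in the SIP INVITE.
    return validate_token(token, ca_pub, "sip:domain-b.example", "sip", now)


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the happy path. Changing any claim after signing, or signing with a key other than the CA's, fails at the signature check before any field is read, which is what lets the token travel through an untrusted SIP path between two domains that have never exchanged credentials.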

13
Secure Accounting
[Diagram: Domain A and Domain B report CDRs to the OSP server across the IP network]
  • Domains A and B encrypt CDRs with SSL/TLS
  • For auditing, the OSP server can request in real time
    that a domain digitally sign a batch of CDRs

14
Capabilities and Pricing Messages
  • OSP enables clients to update the OSP server database
    in real time
  • Capabilities Exchange messages can be used
    • To indicate service features available
    • To indicate bandwidth or channels available
    • To indicate presence
  • Pricing Indication is used to query for rates or
    provide rate changes
    • for services (voice, fax, message, video)
    • based on seconds, pages, bytes, packets and
      currency

15
Examples of OSP Peering
  • Enterprise VoIP VPN
  • Wholesale Inter-Carrier VoIP Services
  • Tiered Peering
  • DUNDi Settlement Clearinghouse

16
Enterprise VoIP Network
  • Requirements
    1. Centralized routing
    2. Secure inter-office access control
    3. Centralized accounting
    4. Autonomous local operation
    5. Minimum bandwidth

[Diagram: Headquarters, Branch Office, Manufacturing, Sales Office and Call Center connected over the Internet]
17
Enterprise VoIP VPN
  • OSP peering architecture provides a secure VoIP VPN
    (meeting the five requirements on the previous slide)

[Diagram: Headquarters, Branch Office, Manufacturing, Sales Office and Call Center connected over the Internet. Call flow: 1. Enrollment, 2. Route Authorization, 3. SIP INVITE with Token, 4. CDR collection]
18
Wholesale Inter-Carrier Services
  • Challenge: how to manage interconnect access and
    billing among thousands of ITSP peers

[Diagram: ITSP peers connected over the Internet]
19
Wholesale Inter-Carrier Services
  • Conventional solution is to route all calls via a
    softswitch or session border controller.

[Diagram: all calls routed through a central softswitch or session border controller over the Internet]
20
Wholesale Inter-Carrier Services
  • Direct peering with OSP is more scalable and more
    reliable, gives better QoS, uses less bandwidth
    and costs less

[Diagram: route lookup against the OSP server, then direct peering over the Internet]
21
Wholesale Inter-Carrier Services
  • Call Detail Collection from both the source and
    destination eliminates settlement disputes

[Diagram: CDRs collected from both source and destination over the Internet]
22
Tiered Peering
  • OSP enables secure peering among multiple peering
    networks.

[Diagram: Purple Peering Network and Yellow Peering Network interconnected over the Internet]
23
Tiered Peering CDR Reporting
  • Top tier peering networks receive Call Detail
    Records from both source and destination peers.

[Diagram: Purple Peering Network and Yellow Peering Network interconnected over the Internet, with CDRs flowing to the top tier]
24
DUNDi
  • Distributed Universal Number Discovery
  • Based on General Peering Agreement
  • No Settlement

25
DUNDi Clearinghouse
  • DUNDi nodes enroll with CA
  • Route and rate discovery with DUNDi
  • Source submits route and rate to clearinghouse for a
    digitally signed token

[Diagram callouts: "rate / minute?" and "2 / minute!"]
26
DUNDi Clearinghouse
  • SIP INVITE includes the signed token
  • Destination validates token and rate
  • CDRs sent to clearinghouse

[Diagram: SIP INVITE with token]

27
DUNDi Clearinghouse

  • Clearinghouse performs settlement billing

28
Details of OSP
  • An OSP server is a web server
  • OSP defines standardized messages for the
    exchange of IP-based sessions
  • Message formats
    • Multipurpose Internet Mail Extensions (MIME)
    • eXtensible Markup Language (XML)
    • Secure MIME
  • Communication protocols

29
OSP Message Example
HTTP header:
HTTP/1.1 200 OK
Server: [IP address of OSP server]
Date: Thu, 12 May 2005 18:32:59 GMT
Connection: Keep-Alive
Keep-Alive: timeout=3600, max=5000
Content-Length: 1996
Content-Type: text/plain

OSP message (XML body; the element tags were lost in the transcript, so only the recoverable values are listed):
XML declaration version '1.0'; message attributes random='21655', componentId='11703738490'; timestamp 2005-05-12T18:32:59Z; transaction ID 4785098287068543017; base64-encoded called number MTExNTkxOTE3Ny45. Slide callouts: Called Number, IP Address, Port.
30
OSP Message Example (cont.)
[Annotated token dump; the element tags were lost in the transcript, so only the recoverable values and the slide's callouts are listed]
Timestamp 2005-05-12T18:32:59Z, transaction ID 4785098287068543017 (unique transaction ID per call)
Destination MTExNTkxOTE3Ny45, type 'e164' (called number; the called number may be translated)
IP address and port of the called number
Authorized amount 14400 s (call authorized for 14400 seconds)
Valid after 2005-05-12T18:27:59Z, valid until 2005-05-12T18:37:59Z (call authorized to start in a 10-minute window)
Protocol sip (protocol may be SIP, H323, IAX, ...)
Call ID from source device
Signed token (base64, as shown on the slide): Vj0xCnI9MjE2NTUKYz0KQz03Nzc3Nzc3Nzc3Cmk9TVRFeE5Ua3hPVEUzTnk0NQphPTIwMDUtMDUtMTJUMTg6Mjc6NTlaCnU9MjAwNS0wNS0xMlQxODozNzo1OVoKST00Nz
Digital signature of the token ensures non-repudiation
31
Open Source Tools
  • www.Asterisk.org
    • Asterisk includes an OSP client
  • www.SIPfoundry.org
    • OSP Toolkit (client)
    • OpenOSP Server (based on Apache)
    • RAMS OSP Server
  • www.iptel.org
    • SIP Express Router supports OSP
  • www.OpenSER.org
    • OpenSER SIP proxy supports OSP
  • www.voxgratia.org
    • OSP-enabled H323 proxy
  • www.TransNexus.com
    • Free OSP server download

32
Overview I - How OSP Works
  • Route discovery
  • Inter-domain access control

[Diagram: Source Peer in Domain A and Destination Peer in Domain B across the IP network, with route discovery and inter-domain access control via the OSP server]
33
Overview II - How OSP Works
  • CDR collection

[Diagram: Source Peer in Domain A and Destination Peer in Domain B across the IP network, both reporting CDRs to the OSP server]