Title: Using Asterisk™ and the OSP Peering Protocol for Secure Multi-Lateral Peering
Slide 1: Using Asterisk™ and the OSP Peering Protocol for Secure Multi-Lateral Peering
Jim.Dalton_at_TransNexus.com
Slide 2: Market Problem
[Diagram: a call leaves an originating domain (PSTN, service provider POP, Ethernet switch, router) across the Internet or IP network towards an unknown terminating domain ("Terminating Domain ?"). The functions the diagram marks as unresolved between the two domains are Routing, Access Control, Accounting and Settlement.]
Slide 3: Bilateral Peering with Settlement
[Diagram: ITSP A and ITSP E connected directly to each other across the IP network.]
Slide 4: ENUM Peering, Bill and Keep
[Diagram: ITSP A, ITSP B and ITSP C on the IP network; a route look-up goes to an ENUM directory server. Endpoints shown: IP Phone, PC Phone.]
Slide 5: Multi-lateral Peering
[Diagram: ITSP B and ITSP C peer across the IP network using OSP, with a Certificate Authority and Settlement Clearinghouse.]
Slide 6: Benefits of secure multi-lateral peering
- Efficient peer-to-peer communications eliminates signaling bottlenecks
- Access control is greatly simplified
- IP access lists are eliminated
- Asymmetric key management is simpler and more secure than shared secrets
- Eliminates the costly overhead of managing many bilateral interconnect agreements
Slide 7: Solution: OSP Peering Protocol
- Open Settlement Protocol (OSP)
  - Global standard for inter-domain transaction authorization and usage reporting.
  - Developed by ETSI in 1998, now in version 4.1.1
- Based on existing standards
  - Uses asymmetric Public Key Infrastructure (PKI) services for non-repudiation of transactions
- Broad support: Asterisk, SER, OpenSER, Cisco, UTStarcom, Mediaring, Stratus, Veraz
- Protocol independent
  - Works with SIP, H.323, IAX
Slide 8: The Basics of Public-key Cryptosystems
Security services between parties rely on the exchange of public keys and the security of private keys.
- Critical points
  - Public / private keys are used for encryption / decryption and digital signatures
  - Public keys are public and easy to distribute
  - A digital certificate signed by a trusted 3rd party ensures the public key is legitimate
  - Digital signatures provide data integrity, authentication and non-repudiation
  - Certificates may be chained from a root authority
Slide 9: Establishing PKI Security Services
[Diagram: an Asterisk client device and the Certificate Authority (CA) for peer-to-peer authorization (the OSP server) exchange the following messages, in order.]
- Client device requests public key and certificate from CA
- CA sends its public key and its certificate
- Client device sends certificate request to CA
- CA returns signed certificate
Slide 10: Source Peer Authentication
[Diagram: Carrier A's VoIP device and the OSP server on the IP network.]
- Routing request to OSP server is digitally signed with the VoIP device's private key.
- OSP server verifies the client signature with the client's public key to authenticate the routing request.
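The enrollment exchange of slide 9 and the signed routing request of slide 10, as an added Go example; it is not code from the slides, from Asterisk or from the OSP Toolkit. It uses only the Go standard library. The Identity and SignedRequest types, the peer name asterisk.branch.example, the request body and the one-day certificate lifetime are constructed for the example, and the real OSP wire format (S/MIME over HTTP) is not reproduced: the point shown is the two checks the OSP server makes before it trusts a routing request.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity pairs a private key with the certificate issued for its public key
// (a type invented for this example).
type Identity struct {
	Key  *rsa.PrivateKey
	Cert *x509.Certificate
}

// Issue generates a key pair and a certificate for it. With issuer == nil the
// result is the self-signed CA of slide 9; otherwise it runs the enrollment steps:
// the device sends a certificate request, the CA checks it and returns a signed
// certificate. The device's private key is never sent to the CA.
func Issue(name string, serial int64, issuer *Identity) (*Identity, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // constructed one-day lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	var pub any = &key.PublicKey
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil
	} else {
		csrDER, err := x509.CreateCertificateRequest(rand.Reader,
			&x509.CertificateRequest{Subject: tmpl.Subject}, key)
		if err != nil { return nil, err }
		// CA side: the CSR's own signature proves the requester holds the private key.
		csr, err := x509.ParseCertificateRequest(csrDER)
		if err != nil { return nil, err }
		if err := csr.CheckSignature(); err != nil {
			return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
		}
		parent, signer, pub = issuer.Cert, issuer.Key, csr.PublicKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &Identity{Key: key, Cert: cert}, nil
}

// SignedRequest is a routing request as the peer sends it (wire shape assumed for
// this example): the body, the sender's certificate and an RSA-SHA256 signature.
type SignedRequest struct{ Body, CertDER, Signature []byte }

// SignRequest is slide 10's first step: the VoIP device signs the routing
// request with its private key.
func SignRequest(id *Identity, body []byte) (*SignedRequest, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, id.Key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	return &SignedRequest{Body: body, CertDER: id.Cert.Raw, Signature: sig}, nil
}

// VerifyRequest is slide 10's second step on the OSP server: the presented
// certificate must chain to our CA, and its key must verify the signature over
// the body. It returns the authenticated peer name from the certificate.
func VerifyRequest(ca *Identity, req *SignedRequest) (string, error) {
	cert, err := x509.ParseCertificate(req.CertDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not issued by our CA: %w", err)
	}
	if err := cert.CheckSignature(x509.SHA256WithRSA, req.Body, req.Signature); err != nil {
		return "", fmt.Errorf("signature does not match request body: %w", err)
	}
	return cert.Subject.CommonName, nil
}
```

Two details carry the security argument of slide 6 (asymmetric keys instead of shared secrets, no IP access lists). The CA only signs a public key after the CSR's own signature proves the requester holds the matching private key, so nobody can obtain a certificate for a key they do not control. The OSP server then rejects any certificate that does not chain to its own CA before it looks at the signature, so a perfectly valid signature from an un-enrolled key is refused regardless of where the request came from.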
Slide 11: Inter-Domain Access Control
[Diagram: Domain A and Domain B on the IP network; the OSP server returns an Authorization Response with Token to Domain A.]
- OSP server digitally signs the authorization token
- Authorization token is included in the SIP INVITE
- Domain B has no trusted relationship with Domain A, but verifies the digital signature with the CA public key
- Carrier can retain the digital signature for non-repudiation
Slide 12: Peering Authorization Token
- Destination
  - IP address, domain name, SIP URI, tel URI, E.164, trunk group
- Destination protocol
  - SIP, Q.931, H323-LRQ, IAX, other
- Transaction ID
- Service type, bandwidth, number of channels
- Call ID, Session ID, MultiSession ID
- Valid After / Valid Until
- Authorized amount
  - Seconds, packets, bytes, pages, call, session, price, currency
- Authority URL
Slide 13: Secure Accounting
[Diagram: Domain A and Domain B report to the OSP server across the IP network.]
- Domains A and B encrypt CDRs with SSL/TLS
- For auditing, the OSP server can request in real time that a domain digitally sign a batch of CDRs
Slide 14: Capabilities and Pricing Messages
- OSP enables clients to update the OSP server database in real time.
- Capabilities Exchange messages can be used
  - To indicate service features available
  - To indicate bandwidth or channels available
  - To indicate presence
- Pricing Indication is used to query for rates or provide rate changes
  - for services (voice, fax, message, video)
  - based on seconds, pages, bytes, packets and currency
Slide 15: Examples of OSP Peering
- Enterprise VoIP VPN
- Wholesale Inter-Carrier VoIP Services
- Tiered Peering
- DUNDi Settlement Clearinghouse
Slide 16: Enterprise VoIP Network
[Diagram: Headquarters, Branch Office, Manufacturing, Sales Office and Call Center connected over the Internet; the slide builds up the five points below one at a time.]
1. Centralized routing
2. Secure inter-office access control
3. Centralized accounting
4. Autonomous local operation
5. Minimum bandwidth
Slide 17: Enterprise VoIP VPN
- OSP peering architecture provides a secure VoIP VPN
1. Centralized routing
2. Secure inter-office access control
3. Centralized accounting
4. Autonomous local operation
5. Minimum bandwidth
[Diagram: Headquarters, Branch Office, Manufacturing, Sales Office and Call Center connected over the Internet; the message flow shown is 1. Enrollment, 2. Route Authorization, 3. SIP INVITE with Token, 4. CDR collection.]
Slide 18: Wholesale Inter-Carrier Services
- Challenge: how to manage interconnect access and billing among thousands of ITSP peers
[Diagram: ITSP peers connected over the Internet.]
Slide 19: Wholesale Inter-Carrier Services
- Conventional solution is to route all calls via a softswitch or session border controller.
[Diagram: ITSP peers connected over the Internet through a central softswitch.]
Slide 20: Wholesale Inter-Carrier Services
- Direct peering with OSP is more scalable, more reliable, better QoS, less bandwidth, lower cost.
[Diagram: ITSP peers connected over the Internet; only the Route Lookup goes to the OSP server, media and signaling flow peer to peer.]
Slide 21: Wholesale Inter-Carrier Services
- Call Detail collection from both the source and destination eliminates settlement disputes
[Diagram: ITSP peers connected over the Internet.]
Slide 22: Tiered Peering
- OSP enables secure peering among multiple peering networks.
[Diagram: a Purple Peering Network and a Yellow Peering Network connected over the Internet.]
Slide 23: Tiered Peering CDR Reporting
- Top-tier peering networks receive Call Detail Records from both source and destination peers.
[Diagram: a Purple Peering Network and a Yellow Peering Network connected over the Internet.]
Slide 24: DUNDi
- Distributed Universal Number Discovery
- Based on General Peering Agreement
- No Settlement
Slide 25: DUNDi Clearinghouse
- DUNDi nodes enroll with CA
- Route and rate discovery with DUNDi
- Source submits route rate to clearinghouse for digitally signed token
[Diagram: the rate discovery between DUNDi nodes is drawn as the query "rate / minute?" answered by "2 / minute!".]
Slide 26: DUNDi Clearinghouse
- SIP INVITE includes signed token
- Destination validates token and rate
- CDRs sent to clearinghouse
Slide 27: DUNDi Clearinghouse
- Clearinghouse performs settlement billing
Slide 28: Details of OSP
- An OSP server is a web server
- OSP defines standardized messages for the exchange of IP-based sessions.
- Message formats
  - Multipurpose Internet Mail Extensions (MIME)
  - eXtensible Markup Language (XML)
  - Secure MIME
- Communication protocols
Slide 29: OSP Message Example
[The slide shows an HTTP response from the OSP server with two annotated regions, "HTTP Header" and "OSP Message". The header, with the separators lost in extraction restored:]
HTTP/1.1 200 OK
Server: (IP address of OSP server)
Date: Thu, 12 May 2005 18:32:59 GMT
Connection: Keep-Alive
Keep-Alive: timeout=3600, max=5000
Content-Length: 1996
Content-Type: text/plain
[The XML message body survives only as fragments. Recoverable values: XML version '1.0', random '21655', componentId '11703738490', timestamp 2005-05-12T18:32:59Z, transaction ID 4785098287068543017, and a base64-encoded call ID MTExNTkxOTE3Ny45 followed by the called number and the destination IP address and port.]
Slide 30: OSP Message Example (cont.)
[The slide annotates fields of the OSP message body; the body itself survives only in fragments. Recoverable values: timestamp 2005-05-12T18:32:59Z; transaction ID 4785098287068543017; destination (type 'e164') with called number, IP address and port; authorized amount 14400 (unit: s); valid after 2005-05-12T18:27:59Z; valid until 2005-05-12T18:37:59Z; protocol sip; calling number; and the base64 token beginning:]
Vj0xCnI9MjE2NTUKYz0KQz03Nzc3Nzc3Nzc3Cmk9TVRFeE5Ua3hPVEUzTnk0NQphPTIwMDUtMDUtMTJUMTg6Mjc6NTlaCnU9MjAwNS0wNS0xMlQxODozNzo1OVoKST00Nz
Annotations on the slide:
- Unique Transaction ID per call
- Call ID from source device
- Called Number may be translated
- Call authorized for 14440 seconds
- IP Address of Called Number
- Call authorized to start in 10 minute window
- Protocol may be SIP, H323, IAX,
- Digital signature of token ensures non-repudiation
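The token checks described on slides 11 and 12, applied to the compact token whose base64 form appears on slide 30, as an added Go example; it is not the slides' code, nor Asterisk's or the OSP Toolkit's. The base64 string on slide 30 decodes to key=value lines with the keys V, r, c, C, i, a, u and I; the meanings used here (version, random, calling number, called number, call ID, valid after, valid until, transaction ID) are inferred from the slide's callouts and are an assumption, not a quotation of the OSP specification. The "body.signature" envelope, the RSA-SHA256 signature and the NewSigningKey helper are simplifications standing in for the S/MIME signed token the protocol actually uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
	"time"
)

// Token holds the fields of the compact token that slide 30 shows base64-encoded.
// The one-letter keys are those in that token; their meanings are inferred from the slide.
type Token struct {
	Version, Random, Calling, Called, CallID, TransactionID string
	ValidAfter, ValidUntil                                  time.Time
}

// Encode renders the token as key=value lines in the order seen on the slide.
func (t Token) Encode() string {
	return strings.Join([]string{
		"V=" + t.Version, "r=" + t.Random, "c=" + t.Calling, "C=" + t.Called,
		"i=" + t.CallID, "a=" + t.ValidAfter.UTC().Format(time.RFC3339),
		"u=" + t.ValidUntil.UTC().Format(time.RFC3339), "I=" + t.TransactionID,
	}, "\n")
}

// ParseToken is the inverse of Encode; an unknown key is an error, not ignored.
func ParseToken(s string) (Token, error) {
	var t Token
	strs := map[string]*string{"V": &t.Version, "r": &t.Random, "c": &t.Calling, "C": &t.Called, "i": &t.CallID, "I": &t.TransactionID}
	times := map[string]*time.Time{"a": &t.ValidAfter, "u": &t.ValidUntil}
	for _, line := range strings.Split(s, "\n") {
		k, v, ok := strings.Cut(line, "=")
		if !ok { return t, fmt.Errorf("malformed token line %q", line) }
		if p, found := strs[k]; found {
			*p = v
		} else if p, found := times[k]; found {
			tm, err := time.Parse(time.RFC3339, v)
			if err != nil { return t, err }
			*p = tm
		} else {
			return t, fmt.Errorf("unknown token field %q", k)
		}
	}
	return t, nil
}

// NewSigningKey makes the OSP server's RSA key (constructed for the example).
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// IssueToken is the OSP server's step: sign the encoded token with its private key.
// A real OSP token is an S/MIME signed object; the "body.signature" pair of base64
// strings used here is a simplification that keeps the same checks.
func IssueToken(key *rsa.PrivateKey, t Token) (string, error) {
	body := []byte(t.Encode())
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return base64.StdEncoding.EncodeToString(body) + "." + base64.StdEncoding.EncodeToString(sig), nil
}

// ValidateToken is Domain B's check on the token carried in the INVITE: verify the
// signature with the trusted public key before trusting any field, then enforce the
// validity window, then require that the token was issued for the number being called.
func ValidateToken(pub *rsa.PublicKey, envelope, calledNumber string, now time.Time) (Token, error) {
	bodyB64, sigB64, ok := strings.Cut(envelope, ".")
	if !ok { return Token{}, fmt.Errorf("token has no signature part") }
	body, err := base64.StdEncoding.DecodeString(bodyB64)
	if err != nil { return Token{}, err }
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil { return Token{}, err }
	digest := sha256.Sum256(body)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Token{}, fmt.Errorf("token signature does not verify")
	}
	t, err := ParseToken(string(body))
	if err != nil { return Token{}, err }
	if now.Before(t.ValidAfter) || now.After(t.ValidUntil) {
		return t, fmt.Errorf("token not valid at %s (valid %s to %s)", now.Format(time.RFC3339), t.ValidAfter.Format(time.RFC3339), t.ValidUntil.Format(time.RFC3339))
	}
	if t.Called != calledNumber {
		return t, fmt.Errorf("token authorizes %s but the INVITE is for %s", t.Called, calledNumber)
	}
	return t, nil
}

// SlideToken rebuilds the token on slide 30 from the values visible there
// (the called number, call ID and validity window decode from its base64).
func SlideToken() Token {
	after, _ := time.Parse(time.RFC3339, "2005-05-12T18:27:59Z")
	until, _ := time.Parse(time.RFC3339, "2005-05-12T18:37:59Z")
	return Token{Version: "1", Random: "21655", Called: "7777777777", CallID: "MTExNTkxOTE3Ny45",
		TransactionID: "4785098287068543017", ValidAfter: after, ValidUntil: until}
}
```

The order of the checks matters: nothing in the body is parsed or compared until the signature has verified, so a forged or altered token never reaches the destination-matching logic. Comparing the token's called number with the number actually in the INVITE is what stops a token issued for one destination from being presented to another, and the ten-minute window on the slide bounds how long a captured token stays usable. The envelope that passes all three checks is the artefact the carrier keeps for non-repudiation (slide 11).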
Slide 31: Open Source Tools
- www.Asterisk.org
  - Asterisk includes OSP client
- www.SIPfoundry.org
  - OSP Toolkit (client)
  - OpenOSP Server (based on Apache)
  - RAMS OSP Server
- www.iptel.org
  - SIP Express Router supports OSP
- www.OpenSER.org
  - OpenSER SIP proxy supports OSP
- www.voxgratia.org
  - OSP-enabled H.323 proxy
- www.TransNexus.com
  - Free OSP server download
Slide 32: Overview I - How OSP Works
- Route discovery
- Inter-domain access control
[Diagram: Source Peer in Domain A and Destination Peer in Domain B across the IP network.]
Slide 33: Overview II - How OSP Works
[Diagram: Source Peer in Domain A and Destination Peer in Domain B across the IP network.]