SIP.edu : OpenSER in an academic environment

1
SIP.edu OpenSER in an academic environment

• OpenSER SUMMIT - VON Berlin 2006

2
Agenda

• Introduction
• INRIA
• The SIP.edu project
• SIP.edu at INRIA
• Access control with RADIUS
• Expected limitations and problems
• Future improvements

3
INRIA

• French National Institute for Research in
  Computer Science and Control
• Fundamental and applied research in various
  fields
• Networking
• Multimedia
• Software security
• Modeling living structures and mechanisms
• 5000 people in 6 locations

4
The SIP.edu project

• Started in late 2003, from an Internet2
  organization initiative
• Aims to connect academic institutions with SIP
• Two prerequisites
• A user e-mail to phone number mapping mechanism
• SIP address email address
• Integrate with an existing PBX to make non-SIP
  phones reachable
• Not necessarily IP enabled
• More than 250,000 people reachable
• MIT, Harvard University, Yale, ..

5
SIP.edu target architecture
6
SIP.edu at INRIA

• DNS SRV records to our SIP proxy
• SIP proxy OpenSER version 1.0.1
• Directory OpenLDAP
• Gathers the information for all INRIA members
• SIP PBX gateway Asterisk Cisco router
• 12 channels to the existing PBX
• PBX TENOVIS

7
SIP.edu at INRIA the picture
8
Available services

• sipfirst.last_at_inria.fr URIs that map with
  regular E.164 extensions at INRIA
• Accessible to anyone from the Internet
• sip0123456789_at_inria.fr URIs, to call external
  E.164 extensions
• Restricted to INRIAs members
• RADIUS based access control

9
Sample call flow to a numeric extension

• To initiate a call to PSTN extension 0123456789,
  Alice types sip0123456789_at_inria.fr" into her
  SIP user agent (UA)
• DNS SRV query
• Sent to INRIAs SIP proxy
• The proxy detects a numeric extension, and
  triggers the RADIUS authentication process
• The proxy re-writes the INVITE to
• INVITE sip0123456789_at_asterisk.inria.fr, which
  it sends to the Asterisk server
• Asterisk rings extension 0123456789 through the
  PSTN gateway and PBX.

10
SIP and RADIUS user password storage

• Two alternatives
• Clear text format
• Insecure
• Regular authentication database cannot be used
• Digest-HA1 MD5(usernamerealmpassword)
• User password is kept opaque to the admin
• Stored information is still sensitive
• Regular authentication database cannot be used

11
The key role of OpenSER

• Call processing logic
• Not that easy to handle but powerful
• Modular software architecture
• Many database/protocols connectors
• RADIUS, SQL, Jabber, ..
• External scripting integration
• In our SIP.edu architecture, the LDAP information
  retrieval process is a shell script launched by
  OpenSER

12
Expected limitations and problems

• NAT issues
• SPIT (SPam over IP Telephony)
• Use inter-domain TLS?
• OpenSER already addresses those issues

13
Future improvements

• Enable RADIUS authorization by implementing group
  checking
• Integrate with our Jabber based IM - presence
  solution
• Already possible with OpenSER