New Kamailio DNSSEC Module Enables Higher Security For SIP / VoIP

If you are using voice-over-IP (VoIP), and specifically the Session Initiation Protocol (SIP), how do you know if you are really connecting to the correct SIP server when you make a connection?  When you call someone, your SIP server needs to make a connection to the SIP server for the recipient – how is it sure it is reaching the correct server?

As I’ve talked about and written about in the past, one way to help with this is to use DNSSEC to validate that the information received by the SIP server from DNS is in fact accurate.  While DNSSEC support in VoIP systems has been somewhat limited to date, the great Kamailio team has added a module that provides DNSSEC support.  It will be included in the forthcoming Kamailio 4.1 release (whose development was recently frozen, so it should be available soon), but in the meantime it can be added to Kamailio installations using this tutorial:

http://www.kamailio.org/wiki/tutorials/dns/dnssec

The actual module itself can be found at:

http://kamailio.org/docs/modules/devel/modules/dnssec.html

This kind of support for DNSSEC within VoIP is great to see and will lead to more secure communications over IP in the future.  Plus, getting this kind of DNSSEC support out there now will lay the groundwork for potentially using DANE in the future to secure the certificates used in VoIP communications.

Congrats to the Kamailio team and we look forward to learning more about people using this module in the future!

P.S. See our DNSSEC and DNSSEC Basics pages to learn more about how you can get started with DNSSEC.

SIP Forum IPv6 Task Group Call – Weds, Oct 3rd, 19:00 CEST, 1:00pm US Eastern

The SIP Forum IPv6 Task Group will be having its next conference call today, October 3, 2013, at: 19:00 CEST, 18:00 BST (UK) and 1:00 pm US Eastern (and see other times). Task Group co-chair Andy Hutton sent out this agenda and call-in information:

  1. Status of the draft for developers
  2. Status of mine and Gonzalo’s draft to update RFC 3263
  3. Happy Eyeballs for SIP
    3.1. Connection oriented
    3.2. UDP
  4. IPv6 and related protocols
    4.1. MSRP
    4.2. XCAP/HTTP
    4.3. ICE/turn
    4.4. Other related protocols

Anyone is welcome to join the SIP Forum’s IPv6 mailing list and also to join in the effort.  The group is working to “evaluate current best practices and enable and promote migration to SIP over IPv6.”

It’s great to see the work they are doing because we definitely do need to have IP-based telecommunications working over IPv6!

Missed The VUC Hangout About DNSSEC and VoIP? Watch The Recording…

Interested in learning more about how DNSSEC can potentially work with VoIP?  If you missed the VoIP Users Conference (VUC) Hangout in Google+ back on May 3 where I discussed this topic, you can now watch the archive at:

It was a very enjoyable presentation and I do thank VUC host Randy Resnick for having me on the show.

I’ll note that I also have posted a set of slides about DNSSEC and VoIP, and we’ve now set up a “DNSSEC and IP Communications” page here on Deploy360 where we will continue to add resources as we become aware of them.

Next “SIP Over IPv6” Task Group Call On Thursday, June 20

For those interested in helping make Voice-over-IP (VoIP) work over IPv6, and specifically VoIP using the Session Initiation Protocol (SIP), the next conference call of the SIP Forum’s “SIP Over IPv6” Task Group happens tomorrow, Thursday, June 20, 2013, at:

19:00 Central European Summer Time
18:00 British Summer Time
13:00 US Eastern Daylight Time
10:00 US Pacific Daylight Time

The dial-in number will be +1 972 756 9798 with a conference PIN  of 009444.  Additional country-specific dial-in numbers can be found in the email announcement.

In the agenda announcement from Rifaat Shekh-Yusef the items to be discussed include:

1. draft-klatsky-dispatch-ipv6-impact-ipv4

  • Discuss the feedback and how to continue the discussion on the DISPATCH mailing list
  • Talk about the options for moving the document forward (AD sponsor vs. new WG)

2. Discuss the text for two new sections that Mohamed Boucadair provided.
(See “IPv6 Implementation Guidelines” & “IPv6/IPv4 Interworking Function: Avoid IPv6 address Leakage?” in the attached document)

  • Should these be added to this draft, which means that we are extending the scope of this draft? or
  • Should we create a separate draft?

3. Happy Eyeballs

4. Sunset4 WG
We received an email of interest from Marc Blanchet, co-chair of sunset4 wg, stating that this work is relevant to the work they are chartered to do.
Marc suggested that we socialize this work with the sunset4 wg, which I did already. He also suggested that we present this work during the coming IETF in Berlin.

We’re delighted to see this ongoing work within the SIP Forum and that several documents are now under consideration.  We do encourage anyone interested in helping SIP work over IPv6 to participate in this call and to join the SIP Forum “IPv6” mailing list for this task group.

For more information about VoIP / SIP and IPv6, please see our page on IPv6 and IP Communications.

Next SIP Forum “SIP Over IPv6” Call on January 9th

UPDATE – Jan 9, 2012: Unfortunately due to some scheduling conflicts, the call on January 9th was cancelled.  There will be discussion on the SIP Forum discussion list to determine the date of the next call.

One week from today, on January 9, the SIP Forum’s “SIP Over IPv6 Task Group” will be having its next conference call.  Andy Hutton, co-chair of the group, provided notes of the last call where discussion continued about how to move efforts forward.  As he notes, a message with an agenda and more details should be sent to the list soon (you can check the list archive).

As I wrote about before, this Task Group is an important step toward getting more Voice over IP (VoIP) communication happening over IP.  If you are interested in getting more involved, the Task Group web page explains more about what the group is doing – and the SIP Forum IPv6 mailing list is open to all to join.

Slides: SIP and IPv6 – Can They Get Along?

Last week at the SIPNOC 2012 event in Virginia, I gave a presentation about how the Session Initiation Protocol (SIP) can work with IPv6 and what some of the issues are around deployment.  I emphasized the fact that SIP works over IPv6 and then took a step back to talk about the basics of IPv6 before diving into more SIP- and VoIP-specific issues.  There was some great discussion and I learned later that a number of people took photos of my slide about SIP and NAT. 🙂

To that end, my slides about SIP and IPv6 are now available online for your viewing and/or downloading.  I did record the event on video – and at some point here I’m aiming to publish that to our YouTube account.  Meanwhile, enjoy the slides…

Speaking about IPv6 and SIP (VoIP) Next Week at SIPNOC in Virginia

How well does the Session Initiation Protocol (SIP) work with IPv6? How do current VoIP software and systems currently handle IPv6?  What does the industry need to do for SIP to thrive in an IPv6 landscape?

I’ll be exploring all those questions and much more at the “SIP Network Operators Conference (SIPNOC)” next week in Herndon, Virginia, USA.  SIPNOC is a great event sponsored by the SIP Forum that brings together network operators and many other companies all involved in actually deploying and using SIP for voice over IP. I really enjoy the event as the participants are really on the leading edge of IP communications. This year, too, the CTO of the US Federal Communications Commission (FCC), Henning Schulzrinne, will be giving what should be an interesting keynote. (And it’s not too late – you still can register to attend SIPNOC!)

As noted on the agenda, I’ll be participating in three sessions during the two-day event:

Tuesday, June 26

10:30am-11:15am: Panel Discussion: SIP Adoption and Network Security.

Along with Eric Burger of Georgetown University (and also a member of the Internet Society Board of Trustees) and Randy Layman of Vocalocity, I’ll be discussing VoIP security issues, a topic I’ve long been involved with.

11:45am-12:15pm: SIP and IPv6 – Can They Get Along?

My main session for the event. The abstract is as follows:

With World IPv6 Launch happening June 6, 2012, production IPv6 network connectivity will be available to many more businesses and individuals. Major web sites and content providers will all enable IPv6 access to their content. Consumer electronics manufacturers are committing to providing IPv6-enabled devices.

What does this mean for SIP-based real-time communications? How well does SIP work with IPv6 today? What are the challenges to deployment and what steps can be taken to overcome those challenges? What should operators and vendors consider with regard to SIP and IPv6? What software, devices and tools are available to assist? And what case studies and other information is available?

In this session Dan York will discuss all of these points and provide concrete suggestions for moving forward with SIP and IPv6. The session will also provide time for sharing of experiences and insight of the attendees. Please bring your questions, ideas and be prepared for a lively session looking at how SIP and real-time communications can work in the new IPv6-based Internet.

We’ll post slides and hopefully video after the event is over.

Wednesday, June 27

12:45pm-1:30pm: BoF: SIP and IPv6

This will be an open forum for discussion of SIP and IPv6-related issues.  At last year’s SIPNOC event the session was very well attended and there were great discussions about issues people were having, examples of where IPv6 worked well and questions people had about tools and services.  I’m hoping we get that level of participation again and that it can be a useful learning experience for all involved.

If any of you will be attending SIPNOC I look forward to meeting up with you there.

Jitsi Is The First VoIP Softphone To Support DNSSEC

With its 1.0 release last week, the Jitsi soft phone became the first VoIP client I know of to support DNSSEC. Jitsi, formerly known as the “SIP Communicator”, is available for Windows, Mac OS X or Linux from:

jitsi.org

Jitsi has a great range of features including support for voice and video calls, chat/IM, desktop sharing, conference calls, wideband audio and much more. It works with the SIP (Session Initiation Protocol) and XMPP (Jabber) protocols and connects to common services like GoogleTalk, AIM, Yahoo!Messenger, Facebook chat, etc.  It’s also free and the source code is all available.

Jitsi has supported SIP and XMPP over IPv6 for quite some time now, but with this new release adds support of DNSSEC courtesy, I learned, of some funding from the NLnet Foundation and the University of Applied Sciences and Arts Northwestern Switzerland (FHNW). The DNSSEC code itself was implemented by Ingo Bauersachs from this university.

Essentially what Jitsi now does if you enable DNSSEC is to validate the signing of the SRV records in DNS that provide the address information for the remote end of the SIP or XMPP connection.

To step back and explain a bit further, if Alice wants to call Bob (to be cliche), and she knows his SIP address is “sip:bob@example.com”, her SIP client, IP-PBX or other SIP server (depending upon configuration) is going to perform a DNS lookup on “example.com” to retrieve the relevant SRV records. These records will provide the IP address(es) of the SIP server on Bob’s side. Alice’s SIP software will then connect to those IP addresses to send the appropriate SIP INVITE to start a conversation with Bob.

But how does Alice’s software know that the SRV records retrieved from DNS are correct? How can it know that they were not tampered with?

What if she is trying to call her bank and an attacker is redirecting her to another SIP server where there is a similar call center or IVR? (Okay, leaving aside the fact that at this moment you may not be able to make SIP connections to many banks… but that is changing slowly.)

Enter DNSSEC.

If the “example.com” domain is signed via DNSSEC, including all the SRV records, then the VoIP client can validate that the SRV records are in fact correct and the connection can be made knowing that it is to the intended recipient based on the SIP address.

From a configuration point of view, there has been one more screen added to Jitsi’s preferences:

[Image: Jitsi DNSSEC preferences screen]

At this moment there is no documentation on the Jitsi site about the DNSSEC features (they are working on it… and open to any offers of assistance! ;-), but I asked Ingo Bauersachs about the configuration of the resolver. His reply was this:

Libunbound, the library Jitsi is using, is validating the DNSSEC chain, but it’s not a full resolver. Queries for DNSKEY, DS, etc. are sent to the OS’s resolver, or if configured, to the “Custom name servers”.

The option to override the OS’s default resolver is there because during development, the only servers supporting all relevant record types were from DNS-OARC and Verisign.

The choice not to use libunbound as a fully recursive resolver was performance and that it’s for one simply not the job of an application to perform recursive DNS queries.

In my own case, I’m running a local instance of DNSSEC-Trigger and that is my operating system’s default resolver. I’ll be able to perform the DNSSEC resolution without any issues. Ingo also indicated that the table at the bottom of the Preferences panel will fill up with domains as you start to connect to sites (any sites – DNSSEC-signed or not). You can then specify what the DNSSEC-related behavior is for individual domains.
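The SRV check described above, as an added example that is not Jitsi's code (Jitsi validates the chain itself with libunbound). This simpler stub-resolver variant accepts SRV targets only when the response carries the AD (Authenticated Data) flag, which assumes the resolver validates and is reached over a trusted path, such as a local one. The function names and sample responses are constructed for illustration.

```python
import struct

AD_FLAG, TYPE_SRV, CLASS_IN = 0x0020, 33, 1  # AD = "Authenticated Data" header bit

def encode_name(name):  # wire-format domain name: length-prefixed labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def read_name(msg, pos):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:                 # compression pointer
            end = pos + 2 if end is None else end
            pos = ((length & 0x3F) << 8) | msg[pos + 1]
            hops += 1
            if hops > 16: raise ValueError("compression pointer loop")
            continue
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", (pos if end is None else end)
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length

def parse_srv_response(msg):
    """Return (ad_bit, rcode, [(priority, weight, port, target), ...])."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", msg, 0)
    pos, records = 12, []
    for _ in range(qd):                           # skip the question section
        pos = read_name(msg, pos)[1] + 4
    for _ in range(an):
        pos = read_name(msg, pos)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack_from("!3H", msg, pos)
            records.append((prio, weight, port, read_name(msg, pos + 6)[0]))
        pos += rdlen
    return bool(flags & AD_FLAG), flags & 0x000F, records

def trusted_sip_targets(msg):
    """(target, port) list to connect to, or [] if the answer was not validated."""
    ad, rcode, records = parse_srv_response(msg)
    if rcode != 0 or not ad:      # SERVFAIL (bogus data) or unsigned/unvalidated
        return []
    # Ordered by priority only; RFC 2782 weighted selection is omitted here.
    return [(t, port) for _p, _w, port, t in sorted(records, key=lambda r: r[0])]

def build_response(flags, srv):
    """Constructed sample: a response to an SRV query for _sip._udp.example.com."""
    msg = struct.pack("!6H", 0x1234, flags, 1, len(srv), 0, 0)
    msg += encode_name("_sip._udp.example.com") + struct.pack("!2H", TYPE_SRV, CLASS_IN)
    for prio, weight, port, target in srv:
        rdata = struct.pack("!3H", prio, weight, port) + encode_name(target)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 300, len(rdata)) + rdata
    return msg

SRV = [(20, 0, 5060, "sip2.example.com"), (10, 0, 5060, "sip1.example.com")]
VALIDATED = build_response(0x81A0, SRV)    # QR|RD|RA|AD
UNVALIDATED = build_response(0x8180, SRV)  # same records, AD bit clear
BOGUS = build_response(0x8182, [])         # SERVFAIL, as a validator returns for bogus data
```

The same records are accepted or refused depending only on the AD flag and response code, so the decision is only as trustworthy as the resolver and the path to it.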

That’s how this all works, of course, when you have both publicly accessible SIP servers with SRV records – and DNSSEC signatures on those records. There may not be a whole lot of those sites out there quite yet, but having apps like Jitsi available will only help.

If you have a SIP- or XMPP-based VoIP or IM system (or “Unified Communications” system to use the appropriate marketing buzzwords) where you can sign your domain with DNSSEC, definitely check out Jitsi and see how it works. And as you have it working, I’d certainly love to hear from you and perhaps feature some examples in future blog posts.

The Jitsi team is also very interested in feedback and indicated that sending messages to the “dev” mailing list (and joining that list if you want) would be the best way to proceed.

I’m also personally interested in trying this out in a test environment… if you’ve got a SIP server with a domain that is DNSSEC-signed, please drop me a note as I’d like to try calling you. 🙂

Kudos to the NLnet Foundation for funding this work and to Ingo Bauersachs and the Jitsi team for implementing it all. I’m looking forward to seeing where this goes!

P.S. Wikipedia has a decent page on SRV records if you want to know more about these record types.