Session Initiation Protocol (SIP) is an application layer protocol for setting up and managing multimedia communication sessions over IP networks. It allows users to initiate, modify and terminate multimedia sessions that include voice, video and messaging applications. SIP supports mobility through proxy servers that can forward calls to a user's current location. Common security threats to SIP include registration hijacking, message modification and denial of service attacks. Recommended security mechanisms include TLS for hop-by-hop security, S/MIME for end-to-end encryption, and digest authentication.

2. INTRODUCTION
• Session Initiation Protocol (SIP) is a Requests For Comments
(RFC) of the Internet Engineering Task Force (IETF)
• First standardized in March 1999 in RFC 2543 (Obsolete)
• A second version in 2002 in RFC 3261

3. INTRODUCTION
• Today, the session initiation protocol (SIP) is the predominant
protocol for IP Telephony Signalling. This paper addresses IP
Telephony security issues - both current and future – focusing
on SIP.
• We summarize current activities regarding SIP
security, including recent developments in the research
community and standardization efforts within the IETF.

4. SIP OVERVIEW (1)
• ASCII based, signaling protocol
• Analogous to HTTP messages, SIP is a text base protocol.
• Works independent of the underlying network transmission
protocol and indifferent to media

5. SIP OVERVIEW (1)
It provides mechanisms to:
• Establish a session
• Maintain a session
• Modify and Terminate a session
• Session Initiation Protocol (SIP) is an application layer protocol, which is
used to establish, maintain and terminate multimedia session.
• These sessions may include voice, video, instant messaging.

6. SIP Components
System using SIP can be viewed in two Dimensions:
• Client/Server
• Individual Network Elements

7. SIP Components
 Client : : A client is any network element that sends SIP
requests and receives SIP responses.
 Server: A server is a network element that receives requests
in order to service them and sends back responses to those
requests.
• Example of Servers: Proxies, user agent servers, redirect
servers, and registrars.

8. SIP Components (2)
Two general categories of SIP are
 User Agent (UA): Resides in every SIP end station
 SIP Servers

9. SIP Components (2)
User Agent (UA)
Has two roles:
 SIP User Agent Client(UAC): Issues SIP requests.
 SIP User Agent Server (UAS): Receives SIP requests, and
Generates a response that accepts, rejects, or redirects the
request.

10. SIP Components (2)
SIP Servers
• Proxy Server: The proxy server is an intermediary entity that acts as both a server and a
client for the purpose of making requests on behalf of other clients. A proxy server primarily
plays the role of routing, meaning that its job is to ensure that a request is sent to another
entity closer to the targeted user.
• Redirect Server: Used during session initiation, Determine the address of the called
device, Returns this information to the calling device.
• Registrar Server: A registrar is a server that accepts REGISTER requests and places the
information it receives (the SIP address and associated IP address of the registering device) in
those requests into the location service for the domain it handles.

11. SIP Functions
Scalability
 Functionality such as proxying, redirection, location, or registration can
reside in different physical servers.
 Distributed functionality allows new processes to be added without
affecting other components.
Interoperability
 An open standard
 Can implement to communicate with other SIP based products

12. SIP Functions (2)
Mobility
• Supports user mobility by proxying and redirecting requests to a
user’s current location.
• The user can be using a PC at work, PC at home, wireless phone, IP
phone, or regular phone.
• Users must register their current location.
• Proxy servers will forward calls to the user’s current location.
• Example mobility applications include presence and call forking.

13. RELATED PROTOCOL
SIP
IPv4 / IPv6
TCP UDP
SDP
MGCP RTSP RTCP RTP RSVP
Signaling Gateway control QoS

14. SIP CAPABILITIES
• Determine location of target points – Support address resolution, name
mapping, call redirection
• Determine media capabilities – SIP uses Session Description Protocol (SDP)
for this
• Determine availability – returns a message why the remote party cannot
be contacted
• Establish a session between end points – also support mid call
changes, changes of media characteristics or codec
• Handles termination of calls – transfer of calls
• Permits interaction between devices via signalling messages

15. SIP CAPABILITIES
• INVITE: Invite a user to join a call
• ACK: Confirm that a client has received a final response to an invite
• BYE: Terminates the call between two of the users on a call
• OPTIONS: Request information on the capabilities of a Server
• CANCEL: Ends a pending Request , but doesn’t end the call
• REGISTER: Provide the map of address resolution that lets the server know the location of the users.

16. Status Codes
1xxInformational
• 100 Trying
• 180 Ringing (ringing tone
played locally)
• 181 Call is Being
Forwarded
• 182 Queued
• 183 Session progress
2xxSuccess
• 200 ok
3xx Redirection
• 300 Multiple Choices
• 301 Moved Permanently
• 302 Moved Temporarily
• 380 Alternative server
4xxClient error
• 400 Bad Request
• 401 Unauthorized
• 403 Forbidden
• 404 Not Found
• 405 Bad Method
• 415 Unsupported
Content
• 420 Bad Extensions
• 482 Detected
• 486 Busy Here
5xxServer failure
• 500 Server Internal
Error
• 501 Not
Implemented
• 503 Unavailable
• 504 Timeout
6xxGlobal Failure
• 600 Busy Everywhere
• 603 Decline
• 604 Doesn’t Exist
• 606 Not Acceptable

17. SIP Basic Call Setup

18. SIP Headers
• Session Initiation Protocol (RFC3261) for call signaling
• Header format is similar to HTTPS
• UDP Port 5060 used (recommended)
• TCP is also allowed (required for SIPS)
• Responsible for connection setup and release:
INVITE, OK, ACK, BYE, CANCEL
• Registration service for mobile user agents: REGISTER
• Uses DNS for routing (RFC3263;)

19. SIP Headers
• Session Description Protocol (RFC 2327) for parameter exchange
• Body of SIP-Messages
• Looks (a little bit) like sendmail mail queue format
• Contact address (ip address, port #) c=IN IP4 172.16.1.127
• Codec m=audio 7078 RTP/AVP 8 0 2 102 100 97 101
• (Master)Key for SRTP k=clear:geheim

20. SIP Headers (2)
INVITE sip:09611000038@202.4.97.11 SIP/2.0
Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1---
d8754z-;rport Max-Forwards: 70
Contact: <sip:09611301525@172.16.1.127:6256>
To: <sip:09611000038@202.4.97.11>
From: "09611301525"<sip:09611301525@202.4.97.11>;tag=015ccc4a
Call-ID: NGY1OGQ4NDI0OGMzMTI4MTNhY2M1ZTRkYzVlMDliMDU.
CSeq: 1 INVITE
Allow:
INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE,
INFO
Content-Type: application/sdp
Supported: replaces User-Agent: PortGo v6.8, Build 07112011
Content-Length: 474

21. Breakdown of Header
INVITE :
message type
Address of called party
SIP version used by caller
Semicolon indicates start of URI parameters
Eg:- user=phone indicates call is for a phone number and not a SIP IP address
INVITE sip:09611000038@202.4.97.11 SIP/2.0
Via:
History of message’s path through network(s)
Helps to prevent looping and ensures replies route back to originator
Indicates the used transport protocol, ip address and port of sender
Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1---
d8754z-;rport

22. SDP Headers
• Describes components of communication channel under negotiation
• Includes information about :
– Codecs
– Ports
– Streaming protocols
• Usually sent with INVITE and 200 OK in SIP based devices
• Describes how data stream is going to be support via Real Time Transport
Protocol (RTP, RFC 1889)

23. SIP & SDP Header Analysis
For INVITE sip:09611000038@202.4.97.11 SIP/2.0 details message looks like this:
202.4.100.35:6256 202.4.97.11:5060
INVITE sip:09611000038@202.4.97.11 SIP/2.0
Via: SIP/2.0/UDP 172.16.1.127:6256;branch=z9hG4bK-d8754z-64630900441c9d08-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:09611301525@172.16.1.127:6256>
To: <sip:09611000038@202.4.97.11>
From: "09611301525"<sip:09611301525@202.4.97.11>;tag=015ccc4a
Call-ID: NGY1OGQ4NDI0OGMzMTI4MTNhY2M1ZTRkYzVlMDliMDU.
CSeq: 1 INVITE
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
Content-Type: application/sdp
Supported: replaces
User-Agent: PortGo v6.8, Build 07112011
Content-Length: 474
v=0
o=- 59935706 59935706 IN IP4 172.16.1.127
s=http://www.portsip.com
c=IN IP4 172.16.1.127
t=0 0
m=audio 21006 RTP/AVP 8 0 3 121 100 9 97 101
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:121 G7221/16000
a=rtpmap:100 SPEEX/16000
a=rtpmap:9 G722/8000
a=rtpmap:97 iLBC/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=sendrecv
m=video 40180 RTP/AVP 34
a=rtpmap:34 H263/90000
a=fmtp:34 CIF=1 QCIF=1
a=sendrecv

24. Security Attacks
Signaling Layer Attacks
• SIP Registration Hijacking: Attacker impersonates a valid UA to a
registrar himself as a valid user agent. so attacker can receive calls
for a valid user.
• Impersonating a Server: When an attacker impersonates a remote
server and user agent request are served by the attacker machine.

25. Security Attacks
Signaling Layer Attacks
• SIP Message Modification: If an attacker launches a man in the
middle attack and modify a message. Then attacker could lead the
caller to connect to malicious system.
• SIP Cancel / SIP BYE attack
• SIP DOS attack: In SIP attacker creates a bogus request that
contained a fake IP address and Via field in the SIP header contains
the identity of the target host.

26. Security Solutions
Two types of security solutions
End-to End security:
• In SIP end points can ensure end-to-end security to those messages which
proxy does not read, like SDP messages could be protected using S/MIME.
• Media is transferred directly, so end-to-end security is achieved by SRTP.
Hop-by-hop security
• TLS, IPSec.

27. SIP Security Mechanisms
The SIP standard, as specified in RFC 3261 , includes several security
mechanisms:
• S/MIME: Because SIP is using MIME for message bodies, S/MIME can be
used to send authenticated and encrypted messages between user
agents.
• Digest Authentication: SIP entities sharing a secret (e.g. a password) can
authenticate each other with a challenge-response mechanism.
• TLS & IPSec: Hop-by-hop security for SIP signaling can be achieved either
on the transport layer (TLS) or on the network layer (IP sec).

28. SIP-Secure over TLS
• SIPS is like HTTPS: Is set on top of
TCP only
• Signaling over sips URI:
sips:user@example.de;transport=tc
p, Demands for TLS along the
(signaling)path.
• Server authentication via Certificate
• Client authentication (mostly) via
username/digest.
• Client authentication via Certificate
possible
• Only Hop by Hop Security
• S/MIME − secure SDP
• Data format based on S/MIME mail.
• Encryption of the SDP portion of the
SIP message
• End-to-End or Hop by Hop allowed:
Tunneled (and S/MIME encrypted)
SDP also allowed
• Supports UDP or TCP: TCP is
recommended because of UDP
fragmentation.
S/MIME − secure SDP

29. CONCLUSION
 The SIP is such a protocol, which does not have any built-in security.
This makes it more vulnerable to common VoIP attacks. In this
implementation of the SIP security threats and
countermeasures, the SIP secure model is designed to provide
security mechanisms by following the best practices for securing a
SIP based VOIP system.

30. CONCLUSION
 The intention of this paper has been to present an overview of
important challenges and current activities on SIP security.
 SIP is used to initiate IP Telephony communications. Thus, SIP
security will remain an active and interesting research area in the
near future.

31. THANK YOU
Muhammad Yeasir Arafat
Systems Engineer
Email: yeasir@dhakacom.com
yeasir08@yahoo.com
Dhakacom Limited
Dhaka, Bangladesh