Publication


Featured research published by Luca Veltri.


IEEE Network | 2002

SIP security issues: the SIP authentication procedure and its processing load

Stefano Salsano; Luca Veltri; Donald Papalilo

Session Initiation Protocol (SIP) is currently receiving much attention and seems to be the most promising candidate as a signaling protocol for the current and future IP telephony services, also becoming a real competitor to the plain old telephone service. For the realization of such a scenario, there is an obvious need to provide a certain level of quality and security, comparable to that provided by the traditional telephone systems. While the problem of QoS mostly refers to the network layer, the problem of security is strictly related to the signaling mechanisms and the service provisioning model. For this reason, at present, a very hot topic in the SIP and IP telephony standardization track is security support. In this work, the security model used by SIP is described, and the different open issues are highlighted. We focus, in particular, on the problem of authentication providing a short tutorial on the solution under standardization. The architecture of a possible commercial IP telephony service including user authentication is also described. Finally, we focus on performance issues. By means of a real testbed implementation, we provide an experimental performance analysis of the SIP security mechanisms, based on our open source Java implementation of a SIP proxy server. The performance of the server has been compared with and without security support, under various scenarios.


IEEE Network | 2002

QoS control by means of COPS to support SIP-based applications

Stefano Salsano; Luca Veltri

The COPS protocol has been designed to enable communication on the interface between the policy decision administrator and the policy enforcement devices in a policy-based networking environment. It can be recognized that on the same interface there is the need to transfer information related to the request of resource by QoS clients and for the allocation of resources by resource allocation servers (e.g., bandwidth broker) in a DiffServ network. Hence, it is sensible to add this resource allocation functionality in the COPS framework. In particular, there are at least two cases where it is sensible to use COPS. The first case is on the interface between an edge node and a resource control node for handling resource allocation in a network provider domain. The second case is on the interface between a customer (client of a QoS enabled network) and the network provider: here COPS can be used as a protocol to signal dynamic admission control requests. In this article we present the definition of a new COPS client type to support the above-mentioned functionality, then describe an application scenario where SIP-based IP telephony applications can use Diffserv-based QoS networks. Simple backward-compatible enhancements to SIP are needed to interact with COPS/Diffserv QoS. A testbed implementation of the proposed solutions is finally described.


IEEE Sensors Journal | 2015

IoT-OAS: An OAuth-Based Authorization Service Architecture for Secure Services in IoT Scenarios

Simone Cirani; Marco Picone; Pietro Gonizzi; Luca Veltri; Gianluigi Ferrari

Open authorization (OAuth) is an open protocol, which allows secure authorization in a simple and standardized way from third-party applications accessing online services, based on the representational state transfer (REST) web architecture. OAuth has been designed to provide an authorization layer, typically on top of a secure transport layer such as HTTPS. The Internet of Things (IoTs) refers to the interconnection of billions of resource-constrained devices, denoted as smart objects, in an Internet-like structure. Smart objects have limited processing/memory capabilities and operate in challenging environments, such as low-power and lossy networks. IP has been foreseen as the standard communication protocol for smart object interoperability. The Internet Engineering Task Force Constrained RESTful Environments working group has defined the constrained application protocol (CoAP) as a generic web protocol for RESTful-constrained environments, targeting machine-to-machine applications, which maps to HTTP for integration with the existing web. In this paper, we propose an architecture targeting HTTP/CoAP services to provide an authorization framework, which can be integrated by invoking an external OAuth-based authorization service (OAS). The overall architecture is denoted as IoT-OAS. We also present an overview of significant IoT application scenarios. The IoT-OAS architecture is meant to be flexible, highly configurable, and easy to integrate with existing services. Among the advantages achieved by delegating the authorization functionality, IoT scenarios benefit by: 1) lower processing load with respect to solutions, where access control is implemented on the smart object; 2) fine-grained (remote) customization of access policies; and 3) scalability, without the need to operate directly on the device.


Computer Networks | 2013

Information centric networking over SDN and OpenFlow: Architectural aspects and experiments on the OFELIA testbed

Stefano Salsano; Nicola Blefari-Melazzi; Andrea Detti; Giacomo Morabito; Luca Veltri

Information Centric Networking (ICN) is a new networking paradigm in which the network provides users with content instead of communication channels between hosts. Software Defined Networking (SDN) is an approach that promises to enable the continuous evolution of networking architectures. In this paper we propose and discuss solutions to support ICN by using SDN concepts. We focus on an ICN framework called CONET, which grounds its roots in the CCN/NDN architecture and can interwork with its implementation (CCNx). Although some details of our solution have been specifically designed for the CONET architecture, its general ideas and concepts are applicable to a class of recent ICN proposals, which follow the basic mode of operation of CCN/NDN. We approach the problem in two complementary ways. First we discuss a general and long term solution based on SDN concepts without taking into account specific limitations of SDN standards and equipment. Then we focus on an experiment to support ICN functionality over a large scale SDN testbed based on OpenFlow, developed in the context of the OFELIA European research project. The current OFELIA testbed is based on OpenFlow 1.0 equipment from a variety of vendors, therefore we had to design the experiment taking into account the features that are currently available on off-the-shelf OpenFlow equipment.


International Conference on Communications | 2012

Supporting information-centric functionality in software defined networks

Luca Veltri; Giacomo Morabito; Stefano Salsano; Nicola Blefari-Melazzi; Andrea Detti

The Information-Centric Networking (ICN) paradigm is expected to be one of the major innovations of the Future Internet. An ICN can be characterized by some key components like: (i) the content-centric request/reply paradigm for data distribution, (ii) route-by-name operations, and (iii) in-network caching. In this paper we focus on a framework for ICN called CONET (COntent NETwork) and in particular on a solution devised under this framework called coCONET. coCONET characteristics make it suitable for deployment in accordance with the Software Defined Networks (SDN) philosophy. In this paper, we will describe how coCONET can be implemented over an OpenFlow (the most popular SDN instantiation, to date) network and how OpenFlow should be modified to better suit the operations of coCONET and, more in general, of ICN solutions.


IEEE Wireless Communications | 2008

SIP-based mobility management in next generation networks

Stefano Salsano; Andrea Polidoro; Chiara Mingardi; Saverio Niccolini; Luca Veltri

The ITU-T definition of next generation networks includes the ability to make use of multiple broadband transport technologies and to support generalized mobility. Next generation networks must integrate several IP-based access technologies in a seamless way. In this article, we first describe the requirements of a mobility management scheme for multimedia real-time communication services; then, we report a survey of the mobility management schemes proposed in the recent literature to perform vertical handovers between heterogeneous networks. Based on this analysis, we propose an application-layer solution for mobility management that is based on the SIP protocol and satisfies the most important requirements for a proper implementation of vertical handovers. We also implemented our proposed solution, testing it in the field, and proving its overall feasibility and its interoperability with different terminals and SIP servers.


International Conference on Communications | 1999

Supporting RSVP in a differentiated service domain: an architectural framework and a scalability analysis

Andrea Detti; Marco Listanti; Stefano Salsano; Luca Veltri

This paper analyzes a framework to offer reservation of resources and QoS guarantees according to the resource reservation protocol (RSVP) paradigm in a network cloud that supports a differentiated services architecture. The key elements are: intelligent edge devices; a flow admission and resource allocation method involving an admission control server; “simple” core routers based on the differentiated services model. The main functionality of a client/server protocol between the edge devices and the admission control server, called simple admission control protocol, is described. The proposed framework is referred to as admission control server based resource allocation. Scalability is analyzed and compared with RSVP approach.


Algorithms | 2013

Enforcing Security Mechanisms in the IP-Based Internet of Things: An Algorithmic Overview

Simone Cirani; Gianluigi Ferrari; Luca Veltri

The Internet of Things (IoT) refers to the Internet-like structure of billions of interconnected constrained devices, denoted as “smart objects”. Smart objects have limited capabilities, in terms of computational power and memory, and might be battery-powered devices, thus raising the need to adopt particularly energy efficient technologies. Among the most notable challenges that building interconnected smart objects brings about, there are standardization and interoperability. The use of IP has been foreseen as the standard for interoperability for smart objects. As billions of smart objects are expected to come to life and IPv4 addresses have eventually reached depletion, IPv6 has been identified as a candidate for smart-object communication. The deployment of the IoT raises many security issues coming from (i) the very nature of smart objects, e.g., the adoption of lightweight cryptographic algorithms, in terms of processing and memory requirements; and (ii) the use of standard protocols, e.g., the need to minimize the amount of data exchanged between nodes. This paper provides a detailed overview of the security challenges related to the deployment of smart objects. Security protocols at network, transport, and application layers are discussed, together with lightweight cryptographic algorithms proposed to be used instead of conventional and demanding ones, in terms of computational resources. Security aspects, such as key distribution and security bootstrapping, and application scenarios, such as secure data aggregation and service authorization, are also discussed.


International Conference on Communications | 2006

Wireless LAN-3G Integration: Unified Mechanisms for Secure Authentication based on SIP

Luca Veltri; Stefano Salsano; Gianluca Martiniello

In WLANs, secure access can be provided operating at link layer, at network layer (IP) or at application level, and several solutions have been implemented in current public/private access networks; however most of them are proprietary and the interworking between different operators is still an open issue. At the same time, the 3GPP is working on integrating the WLAN access with the rest of 3GPP/UMTS network infrastructure. In this paper we propose a generic layer-two-independent open solution for secure authentication in a heterogeneous wireless access scenario based on 3G SIM credentials and on the SIP protocol. The solution follows the 3G specification for the authentication in the IMS, with the only addition of a new parameter in a specific header of the SIP protocol. Therefore the security infrastructure of the 3G networks can be fully reused also in scenarios in which the visited network does not provide 3G services. The proposed solution has been implemented in a testbed in which UMTS, 802.11, and Bluetooth have been used as access technologies.


International Conference on Software, Telecommunications and Computer Networks | 2014

Lightweight multicast forwarding for service discovery in low-power IoT networks

Mattia Antonini; Simone Cirani; Gianluigi Ferrari; Paolo Medagliani; Marco Picone; Luca Veltri

The Internet of Things (IoT) will interconnect billions of devices (denoted as “Smart Objects,” SOs) in an IP-based Internet-like structure. SOs are typically sensor/actuator-equipped devices with severe constraints on processing capabilities, available RAM/ROM, and energy consumption. In a context with billions of deployed SOs, it is important that the SOs are able to self-configure and adapt to the surrounding environment with minimal, if any, external human intervention. Among the service discovery mechanisms proposed in the literature for deploying SOs without any prior knowledge, Zeroconf represents a good candidate to automate service and resource discovery in local constrained environments. In this paper, we propose a lightweight forwarding algorithm for efficient multicast support in Low-power and Lossy Networks (LLNs) targeting service discovery for duty-cycled SOs. Among the advantages achieved by the proposed solution, SOs might benefit from a smaller memory footprint with respect to those required by other multicast implementations. The performance of the proposed forwarding algorithm is evaluated through Contiki-based nodes in the Cooja simulator.

Collaboration


Dive into Luca Veltri's collaboration.

Top Co-Authors

Stefano Salsano

University of Rome Tor Vergata

Andrea Polidoro

University of Rome Tor Vergata

Andrea Detti

University of Rome Tor Vergata

Marco Listanti

Sapienza University of Rome
