VoIP Demystified: SIP
Wes Brown, Matasano 2008-10-03

This is the first in a series of posts covering VoIP.

There are two separate components to most VoIP implementations:

  • Signalling, which is communicating call setup and details. (Ex: SIP, H.323)
  • Session, which carries the actual media stream and conversation itself. (Ex: RTP)

There are also master/slave protocols that incorporate signalling, but directly control the client hardware or software. With this, the handset or softphone is a dumb terminal where keypresses are sent directly to the host which controls the display and indicator lights. Examples include Nortel’s UNISTIM, and Cisco’s Skinny Client Control Protocol (SCCP).

With this in mind, we can classify VoIP endpoint philosophies as follows:

  • Peer to peer - with more intelligence in the phone itself, and using SIP or H.323, the phone can negotiate and initiate calls on its own.
  • Dumb endpoints - calls are initiated and negotiated on behalf of the endpoint by the controlling host, the PBX.

In this post, I am going to be focusing on and attempting to distill the essentials of SIP, demystifying it for the security audience who wishes to work with it.

How VoIP Saved The Day

One day, Mario was on his way to visit Princess Peach at her invitation. He saw her standing outside of the Warp Pipe that led to her Castle. He waved at her. She waved back.

And then, oh no! Bowser’s minions snatched her away!

But fortunately, the Mushroom Kingdom was recently wired for WiFi. So Mario whips out his wireless SIP phone. He calls Toadstool, Peach’s loyal servant. Toadstool is on the local wireless network. Mario pushes the speed dial button for Toadstool, which has Toadstool’s domain name.

DNS Resolution

Once this has been resolved to an IP address, SIP handshaking happens. SIP is transport independent but is usually carried over UDP. SIP messages are text based, on the theory that text is easier to monitor and diagnose; the messaging is stateless and very much like HTTP.

Simple SIP Handshake

First, Mario’s phone sends a SIP INVITE packet to Toadstool’s phone. It includes all the details on who is calling, including how to contact the caller: the caller's address and ports. Toadstool’s phone responds with a ‘100 Trying’ and then a ‘180 Ringing’ message. When Toadstool answers the phone, it sends a ‘200 OK’ message. When Mario’s phone receives the OK message, it sends an ACK back. Once this happens, voice on each end is sent to the other via RTP over UDP using the IP and ports set up in advance during the SIP transactions.
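The exchange just described, as an added example that is not code from the original post: a minimal SIP message parser plus a state machine that walks INVITE, 100 Trying, 180 Ringing, 200 OK and ACK in order and pulls the RTP address and port each side announces out of its SDP body. Every host, port, URI and the Call-ID below is a constructed sample value.

```python
# Added example, not code from the original post: a minimal SIP message parser and
# a state machine that walks the INVITE / 100 / 180 / 200 / ACK exchange described
# above, pulling the RTP address and port each side announces out of the SDP body.
# All hosts, ports, URIs and the Call-ID below are constructed sample values.

CRLF = "\r\n"

def parse_sip(raw):
    """Split a SIP message into (start_line, headers, body).

    Headers come back as a dict keyed by lower-cased name (last occurrence
    wins, which is fine for the single-valued headers used here).
    """
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def classify(start_line):
    """Return ("request", METHOD) for a request, ("response", code) for a response."""
    if start_line.startswith("SIP/2.0 "):
        return "response", int(start_line.split(" ", 2)[1])
    return "request", start_line.split(" ", 1)[0]

def rtp_endpoint(sdp):
    """Return (ip, port) of the audio stream advertised in an SDP body."""
    ip = port = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line[len("c=IN IP4 "):].strip()
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return ip, port

# Allowed order of events for the simple call setup; 100 Trying may be skipped.
TRANSITIONS = {
    ("idle",     ("request", "INVITE")): "inviting",
    ("inviting", ("response", 100)):     "trying",
    ("inviting", ("response", 180)):     "ringing",
    ("trying",   ("response", 180)):     "ringing",
    ("ringing",  ("response", 200)):     "answered",
    ("answered", ("request", "ACK")):    "established",
}

def run_handshake(messages):
    """Feed raw SIP messages through the state machine in order.

    Returns (final_state, caller_rtp, callee_rtp); raises ValueError on an
    out-of-order message or a Call-ID that does not match the INVITE's.
    """
    state, call_id, caller_rtp, callee_rtp = "idle", None, None, None
    for raw in messages:
        start, headers, body = parse_sip(raw)
        kind = classify(start)
        if call_id is None:
            call_id = headers.get("call-id")
        elif headers.get("call-id") != call_id:
            raise ValueError("Call-ID mismatch: %r" % headers.get("call-id"))
        nxt = TRANSITIONS.get((state, kind))
        if nxt is None:
            raise ValueError("unexpected %r in state %r" % (kind, state))
        if kind == ("request", "INVITE"):
            caller_rtp = rtp_endpoint(body)   # caller's media address, from the INVITE
        elif kind == ("response", 200):
            callee_rtp = rtp_endpoint(body)   # callee's media address, from the 200 OK
        state = nxt
    return state, caller_rtp, callee_rtp

def is_valid_handshake(messages):
    """True if the messages form a complete, in-order call setup."""
    try:
        return run_handshake(messages)[0] == "established"
    except ValueError:
        return False

def msg(start, headers, body=""):
    """Assemble a SIP message with a correct Content-Length."""
    hdrs = headers + [("Content-Length", str(len(body)))]
    return start + CRLF + CRLF.join("%s: %s" % h for h in hdrs) + CRLF + CRLF + body

# Constructed sample exchange: Mario (10.0.0.10) calls Toadstool (10.0.0.20).
CALL_ID = "a84b4c76e66710@10.0.0.10"
COMMON = [("Via", "SIP/2.0/UDP 10.0.0.10:5060"), ("Call-ID", CALL_ID),
          ("From", "<sip:mario@mushroom.example>;tag=1928"),
          ("To", "<sip:toadstool@mushroom.example>"), ("CSeq", "1 INVITE")]
SDP_MARIO = "v=0\r\no=mario 1 1 IN IP4 10.0.0.10\r\ns=-\r\nc=IN IP4 10.0.0.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n"
SDP_TOAD = "v=0\r\no=toad 2 2 IN IP4 10.0.0.20\r\ns=-\r\nc=IN IP4 10.0.0.20\r\nt=0 0\r\nm=audio 3456 RTP/AVP 0\r\n"
HANDSHAKE = [
    msg("INVITE sip:toadstool@mushroom.example SIP/2.0", COMMON + [("Content-Type", "application/sdp")], SDP_MARIO),
    msg("SIP/2.0 100 Trying", COMMON),
    msg("SIP/2.0 180 Ringing", COMMON),
    msg("SIP/2.0 200 OK", COMMON + [("Content-Type", "application/sdp")], SDP_TOAD),
    msg("ACK sip:toadstool@mushroom.example SIP/2.0", COMMON[:-1] + [("CSeq", "1 ACK")]),
]

if __name__ == "__main__":
    print(run_handshake(HANDSHAKE))   # ('established', ('10.0.0.10', 49170), ('10.0.0.20', 3456))
```

The state table is the useful part for monitoring: a message that arrives in a state where it is not expected (an ACK with no INVITE, a second INVITE mid-call, a response carrying a different Call-ID) is rejected rather than silently accepted, which is exactly the sort of check a SIP-aware firewall or IDS applies to the text it sees on the wire.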

“Oh, no!” cried Mario to Toadstool, “Bowser’s minions kidnapped Princess Peach!”

“Again?! We have to teach her how to defend herself. She just hasn’t been herself since Super Mario Brothers 2,” replied Toadstool, “I’ll round everyone up. Luigi is away at the Mario Kart Racing Track though.”

“All right! I’ll call him,” replied Mario to Toadstool and then hung up.

Now, for those of you readers who are rooting for Bowser, was he smart enough to realize that you can spoof UDP packets and CANCEL a call before Toadstool could answer? Or did he understand that SIP packets can be intercepted on a local network, and he could set himself up as the man in the middle? Unfortunately for those of you inclined to cheer for the villain, he is a giant turtle of habit. Body snatching and sending minions out is the extent of his technique.

A pity, for if he had sent out countless INVITE packets on the Mushroom Kingdom network, he could have shut down the entire phone system and gotten away clean with Princess Peach.
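From the defender's side, both of the abuses above leave traces in signalling logs. The following is an added example, not code from the original post: a small detector that flags a CANCEL arriving from a host other than the one that sent the matching INVITE, and a source that sends more INVITEs in a short window than any phone would. The log line format, the hosts, the Call-IDs and the thresholds are all constructed for illustration.

```python
# Added example, not code from the original post: simple detection logic for the
# two abuses described above, a CANCEL that does not come from the caller and an
# INVITE flood, run over constructed signalling log lines. The log format, hosts,
# Call-IDs and thresholds are all made up for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

INVITE_LIMIT = 5                        # more INVITEs than this from one source ...
INVITE_WINDOW = timedelta(seconds=10)   # ... within this window raises an alert

def parse_log_line(line):
    """Parse 'TIMESTAMP SRC -> DST METHOD call-id=ID' into a dict."""
    ts, src, _, dst, method, cid = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "method": method, "call_id": cid.split("=", 1)[1]}

def detect(lines):
    """Return (timestamp, rule, source) alerts, at most one flood alert per source."""
    alerts, flooded = [], set()
    recent = defaultdict(deque)   # src -> timestamps of its INVITEs inside the window
    invite_src = {}               # call_id -> source that sent the INVITE
    for line in lines:
        ev = parse_log_line(line)
        if ev["method"] == "INVITE":
            invite_src.setdefault(ev["call_id"], ev["src"])
            q = recent[ev["src"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > INVITE_WINDOW:   # drop INVITEs older than the window
                q.popleft()
            if len(q) > INVITE_LIMIT and ev["src"] not in flooded:
                flooded.add(ev["src"])
                alerts.append((ev["ts"], "invite-flood", ev["src"]))
        elif ev["method"] == "CANCEL":
            origin = invite_src.get(ev["call_id"])
            if origin is not None and origin != ev["src"]:
                alerts.append((ev["ts"], "cancel-source-mismatch", ev["src"]))
    return alerts

# Constructed log: one CANCEL from a host that never sent the INVITE, one
# legitimate CANCEL, then seven INVITEs from one host in seven seconds.
SAMPLE_LOG = [
    "2008-10-03T12:00:00 10.0.0.10 -> 10.0.0.20 INVITE call-id=c1",
    "2008-10-03T12:00:01 10.0.0.66 -> 10.0.0.20 CANCEL call-id=c1",
    "2008-10-03T12:00:02 10.0.0.10 -> 10.0.0.20 INVITE call-id=c2",
    "2008-10-03T12:00:03 10.0.0.10 -> 10.0.0.20 CANCEL call-id=c2",
] + ["2008-10-03T12:00:%02d 10.0.0.66 -> 10.0.0.20 INVITE call-id=f%d" % (5 + i, i)
     for i in range(7)]

if __name__ == "__main__":
    for ts, rule, src in detect(SAMPLE_LOG):
        print(ts.isoformat(), rule, src)
```

The source check only catches a CANCEL that really does come from another host; a CANCEL whose UDP source address has been forged to match the caller's passes it, which is why the post's point about spoofable UDP matters and why a log-based rule is a complement to, not a substitute for, authenticating the signalling itself. The flood threshold is a placeholder; tune it against the call rate a real phone or trunk actually produces.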

Since Luigi was outside the Cloud Kingdom, when Mario dialed for Luigi, his phone talked to the Mushroom Kingdom SIP Proxy.

Proxy SIP Handshake

The SIP Proxy does resolution for the address provided, which was luigi@mushroom. When Luigi went to the Mario Kart Racetrack, his phone registered itself with the Mushroom Kingdom SIP Proxy. When it registered, it told the proxy its IP address and how to contact it.

So when Mario called Luigi, the SIP proxy resolved the address using Luigi’s REGISTER information. The standard SIP handshake is passed back and forth. Where it gets complicated is the RTP streams. The Mushroom Kingdom could be using a STUN server as well. Or their infrastructure could be SIP aware, and open ports accordingly on the Mushroom Kingdom firewall.

“Luigi!” Mario exclaimed and could hear his brother’s kart roaring, “Princess Peach has been kidnapped by Bowser!” And with that, Luigi veered off the race track in pursuit of Bowser’s minions.

Those that are more fond of turtles than plumbers would be saddened to note that Bowser could have impersonated Luigi on the SIP proxy if he had stolen his credentials. Or Bowser could have spoofed Luigi’s IP address, and Mario’s brother would have kept racing on.
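To make the REGISTER step and the credential point concrete, here is an added example that is not code from the original post: a toy registrar that binds luigi to the Contact his phone reports, challenges every REGISTER with a digest (the RFC 3261 scheme, which is the MD5 digest of RFC 2617) so that a phone without the password cannot replace that binding, and a resolve() that does what the proxy does for luigi@mushroom. The realm, user, password, nonces and addresses are constructed values, and the REGISTER message itself is passed in as an already-parsed header dict rather than raw text.

```python
# Added example, not code from the original post: a toy registrar and the proxy
# lookup the paragraphs above describe. A REGISTER binds the user (luigi) to a
# Contact address; the registrar challenges each REGISTER with an RFC 3261 digest
# (MD5, as in RFC 2617) so that a phone without the password cannot take over the
# binding. Realm, users, passwords, nonces and addresses are constructed values.
import hashlib
import hmac
import os
import time

REALM = "mushroom"                  # constructed
USERS = {"luigi": "kart-secret"}    # constructed; a real registrar stores HA1, not passwords

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, password, realm, nonce, method, uri):
    """The 'response' value a client puts in its Authorization header."""
    ha1 = md5hex("%s:%s:%s" % (user, realm, password))
    ha2 = md5hex("%s:%s" % (method, uri))
    return md5hex("%s:%s:%s" % (ha1, nonce, ha2))

class Registrar:
    def __init__(self):
        self.bindings = {}   # address-of-record -> (contact URI, expiry time)
        self.nonces = set()  # outstanding, not-yet-used challenges

    def challenge(self):
        nonce = os.urandom(16).hex()
        self.nonces.add(nonce)
        return {"status": 401,
                "WWW-Authenticate": 'Digest realm="%s", nonce="%s"' % (REALM, nonce)}

    def register(self, aor, contact, auth=None, expires=3600, now=None):
        """Handle a REGISTER for `aor`. `auth` is the parsed Authorization header
        (username, nonce, uri, response) or None on the first, unauthenticated try."""
        now = time.time() if now is None else now
        if auth is None:
            return self.challenge()
        if auth["nonce"] not in self.nonces or auth["username"] != aor:
            return {"status": 403}
        self.nonces.discard(auth["nonce"])   # each nonce is accepted once
        expected = digest_response(aor, USERS.get(aor, ""), REALM,
                                   auth["nonce"], "REGISTER", auth["uri"])
        if aor not in USERS or not hmac.compare_digest(auth["response"], expected):
            return {"status": 403}
        self.bindings[aor] = (contact, now + expires)
        return {"status": 200, "Contact": contact}

    def resolve(self, aor, now=None):
        """What the proxy does for luigi@mushroom: return the live Contact, or None."""
        now = time.time() if now is None else now
        binding = self.bindings.get(aor)
        if binding is None or binding[1] <= now:
            return None
        return binding[0]

def nonce_from(challenge):
    return challenge["WWW-Authenticate"].split('nonce="')[1].rstrip('"')

def demo():
    """Luigi registers from the racetrack; a phone without his password cannot."""
    reg, uri = Registrar(), "sip:mushroom"
    luigi, impostor = "sip:luigi@10.0.0.30:5060", "sip:luigi@10.0.0.66:5060"
    # Luigi's phone: the first REGISTER is challenged, the retry carries the digest.
    nonce = nonce_from(reg.register("luigi", luigi))
    ok = reg.register("luigi", luigi, now=1000, auth={
        "username": "luigi", "nonce": nonce, "uri": uri,
        "response": digest_response("luigi", "kart-secret", REALM, nonce, "REGISTER", uri)})
    # Another phone tries to bind luigi to its own address with a guessed password.
    nonce = nonce_from(reg.register("luigi", impostor))
    refused = reg.register("luigi", impostor, now=1001, auth={
        "username": "luigi", "nonce": nonce, "uri": uri,
        "response": digest_response("luigi", "guess", REALM, nonce, "REGISTER", uri)})
    return (ok["status"], refused["status"],
            reg.resolve("luigi", now=1002),         # what Mario's call is routed to
            reg.resolve("luigi", now=1000 + 3601))  # binding has expired by then

if __name__ == "__main__":
    print(demo())   # (200, 403, 'sip:luigi@10.0.0.30:5060', None)
```

Two things worth noticing: the nonce is single-use, so a captured Authorization header cannot simply be replayed to re-register, and the binding expires, so a phone has to keep refreshing it. Neither helps once the password itself has been stolen, which is exactly the case the paragraph above describes; that is a credential-handling problem, not a protocol one.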

Using the superior communications network, they were able to catch up with Bowser’s koopas and jump on their heads. Mario was rewarded by a kiss from Princess Peach!

The End

I hope you enjoyed reading the story as much as I enjoyed writing it. I hope that this will clarify SIP for some of my readers, and open your eyes as to some of the attack vectors inherent in SIP.

All characters and places used are copyrighted by Nintendo.

The background sprites are credited to GordonBlazin@aol.com

The character sprites are credited to davidjclarke@gmail.com


Copyright 2008, SecurityFocus