OpenSIPIt#01 Day 2 Update

After a great start with RFC8760, attention turned to STIR/SHAKEN with Liviu Chircu, from the OpenSIPS project, taking the lead and making a short presentation during the planning session…
Being the amazing guy he is, Liviu even managed to type up some brief notes from Day 1 and Day 2 activities, which I am pleased to reproduce here:

Day 1: RFC 8760 testing
* RFC 8760 bolsters the security of SIP by extending the protocol with support for
stronger digest algorithms. The newly added digests are SHA-256 and SHA-512/256,
both on 256 bits, complementing the old and rotting MD5 signature, which is 128 bits only.
* Teams which provided UAS (server) implementation: Sippy, OpenSIPS, FS
* Teams which had a UAC (client) implementation: Sippy, OpenSIPS, FS, Sipvicious
* Teams which helped with testing: Asterisk + above
* Issues discovered:
  - sipp is still unable to correctly process more than one WWW-Authenticate header (RFC 8760)
  - FreeSWITCH was still choosing MD5, instead of stronger hashing (fixed live)
  - sipp with MD5-sess algorithm does not work (classic RFC 3261 support, outside 8760)
  - OpenSIPS had a minor issue in the digest implementation which was fixed live

Day 2: STIR/SHAKEN testing
* Using STIR/SHAKEN, service providers can add a digital signature to each call using
public/private key cryptography, thus guaranteeing that they own the source number (calling
identity). This signature comes in the form of the newly added Identity header.
* The objective was to interop across teams and see whether the Identity header generated by
one team would get accepted (validated) by the other teams.
* The teams used a fictive STI-CA (Certification Authority) which everyone added to their trust
chain. Next, the CA signed STIR/SHAKEN certificates for each team.
* Teams which provided VS (verification service) capabilities: FS, Kamailio, OSIPS, Sippy
* Teams which provided AS (authentication service) capabilities: Kam, sipfront, OSIPS, Sippy, Sipvicious
* Teams which helped with testing: Asterisk + sipp (sipfront) + above
* Issues discovered:
  - special care when extracting the caller identity (display name vs. From username)
  - special care when extracting the callee identity (display name vs. To username vs. Request-URI username)
  - crashes due to malformed Identity header payloads (fixed live)
  - lots of issues/quirks around the Date header field (now mandatory):
    * bad formatting (missing comma, GMT (good) vs. UTC (bad))
    * localization issues (Mi (bad) vs. Wed (good))
    * some teams forgot to build it at all
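
The Date header quirks listed in the Day 2 notes, as an added example (not part of Liviu's notes or of any team's code): a Python sketch that builds the SIP Date value from fixed English tables instead of locale-dependent formatting, plus a strict checker run over constructed samples of each reported mistake. The function names and sample values are assumptions made for this illustration; the target format is the RFC 3261 SIP-date (an RFC 1123 date, GMT only).

```python
import re
from datetime import datetime, timezone

# Fixed English tokens: strftime("%a"/"%b") follows the process locale ("Mi" for Wed).
WKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
# Deliberately loose on weekday, comma and zone so each mistake can be named.
LOOSE = re.compile(
    r"(?P<wk>[^\s,]+)(?P<comma>,?) (?P<d>\d{2}) (?P<mon>\S+) (?P<y>\d{4}) "
    r"(?P<h>\d{2}):(?P<mi>\d{2}):(?P<s>\d{2}) (?P<tz>\S+)")

def format_sip_date(dt):
    """Render a timezone-aware datetime as a SIP Date value (always GMT)."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: time zone unknown")
    dt = dt.astimezone(timezone.utc)
    return (f"{WKDAYS[dt.weekday()]}, {dt.day:02d} {MONTHS[dt.month - 1]} "
            f"{dt.year:04d} {dt.hour:02d}:{dt.minute:02d}:{dt.second:02d} GMT")

def check_sip_date(value):
    """Return (parsed datetime or None, list of problems found)."""
    m = LOOSE.fullmatch(value)
    if m is None:
        return None, ["does not look like an RFC 1123 date"]
    problems = []
    if not m["comma"]:
        problems.append("missing comma after weekday")
    if m["tz"] != "GMT":
        problems.append("time zone must be the literal GMT")
    if m["wk"] not in WKDAYS:
        problems.append("weekday is not an English abbreviation")
    if m["mon"] not in MONTHS:
        return None, problems + ["month is not an English abbreviation"]
    try:
        dt = datetime(int(m["y"]), MONTHS.index(m["mon"]) + 1, int(m["d"]),
                      int(m["h"]), int(m["mi"]), int(m["s"]), tzinfo=timezone.utc)
    except ValueError:
        return None, problems + ["day or time out of range"]
    if m["wk"] in WKDAYS and m["wk"] != WKDAYS[dt.weekday()]:
        problems.append("weekday does not match the date")
    return (None if problems else dt), problems

# Constructed samples: one good value, then one per mistake listed in the notes.
SAMPLES = ["Wed, 16 Sep 2020 10:00:00 GMT", "Wed 16 Sep 2020 10:00:00 GMT",
           "Wed, 16 Sep 2020 10:00:00 UTC", "Mi, 16 Sep 2020 10:00:00 GMT"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", check_sip_date(s)[1] or "ok")
```
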
As you can see, there has been a lot going on!
Stay tuned for further updates and remember to check out the Sippy Labs YouTube channel for #OpenSIPIT livestreams and recordings.