OpenSIPIt#01 Day 2 Update
After a great start with RFC8760, attention turned to STIR/SHAKEN with Liviu Chircu, from the OpenSIPS project, taking the lead and making a short presentation during the planning session…
Being the amazing guy he is, Liviu even managed to type up some brief notes from Day 1 and Day 2 activities, which I am pleased to reproduce here:
Day 1: RFC 8760 testing
* RFC 8760 bolsters the security of SIP by extending the protocol with support for stronger digest algorithms. The newly added digests are SHA-256 and SHA-512/256, both on 256 bits, complementing the old and rotting MD5 signature, which is 128 bits only.
* Teams which provided UAS (server) implementation: Sippy, OpenSIPS, FS
* Teams which had a UAC (client) implementation: Sippy, OpenSIPS, FS, Sipvicious
* Teams which helped with testing: Asterisk + above
* Issues discovered:
  - sipp is still unable to correctly process more than 1 WWW-Authenticate headers (RFC 8760)
  - FreeSWITCH was still choosing MD5, instead of stronger hashing (fixed live)
  - sipp with MD5-sess algorithm does not work (classic RFC 3261 support, outside 8760)
  - OpenSIPS had a minor issue in the digest implementation which was fixed live

Day 2: STIR/SHAKEN testing
* Using STIR/SHAKEN, service providers can add a digital signature to each call using public/private key cryptography, thus guaranteeing that they own the source number (calling identity). This signature comes in the form of the newly added Identity header.
* The objective was to interop across teams and see whether the Identity header generated by one team would get accepted (validated) by the other teams.
* The teams used a fictive STI-CA (Certification Authority) which everyone added to their trust chain. Next, the CA signed STIR/SHAKEN certificates for each team.
* Teams which provided VS (verification service) capabilities: FS, Kamailio, OSIPS, Sippy
* Teams which provided AS (authentication service) capabilities: Kam, sipfront, OSIPS, Sippy, Sipvicious
* Teams which helped with testing: Asterisk + sipp (sipfront) + above
* Issues discovered:
  - special care when extracting the caller identity (display name vs. From username)
  - special care when extracting the callee identity (display name vs. To username vs. Request-URI username)
  - crashes due to malformed Identity header payloads (fixed live)
  - lots of issues/quirks around the Date header field (now mandatory):
    * bad formatting (missing comma, GMT (good) vs. UTC (bad))
    * localization issues (Mi (bad) vs. Wed (good))
    * some teams forgot to build it at all
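The Date header quirks in the Day 2 notes can be caught with a small builder and checker. The following is an added example, not code from the notes or from any participating project; it assumes the RFC 3261 SIP-date form (English weekday, comma, GMT), and the function names and sample values are constructed for illustration.

```python
import re
from datetime import datetime, timezone

WKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")

# Deliberately looser than the grammar so each quirk gets its own diagnosis.
LOOSE_DATE = re.compile(
    r"^(?P<wkday>[^\s,]+)(?P<comma>,?) (?P<day>\d{2}) (?P<mon>\S+) (?P<year>\d{4}) "
    r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) (?P<zone>\S+)$")


def build_sip_date(dt):
    """Format an aware datetime as a SIP-date. No strftime, so the process
    locale cannot leak into the weekday or month name."""
    if dt.tzinfo is None:
        raise ValueError("need a timezone-aware datetime")
    dt = dt.astimezone(timezone.utc)
    return "%s, %02d %s %04d %02d:%02d:%02d GMT" % (
        WKDAYS[dt.weekday()], dt.day, MONTHS[dt.month - 1], dt.year,
        dt.hour, dt.minute, dt.second)


def check_sip_date(value):
    """Return a list of problems; an empty list means the value is well-formed."""
    if value is None:
        return ["Date header missing"]
    m = LOOSE_DATE.match(value.strip())
    if m is None:
        return ["unparseable Date value"]
    problems = []
    if not m["comma"]:
        problems.append("missing comma after weekday")
    if m["zone"] != "GMT":
        problems.append("zone must be GMT, got " + m["zone"])
    if m["wkday"] not in WKDAYS:
        problems.append("weekday not an English abbreviation: " + m["wkday"])
    if m["mon"] not in MONTHS:
        return problems + ["month not an English abbreviation: " + m["mon"]]
    try:
        dt = datetime(int(m["year"]), MONTHS.index(m["mon"]) + 1, int(m["day"]),
                      int(m["hh"]), int(m["mm"]), int(m["ss"]))
    except ValueError:
        return problems + ["invalid calendar date or time"]
    if m["wkday"] in WKDAYS and WKDAYS[dt.weekday()] != m["wkday"]:
        problems.append("weekday does not match the date")
    return problems
```

Running the checker over both the Date values a stack emits and the ones it receives separates formatting faults from genuine signature or freshness failures during interop.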
As you can see, there has been a lot going on!
Stay tuned for further updates and remember to check out the Sippy Labs YouTube channel for #OpenSIPIT livestreams and recordings.