Authentication of SIP and RTP traffic

US 7,568,224 B1
Filed: 02/03/2005
Issued: 07/28/2009
Est. Priority Date: 12/06/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authenticating the source IP address of a Session Initiation Protocol (SIP) data packet sent over a network from a source having a source IP address to a destination, the method comprising:

receiving the SIP data packet at the destination;

decoding, at the destination, data of the received SIP data packet, including at least the source IP address of the received SIP data packet;

encoding said data of the received SIP data packet into a cookie;

sending, from the destination, an outgoing SIP message to the source IP address,wherein said outgoing SIP message contains said cookie and is configured to solicit a SIP response from the source;

if the source does not respond to said outgoing SIP message, then designating the source IP address of the SIP data packet to be unauthenticated, otherwise;

receiving, at the destination, said SIP response in reply to said outgoing SIP message;

decoding, at the destination, data of said received SIP response, including at least said cookie and a sender IP address of said received SIP response;

processing said data of said received SIP response to determine if said received SIP response is from the source IP address and is an authentic response to said outgoing SIP message; and

if said received SIP response is from the source IP address and is an authentic response to said outgoing SIP message, then designating the source IP address of the SIP data packet to be authenticated.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating communication traffic includes receiving a Session Initiation Protocol (SIP) data packet sent over a network from a source address to a destination address, sending an outgoing SIP message to the source address, receiving an incoming SIP message in response to the outgoing SIP message and processing the incoming SIP response message so as to assess authenticity of the received SIP data packet.

79 Citations

View as Search Results

32 Claims

1. A method for authenticating the source IP address of a Session Initiation Protocol (SIP) data packet sent over a network from a source having a source IP address to a destination, the method comprising:
- receiving the SIP data packet at the destination;
  
  decoding, at the destination, data of the received SIP data packet, including at least the source IP address of the received SIP data packet;
  
  encoding said data of the received SIP data packet into a cookie;
  
  sending, from the destination, an outgoing SIP message to the source IP address,wherein said outgoing SIP message contains said cookie and is configured to solicit a SIP response from the source;
  
  if the source does not respond to said outgoing SIP message, then designating the source IP address of the SIP data packet to be unauthenticated, otherwise;
  
  receiving, at the destination, said SIP response in reply to said outgoing SIP message;
  
  decoding, at the destination, data of said received SIP response, including at least said cookie and a sender IP address of said received SIP response;
  
  processing said data of said received SIP response to determine if said received SIP response is from the source IP address and is an authentic response to said outgoing SIP message; and
  
  if said received SIP response is from the source IP address and is an authentic response to said outgoing SIP message, then designating the source IP address of the SIP data packet to be authenticated.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The method according to claim 1, wherein said outgoing SIP message comprises a SIP OPTIONS request, and wherein said processing said data of said received SIP response includes checking for a SIP OPTIONS OK message.
  - 3. The method according to claim 1, wherein said outgoing SIP message comprises an intentional syntax error, and wherein said processing said data of said received SIP response includes checking for an error message from the source address for said designating the source IP address of the SIP data packet to be authenticated.
  - 4. The method according to claim 1, wherein said SIP data packet comprises an INVITE message, and wherein said outgoing SIP request message comprises a SIP redirect message.
  - 5. The method according to claim 1, wherein said SIP data packet comprises a SIP request, wherein said outgoing SIP request message comprises sending a redirect message.
  - 6. The method according to claim 5, wherein said receiving the incoming SIP message comprises receiving a second SIP request in response to said redirect message, and wherein said processing said data comprises sending a second SIP redirect message to the source IP address in response to said second SIP request.
  - 7. The method according to claim 6, wherein said redirect message comprises an encoded Uniform Resource Identifier (URI) address to be used by the source address, and wherein receiving said second SIP request comprises receiving a message from the source IP address using said encoded URI address.
  - 8. The method according to claim 1, wherein said outgoing SIP request message comprises a SIP “
    - session in progress”
      
      message, and wherein said incoming SIP response message comprises a SIP PRACK acknowledgment.
  - 9. The method according to claim 1, wherein said outgoing SIP request message comprises a SIP SUBSCRIBE message.
  - 10. The method according to claim 1, wherein data of the received SIP data packet further includes a first TTL (Time-to-live) value, wherein said data of said received SIP response further includes a second TTL value, and wherein said processing said data of said received SIP response message comprises comparing said first and said second TTL values in order to determine if said received SIP response is from the source IP address and is an authentic response to said outgoing SIP message.
  - 11. The method according to claim 10, wherein said outgoing SIP message comprises said first TTL value encoded in a field of said outgoing SIP message, so as to cause the source to insert said first TTL value encoded in said incoming SIP message, and wherein said comparing said first and said second TTL values comprises decoding said first TTL value encoded from said incoming SIP message.
  - 12. The method according to claim 1, wherein said outgoing SIP message comprises a first encoded tag number, and wherein said incoming SIP message comprises a second encoded tag number, and wherein said processing said data of said received SIP response message comprises comparing said first and said second tag numbers.
  - 13. The method according to claim 12, wherein inserting the first encoded tag number comprises reading an attribute from the SIP data packet, hashing the attribute to generate a key, and applying the key to read the first encoded tag number from a table of random values, and wherein processing said data of said received SIP response comprises reading a further attribute from the incoming SIP message, hashing the further attribute to generate a further key, applying the further key to read a further encoded tag number from the table of random values, and comparing the further encoded tag number to the second tag number.
  - 14. The method according to claim 1, wherein receiving the SIP data packet comprises receiving a signaling packet sent by a proxy server indicating a further source address from which media data packets will be sent during a call, and wherein processing said data of said received SIP response comprises authenticating the proxy server and the further source address responsively to the signaling packet.
  - 15. The method according to claim 14, wherein receiving the signaling packet comprises receiving a Session Description Protocol (SDP) message from the proxy server.
  - 16. The method according to claim 1, and further comprising:
    - receiving, at the destination, a first incoming VoIP data packet from the source in accordance with a VoIP protocol;
      
      sending an outgoing VoIP message to the source in accordance with the VoIP protocol; and
      
      receiving, at the destination, a second incoming VoIP data packet in response to said outgoing VoIP message.

17. Apparatus for authenticating the source IP address of a Session Initiation Protocol (SIP) data packet sent over a network from a source having a source IP address to a destination, the apparatus comprising:
- a network interface, which is adapted to communicate with a network; and
  
  a guard processor, which is coupled to the network interface so as to receive a Session Initiation Protocol (SIP) data packet sent over the network from a source having a source IP address to a destination, and is adapted to;
  
  receive the SIP data packet at the destination;
  
  decode data of the received SIP data packet, including at least the source IP address of the received SIP data packet;
  
  encode said data of the received SIP data packet into a cookie;
  
  send an outgoing SIP message to the source IP address, wherein said outgoing SIP message contains said cookie and is configured to solicit a SIP response from the source;
  
  designate the source IP address of the SIP data packet to be unauthenticated if the source does not respond to said outgoing SIP message;
  
  otherwise;
  
  receive, at the destination, said SIP response;
  
  decode data of said received SIP response, including at least said cookie and a sender IP address of said received SIP response;
  
  process said data of said received SIP response to determine if said received SIP response is from the source IP address and is an authentic response to said outgoing SIP message; and
  
  designate the source IP address of the SIP data packet as authenticated if said received SIP response is from the source IP address and is an authentic response to said outgoing SIP message.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 18. The apparatus according to claim 17, wherein the outgoing SIP message comprises a SIP OPTIONS request.
  - 19. The apparatus according to claim 17, wherein the guard processor is adapted to incorporate an intentional syntax error in the outgoing SIP message, wherein the incoming SIP message comprises an error message, and wherein said guard processor is further adapted to check for an error message from the source address to designate the source IP address of the SIP data packet as authenticated.
  - 20. The apparatus according to claim 17, wherein the SIP data packet comprises an INVITE message, and wherein the outgoing SIP message comprises a redirect message.
  - 21. The apparatus according to claim 17, wherein the guard processor is adapted to receive a SIP request and to send a redirect message to the source address in response to the SIP request.
  - 22. The apparatus according to claim 21, wherein the guard processor is adapted to receive a second SIP request in response to the redirect message and to send a second redirect message to the source address in response to the second SIP request.
  - 23. The apparatus according to claim 22, wherein the guard processor is adapted to insert an encoded URI address into the redirect message, to be used by the source address, and to receive the second SIP request from the source address using the encoded URI address.
  - 24. The apparatus according to claim 17, wherein the outgoing SIP message comprises a “
    - session in progress”
      
      message, and wherein the incoming SIP message comprises a SIP PRACK acknowledgment.
  - 25. The apparatus according to claim 17, wherein the SIP outgoing message comprises a SUBSCRIBE message.
  - 26. The apparatus according to claim 17, wherein the guard processor is adapted to extract a first Time-To-Live (TTL) value from the SIP data packet, to extract a second TTL value from the incoming SIP response message, and to compare the first and second TTL values in order to process said data of said received SIP response to determine if said received SIP response is from the source IP address and is an authentic response to said outgoing SIP message.
  - 27. The apparatus according to claim 26, wherein the guard processor is adapted to encode the first TTL value in a field of the outgoing SIP message, so as to cause the source to insert the encoded first TTL value in the incoming SIP message, and to read and decode the first TTL value from the incoming SIP message for comparison with the second TTL value.
  - 28. The apparatus according to claim 17, wherein the guard processor is adapted to insert a first encoded tag number into the outgoing SIP message, to extract a second encoded tag number from the incoming SIP message, and to compare the first and second tag numbers in order to process said data of said received SIP response to determine if said received SIP response is from the source IP address and is an authentic response to said outgoing SIP message.
  - 29. The apparatus according to claim 28, wherein the guard processor is adapted to read an attribute from the SIP data packet, to hash the attribute to generate a key, to apply the key to read the first encoded tag number from a table of random values, to read a further attribute from the incoming SIP message, to hash the further attribute to generate a further key, to apply the further key to read a further encoded tag number from the table of random values, and to compare the further encoded tag number to the second tag number.
  - 30. The apparatus according to claim 17, wherein the guard processor is adapted to receive a signaling packet sent by a proxy server indicating a further source address from which media data packets will be sent during a call, and to authenticate the proxy server and the further source address responsively to the signaling packet.
  - 31. The apparatus according to claim 30, wherein the signaling packet comprises a Session Description Protocol (SDP) message.
  - 32. The apparatus according to claim 17, wherein said guard processor is further adapted to send an outgoing message to the source in accordance with a VoIP protocol.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Systems, Inc.
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wing, Daniel, Touitou, Dan, Jennings, Cullen
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
ARMOUCHE, HADI S

Application Number

US11/050,887
Time in Patent Office

1,636 Days
Field of Search

709/224, 726 13- 15, 726/22, 713/161
US Class Current

726/14
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/126   the source of the received ...

H04L 65/1079   of unsolicited session atte...

H04L 65/1104   Session initiation protocol...

H04L 65/65   Network streaming protocols...

H04L 69/22   Parsing or analysis of headers

Authentication of SIP and RTP traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

79 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Authentication of SIP and RTP traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links