ABSTRACT

The inherent security capabilities that are available in Session Initiation Protocol (SIP) are discussed in this section. SIP security is required at two levels: session level and media level. Session-level security deals with SIP signaling messages, while SIP media-level security is handled by secure media transport protocols like SRTP and ZRTP, which are extensions of the Real-Time Transmission Protocol. We do not deal with media-level security because it needs a more detailed treatment of its own that is beyond the scope of this book. However, we explain the Session Description Protocol (SDP) media-level cryptographic features that are used for media streams once the session is set up, and that are negotiated using SIP/SDP messages. First, we explain the session- and media-level security of SIP. Second, the functionality for negotiating the security mechanisms used between a SIP UA and its next-hop SIP entity at the session level is provided. Third, all security mechanisms of SIP are described in detail. Fourth, we explain the SIP session setup that includes security features using an example of a call flow. Fifth, we explain the possible security threats faced in the context of SIP, which is an application-layer protocol. Finally, means to mitigate security threats using existing security mechanisms in SIP are provided. In this context, how the lower-transport-layer security capabilities complement SIP application-layer security features is discussed. Privacy and anonymity in SIP, however, are described in a separate chapter.