1. AG Projects
SIP Infrastructure Experts
Workshop
Adrian Georgescu (@agprojects)
Saúl Ibarra Corretgé (@saghul)
Monday, October 21, 2013
2. Hello!
• AG Projects, 10+ years of experience
• Software development for SIP infrastructures
• Blink (and many other projects!)
• Open Source
3. Commercial Products
• MSP and SIP Thor - Turnkey SIP platforms
• Blink - SIP Client for OSX, Linux and Windows
Self-organizing SIP Infrastructure
[Diagram: six nodes (Node 1 to Node 6), each with its own DB, all reachable from the Internet; SIP User Agents behind NAT exchange SIP signaling and RTP media with any node.]
• Self-organizing
• Horizontally scalable
• Built-in disaster recovery
• No single point of failure
• Maintenance free
Multiple roles per node:
• SIP Proxy/Registrar
• RTP Media relay
• Presence Agent
• XCAP server
• Voicemail
• Provisioning
SIP User Agents: user agents need only RFC 3263 support (locating SIP services using DNS lookups).
6. What is OpenSIPS?
• Open Source SIP Server
• It does SIP, just SIP
• Proxy, registrar, B2BUA, ...
7. Possible deployment scenarios
• Load balancer
• Edge proxy
• Proxy / registrar
• LCR gateway
• Presence Agent
13. Tip 1: Keep the core proxy as lean as possible
• Edge proxy
  • Sanity checks
  • NAT traversal
  • Forward to core proxy
14. (continued)
• Core proxy
  • Main routing logic
  • User lookup
  • Route request to destination
15. Using Path support
• RFC 3327
• Keep the edge proxy always in the path
• Always route requests through it (also outgoing)
16. Using Path support
…
loadmodule "rr.so"
loadmodule "registrar.so"
loadmodule "path.so"
…
modparam("path", "use_received", 1)
…
# On the edge proxy: insert ourselves into the Path header, recording
# the address the REGISTER actually came from in the received= parameter
if (method == "REGISTER") {
    if (!add_path_received("edge-in"))
        sl_send_reply("503", "Internal Path Error");
    ...
}
# On the core proxy: store the contact together with its Path
if (method == "REGISTER") {
    …
    save("location", "p2v");
}
17. NAT traversal
• Always apply NAT traversal techniques
  • Chances of not needing them are too low
• But do not break ICE
19. NAT traversal
# Fix signaling: rewrite the Contact of clients behind NAT and keep
# their NAT binding open with keepalives
if (method != "REGISTER" && client_nat_test("3")) {
    fix_contact();
}
if ((method=="REGISTER" || method=="SUBSCRIBE" ||
     (method=="INVITE" && !has_totag())) && client_nat_test("3")) {
    nat_keepalive();
}
# Fix media: relay the RTP of new calls through MediaProxy
if (method==INVITE && !has_totag()) {
    engage_media_proxy();
}
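An added example in Python (not OpenSIPS or AG Projects code) modelling what slides 16 and 19 configure together: the edge proxy runs a client_nat_test-style check on a REGISTER from a client behind NAT, fixes the Contact, and adds a Path header carrying the REGISTER's source address; the core registrar stores the contact with its Path; a later request towards the user takes the stored Path as its Route set (RFC 3327), and the edge uses the received= parameter to reach the NAT binding. The SIP message, all hosts and the exact received= encoding are constructed assumptions, and only RFC 1918 ranges count as private here.

```python
import ipaddress
import re

# sip:[user@]host[:port]; group 1 is "user@" (may be empty), 2 the host, 3 the port
URI = re.compile(r"sip:((?:[^@>;]+@)?)([^;:>\s]+)(?::(\d+))?")
VIA_HOST = re.compile(r"SIP/2\.0/\w+\s+([^;:\s]+)")
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOCATION = {}   # the core registrar's location table: AoR -> binding


def parse(msg):
    """Split a SIP message into (request line, {header name lower-cased: [values]}).
    Compact header forms (v:, m:, ...) are deliberately not handled."""
    lines = msg.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def is_private(host):
    """RFC 1918 test only; hostnames and other literals count as public."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE)


def client_nat_test(headers, flags):
    """Same bit meaning as nat_traversal's client_nat_test(): 1 = Contact host is
    private, 2 = topmost Via host is private. The slide's "3" tests both."""
    if flags & 1 and is_private(URI.search(headers["contact"][0]).group(2)):
        return True
    if flags & 2 and is_private(VIA_HOST.search(headers["via"][0]).group(1)):
        return True
    return False


def fix_contact(headers, src_ip, src_port):
    """fix_contact() equivalent: replace the Contact host:port with the address the
    packet really came from, keeping the user part and the URI parameters."""
    return URI.sub(lambda m: "sip:%s%s:%d" % (m.group(1), src_ip, src_port),
                   headers["contact"][0], count=1)


def edge_handle_register(msg, src_ip, src_port, edge_host="edge.example.com"):
    """Edge proxy: NAT-fix the REGISTER, then the add_path_received("edge-in") step.
    The received= encoding is an assumption; OpenSIPS's own form may differ."""
    _, headers = parse(msg)
    if client_nat_test(headers, 3):
        headers["contact"] = [fix_contact(headers, src_ip, src_port)]
    path = "<sip:edge-in@%s;lr;received=sip:%s:%d>" % (edge_host, src_ip, src_port)
    headers["path"] = [path] + headers.get("path", [])   # prepend, like Record-Route
    return headers


def core_save(headers):
    """Core registrar save(): keep the contact together with its Path vector."""
    aor = re.search(r"sip:([^;>]+)", headers["to"][0]).group(1)
    LOCATION[aor] = {"contact": headers["contact"][0], "path": list(headers["path"])}
    return aor


def core_route_to(aor):
    """Core proxy: a request towards the user gets the stored Path values as its
    Route set, in the same order (RFC 3327), so it always leaves via the edge."""
    binding = LOCATION[aor]
    return binding["contact"], list(binding["path"])


def edge_next_hop(route_value):
    """Edge proxy with use_received=1: a Route to itself that carries received=
    is forwarded to that address, i.e. to the client's NAT binding."""
    m = re.search(r"received=sip:([^;:>]+):(\d+)", route_value)
    return (m.group(1), int(m.group(2))) if m else None


# Constructed sample REGISTER from a client behind NAT (192.168.1.10) that the
# edge sees arriving from 203.0.113.5:40000.
REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Contact: <sip:alice@192.168.1.10:5060;transport=udp>\r\n"
    "Expires: 3600\r\n"
    "\r\n"
)


def demo():
    """REGISTER through edge and core, then routing a request back to alice."""
    aor = core_save(edge_handle_register(REGISTER, "203.0.113.5", 40000))
    contact, routes = core_route_to(aor)
    return contact, routes, edge_next_hop(routes[0])


if __name__ == "__main__":
    print(demo())
```

The point to take from the flow: without the Path header the core would try to reach 203.0.113.5:40000 directly and the NAT would drop it; with it, every request to alice is forced through the edge, which is the only hop that holds the keepalive binding.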
20. Tip 2: Keep your configuration tidy
• Use a version control system such as git
• Separate logical sections in different files
• Use a template language to help you
• Handle each method separately
21. Handle each SIP method separately
...
if (method == "REGISTER") {
    ...
} else if (method == "INVITE") {
    ...
} else if (method == "SUBSCRIBE") {
    ...
} else if (method == "PUBLISH") {
    ...
...
22. Using jcfg
• https://github.com/saghul/jcfg
• Uses Jinja templates for generating config files
23. Using jcfg
Template (opensips.tpl):
# TCP
{% if use_tcp %}
disable_tcp=no
{% for listener in tcp_listeners %}
listen=tcp:{{ listener }}
{% endfor %}
{% else %}
disable_tcp=yes
{% endif %}
Context (settings.py):
context = {
    # UDP
    'udp_listeners':
        ['127.0.0.1:5060', '127.0.0.1:5080'],
    # TCP
    'use_tcp': True,
    'tcp_listeners':
        ['127.0.0.1:5060', '127.0.0.1:5080']
}
Rendering:
jcfg --input opensips.tpl --output opensips.cfg --context settings.py
24. Tip 3: Fraud is unavoidable, deal with it
• Usage quotas per user, per day / month
• Implement a quick way for switching off an account
• Blacklist premium numbers
  • Nobody calls to Antarctica, really
• Limit number of concurrent calls
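An added example, not part of the slides or of any AG Projects product: the four controls above as a small Python admission policy that an external service or script hook would consult before an INVITE is routed. Quotas, the prefix blacklist and the call sequence are constructed values.

```python
import datetime as dt

# Constructed example blacklist: a territory prefix in the spirit of the slide's
# Antarctica remark plus premium-rate style ranges. Maintain your own list.
PREMIUM_PREFIXES = ("+672", "+1900", "+882")


class FraudPolicy:
    """Per-account admission control: operator kill switch, destination
    blacklist, concurrent-call cap and daily/monthly talk-time quotas.
    Every refusal carries a reason that can be mapped to a SIP reply."""

    def __init__(self, daily_seconds, monthly_seconds, max_concurrent):
        self.daily_seconds = daily_seconds
        self.monthly_seconds = monthly_seconds
        self.max_concurrent = max_concurrent
        self.disabled = set()   # accounts switched off (the "quick way" from the slide)
        self.active = {}        # user -> {callid: start time}
        self.usage = {}         # (user, "YYYY-MM-DD" or "YYYY-MM") -> seconds talked

    def disable(self, user):
        self.disabled.add(user)

    def enable(self, user):
        self.disabled.discard(user)

    def _keys(self, user, when):
        return (user, when.strftime("%Y-%m-%d")), (user, when.strftime("%Y-%m"))

    def admit(self, user, callee, callid, now):
        """Decide on a new outgoing call; cheapest and most decisive checks first."""
        if user in self.disabled:
            return False, "account disabled"
        if callee.startswith(PREMIUM_PREFIXES):
            return False, "destination blacklisted"
        calls = self.active.setdefault(user, {})
        if len(calls) >= self.max_concurrent:
            return False, "too many concurrent calls"
        day_key, month_key = self._keys(user, now)
        if self.usage.get(day_key, 0) >= self.daily_seconds:
            return False, "daily quota exhausted"
        if self.usage.get(month_key, 0) >= self.monthly_seconds:
            return False, "monthly quota exhausted"
        calls[callid] = now
        return True, "ok"

    def end_call(self, user, callid, now):
        """Charge the finished call to the day and month in which it started."""
        start = self.active.get(user, {}).pop(callid, None)
        if start is None:
            return 0
        seconds = int((now - start).total_seconds())
        for key in self._keys(user, start):
            self.usage[key] = self.usage.get(key, 0) + seconds
        return seconds


def demo():
    """Constructed sequence for one account: 600 s/day, 3000 s/month, 2 concurrent."""
    policy = FraudPolicy(daily_seconds=600, monthly_seconds=3000, max_concurrent=2)
    t0 = dt.datetime(2013, 10, 21, 9, 0)
    s = dt.timedelta
    decisions = [
        policy.admit("alice", "+31201234567", "c1", t0),
        policy.admit("alice", "+31201234567", "c2", t0),
        policy.admit("alice", "+31201234567", "c3", t0),   # third parallel call
    ]
    policy.end_call("alice", "c1", t0 + s(seconds=500))
    policy.end_call("alice", "c2", t0 + s(seconds=200))     # 700 s used today
    decisions += [
        policy.admit("alice", "+31201234567", "c4", t0 + s(minutes=10)),
        policy.admit("alice", "+31201234567", "c5", t0 + s(days=1)),  # new day, month still fine
        policy.admit("alice", "+67212345", "c6", t0 + s(days=1)),     # nobody calls Antarctica
    ]
    policy.disable("alice")
    decisions.append(policy.admit("alice", "+31201234567", "c7", t0 + s(days=1)))
    return [reason for _, reason in decisions]


if __name__ == "__main__":
    print(demo())
```

Quotas here are checked only at call setup, so one admitted call can run past the daily limit; the concurrent-call cap bounds that exposure, and cutting a running call needs dialog-aware machinery such as the CallControl integration shown later in the deck.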
25. Tip 4: Apply common sense security measures
• ‘1234’ is not a password, it’s a joke
• Different credentials for SIP and for web configuration tools
• Detect multiple authentication failures
• Discard well known bad UAs
  • ‘friendly-scanner’ anyone?
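An added example in Python, not the deck's code: a sliding-window counter of authentication failures per source address with a temporary ban, plus a User-Agent blocklist holding the friendly-scanner string named on the slide, run over a constructed sequence of authentication events. Thresholds, addresses and the softphone UA string are constructed.

```python
from collections import deque

# User-Agent strings dropped on sight. "friendly-scanner" is the one named on
# the slide; extend the tuple from what you see in your own logs.
BAD_USER_AGENTS = ("friendly-scanner",)


def is_bad_ua(user_agent):
    """Case-insensitive substring match against the blocklist."""
    ua = (user_agent or "").lower()
    return any(bad in ua for bad in BAD_USER_AGENTS)


class AuthFailureTracker:
    """Ban a source address after `threshold` authentication failures inside a
    `window` of seconds, for `ban` seconds: the same idea as a fail2ban jail on
    the proxy's auth log, kept in-process here so it can be tested."""

    def __init__(self, threshold=5, window=60, ban=600):
        self.threshold, self.window, self.ban = threshold, window, ban
        self.failures = {}   # ip -> deque of failure timestamps inside the window
        self.banned = {}     # ip -> ban expiry time

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now < expiry:
            return True
        del self.banned[ip]   # ban expired
        return False

    def record_failure(self, ip, now):
        """Return True when this failure trips the ban."""
        q = self.failures.setdefault(ip, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)
        if len(q) >= self.threshold:
            self.banned[ip] = now + self.ban
            q.clear()
            return True
        return False


def process(events, tracker):
    """events are (time, source ip, User-Agent, auth outcome) tuples, outcome being
    "ok" or "fail". Returns what the proxy should do with each request."""
    decisions = []
    for ts, ip, ua, outcome in events:
        if tracker.is_banned(ip, ts):
            decisions.append("drop:banned")
        elif is_bad_ua(ua):
            decisions.append("drop:bad-ua")
        elif outcome == "fail" and tracker.record_failure(ip, ts):
            decisions.append("ban")
        else:
            decisions.append("pass")
    return decisions


# Constructed sample: a scanner, a password-guessing client and a normal user.
EVENTS = [
    (0, "198.51.100.7", "friendly-scanner", "fail"),
    (1, "203.0.113.9", "ExampleSoftphone/1.0", "fail"),
    (2, "203.0.113.9", "ExampleSoftphone/1.0", "fail"),
    (3, "203.0.113.9", "ExampleSoftphone/1.0", "fail"),
    (4, "203.0.113.9", "ExampleSoftphone/1.0", "fail"),
    (5, "203.0.113.9", "ExampleSoftphone/1.0", "fail"),   # fifth failure within 60 s
    (6, "203.0.113.9", "ExampleSoftphone/1.0", "ok"),     # right password, but banned
    (700, "203.0.113.9", "ExampleSoftphone/1.0", "ok"),   # ban has expired
    (700, "192.0.2.20", "ExampleSoftphone/1.0", "ok"),
]


def demo():
    return process(EVENTS, AuthFailureTracker(threshold=5, window=60, ban=600))


if __name__ == "__main__":
    print(demo())
```

Keying on the source address alone misfires behind carrier-grade NAT (one guesser bans a whole office), so pair it with a per-username counter; on a real proxy the per-address part is what the pike module does for request rate, and its E_PIKE_BLOCKED event is the hook for acting on it.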
26. Mitigating signaling attacks
if (has_totag()) {
    # in-dialog request: if its Route set or sequence does not match what the
    # dialog module recorded for this dialog, rebuild the routing from the
    # stored dialog state instead of trusting the request
    if (!validate_dialog())
        fix_route_dialog();
    ...
}
27. Call limit with CallControl
if (method==INVITE && !has_totag()) {
    $avp(cc_call_limit) := 10;
    $avp(cc_call_token) := $RANDOM;
    call_control();
    switch ($retcode) {
        case 2:
            # Call with no limit (falls through)
        case 1:
            # Call has limit and is under callcontrol management
            break;
        case -1:
            # Not enough credit (prepaid call)
            sl_send_reply("402", "Not enough credit");
            exit;
        case -2:
            # Locked by another call in progress (prepaid call)
            sl_send_reply("403", "Call locked by another call in progress");
            exit;
        case -3:
            # Duplicated callid
            sl_send_reply("400", "Duplicated callid");
            exit;
        case -4:
            # Call limit reached
            sl_send_reply("503", "Too many concurrent calls");
            exit;
        default:
            # Internal error (message parsing, communication, ...)
            sl_send_reply("500", "Internal server error");
            exit;
    }
}
28. Using the new Event Interface
…
loadmodule "event_datagram.so"
…
# Consumers subscribe to events (e.g. E_PIKE_BLOCKED, raised by the pike
# module) from outside the script, through the event_subscribe MI command
# Raise your own events from the routing script:
$avp(s:attr) = "number";
$avp(s:val) = 0;
$avp(s:attr) = "string";
$avp(s:val) = "dummy value";
raise_event("E_DUMMY", $avp(s:attr), $avp(s:val));
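An added example in Python, not OpenSIPS code, of the receiving side of the event_datagram transport: a UDP listener that parses the datagram, turns E_PIKE_BLOCKED into a firewall rule for the blocked address, and logs the attributes of the script-raised E_DUMMY event from the slide. The datagram layout and the event_subscribe invocation are assumptions to check against the README of your OpenSIPS version; addresses are constructed.

```python
import ipaddress
import socket

# Datagram layout as documented for event_datagram (assumed here, verify for your
# version): the event name on the first line, then one "name::value" line per
# attribute, e.g. b"E_PIKE_BLOCKED\nip::192.0.2.1\n".


def parse_event(datagram):
    """Return (event name, {attribute: value}); raise ValueError on anything else."""
    lines = datagram.decode("utf-8", "replace").split("\n")
    if not lines or not lines[0].startswith("E_"):
        raise ValueError("not an OpenSIPS event: %r" % datagram[:40])
    params = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition("::")
        if not sep:
            raise ValueError("malformed attribute line: %r" % line)
        params[name] = value
    return lines[0], params


def handle_event(name, params):
    """Map an event to an action string. The one untrusted field that ends up in
    a command is re-validated as an IP address first; never splice raw event
    data into a shell command."""
    if name == "E_PIKE_BLOCKED":
        ip = ipaddress.ip_address(params["ip"])      # ValueError on anything else
        return "iptables -I INPUT -s %s -j DROP" % ip
    if name == "E_DUMMY":                               # the event raised on the slide
        return "log: number=%s string=%s" % (params.get("number"), params.get("string"))
    return None


def serve(bind_addr=("127.0.0.1", 8888)):
    """Receive loop. The subscription itself is made on the OpenSIPS side with the
    event_subscribe MI command, assumed to look like:
        opensipsctl fifo event_subscribe E_PIKE_BLOCKED udp:127.0.0.1:8888"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind_addr)
    while True:
        data, peer = sock.recvfrom(65535)
        try:
            action = handle_event(*parse_event(data))
        except (ValueError, KeyError) as exc:
            print("ignoring datagram from %s: %s" % (peer, exc))
            continue
        if action:
            print(action)


if __name__ == "__main__":
    serve()
```

Bind the listener to loopback or a management interface only: the datagram carries no authentication, so anything that can reach the socket can make the consumer act on fabricated events.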
29. BYE
• Keep configuration simple
• Apply Common Sense (TM)
• Be prepared to deal with fraud and failure