OpenSIPS Workshop
Adrian Georgescu (@agprojects)
Saúl Ibarra Corretgé (@saghul)
AG Projects, SIP Infrastructure Experts
Monday, October 21, 2013
Hello!
• AG Projects, 10+ years of experience
• Software development for SIP infrastructures
• Blink (and many other projects!)
• Open Source
Commercial Products
• MSP and SIP Thor - Turnkey SIP platforms
• Blink - SIP Client for OSX, Linux and Windows
Self-organizing SIP Infrastructure
• Self-organizing
• Horizontally scalable
• Built-in disaster recovery
• No single point of failure
• Maintenance free
Multiple roles
• SIP Proxy/Registrar
• RTP Media relay
• Presence Agent
• XCAP server
• Voicemail
• Provisioning
SIP User Agents
• User agents need only RFC 3263 support (locating SIP services using DNS lookups)
[Diagram: SIP user agents behind NAT reach Nodes 1-6 over the Internet using SIP and RTP; each node has its own DB]
We like questions, interrupt us!
What is OpenSIPS?
• Open Source SIP Server
• It does SIP, just SIP
• Proxy, registrar, B2BUA, ...
Possible deployment scenarios
• Load balancer
• Edge proxy
• Proxy / registrar
• LCR gateway
• Presence Agent
1. Keep the core proxy as lean as possible
• Edge proxy
• Sanity checks
• NAT traversal
• Forward to core proxy
• Core proxy
• Main routing logic
• User lookup
• Route request to destination
Using Path support
• RFC 3327
• Keep the edge proxy always in the path
• Always route requests through it (also outgoing)
Using Path support

    …
    loadmodule "rr.so"
    loadmodule "registrar.so"
    loadmodule "path.so"
    …
    modparam("path", "use_received", 1)
    …

    # On the edge proxy
    if (method == "REGISTER") {
        if (!add_path_received("edge-in"))
            sl_send_reply("503", "Internal Path Error");
        ...
    }

    # On the core proxy
    if (method == "REGISTER") {
        …
        save("location", "p2v");
    }
NAT traversal
• Always apply NAT traversal techniques
• Chances of not needing them are too low
• But do not break ICE
NAT traversal

    # Fix signaling
    if (method != "REGISTER" && client_nat_test("3")) {
        fix_contact();
    }

    if ((method=="REGISTER" || method=="SUBSCRIBE" ||
         (method=="INVITE" && !has_totag())) && client_nat_test("3")) {
        nat_keepalive();
    }

    # Fix media
    if (method==INVITE && !has_totag()) {
        engage_media_proxy();
    }
2. Keep your configuration tidy
• Use a version control system such as git
• Separate logical sections in different files
• Use a template language to help you
• Handle each method separately
Handle each SIP method separately

    ...
    if (method == "REGISTER") {
        ...
    } else if (method == "INVITE") {
        ...
    } else if (method == "SUBSCRIBE") {
        ...
    } else if (method == "PUBLISH") {
        ...
    ...
Using jcfg
• https://github.com/saghul/jcfg
• Uses Jinja templates for generating config files
Using jcfg

Template (opensips.tpl):

    # TCP
    {% if use_tcp %}
    disable_tcp=no
    {% for listener in tcp_listeners %}
    listen=tcp:{{ listener }}
    {% endfor %}
    {% else %}
    disable_tcp=yes
    {% endif %}

Context (settings.py):

    context = {
        # UDP
        'udp_listeners': ['127.0.0.1:5060', '127.0.0.1:5080'],
        # TCP
        'use_tcp': True,
        'tcp_listeners': ['127.0.0.1:5060', '127.0.0.1:5080']
    }

Generate the configuration:

    jcfg --input opensips.tpl --output opensips.cfg --context settings.py
3. Fraud is unavoidable, deal with it
• Usage quotas per user, per day / month
• Implement a quick way for switching off an account
• Blacklist premium numbers
• Nobody calls to Antarctica, really
• Limit number of concurrent calls
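The controls listed above, combined into one pre-routing decision, as an added Python example that is not part of the original slides and is not OpenSIPS or CallControl code. The class and function names, the "00" international prefix, the quota values and the +672 / +1900 prefixes are assumptions chosen for illustration. Numbers are normalized before the blacklist is applied so that a differently formatted number cannot slip past a prefix rule.

```python
import re
from collections import defaultdict

def normalize(number, intl_prefix="00"):
    """Canonicalize to +<digits> so that "00672...", "+672 1..." and
    "+672-1..." all hit the same prefix rule."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits.startswith(intl_prefix):
        digits = "+" + digits[len(intl_prefix):]
    return digits

class FraudGuard:
    def __init__(self, daily_quota_sec, max_concurrent, blocked_prefixes):
        self.daily_quota_sec = daily_quota_sec
        self.max_concurrent = max_concurrent
        self.blocked_prefixes = tuple(blocked_prefixes)
        self.disabled = set()           # accounts switched off
        self.used = defaultdict(int)    # (user, day) -> seconds consumed
        self.active = defaultdict(set)  # user -> call-ids in progress

    def authorize(self, user, dialled, call_id, day):
        """Decide on a new outgoing call; returns (allowed, reason)."""
        if user in self.disabled:
            return False, "account disabled"
        if normalize(dialled).startswith(self.blocked_prefixes):
            return False, "destination blacklisted"
        if self.used[(user, day)] >= self.daily_quota_sec:
            return False, "daily quota exhausted"
        if len(self.active[user]) >= self.max_concurrent:
            return False, "too many concurrent calls"
        self.active[user].add(call_id)
        return True, "ok"

    def end_call(self, user, call_id, seconds, day):
        self.active[user].discard(call_id)
        self.used[(user, day)] += seconds

    def disable(self, user):
        """Kill switch: refuse new calls, return call-ids to tear down."""
        self.disabled.add(user)
        return sorted(self.active[user])

def demo():
    # Constructed rules and numbers; +672 and +1900 are illustrative prefixes.
    g = FraudGuard(600, 2, ["+672", "+1900"])
    day = "2013-10-21"
    calls = [("+31 20 555 0100", "c1"), ("00672-10-1234", "c2"),
             ("+31205550101", "c3"), ("+31205550102", "c4")]
    return g, [g.authorize("alice", n, c, day) for n, c in calls]
```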
4. Apply common sense sec. measures
• ‘1234’ is not a password, it’s a joke
• Different credentials for SIP and for web configuration tools
• Detect multiple authentication failures
• Discard well known bad UAs
• ‘friendly-scanner’ anyone?
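Detecting multiple authentication failures and known bad User-Agents, as an added Python example that is not part of the original slides. The log line format, thresholds and sample lines are constructed assumptions, not OpenSIPS output. It counts only rejections of requests that carried credentials, because the first 401 to an unauthenticated request is the normal digest challenge.

```python
import re
from collections import defaultdict, deque

# Constructed log format (an assumption, not OpenSIPS output):
#   <epoch> <src_ip> <method> auth=<0|1> <status> ua="<User-Agent>"
LINE = re.compile(r'(\d+) (\S+) (\S+) auth=([01]) (\d{3}) ua="([^"]*)"')
BAD_UA = re.compile(r"friendly-scanner", re.I)  # extend with UAs seen locally

def analyse(lines, max_failures=5, window=60):
    """Return (bad_ua_sources, brute_force_sources) as sets of source IPs."""
    bad_ua, brute = set(), set()
    recent = defaultdict(deque)  # src_ip -> timestamps of recent failures
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the format
        ts, ip, _method, auth, status, ua = m.groups()
        ts = int(ts)
        if BAD_UA.search(ua):
            bad_ua.add(ip)
        # A 401/407 answer to a request without credentials is only the
        # digest challenge; a failure is a rejection of supplied credentials.
        if auth == "1" and status in ("401", "403", "407"):
            q = recent[ip]
            q.append(ts)
            while ts - q[0] >= window:  # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures:
                brute.add(ip)
    return bad_ua, brute

def sample_log():
    """Constructed sample: a normal client, a scanner and a password guesser."""
    log = ['1000 192.0.2.10 REGISTER auth=0 401 ua="Blink"',
           '1001 192.0.2.10 REGISTER auth=1 200 ua="Blink"',
           '1002 198.51.100.7 OPTIONS auth=0 200 ua="friendly-scanner"']
    # six rejected credentials in ten seconds from one source
    log += [f'{1010 + 2 * i} 203.0.113.5 REGISTER auth=1 401 ua="x"'
            for i in range(6)]
    # three typos from the normal client, 100 s apart: below the threshold
    log += [f'{2000 + 100 * i} 192.0.2.10 REGISTER auth=1 401 ua="Blink"'
            for i in range(3)]
    return log

if __name__ == "__main__":
    print(analyse(sample_log()))
```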
Mitigating signaling attacks

    if (has_totag()) {
        # in-dialog request
        if (!validate_dialog())
            fix_route_dialog();
        ...
    }
Call limit with CallControl

    if (method==INVITE && !has_totag()) {
        $avp(cc_call_limit) := 10;
        $avp(cc_call_token) := $RANDOM;
        call_control();
        switch ($retcode) {
        case 2:
            # Call with no limit
        case 1:
            # Call has limit and is under callcontrol management
            break;
        case -1:
            # Not enough credit (prepaid call)
            sl_send_reply("402", "Not enough credit");
            exit;
        case -2:
            # Locked by another call in progress (prepaid call)
            sl_send_reply("403", "Call locked by another call in progress");
            exit;
        case -3:
            # Duplicated callid
            sl_send_reply("400", "Duplicated callid");
            exit;
        case -4:
            # Call limit reached
            sl_send_reply("503", "Too many concurrent calls");
            exit;
        default:
            # Internal error (message parsing, communication, ...)
            sl_send_reply("500", "Internal server error");
            exit;
        }
    }
Using the new Event Interface

    …
    loadmodule "event_datagram.so"
    …

    # Subscribe to the E_PIKE_BLOCKED event

    # Raise your own events from the routing script
    $avp(s:attr) = "number";
    $avp(s:val) = 0;
    $avp(s:attr) = "string";
    $avp(s:val) = "dummy value";
    raise_event("E_DUMMY", $avp(s:attr), $avp(s:val));
BYE
• Keep configuration simple
• Apply Common Sense (TM)
• Be prepared to deal with fraud and failure
Questions?
@agprojects
@saghul