OpenSIPS Workshop

Posted on 19-May-2015

DESCRIPTION

Slides from a workshop which took place at ElastixWorld 2013.

Transcript

Workshop

Adrian Georgescu @agprojects

AG Projects: SIP Infrastructure Experts

Saúl Ibarra Corretgé @saghul

Monday, October 21, 2013

Hello!

• AG Projects, 10+ years of experience

• Software development for SIP infrastructures

• Blink (and many other projects!)

• Open Source

Commercial Products

• MSP and SIP Thor - Turnkey SIP platforms

• Blink - SIP Client for OSX, Linux and Windows

Self-organizing SIP Infrastructure

SIP User Agents

User agents need only RFC 3263 support (locating SIP services using DNS lookups)

• Self-organizing

• Horizontally scalable

• Built-in disaster recovery

• No single point of failure

• Maintenance free

Multiple roles

• SIP Proxy/Registrar

• RTP Media relay

• Presence Agent

• XCAP server

• Voicemail

• Provisioning

[Diagram: Node 1 to Node 6, each with its own DB; labels: Internet, SIP, RTP, NAT]

We like questions, interrupt us!

What is OpenSIPS?

• Open Source SIP Server

• It does SIP, just SIP

• Proxy, registrar, B2BUA, ...

Possible deployment scenarios

• Load balancer

• Edge proxy

• Proxy / registrar

• LCR gateway

• Presence Agent

1. Keep the core proxy as lean as possible

• Edge proxy

• Sanity checks

• NAT traversal

• Forward to core proxy

• Core proxy

• Main routing logic

• User lookup

• Route request to destination

Using Path support

• RFC 3327

• Keep the edge proxy always in the path

• Always route requests through it (also outgoing)

Using Path support

    …
    loadmodule "rr.so"
    loadmodule "registrar.so"
    loadmodule "path.so"
    …

    modparam("path", "use_received", 1)
    …

    # On the edge proxy
    if (method == "REGISTER") {
        if (!add_path_received("edge-in"))
            sl_send_reply("503", "Internal Path Error");
        ...
    }

    # On the core proxy
    if (method == "REGISTER") {
        …
        save("location", "p2v");
    }

NAT traversal

• Always apply NAT traversal techniques

• Chances of not needing them are too low

• But do not break ICE

NAT traversal

    # Fix signaling
    if (method != "REGISTER" && client_nat_test("3")) {
        fix_contact();
    }

    if ((method=="REGISTER" || method=="SUBSCRIBE" ||
         (method=="INVITE" && !has_totag())) && client_nat_test("3")) {
        nat_keepalive();
    }

    # Fix media
    if (method==INVITE && !has_totag()) {
        engage_media_proxy();
    }

2. Keep your configuration tidy

• Use a version control system such as git

• Separate logical sections in different files

• Use a template language to help you

• Handle each method separately

Handle each SIP method separately

    ...
    if (method == "REGISTER") {
        ...
    } else if (method == "INVITE") {
        ...
    } else if (method == "SUBSCRIBE") {
        ...
    } else if (method == "PUBLISH") {
        ...
    ...

Using jcfg

• https://github.com/saghul/jcfg

• Uses Jinja templates for generating config files

Using jcfg

    # TCP
    {% if use_tcp %}
    disable_tcp=no
    {% for listener in tcp_listeners %}
    listen=tcp:{{ listener }}
    {% endfor %}
    {% else %}
    disable_tcp=yes
    {% endif %}

    context = {
        # UDP
        'udp_listeners': ['127.0.0.1:5060', '127.0.0.1:5080'],
        # TCP
        'use_tcp': True,
        'tcp_listeners': ['127.0.0.1:5060', '127.0.0.1:5080']
    }

    jcfg --input opensips.tpl --output opensips.cfg --context settings.py

3. Fraud is unavoidable, deal with it

• Usage quotas per user, per day / month

• Implement a quick way for switching off an account

• Blacklist premium numbers

• Nobody calls to Antarctica, really

• Limit number of concurrent calls
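
The checks listed on this slide, modelled as one call-admission gate. This is an added example, not code from the slides or from OpenSIPS/CallControl; the `Account` fields, the prefix list, the quota values and the UK-style dial plan in `normalize` are assumptions.

```python
from dataclasses import dataclass, field

# Illustrative E.164 prefixes (assumptions, not a complete list):
# 1900 = US premium rate, 672 = range that includes Antarctic bases.
BLOCKED_PREFIXES = ("1900", "672")

@dataclass
class Account:
    enabled: bool = True        # the quick "off switch" for an account
    daily_quota: float = 20.0   # currency units per day (assumed value)
    spent_today: float = 0.0
    max_calls: int = 2          # concurrent call limit (assumed value)
    active_calls: set = field(default_factory=set)

def normalize(dialed, country_code="44"):
    """Reduce dialing variants to bare E.164 digits so that one
    prefix list matches '+1900...', '001900...' and '+1 (900) ...'."""
    digits = "".join(c for c in dialed if c.isdigit() or c == "+")
    if digits.startswith("+"):
        return digits[1:]
    if digits.startswith("00"):
        return digits[2:]
    # National format: strip the trunk '0' (assumed dial plan)
    return country_code + digits.lstrip("0")

def authorize_call(acct, dialed, call_id, est_cost=0.0):
    """Return (allowed, reason); the call is registered when allowed."""
    number = normalize(dialed)
    if not acct.enabled:
        return False, "account disabled"
    if number.startswith(BLOCKED_PREFIXES):
        return False, "destination blocked"
    if acct.spent_today + est_cost > acct.daily_quota:
        return False, "daily quota exceeded"
    if call_id in acct.active_calls:
        return False, "duplicated call id"
    if len(acct.active_calls) >= acct.max_calls:
        return False, "too many concurrent calls"
    acct.active_calls.add(call_id)
    return True, "ok"

def end_call(acct, call_id, cost):
    """Release the concurrency slot and charge the call to today's quota."""
    acct.active_calls.discard(call_id)
    acct.spent_today += cost
```

Normalizing before the prefix match matters: a blacklist that only matches one dialing format is bypassed by dialing the same destination in another.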

4. Apply common sense sec. measures

• ‘1234’ is not a password, it’s a joke

• Different credentials for SIP and for web configuration tools

• Detect multiple authentication failures

• Discard well known bad UAs

• ‘friendly-scanner’ anyone?
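
A sketch of the two detection bullets above (repeated authentication failures, known bad user agents) run over log lines. This is an added example, not code from the slides; the log line layout, the threshold and window values, and the two UA entries other than 'friendly-scanner' are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque

# "friendly-scanner" is the UA named on the slide; the other two entries
# are assumptions added for illustration.
BAD_UA = re.compile(r"friendly-scanner|sipvicious|sipcli", re.I)

# Constructed log format (assumption, not an OpenSIPS format):
#   epoch src_ip method auth|noauth status "user-agent"
LINE = re.compile(r'^(\d+) (\S+) (\w+) (auth|noauth) (\d{3}) "([^"]*)"$')

def find_offenders(lines, max_failures=5, window=60):
    """Return {src_ip: reason} for sources worth blocking."""
    offenders = {}
    failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not parse
        ts, ip, cred, status, ua = int(m[1]), m[2], m[4], int(m[5]), m[6]
        if BAD_UA.search(ua):
            offenders.setdefault(ip, "bad user agent: " + ua)
            continue
        # A 401/407 answer to a request without credentials is the normal
        # digest challenge; only rejected credentials count as a failure.
        if status == 403 or (status in (401, 407) and cred == "auth"):
            q = failures[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= max_failures:
                offenders.setdefault(ip, f"{len(q)} auth failures in {window}s")
    return offenders

# Constructed sample input (documentation address ranges)
SAMPLE = [
    '1000 198.51.100.7 REGISTER noauth 401 "Blink 3.0"',
    '1001 198.51.100.7 REGISTER auth 200 "Blink 3.0"',
    '1002 203.0.113.9 OPTIONS noauth 200 "friendly-scanner"',
] + [f'{1010 + i} 203.0.113.20 REGISTER auth 401 "softphone"' for i in range(5)]

if __name__ == "__main__":
    for ip, reason in find_offenders(SAMPLE).items():
        print(ip, reason)
```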

Mitigating signaling attacks

    if (has_totag()) {
        # in-dialog request
        if (!validate_dialog())
            fix_route_dialog();
        ...
    }

Call limit with CallControl

    if (method==INVITE && !has_totag()) {
        $avp(cc_call_limit) := 10;
        $avp(cc_call_token) := $RANDOM;
        call_control();
        switch ($retcode) {
        case 2:
            # Call with no limit
        case 1:
            # Call has limit and is under callcontrol management
            break;
        case -1:
            # Not enough credit (prepaid call)
            sl_send_reply("402", "Not enough credit");
            exit;
        case -2:
            # Locked by another call in progress (prepaid call)
            sl_send_reply("403", "Call locked by another call in progress");
            exit;
        case -3:
            # Duplicated callid
            sl_send_reply("400", "Duplicated callid");
            exit;
        case -4:
            # Call limit reached
            sl_send_reply("503", "Too many concurrent calls");
            exit;
        default:
            # Internal error (message parsing, communication, ...)
            sl_send_reply("500", "Internal server error");
            exit;
        }
    }

Using the new Event Interface

    …
    loadmodule "event_datagram.so"
    …

    # Subscribe to the E_PIKE_BLOCKED event

    # Raise your own events from the routing script
    $avp(s:attr) = "number";
    $avp(s:val) = 0;
    $avp(s:attr) = "string";
    $avp(s:val) = "dummy value";
    raise_event("E_DUMMY", $avp(s:attr), $avp(s:val));

BYE

• Keep configuration simple

• Apply Common Sense (TM)

• Be prepared to deal with fraud and failure

Questions?

@agprojects

@saghul
