Workshop Adrian Georgescu @agprojects AG Projects SIP Infrastructure Experts Saúl Ibarra Corretgé @saghul Monday, October 21, 2013
OpenSIPS Workshop

May 19, 2015

Slides from a workshop which took place at ElastixWorld 2013.
Page 1: OpenSIPS Workshop

Workshop

Adrian Georgescu @agprojects

AG Projects SIP Infrastructure Experts

Saúl Ibarra Corretgé @saghul

Monday, October 21, 2013

Page 2: OpenSIPS Workshop

Hello!

• AG Projects, 10+ years of experience

• Software development for SIP infrastructures

• Blink (and many other projects!)

• Open Source

Page 3: OpenSIPS Workshop

Commercial Products

• MSP and SIP Thor - Turnkey SIP platforms

• Blink - SIP Client for OSX, Linux and Windows

Self-organizing SIP Infrastructure

User agents need only RFC3263 support (locating SIP services using DNS lookups)

• Self-organizing

• Horizontally scalable

• Built-in disaster recovery

• No single point of failure

• Maintenance free

Multiple Roles

• SIP Proxy/Registrar

• RTP Media relay

• Presence Agent

• XCAP server

• Voicemail

• Provisioning

[Diagram labels: SIP User Agents, NAT, Internet, SIP, RTP, Node 1 to Node 6, each with a DB]

Page 5: OpenSIPS Workshop

We like questions, interrupt us!

Page 6: OpenSIPS Workshop

What is OpenSIPS?

• Open Source SIP Server

• It does SIP, just SIP

• Proxy, registrar, B2BUA, ...

Page 7: OpenSIPS Workshop

Possible deployment scenarios

• Load balancer

• Edge proxy

• Proxy / registrar

• LCR gateway

• Presence Agent

Page 13: OpenSIPS Workshop

1. Keep the core proxy as lean as possible

• Edge proxy

• Sanity checks

• NAT traversal

• Forward to core proxy

Page 14: OpenSIPS Workshop

• Core proxy

• Main routing logic

• User lookup

• Route request to destination

Page 15: OpenSIPS Workshop

Using Path support

• RFC 3327

• Keep the edge proxy always in the path

• Always route requests through it (also outgoing)

Page 16: OpenSIPS Workshop

Using Path support

…
loadmodule "rr.so"
loadmodule "registrar.so"
loadmodule "path.so"
…

modparam("path", "use_received", 1)
…

# On the edge proxy
if (method == "REGISTER") {
    if (!add_path_received("edge-in"))
        sl_send_reply("503", "Internal Path Error");
    ...
}

# On the core proxy
if (method == "REGISTER") {
    …
    save("location", "p2v");
}
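
The flow that this configuration sets up, modelled in Python as an added example (not code from the slides or from OpenSIPS). The host name, addresses and the simplified `received=` syntax are assumptions; messages are reduced to dictionaries of the headers that matter.

```python
import re

EDGE = "edge.example.net"  # hypothetical edge proxy host

# Constructed sample REGISTER as seen by the edge proxy (client is behind NAT).
SAMPLE_REGISTER = {"To": "sip:alice@example.com",
                   "Contact": "sip:alice@192.168.1.20:5060"}


def edge_add_path(register, src_ip, src_port, user="edge-in"):
    """Edge proxy: prepend a Path header that records the packet's source
    address (models add_path_received; the parameter syntax is simplified)."""
    path = f"<sip:{user}@{EDGE};lr;received=sip:{src_ip}:{src_port}>"
    fwd = dict(register)
    fwd["Path"] = [path] + register.get("Path", [])
    return fwd


class Registrar:
    """Core proxy: stores the Path vector next to the Contact (RFC 3327)."""

    def __init__(self):
        self.location = {}

    def save(self, register):
        self.location[register["To"]] = (register["Contact"],
                                         register.get("Path", []))

    def lookup(self, aor):
        """Request for a registered user: the Contact becomes the Request-URI
        and the stored Path vector becomes a preloaded Route set."""
        contact, path = self.location[aor]
        return {"Request-URI": contact, "Route": list(path)}


def edge_next_hop(request):
    """Edge proxy on the way out: consume its own Route and, as with
    use_received=1, send to the address in received= instead of the
    private Contact address. Returns ((ip, port) or None, forwarded request)."""
    top = request["Route"][0]
    m = re.search(r"received=sip:([\d.]+):(\d+)", top)
    forwarded = dict(request, Route=request["Route"][1:])
    return ((m.group(1), int(m.group(2))) if m else None), forwarded
```
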

Page 17: OpenSIPS Workshop

NAT traversal

• Always apply NAT traversal techniques

• Chances of not needing them are too low

• But do not break ICE

Page 19: OpenSIPS Workshop

NAT traversal

# Fix signaling
if (method != "REGISTER" && client_nat_test("3")) {
    fix_contact();
}

if ((method=="REGISTER" || method=="SUBSCRIBE" ||
    (method=="INVITE" && !has_totag())) && client_nat_test("3")) {
    nat_keepalive();
}

# Fix media
if (method==INVITE && !has_totag()) {
    engage_media_proxy();
}

Page 20: OpenSIPS Workshop

2. Keep your configuration tidy

• Use a version control system such as git

• Separate logical sections in different files

• Use a template language to help you

• Handle each method separately

Page 21: OpenSIPS Workshop

Handle each SIP method separately

...
if (method == "REGISTER") {
    ...
} else if (method == "INVITE") {
    ...
} else if (method == "SUBSCRIBE") {
    ...
} else if (method == "PUBLISH") {
    ...
...

Page 22: OpenSIPS Workshop

Using jcfg

• https://github.com/saghul/jcfg

• Uses Jinja templates for generating config files

Page 23: OpenSIPS Workshop

Using jcfg

# TCP

{% if use_tcp %}
disable_tcp=no
{% for listener in tcp_listeners %}
listen=tcp:{{ listener }}
{% endfor %}
{% else %}
disable_tcp=yes
{% endif %}

context = {
    # UDP
    'udp_listeners': ['127.0.0.1:5060', '127.0.0.1:5080'],
    # TCP
    'use_tcp': True,
    'tcp_listeners': ['127.0.0.1:5060', '127.0.0.1:5080']
}

jcfg --input opensips.tpl --output opensips.cfg --context settings.py

Page 24: OpenSIPS Workshop

3. Fraud is unavoidable, deal with it

• Usage quotas per user, per day / month

• Implement a quick way for switching off an account

• Blacklist premium numbers

• Nobody calls to Antarctica, really

• Limit number of concurrent calls
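
How these controls combine into one decision on each new call, as an added Python example (not code from the slides). The prefixes, limits, reply codes and every name are constructed assumptions; a real deployment would take them from its own rate plan and enforce them in the proxy or billing engine.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample policy (assumptions, not from the slides).
BLOCKED_PREFIXES = ("1900", "44909", "672")  # premium-rate / never-called ranges
DAILY_QUOTA_SECONDS = 3600                   # per user, per day
MAX_CONCURRENT_CALLS = 2                     # per user


@dataclass
class Account:
    enabled: bool = True                      # quick switch-off flag
    used_today: int = 0                       # seconds consumed today
    active: set = field(default_factory=set)  # Call-IDs currently in progress


def normalize(dialed):
    """Reduce '+CC...' and '00CC...' to bare digits so prefix matching holds."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    return digits[2:] if dialed.lstrip().startswith("00") else digits


class FraudGate:
    def __init__(self):
        self.accounts = defaultdict(Account)

    def authorize(self, user, call_id, dialed):
        """Decide on an initial INVITE; returns (SIP status code, reason)."""
        acct = self.accounts[user]
        if not acct.enabled:
            return 403, "Account disabled"
        if normalize(dialed).startswith(BLOCKED_PREFIXES):
            return 403, "Destination not allowed"
        if acct.used_today >= DAILY_QUOTA_SECONDS:
            return 403, "Daily quota exhausted"
        if len(acct.active) >= MAX_CONCURRENT_CALLS:
            return 503, "Too many concurrent calls"
        acct.active.add(call_id)
        return 200, "OK"

    def end_call(self, user, call_id, seconds):
        """Called on BYE: release the call slot and charge the quota."""
        acct = self.accounts[user]
        if call_id in acct.active:
            acct.active.discard(call_id)
            acct.used_today += seconds

    def disable(self, user):
        self.accounts[user].enabled = False
```
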

Page 25: OpenSIPS Workshop

4. Apply common sense security measures

• ‘1234’ is not a password, it’s a joke

• Different credentials for SIP and for web configuration tools

• Detect multiple authentication failures

• Discard well known bad UAs

• ‘friendly-scanner’ anyone?
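
Detection logic for the last two points, as an added Python example (not code from the slides): it rejects requests whose User-Agent matches a deny pattern and blocks a source after repeated credential failures inside a time window. The threshold, window, class names and the sample message are constructed assumptions.

```python
import re
from collections import defaultdict, deque

# 'friendly-scanner' is the UA named on the slide; extend the pattern as needed.
BAD_UA = re.compile(r"friendly-scanner", re.IGNORECASE)
MAX_FAILURES = 3     # constructed threshold
WINDOW_SECONDS = 60  # constructed window


def user_agent(sip_message):
    """Return the User-Agent value of a raw SIP message ('' if absent).
    Header names are case-insensitive, so compare in lower case."""
    head = sip_message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return ""


class AuthFailureTracker:
    def __init__(self):
        self.failures = defaultdict(deque)  # source IP -> failure timestamps
        self.blocked = set()

    def check_request(self, src_ip, sip_message):
        """'drop' for blocked sources and denied User-Agents, else 'pass'."""
        if src_ip in self.blocked or BAD_UA.search(user_agent(sip_message)):
            return "drop"
        return "pass"

    def record_auth_failure(self, src_ip, ts):
        """Feed rejected credentials only, not the initial 401 challenge that
        every legitimate client receives. Returns True once the IP is blocked."""
        q = self.failures[src_ip]
        q.append(ts)
        while q and ts - q[0] > WINDOW_SECONDS:
            q.popleft()
        if len(q) >= MAX_FAILURES:
            self.blocked.add(src_ip)
        return src_ip in self.blocked


# Constructed sample message (RFC 5737 documentation addresses).
SCAN = ("OPTIONS sip:100@192.0.2.10 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-1\r\n"
        "USER-AGENT: friendly-scanner\r\n"
        "Content-Length: 0\r\n\r\n")
```
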

Page 26: OpenSIPS Workshop

Mitigating signaling attacks

if (has_totag()) {
    # in-dialog request
    if (!validate_dialog())
        fix_route_dialog();
    ...
}

Page 27: OpenSIPS Workshop

Call limit with CallControl

if (method==INVITE && !has_totag()) {
    $avp(cc_call_limit) := 10;
    $avp(cc_call_token) := $RANDOM;
    call_control();
    switch ($retcode) {
    case 2:
        # Call with no limit
    case 1:
        # Call has limit and is under callcontrol management
        break;
    case -1:
        # Not enough credit (prepaid call)
        sl_send_reply("402", "Not enough credit");
        exit;
    case -2:
        # Locked by another call in progress (prepaid call)
        sl_send_reply("403", "Call locked by another call in progress");
        exit;
    case -3:
        # Duplicated callid
        sl_send_reply("400", "Duplicated callid");
        exit;
    case -4:
        # Call limit reached
        sl_send_reply("503", "Too many concurrent calls");
        exit;
    default:
        # Internal error (message parsing, communication, ...)
        sl_send_reply("500", "Internal server error");
        exit;
    }
}

Page 28: OpenSIPS Workshop

Using the new Event Interface

…
loadmodule "event_datagram.so"
…

# Subscribe to the E_PIKE_BLOCKED event

# Raise your own events from the routing script
$avp(s:attr) = "number";
$avp(s:val) = 0;
$avp(s:attr) = "string";
$avp(s:val) = "dummy value";
raise_event("E_DUMMY", $avp(s:attr), $avp(s:val));

Page 29: OpenSIPS Workshop

BYE

• Keep configuration simple

• Apply Common Sense (TM)

• Be prepared to deal with fraud and failure

Page 30: OpenSIPS Workshop

Questions?

@agprojects

@saghul
