On 26/02/14 11:39, Alex Villacís Lasso wrote:
On 26/02/14 05:25, Klaus Darilion wrote:
> Puh, too many questions in one email.
I am sorry about that. I wanted to provide as much useful information as possible
in my email, including what I had observed, and what I have already tried. After all the
exposition, I just want to 1) have a setup that routes media between several
disjoint networks, 2) while being secure by default even if the firewall gets
misconfigured, 3) without having to hardcode a particular IP address in the configuration
file.
> First, you should describe what you want to
> achieve. E.g. is there routing between the networks done by the server? E.g. can a client
> on 10.1.0.0/24 ping a client on 192.168.0.0/16? If yes, there is no need for
> Kamailio/Asterisk to listen on multiple
> interfaces.
No, the server is not supposed to route ordinary traffic between networks.
> If there is no routing, you need to have a media
> relay too. Either use rtpproxy or just configure Asterisk with "canreinvite=no"
> to avoid media offloading.
The asterisk instance was supposed to be already configured with directmedia=no
the whole time. This was set both in the configuration file and in each of the realtime
peers. The full sip.conf file is attached. The #include'd files at the end are
currently empty. You can see the commented-out attempt to listen on localhost only.
I fail to see why rtpproxy would be required in this setup, since asterisk already opens
RTP ports on all interfaces. In the (already tested) asterisk-only scenario, media is
routed between the test networks through asterisk when it does all of the SIP
negotiation itself.
Regarding security, I think rtpproxy can help me. I have configured asterisk to listen for
SIP traffic on localhost only. Of course, this means asterisk will send the media to
localhost only, but now I can be sure there is no way to bypass kamailio
authentication from the outside.
My test setup resembles a typical NAT traversal. However, instead of a single private
interface and a single outgoing interface, I need to route between localhost (which
behaves here as the private network) and multiple external interfaces (similar to the
"public" network). A partially-working patch to kamailio.cfg is attached to this
email. The known problems with the patch are:
- Incoming calls (external->kamailio->asterisk) are handled and media is correctly
routed with multiple rtpproxy instances. However, calls generated from Asterisk itself
(asterisk->kamailio->external) do not have their media routed correctly. This is
because I need to choose which rtpproxy set to use in order to route the media, and I do
not know which field to use at the required point for an outgoing INVITE. For incoming
INVITEs, I am using $Ri, and for OK replies to those INVITEs, I am using
$(hdr(Record-Route)[1]) (I believe this is not optimal and that a better solution must
exist).
- I am forced to hardcode IPs to the various defined interfaces. As explained before, IPs
can and do change, and removing the need to hardcode the IPs will make configuration and
maintenance easier. I must add that I want to build a generic solution that
can be minimally modified for several deployments.
Is this setup recognizable as an already-solved problem (minus the localhost trick)? How
is it done correctly?
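The following kamailio.cfg fragment is an added illustration of the multi-relay layout discussed in this message; it is not the patch attached to the email, nor anything from the Kamailio or rtpproxy projects, and the interface addresses, socket ports, set numbers and route names in it are hypothetical placeholders. It shows the part the message already has working: one rtpproxy instance bound to each external interface, a rtpproxy set per instance, and the set chosen from $Ri for an incoming INVITE. The set id is remembered in a transaction AVP so that the reply route can reuse it instead of parsing Record-Route; whether that covers the Asterisk-originated (loopback) direction that the message leaves open is not shown here.

```cfg
# Added example, not the configuration attached to the thread.
# Hypothetical addresses: 127.0.0.1 faces Asterisk (sip.conf bindaddr=127.0.0.1),
# 10.1.0.1 and 192.168.1.1 are the two external interfaces.
listen=udp:127.0.0.1:5060
listen=udp:10.1.0.1:5060
listen=udp:192.168.1.1:5060

loadmodule "tm.so"
loadmodule "textops.so"
loadmodule "rtpproxy.so"

# One rtpproxy process per external interface, each in its own set.
# Assumed start lines:  rtpproxy -l 10.1.0.1 -s udp:127.0.0.1:7722
#                       rtpproxy -l 192.168.1.1 -s udp:127.0.0.1:7723
modparam("rtpproxy", "rtpproxy_sock", "1 == udp:127.0.0.1:7722")
modparam("rtpproxy", "rtpproxy_sock", "2 == udp:127.0.0.1:7723")

route[RTP_SELECT] {
    # Choose the relay that owns the interface this request arrived on.
    if ($Ri == "10.1.0.1") {
        $avp(rtpset) = 1;
    } else if ($Ri == "192.168.1.1") {
        $avp(rtpset) = 2;
    } else {
        # Received on loopback (Asterisk-originated): the thread's open question;
        # no set is selected here, so no relay is engaged for this leg.
        return;
    }
    set_rtpproxy_set("$avp(rtpset)");
    rtpproxy_manage("co");
}

request_route {
    if (is_method("INVITE") && has_body("application/sdp")) {
        route(RTP_SELECT);
        # AVPs set here stay attached to the transaction for its replies.
        t_on_reply("RTP_REPLY");
    }
    if (!t_relay()) {
        sl_reply_error();
    }
}

onreply_route[RTP_REPLY] {
    # Reuse the set picked for the request rather than deriving it from headers.
    if (has_body("application/sdp") && $avp(rtpset) != $null) {
        set_rtpproxy_set("$avp(rtpset)");
        rtpproxy_manage("co");
    }
}
```

Because Asterisk binds only to 127.0.0.1, nothing on the external interfaces can reach it without passing this Kamailio route, which is the "secure even if the firewall is misconfigured" property the message asks for; the relay selection above only determines which interface the media is anchored on.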