Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall with IP whitelists. The internal SIP transactions are UDP-only but for external phones I would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP via rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Thank you very much.
Kind regards Kevin
Hi Kevin. I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine is used only in some specific cases). All in public IPs. I just tune FS SIP profile to let it get requests only from Kamailio IP:PORT and add same firewall rules also. All RPC commands work via local interface only. PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio (PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich ko@sv01.de wrote:
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall with IP whitelists. The internal SIP transactions are UDP-only but for external phones I would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP via rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Thank you very much.
Kind regards Kevin
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use STUN as well as ICE, etc. from Asterisk (which is currently the case without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen < savolainen@erinaco.ru>:
Hi Kevin. I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine is used only in some specific cases). All in public IPs. I just tune FS SIP profile to let it get requests only from Kamailio IP:PORT and add same firewall rules also. All RPC commands work via local interface only. PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio (PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich ko@sv01.de wrote:
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall with IP whitelists. The internal SIP transactions are UDP-only but for external phones I would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP via rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Thank you very much.
Kind regards Kevin
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Savolainen Dmitri _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Sorry, following -> flowing.
Am Do., 16. Aug. 2018 um 12:32 Uhr schrieb Kevin Olbrich ko@sv01.de:
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use STUN as well as ICE, etc. from Asterisk (which is currently the case without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen < savolainen@erinaco.ru>:
Hi Kevin. I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine is used only in some specific cases). All in public IPs. I just tune FS SIP profile to let it get requests only from Kamailio IP:PORT and add same firewall rules also. All RPC commands work via local interface only. PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio (PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich ko@sv01.de wrote:
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall with IP whitelists. The internal SIP transactions are UDP-only but for external phones I would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP via rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Thank you very much.
Kind regards Kevin
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Savolainen Dmitri _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
is RTP folowing to FS directly in this case?
Yes, it woks fine in 99% and no any additional STUN/ICE are required
On 16 August 2018 at 13:32, Kevin Olbrich ko@sv01.de wrote:
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use STUN as well as ICE, etc. from Asterisk (which is currently the case without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen < savolainen@erinaco.ru>:
Hi Kevin. I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine is used only in some specific cases). All in public IPs. I just tune FS SIP profile to let it get requests only from Kamailio IP:PORT and add same firewall rules also. All RPC commands work via local interface only. PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio (PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich ko@sv01.de wrote:
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall with IP whitelists. The internal SIP transactions are UDP-only but for external phones I would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP via rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Thank you very much.
Kind regards Kevin
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Savolainen Dmitri _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi!
Sorry if you received an empty email, accidently clicked the send button when resizing the windows.
I am finally able to test a setup with both kamailio and asterisk on public network. Currently I struggle with RTP flow - what do I need to change to have rtp flow directly to asterisk instead of rtpproxy? Rtpproxy is working fine but when I disable NAT, there is no audio (did not yet check SDP).
Kind regards Kevin
Am Do., 16. Aug. 2018 um 12:47 Uhr schrieb Dmitri Savolainen < savolainen@erinaco.ru>:
is RTP folowing to FS directly in this case?
Yes, it woks fine in 99% and no any additional STUN/ICE are required
On 16 August 2018 at 13:32, Kevin Olbrich ko@sv01.de wrote:
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use STUN as well as ICE, etc. from Asterisk (which is currently the case without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen < savolainen@erinaco.ru>:
Hi Kevin. I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine is used only in some specific cases). All in public IPs. I just tune FS SIP profile to let it get requests only from Kamailio IP:PORT and add same firewall rules also. All RPC commands work via local interface only. PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio (PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich ko@sv01.de wrote:
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall with IP whitelists. The internal SIP transactions are UDP-only but for external phones I would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP via rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Thank you very much.
Kind regards Kevin
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Savolainen Dmitri _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Savolainen Dmitri _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Hi Kevin,
Main objective would be to detect NAT, and if so, fix SDP instead of involving rtpproxy. Both ways of course, requests and replies.
Something like this:
if (nat_uac_test("8"))
fix_nated_sdp("15");
Cheers!
On Wed, Oct 3, 2018 at 3:46 PM Kevin Olbrich ko@sv01.de wrote:
Hi!
Sorry if you received an empty email, accidently clicked the send button when resizing the windows.
I am finally able to test a setup with both kamailio and asterisk on public network. Currently I struggle with RTP flow - what do I need to change to have rtp flow directly to asterisk instead of rtpproxy? Rtpproxy is working fine but when I disable NAT, there is no audio (did not yet check SDP).
Kind regards Kevin
Am Do., 16. Aug. 2018 um 12:47 Uhr schrieb Dmitri Savolainen < savolainen@erinaco.ru>:
is RTP folowing to FS directly in this case?
Yes, it woks fine in 99% and no any additional STUN/ICE are required
On 16 August 2018 at 13:32, Kevin Olbrich ko@sv01.de wrote:
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use STUN as well as ICE, etc. from Asterisk (which is currently the case without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen < savolainen@erinaco.ru>:
Hi Kevin. I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine is used only in some specific cases). All in public IPs. I just tune FS SIP profile to let it get requests only from Kamailio IP:PORT and add same firewall rules also. All RPC commands work via local interface only. PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio (PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich ko@sv01.de wrote:
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall with IP whitelists. The internal SIP transactions are UDP-only but for external phones I would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP via rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Thank you very much.
Kind regards Kevin
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Savolainen Dmitri _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Savolainen Dmitri _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Am Mi., 3. Okt. 2018 um 22:50 Uhr schrieb Sergiu Pojoga pojogas@gmail.com:
Hi Kevin,
Main objective would be to detect NAT, and if so, fix SDP instead of involving rtpproxy. Both ways of course, requests and replies.
Something like this:
if (nat_uac_test("8"))
fix_nated_sdp("15");
Thank you very much! This works perfectly fine!
Cheers!
On Wed, Oct 3, 2018 at 3:46 PM Kevin Olbrich ko@sv01.de wrote:
Hi!
Sorry if you received an empty email, accidently clicked the send button when resizing the windows.
I am finally able to test a setup with both kamailio and asterisk on public network. Currently I struggle with RTP flow - what do I need to change to have rtp flow directly to asterisk instead of rtpproxy? Rtpproxy is working fine but when I disable NAT, there is no audio (did not yet check SDP).
Kind regards Kevin
Am Do., 16. Aug. 2018 um 12:47 Uhr schrieb Dmitri Savolainen < savolainen@erinaco.ru>:
is RTP folowing to FS directly in this case?
Yes, it woks fine in 99% and no any additional STUN/ICE are required
On 16 August 2018 at 13:32, Kevin Olbrich ko@sv01.de wrote:
Hi Dmitri,
is RTP folowing to FS directly in this case? This would allow us to use STUN as well as ICE, etc. from Asterisk (which is currently the case without Kamailio SBC in prod).
Kevin
Am Do., 16. Aug. 2018 um 12:29 Uhr schrieb Dmitri Savolainen < savolainen@erinaco.ru>:
Hi Kevin. I use Kamailio as FreeSwitch set balancer almost without rtpengine (rtpengine is used only in some specific cases). All in public IPs. I just tune FS SIP profile to let it get requests only from Kamailio IP:PORT and add same firewall rules also. All RPC commands work via local interface only. PUBLIC NET SIP-Phone ==> Kamailio(PUBLIC) ==> FS(PUBLIC) ==> Kamailio (PUBLIC) ==> Carrier
On 16 August 2018 at 12:57, Kevin Olbrich ko@sv01.de wrote:
Hi!
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall with IP whitelists. The internal SIP transactions are UDP-only but for external phones I would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP via rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Thank you very much.
Kind regards Kevin
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Savolainen Dmitri _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Savolainen Dmitri _______________________________________________ Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
On Thu, Aug 16, 2018 at 11:57:03AM +0200, Kevin Olbrich wrote:
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
Having a public IP doesn't mean this IP is reachable externally. If this is your concern (rightfully): firewall access to anything that doesn't need to be able to access.
Am Donnerstag, 16. August 2018, 11:57:03 CEST schrieb Kevin Olbrich:
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local firewall with IP whitelists. The internal SIP transactions are UDP-only but for external phones I would like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine), we have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP via rtpproxy (when call between carrier and external phone needs to be bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public network). In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Hello Kevin,
this is indeed a common setup to protect asterisk and to have also much greater flexibility with regards to balancing and/or SIP message adaptions.
To get some ideas, have a look to the last years conferences available here:
https://www.kamailio.org/events/
There should be some talks about using Kamailio to in front of asterisk, the talk name is usually in the file name.
I think even on this year cluecon Fred Posner did a talk about Kamailio as Edge Proxy, and also on astricon there were some talks about this scenario if I remember correctly.
You should also find in the Kamailio World or FOSDEM talks a lot of information about this scenario. You find all the talks available from Kamailio World in our youtube channel:
https://www.youtube.com/kamailioworld
Best regards,
Henning
Hi Henning,
I browsed the files but was unable to find one using Kamailio as SBC without exposing the Asterisk core. Most examples indeed expose the node and let media flow directly ( https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Build... - interesting solution with e/iBGP which we would also be able to deploy).
There was just a single presentation that I was able to locate that had the proxy only on the edge: https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-An... At least it looks like they are located behind the SBC.
After the research my impression is, that co-locating the B2BUA with the Edge-Proxy and firewall-ing it, seems best practice. We will try to add some security by bridge-firewalling and BGP.
If anyone has a hint for a presentation with high-security edge-proxy, I would appreciate it. Thank you.
Kind regards, Kevin
Am Do., 16. Aug. 2018 um 19:12 Uhr schrieb Henning Westerholt < hw@kamailio.org>:
Am Donnerstag, 16. August 2018, 11:57:03 CEST schrieb Kevin Olbrich:
I am working successfully with Kamailio in my lab setup where Kamailio is the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall
with IP whitelists. The internal SIP transactions are UDP-only but for external phones I
would
like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine),
we
have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP
via
rtpproxy (when call between carrier and external phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public
network).
In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as SBC to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup as DMZ (SBC) proxy.
Hello Kevin,
this is indeed a common setup to protect asterisk and to have also much greater flexibility with regards to balancing and/or SIP message adaptions.
To get some ideas, have a look to the last years conferences available here:
https://www.kamailio.org/events/
There should be some talks about using Kamailio to in front of asterisk, the talk name is usually in the file name.
I think even on this year cluecon Fred Posner did a talk about Kamailio as Edge Proxy, and also on astricon there were some talks about this scenario if I remember correctly.
You should also find in the Kamailio World or FOSDEM talks a lot of information about this scenario. You find all the talks available from Kamailio World in our youtube channel:
https://www.youtube.com/kamailioworld
Best regards,
Henning
-- Henning Westerholt https://skalatan.de/blog/
For what it's worth, we've set up a network/system where Asterisk resides completely on a private network with Kamailio acting as an edge proxy. RTPEngine is necessary as well to help the media through to the private network, but that's probably not surprising. It is completely doable, although the suggestions below about simply restricting Asterisk on a public network to the locations of the Kamailio proxies also works quite well.
Matching inbound requests in Asterisk to only the pool of Kamailio proxies can be done in a variety of fashions - IP address matching being the simplest. You will obviously need to think carefully about how Asterisk handles its outbound calling. If Kamailio is going to act as your registrar, then you will need to find some way to expose the registered contacts to Asterisk - we chose this route, and wrote a small REST sidecar to Kamailio for that purpose. If Asterisk is going to act as your registrar, you will need to fork the REGISTER requests to all of the Asterisk instances. Additionally, for INVITE requests being initiated by Asterisk, you will want to force those to flow through your edge proxies. This can be done using Asterisk's outbound_proxy setting on the AOR object in pjsip.conf.
On Mon, Aug 20, 2018 at 6:23 AM Kevin Olbrich ko@sv01.de wrote:
Hi Henning,
I browsed the files but was unable to find one using Kamailio as SBC without exposing the Asterisk core. Most examples indeed expose the node and let media flow directly ( https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Build...
- interesting solution with e/iBGP which we would also be able to deploy).
There was just a single presentation that I was able to locate that had the proxy only on the edge:
https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-An... At least it looks like they are located behind the SBC.
After the research my impression is, that co-locating the B2BUA with the Edge-Proxy and firewall-ing it, seems best practice. We will try to add some security by bridge-firewalling and BGP.
If anyone has a hint for a presentation with high-security edge-proxy, I would appreciate it. Thank you.
Kind regards, Kevin
Am Do., 16. Aug. 2018 um 19:12 Uhr schrieb Henning Westerholt < hw@kamailio.org>:
Am Donnerstag, 16. August 2018, 11:57:03 CEST schrieb Kevin Olbrich:
I am working successfully with Kamailio in my lab setup where Kamailio
is
the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==> Asterisk <== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall
with IP whitelists. The internal SIP transactions are UDP-only but for external phones I
would
like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to RTPengine),
we
have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong IP
via
rtpproxy (when call between carrier and external phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public
network).
In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable from external.
How do other users deploy Kamailio in front of Asterisk or similar as
SBC
to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup
as
DMZ (SBC) proxy.
Hello Kevin,
this is indeed a common setup to protect asterisk and to have also much greater flexibility with regards to balancing and/or SIP message adaptions.
To get some ideas, have a look to the last years conferences available here:
https://www.kamailio.org/events/
There should be some talks about using Kamailio to in front of asterisk, the talk name is usually in the file name.
I think even on this year cluecon Fred Posner did a talk about Kamailio as Edge Proxy, and also on astricon there were some talks about this scenario if I remember correctly.
You should also find in the Kamailio World or FOSDEM talks a lot of information about this scenario. You find all the talks available from Kamailio World in our youtube channel:
https://www.youtube.com/kamailioworld
Best regards,
Henning
-- Henning Westerholt https://skalatan.de/blog/
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
If Kamailio is going to act as your registrar, then you will need to find some way to expose the registered contacts to Asterisk -
Matthew, could you explain why Asterisk have to know about reg contacts in you approch? Asterisk just may sends all to Kamailio (second call leg) and let Kamailio route this call to appropriate contact.
On 20 August 2018 at 18:23, Matthew Jordan mjordan@digium.com wrote:
For what it's worth, we've set up a network/system where Asterisk resides completely on a private network with Kamailio acting as an edge proxy. RTPEngine is necessary as well to help the media through to the private network, but that's probably not surprising. It is completely doable, although the suggestions below about simply restricting Asterisk on a public network to the locations of the Kamailio proxies also works quite well.
Matching inbound requests in Asterisk to only the pool of Kamailio proxies can be done in a variety of fashions - IP address matching being the simplest. You will obviously need to think carefully about how Asterisk handles its outbound calling. If Kamailio is going to act as your registrar, then you will need to find some way to expose the registered contacts to Asterisk - we chose this route, and wrote a small REST sidecar to Kamailio for that purpose. If Asterisk is going to act as your registrar, you will need to fork the REGISTER requests to all of the Asterisk instances. Additionally, for INVITE requests being initiated by Asterisk, you will want to force those to flow through your edge proxies. This can be done using Asterisk's outbound_proxy setting on the AOR object in pjsip.conf.
On Mon, Aug 20, 2018 at 6:23 AM Kevin Olbrich ko@sv01.de wrote:
Hi Henning,
I browsed the files but was unable to find one using Kamailio as SBC without exposing the Asterisk core. Most examples indeed expose the node and let media flow directly ( https://www.kamailio.org/events/2017-KamailioWorld/ Day1/08-David.Casem-Building-A-Global-VoIP-Network.pdf - interesting solution with e/iBGP which we would also be able to deploy).
There was just a single presentation that I was able to locate that had the proxy only on the edge: https://www.kamailio.org/events/2017-KamailioWorld/ Day2/15-Sebasitan.Damm-Anti-Fraud-With-HTables.pdf At least it looks like they are located behind the SBC.
After the research my impression is, that co-locating the B2BUA with the Edge-Proxy and firewall-ing it, seems best practice. We will try to add some security by bridge-firewalling and BGP.
If anyone has a hint for a presentation with high-security edge-proxy, I would appreciate it. Thank you.
Kind regards, Kevin
Am Do., 16. Aug. 2018 um 19:12 Uhr schrieb Henning Westerholt < hw@kamailio.org>:
Am Donnerstag, 16. August 2018, 11:57:03 CEST schrieb Kevin Olbrich:
I am working successfully with Kamailio in my lab setup where Kamailio
is
the SBC for Asterisk. The network layout is looking like this:
SIP-Phone <== PUBLIC NET ==> Kamailio (SBC) <== PRIVATE NET ==>
Asterisk
<== PUBLIC NET ==> Carrier
Each public network is reachable from the internet and has a local
firewall
with IP whitelists. The internal SIP transactions are UDP-only but for external phones I
would
like to also listen for TCP/TLS.
For this layout to work with rtpproxy (before we move on to
RTPengine), we
have to enable mhomed in Kamailio. We also have some routing issues with packets leaving with the wrong
IP via
rtpproxy (when call between carrier and external phone needs to be
bridged).
Most examples show that Asterisk is deployed on the same network as the external interface of Kamailio (-> Asterisk exposed to the public
network).
In our tests, this works much better but I have great security concerns because this Asterisk instance itself does not need to be reachable
from
external.
How do other users deploy Kamailio in front of Asterisk or similar as
SBC
to secure internals? There is lot of docs for Kamailio's config but IMHO less for the setup
as
DMZ (SBC) proxy.
Hello Kevin,
this is indeed a common setup to protect asterisk and to have also much greater flexibility with regards to balancing and/or SIP message adaptions.
To get some ideas, have a look to the last years conferences available here:
https://www.kamailio.org/events/
There should be some talks about using Kamailio to in front of asterisk, the talk name is usually in the file name.
I think even on this year cluecon Fred Posner did a talk about Kamailio as Edge Proxy, and also on astricon there were some talks about this scenario if I remember correctly.
You should also find in the Kamailio World or FOSDEM talks a lot of information about this scenario. You find all the talks available from Kamailio World in our youtube channel:
https://www.youtube.com/kamailioworld
Best regards,
Henning
-- Henning Westerholt https://skalatan.de/blog/
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
-- Matthew Jordan Digium, Inc. | CTO 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA Check us out at: http://digium.com & http://asterisk.org
Kamailio (SER) - Users Mailing List sr-users@lists.kamailio.org https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
On Mon, Aug 20, 2018 at 09:01:08PM +0300, Dmitri Savolainen wrote:
If Kamailio is going to act as your registrar, then you will need to find some way to expose the registered contacts to Asterisk -
Matthew, could you explain why Asterisk have to know about reg contacts in you approch? Asterisk just may sends all to Kamailio (second call leg) and let Kamailio route this call to appropriate contact.
The historical problem with this "dial endpoints over a trunk peer" approach is that such endpoints are not as privileged by Asterisk as local AstDB bindings for various Class 5 / application purposes, e.g. hints, voicemail, MWI, etc.
But as I understand it, PJSIP is supposed to fix this problem and make use of an outboard registrar a lot more transparent.
On Mon, Aug 20, 2018 at 1:04 PM Alex Balashov abalashov@evaristesys.com wrote:
On Mon, Aug 20, 2018 at 09:01:08PM +0300, Dmitri Savolainen wrote:
If Kamailio is going to act as your registrar, then you will need to find some way to expose the registered contacts to Asterisk -
Matthew, could you explain why Asterisk have to know about reg contacts
in
you approch? Asterisk just may sends all to Kamailio (second call leg) and let Kamailio route this call to appropriate contact.
This is fine, and you can make your outbound calls in that fashion. You do need to have Asterisk present enough information that Kamailio is aware of how to route that outbound INVITE request, but if you have sufficient information in the request URI, it can certainly make that decision.
If, however, you wanted to dial PJSIP/1000 - which no other information and where 1000 is some registered device - Asterisk will need the registered contact that the device has presented to the registrar. In which case, you have to have some mechanism for Asterisk to get at that information.
The historical problem with this "dial endpoints over a trunk peer" approach is that such endpoints are not as privileged by Asterisk as local AstDB bindings for various Class 5 / application purposes, e.g. hints, voicemail, MWI, etc.
But as I understand it, PJSIP is supposed to fix this problem and make use of an outboard registrar a lot more transparent.
Yup - it all depends on how you configure / use things.
Am Montag, 20. August 2018, 13:22:30 CEST schrieb Kevin Olbrich:
I browsed the files but was unable to find one using Kamailio as SBC without exposing the Asterisk core.
Most examples indeed expose the node and let media flow directly ( https://www.kamailio.org/events/2017-KamailioWorld/Day1/08-David.Casem-Build ing-A-Global-VoIP-Network.pdf - interesting solution with e/iBGP which we would also be able to deploy).
There was just a single presentation that I was able to locate that had the proxy only on the edge: https://www.kamailio.org/events/2017-KamailioWorld/Day2/15-Sebasitan.Damm-An ti-Fraud-With-HTables.pdf At least it looks like they are located behind the SBC.
After the research my impression is, that co-locating the B2BUA with the Edge-Proxy and firewall-ing it, seems best practice. We will try to add some security by bridge-firewalling and BGP.
If anyone has a hint for a presentation with high-security edge-proxy, I would appreciate it. Thank you. [..]
Hi Kevin,
here you find a (older) presentation about a setup with private asterisk and kamailio as network edge. This is the one that we build back in the days at 1&1, slide 19 has a schematic diagram of the setup:
https://skalatan.de/archive/presentations/kamailio-world-2013-presentation.p...
Best regards,
Henning
-
Alex Balashov -
Daniel Tryba -
Dmitri Savolainen -
Henning Westerholt -
Kevin Olbrich -
Matthew Jordan -
Sergiu Pojoga