Hello all,
I would like to use Kamailio to encrypt contents of SIP messages (using SIP TLS) between 2 endpoints, i.e.:
- To use 5061 port instead of 5060 port,
- To use sips uri instead of sip uri...
For example, T1 and T2 communicate with "Server A" like that:
1) T1 and T2 send REGISTER to "Server A"
2) T1 and T2 received 200 OK from "Server A"
...
3) "Server A" sends an INVITE message to T1 and T2
...
4) RTP flow between T1 and T2 (this should not be encrypted)
...
5) "Server A" sends a BYE request to T1 and T2
...
All those exchanges are made on Transport layer TCP or UDP on port 5060. T1 and T2 are not able to support TLS but "Server A" needs to receive/send messages in SIP TLS. I would like to insert Kamailio between T1 and "Server A", T2 and "Server B" in order to encrypt contents of SIP messages.
I have some questions about that:
- I think Kamailio can do that but I am not sure, can you confirm that to me please?
- Can I use Kamailio as it is to do that?
- Do I have to add a "Route" header in requests in order that requests between T1 and "Server A" go through Kamailio, or
- Is Kamailio able to intercept SIP packets automatically (with a certain configuration)?
- Do you know the difference between Freeswitch and Kamailio? (because I have seen that Freeswitch can do what I need: see Figure4: http://wiki.freeswitch.org/wiki/SIP_TLS)
Thank you very much for your input. Regards
On 12.08.2011 14:56, margot.basa wrote:
> Hello all,
> I would like to use Kamailio to encrypt contents of SIP messages (using SIP TLS) between 2 endpoints, i.e.:
> - To use 5061 port instead of 5060 port,
> - To use sips uri instead of sip uri...
> For example, T1 and T2 communicate with "Server A" like that:
> 1) T1 and T2 send REGISTER to "Server A"
> 2) T1 and T2 received 200 OK from "Server A"
> ...
> 3) "Server A" sends an INVITE message to T1 and T2
> ...
> 4) RTP flow between T1 and T2 (this should not be encrypted)
> ...
> 5) "Server A" sends a BYE request to T1 and T2
> ...
> All those exchanges are made on Transport layer TCP or UDP on port 5060. T1 and T2 are not able to support TLS but "Server A" needs to receive/send messages in SIP TLS. I would like to insert Kamailio between T1 and "Server A", T2 and "Server B" in order to encrypt contents of SIP messages.
> I have some questions about that:
> - I think Kamailio can do that but I am not sure, can you confirm that to me please?
Yes, you can do that with Kamailio
> - Can I use Kamailio as it is to do that?
Almost yes. You only have to load the TLS module and tell Kamailio to listen on port 5061 for TLS.
Probably some modifications to the default configuration are needed.
> - Do I have to add a "Route" header in requests in order that requests between T1 and "Server A" go through Kamailio
Yes. When record-routing is activated (it is activated in the default config), all in-dialog requests (ACK, reINVITE, BYE) will be routed automatically via Kamailio.
The more complicated part will be the initial requests (REGISTER, INVITE). Requests from the clients to the server are quite easy to handle:
    if (src_ip != ip.address.of.server) {
        # request comes from a client: send it to the server over TLS
        $du = "sip:ip.address.of.server;transport=tls";
        t_relay();
    }
Complicated are INVITEs from the server to the client. Usually during registration the server stores the contact information of the client, to send incoming calls to this address. This is either the information in the Contact header, or the IP address:port from which the REGISTER was received (if the server performs NAT traversal).
Both cases are bad - as the server should send the request to Kamailio, but Kamailio needs to know where to forward the request.
The proper solution is using "Path" -> see documentation of the Path module. If your server supports "Path", then you are finished.
If your server does not support Path, there are 2 approaches:
A) The server stores the Contact, but sends the INVITE requests always to Kamailio. Therefore, the server needs some kind of "outbound proxy" functionality.
B) Kamailio stores the contact of the client, and forwards the REGISTER with a contact pointing to itself. Thus, the server will look up the client, find the IP address of Kamailio and forward the request. Then Kamailio again looks up the client in the location table and then forwards the request. This only works if Kamailio puts a unique identifier of the client into the username part of the Contact header.
> - Is Kamailio able to intercept SIP packets automatically (with a certain configuration)?
No. Other nodes have to send SIP messages to Kamailio. This is why record-routing is needed to tell the other clients to route in-dialog requests via Kamailio too.
> - Do you know the difference between Freeswitch and Kamailio? (because I have seen that Freeswitch can do what I need: see Figure4: http://wiki.freeswitch.org/wiki/SIP_TLS)
No.
Klaus
> Thank you very much for your input. Regards
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
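Added example, not part of Klaus's message and not the Kamailio default configuration: a Kamailio configuration for the Path-based setup described in the reply above, with plain SIP towards the clients and TLS towards the server. The addresses 192.0.2.10 (proxy) and 198.51.100.20 (Server A), the tls.cfg location and the 403 reply are assumptions, and it presumes Server A supports Path.

```kamailio
#!KAMAILIO
# Added example. Constructed addresses:
#   192.0.2.10    = this Kamailio proxy
#   198.51.100.20 = "Server A" (accepts SIP over TLS on port 5061)
enable_tls=yes
# plain SIP towards T1/T2
listen=udp:192.0.2.10:5060
listen=tcp:192.0.2.10:5060
# SIP over TLS towards Server A
listen=tls:192.0.2.10:5061

loadmodule "tls.so"
loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "path.so"
loadmodule "textops.so"
loadmodule "siputils.so"

# Assumed file location. Its [client:default] section should set
#   verify_certificate = yes
#   require_certificate = yes
#   ca_list = <CA bundle that signed Server A's certificate>
# so the proxy authenticates Server A instead of encrypting to any peer.
modparam("tls", "config", "/etc/kamailio/tls.cfg")

request_route {
    # Requests carrying a Route that points at this proxy: in-dialog requests
    # (ACK, re-INVITE, BYE) and initial INVITEs the server routes via Path.
    if (loose_route()) {
        if (!has_totag()) { record_route(); }
        t_relay();
        exit;
    }
    if (src_ip == 198.51.100.20) {
        # Server request without a Route: no client target is known here.
        sl_send_reply("403", "Route via Path required");
        exit;
    }
    # Initial request from a client.
    if (is_method("REGISTER")) {
        # Server A stores this Path entry and sends later INVITEs back here.
        add_path();
    } else {
        # Keep later in-dialog requests on this proxy.
        record_route();
    }
    $du = "sip:198.51.100.20:5061;transport=tls";
    t_relay();
}
```

Because every request that does not come from Server A is forced to Server A, the proxy does not relay client traffic to arbitrary destinations.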
Hello all,
Thanks Klaus for your answer, it helps me a lot!! For my configuration, do I need to install a database? After doing some research, I think for routing purposes a database is not needed...
Thank you very much for your input, Regards
Message of 13/08/11 08:38
From: "Klaus Darilion"
To: sr-users@lists.sip-router.org
Cc:
Subject: Re: [SR-Users] Question about encryption with Kamailio