[sr-dev] Obscuring SIP traffic and using with NoSIP

Daniel-Constantin Mierla miconda at gmail.com
Wed Jul 30 12:40:40 CEST 2014


On 30/07/14 11:52, Muhammad Shahzad wrote:
> Thank you so much for this very useful information. I am working on 
> first approach for the moment since its much simpler and easier to 
> implement with only difference being that instead of per header or per 
> sdp line, i plan to do it in one go, i.e. get entire sip message in 
> $mb (sip message buffer), encrypt it and put it back in $mb.
>
> - i guess randomizing registration time is already provided by kamailio.
> - yes packet sizes are a concern, so i already have planned for random 
> padding as you mentioned.
>
> For client app, i have a developed a basic prototype based on doubango 
> framework. I am hopping to release a free and open source 
> implementation using idoubs within next couple of months on Apple app 
> store.
For a mobile device, an app is needed. But for a linux computer, it 
might works running a kamailio proxy there. Say you have many locations 
for a company, then within local network on each site can be sip and 
between sites, the encrypted signaling.

If kamailio uses a socket for clients and a socket for communicating 
with the other sides, then it is easy to tell to the new module for 
which socket should do encryption/decryption. Alternative is to provide 
either local network address or remote site address and match on src 
ip/dst ip.

Cheers,
Daniel

>
> Thank you.
>
>
>
>
> On Wed, Jul 30, 2014 at 12:22 PM, Daniel-Constantin Mierla 
> <miconda at gmail.com <mailto:miconda at gmail.com>> wrote:
>
>
>     On 30/07/14 06:37, Muhammad Shahzad wrote:
>>     Humm, no reply so far, may be because my email was very long and
>>     no body bothered to read it all. Anyways, here is the shorter
>>     more direct version of it. (including kamailio dev list, since
>>     question is rather technical).
>>
>>     Is it possible to implement a custom SIP transport in Kamailio
>>     script file i.e. kamailio.cfg. The purpose is to allow
>>     experimentation with custom encryption algorithms such as this,
>>
>>     https://github.com/mshary/itv
>>
>>     What we need is a couple of functions, one to receive incoming
>>     raw / encrypted data received on SIP socket, which then can be
>>     parsed / decrypted in kamailio.cfg (using e.g. LUA or PERL
>>     language modules etc.) and afterwords feed to kamailio for usual
>>     processing (as if it was normal / plain-text sip data received on
>>     sip socket). The second function to do the opposite, it receives
>>     the normal / plain-text sip data that is ready to be sent out
>>     from kamailio's core, encrypts it and then send it out to actual
>>     destination.
>>
>>     In case above is not possible. Can i do it in kamailio's native
>>     code? Any hooks / example code for reference?
>     If you look at encrypting sip messages, look at topoh module. You
>     can write a replacement for its hooks. Topoh is practically
>     decoding the headers and then lets the pure SIP message go through
>     config file execution. Before sending, it encodes the headers and
>     then let it go to the network.
>
>     This is something that should be rather straightforward to do if
>     you are familiar with C code.
>
>     You mentioned that using TLS can still reveal patters of being
>     sip. You have to think here of ways to obfuscate even in your case
>     of a new encryption method. What can be matched here:
>     - periodical registrations - you can have the client (or even the
>     server) to use different expires times for each registration
>     - size of packages, specially if user IDs are the same or similar
>     length (e.g., say everyone uses a 10 digit id), practically no
>     matter who is calling who, the size will be pretty much the same
>     because most of the phones I have seen so far use same set of
>     headers. Here you can add random custom headers for each packet. I
>     haven't checked the proposed encryption algorithm (some use random
>     blocks implicitly to pad the data), but eventually you can add
>     random data before and after the packet that you strip (and
>     re-add) in topoh-replacement module
>
>     The other option of having a totally different protocol than SIP
>     should be possible as well. But you need to re-implement a lot
>     (like location, authentication, ...). Look at msrp module for an
>     example. This may need to touch core code a bit.
>
>     Of course, in both cases, the client application has to be
>     developed as well. Perhaps still easier if going for first option,
>     by reusing some open source sip client and adding the
>     encapsulation/decapsulation layer when receiving/sending to network.
>
>     Cheers,
>     Daniel
>
>
>>
>>     Many thanks and kind regards for your help.
>>
>>
>>     On Mon, Jul 28, 2014 at 2:38 AM, Muhammad Shahzad
>>     <shaheryarkh at gmail.com <mailto:shaheryarkh at gmail.com>> wrote:
>>
>>         Hi,
>>
>>         As the mobile voip is getting more and more popular these
>>         days, there has been a strong opposition from GSM operators
>>         against mobile voip apps. They often use tactics like
>>         blocking voip ports, or detect and block voip traffic and in
>>         some cases restricting udp traffic altogether to very low
>>         upload and download speeds. See below link for some details,
>>
>>         http://www.linphone.org/eng/blog/linphone-over-3g.html
>>
>>         While not all the problems can be solved right now
>>         (especially the limiting udp traffic, since RTP always uses
>>         udp transport) I was wondering if we can at least handle the
>>         sip related problems. The most important of them is SIP
>>         traffic detection. While some forks would suggest using
>>         TCP/TLS to encrypt SIP traffic, it has a few problems, e.g.
>>
>>         1. It requires somewhat high resources on mobile devices, so
>>         many low-end android phones simply can't use it.
>>
>>         2. There is possibility that encryption signature may
>>         identify it as SIP traffic. There exists firewalls (often
>>         deployed in middle eastern countries) which have huge
>>         database of encryption signatures and patterns which although
>>         may not decrypt the sip packet but at least identify it as
>>         sip packet and block it.
>>
>>         Also with rough agencies of evil empires spying over millions
>>         of users worldwide makes the current encryption standards
>>         pretty much pointless, at least in terms of user privacy and
>>         network security. So there is a strong need to experiment
>>         with new ideas and concepts to regain internet freedom. Some
>>         of such ideas are,
>>
>>         1. Convert sip traffic which is plain text to binary format
>>         just before transmitting it and revert it to plain text upon
>>         reception.
>>
>>         2. XOR the sip traffic (pretty much same as binary sip).
>>
>>         3. Use some very lightweight but effective / non-standard
>>         encryption algorithm, e.g.
>>
>>         https://github.com/mshary/itv
>>
>>         All these ideas require that SIP server such as Kamailio is
>>         able to adopt to these, preferably with minimal or no change
>>         in native code. The NoSIP module seems an interesting module
>>         in this regard. It provides all traffic it thinks is not the
>>         SIP traffic to configuration script, where we can do our own
>>         parsing and do whatever we want with it. I have two questions
>>         about this,
>>
>>         1. If parsed message is SIP, we can we send it back to
>>         kamailio core to get it processed as if it is a normal SIP
>>         message received by kamailio?
>>
>>         2. Can this module or any other module available in kamailio,
>>         that can provide us full sip packet that is about to be
>>         transmitted over sip socket, so we can "encode" it just
>>         before it is sent to next hop?
>>
>>         I know this would be like writing a SIP transport in kamailio
>>         script which would be very tough if not impossible to
>>         implement in native core. But it will really help in winning
>>         the modern mobile voip challenges.
>>
>>         Thank you.
>>
>>
>>
>
>     -- 
>     Daniel-Constantin Mierla -http://www.asipto.com
>     http://twitter.com/#!/miconda  <http://twitter.com/#%21/miconda>  -http://www.linkedin.com/in/miconda
>
>

-- 
Daniel-Constantin Mierla - http://www.asipto.com
http://twitter.com/#!/miconda - http://www.linkedin.com/in/miconda

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.sip-router.org/pipermail/sr-dev/attachments/20140730/2bdb6890/attachment-0001.html>


More information about the sr-dev mailing list