[Serusers] iptel.org: where do you go: SLAMP and "SIP Akamai"
Jiri Kuthan
jiri at iptel.org
Tue Jul 1 08:00:45 CEST 2008
Hello all,
I wanted to share with everyone else my opinion on where SER and/or
iptel.org is going, and ask folks for opinion and testing the new
features mentioned below. Shortly I think the key goals on the software
side are SLAMP bundling, security and performance. On the operational
side, the technology is getting to a place which I like to call "akamai
of sip" ... world-wide distributed reliable SIP network.
- BUNDLING. I'm a strong believer in SLAMP ... SER/SEMS/SERWEB -- Linux
-- Apache -- Mysql -- Perl/Python/PHP. It is the software mesh-up that
actually allows to build a variety of web applications. We now have
SIPSAK, SERWEB and SEMS well synchronized and working with each other.
SER has advanced on the packaging side to provide out-of-the-box
experience: we have a very complete configuration file (OOB) dealing
with most common real-world scenarios, we have all-in-one packaging that
puts all the pieces in a single box. (see below for more).
- SECURITY: Enormous attention has been paid to it. Actually I have
contracted a security review, TCP code known to be easily vulnerable to
blocking attacks has been made more robust, and SER now implements
predictive nonces to deal with replay attacks mounted on digest
authentication. Support for Identity (see below and RFC4474) has been
extensively tested in Sipits. In fact, I consider lack of Internet-wide
notion of identity one of the greatest hassles in the Internet and this
is our modest contribution to address that.
- PERFORMANCE. This can be never appreciated enough. While SER can
easily serve quite large populations on commodity hardware, the real
challenge is in fact dealing with abnormalities. This includes boot
avalanches of SIP telephones, misconfigurations, unsolicited traffic,
simply all the things you never wish to happen. Still they do. Currently
the bottleneck turned out to be database, which has been greatly improved.
It is worthwhile mentioning we eat our own dog's food ... the public
iptel.org service is powered by SLAMP. I'm working with my colleagues on
advanced concepts that allow to deal with massive geographic dispersion
(akamai-like experience), routing, etc. See below for more.
OOB
-----
* Features
First -- OOB, which stands for out-of-the-box, and is a very exhaustive
configuration of SER (we might have called it all-you-can-eat) , dealing
with most of common features/problems:
- NAT traversal
- basic call services (variants of call forwarding, speed-dial)
- multidomain hosting
- gateway routing and gateway protection
* Requirements
OOB is available for SER 2.0 and higher, as it leverages some of the key
SER features coming up with this thoroughly overhauled version. There is
also OOB debian package for it -- note that it only includes SER without
supporting packages such as mysql and rtp proxy.
* Roadmap
- even more security (rate-limit, identity, permissions) Most important
to me appears Identity support. Given that lack of some credible notion
of identity is causing a lot of mess, I think it is time to begin using
verifiable identity with SIP. SER supports Identity (RFC4474) since
quite a while and has been tested in sipits for it. Also on the security
page, I think the famous module rate-limit shall appear in OOB rather
soon than late.
* Source:
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/etc/ser-oob.cfg?rev=HEAD&content-type=text/vnd.viewcvs-markup
ai1
----
* Features
All-in-one is an attempt to bring all related packages on a single
box using a simple installation procedure. The metapackage includes SER,
SEMS, SERWEB, SER_CTL. It is in its very early stage, so please help by
testing it.
* Requirements
debian. There is currently no other system supported.
* To use it:
- put the iptel.org debian package repository in your source.list:
    deb http://ftp.iptel.org/debian etch main cvs
- update package list and repositories:
    apt-get update; apt-get upgrade
- set appropriate reconfiguration level to *medium*
    dpkg-reconfigure
- install ai1
    apt-get install ai1
* Known limitations
It is really just finished and only little tested. Please help
testing and collecting the initial experience.
Other semi-news
---------------
While there are interesting periodic Talmudic discussions when 2.0 shall
be labeled as "released", there is a lot of good work going on with SER
2.1 (the "HEAD version"). Let me make a "sales pitch" for at least some
parts of it which have so far made it to CVS.
A very important change is the DB-API overhaul. For those of you who
are running deployments which are a bit "dense", it is certainly no
secret that database matters. In fact, it is not unusual to have about
seven database transactions for a single SIP invite transaction. Thus
database has a huge impact on performance, and if database is for
whatever reason lame, so will be soon everything else. A large portion
of all major failures I have witnessed were someway related to
databases. The DB-API performs very well and is ready to be used with
real-time databases. Also a new LDAP module has been contributed (single
DB driver for all modules, not like at this moment yet radius-based
modules for different functionalities).
It is also important to realize that well-done database engine is the
key instrument for integrating applications (or if you wish to use this
horrible buzzword, databases are great *middleware*.) The thing is that
in reality it is mysql and other noble databases that connect
applications (such as SER) with web-front-ends (such as SERWEB), CLIs
(such as SERCTL) and any other thinkable applications. Personally I
think that middleware technologies such as "corba" have actually not
achieved such an impact as good open databases did -- long live SLAMP.
On the "application-mash-up side", another step is going to be
single-sign-on. I believe this will be very useful in integrating SIP,
and serweb with other applications, such as address books. Our esteemed
serweb author is working on it hard right now.
New configuration framework is an extremely useful thing -- now many
things can be easily managed in SER in real-time without the need to
restart the server.
http://sip-router.org/browser/ser/doc/cfg.txt?rev=6627%3A746a56c7a1f4
An extremely long list of useful features and fixes have appeared on
CVS, be blessed all who have contributed to keeping SER a well-oiled
machine by adding all these laborious changes. I apologize to all the
authors for not mentioning all the important contributions, this email
just began to be more lengthy than I hoped for.
http://cvs.berlios.de/cgi-bin/viewcvs.cgi/ser/sip_router/NEWS?rev=HEAD&content-type=text/vnd.viewcvs-markup
Also as you know, there is a SER book, alas only in German now:
http://www.amazon.de/Internet-Telefonie-VoIP-mit-Asterisk-SER/dp/3937514163
iptel.org setup
----------------
I think the iptel.org running SIP service deserves some extra attention.
In the future I actually plan to "fork" a new mailing list, so that
folks can better separate debates related to the software and to the
running service.
In the heart of the service, there is SER running (CVS/HEAD version).
With SER, we have many useful features:
- have-my-domain ... folks can claim, administer and run their own domains
- BETA: Akamai-like services for selected hosted domains. Briefly, it
allows subscribers to be served by a server close to them. Particularly
beneficial for media relay.
- media services: 1000 at iptel.org ... voicemail, 000777 prefix ...
conference bridge; there is also zRTP-secured confidential conferencing
service
- subscriber provisioning (domain owners can largely manipulate
structure user profiles)
- multiple identities (00 prefix) allows you to terminate SIP calls
using alternate accounts preconfigured in user profile
- monitoring (administrator tool which is essential to keep the service
healthy)
- massive routing administrator provisioning
Of course not all of it is achieved using SER alone -- that's where the
SLAMP concept comes in. Media services are powered by SEMS,
Web-provisioning is achieved using SERWEB. Even proprietary components
fit in very well, such as the monitoring box (palladion), load-balancer
and one private SER extension (the massive route provisioning).
notes to openser users
----------------------
stay tuned. whereas all the development mentioned here relates to SER,
I'm confident they will make their way to openser as well. We had
recently a very open (:-)) meeting with openser advocate, Henning W. and
there was quite a lot of good will to exchange. See
http://openser.org/pipermail/devel/2008-June/013880.html