[SR-Users] Question about encryption with Kamailio

margot.basa margot.basa at laposte.net
Fri Aug 19 17:12:23 CEST 2011


Hello all,

Thanks Klaus for your answer, it helps me a lot!!
For my configuration, do I need to install a database?
After doing some research, I think for routing purposes a database is not needed...

Thank you very much for your input,
Regards



> Message of 13/08/11 08:38
> From: "Klaus Darilion"
> To: sr-users at lists.sip-router.org
> Cc:
> Subject: Re: [SR-Users] Question about encryption with Kamailio
>
>
>
> On 12.08.2011 14:56, margot.basa wrote:
> > Hello all,
> >
> > I would like to use Kamailio to encrypt contents of SIP messages (using
> > SIP TLS) between 2 endpoints, i.e.:
> > - To use 5061 port instead of 5060 port,
> > - To use sips uri instead of sip uri...
> >
> > For example, T1 and T2 communicate with "Server A" like that:
> > 1) T1 and T2 send REGISTER to "Server A"
> > 2) T1 and T2 receive 200 OK from "Server A"
> > ...
> > 3) "Server A" sends an INVITE message to T1 and T2
> > ...
> > 4) RTP flow between T1 and T2 (this should not be encrypted)
> > ...
> > 5) "Server A" sends a BYE request to T1 and T2
> > ...
> >
> > All those exchanges are made on Transport layer TCP or UDP on port 5060.
> > T1 and T2 are not able to support TLS but "Server A" needs to
> > receive/send messages in SIP TLS.
> > I would like to insert Kamailio between T1 and "Server A", T2 and
> > "Server B" in order to encrypt contents of SIP messages.
> >
> > I have some questions about that:
> > - I think Kamailio can do that but I am not sure, can you confirm that
> > to me please?
>
> Yes, you can do that with Kamailio
>
> > - Can I use Kamailio as it is to do that?
>
> Almost yes. You only have to load the TLS module and tell Kamailio to
> listen on port 5061 for TLS.
>
> Probably some modifications to the default configuration are needed.
>
> > - Do I have to add a "Route" header in requests in order that requests
> > between T1 and "Server A" go through Kamailio?
>
> Yes. When record-routing is activated (it is activated in the default
> config), all in-dialog requests (ACK, reINVITE, BYE) will be routed
> automatically via Kamailio.
>
> The more complicated part will be the initial requests (REGISTER,
> INVITE). Requests from the clients to the server are quite easy to handle:
>
> if (src_ip != ip.address.of.server) {
>     $du = "sip:ip.address.of.server;transport=tls";
>     t_relay();
> }
>
> Complicated are INVITEs from the server to the client. Usually during
> registration the server stores the contact information of the client, to
> send incoming calls to this address. This is either the information in
> the Contact header, or the IP address:port from which the REGISTER was
> received (if the server performs NAT traversal).
>
> Both cases are bad - as the server should send the request to Kamailio,
> but Kamailio needs to know where to forward the request.
>
> The proper solution is using "Path" -> see documentation of the Path
> module. If your server supports "Path", then you are finished.
>
> If your server does not support Path, there are 2 approaches:
>
> A) The server stores the Contact, but sends the INVITE requests always
> to Kamailio. Therefore, the server needs some kind of "outbound proxy"
> functionality.
>
> B) Kamailio stores the contact of the client, and forwards the REGISTER
> with a contact pointing to itself. Thus, server will lookup the client,
> finds the IP address of Kamailio and forwards the request. Then Kamailio
> again looks up the client in the location table and then forwards the
> request. This only works, if Kamailio puts a unique identifier of the
> client into the username part of the Contact header.
>
>
> > - Is Kamailio able to intercept SIP packets automatically (with a
> > certain configuration)?
>
> No. Other nodes have to send SIP messages to Kamailio. This is why
> record-routing is needed to tell the other clients to route in-dialog
> requests via Kamailio too.
>
> > - Do you know difference between Freeswitch and Kamailio? (because I
> > have seen that Freeswitch can do what I need:
> > see Figure4: http://wiki.freeswitch.org/wiki/SIP_TLS)
>
> No.
>
> Klaus
>
> >
> > Thank you very much for your input.
> > Regards
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> > sr-users at lists.sip-router.org
> > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
> 

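The setup Klaus describes (a TLS listener on 5061, client requests forwarded to the server over TLS, and Path for server-to-client requests), written out as a Kamailio configuration. This is an added example, not part of the original thread and not Kamailio's default configuration; it assumes the server honours Path, and the 192.0.2.x addresses and certificate paths are placeholders.

```kamailio
# Added example. Placeholders: 192.0.2.10 = this Kamailio, 192.0.2.20 = "Server A".
listen=udp:192.0.2.10:5060
listen=tcp:192.0.2.10:5060
listen=tls:192.0.2.10:5061
enable_tls=yes

loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "path.so"
loadmodule "tls.so"

modparam("tls", "certificate", "/etc/kamailio/tls/proxy-cert.pem")  # hypothetical path
modparam("tls", "private_key", "/etc/kamailio/tls/proxy-key.pem")   # hypothetical path
modparam("tls", "ca_list", "/etc/kamailio/tls/ca.pem")              # hypothetical path
modparam("tls", "verify_certificate", 1)  # verify the peer's certificate against ca_list
modparam("path", "use_received", 1)       # loose_route() takes the target from ;received=

request_route {
    # Requests carrying a Route to this proxy: in-dialog requests and
    # initial INVITEs that the server pre-loads from the stored Path.
    if (loose_route()) {
        route(RELAY);
        exit;
    }
    if ($si != "192.0.2.20") {
        # From T1/T2 (plain UDP/TCP): hand over to the server on TLS.
        if (is_method("REGISTER")) {
            add_path_received();  # server stores this Path with the contact
        }
        $du = "sip:192.0.2.20:5061;transport=tls";
        route(RELAY);
        exit;
    }
    # Initial request from the server without a Route: the client's
    # address is unknown here, so refuse rather than guess.
    sl_send_reply("403", "Path route required");
}

route[RELAY] {
    # Stay in the path of later in-dialog requests (ACK, re-INVITE, BYE).
    if (is_method("INVITE") && !has_totag()) {
        record_route();
    }
    if (!t_relay()) sl_reply_error();
}
```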