[SR-Users] Kamailio as SBC

Ellad Yatsko eyatsko at ngs.ru
Mon Oct 22 15:40:03 CEST 2018 

Dear Alex,

your article is just "general words". :-) There is a couple of questions:

  - can my "vision" be completed?
  - how can it be implemented?

The major problem as I see is to modify algorithm so Kamailio will not check
database but will lean on answers of its upstream to generate
UL. It should not BALANCE, just forward SIP traffic, ANALYZE answers of
Upstream
SIP-Server, make decision about attacks and PROXY RTP. It should be more
clear
definition what I would like to achieve.

I could be confused about exact terminology of "Session Border Controller".
But I'd like to implement FRAUD/BruteForce protection of my Asterisk using
Kamailio (in the middle) because I heard it highly effective in the point
of view of heavy loads. Asterisk might not bear a "tons" of SIP requests
(dialogs).



Kind regards,
Ellad


22.10.2018 12:07, Alex Balashov пишет:
> I hate to plug my own articles, but in this case it might help:
>
> http://www.evaristesys.com/blog/kamailio-as-an-sbc-five-years-on/
>
> --
> Sent from mobile. Apologies for brevity and errors. 
>
> -----Original Message-----
> From: Ellad Yatsko <eyatsko at ngs.ru>
> To: sr-users at lists.kamailio.org
> Sent: Mon, 22 Oct 2018 3:28 AM
> Subject: [SR-Users] Kamailio as SBC
>
> Hello!
>
> I'd like to implement the following diagram:
>
>  Users  -> Internet -> Kamailio -> Asterisk
>
> 1. Kamailio has no own users, it just re-writes headers and re-send
> REGISTER messages to Asterisk where usres are located.
>
> 2. Depending on Astersisk's answers Kamailio either form UL (using
> original IP from the first, original REGISTER from Users) or translates
> Asterisk's answer back to Users. If it is error (e.g.
> forbidden/notfound) Kamailio blocks User's IP (for instance using pike
> module) and Fail2Ban adds affected IP into IPSet's List to block it by
> IPTables Permanently.
>
> 3. INVITEs are translated to Asterisk as to the only Upstream
> SIP-Server. And again Errors from Asterisk are processed in the same way
> as Bad REGISTERs. Pike in conjunction with IPSet/IPTables block affected
> IPs.
>
> 4. Astersisk sees all registrations from Internet user as they are
> directly behind Kamailio. Kamailio rewirtes headers twice: from Users to
> Asterisk and from Asterisk to Users - this allows to hide topology from
> users (they deal ONLY with Kamailio) and block non-static IPs on the
> Asterisk's side.
>
> Is this possible?
>
> Kind regards,
> Ellad Yatsko
>
>
>
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

More information about the sr-users mailing list