[SR-Users] Kamailio as SBC
Ellad Yatsko
eyatsko at ngs.ru
Tue Oct 23 11:30:03 CEST 2018
Ok. Let's divide the overall task into several little steps.
I. How to implement the following:
- when Kamailio receives REGISTER from user in the Internet
- Kamailio rewrites IP/UDP headers - it acts with Asterisk on behalf
of User, Asterisk should know just Kamailio IP (add "Via"?)
- Kamailio remembers [somehow] this dialog (how?) and
- retransmits REGISTER to Asterisk
- on receiving Unauthorized Kamailio retransmits it to User - this is
an intermediate step, no action needed
- User repeats steps on Registration with the Nonce
- on receiving OK [from Asterisk] for the memorized dialog Kamailio
retransmits OK to User and composes User Location
- on receiving NOT FOUND, FORBIDDEN, etc Kamailio retransmits SIP
answer to User and after several unsuccessful attempts blocks User IP
- Fail2Ban completes the rest - inserts new rule
Every time Kamailio retransmits a SIP packet to the User from Asterisk it
HIDES topology (IP/UDP headers and all SIP-related Info from SIP
Packets). User should know just about Kamailio as about its counterpart.
How to track SIP REGISTER related messages inside Kamailio?
TO: Yu Boot - is it a "standalone" implementation? What do you think? :-)
Kind regards,
Ellad
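
One way to track the REGISTER exchange per transaction and count failures against the user's original source IP, as an added example that is not part of this message or of any reply in the thread. The upstream address 192.0.2.10, the table name `regfail`, the threshold of 5 and the log line format are assumptions; topology hiding and RTP proxying are not covered.

```cfg
#!KAMAILIO
# Added example: relay REGISTER to one upstream and act on its replies.
# Assumed values: upstream 192.0.2.10, table "regfail", threshold 5.
loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "pv.so"
loadmodule "xlog.so"
loadmodule "textops.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "htable.so"

# Per-source-IP failure counter; entries expire after 10 minutes.
modparam("htable", "htable", "regfail=>size=8;autoexpire=600;initval=0;")

request_route {
    # Drop sources that already reached the threshold.
    if ($sht(regfail=>$si) >= 5) {
        exit;
    }
    if (is_method("REGISTER")) {
        # AVPs set before t_relay() stay attached to the transaction,
        # so the reply route can recover the user's address.
        $avp(uip) = $si;
        $du = "sip:192.0.2.10:5060";
        t_on_reply("REG_REPLY");
        if (!t_relay()) sl_reply_error();
        exit;
    }
    sl_send_reply("405", "Method Not Allowed");
}

# Runs for every reply to the relayed REGISTER. Here $si is the upstream,
# which is why the user's IP is read from the AVP instead.
onreply_route[REG_REPLY] {
    if ($rs == 200) {
        save("location");                    # bindings taken from the 200 OK
        $sht(regfail=>$avp(uip)) = $null;    # success clears the counter
    } else if ($rs == 403 || $rs == 404) {
        $var(n) = $shtinc(regfail=>$avp(uip));
        # Single-line record for a Fail2Ban filter to match.
        xlog("L_ALERT", "regfail ip=$avp(uip) status=$rs count=$var(n)\n");
    }
    # 401/407 challenges fall through uncounted and are relayed as-is.
}
```
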
22.10.2018 20:16, Yu Boot wrote:
> I can help you with cfg, if you're ready to implement standalone
> softswitch on your Kamailio :)
>
>
> 22.10.2018 17:21, Ellad Yatsko wrote:
>> May you help?.. :-)
>>
>> Kind regards,
>> Ellad
>>
>> 22.10.2018 17:12, Alex Balashov wrote:
>>> I did not say that my article represents a complete answer to every part
>>> of every one of your questions, at every level of abstraction and
>>> specificity. Just that it might be helpful. :-)
>>>
>>> On Mon, Oct 22, 2018 at 04:40:03PM +0300, Ellad Yatsko wrote:
>>>
>>>> Dear Alex,
>>>>
>>>> your article is just "general words". :-) There are a couple of questions:
>>>>
>>>> - can my "vision" be completed?
>>>> - how can it be implemented?
>>>>
>>>> The major problem as I see it is to modify the algorithm so Kamailio will
>>>> not check the database but will lean on the answers of its upstream to
>>>> generate UL. It should not BALANCE, just forward SIP traffic, ANALYZE
>>>> answers of the Upstream SIP-Server, make decisions about attacks and PROXY
>>>> RTP. It should be a clearer definition of what I would like to achieve.
>>>>
>>>> I could be confused about the exact terminology of "Session Border
>>>> Controller". But I'd like to implement FRAUD/BruteForce protection of my
>>>> Asterisk using Kamailio (in the middle) because I heard it is highly
>>>> effective from the point of view of heavy loads. Asterisk might not bear
>>>> "tons" of SIP requests (dialogs).
>>>>
>>>>
>>>>
>>>> Kind regards,
>>>> Ellad
>>>>
>>>>
>>>> 22.10.2018 12:07, Alex Balashov wrote:
>>>>> I hate to plug my own articles, but in this case it might help:
>>>>>
>>>>> http://www.evaristesys.com/blog/kamailio-as-an-sbc-five-years-on/
>>>>>
>>>>> --
>>>>> Sent from mobile. Apologies for brevity and errors.
>>>>>
>>>>> -----Original Message-----
>>>>> From: Ellad Yatsko <eyatsko at ngs.ru>
>>>>> To: sr-users at lists.kamailio.org
>>>>> Sent: Mon, 22 Oct 2018 3:28 AM
>>>>> Subject: [SR-Users] Kamailio as SBC
>>>>>
>>>>> Hello!
>>>>>
>>>>> I'd like to implement the following diagram:
>>>>>
>>>>> Users -> Internet -> Kamailio -> Asterisk
>>>>>
>>>>> 1. Kamailio has no users of its own, it just re-writes headers and re-sends
>>>>> REGISTER messages to Asterisk where users are located.
>>>>>
>>>>> 2. Depending on Asterisk's answers Kamailio either forms UL (using the
>>>>> original IP from the first, original REGISTER from Users) or translates
>>>>> Asterisk's answer back to Users. If it is an error (e.g.
>>>>> forbidden/notfound) Kamailio blocks User's IP (for instance using the pike
>>>>> module) and Fail2Ban adds the affected IP into IPSet's List to block it by
>>>>> IPTables Permanently.
>>>>>
>>>>> 3. INVITEs are translated to Asterisk as to the only Upstream
>>>>> SIP-Server. And again Errors from Asterisk are processed in the same way
>>>>> as Bad REGISTERs. Pike in conjunction with IPSet/IPTables blocks affected
>>>>> IPs.
>>>>>
>>>>> 4. Asterisk sees all registrations from Internet users as they are
>>>>> directly behind Kamailio. Kamailio rewrites headers twice: from Users to
>>>>> Asterisk and from Asterisk to Users - this allows hiding topology from
>>>>> users (they deal ONLY with Kamailio) and blocking non-static IPs on the
>>>>> Asterisk's side.
>>>>>
>>>>> Is this possible?
>>>>>
>>>>> Kind regards,
>>>>> Ellad Yatsko
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Kamailio (SER) - Users Mailing List
>>>>> sr-users at lists.kamailio.org
>>>>> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users