Re: [SR-Users] Question about encryption with Kamailio

2011-08-19 Thread margot.basa

Hello all,

Thanks Klaus for your answer, it helps me a lot !!
For my configuration, do I need to install a database ?
After doing some research, I think for routing purposes a database is not 
needed...

Thank you very much for your input,
Regards



> Message of 13/08/11 08:38
> From: "Klaus Darilion"
> To: sr-users@lists.sip-router.org
> Cc:
> Subject: Re: [SR-Users] Question about encryption with Kamailio
>
>
>
> On 12.08.2011 14:56, margot.basa wrote:
> > Hello all,
> >
> > I would like to use Kamailio to encrypt contents of SIP messages (using
> > SIP TLS) between 2 endpoints, i.e.:
> > - To use 5061 port instead of 5060 port,
> > - To use sips uri instead of sip uri...
> >
> > For example, T1 and T2 communicate with "Server A" like that:
> > 1) T1 and T2 send REGISTER to "Server A"
> > 2) T1 and T2 received 200 OK from "Server A"
> > ...
> > 3) "Server A" sends an INVITE message to T1 and T2
> > ...
> > 4) RTP flow between T1 and T2 (this should not be encrypted)
> > ...
> > 5) "Server A" sends a BYE request to T1 and T2
> > ...
> >
> > All those exchanges are made on Transport layer TCP or UDP on port 5060.
> > T1 and T2 are not able to support TLS but "Server A" needs to
> > receive/send messages in SIP TLS.
> > I would like to insert Kamailio between T1 and "Server A", T2 and
> > "Server B" in order to encrypt contents of SIP messages.
> >
> > I have some questions about that:
> > - I think Kamailio can do that but I am not sure, can you confirm that
> > to me please?
>
> Yes, you can do that with Kamailio
>
> > - Can I use Kamailio as it is to do that?
>
> Almost yes. You only have to load the TLS module and tell Kamailio to
> listen on port 5061 for TLS.
>
> Probably some modifications to the default configuration are needed.
>
> > - Do I have to add a "Route" header in requests in order that requests
> > between T1 and "Server A" go through Kamailio
>
> Yes. When record-routing is activated (it is activated in the default
> config), all in-dialog requests (ACK, reINVITE, BYE) will be routed
> automatically via Kamailio.
>
> The more complicated part will be the initial requests (REGISTER,
> INVITE). Requests from the clients to the server are quite easy to handle:
>
> if (src_ip != ip.address.of.server) {
>     # request did not come from the server: relay it to the server over TLS
>     $du = "sip:ip.address.of.server;transport=tls";
>     t_relay();
> }
>
> Complicated are INVITEs from the server to the client. Usually during
> registration the server stores the contact information of the client, to
> send incoming calls to this address. This is either the information in
> the Contact header, or the IP address:port from which the REGISTER was
> received (if the server performs NAT traversal).
>
> Both cases are bad - as the server should send the request to Kamailio,
> but Kamailio needs to know where to forward the request.
>
> The proper solution is using "Path" -> see documentation of the Path
> module. If your server supports "Path", then you are finished.
>
> If your server does not support Path, there are 2 approaches:
>
> A) The server stores the Contact, but sends the INVITE requests always
> to Kamailio. Therefore, the server needs some kind of "outbound proxy"
> functionality.
>
> B) Kamailio stores the contact of the client, and forwards the REGISTER
> with a contact pointing to itself. Thus, server will lookup the client,
> finds the IP address of Kamailio and forwards the request. Then Kamailio
> again looks up the client in the location table and then forwards the
> request. This only works if Kamailio puts a unique identifier of the
> client into the username part of the Contact header.
>
>
> > - Is Kamailio able to intercept SIP packets automatically (with a
> > certain configuration)?
>
> No. Other nodes have to send SIP messages to Kamailio. This is why
> record-routing is needed to tell the other clients to route in-dialog
> requests via Kamailio too.
>
> > - Do you know the difference between Freeswitch and Kamailio? (because I
> > have seen that Freeswitch can do what I need:
> > see Figure4: http://wiki.freeswitch.org/wiki/SIP_TLS)
>
> No.
>
> Klaus
>
> >
> > Thank you very much for your input.
> > Regards
> >
> > ___
> > SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> > sr-users@lists.sip-router.org
> > http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
>


Re: [SR-Users] Question about encryption with Kamailio

2011-08-12 Thread Klaus Darilion



On 12.08.2011 14:56, margot.basa wrote:

> Hello all,
>
> I would like to use Kamailio to encrypt contents of SIP messages (using
> SIP TLS) between 2 endpoints, i.e.:
> - To use 5061 port instead of 5060 port,
> - To use sips uri instead of sip uri...
>
> For example, T1 and T2 communicate with "Server A" like that:
> 1) T1 and T2 send REGISTER to "Server A"
> 2) T1 and T2 received 200 OK from "Server A"
> ...
> 3) "Server A" sends an INVITE message to T1 and T2
> ...
> 4) RTP flow between T1 and T2 (this should not be encrypted)
> ...
> 5) "Server A" sends a BYE request to T1 and T2
> ...
>
> All those exchanges are made on Transport layer TCP or UDP on port 5060.
> T1 and T2 are not able to support TLS but "Server A" needs to
> receive/send messages in SIP TLS.
> I would like to insert Kamailio between T1 and "Server A", T2 and
> "Server B" in order to encrypt contents of SIP messages.
>
> I have some questions about that:
> - I think Kamailio can do that but I am not sure, can you confirm that
> to me please?


Yes, you can do that with Kamailio


> - Can I use Kamailio as it is to do that?


Almost yes. You only have to load the TLS module and tell Kamailio to 
listen on port 5061 for TLS.


Probably some modifications to the default configuration are needed.


> - Do I have to add a "Route" header in requests in order that requests
> between T1 and "Server A" go through Kamailio


Yes. When record-routing is activated (it is activated in the default 
config), all in-dialog requests (ACK, reINVITE, BYE) will be routed 
automatically via Kamailio.


The more complicated part will be the initial requests (REGISTER, 
INVITE). Requests from the clients to the server are quite easy to handle:


if (src_ip != ip.address.of.server) {
    # request did not come from the server: relay it to the server over TLS
    $du = "sip:ip.address.of.server;transport=tls";
    t_relay();
}

Complicated are INVITEs from the server to the client. Usually during 
registration the server stores the contact information of the client, to 
send incoming calls to this address. This is either the information in 
the Contact header, or the IP address:port from which the REGISTER was 
received (if the server performs NAT traversal).


Both cases are bad - as the server should send the request to Kamailio, 
but Kamailio needs to know where to forward the request.


The proper solution is using "Path" -> see documentation of the Path
module. If your server supports "Path", then you are finished.


If your server does not support Path, there are 2 approaches:

A) The server stores the Contact, but sends the INVITE requests always
to Kamailio. Therefore, the server needs some kind of "outbound proxy"
functionality.


B) Kamailio stores the contact of the client, and forwards the REGISTER 
with a contact pointing to itself. Thus, server will lookup the client, 
finds the IP address of Kamailio and forwards the request. Then Kamailio 
again looks up the client in the location table and then forwards the 
request. This only works if Kamailio puts a unique identifier of the
client into the username part of the Contact header.




> - Is Kamailio able to intercept SIP packets automatically (with a
> certain configuration)?


No. Other nodes have to send SIP messages to Kamailio. This is why 
record-routing is needed to tell the other clients to route in-dialog 
requests via Kamailio too.



> - Do you know the difference between Freeswitch and Kamailio? (because I
> have seen that Freeswitch can do what I need:
> see Figure4: http://wiki.freeswitch.org/wiki/SIP_TLS)


No.

Klaus



> Thank you very much for your input.
> Regards







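
One way to combine the steps from the reply above (TLS listener on 5061, relay to the server with `$du`, Path on REGISTER, record-routing for dialogs) is sketched here as an added example; it is not from the thread or from the Kamailio project. The addresses, certificate paths and the assumption that the server supports Path are illustrative.

```kamailio
# Added example. 192.0.2.10 = "Server A"; 10.0.0.1 / 192.0.2.1 = Kamailio.
# All addresses and file paths are constructed placeholders.
listen=udp:10.0.0.1:5060        # cleartext side, towards T1/T2
listen=tcp:10.0.0.1:5060
listen=tls:192.0.2.1:5061       # TLS side, towards the server
enable_tls=yes

loadmodule "tls.so"
loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "path.so"

modparam("tls", "private_key", "/etc/kamailio/tls/key.pem")
modparam("tls", "certificate", "/etc/kamailio/tls/cert.pem")
modparam("tls", "ca_list", "/etc/kamailio/tls/ca.pem")
modparam("tls", "verify_certificate", 1)  # reject a peer cert the CA list does not cover

request_route {
    # In-dialog requests (ACK, re-INVITE, BYE) follow the Route set built
    # from the Record-Route headers added below.
    if (has_totag()) {
        if (loose_route()) {
            t_relay();
        } else if (!is_method("ACK")) {
            sl_send_reply("404", "Not here");
        }
        exit;
    }
    if (src_ip != 192.0.2.10) {
        # Initial request from a client: relay to the server over TLS.
        if (is_method("REGISTER")) {
            add_path();       # server must support Path (RFC 3327)
        } else {
            record_route();
        }
        $du = "sip:192.0.2.10:5061;transport=tls";
        t_relay();
        exit;
    }
    # Initial request from the server: with Path it carries a Route header
    # naming this proxy; loose_route() consumes it and the Request-URI
    # (the client's Contact) becomes the destination.
    if (!loose_route()) {
        sl_send_reply("403", "Route via Path required");
        exit;
    }
    record_route();
    t_relay();
}
```

Without `verify_certificate` and a CA list, the TLS leg is encrypted but the gateway does not authenticate the server it hands the clients' signalling to.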


[SR-Users] Question about encryption with Kamailio

2011-08-12 Thread margot.basa
Hello all,

I would like to use Kamailio to encrypt contents of SIP messages (using SIP 
TLS) between 2 endpoints, i.e.:
- To use 5061 port instead of 5060 port,
- To use sips uri instead of sip uri...

For example, T1 and T2 communicate with "Server A" like that:
1) T1 and T2 send REGISTER to "Server A"
2) T1 and T2 received 200 OK from "Server A"
...
3) "Server A" sends an INVITE message to T1 and T2
...
4) RTP flow between T1 and T2 (this should not be encrypted)
...
5) "Server A" sends a BYE request to T1 and T2
...

All those exchanges are made on Transport layer TCP or UDP on port 5060.
T1 and T2 are not able to support TLS but "Server A" needs to receive/send 
messages in SIP TLS.
I would like to insert Kamailio between T1 and "Server A", T2 and "Server B" in 
order to encrypt contents of SIP messages.

I have some questions about that:
- I think Kamailio can do that but I am not sure, can you confirm that to me 
please?
- Can I use Kamailio as it is to do that?
- Do I have to add a "Route" header in requests in order that requests between 
T1 and "Server A" go through Kamailio
or
- Is Kamailio able to intercept SIP packets automatically (with a certain 
configuration)?
- Do you know the difference between Freeswitch and Kamailio? (because I have seen 
that Freeswitch can do what I need:
see Figure4: http://wiki.freeswitch.org/wiki/SIP_TLS)

Thank you very much for your input.
Regards

