OpenSIPS Workshop

Slides from a workshop which took place at ElastixWorld 2013.

Published in: Technology

  1. AG Projects SIP Infrastructure Experts: Workshop. Adrian Georgescu @agprojects, Saúl Ibarra Corretgé @saghul. Monday, October 21, 2013
  2. Hello!
      • AG Projects, 10+ years of experience
      • Software development for SIP infrastructures
      • Blink (and many other projects!)
      • Open Source
  3. Commercial Products
      • MSP and SIP Thor - Turnkey SIP platforms
      • Blink - SIP Client for OSX, Linux and Windows

      Self-organizing SIP Infrastructure
      • Self-organizing
      • Horizontally scalable
      • Built-in disaster recovery
      • No single point of failure
      • Maintenance free

      Multiple Roles
      • SIP Proxy/Registrar
      • RTP Media relay
      • Presence Agent
      • XCAP server
      • Voicemail
      • Provisioning

      [Diagram labels: Node 1 to Node 6, DB, Internet, SIP User Agents, NAT, SIP, RTP]

      User agents need only RFC3263 support (locating SIP services using DNS lookups)
  5. We like questions, interrupt us!
  6. What is OpenSIPS?
      • Open Source SIP Server
      • It does SIP, just SIP
      • Proxy, registrar, B2BUA, ...
  7. Possible deployment scenarios
      • Load balancer
      • Edge proxy
      • Proxy / registrar
      • LCR gateway
      • Presence Agent
  13. 1. Keep the core proxy as lean as possible
      • Edge proxy
      • Sanity checks
      • NAT traversal
      • Forward to core proxy
  14. • Core proxy
      • Main routing logic
      • User lookup
      • Route request to destination
  15. Using Path support
      • RFC 3327
      • Keep the edge proxy always in the path
      • Always route requests through it (also outgoing)
  16. Using Path support

      ```
      …
      loadmodule "rr.so"
      loadmodule "registrar.so"
      loadmodule "path.so"
      …
      modparam("path", "use_received", 1)
      …
      # On the edge proxy
      if (method == "REGISTER") {
          if (!add_path_received("edge-in"))
              sl_send_reply("503", "Internal Path Error");
          ...
      }

      # On the core proxy
      if (method == "REGISTER") {
          …
          save("location", "p2v");
      }
      ```
  17. NAT traversal
      • Always apply NAT traversal techniques
      • Chances of not needing them are too low
      • But do not break ICE
  19. NAT traversal

      ```
      # Fix signaling
      if (method != "REGISTER" && client_nat_test("3")) {
          fix_contact();
      }

      if ((method=="REGISTER" || method=="SUBSCRIBE" ||
          (method=="INVITE" && !has_totag())) && client_nat_test("3")) {
          nat_keepalive();
      }

      # Fix media
      if (method==INVITE && !has_totag()) {
          engage_media_proxy();
      }
      ```
  20. 2. Keep your configuration tidy
      • Use a version control system such as git
      • Separate logical sections in different files
      • Use a template language to help you
      • Handle each method separately
  21. Handle each SIP method separately

      ```
      ...
      if (method == "REGISTER") {
          ...
      } else if (method == "INVITE") {
          ...
      } else if (method == "SUBSCRIBE") {
          ...
      } else if (method == "PUBLISH") {
          ...
      ...
      ```
  22. Using jcfg
      • https://github.com/saghul/jcfg
      • Uses Jinja templates for generating config files
  23. Using jcfg

      Template (opensips.tpl):

      ```
      # TCP
      {% if use_tcp %}
      disable_tcp=no
      {% for listener in tcp_listeners %}
      listen=tcp:{{ listener }}
      {% endfor %}
      {% else %}
      disable_tcp=yes
      {% endif %}
      ```

      Context (settings.py):

      ```
      context = {
          # UDP
          'udp_listeners': ['127.0.0.1:5060', '127.0.0.1:5080'],
          # TCP
          'use_tcp': True,
          'tcp_listeners': ['127.0.0.1:5060', '127.0.0.1:5080']
      }
      ```

      Generating the configuration:

      ```
      jcfg --input opensips.tpl --output opensips.cfg --context settings.py
      ```
  24. 3. Fraud is unavoidable, deal with it
      • Usage quotas per user, per day / month
      • Implement a quick way for switching off an account
      • Blacklist premium numbers
      • Nobody calls to Antarctica, really
      • Limit number of concurrent calls
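
The quota, switch-off and blacklist points from slide 24, sketched as a pre-routing check. This is an added example, not code from the slides or from OpenSIPS; the class and function names, the prefixes, the quota value and the `00` international prefix are assumptions.

```python
import re
from collections import defaultdict

# Constructed prefixes in bare E.164 digits; placeholders, not a real rate deck.
BLOCKED_PREFIXES = ("1900", "672")

def normalize(dialed):
    """Strip separators and a leading '+' or '00' (assumed international
    prefix) so that formatting variations cannot sidestep the blacklist."""
    digits = re.sub(r"[\s().-]", "", dialed)
    if digits.startswith("+"):
        return digits[1:]
    if digits.startswith("00"):
        return digits[2:]
    return digits

class FraudGuard:
    """Hypothetical pre-routing check: kill switch, blacklist, daily quota."""

    def __init__(self, daily_quota=3600):        # seconds per user per day
        self.daily_quota = daily_quota
        self.disabled = set()                    # accounts switched off
        self.used = defaultdict(int)             # (user, day) -> seconds used

    def disable(self, user):
        self.disabled.add(user)                  # takes effect on the next call

    def record(self, user, seconds, day):
        self.used[(user, day)] += seconds        # call when a call ends

    def authorize(self, user, dialed, day):
        """Return (allowed, reason, max_seconds) for a new call attempt."""
        if user in self.disabled:
            return (False, "account disabled", 0)
        if normalize(dialed).startswith(BLOCKED_PREFIXES):
            return (False, "blocked destination", 0)
        remaining = self.daily_quota - self.used[(user, day)]
        if remaining <= 0:
            return (False, "quota exhausted", 0)
        return (True, "ok", remaining)           # cap the call at what is left
```

The third element of the result is the time left in the day's quota, which the caller can use as a maximum call duration.
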
  25. 4. Apply common sense sec. measures
      • ‘1234’ is not a password, it’s a joke
      • Different credentials for SIP and for web configuration tools
      • Detect multiple authentication failures
      • Discard well known bad UAs
      • ‘friendly-scanner’ anyone?
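
One way to act on slide 25's "detect multiple authentication failures" and "discard well known bad UAs" points: a per-source sliding window over failed authentications combined with a User-Agent screen. This is an added example, not code from the slides or from OpenSIPS; the names, thresholds and sample REGISTER are assumptions, and only 'friendly-scanner' comes from the slide.

```python
import re
from collections import defaultdict, deque

# Only 'friendly-scanner' is named on the slide; extend the pattern as needed.
BAD_UA = re.compile(r"friendly-scanner", re.IGNORECASE)

def user_agent(sip_message):
    """Return the User-Agent value of a raw SIP message ('' if absent)."""
    for line in sip_message.split("\r\n")[1:]:
        if not line:                      # blank line ends the headers
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "user-agent":
            return value.strip()
    return ""

class AuthWatch:
    """Hypothetical helper: per-source sliding window of failed authentications."""

    def __init__(self, max_failures=5, window=60):   # assumed thresholds
        self.max_failures, self.window = max_failures, window
        self.failures = defaultdict(deque)            # src_ip -> failure times
        self.blocked = set()

    def inspect(self, now, src_ip, sip_message, auth_failed):
        """Return 'drop' or 'pass'. auth_failed means the request carried
        credentials and they were rejected (not the initial 401 challenge)."""
        if src_ip in self.blocked:
            return "drop"
        if BAD_UA.search(user_agent(sip_message)):
            self.blocked.add(src_ip)
            return "drop"
        if auth_failed:
            times = self.failures[src_ip]
            times.append(now)
            while now - times[0] > self.window:       # expire old failures
                times.popleft()
            if len(times) >= self.max_failures:
                self.blocked.add(src_ip)
                return "drop"
        return "pass"

def sample_register(ua):
    """Constructed REGISTER request; example.com is a placeholder domain."""
    return ("REGISTER sip:example.com SIP/2.0\r\n"
            "To: <sip:alice@example.com>\r\n"
            f"User-Agent: {ua}\r\nContent-Length: 0\r\n\r\n")
```

Many users can share one source address behind NAT, so a deployment may prefer to key the window on source address and username together, and to expire entries from the blocked set after a while.
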
  26. Mitigating signaling attacks

      ```
      if (has_totag()) {
          # in-dialog request
          if (!validate_dialog())
              fix_route_dialog();
          ...
      }
      ```
  27. Call limit with CallControl

      ```
      if (method==INVITE && !has_totag()) {
          $avp(cc_call_limit) := 10;
          $avp(cc_call_token) := $RANDOM;
          call_control();
          switch ($retcode) {
              case 2:
                  # Call with no limit
              case 1:
                  # Call has limit and is under callcontrol management
                  break;
              case -1:
                  # Not enough credit (prepaid call)
                  sl_send_reply("402", "Not enough credit");
                  exit;
              case -2:
                  # Locked by another call in progress (prepaid call)
                  sl_send_reply("403", "Call locked by another call in progress");
                  exit;
              case -3:
                  # Duplicated callid
                  sl_send_reply("400", "Duplicated callid");
                  exit;
              case -4:
                  # Call limit reached
                  sl_send_reply("503", "Too many concurrent calls");
                  exit;
              default:
                  # Internal error (message parsing, communication, ...)
                  sl_send_reply("500", "Internal server error");
                  exit;
          }
      }
      ```
  28. Using the new Event Interface

      ```
      …
      loadmodule "event_datagram.so"
      …
      # Subscribe to the E_PIKE_BLOCKED event

      # Raise your own events from the routing script
      $avp(s:attr) = "number";
      $avp(s:val) = 0;
      $avp(s:attr) = "string";
      $avp(s:val) = "dummy value";
      raise_event("E_DUMMY", $avp(s:attr), $avp(s:val));
      ```
  29. BYE
      • Keep configuration simple
      • Apply Common Sense (TM)
      • Be prepared to deal with fraud and failure
  30. Questions? @agprojects @saghul