ClueCon 2019 – Chicago, IL
Three Ways Kamailio can Help Your FreeSWITCH Deployment
Who am I? Kama what?
1. Fred Posner
2. @fredposner
3. https://qxork.com
→ → kamailio.org ← ←
Recently launched v2.0
Agenda
1. Brief description of Kamailio
2. Use DISPATCHER for carrier and internal routing
3. Use PERMISSIONS instead of ACL
4. Use HTABLE for all the things
What is Kamailio?
Fred’s Phases of Learning SIP
1. WTF is this matrix shit?
2. Oh, it’s like HTTP
3. (After FreeSWITCH) Oh, I get it
4. SIP is pretty straight forward
5. (After Kamailio) oh dear god I was wrong
6. What level of hell is this?
7. Ok... I’m getting it again
8. One truly never knows everything about SIP
What is Kamailio?
● Very, very fast
● Hundreds of thousands of registrations
● 1000’s of cps (calls per second)
DISPATCHER
DISPATCHER Module
● SIP Load Balancer
● SIP Traffic Dispatcher
● Many algorithms (round robin, hashing on Call-ID / From / To / R-URI, weights, ...)
● Stateless (destination selection keeps no call state)
DISPATCHER Module
● Group nodes in logical sets
● Probing of nodes (actionable)
DISPATCHER Module
● Probing (OPTIONS pings) auto-detects failures
● A node can also be marked failed from the failure route based on the reply status code (5xx, 4xx, etc.)
● Fails over to the next node in the set
DISPATCHER Module
    route[DISPATCH] {
        # algorithm 4 = round robin over the nodes in set 1
        if(!ds_select_dst("1", "4")) {
            send_reply("404", "No destination");
            exit;
        }
        t_on_failure("RTF_DISPATCH");
        route(RELAY);   # route[RELAY] wraps t_relay(); defined elsewhere in the config
        exit;
    }

    failure_route[RTF_DISPATCH] {
        if (t_is_canceled()) {
            exit;
        }
        # 500 error, or timeout without any reply: try the next node in the set
        if (t_check_status("500")
                or (t_branch_timeout() and !t_branch_replied())) {
            if(ds_next_dst()) {
                t_on_failure("RTF_DISPATCH");
                route(RELAY);
                exit;
            }
        }
    }
➔
https://www.kamailio.org/docs/modules/stable/modules/dispatcher.html
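A fuller dispatcher setup, added here as an example rather than taken from the slides: the probing parameters, a constructed dispatcher.list with one set for the FreeSWITCH nodes and one for carriers, a DISPATCH route that picks the set from where the request came from, and a failure route that takes a failed node out of rotation instead of only trying the next one. Node addresses, thresholds, the probe From URI and route[RELAY] are assumptions, not the talk's values.

```kamailio
#!KAMAILIO
# DISPATCHER with probing and actionable failover (added example, not from
# the talk; addresses, thresholds and route[RELAY] are assumptions)
loadmodule "dispatcher.so"

modparam("dispatcher", "list_file", "/etc/kamailio/dispatcher.list")
# flags=2 enables failover: the remaining destinations of the set are kept in
# the xavps below so ds_next_dst() can pick the next one from failure_route
modparam("dispatcher", "flags", 2)
modparam("dispatcher", "xavp_dst", "_dsdst_")
modparam("dispatcher", "xavp_ctx", "_dsctx_")
# probe every node (mode 1) with OPTIONS every 30 s ...
modparam("dispatcher", "ds_ping_interval", 30)
modparam("dispatcher", "ds_probing_mode", 1)
modparam("dispatcher", "ds_ping_method", "OPTIONS")
modparam("dispatcher", "ds_ping_from", "sip:probe@kamailio.example.net")
# ... treating any 2xx, or a 403/404/501 (node is up, it just dislikes
# OPTIONS), as alive; three misses -> inactive, one success -> active again
modparam("dispatcher", "ds_ping_reply_codes", "class=2;code=403;code=404;code=501")
modparam("dispatcher", "ds_probing_threshold", 3)
modparam("dispatcher", "ds_inactive_threshold", 1)

# /etc/kamailio/dispatcher.list (constructed):  setid  destination  flags  priority
#   1 sip:10.10.0.11:5060 0 0      # FreeSWITCH node A   (set 1 = internal)
#   1 sip:10.10.0.12:5060 0 0      # FreeSWITCH node B
#   2 sip:203.0.113.10:5060 0 0    # carrier A           (set 2 = carriers)
#   2 sip:198.51.100.20:5060 0 0   # carrier B
# apply edits without a restart:  kamcmd dispatcher.reload
# inspect node state and flags:   kamcmd dispatcher.list

route[DISPATCH] {
    # requests from a FreeSWITCH node go out to the carriers, all others go in
    if (ds_is_from_list("1")) {
        $var(set) = "2";
    } else {
        $var(set) = "1";
    }
    if (!ds_select_dst("$var(set)", "4")) {   # round robin inside the set
        send_reply("503", "No destination available");
        exit;
    }
    t_on_failure("RTF_DISPATCH");
    route(RELAY);
    exit;
}

failure_route[RTF_DISPATCH] {
    if (t_is_canceled()) {
        exit;
    }
    # 500/503 from the node, or no reply at all: take it out of rotation
    if (t_check_status("(500)|(503)")
            or (t_branch_timeout() and !t_branch_replied())) {
        # "ip" = inactive + probing: the OPTIONS pings bring it back by themselves
        ds_mark_dst("ip");
        if (ds_next_dst()) {
            t_on_failure("RTF_DISPATCH");
            route(RELAY);
            exit;
        }
    }
}
```

The ds_is_from_list("1") check is also the trust boundary for outbound calls: only requests whose source address is in the FreeSWITCH set are ever sent towards a carrier, so a scanner that reaches Kamailio directly can only be routed inward, where it still has to pass authentication.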
PERMISSIONS
PERMISSIONS Module
• IP based ACL for:
  • Routing
  • Registrations
• URI permissions
• Address permissions
• Trusted requests
PERMISSIONS Module
BEFORE (FreeSWITCH acl.conf listing every trusted network itself):
    <configuration name="acl.conf" description="Network Lists">
      <network-lists>
        <list name="test1" default="deny">
          <node type="allow" cidr="1.2.3.0/24"/>
          <node type="allow" cidr="2.3.0.0/16"/>
          <node type="allow" cidr="3.4.5.6/32"/>
          <node type="allow" cidr="4.5.6.0/24"/>
        </list>
      </network-lists>
    </configuration>
AFTER (FreeSWITCH trusts only the Kamailio address; the per-network decisions move to Kamailio's PERMISSIONS module):
    <configuration name="acl.conf" description="Network Lists">
      <network-lists>
        <list name="test1" default="deny">
          <node type="allow" cidr="[kamailio]/32"/>
        </list>
      </network-lists>
    </configuration>
PERMISSIONS Module
● File or DB backed
● Can run by function or logical groupings (address groups)
● Matches on port, protocol and address
● Reloadable at runtime (kamcmd), no restart needed
PERMISSIONS Module
    # Check if source address/port is in group 1 of the address table
    if (!allow_address("1", "$si", "$sp")) {
        sl_send_reply("403", "Forbidden");
        exit;   # stop here, otherwise the rejected request keeps being routed
    }
    ...
    # source matches a row of the trusted table (src_ip, proto, From pattern)
    if (allow_trusted()) {
        t_relay();
    }
    ...
    if (allow_trusted("$si", "$proto")) {
        t_relay();
    }
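Putting the pieces of the ACL migration together, as an added example (not the talk's config): the address table holds one group for the FreeSWITCH nodes and one for carriers, and request_route becomes the one place that decides who may reach FreeSWITCH, because after the acl.conf change FreeSWITCH accepts whatever Kamailio relays. The DB URL, addresses, group numbers and the AUTH / TO_CARRIER / TO_FREESWITCH routes are assumptions.

```kamailio
#!KAMAILIO
# PERMISSIONS as the single ingress ACL in front of FreeSWITCH
# (added example; DB URL, groups, addresses and the called routes are assumptions)
loadmodule "permissions.so"

modparam("permissions", "db_url", "mysql://kamailio:kamailiorw@localhost/kamailio")
# the tag of the matching address row is stored here, useful for logs and billing
modparam("permissions", "peer_tag_avp", "$avp(peer_tag)")

# address table rows (grp | ip_addr | mask | port | tag), constructed for this
# example with RFC 5737 documentation prefixes; port 0 matches any port.
# Group 1 = our FreeSWITCH nodes, group 2 = carriers. Reload after editing:
#   kamcmd permissions.addressReload
#   1 | 10.10.0.11    | 32 | 0    | fs-node-a
#   1 | 10.10.0.12    | 32 | 0    | fs-node-b
#   2 | 203.0.113.0   | 24 | 0    | carrier-a
#   2 | 198.51.100.20 | 32 | 5060 | carrier-b

request_route {
    # ... sanity checks, NAT handling, flood protection ...

    # allow_source_address() checks $si/$sp against the given address group
    if (allow_source_address("1")) {
        # from one of our FreeSWITCH nodes: outbound leg, route to carriers
        xlog("L_INFO", "outbound from $avp(peer_tag) ($si)\n");
        route(TO_CARRIER);      # assumed: ds_select_dst() on the carrier set
        exit;
    }

    if (allow_source_address("2")) {
        # inbound from a known carrier: no digest auth, hand to FreeSWITCH
        xlog("L_INFO", "inbound from carrier $avp(peer_tag) ($si)\n");
        route(TO_FREESWITCH);   # assumed: ds_select_dst() on the FreeSWITCH set
        exit;
    }

    # everyone else is a subscriber and must pass digest authentication
    if (is_method("REGISTER|INVITE")) {
        route(AUTH);            # assumed: auth_check()/auth_challenge() as usual
        route(TO_FREESWITCH);
        exit;
    }

    # deny by default and stop; without the exit the request would keep routing
    sl_send_reply("403", "Forbidden");
    exit;
}
```

Because the FreeSWITCH acl now allows only the Kamailio address, every request that reaches FreeSWITCH has been through exactly one of the three branches above; adding a carrier is an INSERT into the address table plus permissions.addressReload, with no touch to FreeSWITCH.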
HTABLE
“If you’re not using HTABLE,
you’re doing something wrong.”
—@miconda
HTABLE Module
● Hash Table Containers
● Stored in (shared) memory
● Automatic Replication (DMQ)
HTABLE Module
You can use HTABLE to block bad traffic...
Config:
    # ----- htable params -----
    /* ip ban htable with autoexpire after 5 minutes */
    modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")

    # in request_route, before authentication; pike_check_req() needs the pike module loaded
    if(src_ip!=myself) {
        if($sht(ipban=>$si)!=$null) {
            # ip is already blocked: drop silently, no reply
            xdbg("request from blocked IP\n");
            exit;
        }
        if (!pike_check_req()) {
            xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
            $sht(ipban=>$si) = 1;
            exit;
        }
    }
HTABLE Module
You can use HTABLE to cache authentication…
    modparam("htable", "htable", "auth=>size=10;autoexpire=300;")
    # auth_db loads the subscriber's password column into $avp(password) on success
    modparam("auth_db", "load_credentials", "$avp(password)=password")

    route[AUTHCACHE]{
        if($sht(auth=>$au::passwd)!=$null) {
            # cache hit: verify the digest against the cached value, no DB query
            if (!pv_auth_check("$fd", "$sht(auth=>$au::passwd)", "0", "1")) {
                auth_challenge("$fd", "1");
                exit;
            }
        } else {
            # cache miss: authenticate against the subscriber table
            if (!auth_check("$fd", "subscriber", "1")) {
                auth_challenge("$fd", "0");
                exit;
            }
            # remember the credential for the next 300 s (autoexpire above)
            $sht(auth=>$au::passwd) = $avp(password);
        }
        # user authenticated - remove auth header
        if(!is_method("REGISTER|PUBLISH"))
            consume_credentials();
    }
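The slide caches whatever load_credentials pulled from the password column, which in the stock subscriber schema is the plaintext password (when kamctl is set to store it), so the cache keeps plaintext secrets in shared memory, and with DMQ replication turned on, on every node. An added variant that is not from the talk: cache the realm-bound HA1 hash instead and tell pv_auth_check() via flag 1 that the stored value is already HA1. Module loading and column names follow the default Kamailio subscriber schema; table size and expiry are the slide's.

```kamailio
#!KAMAILIO
# Auth cache holding HA1 instead of the plaintext password (added example)
loadmodule "htable.so"
loadmodule "auth.so"
loadmodule "auth_db.so"

modparam("htable", "htable", "auth=>size=10;autoexpire=300;")
# defaults of auth_db, spelled out: the column is already HA1, do not compute it
modparam("auth_db", "calculate_ha1", 0)
modparam("auth_db", "password_column", "ha1")
# load the HA1 column, never the plaintext password column, into the avp
modparam("auth_db", "load_credentials", "$avp(ha1)=ha1")

route[AUTHCACHE] {
    if ($sht(auth=>$au::ha1) != $null) {
        # flag 1: the supplied password value is an HA1 hash, not plaintext
        if (!pv_auth_check("$fd", "$sht(auth=>$au::ha1)", "1", "1")) {
            auth_challenge("$fd", "1");
            exit;
        }
    } else {
        if (!auth_check("$fd", "subscriber", "1")) {
            auth_challenge("$fd", "0");
            exit;
        }
        $sht(auth=>$au::ha1) = $avp(ha1);
    }
    # user authenticated - remove auth header before relaying
    if (!is_method("REGISTER|PUBLISH"))
        consume_credentials();
}
```

Two caveats remain with either variant. HA1 is realm-bound but still sufficient to authenticate as the user, so a dump of shared memory still matters; the 300 s autoexpire just limits how long it sits there. And a password change in the database is not seen until the entry expires; to cut that window, drop the entry right away with `kamcmd htable.delete auth <user>::ha1`.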
HTABLE Module
You can use HTABLE to cache anything…
    if (is_method("INVITE")) {
        setflag(FLT_ACC); # do accounting
        # one entry per Call-ID in the "cps" table; counting the live entries
        # and dividing by the table's autoexpire window (presumably 10 s, the
        # modparam is not on the slide) gives calls per second
        $sht(cps=>$ci) = "caps";
        if ($sht(stats=>caps) < ($shtcv(cps=>==caps) / 10)) {
            $sht(stats=>caps) = $shtcv(cps=>==caps) / 10;   # keep the peak
        }
    }
    if (is_method("REGISTER") || is_method("INVITE")) {
        # per-source-IP auth counter; the "regs" table autoexpire bounds the window
        $sht(regs=>$si) = $sht(regs=>$si) + 1;
        if($sht(regs=>$si)>15) {
            xlog("L_INFO","more than 15 auths from $si\n");
            if(src_ip!=myself) {
                xlog("L_INFO","blocking $rm from $fu (IP:$si:$sp)\n");
                # $fu is taken from the attacker's From header and exec_msg() runs
                # the command through a shell: quoting helps only until a From
                # contains a quote, so prefer passing request data out-of-band
                exec_msg("/usr/local/etc/kamailio/matrix-post.sh 'LODVOIP: (more than 15 auths) blocking $rm from $fu (IP:$si:$sp)'");
                $sht(ipban=>$si) = 1;
            }
            send_reply("401", "Unauthorized AU");
            exit;
        }
    }
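The two ban paths on the slides above, the pike check and the per-IP auth counter, depend on configuration the slides leave out: the pike module's own thresholds, and the autoexpire on the regs table, which is what turns a raw counter into "15 auths per window". Here they are in one place as an added example (not the talk's config), with the counter made atomic through $shtinc and the shell notification changed so that nothing taken from the request lands on a command line. The pike values, table sizes and the notify script are assumptions.

```kamailio
#!KAMAILIO
# Flood/ban handling built on the slides' ipban and regs tables
# (added example; pike thresholds, table sizes and notify-ban.sh are assumptions)
loadmodule "htable.so"
loadmodule "pike.so"
loadmodule "exec.so"

# pike: more than 16 requests from one IP inside a 2 s sample trips the check;
# the IP stays tracked for 4 s of quiet before pike forgets it
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)

# the tables the slide code relies on; autoexpire is what bounds each counter
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")   # a ban lasts 5 min
modparam("htable", "htable", "regs=>size=8;autoexpire=60;")     # 15 auths per minute per IP

# call this first thing in request_route, before any auth or relaying
route[FLOOD] {
    if (src_ip == myself) return;

    if ($sht(ipban=>$si) != $null) {
        # already banned: drop without a reply, a reply only feeds the scanner
        xdbg("dropping $rm from banned IP $si\n");
        exit;
    }

    if (!pike_check_req()) {
        xlog("L_ALERT", "pike: banning $si after a flood of $rm from $fu\n");
        $sht(ipban=>$si) = 1;
        exit;
    }

    if (is_method("REGISTER|INVITE")) {
        # $shtinc creates the entry at 1 and increments atomically; a plain
        # read-modify-write races between Kamailio's worker processes
        $var(n) = $shtinc(regs=>$si);
        if ($var(n) > 15) {
            xlog("L_ALERT", "more than 15 auths from $si within a minute, banning\n");
            $sht(ipban=>$si) = 1;
            # Nothing from the request goes on the command line. The exec module
            # (setvars=1, its default) exports request details to the child's
            # environment (SIP_HF_FROM, SIP_SRCIP, ...; see the exec module docs),
            # so the hypothetical notify-ban.sh reads them from there and an
            # attacker-controlled From header cannot break out of the shell command.
            exec_msg("/usr/local/etc/kamailio/notify-ban.sh");
            exit;
        }
    }
    return;
}
```

The ordering matters: a banned IP is dropped before pike is consulted, and both checks run before digest authentication, so a scanner that is already over the limit never costs a database lookup or a 401 challenge.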
3 Quick Ways to Help FreeSWITCH
1. DISPATCHER
2. PERMISSIONS
3. HTABLE
1. Stability
2. Security
3. Scalability
But, there’s so much more you can do…
Thank you!
● See you in Berlin for... Kamailio World!!!
● Questions?
● Contact: qxork.com / @fredposner
● Cookies & More: BearBakeShop.com
