[SR-Users] Question about encryption with Kamailio

Klaus Darilion klaus.mailinglists at pernau.at
Sat Aug 13 08:38:30 CEST 2011



On 12.08.2011 14:56, margot.basa wrote:
> Hello all,
>
> I would like to use Kamailio to encrypt contents of SIP messages (using
> SIP TLS) between 2 endpoints, i.e.:
> - To use 5061 port instead of 5060 port,
> - To use sips uri instead of sip uri...
>
> For example, T1 and T2 communicates with "Server A" like that:
> 1) T1 and T2 send REGISTER to "Server A"
> 2) T1 and T2 receive 200 OK from "Server A"
> ...
> 3) "Server A" sends an INVITE message to T1 and T2
> ...
> 4) RTP flow between T1 and T2 (this should not be encrypted)
> ...
> 5) "Server A" sends a BYE request to T1 and T2
> ...
>
> All those exchanges are made on Transport layer TCP or UDP on port 5060.
> T1 and T2 are not able to support TLS but "Server A" needs to
> receive/send messages in SIP TLS.
> I would like to insert Kamailio between T1 and "Server A", T2 and
> "Server B" in order to encrypt contents of SIP messages.
>
> I have some questions about that:
> - I think Kamailio can do that but I am not sure; can you confirm that
> to me please?

Yes, you can do that with Kamailio.

> - Can I use Kamailio as it is to do that?

Almost yes. You only have to load the TLS module and tell Kamailio to 
listen on port 5061 for TLS.

Probably some modifications to the default configuration are needed.

> - Do I have to add a "Route" header in requests in order that requests
> between T1 and "Server A" go through Kamailio?

Yes. When record-routing is activated (it is activated in the default 
config), all in-dialog requests (ACK, reINVITE, BYE) will be routed 
automatically via Kamailio.

The more complicated part will be the initial requests (REGISTER, 
INVITE). Requests from the clients to the server are quite easy to handle:

if (src_ip != ip.address.of.server) {
   # anything not coming from the server goes to the server, over TLS
   $du = "sip:ip.address.of.server;transport=tls";
   t_relay();
}

Complicated are INVITEs from the server to the client. Usually during 
registration the server stores the contact information of the client, to 
send incoming calls to this address. This is either the information in 
the Contact header, or the IP address:port from which the REGISTER was 
received (if the server performs NAT traversal).

Both cases are bad - as the server should send the request to Kamailio, 
but Kamailio needs to know where to forward the request.

The proper solution is using "Path" -> see documentation of the Path 
module. If your server supports "Path", then you are finished.

If your server does not support Path, there are 2 approaches:

A) The server stores the Contact, but sends the INVITE requests always 
to Kamailio. Therefore, the server needs some kind of "outbound proxy" 
functionality.

B) Kamailio stores the contact of the client, and forwards the REGISTER 
with a contact pointing to itself. Thus, the server will look up the client, 
find the IP address of Kamailio and forward the request. Then Kamailio 
again looks up the client in the location table and then forwards the 
request. This only works if Kamailio puts a unique identifier of the 
client into the username part of the Contact header.


> - Is Kamailio able to intercept SIP packets automatically (with a
> certain configuration)?

No. Other nodes have to send SIP messages to Kamailio. This is why 
record-routing is needed to tell the other clients to route in-dialog 
requests via Kamailio too.

> - Do you know the difference between Freeswitch and Kamailio? (because I
> have seen that Freeswitch can do what I need:
> see Figure 4: http://wiki.freeswitch.org/wiki/SIP_TLS)

No.

Klaus

>
> Thank you very much for your input.
> Regards
>
>
>
>
>
>
> _______________________________________________
> SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list
> sr-users at lists.sip-router.org
> http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users



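As an added example (not code from the mailing-list thread, and not Kamailio's shipped default configuration), the following kamailio.cfg puts together the pieces Klaus describes for the "Path" variant: a TLS listener, the Path header added to REGISTER so the registrar routes calls back through Kamailio, client-to-server requests forced onto TLS, record-routing for in-dialog requests, and the initial INVITE from the server consumed via loose_route(). The addresses (Kamailio 192.0.2.10, Server A 198.51.100.20), the certificate paths under /etc/kamailio/ and the module set are assumptions chosen for illustration.

```kamailio
#!KAMAILIO
# Added example, not from the original post. Kamailio sits between plain
# SIP clients T1/T2 (UDP/TCP 5060) and a TLS-only "Server A".
# Assumed: Kamailio at 192.0.2.10, Server A at 198.51.100.20,
# certificates under /etc/kamailio/.

listen=udp:192.0.2.10:5060      # towards T1/T2 (cleartext, as they cannot do TLS)
listen=tcp:192.0.2.10:5060
listen=tls:192.0.2.10:5061      # towards Server A
enable_tls=yes

loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "maxfwd.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "path.so"
loadmodule "tls.so"

# Our own certificate, plus verification of the peer: Kamailio acts as TLS
# client towards Server A, and without verify_certificate anyone on the
# path could impersonate the server and TLS would only stop passive reading.
modparam("tls", "certificate", "/etc/kamailio/kamailio.crt")
modparam("tls", "private_key", "/etc/kamailio/kamailio.key")
modparam("tls", "ca_list", "/etc/kamailio/ca.pem")
modparam("tls", "verify_certificate", 1)
modparam("tls", "require_certificate", 1)

modparam("rr", "enable_full_lr", 1)
# Evaluate the received= parameter of the Path/Route URI, so that a call
# from Server A is sent to the address the REGISTER actually came from
# (clients behind NAT).
modparam("path", "use_received", 1)

route {
    if (!mf_process_maxfwd_header("10")) {
        sl_send_reply("483", "Too Many Hops");
        exit;
    }

    # In-dialog requests (ACK, re-INVITE, BYE) carry the Route set that
    # record_route() installed on the initial request; just follow it.
    if (has_totag()) {
        if (loose_route()) {
            t_relay();
            exit;
        }
        sl_send_reply("404", "Not here");
        exit;
    }

    # Initial request (INVITE) from Server A: the registrar turned our Path
    # value into a Route header. loose_route() removes it and leaves the
    # client's Contact in the Request-URI ($du from received= if present).
    if (src_ip == 198.51.100.20) {
        loose_route();
        record_route();
        t_relay();
        exit;
    }

    # Initial requests from T1/T2. REGISTER gets a Path header pointing at
    # us (with received=), so Server A routes calls for that contact back
    # through Kamailio. Everything else is record-routed as usual.
    if (is_method("REGISTER")) {
        add_path_received();
    } else {
        record_route();
    }
    # Override the next hop: always Server A, always over TLS.
    $du = "sip:198.51.100.20:5061;transport=tls";
    t_relay();
}
```

Two caveats a practitioner will want. First, the signaling between T1/T2 and Kamailio stays cleartext and RTP is untouched, so the TLS protects only the Kamailio-to-Server A leg; treat the client side as trusted network. Second, the tls module's modparams shown here apply to both the server and client roles; if Server A and the clients that might later use TLS need different settings (for example requiring a client certificate from Server A but not from phones), move the settings into the module's config file with separate server/client sections, and set tls_method to the newest TLS version your Kamailio build supports rather than leaving the default.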