<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 30/07/14 06:37, Muhammad Shahzad
wrote:<br>
</div>
<blockquote
cite="mid:CAFZQphxm-Ti6jDmizwBs1twkTzKhZBjfJ=1=P8ReK-RZwNF=FA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Humm, no reply so far, may be because my email was very
long and no body bothered to read it all. Anyways, here is the
shorter more direct version of it. (including kamailio dev
list, since question is rather technical).<br>
<br>
</div>
Is it possible to implement a custom SIP transport in Kamailio
script file i.e. kamailio.cfg. The purpose is to allow
experimentation with custom encryption algorithms such as this,<br>
<br>
<a moz-do-not-send="true" href="https://github.com/mshary/itv">https://github.com/mshary/itv</a><br>
<div>
<div><br>
</div>
<div>What we need is a couple of functions, one to receive
incoming raw / encrypted data received on SIP socket, which
then can be parsed / decrypted in kamailio.cfg (using e.g.
LUA or PERL language modules etc.) and afterwords feed to
kamailio for usual processing (as if it was normal /
plain-text sip data received on sip socket). The second
function to do the opposite, it receives the normal /
plain-text sip data that is ready to be sent out from
kamailio's core, encrypts it and then send it out to actual
destination.<br>
</div>
<div><br>
</div>
<div>In case above is not possible. Can i do it in kamailio's
native code? Any hooks / example code for reference?<br>
</div>
</div>
</div>
</blockquote>
If you look at encrypting sip messages, look at topoh module. You
can write a replacement for its hooks. Topoh is practically decoding
the headers and then lets the pure SIP message go through config
file execution. Before sending, it encodes the headers and then let
it go to the network.<br>
<br>
This is something that should be rather straightforward to do if you
are familiar with C code.<br>
<br>
You mentioned that using TLS can still reveal patters of being sip.
You have to think here of ways to obfuscate even in your case of a
new encryption method. What can be matched here:<br>
- periodical registrations - you can have the client (or even the
server) to use different expires times for each registration<br>
- size of packages, specially if user IDs are the same or similar
length (e.g., say everyone uses a 10 digit id), practically no
matter who is calling who, the size will be pretty much the same
because most of the phones I have seen so far use same set of
headers. Here you can add random custom headers for each packet. I
haven't checked the proposed encryption algorithm (some use random
blocks implicitly to pad the data), but eventually you can add
random data before and after the packet that you strip (and re-add)
in topoh-replacement module<br>
<br>
The other option of having a totally different protocol than SIP
should be possible as well. But you need to re-implement a lot (like
location, authentication, ...). Look at msrp module for an example.
This may need to touch core code a bit.<br>
<br>
Of course, in both cases, the client application has to be developed
as well. Perhaps still easier if going for first option, by reusing
some open source sip client and adding the
encapsulation/decapsulation layer when receiving/sending to network.<br>
<br>
Cheers,<br>
Daniel<br>
<br>
<blockquote
cite="mid:CAFZQphxm-Ti6jDmizwBs1twkTzKhZBjfJ=1=P8ReK-RZwNF=FA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
<div>Many thanks and kind regards for your help.<br>
</div>
<div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Jul 28, 2014 at 2:38 AM,
Muhammad Shahzad <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:shaheryarkh@gmail.com" target="_blank">shaheryarkh@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px
0px 0.8ex;border-left:1px solid
rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>
<div>Hi,<br>
<br>
</div>
As the mobile voip is getting more and more
popular these days, there has been a strong
opposition from GSM operators against mobile
voip apps. They often use tactics like
blocking voip ports, or detect and block voip
traffic and in some cases restricting udp
traffic altogether to very low upload and
download speeds. See below link for some
details,<br>
<br>
<a moz-do-not-send="true"
href="http://www.linphone.org/eng/blog/linphone-over-3g.html"
target="_blank">http://www.linphone.org/eng/blog/linphone-over-3g.html</a><br>
<br>
</div>
While not all the problems can be solved right
now (especially the limiting udp traffic, since
RTP always uses udp transport) I was wondering
if we can at least handle the sip related
problems. The most important of them is SIP
traffic detection. While some forks would
suggest using TCP/TLS to encrypt SIP traffic, it
has a few problems, e.g.<br>
<br>
</div>
1. It requires somewhat high resources on mobile
devices, so many low-end android phones simply
can't use it.<br>
<br>
</div>
2. There is possibility that encryption signature
may identify it as SIP traffic. There exists
firewalls (often deployed in middle eastern
countries) which have huge database of encryption
signatures and patterns which although may not
decrypt the sip packet but at least identify it as
sip packet and block it.<br>
<div><br>
</div>
<div>Also with rough agencies of evil empires spying
over millions of users worldwide makes the current
encryption standards pretty much pointless, at
least in terms of user privacy and network
security. So there is a strong need to experiment
with new ideas and concepts to regain internet
freedom. Some of such ideas are,<br>
<br>
</div>
<div>1. Convert sip traffic which is plain text to
binary format just before transmitting it and
revert it to plain text upon reception.<br>
<br>
</div>
<div>2. XOR the sip traffic (pretty much same as
binary sip).<br>
<br>
</div>
<div>3. Use some very lightweight but effective /
non-standard encryption algorithm, e.g.<br>
<br>
<a moz-do-not-send="true"
href="https://github.com/mshary/itv"
target="_blank">https://github.com/mshary/itv</a><br>
<br>
</div>
<div>All these ideas require that SIP server such as
Kamailio is able to adopt to these, preferably
with minimal or no change in native code. The
NoSIP module seems an interesting module in this
regard. It provides all traffic it thinks is not
the SIP traffic to configuration script, where we
can do our own parsing and do whatever we want
with it. I have two questions about this,<br>
<br>
</div>
<div>1. If parsed message is SIP, we can we send it
back to kamailio core to get it processed as if it
is a normal SIP message received by kamailio?<br>
<br>
</div>
<div>2. Can this module or any other module
available in kamailio, that can provide us full
sip packet that is about to be transmitted over
sip socket, so we can "encode" it just before it
is sent to next hop?<br>
</div>
<div><br>
</div>
<div>I know this would be like writing a SIP
transport in kamailio script which would be very
tough if not impossible to implement in native
core. But it will really help in winning the
modern mobile voip challenges.<br>
</div>
<div><br>
</div>
<div>Thank you.<br>
</div>
<div><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</div>
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a></pre>
</body>
</html>