<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <br>
    <div class="moz-cite-prefix">On 30/07/14 11:52, Muhammad Shahzad
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFZQphyb77ar6cY57QLwuZbor+WuNBjguBC4HXbZTJEZV3f=3A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>
          <div>
            <div>Thank you so much for this very useful information. I
              am working on the first approach for the moment since it's much
              simpler and easier to implement, the only difference being
              that instead of per header or per sdp line, I plan to do
              it in one go, i.e. get the entire sip message in $mb (sip
              message buffer), encrypt it and put it back in $mb.<br>
              <br>
            </div>
            - I guess randomizing registration time is already provided
            by kamailio.<br>
          </div>
          - Yes, packet sizes are a concern, so I have already planned
          for random padding as you mentioned.<br>
          <br>
        </div>
        For the client app, I have developed a basic prototype based on the
        doubango framework. I am hoping to release a free and open
        source implementation using idoubs within the next couple of months
        on the Apple App Store.<br>
      </div>
    </blockquote>
    For a mobile device, an app is needed. But for a linux computer, it
    might work to run a kamailio proxy there. Say you have many
    locations for a company; then within the local network on each site it can
    be sip, and between sites, the encrypted signaling.<br>
    <br>
    If kamailio uses a socket for clients and a socket for communicating
    with the other sides, then it is easy to tell the new module
    which socket should do encryption/decryption. An alternative is to
    provide either the local network address or the remote site address and
    match on src ip/dst ip.<br>
    <br>
    Cheers,<br>
    Daniel<br>
    <br>
    <blockquote
cite="mid:CAFZQphyb77ar6cY57QLwuZbor+WuNBjguBC4HXbZTJEZV3f=3A@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>Thank you.<br>
          <br>
          <br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Wed, Jul 30, 2014 at 12:22 PM,
          Daniel-Constantin Mierla <span dir="ltr"><<a
              moz-do-not-send="true" href="mailto:miconda@gmail.com"
              target="_blank">miconda@gmail.com</a>></span> wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div class=""> <br>
                <div>On 30/07/14 06:37, Muhammad Shahzad wrote:<br>
                </div>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>Hmm, no reply so far, maybe because my email
                      was very long and nobody bothered to read it all.
                      Anyway, here is the shorter, more direct version
                      of it (including the kamailio dev list, since the
                      question is rather technical).<br>
                      <br>
                    </div>
                    Is it possible to implement a custom SIP transport
                    in the Kamailio script file, i.e. kamailio.cfg? The
                    purpose is to allow experimentation with custom
                    encryption algorithms such as this:<br>
                    <br>
                    <a moz-do-not-send="true"
                      href="https://github.com/mshary/itv"
                      target="_blank">https://github.com/mshary/itv</a><br>
                    <div>
                      <div><br>
                      </div>
                      <div>What we need is a couple of functions, one to
                        receive incoming raw / encrypted data received
                        on the SIP socket, which can then be parsed /
                        decrypted in kamailio.cfg (using e.g. the LUA or
                        PERL language modules etc.) and afterwards fed
                        to kamailio for usual processing (as if it were
                        normal / plain-text sip data received on the sip
                        socket). The second function does the opposite:
                        it receives the normal / plain-text sip data
                        that is ready to be sent out from kamailio's
                        core, encrypts it and then sends it out to the actual
                        destination.<br>
                      </div>
                      <div><br>
                      </div>
                      <div>In case the above is not possible, can I do it in
                        kamailio's native code? Any hooks / example code
                        for reference?<br>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
              If you look at encrypting sip messages, look at the topoh
              module. You can write a replacement for its hooks. Topoh
              practically decodes the headers and then lets the pure
              SIP message go through config file execution. Before
              sending, it encodes the headers and then lets it go to the
              network.<br>
              <br>
              This is something that should be rather straightforward to
              do if you are familiar with C code.<br>
              <br>
              You mentioned that using TLS can still reveal patterns of
              being sip. You have to think here of ways to obfuscate
              even in your case of a new encryption method. What can be
              matched here:<br>
              - periodical registrations - you can have the client (or
              even the server) use different expires times for each
              registration<br>
              - size of packets, especially if user IDs are the same or
              similar length (e.g., say everyone uses a 10 digit id);
              practically no matter who is calling whom, the size will be
              pretty much the same because most of the phones I have
              seen so far use the same set of headers. Here you can add
              random custom headers for each packet. I haven't checked
              the proposed encryption algorithm (some use random blocks
              implicitly to pad the data), but eventually you can add
              random data before and after the packet that you strip
              (and re-add) in the topoh-replacement module<br>
              <br>
              The other option of having a totally different protocol
              than SIP should be possible as well. But you need to
              re-implement a lot (like location, authentication, ...).
              Look at the msrp module for an example. This may need to touch
              core code a bit.<br>
              <br>
              Of course, in both cases, the client application has to be
              developed as well. Perhaps still easier if going for the first
              option, by reusing some open source sip client and adding
              the encapsulation/decapsulation layer when
              receiving from/sending to the network.<br>
              <br>
              Cheers,<br>
              Daniel
              <div class=""><br>
                <br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div>
                      <div><br>
                      </div>
                      <div>Many thanks and kind regards for your help.<br>
                      </div>
                      <div>
                        <div class="gmail_extra"><br>
                          <br>
                          <div class="gmail_quote">On Mon, Jul 28, 2014
                            at 2:38 AM, Muhammad Shahzad <span
                              dir="ltr"><<a moz-do-not-send="true"
                                href="mailto:shaheryarkh@gmail.com"
                                target="_blank">shaheryarkh@gmail.com</a>></span>
                            wrote:<br>
                            <blockquote class="gmail_quote"
                              style="margin:0px 0px 0px
                              0.8ex;border-left:1px solid
                              rgb(204,204,204);padding-left:1ex">
                              <div dir="ltr">
                                <div>
                                  <div>
                                    <div>
                                      <div>Hi,<br>
                                        <br>
                                      </div>
                                      As mobile voip is getting more
                                      and more popular these days, there
                                      has been strong opposition from
                                      GSM operators against mobile voip
                                      apps. They often use tactics like
                                      blocking voip ports, or detecting and
                                      blocking voip traffic, and in some
                                      cases restricting udp traffic
                                      altogether to very low upload and
                                      download speeds. See the link below
                                      for some details:<br>
                                      <br>
                                      <a moz-do-not-send="true"
                                        href="http://www.linphone.org/eng/blog/linphone-over-3g.html"
                                        target="_blank">http://www.linphone.org/eng/blog/linphone-over-3g.html</a><br>
                                      <br>
                                    </div>
                                    While not all the problems can be
                                    solved right now (especially the
                                    limiting of udp traffic, since RTP
                                    always uses udp transport), I was
                                    wondering if we can at least handle
                                    the sip-related problems. The most
                                    important of them is SIP traffic
                                    detection. While some folks would
                                    suggest using TCP/TLS to encrypt SIP
                                    traffic, it has a few problems, e.g.<br>
                                    <br>
                                  </div>
                                  1. It requires somewhat high resources
                                  on mobile devices, so many low-end
                                  android phones simply can't use it.<br>
                                  <br>
                                </div>
                                2. There is a possibility that the encryption
                                signature may identify it as SIP
                                traffic. There exist firewalls (often
                                deployed in Middle Eastern countries)
                                which have a huge database of encryption
                                signatures and patterns which, although they
                                may not decrypt the sip packet, at
                                least identify it as a sip packet and
                                block it.<br>
                                <div><br>
                                </div>
                                <div>Also, rogue agencies of evil
                                  empires spying on millions of users
                                  worldwide make the current encryption
                                  standards pretty much pointless, at
                                  least in terms of user privacy and
                                  network security. So there is a strong
                                  need to experiment with new ideas and
                                  concepts to regain internet freedom.
                                  Some such ideas are:<br>
                                  <br>
                                </div>
                                <div>1. Convert sip traffic, which is
                                  plain text, to a binary format just
                                  before transmitting it and revert it
                                  to plain text upon reception.<br>
                                  <br>
                                </div>
                                <div>2. XOR the sip traffic (pretty much
                                  the same as binary sip).<br>
                                  <br>
                                </div>
                                <div>3. Use some very lightweight but
                                  effective / non-standard encryption
                                  algorithm, e.g.<br>
                                  <br>
                                  <a moz-do-not-send="true"
                                    href="https://github.com/mshary/itv"
                                    target="_blank">https://github.com/mshary/itv</a><br>
                                  <br>
                                </div>
                                <div>All these ideas require that a SIP
                                  server such as Kamailio is able to
                                  adapt to these, preferably with
                                  minimal or no change in native code.
                                  The NoSIP module seems an interesting
                                  module in this regard. It provides all
                                  traffic it thinks is not SIP
                                  traffic to the configuration script, where
                                  we can do our own parsing and do
                                  whatever we want with it. I have two
                                  questions about this:<br>
                                  <br>
                                </div>
                                <div>1. If the parsed message is SIP, can
                                  we send it back to the kamailio core to
                                  get it processed as if it were a normal
                                  SIP message received by kamailio?<br>
                                  <br>
                                </div>
                                <div>2. Can this module, or any other
                                  module available in kamailio,
                                  provide us the full sip packet that is
                                  about to be transmitted over the sip
                                  socket, so we can "encode" it just
                                  before it is sent to the next hop?<br>
                                </div>
                                <div><br>
                                </div>
                                <div>I know this would be like writing a
                                  SIP transport in the kamailio script, which
                                  would be very tough, if not impossible,
                                  to implement in the native core. But it
                                  will really help in winning the modern
                                  mobile voip challenges.<br>
                                </div>
                                <div><br>
                                </div>
                                <div>Thank you.<br>
                                </div>
                                <div><br>
                                  <br>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                          <br>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
                <br>
              </div>
              <span class="HOEnZb"><font color="#888888">
                  <pre cols="72">-- 
Daniel-Constantin Mierla - <a moz-do-not-send="true" href="http://www.asipto.com" target="_blank">http://www.asipto.com</a>
<a moz-do-not-send="true" href="http://twitter.com/#%21/miconda" target="_blank">http://twitter.com/#!/miconda</a> - <a moz-do-not-send="true" href="http://www.linkedin.com/in/miconda" target="_blank">http://www.linkedin.com/in/miconda</a></pre>
                </font></span></div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <pre class="moz-signature" cols="72">-- 
Daniel-Constantin Mierla - <a class="moz-txt-link-freetext" href="http://www.asipto.com">http://www.asipto.com</a>
<a class="moz-txt-link-freetext" href="http://twitter.com/#!/miconda">http://twitter.com/#!/miconda</a> - <a class="moz-txt-link-freetext" href="http://www.linkedin.com/in/miconda">http://www.linkedin.com/in/miconda</a></pre>
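    <br>
    Added example for the traffic-analysis points raised in the thread (not code from Kamailio, topoh, idoubs or the itv project): a SIP message gets random-length padding before and after it, which the receiving side strips again, and each REGISTER gets a jittered Expires; the frame layout, pad bound, sample user IDs and REGISTER text are assumptions of this example.<br>

```python
"""Random padding and jittered expires against SIP traffic fingerprinting.
Added example, not code from Kamailio, topoh or the itv project. Frame layout
(an assumption here): [2B prefix pad len][2B msg len][prefix pad][msg][suffix pad].
The cipher discussed in the thread would be applied over the whole frame."""
import secrets
import struct

HEADER = struct.Struct("!HH")  # prefix pad length, message length (big-endian)
MAX_PAD = 64                   # per-side pad bound, an assumed value

def encapsulate(sip_msg: bytes, max_pad: int = MAX_PAD) -> bytes:
    """Wrap a plain SIP message with random-length prefix/suffix padding."""
    if len(sip_msg) > 0xFFFF or max_pad > 0xFFFF:
        raise ValueError("message or pad too large for 16-bit length fields")
    pre_len = secrets.randbelow(max_pad + 1)
    suf_len = secrets.randbelow(max_pad + 1)
    return (HEADER.pack(pre_len, len(sip_msg)) + secrets.token_bytes(pre_len)
            + sip_msg + secrets.token_bytes(suf_len))

def decapsulate(frame: bytes) -> bytes:
    """Strip the padding again; reject truncated or inconsistent frames."""
    if HEADER.size > len(frame):
        raise ValueError("frame shorter than header")
    pre_len, msg_len = HEADER.unpack_from(frame)
    start = HEADER.size + pre_len
    if start + msg_len > len(frame):
        raise ValueError("frame truncated")
    return frame[start:start + msg_len]

def jittered_expires(base: int = 3600, spread: int = 600) -> int:
    """Per-registration Expires value in [base - spread, base + spread]."""
    return base - spread + secrets.randbelow(2 * spread + 1)

def sample_register(user_id: str) -> bytes:
    """Constructed REGISTER; same-length IDs give byte-identical sizes."""
    return (
        "REGISTER sip:example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.1:5060;branch=z9hG4bK1\r\n"
        f"From: sip:{user_id}@example.com;tag=a1\r\n"
        f"To: sip:{user_id}@example.com\r\n"
        "Call-ID: c1@192.0.2.1\r\nCSeq: 1 REGISTER\r\n"
        f"Contact: sip:{user_id}@192.0.2.1:5060\r\n"
        f"Expires: {jittered_expires()}\r\nContent-Length: 0\r\n\r\n"
    ).encode()

def wire_sizes(user_ids, padded: bool) -> list:
    """Datagram sizes with and without padding, for side-by-side comparison."""
    return [len(encapsulate(sample_register(u)) if padded else sample_register(u))
            for u in user_ids]
```

    Unpadded REGISTERs for same-length IDs come out byte-identical in size, while the padded frames spread over up to 2 * MAX_PAD extra bytes, which is the size pattern Daniel describes.<br>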
  </body>
</html>