Expanding Asterisk with Kamailio
3 likes6,109 views
The document discusses the integration of Kamailio with Asterisk, highlighting Kamailio's roles such as a SIP proxy, registrar, and application server. It emphasizes the advantages of using Kamailio for scaling, security, load balancing, and least cost routing, while also noting its limitations compared to Asterisk concerning media handling and call processing. Key security measures for Kamailio are detailed, along with its financial benefits, compatibility with various protocols, and the requirement for strong SIP knowledge.
![DISPATCHER Module
# Dispatch requests
route[DISPATCH] {
# round robin dispatching
if(!ds_select_dst("1", "4")) {
send_reply("404", "Ouch");
exit;
}
t_on_failure("RTF_DISPATCH");
route(RELAY);
exit;
}
failure_route[RTF_DISPATCH] {
if (t_is_canceled()) {
exit;
}
# next DST - only for 500 or local timeout
if (t_check_status("500") or (t_branch_timeout() and !t_branch_replied()))
{
if(ds_next_dst()) {
t_on_failure("RTF_DISPATCH");
route(RELAY);
exit;
}
}
}](https://image.slidesharecdn.com/posnerastricon201516x9-151015220548-lva1-app6891/85/Expanding-Asterisk-with-Kamailio-15-320.jpg)
![Ever seen something like this?
[Oct 1 23:01:26] NOTICE[3063][C-00002d55] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!2#48' rejected because extension not
found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d56] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in
context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d57] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in
context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d58] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in
context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d59] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in
context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d5a] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!qaz' rejected because extension not found
in context 'default'.](https://image.slidesharecdn.com/posnerastricon201516x9-151015220548-lva1-app6891/85/Expanding-Asterisk-with-Kamailio-18-320.jpg)
![Handle Before Reaching Asterisk
[R-REQINIT:PIPELIMIT] invites to 192.168.101.21 exceeded 5cps
[R-REQINIT:PIPELIMIT] invites to 192.168.101.23 exceeded 5cps
[R-REQINIT:PIPELIMIT] invites to 192.168.101.22 exceeded 5cps
[R-REQINIT:ANTIFLOOD] script kiddies from
IP:85.93.91.162:5063 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from
IP:212.83.188.161:5068 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from
IP:85.93.89.219:5066 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from
IP:85.25.74.70:5150 - dropping and blocking](https://image.slidesharecdn.com/posnerastricon201516x9-151015220548-lva1-app6891/85/Expanding-Asterisk-with-Kamailio-23-320.jpg)
Expanding Asterisk with Kamailio
- 1. Expanding Asterisk with Kamailio Fred Posner @fredposner qxork.com
- 2. Who am I?
- 4. If Asterisk can do all that...
- 5. Why do we need Kamailio? and....
- 6. How do you pronounce Kamailio? Kah – Mah – Illie - Oh
- 7. What is Kamailio? SIP Proxy Server SIP Registrar Server SIP Location Server SIP Application Server SIP Dispatcher Server
- 8. What isn't Kamailio? SIP Phone B2BUA Media Server
- 9. Typical Reasons to Implement Kamailio ● Scaling – High Volume of Calls – High Number of Users ● Security ● Load Balancing ● LCR (Least Cost Routing)
- 10. How many calls can Asterisk handle? 200 or 400. There is no 100.
- 11. Asterisk “Activities” Affect CPS/Load ● Music on Hold ● Codec Transcoding ● IVR Handling ● AGI Scripts ● Call Recording ● Queues ● Voicemail
- 12. Registrations Authentication NAT CallsPresence Call LimitExt to Ext Location STOPSTOP THETHE INSANITINSANIT
- 13. Internet / PSTN Kamailio There must be a better way! Kamailio: – Authentication, NAT, Location, LCR, Registration, Extension to Extension calls, Security Asterisk: – Queues, Media, Call Processing, Voicemail, Conferences, etc.
- 14. Load Balancing n + 1 scaling made easy with dispatcher module
- 15. DISPATCHER Module # Dispatch requests route[DISPATCH] { # round robin dispatching if(!ds_select_dst("1", "4")) { send_reply("404", "Ouch"); exit; } t_on_failure("RTF_DISPATCH"); route(RELAY); exit; } failure_route[RTF_DISPATCH] { if (t_is_canceled()) { exit; } # next DST - only for 500 or local timeout if (t_check_status("500") or (t_branch_timeout() and !t_branch_replied())) { if(ds_next_dst()) { t_on_failure("RTF_DISPATCH"); route(RELAY); exit; } } }
- 17. Security
- 18. Ever seen something like this? [Oct 1 23:01:26] NOTICE[3063][C-00002d55] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!2#48' rejected because extension not found in context 'default'. [Oct 1 23:01:26] NOTICE[3063][C-00002d56] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'. [Oct 1 23:01:26] NOTICE[3063][C-00002d57] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'. [Oct 1 23:01:26] NOTICE[3063][C-00002d58] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'. [Oct 1 23:01:26] NOTICE[3063][C-00002d59] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'. [Oct 1 23:01:26] NOTICE[3063][C-00002d5a] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!qaz' rejected because extension not found in context 'default'.
- 19. Asterisk Security Tools ● fail2ban ● custom script ● IPTABLES ● hardened dialplan ● Hardened sip.conf ● Log analyzers happen after the attack ● CPU/Memory resources ● Only protects single box
- 20. Kamailio Security ● GEOIP ● HTABLE ● PIKE (flood detection) ● PIPELIMIT (counter) ● PERMISSIONS ● RATELIMIT (counter) ● SANITY (formatting)
- 21. PIKE / HTABLES/PERMISSIONS if((src_ip!=myself) && !allow_source_address(1)) { if($sht(ipban=>$si)!=$null) { # ip is already blocked exit; } if (!pike_check_req()) { $sht(ipban=>$si) = 1; exit; } }
- 22. SIP Message Inspection / HTABLES if ($ua =~ "(friendly-scanner|sipvicious|sipcli)") { if(src_ip!=myself) { $sht(ipban=>$si) = 1; } exit; } if($au =~ "(=)|(--)|(')|(#)|(%27)|(%24)" and $au != $null) { if(src_ip!=myself) { $sht(ipban=>$si) = 1; } exit; }
- 23. Handle Before Reaching Asterisk [R-REQINIT:PIPELIMIT] invites to 192.168.101.21 exceeded 5cps [R-REQINIT:PIPELIMIT] invites to 192.168.101.23 exceeded 5cps [R-REQINIT:PIPELIMIT] invites to 192.168.101.22 exceeded 5cps [R-REQINIT:ANTIFLOOD] script kiddies from IP:85.93.91.162:5063 - dropping and blocking [R-REQINIT:ANTIFLOOD] script kiddies from IP:212.83.188.161:5068 - dropping and blocking [R-REQINIT:ANTIFLOOD] script kiddies from IP:85.93.89.219:5066 - dropping and blocking [R-REQINIT:ANTIFLOOD] script kiddies from IP:85.25.74.70:5150 - dropping and blocking
- 25. Financial Benefits ● Kamailio reduces fraud risk (security) ● Kamailio reduces carrier cost (lcr) ● Kamailio reduces opportunity costs (downtime)
- 26. Kamailio Plays Well with Others ● IPv4 & IPv6 ● UDP/TCP ● TLS ● SCTP ● All codecs ● WebRTC ● Supporting RFC3261, RFC3262, RFC3263, RFC3880, RFC4474, RFC2865, RFC2866, RFC4975, RFC3486, RFC 3265, RFC 3856, RFC 3863, RFC 4480, RFC 3903, RFC 3857, RFC 3858, RFC 3680, RFC3581, RFC1918, RFC2617, RFC4122, RFC4510, RFC4515, RFC4662, RFC4826, RFC4745 and RFC5025, RFC3410, RFC3327, RFC2741, RFC4516, etc.
- 27. Kamailio: Positives ● Very fast ● Minimal hardware ● More than 200 modules ● Centralization ● Saves Money ● LCR ● Scalable ● Failover ● Strong Community ● Promotes Growth
- 28. Kamailio: Negatives ● Must know SIP ● Must really know SIP ● Need strong SIP knowledge
- 29. Expanding Asterisk with Kamailio Fred Posner @fredposner qxork.com Thank you
- 30. Expanding Asterisk with Kamailio Fred Posner @fredposner Questions
Editor's Notes
- #3: Fred Posner VoIP Engineer/Consultant LOD The Palner Group Started in 2003 Vonage Competitor Broadsoft / Acme Packet Switched to Asterisk / OpenSER Beautiful Wife Yeni Started Bearkery Bakery in 2010 Live in Florida Big Fred Cookie
- #4: Asterisk GREAT PRODUCT We're at Astricon afterall All features you'd ever want Very customizable Powerful Open Source Queues Call Recording Voicemail IVR AND SO MUCH MORE
- #5: If Asterisk is so incredible... then...
- #6: Why do we need Kamailio? and... More importantly...
- #7: Not Without Problems EVERYTHING HAS STRENGTHS & WEAKNESSES Believe it or not... I'm a great guy, ...but I have a weight problem. Working on weakness creates strength to grow. Ever hear of Pozzolans? Lime is used in concrete OK by itself... nothing special. Add Pozzolans... Increased strength / durability Decreased weakness Pozzolan Effect Kamailio & Asterisk together work the same way.
- #9: Want a B2BUA? Use Asterisk =) All of these are Asterisk
- #11: SIP Version of Do or Do Not. There is No Try. As most of you know... simple question difficult answer
- #12: What you do with Asterisk affects call load & hardware too of course Some systems can run thousands of channels Others may have difficulty with more than 400 Reduce Asterisk Overhead Focus on core strengths
- #13: Additional cps concerns Flash Operator Panel? 20 cps Fail2Ban? Effects cps greatly Logging Network (jitter, etc.) OS 150 cps? Really depends on codecs, hardware, network Max calls? 10,000? 100?
- #14: On embedded systems, with limited resources—100s cps As stateless load balancer, >5000 call setups per second 4GB memory, Kamailio can serve over 300k subscribers System can easily scale adding more Kamailio servers Kamailio LCR handles millions of routing rules(and that's the built in modules) Even with just 1 Asterisk server (like above)...using Kamailio can increase user/call capacity
- #15: Load balancing is built into Kamailio Makes n + 1 scaling simple
- #16: Drastically increase call load / capacity Fault Tolerant Location failures Can add more kamailio boxes as well. You can group clusters by function / limits Voicemail IVR Recordings Conferences
- #17: You can set limits by box as well This box can handle 100 calls at 2 cps This box can handle 500 calls at 20 cps
- #18: Kamailio expands the security capabilities of Asterisk
- #19: Rejection of call attempts Rejection of registration attempts Brute force password attacks Anyone been hit by a brute force attack from AWS? Thousands of attempts in a very short period of time
- #20: Current methods of handling happen after the attack Take resources AWAY from call handling Protects a single box
- #21: Kamailio is flexible. The way I handle security is different than Daniel or X person or Y. Different is good. You can learn something from EVERYONE The best experts keep an open mind “Good writers borrow, great writers steal”--TS Elliot
- #22: Built in module PIKE helps detect flooding Combine with HTABLES to block temporarily RAM based. Very fast. White list with PERMISSIONS module Also stored in memory Here we check if a non-whitelisted IP is blocked If so, drop them (just ignore it) Not blocked, check if flooding... Yeah? Block em & Drop em.
- #23: Friendly Scanner? Drop & Block SQL Injection? Drop & Block Most Script Kiddies use the reject messages Now the real attack begins Of course, different thoughts on this as well Send 200 OK
- #24: Example of PIPELIMIT which is a fast counter Oh this box currently is 5cps, move on Oh look... a script kiddie
- #28: When we block an IP, it's blocked for everyone Very scalable. We can also handle calls by ourselves Presence IM integration Extension to Extension calls Strong Community Active mail list Active IRC channel Pretty friendly... be patient with language