
Upload: fredposner

Post on 08-Jan-2017


Expanding Asterisk with Kamailio

Fred [email protected]

Who am I?

Fred Posner
VoIP Engineer/Consultant
LOD
The Palner Group

Started in 2003
Vonage Competitor
Broadsoft / Acme Packet
Switched to Asterisk / OpenSER

Beautiful Wife Yeni
Started Bearkery Bakery in 2010
Live in Florida
Big Fred Cookie

Why Asterisk?

Asterisk
GREAT PRODUCT
We're at Astricon after all
All features you'd ever want
Very customizable
Powerful
Open Source

Queues

Call Recording

Voicemail

IVR
AND SO MUCH MORE

If Asterisk can do all that...

If Asterisk is so incredible... then...

Why do we need Kamailio?

and....

Why do we need Kamailio?

and... More importantly...

How do you pronounce Kamailio?

Kah Mah Illie - Oh

Not Without Problems
EVERYTHING HAS STRENGTHS & WEAKNESSES
Believe it or not... I'm a great guy, ...but I have a weight problem.

Working on weakness creates strength to grow.

Ever hear of Pozzolans?
Lime is used in concrete
OK by itself... nothing special.
Add Pozzolans...
Increased strength / durability
Decreased weakness
Pozzolan Effect

Kamailio & Asterisk together work the same way.

What is Kamailio?

SIP Proxy Server
SIP Registrar Server
SIP Location Server
SIP Application Server
SIP Dispatcher Server

What isn't Kamailio?

SIP Phone
B2BUA
Media Server

Want a B2BUA?
Use Asterisk =)

All of these are Asterisk

Typical Reasons to Implement Kamailio

Scaling
High Volume of Calls

High Number of Users

Security

Load Balancing

LCR (Least Cost Routing)

How many calls can Asterisk handle?

200 or 400. There is no 100.

SIP Version of Do or Do Not. There is No Try.

As most of you know...
simple question
difficult answer

Asterisk Activities Affect CPS/Load

Music on Hold

Codec Transcoding

IVR Handling

AGI Scripts

Call Recording

Queues

Voicemail

What you do with Asterisk affects call load
& hardware too of course

Some systems can run thousands of channels

Others may have difficulty with more than 400

Reduce Asterisk Overhead
Focus on core strengths

Registrations

Authentication

NAT

Calls

Presence

Call Limit

Ext to Ext

Location

STOP THE INSANITY!

Additional cps concerns
Flash Operator Panel? 20 cps

Fail2Ban? Affects cps greatly

Logging

Network (jitter, etc.)

OS

150 cps?
Really depends on codecs, hardware, network

Max calls? 10,000? 100?

Internet / PSTN

Kamailio

There must be a better way!

Kamailio: Authentication, NAT, Location, LCR, Registration, Extension to Extension calls, Security

Asterisk: Queues, Media, Call Processing, Voicemail, Conferences, etc.

On embedded systems, with limited resources
100s cps

As stateless load balancer, >5000 call setups per second

4GB memory, Kamailio can serve over 300k subscribers

System can easily scale adding more Kamailio servers

Kamailio LCR handles millions of routing rules
(and that's the built in modules)

Even with just 1 Asterisk server (like above)...
using Kamailio can increase user/call capacity

Load Balancing

n + 1 scaling made easy with dispatcher module

Load balancing is built into Kamailio

Makes n + 1 scaling simple

DISPATCHER Module

    # Dispatch requests
    route[DISPATCH] {
        # round robin dispatching
        if(!ds_select_dst("1", "4")) {
            send_reply("404", "Ouch");
            exit;
        }
        t_on_failure("RTF_DISPATCH");
        route(RELAY);
        exit;
    }

    failure_route[RTF_DISPATCH] {
        if (t_is_canceled()) {
            exit;
        }

        # next DST - only for 500 or local timeout
        if (t_check_status("500")
                or (t_branch_timeout() and !t_branch_replied())) {
            if(ds_next_dst()) {
                t_on_failure("RTF_DISPATCH");
                route(RELAY);
                exit;
            }
        }
    }

Drastically increase call load / capacity

Fault Tolerant

Location failures

Can add more kamailio boxes as well.

You can group clusters by function / limits
Voicemail
IVR
Recordings
Conferences

Internet / PSTN

Kamailio

You can set limits by box as well
This box can handle 100 calls at 2 cps
This box can handle 500 calls at 20 cps

Security

Kamailio expands the security capabilities of Asterisk

Ever seen something like this?

[Oct 1 23:01:26] NOTICE[3063][C-00002d55] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!2#48' rejected because extension not found in context 'default'.

[Oct 1 23:01:26] NOTICE[3063][C-00002d56] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.

[Oct 1 23:01:26] NOTICE[3063][C-00002d57] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.

[Oct 1 23:01:26] NOTICE[3063][C-00002d58] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.

[Oct 1 23:01:26] NOTICE[3063][C-00002d59] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.

[Oct 1 23:01:26] NOTICE[3063][C-00002d5a] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!qaz' rejected because extension not found in context 'default'.

Rejection of call attempts

Rejection of registration attempts

Brute force password attacks

Anyone been hit by a brute force attack from AWS?
Thousands of attempts in a very short period of time

Asterisk Security Tools

fail2ban

custom script

IPTABLES

hardened dialplan

Hardened sip.conf

Log analyzers happen after the attack

CPU/Memory resources

Only protects single box

Current methods of handling happen after the attack

Take resources AWAY from call handling

Protects a single box
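The after-the-fact analysis a log watcher such as fail2ban performs, as an added example that is not part of the slides: it parses the chan_sip NOTICE lines quoted above (plus one constructed benign line from 192.0.2.10), groups rejections per source address and flags any source exceeding a threshold inside a sliding time window. The threshold and window values are assumptions, not the slides' own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the chan_sip NOTICE lines quoted above plus one single
# rejection from 192.0.2.10 (documentation range) that must not be flagged.
SAMPLE_LOG = """\
[Oct 1 23:01:26] NOTICE[3063][C-00002d55] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!2#48' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d56] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d57] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d58] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d59] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d5a] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!qaz' rejected because extension not found in context 'default'.
[Oct 1 23:05:00] NOTICE[3063][C-00002d5b] chan_sip.c: Call from '' (192.0.2.10:5060) to extension '9999' rejected because extension not found in context 'default'.
"""

# Matches the rejection line format shown above; the user part may be empty ('').
REJECT_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\]\[[^\]]*\] chan_sip\.c: "
    r"Call from '(?P<user>[^']*)' \((?P<ip>[\d.]+):\d+\) "
    r"to extension '(?P<ext>[^']*)' rejected")


def parse_rejections(text):
    """Yield (timestamp, source_ip, dialed_extension) per rejection line."""
    for line in text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            # syslog-style stamp has no year; deltas still work (year defaults to 1900)
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("ext")


def find_scanners(text, threshold=5, window_seconds=60):
    """Return {ip: (total_rejections, sorted distinct extensions)} for every
    source with >= threshold rejections inside any window_seconds span."""
    by_ip = defaultdict(list)
    for ts, ip, ext in parse_rejections(text):
        by_ip[ip].append((ts, ext))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sorted({e for _, e in events}))
                break
    return flagged
```

Note that everything here happens after Asterisk has already spent CPU on each rejected INVITE, which is the point the slides make against relying on log analyzers alone.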

Kamailio Security

GEOIP

HTABLE

PIKE (flood detection)

PIPELIMIT (counter)

PERMISSIONS

RATELIMIT (counter)

SANITY (formatting)

Kamailio is flexible.

The way I handle security is different than Daniel or X person or Y.

Different is good.
You can learn something from EVERYONE

The best experts keep an open mind

Good writers borrow, great writers steal -- T.S. Eliot

PIKE / HTABLES / PERMISSIONS

    if((src_ip!=myself) && !allow_source_address(1)) {
        if($sht(ipban=>$si)!=$null) {
            # ip is already blocked
            exit;
        }

        if (!pike_check_req()) {
            $sht(ipban=>$si) = 1;
            exit;
        }
    }

Built in module PIKE helps detect flooding
Combine with HTABLES to block temporarily
RAM based. Very fast.

White list with PERMISSIONS module
Also stored in memory

Here we check if a non-whitelisted IP is blocked
If so, drop them (just ignore it)
Not blocked, check if flooding...
Yeah? Block em & Drop em.

SIP Message Inspection / HTABLES

    if ($ua =~ "(friendly-scanner|sipvicious|sipcli)") {
        if(src_ip!=myself) {
            $sht(ipban=>$si) = 1;
        }
        exit;
    }

    if($au =~ "(\=)|(\-\-)|(')|(\#)|(\%27)|(\%24)" and $au != $null) {
        if(src_ip!=myself) {
            $sht(ipban=>$si) = 1;
        }
        exit;
    }

Friendly Scanner?
Drop & Block

SQL Injection?
Drop & Block

Most Script Kiddies use the reject messages
Now the real attack begins

Of course, different thoughts on this as well
Send 200 OK

Handle Before Reaching Asterisk

[R-REQINIT:PIPELIMIT] invites to 192.168.101.21 exceeded 5cps
[R-REQINIT:PIPELIMIT] invites to 192.168.101.23 exceeded 5cps
[R-REQINIT:PIPELIMIT] invites to 192.168.101.22 exceeded 5cps
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.93.91.162:5063 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:212.83.188.161:5068 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.93.89.219:5066 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.25.74.70:5150 - dropping and blocking

Example of PIPELIMIT which is a fast counter
Oh this box currently is 5cps, move on

Oh look... a script kiddie
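A plain-Python model of the request-init checks from the two kamailio.cfg snippets above (PERMISSIONS whitelist, HTABLE ban list, PIKE-style flood counter, then User-Agent and auth-username inspection), added here as an example and not code from the slides or from Kamailio itself. The class name, the per-source limit and the window length are assumptions; the real PIKE module has its own sampling parameters and the real HTABLE entries expire, whereas this ban set does not.

```python
import re
from collections import defaultdict, deque

# Same patterns the kamailio.cfg snippets above apply to the User-Agent
# and to the auth username.
SCANNER_UA = re.compile(r"(friendly-scanner|sipvicious|sipcli)")
BAD_AUTH_USER = re.compile(r"(=)|(--)|(')|(#)|(%27)|(%24)")


class RequestGuard:
    """Model of the request-init checks above (not Kamailio's modules):
    PERMISSIONS whitelist, HTABLE ban list, a PIKE-style per-source request
    counter, then User-Agent and auth-username inspection.
    reqs_per_window / window are assumed values, not PIKE's defaults."""

    def __init__(self, myself, whitelist=(), reqs_per_window=16, window=2.0):
        self.myself = myself                # our own address (src_ip != myself)
        self.whitelist = set(whitelist)     # allow_source_address(1)
        self.ipban = set()                  # stands in for $sht(ipban=>$si)
        self.hits = defaultdict(deque)      # recent request times per source IP
        self.limit = reqs_per_window
        self.window = window

    def _flooding(self, ip, now):
        """True once a source exceeds the allowed requests inside the window."""
        q = self.hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.limit

    def check(self, src_ip, now, ua="", auth_user=None):
        """Return 'relay' or 'drop:<reason>' for one incoming request."""
        if src_ip != self.myself and src_ip not in self.whitelist:
            if src_ip in self.ipban:
                return "drop:banned"        # already blocked: ignore silently
            if self._flooding(src_ip, now):
                self.ipban.add(src_ip)      # block and drop
                return "drop:flood"
        if SCANNER_UA.search(ua):
            if src_ip != self.myself:
                self.ipban.add(src_ip)
            return "drop:scanner-ua"
        if auth_user is not None and BAD_AUTH_USER.search(auth_user):
            if src_ip != self.myself:
                self.ipban.add(src_ip)
            return "drop:bad-auth-user"
        return "relay"
```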

Kamailio Saves Money

Financial Benefits

Kamailio reduces fraud risk (security)

Kamailio reduces carrier cost (lcr)

Kamailio reduces opportunity costs (downtime)

Kamailio Plays Well with Others

IPv4 & IPv6

UDP/TCP

TLS

SCTP

All codecs

WebRTC

Supporting RFC3261, RFC3262, RFC3263, RFC3880, RFC4474, RFC2865, RFC2866, RFC4975, RFC3486, RFC3265, RFC3856, RFC3863, RFC4480, RFC3903, RFC3857, RFC3858, RFC3680, RFC3581, RFC1918, RFC2617, RFC4122, RFC4510, RFC4515, RFC4662, RFC4826, RFC4745 and RFC5025, RFC3410, RFC3327, RFC2741, RFC4516, etc.

Kamailio: Positives

Very fast

Minimal hardware

More than 200 modules

Centralization

Saves Money

LCR

Scalable

Failover

Strong Community

Promotes Growth

When we block an IP, it's blocked for everyone

Very scalable.

We can also handle calls by ourselves
Presence
IM integration
Extension to Extension calls

Strong Community
Active mail list
Active IRC channel
Pretty friendly... be patient with language

Kamailio: Negatives

Must know SIP

Must really know SIP

Need strong SIP knowledge


Thank you


Fred Posner
@fredposner

Questions