Expanding Asterisk with Kamailio
Fred [email protected]
Who am I?
Fred Posner
VoIP Engineer/Consultant
LOD
The Palner Group
Started in 2003
Vonage Competitor
Broadsoft / Acme Packet
Switched to Asterisk / OpenSER
Beautiful Wife Yeni
Started Bearkery Bakery in 2010
Live in Florida
Big Fred Cookie
Why Asterisk?
Asterisk GREAT PRODUCT
We're at Astricon after all
All features you'd ever want
Very customizable
Powerful
Open Source
Queues
Call Recording
Voicemail
IVR
AND SO MUCH MORE
If Asterisk can do all that...
If Asterisk is so incredible... then...
Why do we need Kamailio?
and....
Why do we need Kamailio?
and... More importantly...
How do you pronounce Kamailio?
Kah Mah Illie - Oh
Not Without Problems
EVERYTHING HAS STRENGTHS & WEAKNESSES
Believe it or not... I'm a great guy, ...but I have a weight problem.
Working on weakness creates strength to grow.
Ever hear of Pozzolans?
Lime is used in concrete. OK by itself... nothing special.
Add Pozzolans...
Increased strength / durability
Decreased weakness
Pozzolan Effect
Kamailio & Asterisk together work the same way.
What is Kamailio?
SIP Proxy Server
SIP Registrar Server
SIP Location Server
SIP Application Server
SIP Dispatcher Server
What isn't Kamailio?
SIP Phone
B2BUA
Media Server
Want a B2BUA?
Use Asterisk =)
All of these are Asterisk
Typical Reasons to Implement Kamailio
Scaling
High Volume of Calls
High Number of Users
Security
Load Balancing
LCR (Least Cost Routing)
How many calls can Asterisk handle?
200 or 400. There is no 100.
SIP Version of Do or Do Not. There is No Try.
As most of you know...
simple question
difficult answer
Asterisk Activities Affect CPS/Load
Music on Hold
Codec Transcoding
IVR Handling
AGI Scripts
Call Recording
Queues
Voicemail
What you do with Asterisk affects call load
& hardware too of course
Some systems can run thousands of channels
Others may have difficulty with more than 400
Reduce Asterisk Overhead
Focus on core strengths
Registrations
Authentication
NAT
Calls
Presence
Call Limit
Ext to Ext
Location
STOP THE INSANITY!
Additional cps concerns
Flash Operator Panel? 20 cps
Fail2Ban? Affects cps greatly
Logging
Network (jitter, etc.)
OS
150 cps?
Really depends on codecs, hardware, network
Max calls? 10,000? 100?
Internet / PSTN
Kamailio
There must be a better way!
Kamailio: Authentication, NAT, Location, LCR, Registration, Extension to Extension calls, Security
Asterisk: Queues, Media, Call Processing, Voicemail, Conferences, etc.
On embedded systems, with limited resources: 100s cps
As stateless load balancer, >5000 call setups per second
4GB memory, Kamailio can serve over 300k subscribers
System can easily scale adding more Kamailio servers
Kamailio LCR handles millions of routing rules
(and that's with the built-in modules)
Even with just 1 Asterisk server (like above)...
using Kamailio can increase user/call capacity
Load Balancing
n + 1 scaling made easy with dispatcher module
Load balancing is built into Kamailio
Makes n + 1 scaling simple
DISPATCHER Module
    # Dispatch requests
    route[DISPATCH] {
        # round robin dispatching
        if(!ds_select_dst("1", "4")) {
            send_reply("404", "Ouch");
            exit;
        }
        t_on_failure("RTF_DISPATCH");
        route(RELAY);
        exit;
    }

    failure_route[RTF_DISPATCH] {
        if (t_is_canceled()) {
            exit;
        }
        # next DST - only for 500 or local timeout
        if (t_check_status("500")
                or (t_branch_timeout() and !t_branch_replied())) {
            if(ds_next_dst()) {
                t_on_failure("RTF_DISPATCH");
                route(RELAY);
                exit;
            }
        }
    }
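As an added illustration (not from the talk and not Kamailio's own code), the Python below models what the two routes above do: it parses the dispatcher.list format the dispatcher module reads ("setid destination [flags] [priority] [attrs]"), picks a destination round-robin as ds_select_dst("1", "4") does, and on a 500 or a local timeout walks the remaining destinations the way failure_route[RTF_DISPATCH] does with ds_next_dst(). The addresses and the set layout are constructed placeholders, and the send() callback stands in for the Asterisk boxes' replies.

```python
"""Model of the dispatcher round-robin + failover logic shown in the cfg.

Added illustration code, not Kamailio's dispatcher module. Addresses are
constructed private-range placeholders.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample dispatcher.list (not from the talk).
DISPATCHER_LIST = """\
# set 1: Asterisk call-processing boxes
1 sip:192.168.101.21:5060 0 0
1 sip:192.168.101.22:5060 0 0
1 sip:192.168.101.23:5060 0 0
# set 2: voicemail boxes
2 sip:192.168.101.31:5060 0 0
"""

# Outcomes that make the failure route try the next destination:
# a 500 from the box, or a local timeout (modelled here as None).
FAILOVER_ON = {500, None}


@dataclass
class Destination:
    uri: str
    flags: int = 0
    priority: int = 0
    active: bool = True  # a box marked inactive is skipped entirely


@dataclass
class DispatcherSet:
    members: List[Destination] = field(default_factory=list)
    rr_index: int = 0  # round-robin position, advanced once per call

    def select(self) -> Optional[List[Destination]]:
        """Ordered try-list for one call: round-robin pick first, the other
        active members after it. None when nothing is active (cfg: 404)."""
        active = [d for d in self.members if d.active]
        if not active:
            return None
        start = self.rr_index % len(active)
        self.rr_index = (start + 1) % len(active)
        return active[start:] + active[:start]


def parse_dispatcher_list(text: str) -> Dict[int, DispatcherSet]:
    """Parse dispatcher.list lines into sets keyed by setid."""
    sets: Dict[int, DispatcherSet] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = line.split()
        setid, uri = int(parts[0]), parts[1]
        flags = int(parts[2]) if len(parts) > 2 else 0
        prio = int(parts[3]) if len(parts) > 3 else 0
        sets.setdefault(setid, DispatcherSet()).members.append(
            Destination(uri, flags, prio))
    return sets


def route_call(dset: DispatcherSet,
               send: Callable[[str], Optional[int]]) -> str:
    """Model of route[DISPATCH] + failure_route[RTF_DISPATCH].

    send(uri) returns the final reply code from that box, or None for a
    local timeout. A 500 or timeout moves on to the next destination; any
    other reply is relayed. When every destination fails, the last failure
    is relayed (tm's default when the failure route adds no new branch)."""
    candidates = dset.select()
    if candidates is None:
        return "404 Ouch"
    last = None
    for dst in candidates:
        status = send(dst.uri)
        if status in FAILOVER_ON:
            last = status
            continue  # next DST - only for 500 or local timeout
        return f"{status} via {dst.uri}"
    code = 408 if last is None else last
    return f"{code} after {len(candidates)} attempts"


if __name__ == "__main__":
    sets = parse_dispatcher_list(DISPATCHER_LIST)
    # constructed box behaviour: .21 answers 500, .22 times out, .23 answers 200
    replies = {"sip:192.168.101.21:5060": 500,
               "sip:192.168.101.22:5060": None,
               "sip:192.168.101.23:5060": 200}
    for _ in range(3):
        print(route_call(sets[1], replies.get))
```

The round-robin pointer advances once per call regardless of which box finally answered, so a single failing box does not pin the rotation; it just costs one extra attempt per call until it is taken out of the set.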
Drastically increase call load / capacity
Fault Tolerant
Location failures
Can add more kamailio boxes as well.
You can group clusters by function / limits
Voicemail
IVR
Recordings
Conferences
Internet / PSTN
Kamailio
You can set limits by box as well
This box can handle 100 calls at 2 cps
This box can handle 500 calls at 20 cps
Security
Kamailio expands the security capabilities of Asterisk
Ever seen something like this?
[Oct 1 23:01:26] NOTICE[3063][C-00002d55] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!2#48' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d56] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d57] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d58] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d59] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00002d5a] chan_sip.c: Call from '' (158.69.52.94:11067) to extension '!qaz' rejected because extension not found in context 'default'.
Rejection of call attempts
Rejection of registration attempts
Brute force password attacks
Anyone been hit by a brute force attack from AWS?
Thousands of attempts in a very short period of time
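As an added example (not part of the talk), here is the kind of after-the-fact log analysis those bullets describe: a parser for the chan_sip NOTICE lines shown above that groups rejections by source address and flags a source once it produces a burst of them inside a short window. The log lines below are constructed, with RFC 5737 documentation addresses in place of real ones; the format follows the excerpt above.

```python
"""Aggregate Asterisk chan_sip 'extension not found' rejections per source.

Added example, not part of the talk. Sample lines are constructed;
addresses are RFC 5737 documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple

# Pattern for the chan_sip NOTICE emitted when an INVITE hits an unknown
# extension, in the shape shown in the talk's log excerpt.
REJECT_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)\] NOTICE\[\d+\](?:\[C-[0-9a-f]+\])? "
    r"chan_sip\.c: Call from '(?P<user>[^']*)' \((?P<ip>[\d.]+):(?P<port>\d+)\) "
    r"to extension '(?P<ext>[^']*)' rejected because extension not found "
    r"in context '(?P<ctx>[^']*)'\.$"
)

# Constructed sample: one scanner burst, one single misdial, one unrelated line.
SAMPLE_LOG = """\
[Oct 1 23:01:26] NOTICE[3063][C-00000a01] chan_sip.c: Call from '' (192.0.2.10:11067) to extension '!2#48' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00000a02] chan_sip.c: Call from '' (192.0.2.10:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:26] NOTICE[3063][C-00000a03] chan_sip.c: Call from '' (192.0.2.10:11067) to extension '!' rejected because extension not found in context 'default'.
[Oct 1 23:01:27] NOTICE[3063][C-00000a04] chan_sip.c: Call from '' (192.0.2.10:11067) to extension '00' rejected because extension not found in context 'default'.
[Oct 1 23:01:27] NOTICE[3063][C-00000a05] chan_sip.c: Call from '' (192.0.2.10:11067) to extension '!qaz' rejected because extension not found in context 'default'.
[Oct 1 23:01:40] NOTICE[3063][C-00000a06] chan_sip.c: Call from '1001' (198.51.100.7:5060) to extension '9999' rejected because extension not found in context 'default'.
[Oct 1 23:01:41] VERBOSE[3063] pbx.c: -- Executing [100@default:1] Answer("SIP/1001-0000001a", "") in new stack
"""


class Rejection(NamedTuple):
    ts: datetime
    user: str
    ip: str
    port: int
    ext: str
    ctx: str


def parse_rejections(lines: Iterable[str]) -> List[Rejection]:
    """Return one Rejection per matching line; non-matching lines are skipped."""
    out: List[Rejection] = []
    for line in lines:
        m = REJECT_RE.match(line.rstrip("\n"))
        if not m:
            continue
        # Asterisk omits the year; strptime defaults it to 1900, which is
        # fine for computing deltas inside one log file.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        out.append(Rejection(ts, m["user"], m["ip"], int(m["port"]), m["ext"], m["ctx"]))
    return out


def flag_sources(rejs: List[Rejection], window_s: int = 60,
                 threshold: int = 5) -> Dict[str, dict]:
    """Flag source IPs with >= threshold rejections inside any window_s span.

    The summary also lists the distinct extensions tried: a scanner walking
    extensions looks different from one user misdialing."""
    by_ip: Dict[str, List[Rejection]] = defaultdict(list)
    for r in rejs:
        by_ip[r.ip].append(r)
    flagged: Dict[str, dict] = {}
    for ip, items in by_ip.items():
        items.sort(key=lambda r: r.ts)
        peak, lo = 0, 0
        for hi in range(len(items)):  # sliding window over sorted timestamps
            while (items[hi].ts - items[lo].ts).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            flagged[ip] = {
                "total": len(items),
                "peak_in_window": peak,
                "extensions": sorted({r.ext for r in items}),
                "first": items[0].ts.strftime("%b %d %H:%M:%S"),
                "last": items[-1].ts.strftime("%b %d %H:%M:%S"),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_sources(parse_rejections(SAMPLE_LOG.splitlines())).items():
        print(ip, info)
```

This is exactly the position a log-driven tool is in: every line it counts is a request Asterisk has already parsed, matched against the dialplan and rejected, which is the resource cost the following bullets point out.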
Asterisk Security Tools
fail2ban
custom script
IPTABLES
hardened dialplan
Hardened sip.conf
Log analyzers happen after the attack
CPU/Memory resources
Only protects single box
Current methods of handling happen after the attack
Take resources AWAY from call handling
Protects a single box
Kamailio Security
GEOIP
HTABLE
PIKE (flood detection)
PIPELIMIT (counter)
PERMISSIONS
RATELIMIT (counter)
SANITY (formatting)
Kamailio is flexible.
The way I handle security is different than Daniel or X person or Y.
Different is good.
You can learn something from EVERYONE
The best experts keep an open mind
Good writers borrow, great writers steal -- T.S. Eliot
PIKE / HTABLES / PERMISSIONS
    if((src_ip!=myself) && !allow_source_address(1)) {
        if($sht(ipban=>$si)!=$null) {
            # ip is already blocked
            exit;
        }
        if (!pike_check_req()) {
            $sht(ipban=>$si) = 1;
            exit;
        }
    }
Built in module PIKE helps detect flooding
Combine with HTABLES to block temporarily
RAM based. Very fast.
White list with PERMISSIONS module
Also stored in memory
Here we check if a non-whitelisted IP is blocked
If so, drop them (just ignore it)
Not blocked, check if flooding...
Yeah? Block em & Drop em.
SIP Message Inspection / HTABLES
    if ($ua =~ "(friendly-scanner|sipvicious|sipcli)") {
        if(src_ip!=myself) {
            $sht(ipban=>$si) = 1;
        }
        exit;
    }

    if($au =~ "(\=)|(\-\-)|(')|(\#)|(\%27)|(\%24)" and $au != $null) {
        if(src_ip!=myself) {
            $sht(ipban=>$si) = 1;
        }
        exit;
    }
Friendly Scanner?
Drop & Block
SQL Injection?
Drop & Block
Most Script Kiddies use the reject messages
Now the real attack begins
Of course, different thoughts on this as well
Send 200 OK
Handle Before Reaching Asterisk
[R-REQINIT:PIPELIMIT] invites to 192.168.101.21 exceeded 5cps
[R-REQINIT:PIPELIMIT] invites to 192.168.101.23 exceeded 5cps
[R-REQINIT:PIPELIMIT] invites to 192.168.101.22 exceeded 5cps
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.93.91.162:5063 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:212.83.188.161:5068 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.93.89.219:5066 - dropping and blocking
[R-REQINIT:ANTIFLOOD] script kiddies from IP:85.25.74.70:5150 - dropping and blocking
Example of PIPELIMIT which is a fast counter
Oh this box currently is 5cps, move on
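The three checks shown in these slides, PIKE with an HTABLE ban list and a PERMISSIONS whitelist, the User-Agent and Authorization-username inspection, and the PIPELIMIT counter per Asterisk box, all sit in the same request-handling path before anything reaches Asterisk. The Python below is an added model of that path, not Kamailio code and not from the talk: PIKE's request-density check is approximated by a sliding window per source IP, the ipban htable by a dict with autoexpire, PERMISSIONS' address table by a set, and the pipelimit by a per-destination window of INVITEs per second. The regexes are the ones from the cfg above; addresses in the demo and tests are constructed RFC 5737 documentation ranges.

```python
"""Request-time screening modelled on PIKE/HTABLE/PERMISSIONS, the UA and
$au inspection, and a PIPELIMIT-style counter.

Added example; it approximates the Kamailio modules rather than
reproducing them. Sample addresses are constructed (RFC 5737).
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Set

# Regexes from the cfg shown above: scanner User-Agents, and characters in
# the Authorization username ($au) that point at injection attempts.
SCANNER_UA_RE = re.compile(r"(friendly-scanner|sipvicious|sipcli)")
BAD_AUTH_USER_RE = re.compile(r"(=)|(--)|(')|(#)|(%27)|(%24)")


@dataclass
class SipRequest:
    """The few request attributes the cfg inspects ($si, $rm, $ua, $au)."""
    src_ip: str
    method: str
    dst_ip: str                      # Asterisk box the request is bound for
    user_agent: str = ""
    auth_user: Optional[str] = None  # $au; None when no Authorization header
    ts: float = 0.0                  # arrival time in seconds


@dataclass
class Guard:
    myself: Set[str]                 # our own addresses (cfg: src_ip==myself)
    whitelist: Set[str] = field(default_factory=set)  # PERMISSIONS address table
    pike_limit: int = 16             # requests per window before blocking
    pike_window: float = 2.0         # seconds (pike sampling_time_unit)
    ban_seconds: float = 300.0       # htable ipban autoexpire
    pipe_cps: int = 5                # INVITEs per second allowed per box
    bans: Dict[str, float] = field(default_factory=dict)
    seen: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    pipes: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    log: List[str] = field(default_factory=list)

    def _ban(self, ip: str, now: float, why: str) -> None:
        self.bans[ip] = now + self.ban_seconds
        self.log.append(f"[R-REQINIT:ANTIFLOOD] {why} from IP:{ip} - dropping and blocking")

    def _banned(self, ip: str, now: float) -> bool:
        exp = self.bans.get(ip)
        if exp is None:
            return False
        if exp <= now:
            del self.bans[ip]        # autoexpire reached
            return False
        return True

    @staticmethod
    def _over(window: Deque[float], now: float, limit: int, span: float) -> bool:
        """Record an event; report whether more than `limit` fall inside `span`."""
        window.append(now)
        while window and window[0] <= now - span:
            window.popleft()
        return len(window) > limit

    def check(self, req: SipRequest) -> str:
        """Return 'drop', 'overloaded' or 'forward' for one request."""
        ip, now = req.src_ip, req.ts
        local = ip in self.myself
        # PIKE / HTABLE / PERMISSIONS block: only for non-local, non-whitelisted
        if not local and ip not in self.whitelist:
            if self._banned(ip, now):
                return "drop"        # already blocked: just ignore it
            if self._over(self.seen[ip], now, self.pike_limit, self.pike_window):
                self._ban(ip, now, "flood")
                return "drop"
        # Scanner User-Agent: drop always, block unless it is one of our boxes
        if SCANNER_UA_RE.search(req.user_agent):
            if not local:
                self._ban(ip, now, "script kiddies")
            return "drop"
        # Injection characters in the auth username: same treatment
        if req.auth_user is not None and BAD_AUTH_USER_RE.search(req.auth_user):
            if not local:
                self._ban(ip, now, "script kiddies")
            return "drop"
        # PIPELIMIT-style counter per destination box: too many INVITEs/sec
        if req.method == "INVITE" and self._over(self.pipes[req.dst_ip], now, self.pipe_cps, 1.0):
            self.log.append(f"[R-REQINIT:PIPELIMIT] invites to {req.dst_ip} exceeded {self.pipe_cps}cps")
            return "overloaded"      # caller picks another box, as the slide says
        return "forward"


if __name__ == "__main__":
    g = Guard(myself={"192.0.2.1"}, pike_limit=3, pipe_cps=2)
    g.check(SipRequest("198.51.100.9", "OPTIONS", "192.0.2.21", user_agent="friendly-scanner"))
    for i in range(4):
        g.check(SipRequest(f"203.0.113.{10 + i}", "INVITE", "192.0.2.22", user_agent="ok", ts=0.2 * i))
    print("\n".join(g.log))
```

The checks return a verdict instead of acting so the surrounding logic decides what "overloaded" means; in the setup described here that is moving on to another box, not answering the sender. The order matters too: a banned source is dropped before any regex or counter runs, which is what keeps the cost of a blocked flood near zero.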
Oh look... a script kiddie
Kamailio Saves Money
Financial Benefits
Kamailio reduces fraud risk (security)
Kamailio reduces carrier cost (lcr)
Kamailio reduces opportunity costs (downtime)
Kamailio Plays Well with Others
IPv4 & IPv6
UDP/TCP
TLS
SCTP
All codecs
WebRTC
Supporting RFC3261, RFC3262, RFC3263, RFC3880, RFC4474, RFC2865, RFC2866, RFC4975, RFC3486, RFC3265, RFC3856, RFC3863, RFC4480, RFC3903, RFC3857, RFC3858, RFC3680, RFC3581, RFC1918, RFC2617, RFC4122, RFC4510, RFC4515, RFC4662, RFC4826, RFC4745 and RFC5025, RFC3410, RFC3327, RFC2741, RFC4516, etc.
Kamailio: Positives
Very fast
Minimal hardware
More than 200 modules
Centralization
Saves Money
LCR
Scalable
Failover
Strong Community
Promotes Growth
When we block an IP, it's blocked for everyone
Very scalable.
We can also handle calls by ourselves
Presence
IM integration
Extension to Extension calls
Strong Community
Active mail list
Active IRC channel
Pretty friendly... be patient with language
Kamailio: Negatives
Must know SIP
Must really know SIP
Need strong SIP knowledge
Thank you
Fred Posner @fredposner
Questions