Kamailio

Topology Hiding
protect the network architecture

Daniel-Constantin Mierla Co-Founder Kamailio Project daniel@asipto.com

Chicago - 2022
▸ Originally from Romania, living in Berlin, Germany

▸ Computer science software engineer - Polytechnics University Bucharest (2001)

▸ Researcher in RTC at Fraunhofer Fokus Institute, Berlin, Germany (2002-2005)

▸ Co-founder, main coordinator and lead developer of Kamailio, an open source

SIP Server

▸ Professional consultancy for SIP, VoIP, Kamailio and all RTC at asipto.com

▸ Involved in open source real time communications since 2002

▸ Working with open standard protocols, mainly from IETF, GSMA/3GPP/ITU

▸ C software developer - mainly VoIP server side infrastructure

▸ Co-organizer of Kamailio World Conference, FOSDEM RTC DevRoom

▸ Speaking and promoting OSS RTC at world wide events

 SER
2001 released 2005 Trademark
issue
2022
open source
Kamailio
(GPLv2)
new name

SIP Express Router SER IPR

21
(SER) sold
years
Started by OpenSER
FhG Fokus 2002 created 2008 of
development

nowadays
- over 50 yearly active developers - used by large rtc companies (millions of subscribers, billions of minutes per month) -

www.kamailio.org www.kamailioworld.com
@kamailio @kamailioworld
KAMAILIO SIP SERVER IN ONE SLIDE

Open Source SIP (IETF RFC3261) Signaling Server implementation, developed since 2001

Can be used for VoIP (Voice, Video, VoLTE/IMS, SIP-I/SIP-T), Instant Messaging, Presence, WebRTC, IoT,
Diameter, SQL and NoSQL backends, load balancing, least cost routing, security, …

Designed for modularity, exibility and scalability

used by large telecoms, mobile operators and OTT services world wide

thousands of call setups per second,

hundred thousands of connected phones per instance

IPv6/IPv4 - UDP/TCP/TLS/SCTP/WebSocket - asynchronous routing

Classic SIP - WebRTC gateway using Kamailio + RTPEngine

Embedded interpreters: Lua, Python, JavaScript, Ruby, Squirrel, Perl, .Net, Java

About 250 modules (extensions) - https://www.kamailio.org/docs/modules/stable/

Over 80 active developers each year

Runs its own conference - Kamailio World

in Berlin, Germany: https://www.kamailioworld.com

fl
NEW IN KAMAILIO 2021-2022

https://www.kamailio.org/w/kamailio-v5-6-0-release-notes/

https://www.kamailio.org/w/kamailio-v5-5-0-release-notes/

jwt STIR/SHAKEN nats

websocket client ruxc - http client

posops sworker - siprepo slack

 wait no longer

Kamailio is now available at half price

 SIP Proxy Router

con guration le
fi
fi
 KAMAILIO CONFIGURATION FILE STRUCTURE

# global settings
#!define FLT_ACC 1
debug=3
Three major parts
fork=no
listen=192.168.1.34:5060
Global parameters …
pstn.gw = 1.2.3.4” desc “pstn gateway ip”
Application parameters — ex: debug level, sockets, tcp tunings, worker processes, … ...
Custom (script speci c) parameters — ex: groupid.name # module settings
mpath=”/usr/local/lib/kamailio/modules/”
Modules settings loadmodule=”tm.so”
...
Loading modules and modules parameters modparam("tm", "fr_inv_timer", 30000)
.....
Routing blocks
# routing blocks
Rules for routing SIP tra c request_route {
xlog(“request received from $si\n”);
Blocks for handling requests, responses, branches, failures, … if($si==“10.1.2.10”) {
route(REDIRECT);
The routing blocks } else {
$rd = “10.1.2.5”;
Similar concept with functions/procedures }
t_on_reply(“LOGRPL”);
Prede ned identi ers: request_route, route, branch_route, failure_route, onreply_route, event_route, … t_relay();
}
Contain actions: statements, conditions, loops route[REDIRECT] {
$rd = “10.1.2.3”;
Basic arithmetic and string operations send_reply(“302”, “Redirected”);
exit;
Good support for regular expressions from core and modules }
onreply_route[LOGRPL] {
Script variables with scope per process (private), global (shared), transaction or dialog xlog(“response received from $si\n”);
}
...
fi
fi
fi
ffi
SIP PROXY ROUTER - RECEIVED INVITE

INVITE sip:1002@asipto.lab;user=phone SIP/2.0

Via: SIP/2.0/UDP 192.168.178.62:1024;branch=z9hG4bK-ampxo9rfducs;rport
From: "1001" <sip:1001@asipto.lab>;tag=6ehxxq7ebj SIP
To: <sip:1002@asipto.lab;user=phone>
Call-ID: 313534373435383130393132333431-3xurg8bzzlop
CSeq: 1 INVITE Caller Proxy
Max-Forwards: 70
User-Agent: snom370/8.7.5.35
Contact: <sip:1001@192.168.178.62:1024;line=vuw36p4a>;reg-id=1
X-Serialnumber: 0004132672E3
P-Key-Flags: resolution="31x13", keys="4"
Accept: application/sdp
Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO, UPDATE
Allow-Events: talk, hold, refer, call-info
Supported: timer, replaces, from-change
Session-Expires: 3600
Min-SE: 90
Content-Type: application/sdp
Content-Length: 405

v=0
o=root 904410018 904410018 IN IP4 192.168.178.62
s=call
c=IN IP4 192.168.178.62
t=0 0
m=audio 62556 RTP/AVP 9 0 8 3 99 112 18 101
a=rtpmap:9 G722/8000
…
SIP PROXY ROUTER - FORWARDED INVITE

INVITE sip:1002@192.168.178.79:5061 SIP/2.0

Record-Route: <sip:192.168.178.75;lr>
Via: SIP/2.0/UDP 192.168.178.75;branch=z9hG4bK413a.b38be0298e62d68af96 08fe8acf7ec.0
Via: SIP/2.0/UDP 192.168.178.62:1024;received=192.168.178.62;branch=z9hG4bK-ampxo9rfducs;rport=1024 SIP
From: "1001" <sip:1001@asipto.lab>;tag=6ehxxq7ebj
To: <sip:1002@asipto.lab;user=phone>
Call-ID: 313534373435383130393132333431-3xurg8bzzlop Proxy Callee
CSeq: 1 INVITE
Max-Forwards: 69
User-Agent: snom370/8.7.5.35
Contact: <sip:1001@192.168.178.62:1024;line=vuw36p4a>;reg-id=1
X-Serialnumber: 0004132672E3
P-Key-Flags: resolution="31x13", keys="4"
Accept: application/sdp
Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO, UPDATE
Allow-Events: talk, hold, refer, call-info
Supported: timer, replaces, from-change
Session-Expires: 3600
Min-SE: 90
Content-Type: application/sdp
Content-Length: 405

v=0
o=root 904410018 904410018 IN IP4 192.168.178.62
s=call
c=IN IP4 192.168.178.62
t=0 0
m=audio 62556 RTP/AVP 9 0 8 3 99 112 18 101
a=rtpmap:9 G722/8000
…
ff
Topology Hiding

masking headers

topoh module
TOPOH MODULE

! module: topoh
! goals
" hide sensitive IP addresses
" contact header
" Via stack " secret key to encode/decode
" Record-Route and Route stacks " encoded fields are SIP grammar valid kamailio
! design " encoding IP and prefixes can be set via parameters
! stateless processing
" survive restarts SIP
! no track of transactions or dialogs
distributed processing " no functions to be called in config file

protocol
!

control
! encoding/decoding can be done by different " everything is done automatically RT
P 5.6.7.8
1.2.3.4
servers " hooks in core after receiving and before sending
! transparent processing
" just load the module and adjust parameters rtp public relay
! config writer should not care about topology
hiding
! everything is in clear while config processing
" use it with a media relay to hide the source of media traffic
! event routes to control topology masking
! skip it based on various conditions

https://kamailio.org/docs/modules/stable/modules/topoh.html
TOPOH MODULE

...
loadmodule "topoh.so"
...
# ----- topoh params -----
modparam("topoh", "mask_key", "my secret here")
modparam("topoh", "mask_ip", "10.1.1.10")
... kamailio

SIP

protocol
control
RT 5.6.7.8
P
1.2.3.4
event_route[topoh:msg-outgoing] {
if($sndto(ip)=="10.1.1.10") { rtp public relay
drop;
}
}
event_route[topoh:msg-sending] {
if(is_request() && $tU=="bob") {
drop;
}
}

https://kamailio.org/docs/modules/stable/modules/topoh.html
TOPOH MODULE

server.com == 192.168.178.10
alice == 192.168.178.27
bob == 192.168.178.22
SIP
U 192.168.178.27:40416 -> 192.168.178.10:5060
INVITE sip:bob@server.com SIP/2.0. Caller Proxy
Via: SIP/2.0/UDP 192.168.178.27:40416;branch=z9hG4bK321149767.
From: "alice" <sip:alice@server.com>;tag=166646806.
To: <sip:bob@server.com>.
Call-ID: 989804978-40416-6@BJC.BGI.BHI.CH.
CSeq: 50 INVITE.
Contact: "alice" <sip:alice@192.168.178.27:40416>.
Max-Forwards: 70.
User-Agent: Grandstream GXV3140 1.0.7.3.
Privacy: none.
P-Preferred-Identity: "alice" <sip:alice@server.com>.
Supported: replaces, path, timer.
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE.
Content-Type: application/sdp.
Accept: application/sdp, application/dtmf-relay.
Content-Length: 483.
.
TOPOH MODULE

U 192.168.178.10:5060 -> 192.168.178.22:1056

INVITE sip:bob@192.168.178.22:1056;line=mu3z2i1j SIP/2.0.
Record-Route: <sip:192.168.178.10;lr=on>.
Via: SIP/2.0/UDP 192.168.178.10;branch=z9hG4bK8d21.062561f6.0.
Via: SIP/2.0/UDP 10.1.1.10;branch=z9hG4bKsr-JfymiMenCtp4urS5CX1ZiHvRItc.TM5nCHOBT6SfCXN94v5pswyRIRDZN80HU6gBI8LqTwDiCMe.CXm0TMNP.
From: "alice" <sip:alice@server.com>;tag=166646806.
To: <sip:bob@server.com>.
Call-ID: 989804978-40416-6@BJC.BGI.BHI.CH.
CSeq: 50 INVITE.
Contact: "alice" <sip:10.1.1.10;line=sr-ORylIHvlTJS.IXenCXNciHvPItcZTMWfC6m.T5**>. SIP
Max-Forwards: 69.
User-Agent: Grandstream GXV3140 1.0.7.3.
Privacy: none. Proxy Callee
P-Preferred-Identity: "alice" <sip:alice@server.com>.
Supported: replaces, path, timer.
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE.
Content-Type: application/sdp.
Accept: application/sdp, application/dtmf-relay.
Content-Length: 483.
.
TOPOH MODULE
U 192.168.178.22:1056 -> 192.168.178.10:5060
SIP/2.0 200 Ok.
Via: SIP/2.0/UDP 192.168.178.10;branch=z9hG4bK8d21.062561f6.0.
Via: SIP/2.0/UDP 10.1.1.10;branch=z9hG4bKsr-
JfymiMenCtp4urS5CX1ZiHvRItc.TM5nCHOBT6SfCXN94v5pswyRIRDZN80HU6gBI8LqTwDiCMe.CXm0TMNP. SIP
Record-Route: <sip:192.168.178.10;lr=on>.
From: "alice" <sip:alice@server.com>;tag=166646806.
To: <sip:bob@server.com>;tag=o3ybqqof1s.
Proxy Callee
Call-ID: 989804978-40416-6@BJC.BGI.BHI.CH.
CSeq: 50 INVITE.
Contact: <sip:bob@192.168.178.22:1056;line=mu3z2i1j>;reg-id=1.
User-Agent: snom370/8.4.18.
Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO, UPDATE.
Allow-Events: talk, hold, refer, call-info.
U 192.168.178.10:5060 -> 192.168.178.27:40416
Supported: timer, 100rel, replaces, from-change.
SIP/2.0 200 Ok.
Content-Type: application/sdp.
Via: SIP/2.0/UDP 192.168.178.27:40416;branch=z9hG4bK321149767.
Content-Length: 496.
Record-Route: <sip:192.168.178.10;lr=on>.
SIP
.
From: "alice" <sip:alice@server.com>;tag=166646806.
To: <sip:bob@server.com>;tag=o3ybqqof1s. Caller Proxy
Call-ID: 989804978-40416-6@BJC.BGI.BHI.CH.
CSeq: 50 INVITE.
Contact: <sip:10.1.1.10;line=sr-ORylIHvlCJS.IXenCXNciHvPItcZCHW.C6JRIR.o3-Jp3dJMGHDoC8W*>;reg-id=1.
User-Agent: snom370/8.4.18.
Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, MESSAGE, INFO,
UPDATE.
Allow-Events: talk, hold, refer, call-info.
Supported: timer, 100rel, replaces, from-change.
Content-Type: application/sdp.
Content-Length: 496.
.
TOPOH MODULE

U 192.168.178.27:40416 -> 192.168.178.10:5060

BYE sip:10.1.1.10;line=sr-ORylIHvlCJS.IXenCXNciHvPItcZCHW.C6JRIR.o3-Jp3dJMGHDoC8W* SIP/2.0.
Via: SIP/2.0/UDP 192.168.178.27:40416;branch=z9hG4bK271415657;rport.
Route: <sip:192.168.178.10;lr=on>.
From: "alice" <sip:alice@server.com>;tag=166646806. SIP
To: <sip:bob@server.com>;tag=o3ybqqof1s.
Call-ID: 989804978-40416-6@BJC.BGI.BHI.CH. Proxy Callee
CSeq: 51 BYE.
Contact: <sip:alice@192.168.178.27:40416>.
Max-Forwards: 70.
Supported: replaces, path, timer.
User-Agent: Grandstream GXV3140 1.0.7.3.
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE,
MESSAGE.
Content-Length: 0. U 192.168.178.10:5060 -> 192.168.178.22:1056
. BYE sip:bob@192.168.178.22:1056;line=mu3z2i1j SIP/2.0.
Via: SIP/2.0/UDP 192.168.178.10;branch=z9hG4bK9d21.d62bd214.0.
Via: SIP/2.0/UDP 10.1.1.10;branch=z9hG4bKsr-
JfymiMenCtp4urS5CX1ZiHvRItc.TM5nCHOBT6SfCXN94v5pswTRIRDZN80HU6gBI8LqTwDiCHO.T6vgTHJPIPDl3PDfhXmlT6vR.
From: "alice" <sip:alice@server.com>;tag=166646806.
To: <sip:bob@server.com>;tag=o3ybqqof1s.
Call-ID: 989804978-40416-6@BJC.BGI.BHI.CH. SIP
CSeq: 51 BYE.
Contact: <sip:10.1.1.10;line=sr-ORylIHvlTJS.IXenCXNciHvPItcZTMWfC6m.T5**>.
Max-Forwards: 69. Proxy Callee
Supported: replaces, path, timer.
User-Agent: Grandstream GXV3140 1.0.7.3.
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE.
Content-Length: 0.
.
Topology Hiding

stripping headers

topos module
TOPOS MODULE

! module: topos
! goals
" remove or replace sensitive headers
" contact header
" Via stack
kamailio
" Record-Route and Route stacks
! design
SIP

! database storage

protocol
control
! track of sip traffic RT 5.6.7.8
P
! alternative redis storage (topoh_redis) 1.2.3.4

! distributed processing
rtp public relay
! shared database
! transparent processing
! config writer should not care about topology stripping
! full sip packet while config processing

! event routes to control topology stripping

! context groupping for spiralling
! ack-to-back user agent like signalling
! use with a RTP relay for full privacy

https://kamailio.org/docs/modules/stable/modules/topos.html
TOPOS MODULE

...
loadmodule "topos.so"
...
# ----- topos params -----
modparam("topos", “storage", "db")
modparam("topoh", “db_url", “mysql://kamailio:kamailio@localhost/kamailio”)
... kamailio

SIP

protocol
control
RT 5.6.7.8
P
1.2.3.4
event_route[topos:msg-outgoing] {
if($sndto(ip)=="10.1.1.10") { rtp public relay
drop;
}
}
event_route[topos:msg-sending] {
if(is_request() && $tU=="bob") {
drop;
}
}

https://kamailio.org/docs/modules/stable/modules/topoh.html
TOPOS MODULE

INVITE sip:alice@siplab01z.asipto.com SIP/2.0.

Via: SIP/2.0/UDP 10.99.0.164:60218;branch=z9hG4bKefc06c860482aea5;rport
SIP
Contact: <sip:bob-0xb400007bf5eedf20@10.99.0.164:60218>
Max-Forwards: 70
Caller Proxy
Route: <sip:siplab01z.asipto.com;lr>
To: <sip:alice@siplab01z.asipto.com>
From: "bob" <sip:bob@siplab01z.asipto.com>;tag=97a7ab7f2d090489
Call-ID: 3de048a6508f6906
CSeq: 11792 INVITE
User-Agent: baresip v2.7.0
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,NOTIFY,SUBSCRIBE,INFO,MESSAGE,UPDATE,REFER
Supported: gruu,path,outbound,replaces,norefersub
Content-Type: application/sdp
Content-Length: 751
.
TOPOS MODULE

INVITE sip:alice@204.14.38.189:61316;transport=UDP;rinstance=d95ecbd2fc1acdc2 SIP/2.0

Via: SIP/2.0/UDP 200.10.10.100;branch=z9hG4bKc684.5d4a99f065208dd826e33f8dd3aa4551.0 SIP
Max-Forwards: 69
To: <sip:alice@siplab01z.asipto.com> Proxy Callee
From: "bob" <sip:bob@siplab01z.asipto.com>;tag=97a7ab7f2d090489
Call-ID: 3de048a6508f6906
CSeq: 11792 INVITE
User-Agent: baresip v2.7.0
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,NOTIFY,SUBSCRIBE,INFO,MESSAGE,UPDATE,REFER
Supported: gruu,path,outbound,replaces,norefersub
Content-Type: application/sdp
Content-Length: 751
Contact: <sip:btpsh-634da825-e9d-3@200.10.10.100>
.
TOPOS MODULE

SIP/2.0 200 OK
Via: SIP/2.0/UDP 200.10.10.100;branch=z9hG4bKc684.5d4a99f065208dd826e33f8dd3aa4551.0
Contact: <sip:alice@204.14.38.189:61316;transport=UDP> SIP
To: <sip:alice@siplab01z.asipto.com>;tag=03e88a26
From: "bob" <sip:bob@siplab01z.asipto.com>;tag=97a7ab7f2d090489
Call-ID: 3de048a6508f6906 Proxy Callee
CSeq: 11792 INVITE
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
Content-Type: application/sdp
User-Agent: Z 5.5.13 v2.10.18.3
Allow-Events: presence, kpml, talk
Content-Length: 327
.
SIP/2.0 200 OK SIP
To: <sip:alice@siplab01z.asipto.com>;tag=03e88a26
From: "bob" <sip:bob@siplab01z.asipto.com>;tag=97a7ab7f2d090489
Caller Proxy
Call-ID: 3de048a6508f6906
CSeq: 11792 INVITE
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, MESSAGE, OPTIONS, INFO, SUBSCRIBE
Content-Type: application/sdp
User-Agent: Z 5.5.13 v2.10.18.3
Allow-Events: presence, kpml, talk
Content-Length: 327
Via: SIP/2.0/UDP 10.99.0.164:60218;received=204.14.38.189;branch=z9hG4bKefc06c860482aea5;rport=60218
Contact: <sip:atpsh-634da825-e9d-3@200.10.10.100>
.
TOPOS MODULE

BYE sip:btpsh-634da825-e9d-3@200.10.10.100 SIP/2.0

Via: SIP/2.0/UDP 10.99.0.150:61316;branch=z9hG4bK-524287-1---714779474df296db;rport SIP
Max-Forwards: 70
To: "bob" <sip:bob@siplab01z.asipto.com>;tag=97a7ab7f2d090489 Proxy Callee
From: <sip:alice@siplab01z.asipto.com>;tag=03e88a26
Call-ID: 3de048a6508f6906
CSeq: 2 BYE
User-Agent: Z 5.5.13 v2.10.18.3
Content-Length: 0
.

BYE sip:bob-0xb400007bf5eedf20@10.99.0.164:60218 SIP/2.0

Via: SIP/2.0/UDP 200.10.10.100;branch=z9hG4bK68c9.785d869648797f7c4a22521599212934.0
Max-Forwards: 69
To: "bob" <sip:bob@siplab01z.asipto.com>;tag=97a7ab7f2d090489
From: <sip:alice@siplab01z.asipto.com>;tag=03e88a26 SIP
Call-ID: 3de048a6508f6906
CSeq: 2 BYE Caller Proxy
User-Agent: Z 5.5.13 v2.10.18.3
Content-Length: 0
.
Is it now a B2BUA?
IT IS NOT
…
• Website: https://www.kamailio.org Resources
• Development project: https://github.com/kamailio/kamailio

• Documentation page: https://www.kamailio.org/w/documentation/

• Wiki tutorials: https://www.kamailio.org/wiki/

• Bug tracker: https://github.com/kamailio/kamailio/issues

• Users mailing list: https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

• Realtime chat channels: Matrix: #kamailio (kamailio.dev)

• Business directory: https://www.kamailio.org/w/business-directory/

• Download: https://www.kamailio.org/w/download/ (or OS distro repos)

SecSIPIDx Project - STIR/SHAKEN

https://github.com/asipto/secsipidx

Components:
• secsipid: Go library - common functions
• csecsipid: C library - wrapper code to build
dynamic or static library and .h include les
• secsipidx: main.go - CLI tool and HTTP API
server for checking or building SIP identity
fi
• content update for v5.3.x (selling now)
• new chapters under work (new edition)

https://www.asipto.com/sw/kamailio-admin-book/
 THANK YOU!
Daniel-Constantin Mierla
Co-Founder Kamailio Project
@miconda
asipto.com

Aiming For A Berlin Edition In 2023

(late May - early June)

www.kamailioworld.com