Kamailio, TLS and Let’s Encrypt Certificate

Let’s Encrypt is a free certificate authority launched in the second part of 2015, recently leaving the beta stage – from September 2015 to April 2016, they issued over 1.7 millions certificates.

Started by Mozilla and backed up by big IT players and organization (e.g., Internet Society, Cisco, HP, Microsoft, Facebook, …), it offers free TLS certificates that are trusted by all the major operating systems and browsers out there. In other words, you don’t have to pay for a TLS certificate, meaning that it is no reason to support HTTPS for your web server and SIP over TLS for your VoIP service.

Our Fred Posner made a blog article showing how simple is to deploy a Let’s Encrypt certificate for Kamailio – you can read it at:

• http://www.fredposner.com/1836/kamailio-tls-and-letsencrypt/

Kamailio has one of the best and scalable TLS implementations, with asynchronous support since 2008, already deployed by large IM mobile services servicing millions of active users. If you don’t have TLS enabled in your Kamailio, it’s time to act, it costs nothing now and brings full privacy to your customers connecting over the public internet!

Of course, kamailio.org website is already using a Let’s Encrypt certificate.

Thank you for flying Kamailio! And looking forward to meet some of you at Kamailio World Conference 2016!

SIP Security – Analyze SIP HA1 Values

WWW-Digest authentication (RFC 2617), the same used to authenticate users in SIP, requires that both server and user share and store the same secret. Storing the password in clear text is really bad, unfortunately the only alternative is to store the so called HA1 string, which is the result of MD5 hashing over username, authentication realm and password — this has become the default lately. 

Kamailio, as well as other SIP server side applications such as Asterisk or FreeSwitch, can work with clear text passwords as well as HA1 values (no need to repeat that you should use them with the second option!).

Each SIP service that allows customers to set the passwords must have a system in place to test if the passwords are strong enough to offer a fair protection against dictionary attacks. However, not all of them had such system from the moment they started to get customers.

To become safe, the options are:

1. force a reset of the passwords, so the new values are tested to see if they are strong
2. try to audit the existing HA1 values in subscriber database and detect the ones using weak values

The option a) is the best, but not easy to implement if the service provider doesn’t control the devices of the customer (CPE), especially when the customer has no IT/technical background.

The option b) means more or less that the SIP provider performs a dictionary attack against itself. Tools like sipsak, sipp or sipvicious can be used for such task, but they have the drawback of doing quite some processing: build and parsing of SIP messages, plus network communication. The SIP servers with all subscriber accounts have to replicated on different machines, not to overload the production instances.

But, unlike the attacker, the service provider has access to HA1 strings, knows the usernames and realsm, therefore it can skip a lot of processing done by SIP scanning tools and that can save a lot of resources and time.

Not finding quickly an existing implementation for such needs, a tool named md5ha1 has been developed and published on Github, targeting to help doing audits over HA1 values, it is available at:

• https://github.com/miconda/md5ha1

It has options to load passwords from a file (e.g., 101, 123, …), generate passwords using templates (e.g., %u123 – replace %u with username) from a file or generate passwords using a set of characters with minimum and maximum length (e.g., passwords using only digits with length between 3 and 6). The readme of the project has more details about how md5ha1 can be used.

Hopefully the tool is going to be useful for Kamailio community! Improvements to it are welcome, use Github platform for issues and contributions.

New module – embedded MSRP relay

A new module in development branch of Kamailio SIP Server, named msrp, provides a MSRP routing engine, a.k.a. MSRP relay. The core specification of MSRP (Message Session Relay Protocol) is defined by RFC4975, the extensions for a MSRP Relay being covered in RFC4976. One of typical use case for MSRP is to do Instant Messaging sessions negotiated with SIP via INVITE-200OK-ACK.

The msrp is controlled from configuration file via actions in event_route[msrp:frame-in]. The module is a full, embedded MSRP relay, it does not require any external application nor library. It uses the core transport layer components, thus it benefits of the scalable and asynchronous TCP/TLS support implementation already existing in the project for many years now.

Kamailio, with msrp module loaded, can handle SIP and MSRP traffic received on the same port. But you can configure Kamailio as a stand alone instance to deal only with MSRP traffic, leaving the SIP traffic to another Kamailio instance. Also, another option is to configure Kamailio to listen on different TCP/TLS sockets (e.g., different ports or IP/network interfaces) and direct SIP and MSRP to different ports — then in the config file you can take care of filtering (dropping) inappropriate content on specific ports. With all this flexibility, you can choose a configuration that will not affect at all the routing of SIP messages with Kamailio.

The embedded MSRP relay, built on top of the SIP server, offers many benefits such as:

• reuse mature code tested over the past 10 years, msrp module itself being really small piece of code in regards to MSRP protocol
• MSRP is done over TCP/TLS, thus implicitly the forwarding is done asynchronously, offering great performances
• IPv4 and IPv6 support
• MSRP is for transmission of a SIP session content, going to be used by the SIP users in your UC platform — there is no need to manage a different user profile
• the configuration and MSRP routing is done via the same flexible language and format as for SIP traffic, you being in control of what is passing through your server
• access to all existing extensions that are related to SIP request routing, for example: IP address checking, flood detection, many database connectors, accounting, a.s.o.

You can read more about the msrp module in the documentation file:

• http://kamailio.org/docs/modules/devel/modules/msrp.html

At this moment, Kamailio offers a set of extensions that allows building a complete Unified Communication platform, within a single SIP server instance for small deployments as well as a grid of servers, each one doing particular functions:

• voice, video, screen sharing, etc. sessions with content communication via RTP
• end to end presence – this is purely SIP routing
• SIMPLE-based presence (aka, presence server or presence agent model) via presence* and pua* modules — user presence, dialog states notification (aka, blinking lamps), resource lists service (including OMA/RCS extensions), user location states notification and replication, audio/video conference mixer notifications, a.s.o.
• embedded XCAP server – management of user contact lists, presence policies, user agent configuration files, a.s.o. There is also an XCAP client extension
• embedded HTTP server – for admin and user interaction with the service via pure HTTP or XMLRPC requests
• embedded MSRP relay – for relaying and fine controlling of the message-based content of SIP sessions
• IRC-style instant messaging conference via imc module
• storage of instant messages for offline users and relay to them when they become again online via msilo module

All above components are built on the same solid foundation, practically is Kamailio core plus a selected set of modules, no extra dependencies, just configuration options.

Fancy time recurrence matching in config

A new module for Kamailio SIP Server named for now tmrec allow matching of time recurrences based on definitions specified by Internet Calendaring and Scheduling Core Object Specification (Calendar COS – RFC 2445).

It becomes trivial to match current time against rules such as working hours, weekend, up to complex conditions such as the interval from 18:00 to 20:00 of the 98th day of every other year if it is a Thursday.

Here is an example of how to match the working hours 8:30am to 6:30pm on business days:

 if(tmrec_match("20120101T083000|10H|weekly|||MO,TU,WE,TH,FR")
  xdbg("it is within working hours\n");

The rule can be specified via a config variable (e.g., load from user profile stored in database via sqlops). A typical use case is time based routing policies.

You can read more about the new extension in the documentation:

• http://kamailio.org/docs/modules/devel/modules/tmrec.html

Kamailio 2010 Awards

Here we are, the 4th edition of Kamailio Project Awards, granted for activity during 2010.

The past year was full of events and achieved very important milestones set for our project. First of all was the release of version 3.0, the first as a result of the integration between Kamailio and SIP Express Router (SER), the two being since then one application - see more about 3.0 release here.

More over, another major release was done in 2010, v3.1, worked out by an enlarged development team, brought a big list of new features, including full asynchronous network communication (even TCP and TLS) - see more about 3.1 release here.

All together, 2010 was great, therefore the awards got two new categories - Innovation in Communications for those using Kamailio for services beyond voice and Academic Environment for using Kamailio in research and educational networks.

I was not able to list everyone I wished, trying to stick to the tradition of having each of the category with two winners, listed in alphabetic order. As a rule, I tried to choose people and companies that were not selected in the past editions, but of course I want to thank to everyone contributing to and using Kamailio during 2010.

Let the show begin...

Blogging:

• Venture VoIP – very good coverage of Kamailio (OpenSER) & Asterisk related news, like the integration tutorials between the two open source telephony applications. Web link: http://www.venturevoip.com/news.php
• VoIP Today – VoIP news site always keeping an eye on our project activities, publishing news about our releases and major events around the project. Web link: http://www.voiptoday.org

Related Projects:

• SEMS - (aka SIP Express Media Server) programmable and lightweight SIP back to back user agent and media server written in C++, offering features such as signaling B2BUA, Voicemail, audio conferencing, SBC, IVR, a.s.o. The project shares many developers of Kamailio and it has the roots in the same research institute as Kamailio and SER, FhG FOKUS Berlin, Germany. Web link: http://www.ipterl.org/sems/
• SIP:Provider – full featured VoIP servicing platform using Kamailio for SIP routing, offering web management interfaces for administration and users. Among features: postpaid billing, call forwarding, call blocking, speed dial, voice mail, click-to-dial, peering, least cost routing - click here for more. Web link: http://www.sipwise.com/products/spce/

Technical Support:

• Alex Hermann - one of the community members that spotted corner case issues and came with detailed report and patches most of the time. In addition he added enhancements to newly XAVP concept and provided straight answers on our mailing lists. Alex works for SpeakUp, Netherlands
• Timo Reimann - omnipresent at our developer meetings and events as well as on our mailing lists. His development involvements brought many modules, such as dialog, to better structure. Timo works for 1&1, Germany

New Contributions:

• app_lua - the new module allows execution of embedded Lua applications. The latest enhancements to this module allowed writing a pretty complete Kamailio configuration for SIP routing only in Lua, see this page for it. You can see also a presentation done at Fosdem 2011 about Twitter Notifications from Kamailio Configuration - click here for it. Web link: http://kamailio.org/docs/modules/stable/modules/app_lua.html
• presence_conference - this module came as a result of Google Summer of Code, successfully completed by Marius Ovidiu Bucur. Done together with SIP Communicator (btw, the best cross-platform open source SIP softphone I met so far), this extension based on RFC 4353 and 4575 added to our SIMPLE Presence implementations, which along with the newly added embedded XCAP server makes Kamailio the most complete SIMPLE Presence Server implementation that can be found in the open source world. Web link: http://kamailio.org/docs/modules/stable/modules_k/presence_conference.html

Developer Remarks:

• Carsten Bock - member of Kamailio Management team, working for Telefonica O2, Germany, Carsten worked lately a lot with dispatcher, dialog and usrloc modules, plus the newly started efforts to the IMS extensions.
• Marius Ovidiu Bucur - the new developer landed in our project as a result of participation to Google Summer of Code. A student at Polytechnics University of Bucharest, working now part time for 1&1, Marius continued to contribute to Kamailio's SIMPLE Presence server, his latest work to this component focused on increasing the scalability (the code already in our GIT repository).

Advocating:

• Fred Posner - I had the opportunity to meet Fred personally during the last year, a person that carries an amazing bag of experience in VoIP and security. Fred continuously helped in promoting Kamailio, on mailing lists, IRC channels and public events. Besides that, his baker skills are visible at amazing good looking and tasteful cakes by Dream Day Cakes (and yes, I did taste some of them during my last trip in USA, thanks Fred & Yeni - but just trust me, don't look to their site, after that it might be too late and it may cost you a lot by not being able to stop yourself keep ordering).
• Olle E. Johanson - probably it is not really much to add about Olle, the VoIP Olle. However, last year Olle conducted super-human efforts to keep SIP world ahead in communications. Kamailio was always a part of that. I mention here only a few of them: SIPit in Stockholm (organized by Olle himself) where Olle and I setup Kamailio based TLS and IPv6 testbeds to be used by anyone attending there. His VoIP Forum articles kept heads up in regards to IPv6 and security in SIP, then, his involvement made possible the switch to SIP in the entire Portuguese educational network, running now about 300 pairs of Asterisk and Kamailio - deployment presented by Ruben Sousa at Astricon 2010.

VoIP Services:

• Flowroute - early adopter of Kamailio, Flowroute, acting mainly as a SIP interconnect broker and providing quality VoIP routes, keeps pushing the SIP server towards innovation, always looking for better performances and proper security in regard to attacks and fraud detection. Flowroute is also actively involved in promoting Kamailio project, hosting related events at their premises. Web link: http://www.flowroute.com
• XtraTelecom – Spanish telephony provider focused on enterprise market, offering SIP trunking services along with hosted PBX’s. With Inaki Baz Castillo in their team, member of Kamailio's management as well, XtraTelecom relies on a capable group of engineers that can only ensure quality of service. Web link: http://www.xtratelecom.es

Business Initiatives:

• NG Voice - the team coordinated by Carsten Bock working with IMS extensions in Kamailio, also developing other IMS infrastructure applications. It is a new initiative with a lot of potential in business environment in the near future. Web link: http://www.ng-voice.com
• TeamForest - every year, the number of companies offering Kamailio services is growing in USA. Knowing now them personally, TeamForest is another company that you can trust theirs skills in deploying Kamailio and offering professional support services. Web link: http://www.teamforrest.com

Events:

• Cluecon - after missing the 2009 edition, being busy in that year to complete the integration between Kamailio and SER, the 2010 edition was amazing for me. In the first day only, Kamailio was present directly in 5 presentations (one by myself), plus a demo done by Phil Zimmermann using iptel.org sevice which runs SER flavour of our project. Purely amazing for me! I was able to catch up with many members of Kamailio community and FreeSWITCH developers. Web link: http://www.cluecon.com
• LinuxTag - the event taking place in Berlin offered Kamailio the chance to have a booth at the exhibition and a presentation at conference track done by Henning Westerholt. All together we were about 15 Kamailio developers and community chatting with visitors, other open source developers and projects present there. Henning featured also an interview in German for RadioTux - listen the podcast here. Web link: http://www.linuxtag.org

Academic Environment:

• Illinois Institute of Technology - School of Applied Technology - Chicago, IL, USA - they conducted a set of research projects with Kamailio involved (one very interesting is the performance benchmark - click here for results in pdf). Web link: http://voip.itm.iit.edu
• Zilinska University - Slovakia - they published a set of useful tutorials about how they use Kamailio inside the university, see more at: http://nil.uniza.sk/sip/kamailio. Web link: http://nil.uniza.sk

Innovation in communications:

• Ifbyphone - a provider of voice applications for customer interactions - relying on cloud based services to offer call tracking, dynamic inbound call routing with IVR screening, outbound call automation, virtual call center applications and a highly flexible family of API based integration tools. With two presentation at Cluecon by Irv Shapiro and Robin Rodriguez, they showed usage of Kamailio beyond the classic telephony (e.g., video of the talk Web Enabling Voice Applications with Kamailio). Web link: http://www.ifbyphone.com
• NextIX - an innovation company that specializes in universally available information and communication technology solutions. At Astricon 2010, they presented “Asterisk, Kamailio, Openfire and Social Media Integration” - another way of using Kamailio for voice and beyond that. Web link: http://www.nextixsystems.com

As of Personal Facts related to the project, this time I want to underline the release of several complete tutorials, such as: integration with Asterisk or FreeSwitch, scanning attacks protection or SIP SIMPLE Presence server - see all of them at:

• http://kb.asipto.com/kamailio:index.

This is it for 2010. If you want to check the previous turn of awards:

• http://by-miconda.blogspot.com/2010/02/kamailio-openser-2009-awards.html

Experiences from 18 Hours of SIP Scanning Attack

During the testing period of Kamailio 3.1.0, while running it at voipuser.org, I had the chance to watch live and analyze a SIP scanning attack.

Yesterday I noticed another one by looking at Siremis 2.0 charts, therefore I wrote an article with some hints about what you can use to protect your SIP services within Kamailio configuration file.

You can read it at:

• http://asipto.com/u/i

Book: SIP Security

I had it from quite some time now, really enjoyed reading it, so time for blogging it.


First, all authors are former fellows at FhG Fokus Institute, Berlin, Germany and most of them tight involved in SIP Express Router from day one. So this is not something written upon theoretical research and concepts but upon years of hands on experience with SIP networks.

Having technical background, I found interesting the blending of cryptographic mechanisms, security concepts and applicability to SIP networks. Everything needed to fully understand the book is inside.

For me, it is important to mention that lot of scenarios and solutions are exemplified with SIP Express Router, project I was involved pretty much from its beginning, from where I started Kamailio (OpenSER) back in 2005 and I met again last November within SIP Router project.

The foreworld from Philip Zimmermann really synthesize the security concerns about VoIP and SIP. Shortly, the main chapters:
- introduction to cryptographic mechanisms
- introduction to SIP
- introduction to IMS
- secure access and interworking in IMS
- user identity in SIP
- media security
- denial of services attacks on VoIP and IMS service
- spam over IP telephony

The chapter about DoS attacks is comprehensive, covering over 15 type of attacks. I will blog in more details about the chapters I find most interesting for me.

The book is available on Amazon UK:
http://www.amazon.co.uk/gp/product/0470516364/

There you can see complete table of content. A dedicated site for SIP security and this book is put up together by authors at:
http://www.sipsecurity.org/