SlideShare a Scribd company logo
1 of 42
Download to read offline
FreeSWITCH as a Kickass SBC
         Moises Silva <moy@sangoma.com>
             Manager, Software Engineering
FreeSWITCH as a Kickass SBC
         Moises Silva <moy@sangoma.com>
             Manager, Software Engineering

             Moises Silva <moy@sangoma.com>
                 Manager, Software Engineering
SBC: The Mythical Beast

• No precise technical definition

• Not standardized anywhere

• B2BUA or Proxy?

• Handles signaling or media?

• More of a marketing term than technical?
          © Sangoma Technologies Inc.        8/11/2012   3
SBC: The Mythical Beast




        © Sangoma Technologies Inc.   8/11/2012   4
SBC: The Mythical Beast
Enterprise Network                                                                    Internet      PSTN

               IP-PBX




                                              SBC                  SIP trunk                        Telco
               Intranet                                                        ITSP
                          Internal Firewall         External Firewall

                                              DMZ

      SIP-Endpoints




                          © Sangoma Technologies Inc.                                       8/11/2012       5
SBC: The Mythical Beast

• Carrier SBC sits at the edge of service provider
  networks

• Enterprise SBC sits at the edge between
  customer and service provider




          © Sangoma Technologies Inc.       8/11/2012   6
SBC: Definition

• Recently loosely described by RFC 5853




         © Sangoma Technologies Inc.       8/11/2012   7
SBC: Definition

•   Topology Hiding
•   Media Traffic Management
•   Fix capability mismatches
•   SIP NAT
•   Access Control
•   Protocol Repair
•   Media Encryption
•   Threat protection (ie: DoS, Malformed packets)


            © Sangoma Technologies Inc.      8/11/2012   8
Topology Hiding

• Hide the service provider or enterprise network
  implementation details

• Use of RFC 3323 (privacy) not enough

• B2BUA required in most cases




          © Sangoma Technologies Inc.       8/11/2012   9
Topology Hiding

• INVITE before topology hiding




          © Sangoma Technologies Inc.   8/11/2012   10
Topology Hiding

• INVITE after topology hiding




          © Sangoma Technologies Inc.   8/11/2012   11
Topology Hiding in FreeSWITCH

• FreeSWITCH is a B2BUA

• Header manipulation using SIP dialplan
  variables

• Do not enable SDP pass-thru
  (bypass_media=true)




          © Sangoma Technologies Inc.      8/11/2012   12
Topology Hiding Cons

• It is a B2BUA!

• Breaks end to end security mechanisms such as
  RFC 4474

• Obviously no difference from a MITM attack




          © Sangoma Technologies Inc.     8/11/2012   13
Media Traffic Management

• SBC may modify SDP to stay in media path

• Operators enforce the use of certain codecs

• Single point for audition (ie Lawful Interception)




           © Sangoma Technologies Inc.        8/11/2012   14
Media Traffic Management

• SDP before media management




        © Sangoma Technologies Inc.   8/11/2012   15
Media Traffic Management

• SDP after media management




• Session attribute removed enforcing a policy


          © Sangoma Technologies Inc.      8/11/2012   16
Media Traffic Management

• Allows operators to use different billing model
  according to the media type (Voice, Video, Text)

• Fix „lost‟ or „ignored‟ BYE issue

• QoS based routing




           © Sangoma Technologies Inc.      8/11/2012   17
Media Traffic Management in FreeSWITCH

• Flexible codec configuration in SIP profiles or
  dialplan

• Media timeout via SIP profile configuration or
  channel variable “rtp_timeout_sec”

• Flexible SDP manipulation thru variables




           © Sangoma Technologies Inc.       8/11/2012   18
Media Traffic Management in FreeSWITCH

• Set codec preferences



• SDP manipulation




         © Sangoma Technologies Inc.   8/11/2012   19
Media Traffic Management in FreeSWITCH

• Use record_session for local recordings

• Use oreka_record to send media to recording
  server (pending merge on official git repo)
   – git@github.com:moises-silva/freeswitch.git




          © Sangoma Technologies Inc.       8/11/2012   20
Media Traffic Management in FreeSWITCH


                G.722                            G.729
 SIP UA                        FreeSWITCH                SIP UA




                                         G.711



                                  Oreka
                                Recording
                                  Server
                                (orkaudio)



          © Sangoma Technologies Inc.                    8/11/2012   21
Media Traffic Management Cons

• Increase length of media path

• SBC must be aware of all types of media,
  slowing adoption of new media features




          © Sangoma Technologies Inc.        8/11/2012   22
Fix Capability Mismatches

• Allow interconnection of user agents with
  different capabilities (ie: codecs)

• IPv4 to IPv6 internetworking

• SIP over UDP to TCP etc




          © Sangoma Technologies Inc.         8/11/2012   23
Fix Capability Mismatches in FreeSWITCH

• Virtually every codec in the industry

• HD voice codecs such as G.722 and Siren 7

• Hardware transcoding available




           © Sangoma Technologies Inc.    8/11/2012   24
Fix Capability Mismatches in FreeSWITCH

• SIP over UDP/TCP/TLS

• IPv4 and IPv6 support




          © Sangoma Technologies Inc.   8/11/2012   25
Fix Capability Mismatches



          G.729 /                             G.711 /
          TLS /                               UDP /
          IPv6                                IPv4
 SIP UA                          FreeSWITCH             PRI GW




            © Sangoma Technologies Inc.                 8/11/2012   26
SIP NAT

• Detect when a UA is behind NAT

• Help maintain NAT bindings alive

• Provides a publicly reachable IP address




          © Sangoma Technologies Inc.        8/11/2012   27
SIP NAT in FreeSWITCH

• Automatic RTP adjustment when media comes
  from different address than advertised on SDP

• Aggressive NAT detection

• STUN and ICE support




          © Sangoma Technologies Inc.     8/11/2012   28
Access Control

• It‟s all about control, yes, sys admins are control
  freaks

• The network edge of the operator or enterprise
  is a convenient place to enforce policies

• All SIP and RTP traffic to/from a single point (the
  SBC)



           © Sangoma Technologies Inc.        8/11/2012   29
Access Control in FreeSWITCH

• Flexible ACL configuration available

• mod_limit for call rate and general resource
  limiting per IP or „realm‟

• Distributed limits across servers




          © Sangoma Technologies Inc.       8/11/2012   30
Protocol Repair

• The world isn‟t perfect, broken devices are
  everywhere

• Not feasible to throw all broken equipment to the
  garbage (that‟d be too easy wouldn‟t it?)




          © Sangoma Technologies Inc.       8/11/2012   31
Protocol Repair in FreeSWITCH

• Allows matching and fixing of SIP header values

• Allows modifying SDP contents

• Not always possible, SIP stack may discard
  messages if deemed malformed (ie FUBAR)




          © Sangoma Technologies Inc.      8/11/2012   32
Media Encryption

• Desirable to perform encryption on public
  network

• Internal network may need un-encrypted media
  (ie, lawful interception, endpoints without SRTP
  support)




          © Sangoma Technologies Inc.         8/11/2012   33
Media Encryption in FreeSWITCH

• TLS / SRTP support

• ZRTP / SRTP support




         © Sangoma Technologies Inc.   8/11/2012   34
Threat Protection

• DoS

• Malformed and/or malicious packets

• SIP REGISTER scans (ie: sipvicious)

• SIP INVITE scans



         © Sangoma Technologies Inc.    8/11/2012   35
Threat Protection for FreeSWITCH

• DoS limitation using iptableshashlimit (Kristian‟s
  famous script)

• iptableshashlimit does not work on TLS
  obviously

• iptableshashlimit does not help with malformed
  packets



           © Sangoma Technologies Inc.        8/11/2012   36
Threat Protection for FreeSWITCH

• Fail2ban for registration scans

• Depends on log line format, good enough?

• mod_fail2ban makes things easier (by
  kyconquers on github)




          © Sangoma Technologies Inc.    8/11/2012   37
Threat Protection

• Use SIP ACLs

• Even trusted networks can become
  compromised

• IP spoofing on UDP traffic makes things
  complicated




          © Sangoma Technologies Inc.       8/11/2012   38
Sofia Limits

• Extension to mod_sofia to specify SIP message
  limits, per host optionally (no ACL yet )

• Uses mod_hash (or any limit interface) to keep
  track of messages

• Launch ESL event when limit is exceeded

• Malformed packets are accounted for as well

          © Sangoma Technologies Inc.       8/11/2012   39
Sofia Limits




        © Sangoma Technologies Inc.   8/11/2012   40
Conclusion

• Yes, SBCs get in the way, and that‟s a useful
  and desirable feature in some businesses

• FreeSWITCH core foundations go a long way in
  implementing most common SBC features




          © Sangoma Technologies Inc.       8/11/2012   41
THANK YOU.


© Sangoma Technologies Inc.          8/11/2012   42

More Related Content

What's hot

Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Olle E Johansson
 
FreeSWITCH on Docker
FreeSWITCH on DockerFreeSWITCH on Docker
FreeSWITCH on Docker建澄 吳
 
Introduction to Kamailio (TADSummit 2020 Asia)
Introduction to Kamailio (TADSummit 2020 Asia)Introduction to Kamailio (TADSummit 2020 Asia)
Introduction to Kamailio (TADSummit 2020 Asia)Fred Posner
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopFatih Ozavci
 
SIP Trunking overview
SIP Trunking overviewSIP Trunking overview
SIP Trunking overviewJohn Downing
 
Avaya Session Border Controller (SBC)
Avaya Session Border Controller (SBC)Avaya Session Border Controller (SBC)
Avaya Session Border Controller (SBC)Motty Ben Atia
 
SIP - Introduction to SIP Protocol
SIP - Introduction to SIP ProtocolSIP - Introduction to SIP Protocol
SIP - Introduction to SIP ProtocolLivePerson
 
Kamailio - Large Unified Communication Platforms
Kamailio - Large Unified Communication PlatformsKamailio - Large Unified Communication Platforms
Kamailio - Large Unified Communication PlatformsDaniel-Constantin Mierla
 
rtpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scalertpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scaleAndreas Granig
 
Avaya VoIP on Cisco Best Practices by PacketBase
Avaya VoIP on Cisco Best Practices by PacketBaseAvaya VoIP on Cisco Best Practices by PacketBase
Avaya VoIP on Cisco Best Practices by PacketBasePacketBase, Inc.
 
Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesPaolo Visintin
 
Expanding Asterisk with Kamailio
Expanding Asterisk with KamailioExpanding Asterisk with Kamailio
Expanding Asterisk with KamailioFred Posner
 
Avaya IP Office Overview
Avaya IP Office OverviewAvaya IP Office Overview
Avaya IP Office OverviewMotty Ben Atia
 
Asterisk WebRTC frontier: realize client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: realize client SIP Phone with sipML5 and Janus GatewayAsterisk WebRTC frontier: realize client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: realize client SIP Phone with sipML5 and Janus GatewayAlessandro Polidori
 

What's hot (20)

Kamailio on Docker
Kamailio on DockerKamailio on Docker
Kamailio on Docker
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.
 
FreeSWITCH on Docker
FreeSWITCH on DockerFreeSWITCH on Docker
FreeSWITCH on Docker
 
Sipwise rtpengine
Sipwise rtpengineSipwise rtpengine
Sipwise rtpengine
 
Kamailio - SIP Routing in Lua
Kamailio - SIP Routing in LuaKamailio - SIP Routing in Lua
Kamailio - SIP Routing in Lua
 
Introduction to Kamailio (TADSummit 2020 Asia)
Introduction to Kamailio (TADSummit 2020 Asia)Introduction to Kamailio (TADSummit 2020 Asia)
Introduction to Kamailio (TADSummit 2020 Asia)
 
The Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 WorkshopThe Art of VoIP Hacking - Defcon 23 Workshop
The Art of VoIP Hacking - Defcon 23 Workshop
 
SIP Trunking overview
SIP Trunking overviewSIP Trunking overview
SIP Trunking overview
 
Avaya Session Border Controller (SBC)
Avaya Session Border Controller (SBC)Avaya Session Border Controller (SBC)
Avaya Session Border Controller (SBC)
 
SIP - Introduction to SIP Protocol
SIP - Introduction to SIP ProtocolSIP - Introduction to SIP Protocol
SIP - Introduction to SIP Protocol
 
Sip architecture
Sip architectureSip architecture
Sip architecture
 
Kamailio - Large Unified Communication Platforms
Kamailio - Large Unified Communication PlatformsKamailio - Large Unified Communication Platforms
Kamailio - Large Unified Communication Platforms
 
rtpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scalertpengine and kamailio - or how to simulate calls at scale
rtpengine and kamailio - or how to simulate calls at scale
 
Avaya VoIP on Cisco Best Practices by PacketBase
Avaya VoIP on Cisco Best Practices by PacketBaseAvaya VoIP on Cisco Best Practices by PacketBase
Avaya VoIP on Cisco Best Practices by PacketBase
 
Sip
SipSip
Sip
 
Kamailio with Docker and Kubernetes
Kamailio with Docker and KubernetesKamailio with Docker and Kubernetes
Kamailio with Docker and Kubernetes
 
Expanding Asterisk with Kamailio
Expanding Asterisk with KamailioExpanding Asterisk with Kamailio
Expanding Asterisk with Kamailio
 
Avaya IP Office Overview
Avaya IP Office OverviewAvaya IP Office Overview
Avaya IP Office Overview
 
Asterisk WebRTC frontier: realize client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: realize client SIP Phone with sipML5 and Janus GatewayAsterisk WebRTC frontier: realize client SIP Phone with sipML5 and Janus Gateway
Asterisk WebRTC frontier: realize client SIP Phone with sipML5 and Janus Gateway
 
FreeSWITCH on Docker
FreeSWITCH on DockerFreeSWITCH on Docker
FreeSWITCH on Docker
 

Similar to FreeSWITCH as a Kickass SBC

DESIGN OF BARE METAL FABRICS - Built with SDN, Bare Metal Switches, and Merch...
DESIGN OF BARE METAL FABRICS - Built with SDN, Bare Metal Switches, and Merch...DESIGN OF BARE METAL FABRICS - Built with SDN, Bare Metal Switches, and Merch...
DESIGN OF BARE METAL FABRICS - Built with SDN, Bare Metal Switches, and Merch...Open Networking Summits
 
Día Neocenter | Sangoma Portfolio Product Update
Día Neocenter | Sangoma Portfolio Product UpdateDía Neocenter | Sangoma Portfolio Product Update
Día Neocenter | Sangoma Portfolio Product UpdateNeocenter SA de CV
 
QoS for Media Networks
QoS for Media NetworksQoS for Media Networks
QoS for Media NetworksAmine Choukir
 
ProSBC a Deep Dive
ProSBC a Deep DiveProSBC a Deep Dive
ProSBC a Deep DiveAlan Percy
 
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdfUC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdfWlamir Molinari
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
 
Cisco vnp workshop 16-17 april v1-0
Cisco  vnp workshop 16-17 april v1-0Cisco  vnp workshop 16-17 april v1-0
Cisco vnp workshop 16-17 april v1-0liemgpc2
 
An hour with WebRTC FIC UDC
An hour with WebRTC FIC UDCAn hour with WebRTC FIC UDC
An hour with WebRTC FIC UDCQuobis
 
MX Deep Dive PPT
MX Deep Dive PPTMX Deep Dive PPT
MX Deep Dive PPTomar awad
 
SIP2SIP - Direcciones SIP gratuitas para las masas
SIP2SIP - Direcciones SIP gratuitas para las masasSIP2SIP - Direcciones SIP gratuitas para las masas
SIP2SIP - Direcciones SIP gratuitas para las masasPaloSanto Solutions
 
The Role Of SIP In Smart Grid Networks
The Role Of SIP In Smart Grid NetworksThe Role Of SIP In Smart Grid Networks
The Role Of SIP In Smart Grid Networksbleslie
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsAdaCore
 
How Cisco Provides World-Class Technology Conference Experiences Using Automa...
How Cisco Provides World-Class Technology Conference Experiences Using Automa...How Cisco Provides World-Class Technology Conference Experiences Using Automa...
How Cisco Provides World-Class Technology Conference Experiences Using Automa...InfluxData
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsAdaCore
 

Similar to FreeSWITCH as a Kickass SBC (20)

Mellanox's Technological Advantage
Mellanox's Technological AdvantageMellanox's Technological Advantage
Mellanox's Technological Advantage
 
Sangoma SS7 Gateway Training
Sangoma SS7 Gateway TrainingSangoma SS7 Gateway Training
Sangoma SS7 Gateway Training
 
Sangoma SBC Training Presentation
Sangoma SBC Training PresentationSangoma SBC Training Presentation
Sangoma SBC Training Presentation
 
DESIGN OF BARE METAL FABRICS - Built with SDN, Bare Metal Switches, and Merch...
DESIGN OF BARE METAL FABRICS - Built with SDN, Bare Metal Switches, and Merch...DESIGN OF BARE METAL FABRICS - Built with SDN, Bare Metal Switches, and Merch...
DESIGN OF BARE METAL FABRICS - Built with SDN, Bare Metal Switches, and Merch...
 
Día Neocenter | Sangoma Portfolio Product Update
Día Neocenter | Sangoma Portfolio Product UpdateDía Neocenter | Sangoma Portfolio Product Update
Día Neocenter | Sangoma Portfolio Product Update
 
QoS for Media Networks
QoS for Media NetworksQoS for Media Networks
QoS for Media Networks
 
ProSBC a Deep Dive
ProSBC a Deep DiveProSBC a Deep Dive
ProSBC a Deep Dive
 
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdfUC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
UC18NA-D3D202-Dianomic-IZoratti-Introduction-To-FogLAMP.pdf
 
ProSBC a Deep Dive
ProSBC a Deep DiveProSBC a Deep Dive
ProSBC a Deep Dive
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
Cisco vnp workshop 16-17 april v1-0
Cisco  vnp workshop 16-17 april v1-0Cisco  vnp workshop 16-17 april v1-0
Cisco vnp workshop 16-17 april v1-0
 
An hour with WebRTC FIC UDC
An hour with WebRTC FIC UDCAn hour with WebRTC FIC UDC
An hour with WebRTC FIC UDC
 
MX Deep Dive PPT
MX Deep Dive PPTMX Deep Dive PPT
MX Deep Dive PPT
 
SIP2SIP - Direcciones SIP gratuitas para las masas
SIP2SIP - Direcciones SIP gratuitas para las masasSIP2SIP - Direcciones SIP gratuitas para las masas
SIP2SIP - Direcciones SIP gratuitas para las masas
 
Vo ip overview
Vo ip overviewVo ip overview
Vo ip overview
 
The Role Of SIP In Smart Grid Networks
The Role Of SIP In Smart Grid NetworksThe Role Of SIP In Smart Grid Networks
The Role Of SIP In Smart Grid Networks
 
Kamailio World 2013 - SIP and MSRP over WebSocket
Kamailio World 2013 - SIP and MSRP over WebSocketKamailio World 2013 - SIP and MSRP over WebSocket
Kamailio World 2013 - SIP and MSRP over WebSocket
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 
How Cisco Provides World-Class Technology Conference Experiences Using Automa...
How Cisco Provides World-Class Technology Conference Experiences Using Automa...How Cisco Provides World-Class Technology Conference Experiences Using Automa...
How Cisco Provides World-Class Technology Conference Experiences Using Automa...
 
RCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standardsRCA OCORA: Safe Computing Platform using open standards
RCA OCORA: Safe Computing Platform using open standards
 

More from Moises Silva

FreeSWITCH Monitoring
FreeSWITCH MonitoringFreeSWITCH Monitoring
FreeSWITCH MonitoringMoises Silva
 
Interfaces de Scripting para librerias en C
Interfaces de Scripting para librerias en CInterfaces de Scripting para librerias en C
Interfaces de Scripting para librerias en CMoises Silva
 
Vulnerabilidades en Aplicaciones Web PHP
Vulnerabilidades en Aplicaciones Web PHPVulnerabilidades en Aplicaciones Web PHP
Vulnerabilidades en Aplicaciones Web PHPMoises Silva
 
Manejo de Medios en FreeSWITCH
Manejo de Medios en FreeSWITCHManejo de Medios en FreeSWITCH
Manejo de Medios en FreeSWITCHMoises Silva
 
Implementation Lessons using WebRTC in Asterisk
Implementation Lessons using WebRTC in AsteriskImplementation Lessons using WebRTC in Asterisk
Implementation Lessons using WebRTC in AsteriskMoises Silva
 
FreeSWITCH Modules for Asterisk Developers
FreeSWITCH Modules for Asterisk DevelopersFreeSWITCH Modules for Asterisk Developers
FreeSWITCH Modules for Asterisk DevelopersMoises Silva
 
FreeSWITCH: Asterisk con Esteroides
FreeSWITCH: Asterisk con EsteroidesFreeSWITCH: Asterisk con Esteroides
FreeSWITCH: Asterisk con EsteroidesMoises Silva
 
Negociacion de Codecs en Asterisk
Negociacion de Codecs en AsteriskNegociacion de Codecs en Asterisk
Negociacion de Codecs en AsteriskMoises Silva
 
Sangoma en el Ecosistema Open Source
Sangoma en el Ecosistema Open SourceSangoma en el Ecosistema Open Source
Sangoma en el Ecosistema Open SourceMoises Silva
 
FreeTDM PRI Passive Recording
FreeTDM PRI Passive RecordingFreeTDM PRI Passive Recording
FreeTDM PRI Passive RecordingMoises Silva
 
Asterisk PRI Passive Call Recording
Asterisk PRI Passive Call RecordingAsterisk PRI Passive Call Recording
Asterisk PRI Passive Call RecordingMoises Silva
 
OpenR2 in Asterisk
OpenR2 in AsteriskOpenR2 in Asterisk
OpenR2 in AsteriskMoises Silva
 

More from Moises Silva (12)

FreeSWITCH Monitoring
FreeSWITCH MonitoringFreeSWITCH Monitoring
FreeSWITCH Monitoring
 
Interfaces de Scripting para librerias en C
Interfaces de Scripting para librerias en CInterfaces de Scripting para librerias en C
Interfaces de Scripting para librerias en C
 
Vulnerabilidades en Aplicaciones Web PHP
Vulnerabilidades en Aplicaciones Web PHPVulnerabilidades en Aplicaciones Web PHP
Vulnerabilidades en Aplicaciones Web PHP
 
Manejo de Medios en FreeSWITCH
Manejo de Medios en FreeSWITCHManejo de Medios en FreeSWITCH
Manejo de Medios en FreeSWITCH
 
Implementation Lessons using WebRTC in Asterisk
Implementation Lessons using WebRTC in AsteriskImplementation Lessons using WebRTC in Asterisk
Implementation Lessons using WebRTC in Asterisk
 
FreeSWITCH Modules for Asterisk Developers
FreeSWITCH Modules for Asterisk DevelopersFreeSWITCH Modules for Asterisk Developers
FreeSWITCH Modules for Asterisk Developers
 
FreeSWITCH: Asterisk con Esteroides
FreeSWITCH: Asterisk con EsteroidesFreeSWITCH: Asterisk con Esteroides
FreeSWITCH: Asterisk con Esteroides
 
Negociacion de Codecs en Asterisk
Negociacion de Codecs en AsteriskNegociacion de Codecs en Asterisk
Negociacion de Codecs en Asterisk
 
Sangoma en el Ecosistema Open Source
Sangoma en el Ecosistema Open SourceSangoma en el Ecosistema Open Source
Sangoma en el Ecosistema Open Source
 
FreeTDM PRI Passive Recording
FreeTDM PRI Passive RecordingFreeTDM PRI Passive Recording
FreeTDM PRI Passive Recording
 
Asterisk PRI Passive Call Recording
Asterisk PRI Passive Call RecordingAsterisk PRI Passive Call Recording
Asterisk PRI Passive Call Recording
 
OpenR2 in Asterisk
OpenR2 in AsteriskOpenR2 in Asterisk
OpenR2 in Asterisk
 

Recently uploaded

UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarPrecisely
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URLRuncy Oommen
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxUdaiappa Ramachandran
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 

Recently uploaded (20)

UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 

FreeSWITCH as a Kickass SBC

  • 1. FreeSWITCH as a Kickass SBC Moises Silva <moy@sangoma.com> Manager, Software Engineering
  • 2. FreeSWITCH as a Kickass SBC Moises Silva <moy@sangoma.com> Manager, Software Engineering Moises Silva <moy@sangoma.com> Manager, Software Engineering
  • 3. SBC: The Mythical Beast • No precise technical definition • Not standardized anywhere • B2BUA or Proxy? • Handles signaling or media? • More of a marketing term than technical? © Sangoma Technologies Inc. 8/11/2012 3
  • 4. SBC: The Mythical Beast © Sangoma Technologies Inc. 8/11/2012 4
  • 5. SBC: The Mythical Beast Enterprise Network Internet PSTN IP-PBX SBC SIP trunk Telco Intranet ITSP Internal Firewall External Firewall DMZ SIP-Endpoints © Sangoma Technologies Inc. 8/11/2012 5
  • 6. SBC: The Mythical Beast • Carrier SBC sits at the edge of service provider networks • Enterprise SBC sits at the edge between customer and service provider © Sangoma Technologies Inc. 8/11/2012 6
  • 7. SBC: Definition • Recently loosely described by RFC 5853 © Sangoma Technologies Inc. 8/11/2012 7
  • 8. SBC: Definition • Topology Hiding • Media Traffic Management • Fix capability mismatches • SIP NAT • Access Control • Protocol Repair • Media Encryption • Threat protection (ie: DoS, Malformed packets) © Sangoma Technologies Inc. 8/11/2012 8
  • 9. Topology Hiding • Hide the service provider or enterprise network implementation details • Use of RFC 3323 (privacy) not enough • B2BUA required in most cases © Sangoma Technologies Inc. 8/11/2012 9
  • 10. Topology Hiding • INVITE before topology hiding © Sangoma Technologies Inc. 8/11/2012 10
  • 11. Topology Hiding • INVITE after topology hiding © Sangoma Technologies Inc. 8/11/2012 11
  • 12. Topology Hiding in FreeSWITCH • FreeSWITCH is a B2BUA • Header manipulation using SIP dialplan variables • Do not enable SDP pass-thru (bypass_media=true) © Sangoma Technologies Inc. 8/11/2012 12
  • 13. Topology Hiding Cons • It is a B2BUA! • Breaks end to end security mechanisms such as RFC 4474 • Obviously no difference from a MITM attack © Sangoma Technologies Inc. 8/11/2012 13
  • 14. Media Traffic Management • SBC may modify SDP to stay in media path • Operators enforce the use of certain codecs • Single point for audition (ie Lawful Interception) © Sangoma Technologies Inc. 8/11/2012 14
  • 15. Media Traffic Management • SDP before media management © Sangoma Technologies Inc. 8/11/2012 15
  • 16. Media Traffic Management • SDP after media management • Session attribute removed enforcing a policy © Sangoma Technologies Inc. 8/11/2012 16
  • 17. Media Traffic Management • Allows operators to use different billing model according to the media type (Voice, Video, Text) • Fix „lost‟ or „ignored‟ BYE issue • QoS based routing © Sangoma Technologies Inc. 8/11/2012 17
  • 18. Media Traffic Management in FreeSWITCH • Flexible codec configuration in SIP profiles or dialplan • Media timeout via SIP profile configuration or channel variable “rtp_timeout_sec” • Flexible SDP manipulation thru variables © Sangoma Technologies Inc. 8/11/2012 18
  • 19. Media Traffic Management in FreeSWITCH • Set codec preferences • SDP manipulation © Sangoma Technologies Inc. 8/11/2012 19
  • 20. Media Traffic Management in FreeSWITCH • Use record_session for local recordings • Use oreka_record to send media to recording server (pending merge on official git repo) – git@github.com:moises-silva/freeswitch.git © Sangoma Technologies Inc. 8/11/2012 20
  • 21. Media Traffic Management in FreeSWITCH G.722 G.729 SIP UA FreeSWITCH SIP UA G.711 Oreka Recording Server (orkaudio) © Sangoma Technologies Inc. 8/11/2012 21
  • 22. Media Traffic Management Cons • Increase length of media path • SBC must be aware of all types of media, slowing adoption of new media features © Sangoma Technologies Inc. 8/11/2012 22
  • 23. Fix Capability Mismatches • Allow interconnection of user agents with different capabilities (ie: codecs) • IPv4 to IPv6 internetworking • SIP over UDP to TCP etc © Sangoma Technologies Inc. 8/11/2012 23
  • 24. Fix Capability Mismatches in FreeSWITCH • Virtually every codec in the industry • HD voice codecs such as G.722 and Siren 7 • Hardware transcoding available © Sangoma Technologies Inc. 8/11/2012 24
  • 25. Fix Capability Mismatches in FreeSWITCH • SIP over UDP/TCP/TLS • IPv4 and IPv6 support © Sangoma Technologies Inc. 8/11/2012 25
  • 26. Fix Capability Mismatches G.729 / G.711 / TLS / UDP / IPv6 IPv4 SIP UA FreeSWITCH PRI GW © Sangoma Technologies Inc. 8/11/2012 26
  • 27. SIP NAT • Detect when a UA is behind NAT • Help maintain NAT bindings alive • Provides a publicly reachable IP address © Sangoma Technologies Inc. 8/11/2012 27
  • 28. SIP NAT in FreeSWITCH • Automatic RTP adjustment when media comes from different address than advertised on SDP • Aggressive NAT detection • STUN and ICE support © Sangoma Technologies Inc. 8/11/2012 28
  • 29. Access Control • It‟s all about control, yes, sys admins are control freaks • The network edge of the operator or enterprise is a convenient place to enforce policies • All SIP and RTP traffic to/from a single point (the SBC) © Sangoma Technologies Inc. 8/11/2012 29
  • 30. Access Control in FreeSWITCH • Flexible ACL configuration available • mod_limit for call rate and general resource limiting per IP or „realm‟ • Distributed limits across servers © Sangoma Technologies Inc. 8/11/2012 30
  • 31. Protocol Repair • The world isn‟t perfect, broken devices are everywhere • Not feasible to throw all broken equipment to the garbage (that‟d be too easy wouldn‟t it?) © Sangoma Technologies Inc. 8/11/2012 31
  • 32. Protocol Repair in FreeSWITCH • Allows matching and fixing of SIP header values • Allows modifying SDP contents • Not always possible, SIP stack may discard messages if deemed malformed (ie FUBAR) © Sangoma Technologies Inc. 8/11/2012 32
  • 33. Media Encryption • Desirable to perform encryption on public network • Internal network may need un-encrypted media (ie, lawful interception, endpoints without SRTP support) © Sangoma Technologies Inc. 8/11/2012 33
  • 34. Media Encryption in FreeSWITCH • TLS / SRTP support • ZRTP / SRTP support © Sangoma Technologies Inc. 8/11/2012 34
  • 35. Threat Protection • DoS • Malformed and/or malicious packets • SIP REGISTER scans (ie: sipvicious) • SIP INVITE scans © Sangoma Technologies Inc. 8/11/2012 35
  • 36. Threat Protection for FreeSWITCH • DoS limitation using iptableshashlimit (Kristian‟s famous script) • iptableshashlimit does not work on TLS obviously • iptableshashlimit does not help with malformed packets © Sangoma Technologies Inc. 8/11/2012 36
  • 37. Threat Protection for FreeSWITCH • Fail2ban for registration scans • Depends on log line format, good enough? • mod_fail2ban makes things easier (by kyconquers on github) © Sangoma Technologies Inc. 8/11/2012 37
  • 38. Threat Protection • Use SIP ACLs • Even trusted networks can become compromised • IP spoofing on UDP traffic makes things complicated © Sangoma Technologies Inc. 8/11/2012 38
  • 39. Sofia Limits • Extension to mod_sofia to specify SIP message limits, per host optionally (no ACL yet ) • Uses mod_hash (or any limit interface) to keep track of messages • Launch ESL event when limit is exceeded • Malformed packets are accounted for as well © Sangoma Technologies Inc. 8/11/2012 39
  • 40. Sofia Limits © Sangoma Technologies Inc. 8/11/2012 40
  • 41. Conclusion • Yes, SBCs get in the way, and that‟s a useful and desirable feature in some businesses • FreeSWITCH core foundations go a long way in implementing most common SBC features © Sangoma Technologies Inc. 8/11/2012 41
  • 42. THANK YOU. © Sangoma Technologies Inc. 8/11/2012 42