Using reSIProcate and repro for Federated VoIP

One of the core initiatives of the upcoming reSIProcate 1.8 release is the support for Federated VoIP.

Initially, TLS connectivity simply provided a secure way to interact with SIP providers (such as external trunking providers) or dedicated links to pre-configured peers.

Federated VoIP extends this concept to allow connection to any arbitrary domain on the public internet, but with the extra security of two-way (mutual) certificate checking.

The material at OpenTelecoms.org on Federated VoIP provides a slightly more technical overview.

Quick start

Background

Federation has been mooted in various forms. The model we follow is the domain certificate support in SIP (RFC 5922), which is analogous to the mechanism in XMPP/Jabber (RFC 6120). This means a single TLS/SSL certificate can be used for both SIP and Jabber on the same server.

Key features of repro that support Federated VoIP:

  • easier configuration of certificate authorities (for example, automatically reading all the certificates in /etc/ssl/certs on Linux using the new CADirectory parameter in repro.config)
  • acting as a TLS client: when repro acts as a TLS client and connects to the SIP proxy for an external domain, it automatically sends its own certificate to the remote peer, so the peer can verify that repro is authoritative for the domain where messages originate
  • TLS client certificate authentication: (new in v1.8.0) when repro accepts a connection from an external peer, it can be configured to demand a TLS certificate from the peer (mutual TLS authentication) and will verify that each message received from the peer has a From address matching the addresses/domains in the peer's certificate. (See the configuration parameter EnableCertificateAuthenticator in repro.config)
  • ENUM routing: when a user dials a telephone number, repro can resolve the number to a SIP address by making an ENUM query. Using public ENUM trees such as e164.arpa, e164.org and e164-addr.sip5060.net, repro can route many more calls over the internet than ever before. (See the configuration parameter EnumSuffixes in repro.config)
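The certificate authenticator described above compares the domain in each message's From header with the identities in the peer's TLS client certificate. The following is an added example, not repro's own code, that models that decision using the RFC 5922 rules for finding SIP domain identities in a certificate; it assumes the subjectAltName is supplied as (type, value) pairs in the shape Python's ssl.SSLSocket.getpeercert() returns, and the sample certificate and From headers are constructed.

```python
"""Domain-certificate check of the kind EnableCertificateAuthenticator performs.

Added example, not repro's own code.  It models the RFC 5922 rules for
deciding whether the domain in a SIP message's From header is one that the
peer's TLS client certificate vouches for.  Certificate identities are taken
in the shape Python's ssl.SSLSocket.getpeercert() returns for subjectAltName:
a sequence of (type, value) pairs such as ('DNS', 'example.org').
"""
import re

_SIP_HOST = re.compile(
    r'^sips?:'                          # sip: or sips: scheme
    r'(?:[^@;?>\s]*@)?'                 # optional user part
    r'(\[[0-9A-Fa-f:.]+\]|[^:;?>\s]+)'  # host: IPv6 literal, name or IPv4
)


def sip_uri_host(uri):
    """Host part of a sip:/sips: URI, lower-cased, with port and params dropped."""
    m = _SIP_HOST.match(uri.strip())
    if not m:
        raise ValueError('not a sip/sips URI: %r' % uri)
    return m.group(1).lower()


def from_domain(from_header):
    """Domain asserted by a From header, e.g. '"Bob" <sip:bob@example.org>;tag=1'."""
    value = re.sub(r'^\s*From\s*:\s*', '', from_header, flags=re.IGNORECASE)
    m = re.search(r'<([^>]+)>', value)
    uri = m.group(1) if m else value.split(';', 1)[0]
    return sip_uri_host(uri)


def certificate_identities(subject_alt_name, common_name=None):
    """SIP domain identities of a certificate (RFC 5922 section 7.1).

    subjectAltName URI entries with a sip: scheme and DNS entries count; other
    URI schemes (e.g. xmpp:) and other entry types are ignored.  The subject
    CN is consulted only when the certificate has no subjectAltName at all.
    RFC 5922 does not allow wildcard matching, so wildcard names are dropped.
    """
    identities = set()
    for kind, value in subject_alt_name:
        if kind == 'DNS':
            candidate = value.lower()
        elif kind == 'URI' and value.lower().startswith('sip:'):
            candidate = sip_uri_host(value)
        else:
            continue
        if '*' not in candidate:
            identities.add(candidate)
    if not subject_alt_name and common_name and '*' not in common_name:
        identities.add(common_name.lower())
    return identities


def authenticate_from(from_header, subject_alt_name, common_name=None):
    """True when the From domain exactly matches one certificate identity."""
    try:
        domain = from_domain(from_header)
    except ValueError:
        return False
    return domain in certificate_identities(subject_alt_name, common_name)


if __name__ == '__main__':
    # Constructed sample: a peer presenting a certificate issued for example.org.
    peer_san = [('DNS', 'example.org'), ('URI', 'sip:example.org'),
                ('URI', 'xmpp:example.org')]
    for hdr in ('From: "Alice" <sip:alice@Example.ORG:5061;transport=tls>;tag=9f8',
                'From: <sip:mallory@example.net>;tag=1'):
        print(hdr, '->', 'accepted' if authenticate_from(hdr, peer_san) else 'rejected')
```

The match is an exact, case-insensitive comparison of the From domain against the certificate's SIP identities: a message claiming example.net over a connection authenticated with an example.org certificate is rejected, and the xmpp: URI in the same certificate contributes no SIP identity.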

Settings that impact Federated VoIP

  • Install repro
  • Obtain a TLS certificate for your domain and install it as /etc/repro/ssl/domain_cert_example.org.pem
  • Set the following in repro.config:

    TLSClientVerification = Optional
    TLSPort = 5061
    TLSDomainName = example.org
    CADirectory = /etc/ssl/certs
    EnableCertificateAuthenticator = true
    EnumSuffixes = e164.arpa, e164.org, e164-addr.sip5060.net

  • In your DNS, create _sips._tcp SRV records for your domain, for example:

    sip-server.example.org.    IN  A    <your server IP address>
    _sips._tcp.example.org.    IN  SRV  0 1 5061 sip-server.example.org.

  • If possible, add your phone numbers to a public ENUM tree such as e164.arpa so that other people can call your phone numbers even if they don't have your SIP addresses
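The ENUM routing feature and the EnumSuffixes setting above work by turning a dialled number into one DNS name per configured tree and rewriting the NAPTR records found there into SIP URIs. The following is an added example, not repro's own code, that carries out both steps offline: the NAPTR records are constructed sample data in zone-file form (the host names in them are assumptions), the suffixes are the three from the repro.config fragment above, and the regexp rewrite follows RFC 3761.

```python
"""ENUM lookup steps behind repro's EnumSuffixes setting.

Added example, not repro's own code.  It shows (1) how a dialled E.164 number
becomes the domain name queried in each ENUM tree and (2) how the NAPTR
records found there are turned into SIP URIs by the RFC 3761 regexp rewrite.
No DNS traffic is generated: the NAPTR records below are constructed sample
data in zone-file form, and the suffixes are the ones from repro.config.
"""
import re

ENUM_SUFFIXES = ['e164.arpa', 'e164.org', 'e164-addr.sip5060.net']

# Constructed sample NAPTR rdata: order, preference, flags, service, regexp,
# replacement.  The second record only applies to UK (+44) numbers.
NAPTR_RRS = [
    r'100 10 "u" "E2U+sip" "!^.*$!sip:info@example.org!" .',
    r'100 20 "u" "E2U+sip" "!^\+44(.*)$!sip:0\1@pstn-gw.example.org!" .',
    r'200 10 "u" "E2U+email:mailto" "!^.*$!mailto:info@example.org!" .',
]

_NAPTR = re.compile(r'^(\d+)\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+(\S+)$')


def e164(number):
    """Normalise a dialled number to E.164 form with a leading '+' (the ENUM AUS)."""
    digits = re.sub(r'\D', '', number)
    if not digits:
        raise ValueError('no digits in %r' % number)
    return '+' + digits


def enum_domain(number, suffix):
    """Reverse the digits, dot-separate them and append the tree's suffix (RFC 6116)."""
    digits = e164(number)[1:]
    return '.'.join(reversed(digits)) + '.' + suffix


def enum_domains(number, suffixes=ENUM_SUFFIXES):
    """One query name per configured ENUM tree, in configuration order."""
    return [enum_domain(number, s) for s in suffixes]


def parse_naptr(rdata):
    """Split zone-file NAPTR rdata into its fields."""
    m = _NAPTR.match(rdata.strip())
    if not m:
        raise ValueError('malformed NAPTR rdata: %r' % rdata)
    order, pref, flags, service, regexp, replacement = m.groups()
    return {'order': int(order), 'preference': int(pref), 'flags': flags,
            'service': service, 'regexp': regexp, 'replacement': replacement}


def _is_sip_service(service):
    """True for E2U enumservices naming SIP, e.g. 'E2U+sip' (case-insensitive)."""
    tokens = service.lower().split('+')
    if tokens[0] != 'e2u':
        return False
    return any('sip' in t.split(':') for t in tokens[1:])


def apply_regexp(regexp, aus):
    """Apply a NAPTR '!pattern!replacement!flags' rewrite to the AUS; None if no match."""
    delim = regexp[0]
    try:
        _, pattern, replacement, flags = regexp.split(delim)
    except ValueError:
        raise ValueError('malformed NAPTR regexp: %r' % regexp)
    re_flags = re.IGNORECASE if 'i' in flags else 0
    if not re.search(pattern, aus, re_flags):
        return None
    return re.sub(pattern, replacement, aus, count=1, flags=re_flags)


def sip_targets(number, naptr_rdata):
    """SIP URIs a number resolves to, best (lowest order, then preference) first."""
    aus = e164(number)
    records = sorted((parse_naptr(r) for r in naptr_rdata),
                     key=lambda r: (r['order'], r['preference']))
    targets = []
    for rec in records:
        # Only terminal ("u") SIP records yield a URI; other enumservices are skipped.
        if 'u' not in rec['flags'].lower() or not _is_sip_service(rec['service']):
            continue
        uri = apply_regexp(rec['regexp'], aus)
        if uri:
            targets.append(uri)
    return targets


if __name__ == '__main__':
    dialled = '+44 1234 567890'
    for name in enum_domains(dialled):
        print('NAPTR query name:', name)
    print(sip_targets(dialled, NAPTR_RRS))
```

A number such as +44 1234 567890 is queried as 0.9.8.7.6.5.4.3.2.1.4.4.e164.arpa (and likewise under each other suffix), and the regexp field is applied to the full number including the '+', which is why the second sample record can strip the country code and prepend the trunk prefix.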