The IMS IPSec-Registrar Module

Dragos Vingarzan

   FhG Fokus
   <Dragos.Vingarzan@fokus.fraunhofer.de>

Jason Penton

   Smile Communications
   <jason.penton@smilecoms.com>

Richard Good

   Smile Communications
   <richard.good@smilecoms.com>

Carsten Bock

   ng-voice GmbH
   <carsten@ng-voice.com>

Tsvetomir Dimitrov

   <tsv.dimitrov@gmail.com>

   Copyright © 2007 FhG FOKUS

   Copyright © 2012 Smile Communications

   Copyright © 2015 ng-voice GmbH
     __________________________________________________________________

   Table of Contents

   1. Admin Guide

        1. Overview
        2. Dependencies

              2.1. Kamailio Modules
              2.2. External Libraries or Applications

        3. Parameters

              3.1. ipsec_listen_addr (string)
              3.2. ipsec_listen_addr6 (string)
              3.3. ipsec_client_port (int)
              3.4. ipsec_server_port (int)
              3.5. ipsec_max_connections (int)
              3.6. ipsec_reuse_server_port (int)
              3.7. ipsec_spi_id_start (int)
              3.8. ipsec_spi_id_range (int)

        4. Functions

              4.1. ipsec_create(domain)
              4.2. ipsec_forward(domain, flags)
              4.3. ipsec_destroy(domain)

   List of Examples

   1.1. ipsec_listen_addr parameter usage
   1.2. ipsec_listen_addr6 parameter usage
   1.3. ipsec_client_port parameter usage
   1.4. ipsec_server_port parameter usage
   1.5. ipsec_max_connections parameter usage
   1.6. ipsec_reuse_server_port parameter usage
   1.7. ipsec_spi_id_start parameter usage
   1.8. ipsec_spi_id_range parameter usage
   1.9. ipsec_create
   1.10. ipsec_forward
   1.11. ipsec_destroy

Chapter 1. Admin Guide

   Table of Contents

   1. Overview
   2. Dependencies

        2.1. Kamailio Modules
        2.2. External Libraries or Applications

   3. Parameters

        3.1. ipsec_listen_addr (string)
        3.2. ipsec_listen_addr6 (string)
        3.3. ipsec_client_port (int)
        3.4. ipsec_server_port (int)
        3.5. ipsec_max_connections (int)
        3.6. ipsec_reuse_server_port (int)
        3.7. ipsec_spi_id_start (int)
        3.8. ipsec_spi_id_range (int)

   4. Functions

        4.1. ipsec_create(domain)
        4.2. ipsec_forward(domain, flags)
        4.3. ipsec_destroy(domain)

1. Overview

   This module contains methods for IPSec initialisation/deinitialisation
   related for usage of Kamailio as a Proxy-CSCF.

2. Dependencies

   2.1. Kamailio Modules
   2.2. External Libraries or Applications

2.1. Kamailio Modules

   The Following modules must be loaded before this module:
     * Usrloc PCSCF
     * TM

2.2. External Libraries or Applications

   This modules requires the internal IMS library and libmnl for operating
   with netlink sockets.

3. Parameters

   3.1. ipsec_listen_addr (string)
   3.2. ipsec_listen_addr6 (string)
   3.3. ipsec_client_port (int)
   3.4. ipsec_server_port (int)
   3.5. ipsec_max_connections (int)
   3.6. ipsec_reuse_server_port (int)
   3.7. ipsec_spi_id_start (int)
   3.8. ipsec_spi_id_range (int)

3.1. ipsec_listen_addr (string)

   IP address which the Proxy-CSCF will use for incoming/outgoing SIP
   traffic over IPSec.

   Default value is empty string (null) - IPv4 listen interface will not
   be added

   Example 1.1. ipsec_listen_addr parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_listen_addr", "")
...

3.2. ipsec_listen_addr6 (string)

   IPv6 address which the Proxy-CSCF will use for incoming/outgoing SIP
   traffic over IPSec.

   Default value is empty string (null) - IPv6 listen interface will not
   be added

   Example 1.2. ipsec_listen_addr6 parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_listen_addr6", "")
...

3.3. ipsec_client_port (int)

   Start port number which will be bound for incoming (server) IPSec
   traffic.

   Default value is 5062.

   Example 1.3. ipsec_client_port parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_client_port", 5062)
...

3.4. ipsec_server_port (int)

   Start port number which will be bound for incoming (server) IPSec
   traffic.

   Default value is 5063.

   Example 1.4. ipsec_server_port parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_server_port", 5063)
...

3.5. ipsec_max_connections (int)

   Maximum IPSec connections for the process. E.g. if
   ipsec_client_port=5100, ipsec_server_port=6100 and
   ipsec_max_connections=10, all client ports between 5100 and 5109 and
   all server ports between 6100 and 6109 will be used for maximum to 10
   IPSec connections.

   Default value is 2.

   Example 1.5. ipsec_max_connections parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_max_connections", 10)
...

3.6. ipsec_reuse_server_port (int)

   Reuse (1) or not (0) the P-CSCF Server port for Re-registration for one
   UA. When set to 0 - During Re-registration P-CSCF will distribute new
   P-CSCF client and P-CSCF server ports. When set to 1 - During
   Re-registration P-CSCF will reuse the old P-CSCF server port and will
   distribute a new P-CSCF client port.

   Default value is 1.

   Example 1.6. ipsec_reuse_server_port parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_reuse_server_port", 1)
...

3.7. ipsec_spi_id_start (int)

   Each IPSec tunnel has a unique system-wide identifier. This and the
   following option allows to tune the SPIs used by Kamailio in order to
   avoid collisions with other IPSec useres. If Kamailio is the only
   process on the system which uses IPSec, don't bother with this option.

   Default value is 100.

   Example 1.7. ipsec_spi_id_start parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_spi_id_start", 100)
...

3.8. ipsec_spi_id_range (int)

   How many SPIs to be allocated for the process. E.g. if
   ipsec_spi_id_start = 100 and ipsec_spi_id_range = 1000, SPIs between
   100 and 1100 will be used.

   Default value is 1000.

   Example 1.8. ipsec_spi_id_range parameter usage
...
modparam("ims_ipsec_pcscf", "ipsec_spi_id_range", 1000)
...

4. Functions

   4.1. ipsec_create(domain)
   4.2. ipsec_forward(domain, flags)
   4.3. ipsec_destroy(domain)

4.1. ipsec_create(domain)

   This function creates IPSec SA and Policy based on the parameters sent
   in Security-Client header in the REGISTER message. It's called when OK
   is received. The function also adds Security-Server header to the
   REGISTER.

   Meaning of the parameters is as follows:
     * domain - Logical domain within the registrar. If a database is used
       then this must be name of the table which stores the contacts.

   Example 1.9. ipsec_create
...
ipsec_create("location");
...

4.2. ipsec_forward(domain, flags)

   The function processes redirects outgoing message via the IPSec tunnel
   initiated with ipsec_create().

   Meaning of the parameters is as follows:
     * domain - Logical domain within the registrar. If a database is used
       then this must be name of the table which stores the contacts.
       flags - Set send force socket for request messages. If 1 - set
       force socket for request messages. Useful for ipsec and TCP. This
       is an optional parameter, default value - 0.

   Example 1.10. ipsec_forward
...
ipsec_forward("location");
# or
ipsec_forward("location", "1");
...

4.3. ipsec_destroy(domain)

   The function destroys IPSec tunnel, created with ipsec_create.

   Meaning of the parameters is as follows:
     * domain - Logical domain within the registrar. If a database is used
       then this must be name of the table which stores the contacts.

   Example 1.11. ipsec_destroy
...
ipsec_destroy("location");
...