name mode size
..
doc 040000
Makefile 100644 375B
README 100644 6.63kB
peering.c 100644 4.01kB
peering.h 100644 1.17kB
verify.c 100644 9.37kB
verify.h 100644 1.23kB
README
Peering Module

Juha Heinanen <jh@tutpro.com>

Edited by Juha Heinanen <jh@tutpro.com>

Copyright © 2008 Juha Heinanen

Revision History
   Revision $Revision: 4261 $ $Date: 2008-05-30 01:03:56 +0200 (Fri, 30 Apr 2008) $
__________________________________________________________

Table of Contents

   1. Admin Guide

        1.1. Overview
        1.2. Dependencies

              1.2.1. Kamailio Modules
              1.2.2. External Libraries or Applications

        1.3. Exported Parameters

              1.3.1. radius_config (string)
              1.3.2. verify_destination_service_type (integer)
              1.3.3. verify_source_service_type (integer)

        1.4. Exported Functions

              1.4.1. verify_destination()
              1.4.2. verify_source()

List of Examples

   1.1. radius_config parameter usage
   1.2. verify_destination_service_type parameter usage
   1.3. verify_source_service_type parameter usage
   1.4. verify_destination() usage
   1.5. verify_source() usage

Chapter 1. Admin Guide

1.1. Overview

   The peering module allows SIP providers (operators or organizations)
   to verify from a broker whether the source or destination of a SIP
   request is a trusted peer.

   In order to participate in the trust community provided by a broker,
   each SIP provider registers with the broker the domains (host parts
   of SIP URIs) that they serve. When a SIP proxy of a provider needs to
   send a SIP request to a non-local domain, it can find out from the
   broker, using the verify_destination() function, whether the
   non-local domain is served by a trusted peer. If so, the provider
   receives from the broker a hash of the SIP request and a timestamp
   that it includes in the request to the non-local domain. When a SIP
   proxy of the non-local domain receives the SIP request, it, in turn,
   can verify from the broker, using the verify_source() function,
   whether the request came from a trusted peer.

   Verification functions communicate with the broker using the Radius
   protocol. Sample FreeRADIUS configuration files for the broker's
   Radius server are available from http://www.wirlab.net/tsi/.

   Comments and suggestions for improvements are welcome.

1.2. Dependencies

1.2.1. Kamailio Modules

   The module depends on the following modules (in other words, the
   listed modules must be loaded before this module):
     * none

1.2.2. External Libraries or Applications

   The following libraries or applications must be installed before
   compiling Kamailio with this module loaded:
     * radiusclient-ng 0.5.0 or higher -- library and development
       files. See http://developer.berlios.de/projects/radiusclient-ng/.

1.3. Exported Parameters

1.3.1. radius_config (string)

   This is the location of the configuration file of the radius client
   libraries.

   Default value is "/usr/local/etc/radiusclient-ng/radiusclient.conf".

   Example 1.1. radius_config parameter usage
modparam("peering", "radius_config", "/etc/broker/radiusclient.conf")

1.3.2. verify_destination_service_type (integer)

   This is the value of the Service-Type Radius attribute to be used
   when the sender of a SIP request verifies the request's destination
   using the verify_destination() function.

   Default value is the dictionary value of the "Sip-Verify-Destination"
   Service-Type.

   Example 1.2. verify_destination_service_type parameter usage
modparam("peering", "verify_destination_service_type", 21)

1.3.3. verify_source_service_type (integer)

   This is the value of the Service-Type Radius attribute to be used
   when the receiver of a SIP request verifies the request's source
   using the verify_source() function.

   Default value is the dictionary value of the "Sip-Verify-Source"
   Service-Type.

   Example 1.3. verify_source_service_type parameter usage
modparam("peering", "verify_source_service_type", 22)

1.4. Exported Functions

1.4.1. verify_destination()

   Function verify_destination() queries the broker's Radius server to
   find out whether the domain (host part) of the Request URI is served
   by a trusted peer. The Radius request contains the following
   attributes/values:
     * User-Name - Request-URI host
     * SIP-URI-User - Request-URI user
     * SIP-From-Tag - From tag
     * SIP-Call-Id - Call id
     * Service-Type - verify_destination_service_type

   The function returns value 1 if the domain of the Request URI is
   served by a trusted peer and -1 otherwise. In case of a positive
   result, the Radius server returns a set of SIP-AVP reply attributes.
   Value of each SIP-AVP is of form:

   [#]name(:|#)value

   Value of each SIP-AVP reply attribute is mapped to a Kamailio AVP.
   Prefix # in front of name or value indicates a string name or string
   value, respectively.

   One of the SIP-AVP reply attributes contains a string that the source
   peer must include "as is" in a P-Request-Hash header when it sends
   the SIP request to the destination peer. The string value may, for
   example, be of form hash@timestamp, where hash contains a hash
   calculated by the broker based on the attributes of the query and
   some local information, and timestamp is the time when the
   calculation was done.

   AVP names used in reply attributes are assigned by the broker.

   This function can be used from REQUEST_ROUTE and FAILURE_ROUTE.

   Example 1.4. verify_destination() usage
...
if (verify_destination()) {
    append_hf("P-Request-Hash: $avp(i:200)\r\n");
}
...

1.4.2. verify_source()

   Function verify_source() queries the broker's Radius server to find
   out whether the SIP request was received from a trusted peer. The
   Radius request contains the following attributes/values:
     * User-Name - Request-URI host
     * SIP-URI-User - Request-URI user
     * SIP-From-Tag - From tag
     * SIP-Call-Id - Call id
     * SIP-Request-Hash - body of P-Request-Hash header
     * Service-Type - verify_source_service_type

   The function returns value 1 if the SIP request was received from a
   trusted peer and -1 otherwise. In case of a positive result, the
   Radius server may return a set of SIP-AVP reply attributes. Value of
   each SIP-AVP is of form:

   [#]name(:|#)value

   Value of each SIP-AVP reply attribute is mapped to a Kamailio AVP.
   Prefix # in front of name or value indicates a string name or string
   value, respectively.

   AVP names used in reply attributes are assigned by the broker.

   This function can be used from REQUEST_ROUTE and FAILURE_ROUTE.

   Example 1.5. verify_source() usage
...
if (is_present_hf("P-Request-Hash")) {
    if (verify_source()) {
        xlog("L_INFO", "Request came from trusted peer\n");
    }
}
...
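
   The hash@timestamp value mentioned in section 1.4.1, shown as an
   added example of what a broker could issue for verify_destination()
   and re-check for verify_source(); this is not code from the module
   or from any broker. HMAC-SHA256, the key, the 30-second window and
   the function names are assumptions, since this README does not
   specify the broker's algorithm.

```python
import hashlib
import hmac

BROKER_KEY = b"constructed-demo-key"  # assumption: the broker's "local information"
MAX_AGE = 30                          # assumption: accepted token age in seconds


def _mac(host, user, from_tag, call_id, ts):
    # Length-prefix every field so that ("ab", "c") and ("a", "bc")
    # can never produce the same MAC input.
    fields = (host, user, from_tag, call_id, str(ts))
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)
    return hmac.new(BROKER_KEY, msg, hashlib.sha256).hexdigest()


def issue(host, user, from_tag, call_id, now):
    """Answer to a verify_destination() query: the P-Request-Hash body."""
    return f"{_mac(host, user, from_tag, call_id, now)}@{now}"


def check(host, user, from_tag, call_id, request_hash, now):
    """Answer to a verify_source() query: True only for a fresh, intact token."""
    mac, sep, ts_text = request_hash.rpartition("@")
    if not sep or not (ts_text.isascii() and ts_text.isdigit()):
        return False                  # malformed header body
    ts = int(ts_text)
    if not 0 <= now - ts <= MAX_AGE:
        return False                  # stale or future-dated token (replay window)
    expected = _mac(host, user, from_tag, call_id, ts)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(mac.encode(), expected.encode())
```

   Because the MAC covers the Request-URI host and user, the From tag
   and the Call-Id, a token copied onto a different request fails the
   check even while its timestamp is still fresh.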