Difference between revisions of "Using reSIProcate and repro for Federated VoIP"

From reSIProcate
(Created page with "One of the core initiatives of the upcoming reSIProcate 1.8 release is the support for Federated VoIP The overview at [[http://ww...")
 
Line 1: Line 1:
One of the core initiatives of the upcoming reSIProcate 1.8 release is the support for [[http://en.wikipedia.org/wiki/Federated_VoIP|Federated VoIP]]
+
One of the core initiatives of the upcoming reSIProcate 1.8 release is the support for [http://en.wikipedia.org/wiki/Federated_VoIP Federated VoIP]
  
The overview at [[http://www.opentelecoms.org|http://www.opentelecoms.org/federated-voip]] provides a slightly more technical overview.
+
The material at [http://www.opentelecoms.org/federated-voip OpenTelecoms.org on Federated VoIP] provides a slightly more technical overview.
  
Federation has been mooted in various forms.  The model we follow is the support for domain certifices in SIP [[http://tools.ietf.org/html/rfc5922|RFC 5922]] which is analogous to mechanisms in XMPP/Jabber [[http://tools.ietf.org/html/rfc6120#section-13.7|RFC 6120]].  This means a single TLS/SSL certificate can be used for both SIP and Jabber on the same server.
+
Federation has been mooted in various forms.  The model we follow is the support for domain certifices in SIP [http://tools.ietf.org/html/rfc5922 RFC 5922] which is analogous to mechanisms in XMPP/Jabber [http://tools.ietf.org/html/rfc6120#section-13.7 RFC 6120].  This means a single TLS/SSL certificate can be used for both SIP and Jabber on the same server.
  
 
Key features of [[About Repro|repro]] that support Federated VoIP:
 
Key features of [[About Repro|repro]] that support Federated VoIP:
  
* easier to configure support for certificate authorities (for example, automatically reading all the certicates in /etc/ssl/certs on Linux using the new CADirectory parameter in repro.config)
+
* easier to configure support for certificate authorities (for example, automatically reading all the certicates in /etc/ssl/certs on Linux using the new '''CADirectory''' parameter in '''repro.config''')
 
* acting as a TLS client: when repro acts as a TLS client and connects to the SIP proxy for an external domain, it will automatically send it's own certificate to the remote peer, so the peer can verify that repro is authoritative for the domain where messages originate
 
* acting as a TLS client: when repro acts as a TLS client and connects to the SIP proxy for an external domain, it will automatically send it's own certificate to the remote peer, so the peer can verify that repro is authoritative for the domain where messages originate
* TLS client certificate authentication: (new in v1.8.0) when repro accepts a connection from an external peer, it can be configured to demand a TLS certificate from the peer (mutual TLS authentication) and will verify that each message received from the peer has a From address matching the addresses/domains in the peer's certificate.  (See the configuration parameter EnableCertificateAuthenticator in repro.config)
+
* TLS client certificate authentication: (new in v1.8.0) when repro accepts a connection from an external peer, it can be configured to demand a TLS certificate from the peer (mutual TLS authentication) and will verify that each message received from the peer has a From address matching the addresses/domains in the peer's certificate.  (See the configuration parameter '''EnableCertificateAuthenticator''' in '''repro.config''')
* ENUM routing: when a user dials a telephone number, repro can resolve the number to a SIP address by making an ENUM query.  Using public ENUM trees such as e164.arpa, e164.org and e164-addr.sip5060.net, repro can route many more calls over the internet than ever before.  (See the configuration parameter EnumSuffixes in repro.config)
+
* ENUM routing: when a user dials a telephone number, repro can resolve the number to a SIP address by making an ENUM query.  Using public ENUM trees such as '''e164.arpa''', '''e164.org''' and '''e164-addr.sip5060.net''', repro can route many more calls over the internet than ever before.  (See the configuration parameter '''EnumSuffixes''' in '''repro.config''')
  
 
## Quick start
 
## Quick start
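Review bot: The rewritten federation paragraph and the CADirectory bullet still carry the misspellings "certifices" and "certicates", and the TLS client bullet keeps "it's own" where "its own" is meant; since the link and bold markup on these lines is being touched anyway, correct them in the same edit. The unchanged heading line "## Quick start" at the end of this hunk is not wiki heading markup and renders as a nested numbered item ("1. Quick start") in the revision below; "== Quick start ==" would produce a section heading.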
Line 16: Line 16:
 
* Install repro
 
* Install repro
  
* Obtain a TLS certificate for your domain, install it as /etc/repro/ssl/domain_cert_example.org.pem
+
* Obtain a TLS certificate for your domain, install it as '''/etc/repro/ssl/domain_cert_example.org.pem'''
  
* Set the following in repro.config:
+
* Set the following in '''repro.config''':
  
 +
TLSClientVerification = Optional
 +
TLSPort = 5061
 +
TLSDomainName = example.org
 
  CADirectory = /etc/ssl/certs
 
  CADirectory = /etc/ssl/certs
 
  EnableCertificateAuthenticator = true
 
  EnableCertificateAuthenticator = true
 
  EnumSuffixes = e164.arpa, e164.org, e164-addr.sip5060.net
 
  EnumSuffixes = e164.arpa, e164.org, e164-addr.sip5060.net
  
* In your DNS, create _sips._tcp SRV entries (using the DNS SRV protocol) for your domain, for example:
+
* In your DNS, create '''_sips._tcp''' SRV entries (using the DNS SRV protocol) for your domain, for example:
  
 
   sip-server.example.org.              IN      A      <your server IP address>
 
   sip-server.example.org.              IN      A      <your server IP address>
 
   _sips._tcp.example.org. IN SRV 0 1 5061 sip-server.example.org.
 
   _sips._tcp.example.org. IN SRV 0 1 5061 sip-server.example.org.
  
* If possible, add your phone numbers to a public ENUM tree such as e164.arpa so other people can call your phone numbers even if they don't have your SIP addresses
+
* If possible, add your phone numbers to a public ENUM tree such as '''e164.arpa''' so other people can call your phone numbers even if they don't have your SIP addresses
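Review bot: The added "TLSClientVerification = Optional" line comes with no explanation of what Optional means for a peer that presents no certificate, while the feature list says repro "can be configured to demand a TLS certificate"; add a sentence after the config block stating whether this value enforces mutual TLS or only requests a certificate. It would also help to say how the added "TLSDomainName = example.org" relates to the certificate file name domain_cert_example.org.pem from the previous step, since both carry the same domain.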

Revision as of 08:07, 11 May 2012

One of the core initiatives of the upcoming reSIProcate 1.8 release is support for Federated VoIP.

The material at OpenTelecoms.org on Federated VoIP provides a slightly more technical overview.

Federation has been mooted in various forms. The model we follow is support for domain certificates in SIP (RFC 5922), which is analogous to mechanisms in XMPP/Jabber (RFC 6120). This means a single TLS/SSL certificate can be used for both SIP and Jabber on the same server.

Key features of repro that support Federated VoIP:

  • easier to configure support for certificate authorities (for example, automatically reading all the certificates in /etc/ssl/certs on Linux using the new CADirectory parameter in repro.config)
  • acting as a TLS client: when repro acts as a TLS client and connects to the SIP proxy for an external domain, it will automatically send its own certificate to the remote peer, so the peer can verify that repro is authoritative for the domain where messages originate
  • TLS client certificate authentication: (new in v1.8.0) when repro accepts a connection from an external peer, it can be configured to demand a TLS certificate from the peer (mutual TLS authentication) and will verify that each message received from the peer has a From address matching the addresses/domains in the peer's certificate. (See the configuration parameter EnableCertificateAuthenticator in repro.config)
  • ENUM routing: when a user dials a telephone number, repro can resolve the number to a SIP address by making an ENUM query. Using public ENUM trees such as e164.arpa, e164.org and e164-addr.sip5060.net, repro can route many more calls over the internet than ever before. (See the configuration parameter EnumSuffixes in repro.config)
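
The From-header check described in the TLS client certificate authentication item, sketched as an added example (not repro's source code). It assumes the peer certificate's subjectAltName entries have already been extracted as (type, value) pairs and follows the RFC 5922 rule that identities are compared whole, with no suffix or wildcard matching; the function names and the sample certificate entries are constructed for illustration.

```python
# Added illustration, not repro's source code.
import re

SIP_URI = re.compile(r"^sips?:(?:([^@;>]+)@)?([^:;>?]+)", re.I)

def parse_sip_uri(uri):
    """Return (user or None, lowercased host) for a sip:/sips: URI, else None."""
    m = SIP_URI.match(uri.strip())
    return (m.group(1), m.group(2).lower().rstrip(".")) if m else None

def cert_identities(san_entries):
    """Split subjectAltName entries into whole domains and exact addresses."""
    domains, addresses = set(), set()
    for kind, value in san_entries:
        if kind == "DNS":
            domains.add(value.lower().rstrip("."))
        elif kind == "URI":
            parsed = parse_sip_uri(value)
            if parsed is None:
                continue                      # not a SIP URI, so not a SIP identity
            user, host = parsed
            if user is None:
                domains.add(host)             # sip:example.org covers the domain
            else:
                addresses.add((user, host))   # sip:carol@... covers one address
    return domains, addresses

def from_is_authorized(from_header, san_entries):
    """True if the From URI is covered by an identity in the peer certificate."""
    m = re.search(r"<([^>]+)>", from_header)
    parsed = parse_sip_uri(m.group(1) if m else from_header.split(";")[0])
    if parsed is None:
        return False                          # tel:, malformed, etc.
    user, host = parsed
    domains, addresses = cert_identities(san_entries)
    # Whole-value comparison only: suffixes and "*." wildcards never match.
    return host in domains or (user, host) in addresses

# Constructed subjectAltName entries for a peer certificate.
PEER_SAN = [("DNS", "example.org"), ("URI", "sip:example.org"),
            ("URI", "sip:carol@partner.example")]

if __name__ == "__main__":
    for hdr in ('"Alice" <sip:alice@Example.ORG>;tag=1928301774',
                "<sip:mallory@evil.example.org>;tag=7",
                "<sip:dave@partner.example>;tag=9"):
        print(from_is_authorized(hdr, PEER_SAN), hdr)
```
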
## Quick start
  • Install repro
  • Obtain a TLS certificate for your domain, install it as /etc/repro/ssl/domain_cert_example.org.pem
  • Set the following in repro.config:
 TLSClientVerification = Optional
 TLSPort = 5061
 TLSDomainName = example.org
 CADirectory = /etc/ssl/certs
 EnableCertificateAuthenticator = true
 EnumSuffixes = e164.arpa, e164.org, e164-addr.sip5060.net
  • In your DNS, create _sips._tcp SRV entries (using the DNS SRV protocol) for your domain, for example:
 sip-server.example.org.    IN    A      <your server IP address>
 _sips._tcp.example.org.    IN    SRV    0 1 5061 sip-server.example.org.
  • If possible, add your phone numbers to a public ENUM tree such as e164.arpa so other people can call your phone numbers even if they don't have your SIP addresses
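
What the ENUM lookup behind EnumSuffixes involves, as an added example (not repro's source code): it builds the NAPTR query name for each configured tree and applies an RFC 6116 style NAPTR regexp to obtain the SIP address. The phone number and the NAPTR records are constructed sample data, the function names are illustrative, and no DNS query is made.

```python
# Added illustration of ENUM resolution (RFC 6116), not repro's source code.
import re

ENUM_SUFFIXES = ["e164.arpa", "e164.org", "e164-addr.sip5060.net"]  # from the page

def normalize_e164(dialed):
    """Strip punctuation; require '+' followed by 1 to 15 digits."""
    number = re.sub(r"[^\d+]", "", dialed)
    if not re.fullmatch(r"\+\d{1,15}", number):
        raise ValueError(f"not an E.164 number: {dialed!r}")
    return number

def enum_query_names(dialed, suffixes=ENUM_SUFFIXES):
    """One NAPTR query name per tree: digits reversed, dot-separated."""
    labels = ".".join(reversed(normalize_e164(dialed)[1:]))
    return [f"{labels}.{suffix}." for suffix in suffixes]

def apply_naptr_regexp(number, regexp_field):
    """Apply '<delim>ere<delim>replacement<delim>flags' to the '+digits' string."""
    parts = regexp_field.split(regexp_field[0])   # naive: no escaped delimiters
    if len(parts) != 4:
        raise ValueError("malformed NAPTR regexp field")
    _, ere, repl, flags = parts
    m = re.search(ere, number, re.I if "i" in flags else 0)
    if m is None:
        return None
    return re.sub(r"\\(\d)", lambda ref: m.group(int(ref.group(1))), repl)

def first_sip_uri(dialed, naptr_records):
    """Pick the lowest order/preference terminal E2U+sip record and rewrite."""
    number = normalize_e164(dialed)
    for order, pref, flags, service, regexp in sorted(naptr_records):
        tokens = service.lower().split("+")
        if flags.lower() != "u" or tokens[0] != "e2u" or "sip" not in tokens[1:]:
            continue
        uri = apply_naptr_regexp(number, regexp)
        if uri and uri.lower().startswith(("sip:", "sips:")):
            return uri
    return None

# Constructed NAPTR answer set for the constructed number below.
SAMPLE_NAPTR = [
    (50, 10, "u", "E2U+email:mailto", "!^.*$!mailto:info@example.org!"),
    (100, 10, "u", "E2U+sip", r"!^\+44(.*)$!sip:\1@example.org!"),
]

if __name__ == "__main__":
    print(enum_query_names("+44 20 7946 0123"))
    print(first_sip_uri("+44 20 7946 0123", SAMPLE_NAPTR))
```
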