Using reSIProcate and repro for Federated VoIP

From reSIProcate
Revision as of 10:12, 11 May 2012 by Dpocock (talk | contribs)

One of the core initiatives of the upcoming reSIProcate 1.8 release is support for Federated VoIP.

The material at OpenTelecoms.org on Federated VoIP provides a slightly more technical overview.

Federation has been mooted in various forms. The model we follow is the support for domain certificates in SIP (RFC 5922), which is analogous to the mechanisms in XMPP/Jabber (RFC 6120). This means a single TLS/SSL certificate can be used for both SIP and Jabber on the same server.

Key features of repro that support Federated VoIP:

  • easier to configure support for certificate authorities (for example, automatically reading all the certificates in /etc/ssl/certs on Linux using the new CADirectory parameter in repro.config)
  • acting as a TLS client: when repro acts as a TLS client and connects to the SIP proxy for an external domain, it will automatically send its own certificate to the remote peer, so the peer can verify that repro is authoritative for the domain where messages originate
  • TLS client certificate authentication: (new in v1.8.0) when repro accepts a connection from an external peer, it can be configured to demand a TLS certificate from the peer (mutual TLS authentication) and will verify that each message received from the peer has a From address matching the addresses/domains in the peer's certificate. (See the configuration parameter EnableCertificateAuthenticator in repro.config)
  • ENUM routing: when a user dials a telephone number, repro can resolve the number to a SIP address by making an ENUM query. Using public ENUM trees such as e164.arpa, e164.org and e164-addr.sip5060.net, repro can route many more calls over the internet than ever before. (See the configuration parameter EnumSuffixes in repro.config)
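
The From-address check described under "TLS client certificate authentication" above, sketched as an added example (this is not repro's code, and the function names are hypothetical). It assumes the peer certificate's subjectAltName is available as (type, value) pairs in the shape Python's ssl getpeercert() returns, and compares whole names case-insensitively with no wildcard or suffix matching, as RFC 5922 requires; treating every dNSName entry as a domain identity is a simplification, and the sample names are constructed.

```python
import re

def _split_sip_uri(uri):
    """Return (user, host) for a sip:/sips: URI, or None if it is not one."""
    m = re.match(r"(?i)^sips?:(?:([^@;?]+)@)?([^:;?>\s]+)", uri.strip())
    if not m:
        return None
    user = m.group(1).split(":")[0] if m.group(1) else None  # drop any password
    return user, m.group(2).lower().rstrip(".")              # DNS names: case-insensitive

def cert_identities(san):
    """Collect domain and user@domain identities from subjectAltName pairs."""
    domains, addresses = set(), set()
    for kind, value in san:
        if "*" in value:                  # wildcard entries never count as a match
            continue
        if kind == "DNS":
            domains.add(value.lower().rstrip("."))
        elif kind == "URI" and value.lower().startswith("sip:"):
            parsed = _split_sip_uri(value)
            if parsed is None:
                continue
            user, host = parsed
            if user:
                addresses.add(f"{user}@{host}")   # certificate names one address
            else:
                domains.add(host)                 # certificate names a whole domain
    return domains, addresses

def from_is_authorized(from_header, san):
    """True if the From URI's domain or full address appears in the certificate."""
    m = re.search(r"<([^>]+)>", from_header)
    uri = m.group(1) if m else from_header.split(";", 1)[0]
    parsed = _split_sip_uri(uri)
    if parsed is None:                    # tel:, malformed, etc. are rejected
        return False
    user, host = parsed
    domains, addresses = cert_identities(san)
    return host in domains or (user is not None and f"{user}@{host}" in addresses)

# Constructed subjectAltName of a federated peer's certificate.
PEER_SAN = (("DNS", "example.org"), ("URI", "sip:example.org"),
            ("URI", "sip:alice@example.net"), ("DNS", "*.example.com"))

if __name__ == "__main__":
    for hdr in ('"Bob" <sip:bob@EXAMPLE.org>;tag=1', "<sip:mallory@example.net>"):
        print(hdr, "->", from_is_authorized(hdr, PEER_SAN))
```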

Quick start

  • Install repro
  • Obtain a TLS certificate for your domain and install it as /etc/repro/ssl/domain_cert_example.org.pem
  • Set the following in repro.config:
TLSClientVerification = Optional
TLSPort = 5061
TLSDomainName = example.org
CADirectory = /etc/ssl/certs
EnableCertificateAuthenticator = true
EnumSuffixes = e164.arpa, e164.org, e164-addr.sip5060.net
  • In your DNS, create _sips._tcp SRV entries (using the DNS SRV protocol) for your domain, for example:
 sip-server.example.org.     IN      A       <your server IP address>
 _sips._tcp.example.org.     IN      SRV     0 1 5061 sip-server.example.org.
  • If possible, add your phone numbers to a public ENUM tree such as e164.arpa so other people can call your phone numbers even if they don't have your SIP addresses