Compatibility of Cirpack's trunks with TOPOS in Kamailio #7183

Closed
Stell0 opened this issue Nov 27, 2024 · 8 comments

Labels
nethvoice Bug or features related to the NethVoice project

Stell0 commented Nov 27, 2024

Cirpack enforces a security mechanism where outbound INVITE requests must be pre-registered and conform to specific parameters. If these conditions are not met, the system does not respond with an "Auth Required" but instead outright rejects the call.

Current Setup

TOPOS Module Usage:

  • We utilize the TOPOS module in Kamailio to handle packet compaction (avoiding potential MTU issues) and for security purposes (hiding the network topology).
  • Per the documentation, REGISTER and PUBLISH requests are bypassed by TOPOS and are expected to terminate on a local SIP server.

Observed Behavior:

  • The REGISTER request correctly includes two VIA headers, as there are two hops, revealing the backend topology behind Kamailio.
  • The INVITE request, however, undergoes "topossification," hiding the network topology as intended.

Problem

If we attempt to mask the VIA headers in the REGISTER request for consistency with INVITE, it is unclear whether Kamailio will still be able to handle:

  • Incoming Calls via Trunk: If the REGISTER request lacks sufficient information, the system might fail to process incoming calls correctly.
  • Replies Routing: Without accurate state tracking, Kamailio might not route the responses to their intended destinations.

Potential Solutions

State Preservation with Key-Value Store:

  • Save critical data (e.g., VIA headers) from the REGISTER request in a key-value store like $shv.
  • Before processing a reply, restore the saved headers using msg_apply to enable proper routing.
  • This approach requires thorough testing to validate its effectiveness and ensure it handles edge cases (e.g., retries, network disruptions).

Custom SIP Header in Asterisk:

  • Implement a custom SIP header in Asterisk to instruct Kamailio not to activate TOPOS for specific trunks.
  • This solution has been used successfully in the past and could provide a quicker workaround if compatible with the current scenario.

@Stell0 Stell0 added this to NethVoice Nov 26, 2024
@Stell0 Stell0 converted this from a draft issue Nov 27, 2024
@Stell0 Stell0 added this to the NethVoice 1.2 milestone Nov 27, 2024
@Stell0 Stell0 self-assigned this Nov 27, 2024
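
The Via difference described under "Observed Behavior" in the opening post can be checked from a capture. This is an added example, not part of the original issue or of the NethVoice code: it extracts the Via hops from SIP messages and reports hops whose sent-by is an RFC 1918 or loopback address. The two messages are constructed samples, and the function names, host names and addresses are assumptions.

```python
import ipaddress
import re
# Constructed sample messages (not captured traffic); hosts/addresses are assumptions.
REGISTER = (
    "REGISTER sip:trunk.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKaaa1\r\n"
    "Via: SIP/2.0/UDP 10.5.4.1:5160;branch=z9hG4bKbbb2\r\n"
    "Content-Length: 0\r\n\r\n"
)
INVITE = (
    "INVITE sip:0123456789@trunk.example.net SIP/2.0\r\n"
    "v: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKccc3\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Address ranges treated as "internal" for this check (RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def via_hops(message):
    """Return the sent-by (host[:port]) of every Via hop, topmost first."""
    head = message.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)        # unfold continuation lines
    hops = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("via", "v"):  # "v" is the compact form
            continue
        for entry in value.split(","):             # one header may list several hops
            tokens = entry.split(";", 1)[0].split()
            if tokens:
                hops.append(tokens[-1])
    return hops

def internal_hops(message):
    """Return the Via hops whose sent-by is a literal internal IP address."""
    leaked = []
    for sent_by in via_hops(message):
        host = re.sub(r":\d+$", "", sent_by).strip("[]")
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                               # host name: not classified here
        if any(ip in net for net in INTERNAL_NETS):
            leaked.append(sent_by)
    return leaked

if __name__ == "__main__":
    print({n: internal_hops(m) for n, m in (("REGISTER", REGISTER), ("INVITE", INVITE))})
```
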

Stell0 commented Nov 27, 2024

We choose to implement the 2nd solution:

  • add a hook to trunks module to add custom "topos=0" SIP header
  • with the occasion, also the "isTrunk=1" header should be exposed in trunk page as well
  • default for those two headers should be added to nethvoice certified trunks
  • hook to interface could be added in nethcti3 freepbx module


Stell0 commented Dec 12, 2024

Test case:
1.

  • update a nethvoice with trunk that has a trunk that uses proxy and have srtp disabled
  • make a call and verify that isTrunk=1 header is sent in invite from asterisk to kamailio
  • from wizard, create a trunk that has srtp disabled by default
  • check that isTrunk=1 header is sent
  • check that topos=0 and isTrunk=1 headers can be enabled/disabled from freepbx -> connectivity -> trunks -> pjsip settings -> advanced
  • check that topos=0 and isTrunk=1 headers, if enabled for a trunk, are sent to first invite when the outgoing call starts, but not in the invite of call transfer
  • make an outgoing call using a trunk that requires isTrunk=1 or topos=0 headers
  • transfer the call to a physical phone that requires srtp
  • check audio works

Stell0 added a commit to nethesis/ns8-nethvoice-proxy that referenced this issue Jan 8, 2025
Stell0 added a commit to nethesis/ns8-nethvoice that referenced this issue Jan 8, 2025
* feat(trunks): add switch to enable/disable TOPOS

- Added a switch in the trunks interface to enable or disable TOPOS.
- When the "disable TOPOS" switch is activated, a "topos=0" header is sent in INVITE requests to instruct the nethvoice-proxy Kamailio to disable the TOPOS module for that specific invite.
- TOPOS configuration for trunks is now stored in the NethCTI FreePBX module's configuration key-value store.
- Modified the trunk interface and dialplan using dialplan hooks to accommodate the new feature.
- Automatically set the `disable_topos` value for trunks created via the wizard.
- Remove the `disable_topos` value when a trunk is deleted via the wizard.
- Added a new MySQL table to store default `disable_topos` values.
- If no default `disable_topos` value is specified, no header will be sent and Kamailio will use TOPOS nethesis/ns8-nethvoice-proxy#51
- Add switch to control the sending of encrypted media on trunks.
- Migrate existing trunks to avoid attempting encrypted media with providers where media encryption is disabled.
- Removed legacy SQL tables that were used for database initialization in previous versions.
- Now all database tables are initialized in mariadb container and altered in freepbx/initdb.d

NethServer/dev#7183
@Stell0 Stell0 added the testing Packages are available from testing repositories label Jan 8, 2025
@nethbot nethbot moved this from In Progress to Testing in NethVoice Jan 8, 2025

Stell0 commented Jan 8, 2025

nethvoice:1.1.3-testing.9
nethvoice-proxy:1.1.2-testing.1

@margit86

update a nethvoice with trunk that has a trunk that uses proxy and have srtp disabled
make a call and verify that isTrunk=1 header is sent in invite from asterisk to kamailio

Result:
After the update to the existing trunk, the "disable SRTP proxy header" parameter is set to "no" when it should be set to "Yes" as it is a trunk created by the wizard.

from wizard, create a trunk that has srtp disabled by default
check that isTrunk=1 header is sent

Result:
Verified that the "disable SRTP proxy header" is set to YES.

check that topos=0 and isTrunk=1 headers can be enabled/disabled from freepbx -> connectivity -> trunks -> pjsip settings -> advanced

Result
Verified.

check that topos=0 and isTrunk=1 headers, if enabled for a trunk, are sent to first invite when the outgoing call starts, but not in the invite of call transfer

Result
Verified.

make an outgoing call using a trunk that requires isTrunk=1 or topos=0 headers
transfer the call to a physical phone that requires srtp
check audio works

Result
Verified.

Stell0 added a commit to nethesis/ns8-nethvoice that referenced this issue Jan 10, 2025
Fix an error in code for migration of existing trunks that prevented existing trunks from being configured to avoid SRTP by default
NethServer/dev#7183
@Amygos Amygos removed the testing Packages are available from testing repositories label Jan 14, 2025
@nethbot nethbot moved this from Testing to In Progress in NethVoice Jan 14, 2025

Amygos commented Jan 14, 2025

Testing release nethesis/ns8-nethvoice 1.1.3-testing.10

@Amygos Amygos added the testing Packages are available from testing repositories label Jan 14, 2025
@nethbot nethbot moved this from In Progress to Testing in NethVoice Jan 14, 2025

Amygos commented Jan 14, 2025

Repeat test case 1

@andrea-marchionni andrea-marchionni added verified All test cases were verified successfully and removed testing Packages are available from testing repositories labels Jan 15, 2025
@nethbot nethbot moved this from Testing to Verified in NethVoice Jan 15, 2025
@nethbot nethbot moved this from Verified to In Progress in NethVoice Jan 15, 2025
@Stell0 Stell0 moved this from In Progress to Verified in NethVoice Jan 15, 2025

Amygos commented Jan 16, 2025

Release nethesis/ns8-nethvoice-proxy 1.1.2


Amygos commented Jan 16, 2025

Release nethesis/ns8-nethvoice 1.1.3

@Amygos Amygos closed this as completed Jan 16, 2025
@github-project-automation github-project-automation bot moved this from Verified to Done in NethVoice Jan 16, 2025
@Amygos Amygos removed the verified All test cases were verified successfully label Jan 16, 2025