In the Trenches of a Globally Spanning SIP Network

Similar documents
NAT and Firewall Traversal with STUN / TURN / ICE

NAT and Firewall Traversal with STUN / TURN / ICE

Comparing Session Border Controllers to Firewalls with SIP Application Layer Gateways in Enterprise Voice over IP and Unified Communications Scenarios

OfficeMaster Gate (Virtual) Enterprise Session Border Controller for Microsoft Lync Server. Quick Start Guide

Configuring a Pure-IP SIP Trunk in Lync 2013

AT&T IP Flex Reach/ IP Toll Free Configuration Guide IC 3.0 with Interaction SIP Proxy

Smart Tips. Enabling WAN Load Balancing. Key Features. Network Diagram. Overview. Featured Products. WAN Failover. Enabling WAN Load Balancing Page 1

This presentation discusses the new support for the session initiation protocol in WebSphere Application Server V6.1.

NAT TCP SIP ALG Support

DEPLOYMENT GUIDE Version 1.2. Deploying the BIG-IP LTM for SIP Traffic Management

Design of a SIP Outbound Edge Proxy (EPSIP)

White Paper. Traversing Firewalls with Video over IP: Issues and Solutions

Firewalls P+S Linux Router & Firewall 2013

Grandstream Networks, Inc. UCM6100 Security Manual

CREATE A CUSTOMER... 2 SIP TRUNK ACCOUNTS...

Polycom. RealPresence Ready Firewall Traversal Tips

Configuration Aid To Ingate Firewall/SIParator - Using Your Own SIP Domain. Lisa Hallingström Paul Donald

Transcoding and Call Centers with OpenSIPS Bogdan-Andrei Iancu Founder OpenSIPS Project OpenSIPS Solutions

Cisco Configuring Commonly Used IP ACLs

Application Note. Stateful Firewall, IPS or IDS Load- Balancing

OpenSIPS For Asterisk Users

CISCO UNIFIED COMMUNICATIONS MANAGER SIP INTEGRATION

Cisco Expressway IP Port Usage for Firewall Traversal. Cisco Expressway X8.1 D December 2013

Cisco TelePresence Video Communication Server (Cisco VCS) IP Port Usage for Firewall Traversal. Cisco VCS X8.5 December 2014

Technical White Paper

Firewalls 1 / 43. Firewalls

VoIP Trunking with Session Border Controllers

OpenScape Business V1

SIP, Security and Session Border Controllers

nexvortex Setup Guide

SIP Trunking with Microsoft Office Communication Server 2007 R2

Carrier Grade NAT. Requirements and Challenges in the Real World. Amir Tabdili Cypress Consulting

Lecture 2-ter. 2. A communication example Managing a HTTP v1.0 connection. G.Bianchi, G.Neglia, V.Mancuso

Setup Reference guide for PBX to SBC interconnection

A S B

DDoS Vulnerability Analysis of Bittorrent Protocol

VLAN und MPLS, Firewall und NAT,

Firewall Defaults and Some Basic Rules

Application Note Multiple SIParator Distribution

nexvortex SIP Trunking Implementation & Planning Guide V1.5

Challenges in NetFlow based Event Logging

Vega 100G and Vega 200G Gamma Config Guide

Configuring the Transparent or Routed Firewall

Note: As of Feb 25, 2010 Priority Telecom has not completed FXS verification of fax capabilities. This will be updated as soon as verified.

Grandstream Networks, Inc. How to Integrate UCM6100 with Microsoft Lync Server

BrainDumps Q.A

Acano solution. Third Party Call Control Guide. March E

Allocating Network Bandwidth to Match Business Priorities

How To Deploy Sangoma Sbc Vm At Amazon Cloud Service (Awes) On A Vpc (Virtual Private Cloud) On An Ec2 Instance (Virtual Cloud)

Alcatel-Lucent OXO Configuration Guide. For Use with AT&T s IP Flexible Reach Service. Version 1 / Issue 1 Date July 28, 2009

Using DNS SRV to Provide High Availability Scenarios

Deployment Guide July-2014 rev. a. Deploying Array Networks APV Series Application Delivery Controllers for Microsoft Lync Server 2013

Application Note. Onsight Connect Network Requirements V6.1

Configuration Notes 0215

Mediatrix 4404 Step by Step Configuration Guide June 22, 2011

Voice Over IP and Firewalls

About Firewall Protection

Configuring the Edgewater 4550 for use with the Bluestone Hosted PBX

IPv6 Tunnels through Routers with NAT 1.6. Consulintel

Firewalls and Intrusion Detection

1.1.3 Versions Verified SIP Carrier status as of 18 Sep 2014 : validated on CIC 4.0 SU6.

1 SIP Carriers Warnings Vendor Contact Vendor Web Site : Versions Verified SIP Carrier status as of 9/11/2011

Dial91 iphone User Guide

Application Note Patton SmartNode in combination with a CheckPoint Firewall for Multimedia security

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

SIP Trunk Bridge Fundamentals Avaya Communication Server 1000

VOIP Attacks On The Rise

Technical Bulletin 5844

McAfee Enterprise Mobility Management Performance and Scalability Guide

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

SIP Trunking Test Results for CudaTel Communication Server

IP Address and Pre-configuration Information

Exam 1 Review Questions

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Optimum Business SIP Trunk Set-up Guide

Network Convergence and the NAT/Firewall Problems

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

CompleteSBC: Getting Started Guide

SIP Trunking Configuration with

Troubleshooting BlackBerry Enterprise Service 10 version Instructor Manual

Implementing Microsoft Windows Server Failover Clustering (WSFC) and SQL Server 2012 AlwaysOn Availability Groups in the AWS Cloud

Firewalls. Network Security. Firewalls Defined. Firewalls

Jibe Hub. RCS Exchange for Mobile Operators. The Global Communications Cloud. Anil Sharma Director, Jibe Mobile anil@jibemobile.

The Need for SIP-Enabled Application Delivery Controllers

DEPLOYMENT MODES OF THE MiVoice Border Gateway

Configuring Interactive Intelligence ININ IP PBX For tw telecom SIP Trunking service USER GUIDE

Deployment of Snort IDS in SIP based VoIP environments

Application Notes for Configuring Microsoft Office Communications Server 2007 R2 and Avaya IP Office PSTN Call Routing - Issue 1.0

SIP Trunking. Service Guide. Learn More: Call us at

Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

Debugging With Netalyzr

INTRODUCTION TO FIREWALL SECURITY

ThinkTel ITSP with Registration Setup Quick Start Guide

Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, Eschborn, Germany

Application Note. Onsight TeamLink And Firewall Detect v6.3

SIP Security Controllers. Product Overview

Time Warner ITSP Setup Guide

Transcription:

In the Trenches of a Globally Spanning SIP Network & the days spent firefighting

AGENDA - Our SIP Network at a glance - Loops - Failover strategies - Connection Management - Registration - Misc

INTRO - Deployed across the world - 6 different AWS regions

INTRO - Each region deployed across multiple AZ - Each region looks the same

INTRO Those SIP Load balancers = opensips - Philosophy: simple & fast - Transaction Stateful - No external lookups - Border Police implemented by the B2BUA

LOOPS Max-Forwards: - TTL - Typical default 70 - Are you resetting it?

LOOPS Basic SIP Load balancer INVITE sip:hello@example.com SIP/2.0... INVITE sip:hello@example.com SIP/2.0 Route: <sip:192.168.0.100;transport=udp;lr>

LOOPS Bug in downstream element - SIP LB marked call inbound - B2BUA marked call outbound - SIP LB marked call inbound...

LOOPS Malicious attacks INVITE sip:hello@example.com SIP/2.0 Route: <sip:sip_lb_1;lr> Route: <sip:sip_lb_2;lr> INVITE sip:hello@example.com SIP/2.0 Route: <sip:b2bua_no_14;lr> Route: <sip:sip_lb_2;lr>

LOOPS Don t trust Route headers from external entities!

FAILOVER STRATEGY Node crash/misbehave - Goal: need to handle it - Strategy: Let s failover to next

FAILOVER STRATEGY Scenario: Shared Resource is the culprit - SQL - NoSQL - REST Service - Another SIP Element - Network partition What do you think about our failover strategy now?

FAILOVER STRATEGY Be mindful when you failover - Strategy: - The node closest to the problem spot probably knows best - Each node is responsible for exhaustively trying all options - If a node fails to contact XXX, then say so - A node will only failover on - 408-503 -...

FAILOVER STRATEGY Drawback: network partition/bad network card - Node is experiencing a localized network issue - Node will signal to upstream that nope, no can do. Don t failover - In this case, it would have helped. Conclusion: you have to figure out what is worse for you.

FLOW MANAGEMENT A flow: - Represents a bidirectional communication path between two endpoints. - Identified by: Local IP:Port + Remote IP:Port + Transport - Has to be maintained - NAT & FW - Sending keep-alive traffic

FLOW MANAGEMENT Registration - What are we trying to achieve? 1 REGISTER sip:example.com SIP/2.0... Via: SIP/2.0/TCP 192.168.0.100;rport;branch=... Contact: <sip:alice@192.168.0.100;transport=tcp;lr> 2 REGISTER sip:example.com SIP/2.0... Via: SIP/2.0/TCP 192.168.0.100;rport=5678;received=62.63.64.65;branch=... Contact: <sip:alice@192.168.0.100;transport=tcp;lr> Path: <sip:flow_token@10.36.10.11;transport=udp;lr;ob>

FLOW MANAGEMENT Registration - No RFC 5626 support in opensips - Can use force_tcp_alias - but: tcpconn_add_alias: possible port hijack attempt - what s going on?

FLOW MANAGEMENT Registration 1 - force_tcp_alias will store the connection under a key computed from the src IP of the incoming connection + port found on the Via-header REGISTER sip:example.com SIP/2.0... Via: SIP/2.0/TCP 192.168.0.100;rport;branch=... Contact: <sip:alice@192.168.0.100;transport=tcp;lr> 2 REGISTER sip:example.com SIP/2.0... Via: SIP/2.0/TCP 192.168.0.100;rport=5678;received=62.63.64.65;branch=... Contact: <sip:alice@192.168.0.100;transport=tcp;lr> Path: <sip:flow_token@10.36.10.11;transport=udp;lr;ob>

Registration FLOW MANAGEMENT - Users behind same NAT => same tcp_alias - First wins - Note: you must also fix the Contact header.

Maintain the Flow FLOW MANAGEMENT - Keep-alive traffic - Use TCP Keep alive - But, doesn t always work. AT&T e.g. will kill your connection anyway - Client has to send a payload (double CRLF) as ping - ios App - What happens when it is backgrounded? - Conclusion: server has to send double CRLF (opensips ask: please add server side double CRLF support)

Registration Flood FLOW MANAGEMENT - Huge issue, it s the perfect DDoS - Client has to play along - Honor 302 on REGISTER (not standard, we do this for our clients. Facilitates connection migration) - If lose connection, wait randomly between 0 - X seconds - Honor Retry-After headers (server could send a 500 e.g) - Re-cycle the connection after X hours - Server side: - Limit the total no of connections/ip - Throttle incoming connections - Add ability to issue 302s - Retry-After headers

MISC Fragmentation - Are you building a SIP based smartphone app? - Do you use ICE? - Are your SDPs massive? - Using TCP? (I certainly hope you are!) - tcp_max_msg_chunks TCP Connection Timeout - Different in 1.11 than 1.8

MISC Monitor Everything - opensips - we log all requests and responses in a parsable friendly manner - pub those stats to dashboards Carrier Edge US XYZ / s Carrier Edge US 0.62 Carrier Edge EU XYZ / s Carrier Edge EU 0.42 Carrier Edge BR XYZ / s Carrier Edge BR 0.22

MISC Capture Everything - tshark - voipmonitor - we push to S3 - tools for downloading, parsing and drawing (heavily use pkts.io)

MISC KEEP THINGS SIMPLE

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information