libosptk3-3.5.2-1mdv2010.0.i586.rpm

Secure, Multi-lateral Peering With SIP proxies on Debian Etch

E-mail support: https://lists.sourceforge.net/lists/listinfo/osp-toolkit-client
www.transnexus.com
Copyright (c) 2003-2007 by TransNexus. All Rights Reserved. 
TransNexus and OSP Secured are trademarks of TransNexus, Inc.

Contents
	Introduction
		Multi-lateral SIP Peering
		Call Detail Record Collection
	Install OSP Toolkit Packages
	Enroll OpenSER OSP Module with a Peering Server
		Overview
		Using the enroll script

Introduction

	Secure multi-lateral peering uses Public Key Infrastructure (PKI) services to secure direct peering among an otherwise anonymous group of SIP peers. In a multi-lateral peering architecture, each peer trusts a common peering authority that enforces routing and access policies on behalf of every peer. The benefits of multi-lateral peering are increased peering security and the elimination of burdensome bilateral peering agreements and access control lists, which are difficult to administer in a large peering network.

	This document provides instructions on how to use the OSP Toolkit packages on Debian Etch. The OSP Toolkit packages for Debian Etch, freely available from http://sourceforge.net/projects/osp-toolkit, contain an implementation of the OSP standard defined by the European Telecommunications Standards Institute (ETSI TS 101 321, www.etsi.org). The OSP Toolkit enables SIP proxies on Debian Etch to take part in secure multi-lateral peering.

Multi-lateral SIP Peering

	A peering server is a simple and efficient solution for managing routing, access control and CDR collection for VoIP calls among a network of SIP proxies (OpenSER, for example). OSP can be used to securely manage wholesale VoIP peering among independent SIP networks, or by an enterprise to create a secure VoIP virtual private network for calling among branch offices that use SIP PBXs. The diagram below illustrates a call scenario between SIP proxy networks using OSP peering. Each SIP proxy manages calls within its own domain. However, when a call must be completed outside its own network, a SIP proxy can query a peering server for routing and access information about a destination peer that can complete the call.

1. The calling party makes a call.
2. The source SIP proxy cannot complete the call within its domain.
3. Peering Request.  The source SIP proxy queries the peering server for the IP addresses of other peers that can complete the call to the dialed number.
4. Peering Response.  The peering server returns a list of IP addresses of destination peers and digitally signed peering tokens authorizing access to each destination peer.
5. The source SIP proxy routes the call to the destination SIP proxy returned by the peering server.  Included in the SIP Invite message is the peering access token signed by the peering server.
6. The destination SIP proxy receives the call and validates the peering token.  If the token is valid, the destination SIP proxy routes the call to the called telephone number.
7. The call is completed to the called party.
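To make steps 4 and 6 concrete, here is an added Go example (not code from the OSP Toolkit or TransNexus): the peering server signs a token that binds source, destination, called number, nonce and expiry, and the destination proxy validates that token before routing the call. The PeeringToken structure, its quoted and pipe-separated payload and the function names are constructed for illustration; the real ETSI TS 101 321 token encoding differs, and only the trust relationship is modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// PeeringToken is a constructed stand-in for the signed token of step 4; the real ETSI TS 101 321 encoding differs.
type PeeringToken struct {
	Source, Destination, CalledNumber, Nonce string
	Expires                                  int64  // Unix seconds; the token is rejected after this
	Signature                                []byte // peering server's RSA PKCS#1 v1.5 signature over payload()
}

// payload is the byte string the server signs and the destination re-derives; %q keeps the fields unambiguous.
func (t PeeringToken) payload() []byte {
	return []byte(fmt.Sprintf("%q|%q|%q|%d|%q", t.Source, t.Destination, t.CalledNumber, t.Expires, t.Nonce))
}

// IssueToken is the peering server's side (step 4): it binds one route and called number to its signature.
func IssueToken(serverKey *rsa.PrivateKey, src, dst, called, nonce string, ttl time.Duration) (PeeringToken, error) {
	t := PeeringToken{Source: src, Destination: dst, CalledNumber: called, Nonce: nonce, Expires: time.Now().Add(ttl).Unix()}
	h := sha256.Sum256(t.payload())
	sig, err := rsa.SignPKCS1v15(rand.Reader, serverKey, crypto.SHA256, h[:])
	t.Signature = sig
	return t, err
}

// ValidateToken is the destination proxy's side (step 6): trust only the peering server's public key and
// reject tokens that are forged or altered, expired, or issued for another destination peer.
func ValidateToken(serverPub *rsa.PublicKey, self string, t PeeringToken, now time.Time) error {
	h := sha256.Sum256(t.payload())
	if err := rsa.VerifyPKCS1v15(serverPub, crypto.SHA256, h[:], t.Signature); err != nil { return errors.New("peering token signature invalid") }
	if now.Unix() > t.Expires { return errors.New("peering token expired") }
	if t.Destination != self { return errors.New("peering token issued for a different destination peer") }
	return nil
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048) // the peering server's signing key
	tok, _ := IssueToken(serverKey, "proxy-a.example", "proxy-b.example", "+15551230000", "6096834216798074", 5*time.Minute)
	fmt.Println("genuine:", ValidateToken(&serverKey.PublicKey, "proxy-b.example", tok, time.Now()))
	tok.CalledNumber = "+15559990000" // any change after issue breaks the signature
	fmt.Println("altered:", ValidateToken(&serverKey.PublicKey, "proxy-b.example", tok, time.Now()))
}
```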

Call Detail Record Collection

	When the call is over, both the source and destination peers send call detail records to the peering server as shown in steps 8 and 9 below.

Install OSP Toolkit Packages

	The OSP Toolkit is a shared library comprised of OSP client functions that simplify sending and receiving OSP peering messages; it is this library that is integrated into the SIP proxy. The OSP Toolkit uses third-party software (by default OpenSSL) for cryptographic algorithms and for secure Internet transactions (HTTPS). The OSP Toolkit also includes the enroll application, which enables the OSP client device to generate its own public-private key pair, get the public key from an OSP peering server, send a certificate request to the peering server and receive the resulting signed certificate from it.

	There are four OSP Toolkit packages for Debian Etch. The osptoolkit package contains the OSP Toolkit enroll application and a test application. The libosptk-3.4.2 package contains the OSP Toolkit run-time shared library. The libosptk-dev package contains the OSP Toolkit header files and static library. The libosptk-dbg package contains the debug information of the OSP Toolkit shared library and applications.

	In order to successfully install and use the OSP Toolkit, the following list of software is required:

	* OpenSSL (required) - Open source SSL protocol and cryptographic algorithms (version 0.9.8c-1 or higher packages are required). The libssl package is required to run SIP proxies with the OSP Toolkit and other OSP Toolkit client applications. The openssl package is required to run the OSP Toolkit enroll application.

	* OSP Server (required for testing) - Two open source OSP server projects are available. OpenOSP, an OSP server written in C code, is located at http://www.vovida.org/applications/downloads/openosp. RAMS, a Java based OSP server, is located at http://sourceforge.net/projects/rams.  Also, a free version of the TransNexus commercial OSP server can be downloaded from www.transnexus.com/OSP%20Toolkit/Peering_Server/VoIP_Peering_Server.htm.

	After downloading the OSP Toolkit packages for Debian Etch, osptoolkit and libosptk-3.4.2, perform the following steps in order:

	* Copy the OSP Toolkit packages into a temporary directory.
	* Log in as root and execute the following command:
	dpkg -i libosptk-3.4.2_###_$$$.deb
	Where ### is the version number (digits separated by dots and a dash) and $$$ is the platform type. For example, if the version is 3.4.2-1 and the platform type is i386, the above command would be:
	dpkg -i libosptk-3.4.2_3.4.2-1_i386.deb
	By default, this installs the OSP Toolkit run-time shared library, libosptk.so, into the /usr/lib directory.
	* Execute the following command:
	dpkg -i osptoolkit_###_$$$.deb
	Where ### is the version number (digits separated by dots and a dash) and $$$ is the platform type. For example, if the version is 3.4.2-1 and the platform type is i386, the above command would be:
	dpkg -i osptoolkit_3.4.2-1_i386.deb
	By default, this installs the OSP Toolkit enroll and test applications into the /usr/bin directory.

Enroll SIP proxy on Debian Etch with a Peering Server

Overview

	Establishing a secure relationship between an OSP peering server and the OSP module in OpenSER requires three crypto files. These files are:

	* localcert.pem - The local certificate for OpenSER, signed by the OSP server.
	* pkey.pem - The private key generated by the enroll utility for OpenSER.
	* cacert_#.pem - The Certificate Authority (CA) certificate from an OSP server. OpenSER may enroll with multiple certificate authorities or peering servers; the # is an integer distinguishing the CA certificates of different peering servers.

	The enroll utility automates the process of enrolling a SIP proxy on Debian Etch with a peering server and creating the three crypto files.

Using the enroll script

	The script ospenroll requires the AT&T Korn shell (ksh) or any of its compatible variants. The ospenroll script should be run from the /usr/bin directory.

	From the command line, type ospenroll followed by the IP address or domain name of the peering server. Below is an example of the enroll utility being used to enroll a SIP proxy on Debian Etch with a peering server named osptestserver.transnexus.com. The blank fields (gray boxes in the original document) indicate optional input which will be included in the certificate. Error Code 0 indicates the operation was successful with no error.

Shell > ospenroll osptestserver.transnexus.com
Generating a 512 bit RSA private key
............................++++++++++++
.++++++++++++
writing new private key to 'pkey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: _______
State or Province Name (full name) [Some-State]: _______
Locality Name (eg, city) []:_______
Organization Name (eg, company) [Internet Widgits Pty Ltd]: _______
Organizational Unit Name (eg, section) []:_______
Common Name (eg, YOUR name) []:_______
Email Address []:_______

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:_______
An optional company name []:_______

Error Code returned from openssl command : 0

CA certificate received
[SP: osptestserver.transnexus.com]Error Code returned from getcacert command : 0

output buffer after operation: operation=request
output buffer after nonce: operation=request&nonce=6096834216798074
X509 CertInfo context is null pointer
Unable to get Local Certificate
depth=0 /CN=osptestserver.transnexus.com/O=OSPServer
verify error:num=18:self signed certificate
verify return:1
depth=0 /CN=osptestserver.transnexus.com/O=OSPServer
verify return:1
The certificate request was successful.
Error Code returned from localcert command : 0
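The same enrollment carried out in code, as an added Go example that is neither the ospenroll script nor any TransNexus code: it plays both the peering server (a self-signed CA, like osptestserver.transnexus.com in the transcript) and the proxy, producing in memory what ospenroll writes to pkey.pem, localcert.pem and cacert_1.pem, and then performs the chain check a peer makes before trusting localcert.pem. Subject names, the one-day validity and the function names are constructed; the key size is 2048 bits rather than the 512 bits shown in the transcript, because 512-bit RSA keys are no longer considered secure.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template returns a one-day certificate skeleton with constructed subject values.
func template(serial int64, cn, org string, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: isCA, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: cn, Organization: []string{org}}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
}

// sign issues a certificate from tmpl under signer's key and returns it parsed (parent == tmpl: self-signed).
func sign(tmpl, parent *x509.Certificate, pub interface{}, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// Enroll runs both sides of ospenroll in one process: the peering server is a self-signed CA (as in the
// transcript above) and the proxy generates its key pair, sends a CSR and receives the signed certificate.
func Enroll(serverCN, proxyCN string) (local, ca *x509.Certificate, key *rsa.PrivateKey, err error) {
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, nil, err }
	caTmpl := template(1, serverCN, "OSPServer", true)
	if ca, err = sign(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil { return nil, nil, nil, err }
	// Proxy side: the key pair that ospenroll writes to pkey.pem (2048 bits here, not the 512 in the transcript).
	if key, err = rsa.GenerateKey(rand.Reader, 2048); err != nil { return nil, nil, nil, err }
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: proxyCN}}, key)
	if err != nil { return nil, nil, nil, err }
	csr, err := x509.ParseCertificateRequest(csrDER) // CA side: parse the request exactly as received
	if err != nil { return nil, nil, nil, err }
	if err = csr.CheckSignature(); err != nil { return nil, nil, nil, err } // proof of private-key possession
	local, err = sign(template(2, csr.Subject.CommonName, "SIPProxy", false), ca, csr.PublicKey, caKey)
	return local, ca, key, err // localcert.pem, cacert_1.pem and pkey.pem as in-memory objects
}

// VerifyLocalCert is the check a peer makes before trusting localcert.pem: it must chain to cacert_#.pem.
func VerifyLocalCert(local, ca *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := local.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
```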