Hello,
thanks for giving further details. Just wanted to give the basic details
about these topics and Kamailio ... a C module can be contributed if
someone wants to do it, but other alternatives are already possible ...
Cheers,
Daniel
On 23.08.19 07:50, Yuriy Gorlichenko wrote:
Hello, Daniel.
You discussed it with Oleg Belousov at Kamailio World 2019. (I added
him in cc as he just subscribed to the list and did not see this thread.)
I was a part of his team who realized this.
Yes, we've implemented a STIR/SHAKEN platform for a mobile operator, using
Lua, which interrogates with php-fpm scripts via http/json queries.
Apart from signing SIP requests and validation of identity headers we
had to deploy additional business requirements,
including integration with CVT (Call Validation Treatment) entity,
special handling of certain SIP headers, blacklisting, etc. The above
approach gave us a bit more flexibility.
We can deploy a C module, if required, and can share our expertise as well.
On Fri, 16 Aug 2019, 16:38 Daniel-Constantin Mierla,
<miconda(a)gmail.com> wrote:
Hello,
at a couple of events I participated in during the past few months, I was
asked about support of STIR/SHAKEN (caller identity
authentication/verification), which is a hot topic these days at least
in USA, aiming to combat "fraudulent" robo-calling. Therefore I thought
of sharing some details with everyone in the community about the state in
Kamailio, writing to both devs and users, the information being relevant
for everyone.
We already have the (related) module named auth_identity, available
since 2008 (iirc):
- https://www.kamailio.org/docs/modules/stable/modules/auth_identity.html
But it implements the previous iteration of the specs for caller
identity, respectively RFC 4474:
- https://tools.ietf.org/html/rfc4474
However, that RFC is obsoleted by 8224 (the latest core specs for
STIR/SHAKEN):
- https://tools.ietf.org/html/rfc8224
Then, there are also RFCs 8225 and 8226 to add to the core specs.
Should anyone be interested in implementing the STIR/SHAKEN specs in a module,
I would suggest starting from auth_identity -- might not be much work to
update it to conform with the latest specs (a new module can be
created, of course, even when starting from auth_identity).
However, these specs are about signing the SIP request (the INVITE) with
a special PKI certificate. It can be done easily with embedded scripts
such as Lua or Python (inline execution in native kamailio.cfg or using
kemi scripts). At Kamailio World 2019, one of the participants I
discussed with told me they already implemented it using Lua.
That's it for a starting point, if anyone wants to discuss more, just
reply to sr-users and add your comments or ask the questions.
If someone wants to go ahead and work on a C module, announce yourself
to avoid duplicate work of others, and use sr-dev if you need assistance
on module development.
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users