Definitely it does not work getting the keys from redis. Also, until not
long ago, trying to failover from REDIS in tls calls was crashing rtpengine.
I believe it can work on DTLS if we start with a "pristine" reinvite, doing
ICE and all things again, like it was a first invite. Something like
storing the first invite at dialog beginning, and using it as a base for
reinvite if failover happens.
This is on my TODO list, so I have no working system, but I would like to
check it, and definitely I'd like to read about others' experiences and
thoughts.
On Thu, Nov 7, 2019 at 2:20 PM Karsten Horsmann <khorsmann(a)gmail.com> wrote:
Hi Giovanni,
I have an SRTP and WebRTC DTLS setup with pacemaker/corosync and failover
works for SRTP (with REINVITES).
I use rtpengine with redis backend. On the DTLS side, I didn't get it working
with REINVITES.
AFAIK the session keys are not stored like SRTP in SIP signaling.
So I thought that calls are lost.
Cheers Karsten
On Thu, Nov 7, 2019 at 13:59, Giovanni Maruzzelli <gmaruzz(a)gmail.com> wrote:
(but yes, it works on DTLS, I had not really read you were talking about
DTLS. You must reinvite reusing the original SDP peers sent to you)
On Thu, Nov 7, 2019 at 1:54 PM Giovanni Maruzzelli <gmaruzz(a)gmail.com>
wrote:
I believe the problem is that there is no more tcp connection.
E.g., if you generate a reinvite over udp, it works (with due care, you
can have the keys renegotiated as per beginning)
But... you have no more tcp (tls is tcp) connection to send the reinvite
to
So, it works on udp, but udp is not secure because it sends the keys in
signaling...
So, end of story: you cannot failover TLS calls, at least not with these
simple techniques...
Any other opinions? I am extremely interested!
-giovanni
On Thu, Nov 7, 2019 at 10:14 AM Karsten Horsmann <khorsmann(a)gmail.com>
wrote:
Hi,
AFAIK the keys of a DTLS session are not restorable, so after failover you
will end up with a stale DTLS call.
Only SRTP can be recovered with RE-INVITES if you use some kind of session
storage.
On Tue, Oct 30, 2018 at 12:07, Жан Базаров <chiefkeeft(a)gmail.com> wrote:
> I need to send a re-invite after pacemaker fails over to a new rtpengine
> server, because the new rtpengine didn't participate in the DTLS handshake and I hear
> nothing but silence. I think maybe it would work. Do you have any
> idea on this issue?
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users(a)lists.kamailio.org
>
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>
--
Kind regards
*Karsten Horsmann*
--
Sincerely,
Giovanni Maruzzelli
OpenTelecom.IT
cell: +39 347 266 56 18
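
The distinction this thread turns on (SDES carries the SRTP key in the SDP, while DTLS-SRTP only carries a certificate fingerprint and derives keys in a handshake), as an added example that is not part of any message above. The function name `classify_keying`, its `sip_transport` parameter and both SDP bodies are constructed for illustration.

```python
# Constructed sample SDP bodies (not captured traffic); key and fingerprint are placeholders.
SDES_SDP = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 30000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY",
])
DTLS_SDP = "\r\n".join([
    "v=0", "o=- 2 1 IN IP4 192.0.2.20", "s=-", "c=IN IP4 192.0.2.20", "t=0 0",
    "a=fingerprint:sha-256 AA:BB:CC:DD",  # session-level, applies to all media
    "m=audio 30002 UDP/TLS/RTP/SAVPF 111",
    "a=setup:actpass",
])


def classify_keying(sdp, sip_transport):
    """Return one dict per m= section describing how its SRTP keys are agreed.

    sip_transport is the transport of the SIP leg that carried this SDP
    ("udp", "tcp", "tls"); it decides whether an SDES key crossed the wire
    in cleartext.
    """
    session_attrs, sections, current = [], [], None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            current = {"media": line[2:].split()[0], "attrs": []}
            sections.append(current)
        elif line.startswith("a="):
            # Attributes before the first m= line are session-level.
            (current["attrs"] if current else session_attrs).append(line[2:])
    report = []
    for sec in sections:
        attrs = sec["attrs"] + session_attrs
        has_crypto = any(a.startswith("crypto:") for a in attrs)
        has_fingerprint = any(a.startswith("fingerprint:") for a in attrs)
        keying = "dtls-srtp" if has_fingerprint else "sdes" if has_crypto else "none"
        report.append({
            "media": sec["media"],
            "keying": keying,
            # SDES: the key itself is in the SDP, so whoever holds the SDP holds the key.
            "key_in_signaling": has_crypto,
            # DTLS-SRTP: keys come from the handshake; a node without that state needs a new one.
            "needs_dtls_handshake": keying == "dtls-srtp",
            "key_exposed_on_wire": has_crypto and sip_transport.lower() != "tls",
        })
    return report
```
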